My heart is ok, but my eyes are bleeding

Leaf Security Research

TL;DR: heartbleed is bad, but not world ending. OpenSSL is not any more vulnerable because of its freelists and would still be vulnerable without them.

We felt that there weren’t enough heartbleed write-ups yet, so we wrote another one. Unlike many of the other posts, we are not going to talk about the TLS protocol or why we think the heartbeat extension is pointless. Instead, we are going to focus on the bug itself and more specifically, why sensitive data gets leaked.

First we would like to state that, as far as complexity goes, the heartbleed vulnerability is nothing special, but that doesn’t mean it was easy to find. All bugs are easy to spot after someone else points them out to you. Hindsight is 20/20 after all. Riku, Antti and Matti at Codenomicon and Neel Mehta at Google all independently discovered this bug. Neel was also kind enough to…

View original post 2,226 more words

Opinions expressed are your own. The consequences are not.

This isn’t a new thing, but there are more and more professionals (and you may take that word with as much weight as you like) who put this disclaimer on their Twitter page, Facebook or whatever other time-wasting watering hole for trite exists these days. “The opinions expressed are my own and not of my [employer, goat-sacrifice-accepting-deity etc…]” The idea is that no matter what I say, only I should be held responsible for what was said and not the people who help me pay bills.

But that’s not how it works does it?

The truth of the matter is that no matter what kind of disclaimer, warning, magic spell, enchanted stick figure you affix to your name, what you say can and always will be used. For you or against you depends on who’s ire or approval you’ve aroused. Arouse deeply enough in either direction and plenty of it will spill onto third parties even remotely associated with your name.

The internet is a magical pixieland with mounds for domains wherein each cluster of pixies hang out in popular mounds to spew and absorb whatever the firehose of kitty pics and strife that piques their fancy has to offer. [Most] people don’t like drama unless they’re third party observers (there’s a reason TV shows about women who have everything, including plastic faces, bickering over manufactured drama is popular).

The takeaway from all that build-up is simply this: What you say will spill over to who you associate, be it employers, friends or the like. You can choose to blog/tweet/share under a pseudonym (made more annoying lately by Google and Facebook’s real name policies), which is something I’ve decided to give up since Ghostnetworks went bust, or you can avoid any mention of your employer. How deeply it will affect them, as mentioned previously, will depend on who’s taken interest in you and in what form.

There’s a reason the name of my current employer or my boss’ name (who I affectionately refer to as “Boss” on Twitter)  isn’t listed on Facebook (the info is several years obsolete), Twitter or this blog. Unless someone really spends the time and effort to hunt through my information, I can plausibly deny who I work for. Therefore what I express can not only be mine, the consequences for what I say really are limited to myself as well.

A Playground

Oh, hi there blog! I didn’t forget you existed, but you did become the lovable aunt who likes to talk too much and so you were avoided.

Meanwhile, I’ve been hanging out in place called NeoCities, a throwback to GeoCities, which sadly shut down.

This is a huge deal! Why?

The Web is not the internet

The internet, as we know, is an interconnected network of tubes that funnel nutrients and raw sewage alike through our lovable dispensaries (PC, tablet, smartphone, smartcar, smartfridge, smartloo etc…)

The Web is the said nutrients and sewage. Now we have all been told what nutrients are by the owners of the web. Media, social or otherwise, have fed it to us labeled “nutrients”, but lately we’ve come to understand that this is a whitewashed molasses of contrived crap. You can’t blame these outlets alone since the owners of the web will do whatever they please with their property.

Owners? What owners?!

Who are the owners? Facebook, Google(G+) et. al. And yes, even WordPress to a degree. But I sense some of you have a niggling twitch on the back of your mind. The power of the “owners” of the web has increased in recent years and the alarm is compounded by the fact that the web wasn’t supposed to be owned by anyone. “Wait, it’s my blog/Facebook page/account!” Surely what is “your” property should be yours to do as you please, no? Well, that’s very true, but here we have a hiccup with what exactly “ownership” entails.

You do not own what you do not control.

Facebook, Google and any other entity that holds on to your things for you, creates themes, connects you to people you should know (or rather they think that you should know) and such that you can edit. These are features. But it is subject to their TOS (which excludes far more than spam and “illegal” content). They have every right to control what’s on their property. And it is “their” property, you’re simply renting an apartment there by using yourself as collateral. As the old social media adage goes…

If you’re using a “free” service, you’re the product

Side amusing factoid: Everyone I know, who uses Facebook, hates it.

I use it to keep in touch with friends ‘n stuff and once-in-a-while, I’ll play a game, but it’s such a timesuck, dude!

– Everyone

Back to the awesomeness of NeoCities.

Why is NeoCities awesome?

The early to mid 90s was an era of the www (Wild, Wild, Web) when anyone and everyone can create any sort of a jumble of content – and this is the operative word, folks, “content” – with muddled HTML, dancing Hammer gifs and whole assortment of unwholesomeness that (mostly)everyone loves.

Above all else, you “Owned” your page. You could download it, edit it as you please, share as you please, link who you please and most certainly, the host didn’t “connect” you to people you know or secretly gather usage data on who you visit or bookmarked. These are also features.

Note: A “like” is an acknowledgment. A “share” is a public bookmark. See how the new owners of the web have used existing features and renamed them?

NeoCities captures the www (second definition) to a T and I encourage everyone else to join the club. You’re not a network, you’re not a product. You’re a human being. Please express yourself as one. Right now the service is limited to editing HTML files and uploading small images, but there’s no reason you couldn’t use an outside image hosting service like (which is also free).

I started my experiment with NeoCities a week or so ago and it was still being tweaked at the time. However, you can see the end result. I don’t plan to stop here, of course.

Learn HTML (it’s not terribly complicated, but if you need a place to start, you can copy my layout and stylesheet). Everyone who feels like it should try it out, experiment, mould, create and do whatever.

Let the creator of NeoCities explain it better.


ID Obfuscation Part II

Last week, I wrote a simple function for obfuscating a string that can be used to shorten URLs. I got a few emails from people who would actually like to obfuscate an ID key (E.G. a numeric primary key) of a large size (E.G. a PostgreSQL ‘bigserial’ type which can go up to 231). So many examples out there, but they seem convert the input to integers first, which can lead to loss of precision, especially in PHP.

I use Postgres too and I’ve moved around the big number problem by appending a random digit or two to the front and then encoding the whole thing. So when I need the original, I just decode it and remove the front digit(s). This does two things: It obfuscates the ID (no one needs to know 10001 and 10002 are neighbors) and makes sure each one is unique as long as the key given to it is unique. Of course if it’s a primary key from a database, you won’t have to worry too much about uniqueness; it already is. And since I’m always appending the same number of digits as I’ll remove when decoding, it doesn’t matter how large the number gets.

So here’s a function that will create a shortened ID from a given numeric key in PHP :

public function ConvertKey( $k, $create = false ) {
	$range = str_split( '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' );
	$il = strlen( $k );
	$cl = 62; // count( $range ) is redundant;
	$out = '';
	// Get number from key
	if( $create ) {
		$out = 0;
		// Letter/number to array key swap
		$a = array_flip( $range );
		for( $i = 0; $i < $il; $i++ ) {
			$c = $k[$i];
			$n = bcpow( $cl, $il - $i - 1 );
			$out = bcadd( $out, bcmul( $a[$c], $n ) );
		// Strip front two random digits (appended below)
		$out = substr( $out, 2 );
	} else {
		// Append two random digits to the front
		// (NOT added, just attached to the front)
		$k = mt_rand( 10, 99 ) . $k . '.0';
		do {
			$c = bcmod( $k, $cl );
			$out .= $range[$c];
			$k = bcdiv( bcsub( $k, $c ), $cl );
		} while( bccomp( $k, 0 ) > 0 );
		// We worked from back to front
		$out = strrev( $out );
	return $out;

You can test this out by sticking it in a loop :

for( $i = 5000; $i < 6000; $i++ ) {
	$kConverted = ConvertKey( $i );
	$kOriginal = ConvertKey( $kConverted, true );
	echo $i . ' - ' . $kConverted . ' - ' . $kOriginal . '<br />';

Of course, you’ll need to keep in mind that the generated key will be different each time you run it, however the end result after decoding will be the same.

I also wrote a post on encryption with… *ahem*… colorful comments and, thankfully, most people stuck to the actual code itself when contacting me about it. Yes, I did change the encryption mode from CFB to CBC. CFB doesn’t need padding so I wasn’t lying about the sleep-deprivation. Thanks to those who wrote to me about it.