Hey! I'm David Wong, a security consultant at Cryptography Services (NCC Group). You can find more about that on my blog. Prior to this I graduated from a Cryptography Masters at the University of Bordeaux and went through McMaster, Lyon1 to graduate in Math, and the Beijing Language and Culture University to learn Chinese. Here are some things I've done.

tamuro meetup crypto security london

www.tamuro.london

june 2018

Tamuro is a security and crypto(graphy) meetup in London.

five medium ethereum blockchain dapp

/FiveMedium

october 2017

A DAPP (for Decentralized App) built on top of the Ethereum blockchain. It is a proof of concept demonstrating how 4chan would be implemented on the Ethereum blockchain.

go assembly by example

/goasm

august 2017

Learning Go/Golang Assembly with examples.

Nodster

github/nodster

april 2014

Napster + Node-webkit. A free Spotify-like desktop application made with node-webkit. It crawls Google, finds mp3 files and plays them back to you.

ltc

/ltc

march 2014

The Litecoin and Bitcoin exchange rate. Made with JavaScript and Python because I needed something pretty to display continuously on a screen in the background. Not available anymore.

friends

/friends

november 2013

Keep track of your Facebook friends. Shows you who's deleting you, adding you or changing his/her name on Facebook. Not available anymore.

3pages

www.3Pages.fr

november 2013

Makes you write every day. Last time I checked 4134 people had used it to write 12,350,718 words. Around 300 people use it every day.

lyon01

www.lyon01.com

september 2009

Lyon01 showcases events happening in the city of Lyon, France. In 2009-2010 Lyon01 gave away thousands of tickets to gigs and student parties through online contests. Lyon01's logo was printed on most fliers and posters around the city. The project is unfortunately dead.

wiitop

github/wiitop

~2006

A script to organize tournaments easily. Can be used for multiple games, customizable, different kinds of brackets, ... Used to be translated into 7 languages and used all over Europe.

p1x3l

www.p1x3l.com

~2005

One of my first blogs. It's now made with Laravel, but it used to be made with Django, Rails, CodeIgniter, WordPress, ... It's changed a lot over the years; it's kind of my sandbox to learn something new.

Research I've done.

ethereum smart contract security vulnerabilities

www.dasp.co

march 2018

The Decentralized Application Security Project is a top 10 of known Ethereum smart contract security vulnerabilities. It also includes a timeline of known exploits and their associated loss in Ether.

Disco libdisco noise strobe tls cryptographic library protocol secure encrypt communications

www.discocrypto.com

december 2017

disco and libdisco are a modern plug-and-play secure protocol and a cryptographic library in Golang. It offers different ways of encrypting communications, as well as different cryptographic primitives for all of an application's needs.

CVE golang

CVE-2016-3959

April 2016

A Common Vulnerability Exposure found in the math bignum library of Go. This provokes an infinite loop that would have facilitated DoS attacks on TLS, SSH and some other custom protocols like the Let's Encrypt one.

Talks, Videos, Education...

Modern Session Encryption @ Permutation Based Crypto Workshop 2018

october 2018

Today, SSL/TLS is the de-facto standard for encrypting communication. While its last version (1.3) is soon to be released, new actors in the field are introducing more modern and better designed protocols. This talk is about the past, the present and the future of session encryption. We will see how TLS led the way, how the Noise protocol framework allowed the standardization of more modern and targeted protocols and how the duplex construction helped change the status quo.

Smart Contract Security @ IT Camp 2018

june 2018

This talk was targeting developers who are interested in Ethereum smart contracts and in the gotchas and bugs that they should avoid.

SHA-3 vs the world @ OWASP London

december 2017

I showed up at the OWASP meetup of London to give the first crypto talk in ages. I took this opportunity to talk about the SHA-3 competition and about the different constructions that derived from it and that developers might find useful.

SHA-3 vs the world @ Defcamp 2017

november 2017

Since Keccak has been selected as the winner of the SHA-3 competition in 2012, a myriad of different hash functions have been trending. From BLAKE2 to KangarooTwelve we’ll cover what hash functions are out there, what is being used, and what you should use. Extending hash functions, we’ll also discover STROBE, a symmetric protocol framework derived from SHA-3.

Ethernaut CTF walkthrough (breaking ethereum smart contracts)

october 2017

This is a walkthrough of the Ethernaut capture-the-flag competition where each challenge was an Ethereum smart contract you had to break. I did this at 2am in a hotel room in Romania and ended up not finishing the last challenge because I took too long and didn't want to re-record that part. Basically what I was missing in my malicious contract: a function to withdraw tokens from the victim contract (it would have worked since I had a huge amount of tokens via the attack).

SHA-3 vs The World @ Defcon 25

august 2017

Since Keccak has been selected as the winner of the SHA-3 competition in 2012, a myriad of different hash functions have been trending. From BLAKE2 to KangarooTwelve I covered what hash functions are out there, what is being used, and what people should use. Extending hash functions, I also quickly introduced STROBE, a symmetric protocol framework derived from SHA-3.

The Noise Protocol Framework

April 2016

An overview of the Noise Protocol Framework, a building base to create TLS-like protocols, notably used in the WhatsApp messaging app.

Attacking RSA with lattice reduction techniques (LLL)

april 2015

This video is an explanation of Coppersmith's attack on RSA, which was later simplified by Howgrave-Graham, and the later attack by Boneh and Durfee, simplified as well by Herrmann and May. Both use LLL, the lattice reduction algorithm of Lenstra, Lenstra and Lovász.

Sometimes the press talks about me.

+ December 19th 2017

The Logjam discovery was followed up by other researchers including NCC Group's David Wong, who in 2016 published this paper at IACR demonstrating a practical way to put a backdoor in weak Diffie-Hellman systems.
Written by Richard Chirgwin on theregister.co.uk

+ July 24th 2017

We talked to the cryptographer David Wong about crypto-related blogs worth reading and exploring in an interview. We also asked him about the changing landscape of the crypto-world and the awareness of IT security issues.
Written by Constanze Kurtz on Netzpolitik.org

+ August 10th 2016

The incident, however, gave David Wong of the security firm NCC the idea that a similar change in a piece of crypto software could be turned into a NOBUS backdoor.
Written by Fabian A. Scherschel on Heise.de

+ August 8th 2016

The Diffie-Hellman key exchange is secure, if the parameters are chosen correctly. But what happens if an attacker manages to sneak in faulty parameters? David Wong has managed to use this to create a so-called NOBUS backdoor.
Written by Hanno Böck on Golem.de

+ September 2014

Télérama

+ April 16th 2014

The deal is simple... You sign up on 3Pages and it gives you a very zen writing environment with a quota to meet of 750 words per day (that is, 3 pages). It is not a blog, nobody will read what you write, but it will help you keep up the pace while enjoying yourself day after day.
Written by Korben.

+ October 29th 2010

Facebook's incredible viral effect then takes over, and off it goes toward an audience that in France can reach 300,000 visitors/day (a figure claimed by On aime bien).

The social network has brought to light a deep trend of the young web (the need for identity markers, for tattoos 2.0) that can be exploited in different ways. This is what David Wong, 21, creator of On aime bien, has understood well:
"Vie de merde has had a great run. I imagine that On aime bien and all sites of its kind could dream of the same trajectory, provided they detach themselves as much as possible from Facebook and its whims. That is what I am currently trying to do with On aime bien, where I try to push users to vote on the site, and not via Facebook."
Written by Vincent Glad for Slate