Tamuro is a security and crypto(graphy) meetup in London.
A DAPP (for Decentralized App) built on top of the Ethereum blockchain. It is a proof of concept demonstrating how 4chan would be implemented on the Ethereum blockchain.
Learning Go/Golang Assembly with examples.
Need to encrypt a file before sending it to someone? This is it.
A Firefox plugin to track the time you spend on the internet.
Napster + Node-webkit. A free Spotify-like desktop application made with node-webkit. It crawls Google, finds MP3 files and plays them back to you.
Keep track of your Facebook friends. Shows you who's deleting you, adding you or changing his/her name on Facebook. Not available anymore.
Makes you write every day with clever incentives. Last time I checked 12,729 people had used it to write 153,255,590 words.
Lyon01 showcases events happening in the city of Lyon, France. In 2009-2010 Lyon01 gave away thousands of tickets to gigs and student parties through online contests. Lyon01's logo was printed on most fliers and posters around the city. The project is unfortunately dead.
A script to organize tournaments easily. Can be used for multiple games, customizable, different kinds of brackets, ... Used to be translated into 7 languages and used all over Europe.
An online tool to figure out whether the birthday attack is a problem. It gives you information such as: if you generate one million 128-bit identifiers per second, in 26 years you will have a one in a billion chance of generating a collision. Is this enough? If generation is not adversary-controlled, or is rate-limited, you will probably not generate millions of identifiers per second but rather thousands, in which case it will take 265 centuries to get these odds.
A page to help consultants to audit cryptography-related applications.
A tool to check source code for cryptographic pitfalls.
Learn Block Cipher Cryptanalysis. The page is unfinished, as it was initially supposed to contain tutorials on how to perform linear and differential cryptanalysis on Caesar and lightweight block ciphers as well.
Cache attacks found on 7 major TLS implementations. CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, CVE-2018-16870. The paper was published in IEEE Symposium on Security and Privacy 2019.
A tiny C cryptographic library to encrypt sessions, authenticate messages, sign, hash, etc. based only on SHA-3 and Curve25519. It takes only 1000 lines of code.
The Decentralized Application Security Project is a top 10 of known Ethereum smart contract security vulnerabilities. It also includes a timeline of known exploits and their associated loss in Ether.
disco and libdisco are a modern plug-and-play secure protocol and a cryptographic library in Golang. It offers different ways of encrypting communications, as well as different cryptographic primitives for all of an application's needs. A paper was released on ePrint.
A Common Vulnerability Exposure found in the math bignum library of Go. It provokes an infinite loop that would have facilitated DoS attacks on TLS, SSH and some other custom protocols like the Let's Encrypt one.
This is an explanation of Bleichenbacher's million message attack (1998) on RSA encryption PKCS#1 v1.5. You can find the code and a graphically interactive attack here.
A nicer page for RFC 8446: TLS 1.3. It includes summary videos for each section, hides all sections that are unnecessary to the implementation of TLS 1.3 only, re-creates figures, re-shapes the presentation of the original RFC, and includes errata. The original RFC being a static document, this page is up-to-date.
Today, SSL/TLS is the de-facto standard for encrypting communication. While its last version (1.3) is soon to be released, new actors in the field are introducing more modern and better designed protocols. This talk is about the past, the present and the future of session encryption. We will see how TLS led the way, how the Noise protocol framework allowed the standardization of more modern and targeted protocols and how the duplex construction helped change the status quo.
This talk targeted developers who are interested in Ethereum smart contracts and in the gotchas and bugs that they should avoid.
This talk introduced the world of Ethereum smart contracts and their (in)security to the Black Hat community. The talk led to the release of the Decentralized Application Security Project.
This talk introduced the SHA-3 hash function as well as the two protocol frameworks Noise and Strobe. It then presented my work on Disco which is a protocol and a cryptographic library merging the two protocol frameworks. The work was released on www.discocrypto.com.
I showed up at the OWASP meetup of London to give the first crypto talk in ages. I took this opportunity to talk about the SHA-3 competition and about the different constructions that derived from it and that developers might find useful.
Since Keccak has been selected as the winner of the SHA-3 competition in 2012, a myriad of different hash functions have been trending. From BLAKE2 to KangarooTwelve we’ll cover what hash functions are out there, what is being used, and what you should use. Extending hash functions, we’ll also discover STROBE, a symmetric protocol framework derived from SHA-3.
This is a walkthrough of the Ethernaut capture-the-flag competition where each challenge was an Ethereum smart contract you had to break. I did this at 2am in a hotel room in Romania and ended up not finishing the last challenge because I took too long and didn't want to re-record that part. Basically what I was missing in my malicious contract: a function to withdraw tokens from the victim contract (it would have worked since I had a huge amount of tokens via the attack).
Since Keccak has been selected as the winner of the SHA-3 competition in 2012, a myriad of different hash functions have been trending. From BLAKE2 to KangarooTwelve I covered what hash functions are out there, what is being used, and what people should use. Extending hash functions, I also quickly introduced STROBE, a symmetric protocol framework derived from SHA-3.
This is an explanation of the BEAST attack on TLS 1.0.
I gave a course on cryptography during Black Hat US 2017 along with Alex Balducci, Mason Hemmel and Javed Samuel.
This is an introduction to Tamarin Prover, a Protocol Verification Tool with a constraint solver at its core.
This is a tl;dr of the sweet32 paper, officially called "On the Practical (In-)Security of 64-bit Block Ciphers".
I gave a talk on my research on how to backdoor Diffie-Hellman at Defcon 24.
I gave a course on cryptography during Black Hat US 2016 along with Javed Samuel and Alex Balducci.
An overview of the Noise Protocol Framework, a building base to create TLS-like protocols, notably used in the WhatsApp messaging app.
A quick explanation of Pollard's p-1 factorization algorithm.
My master's defense at the University of Bordeaux; it's in French.
A talk I gave at the NCC Group's office in Chicago about the paper I published.
An explanation following the paper Dual EC: A Standardized Backdoor by Daniel J. Bernstein, Tanja Lange and Ruben Niederhagen.
In this video I explain Galois Counter Mode, which provides Authenticated Encryption with Associated Data (AEAD).
This video is an explanation of Coppersmith's attack on RSA, which was later simplified by Howgrave-Graham, and the later attack by Boneh and Durfee, simplified as well by Herrmann and May. Both use LLL, the lattice reduction algorithm of Lenstra, Lenstra and Lovász.
This is an explanation of the Kocher et al. paper on Differential Power Analysis.
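When Khun asked David Wong, who works in Facebook's cryptocurrency division, "What is the best way to get to work at Facebook?", the answer that came back was "side projects and a blog." When you publish blog posts about your side projects, it creates the possibility that other people will become interested in you through the blog and the side projects. From gigazine.net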
In a paper published on Friday, "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations," co-authors Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom describe an updated version of an attack, first outlined by Swiss cryptographer Daniel Bleichenbacher two decades ago. Written by Thomas Claburn on theregister.co.uk
The Logjam discovery was followed up by other researchers including NCC Group's David Wong, who in 2016 published this paper at IACR demonstrating a practical way to put a backdoor in weak Diffie-Hellman systems. Written by Richard Chirgwin on theregister.co.uk
We talked to the cryptographer David Wong about crypto-related blogs worth reading and exploring in an interview. We also asked him about the changing landscape of the crypto-world and the awareness of IT security issues. Written by Constanze Kurtz on Netzpolitik.org
The incident did, however, give David Wong of the security firm NCC the idea that a similar change in a piece of crypto software could be turned into a NOBUS backdoor. Written by Fabian A. Scherschel on Heise.de
The Diffie-Hellman key exchange is secure, provided the parameters are chosen correctly. But what happens if an attacker manages to slip in faulty parameters? David Wong has succeeded in using this to create a so-called NOBUS backdoor. Written by Hanno Böck on Golem.de
The deal is simple... You sign up on 3Pages and it will offer you a very zen writing environment with a quota to meet of 750 words per day (that is, 3 pages). It is not a blog, nobody will read what you write, but it will help you keep up the pace while enjoying yourself day after day. Written by Korben.
Facebook's incredible viral effect then takes over, and off it goes toward an audience that, in France, can reach 300,000 visitors/day (figure claimed by On aime bien). Written by Vincent Glad for Slate
The social network has brought to light an underlying trend of the young web (the need for identity markers, for tattoos 2.0) that can be capitalized on in a different way. This is what David Wong, 21, creator of On aime bien, has understood well:
"Vie de merde had a good run. I imagine that On aime bien and all the sites of its kind could dream of the same trajectory, provided they detach themselves as much as possible from Facebook and its whims. That is what I am currently trying to do with On aime bien, where I try to push users to vote on the site, and not via Facebook."