Frederik

@fre@infosec.exchange
189 Followers
376 Following
135 Posts
studying IT sec at TU Darmstadt
Pronouns: he/him
Signal: fre.99
GitHub: https://github.com/frereit
Blog: https://frereit.de

Today at #TROOPERS25 I released a reimplementation of a set of protocols used to interact with a DHL #Packstation without using the official app: https://github.com/frereit/pydhl

It's more of a proof of concept than an actual utility, but maybe it's interesting for some.

Nothing like discovering new facts less than 24 hours before the talk about said facts.
Luckily it's just an actual confirmation for something we already suspected anyway, so I just needed to remove a "likely" from the documentation, but still, how fun.

hi crypto people, I could use a crypto vibe check on some black box crypto:

I'm looking at a key encryption mechanism where some "inner" encryption keys are used to encrypt some data, and are then encrypted themselves with a main key and stored along with the data. The data decryption is therefore a two-step process where you first decrypt the inner key using your main key and then the data with the inner key. The concept is pretty much exactly like AWS KMS.

I am in a position where I can see something about the inner keys but I'm not sure exactly what it is. It might be either the keys themselves, or some seed used to derive the inner key. This is where I'd be interested in some educated guesses on the format.

This something is mostly 144 bytes long, but weirdly sometimes it's 143 bytes long (~7%), and sometimes only 142 bytes (~7%). Based on one hundred samples, the content looks like it's random. Flipping any bit in the key material causes the system to reject it.

In my armchair crypto gut feeling, it seems like 144 bytes is quite long for only a key, even if there was some tag added to the key, and the differing lengths are also a bit curious.

Obviously there's a bunch of scenarios where there's just no way to tell what I'm actually looking at without looking at any code, but I wonder if there are any standard ways to create such a mechanism that would result in these long, variable-length inner keys. Has anyone seen something like that before?

#crypto #cryptography

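The two-step envelope scheme the post describes, as an added example in Go (not the poster's code, and not the black-box system they are analysing): a fresh data key encrypts the payload, the main key wraps the data key with AES-GCM, and both blobs are stored together. Decrypt unwraps first, then decrypts. Because both blobs carry a GCM tag, flipping any single bit in the stored key material makes the unwrap fail, which is the "reject on any bit flip" behaviour the post observes. In this construction the wrapped key is a fixed 60 bytes (12-byte nonce, 32-byte key, 16-byte tag); the key sizes and the demo main key are constructed choices for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored next to the data: the data key wrapped under the
// main key, and the payload encrypted under the data key.
// Each blob is laid out as nonce || ciphertext || GCM tag.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

const dataKeySize = 32 // AES-256 data key; a constructed choice for this example

// seal encrypts plaintext with AES-GCM under key and prefixes a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to its first argument, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. Any flipped bit in the blob (nonce, ciphertext or tag)
// makes the authentication check fail, so nothing is returned.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Encrypt is the write path: generate a one-time data key, encrypt the payload
// with it, wrap the data key under the main key, store both together.
func Encrypt(mainKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, dataKeySize)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(mainKey, dataKey)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt is the two-step read path: step 1 unwraps the data key with the
// main key, step 2 decrypts the payload with the recovered data key.
func Decrypt(mainKey []byte, env *Envelope) ([]byte, error) {
	dataKey, err := open(mainKey, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("step 1, unwrap data key: %w", err)
	}
	pt, err := open(dataKey, env.Ciphertext)
	if err != nil {
		return nil, fmt.Errorf("step 2, decrypt payload: %w", err)
	}
	return pt, nil
}

// FlipBit returns a copy of b with one bit toggled, used to show that the
// stored key material is integrity-protected.
func FlipBit(b []byte, byteIndex int, bit uint) []byte {
	out := append([]byte(nil), b...)
	out[byteIndex] ^= 1 << bit
	return out
}

func main() {
	mainKey := make([]byte, 32) // constructed demo key; a real one stays in a KMS/HSM
	for i := range mainKey {
		mainKey[i] = byte(i)
	}
	env, _ := Encrypt(mainKey, []byte("constructed sample payload"))
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := Decrypt(mainKey, env)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	bad := &Envelope{WrappedKey: FlipBit(env.WrappedKey, 20, 3), Ciphertext: env.Ciphertext}
	_, err = Decrypt(mainKey, bad)
	fmt.Println("one bit flipped in wrapped key ->", err)
}
```

The point for a practitioner: in a textbook envelope scheme like this, the stored wrapped key has a deterministic length fixed by the nonce size, key size and tag size, so a blob whose length varies from sample to sample is carrying something other than a plain wrapped key.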

The big Google outage was apparently some kind of null pointer deref:

The issue with this change was that it did not have appropriate error handling nor was it feature flag protected. Without the appropriate error handling, the null pointer caused the binary to crash. Feature flags are used to gradually enable the feature region by region per project, starting with internal projects, to enable us to catch issues. If this had been flag protected, the issue would have been caught in staging.
https://status.cloud.google.com/incidents/ow5i3PPK96RduMcb1SsW

I can't help but wonder if this was LLM-assisted code. I mean, if normally new features get a feature flag, but this one didn't, I wonder if it's because it's something an LLM doesn't emit when asked to implement a feature. Also, based on my experience with LLMs, the emitted code often lacks error handling and fails to consider edge cases.


If you want to hear me talk about DHL parcel lockers, the underlying Bluetooth protocol, and how we can pick up parcels without the official app, come to my talk:
https://troopers.de/troopers25/talks/s99jks/
:)

Just got the email that my proposal for a talk at #TROOPERS25 got accepted!!!! I'm soo excited ahahaha
"Anti-Virus, where is my download?"
anti-virus with suspiciously executable-shaped stomach: "idk bro"
on Linux, is there a way to switch off "Tamagotchi Mode"? specifically i mean the thing where you set up linux exactly how you want, and every 2 weeks you run package updates and some obscure part of your system which you didn't even know existed now no longer works the way you set it up, and you have to spend 90 minutes fixing it, and it's always a different thing, and this happens every 2 weeks, forever. how do you switch that off? (ideally in a way where it won't switch back on after 2 weeks)
new paper just dropped

A straight white guy friend was complaining about not being able to find any gaming groups for WoW that weren't full of MAGA assholes. He said he keeps joining guilds with older (60+) casual gamers like himself because he can't keep up with the kids, and he'll start to make friends, but then they will reveal themselves to be Trump-lovers. He asked, "What am I doing wrong?"

I said, "First of all, your screen name is Russian. Leftys are gonna be wary of that, and the Alt-right loves it.
Second, you should put some social signals in your bio, like pronouns."

"Okay, but how do I tell people I'm cool, but I'm not gay or trans?"
I explained to him what "cis" and "ally" mean. He had never heard of this before, which showed me what kind of online spaces he was landing in.

Next, I said, "Look for the furries."
"But, I'm not a furry?"
"Yes, but the presence of furries is like lichen. They are a sign of a healthy ecosystem."

This was about 3 months ago. Now, he tells me he joined a guild labeled as LGBTQ-friendly and has made several new cool friends. He says, "I thought they would be talking about sex all the time but it's just a regular group." He mentioned that there are many women and PoC in the group too, and "Everyone's so nice on dungeon runs, telling people they did a good job and being supportive, sharing loot."

I didn't tell him that this is what the whole world would be like without patriarchal toxic masculinity, because I think he figured it out himself.