Welcome!

This blog is about software security, cryptography, software engineering, ponies and whatever lies in between.

Recent articles

June 2017

D sightseeing: crc32

Let's have a glance at a real although very short D program to discuss some of its features.

SSL/TLS Configuration Recommendations

How to configure SSL/TLS on your server in order to make it secure? Here is the way to do it quick and cleanly.

Hacking the simplest database

Julia Evans proposed the simplest database, let's take it down! A case study of simple file manipulations in bash.

May 2017

Fixing video noise with sox

How to use sox for something simple and practical: fixing the noise in a youtube video.

April 2017

Why we need authenticated cryptography

Simple demonstration of how an attacker could tamper with an encrypted message to his benefit without ever decrypting it in the absence of message authentication.

Weaponizing Excel Webservice

Excel formula injections are common in programs generating XLS files, but often considered harmless. This discusses a new technique that greatly improve the Red Team situation.

March 2017

Privilege Escalations

How to identify flawed resource management leading to privilege escalation. Part of the Fast Security Source Code Review series.

Fast Security Source Code Review

Introduction to the main concepts behind a fast security review. Intended for developers as well as pentesters.

February 2017

How secure is unpredictableSeed?

D's unpredictableSeed is sometimes used to compensate for the lack of a CSPRNG in the standard library. But how secure is that really?


Older

Crypter writeup

"A file was encrypted. You have the encryption software and an encrypted file. Decrypt that file." Detailed writeup using radare2.

Exploiting Gource

Improvised code review of the Gource git repository viewer. It is meant as a way to show how one can perform quick and targeted code reviews.

Let's build an Object System!

What makes an object system tick? What does it mean to be object oriented? What are classes really?

Mail.local et TOCTTOU

Une explication détaillée d'exploitation de programme SUID root via une TOCTTOU pour obtenir une élévation de privilège.

Comment who fonctionne-t-il ?

Strace est un outil puissant mais qui peut être difficile à manipuler. Nous voyons donc un cas concret en étudiant le fonctionnement de la commande "who".

Puppy writeup

Quelqu'un sur irc a proposé hier un petit challenge de steganographie. La victime du jour ? Un chiot qui renferme, nous dit-on, des secrets.

Introduction à l'éditeur de texte ed

Ed est un éditeur puissant mais terriblement déconcertant au premier abord. Cet article présente les commandes essentielles et un peu plus pour bien débuter avec l'Éditeur.

Shell streams and redirections

Shell streams are the most powerful feature of bash. Knowing about redirections is a capital step toward an efficient use of command-line.