// we are

At, we write code, we hack, and we do science!

InfoSec RTFM: Password Expiration Policies

This post is the first of a hopefully irregular series of articles on the consequences, in the information security industry, of decisions not based on most recent research or even on basic threat modelling but on common sense faux-amis. Password Expiration Policies (PEP from now on) are quite widespread these days, and are justified by a various assumptions about attacker and defender behaviour. They consist of forcing you to change your password on a regular basis to access a service, often restricting syntactically similar passwords.

PEP may sound brilliant at first. However, a superficial economics overview and an attack/attacker breakdown of the problem help to understand why PEP do more harm than good in practice. Demonstration.

DIY Programmable Paper Lanterns #2

Hi there. This is a followup of the Programmable Paper Lantern project which I previously blogged about. Since the last time, I’ve found a much better cage design, ordered a first set of LEDs and a transformer for testing (with a more than DIY solution to power it, as you’ll see…) and I’ve, especially, made the design of the electronics that will be used in the final version. The last bit obviously happened with tremendous help from Martin, who went as far as offering me my first Arduino. And who also re-taught me the basics of electronics. Shame on me, the engineering graduate, but I must say I started almost from scratch on that, and I still know nothing but elementary survival notions.

WtRPM: A Web-based (Wt) Suite to Power Up/down Your Computers

Over the past last month or so, I have been working on creating the hardware and the software needed to be able to boot/reboot/hard reboot my computers at home. The reason I need this is that I am going away for a few months, away from my computers, and I would like to be able to keep on reverse engineering nvidia’s ptherm.

A possible software-only solution is to use Wake-On-Lan to boot up the computer remotely, ssh to connect to the computer, grub-reboot to select the kernel to boot on at the next reboot and finally, the watchdog to reboot the computer when it crashes. If it seems to you like a pain to use, I definitely agree!

So, a hardware-based solution seems more interesting! The standard solution to solve this issue is called IPMI. The interesting features are:

  • Being able to cut the power down and put it back up again;
  • Read back some of the state (Power & disk LEDs for instance);
  • Having a serial console.

However, I don’t have an IPMI-ready motherboard as they are usually used on servers. I thus decided to make myself an equivalent. The only thing that was worrying me was that I had to be able to control that from the internet. So, one machine had to be up and running! I decided to buy a Raspberry Pi as it was the cheapest and lowest-power consumption computer I could get with an ethernet port and a few General Purpose Input/Output (GPIO).

Using those GPIOs, I can control a custom-made circuit board to cut the power, press the power switch and read the power led state but the real question was about the user interface to wrap those GPIOs. I decided to make a web-based user interface because it was more demo-able and also could be updated in real time for displaying logs and the power LED state.

DIY Programmable Paper Lanterns or Why I Should Be Worried About My Impulsiveness

Hey. Been a while. Since the last time I posted, I graduated from two universities and moved to London. Life passes fast, huh? But hey, this is not a rant about the weather, food, cultural differences, the superficiality of relationship in big cities, expensive hockey rinks or whatever. Note how I’m not even pretending any more that I’m gonna tell you in the next post about that super cool thing I’m working on at the moment!

Instead, I’m gonna tell you about paper lanterns! Hey! Hey, no, wait! Hold on, don’t leave! Just a sec! We’re not speaking about your average paper lantern here! The goal of this project is to combine traditional and modern, handcrafted and digital, in short… to make a bunch of programmable paper lanterns!

WtComments: A Secure Way of Serving Comments on Static Blogs!

As a new proud user of Octopress I missed the comment section that I used to have on our previous blog (powered by Django). However, I knew something could be done and months later, I finally did something about it :).

So, let me introduce you to Wt Comments:

Wt Comments is a project that was written in order to allow users to comment on static websites (such as The goal was to create a secure, minimal and self-standing binary that would serve user’s comments as needed. These comments are to be stored in a JSON file.

I wanted a program that would run under a specific UID (using FCGI or a built-in http server) and that would provide strong separation between code and data in order to limit the risks posed by this service to the system. I decided to write this project in Wt, a C++ Web Framework that I have been looking into using for a while now, because it satisfied all my pre-requirements and allowed the usage of hardware and gcc security features such as the NX bit and canaries.

The program has been written with portability in mind. However, it is currently limited to Linux due to one simple function (getExeDirectory()). Feel free to send me patches ;)

The Arduide Now Supports the Arduino Leonardo + a Bunch of Other News

Hey, it’s been a while since my last post about the Arduide. Here are some highlights of the past months.

Arduino Leonardo

Contrarily to last time, where it took a long time to get my hands on an Arduino Uno, an new contributor sent me some patches to support the new Arduino Leonardo. A big round of applause to Jefferson Delfes for bearing my comments and a few round trips before inclusion. The work included compilation flag fixes and a new way of uploading firmwares. As always, please test and report bugs!