Sunday, March 24, 2019

The Aviary: Huckleberry

The Aviary, Pg 404

One of the cocktails hailing from The Office, a speakeasy basement bar underneath The Aviary, this seemed simple to assemble with only one bit of complicated machinery: a sous vide.  Also, the presentation alone was intoxicating: a frothy head atop a mauve concoction? Sign me up!


I was able to obtain a chinois at a Goodwill.  The strainer and pestle separates juice from pulp and seeds.  However, the main ingredient is a clove tincture (fancy word for Everclear infused with clove). This required a sous vide as written.  As long as I've heard about them, I have never pulled the trigger on this low temperature wonder-machine (I don't have an instant pot either).  I figured it was time to lay that to rest.

There are plenty of DIY sous vide videos on the internet.  I settled on one that recommended a rice cooker combined with an industrial 110V AC temperature controller instead of a brewer's setup.  The most important part of this setup is the type of heated pot you use.  I couldn't use my crock pot, for example, because it had a digital control.  Every time the power cut off and then back on, it would not return to heating the pot.  My manual-switch rice cooker worked like a charm, however.  Then, for $20 in parts from the hardware store and $20 for the temperature controller on Amazon, I had a safe contraption through which to control my rice cooker and keep a pot of water within 2 degrees of a specific temperature for any length of time (perhaps "safe" is relative; use wire nuts and an electrical box when playing with mains, kids; the picture below shows iteration one with no cover).


The clove tincture was dead simple but extremely smelly.  $1 in bulk cloves and some Everclear got me a half dropper full of the cloviest drops the ever passed your nose. A word of warning: toasting the cloves is a horrendously smokey business.  Do this with a hood on full blast or outside.  We had to open all the windows and run for coffee.  I already had a vacuum sealer so I dumped the toasted cloves into a bag, poured on the alcohol, and dunked it into the rice cooker for an hour.  I decanted the result into an amber bottle with dropper and savored the aroma (which wasn't hard; it was everywhere).


The rest of the recipe was fairly simple.  Huckleberries don't come into season until August, so we went with blackberries from Mexico.  The syrup came together easy with a few gradually finer strainings.  6oz made 166g of juice.  Amaro Averna from Total Wine, Bombay Gin on sale, and Angostura bitters I already had on hand completed the boozy bits.  A quick trip through a shaker came out with a pink foamy pour that gradually separated into mauve and foam.  The bitters and pepper hit our nose, and the herbal hit of the drink completes it.  It's just sweet enough with off-season blackberries to be pleasant without being overpowering.  As we drank, we noticed the colors change and aromas deepen.  Very fun and dynamic drink.



A second round (can't waste syrup, after all) made with vodka toned down the herbal nature.  This will probably be the version I make for myself unless the guests are already gin drinkers.  Too close to 'too much' pine.  A friend suggested ditching the clove and replacing it by painting the glass with Chartreuse.  Either way, this seems to be a reliable cocktail to just have on hand.  Freezing berry syrup during their season in 2oz portions and the huge amount of clove tincture I have left over means it will be quick to assemble with a fun story to tell while we shake it up.

The Aviary: Knickerbocker

The Aviary, Pg 249

One part of a tiki flight, I was recommended to try this this based on the raspberries.

While the recipe as written requires a pacojet, I don't have $5000 just to get deliciously drunk.  I tried an ice cream maker to make the slush instead with fantastic results.  The instructions say to freeze the mix and rum separately and process together, but a spin in the ice cream maker brought it to just enough slush for a small batch.






The real winner here is the recommended rum.  My first "drink until you hurl" experience was with coconut rum, and I've avoided the spirit ever since.  The Zaya Gran Reserva aged rum has really caught me by the nose, however.  It has just enough molasses to be delicious, and the aging has mellowed it considerably compared to its frat-boy cousin.  I'll definitely be stocking this as a rum of choice (unless the book turns up something even better).

Dan Moves North

Plenty has gone on in the past year. Here's a quick rundown:

- Learned how to quilt. 104 patches from my tour-guiding days on a lap quilt.




- Learned how to Black Badge at DEF CON 26. Shout out to my fellow Murder Hobos, PunkAB, and the entire Dungeons@DEFCON team for this kick-ass experience.













- Learned how to move across country through forest fires and with cats









- Learned how to survive a leg infection possibly from a cat scratch (not pictured; it was pretty gnarly)

- Learned how to not buy board games. I finished a 10x10 (play ten games ten times or more) without buying any new games in between. Moving thinned the collection, but it still takes up an entire linen closet.




Friday, July 27, 2018

Testing Encryption - 3 years of Dan Boneh's Online Cryptography Course

Three years ago in July, I completed Dan Boneh's online cryptography course with distinction through Coursera's Cryptography 1.  Since then, I've had the opportunity to use and test cryptographic systems at work and for hobbies.  Here are a few lessons learned when testing encryption.

I have found my fair share of bugs in the crypto we chose to use at work.  I've gotten into a routine when testing encryption used for message authentication:
  • Test the same plaintext multiple times.  Does it need to be different each time?  How much of the MAC is different each time?  It might help to explore the data your hashing function spits out as it can tell you how your hash function does what it does.
  • Replay it.  How can a user abuse identical MAC'd data if they replay it at a later date?  For a different user?  Can you add items to the plaintext that will allow you to validate not only the data but the source or timeframe as well?
  • Ensure your hashes are detecting changes. Is your MAC rejected if you change the data at various places within the message?
  • Rotate the key. Do you need a hash to survive a key change?  Usually you can just regenerate the data and re-MAC it, so figure out if you really need to use MACs over long lifetimes.  They're easy to compute.
  • Generate a bunch at once.  Is performance an issue with the service?  Most hashes are built for speed, but is yours?
For each of these failure modes, I'm looking mostly for hints of weakness.  I'm expecting pseudo-random noise, but how does my brain distinguish that from almost random noise?

There are many times when you need to generate a unique but random value but don't have the space to use a GUID.  To evaluate if a solution will be "unique enough", check out the Birthday problem wikipedia page, and this table of probabilities in particular.  Find out how many possible values exist (9 numeric digits = 10^9 ~= 2^30).  Compare on the table with that value as the hash space size versus the number of times you'll be setting this value.  This will tell you if the algorithm you want to use is sufficient.  If you are making long-term IDs that can only be created once, you obviously  want the probability of collision to be extremely low.  If you can recover from a collision by creating a new transaction fairly readily, you might not need as much assurance.  Ive used this to help drive a decision to increase unique token size from 13 to 40 characters, guide switching from SQL auto-numbers to random digits to hide transaction volumes, and ensure internal transaction IDs are unique enough to guide troubleshooting and reporting.

Time and again, the past three years have taught me that cryptography must be easy for it to be used widely.  I've stayed with Signal for text messaging because it just works.  I can invite friends and not be embarrassed at its user interface.  It doesn't tick all the boxes (anonymity is an issue being a centralized solution), but it has enough features to be useful and few shortcomings.  This is the key to widespread adoption of encryption for securing communications.  Since Snowden revealed the extent of the NSA's data collection capability, sites everywhere have switched on HTTPS through Let's Encrypt. Learning more about each implementation of SSH and TLS in the course was both informative and daunting. I was anxious to get HTTPS enabled without rehosting the site on my own.  Early 2018, Blogger added the ability to do just that through Let's Encrypt.  It requires zero configuration once I toggle it on.  I can't sing its praises enough.  The content of this blog isn't exactly revolutionary, but this little move toward a private and authentic web helps us all.

Dan Boneh's Cryptography course continues to inform my testing.  The core lesson still applies: "Never roll your own cryptography."  And the second is how fragile these constructs are.  Randomness is only random enough given the time constraints.  Secure is only secure enough for this defined application.  Every proof in the course is only as good as our understanding of the math, and every implementation is vulnerable at the hardware, software, and user layers.  In spite of this, it continues to work because we test it and prove it hasn't broken yet.  I'm looking forward to another three years of picking it apart.

Wednesday, July 25, 2018

Wristband Teardown from Amazon's #FireTVSDCC Event at San Diego Comic Con

A friend returned from San Diego Comic Con 2018 with an RFID bracelet used to track users in the Amazon Fire TV experience (on Twitter, #FireTVSDCC).  This is a teardown of the bracelet after the event.  At this time, I was unable to read from the bracelet.



The bracelet is fairly simple with a cloth band and plastic/paper tab threaded through.  The closure is plastic and one-way.  It bites into and mangles the cloth band if you attempt to remove, but you could probably shim it with tools and practice.  Might be a fun thing for the Tamper Evident Village if it turned out events were trying to use this for access control like plastic self-destructing wristbands.


The back contains a serial number.  I would like to see if this serial number would match the data read off the tag.



Separating the badge by prying them apart, I  spot the prize: an adhesive RFID tag placed between the glossy plastic covers.  It appears to have a model number of "CXJ-040" in the center of the tag.  It uses a circular antenna.  CXJ is the initials of Shenzen manufacturer ChuangxinjiaTheir product pages show many similar wristbands in a few different frequencies.

The tag didn't respond to my Android phone, so it is not a Mifare or similar.  Hopefully I can find a reader at the local Hackerspace or DEF CON 26.

Monday, July 16, 2018

AES CBC Encryption on OpenVMS

It turns out that using the convenience function ENCRYPT$ENCRYPT_ONE_RECORD on OpenVMS for AES CBC does something squirrelly.  It will not let you pass in an IV.  Instead, ENCRYPT$INIT sets the IV to 16 bytes of \0.  In order to ensure your identical plaintext first blocks aren't identical after encryption, your first 16 byte block needs to be your true IV.  This will get XORd with the null byte encrypted IV and sufficiently scrambled so your second block can be uniquely encrypted.  OR just do it right and avoid the convenience method.  Use ENCRYPT$INIT properly.

Ref: http://h41379.www4.hpe.com/doc/83final/4493/4493pro_025.html#encrypt_one_routine

"For AES, the optional P1 argument for the AES IV initialization vector is a reference to a 16-byte (2 quadword) value.
If you omit this argument, the initialization vector used is the residue of the previous use of the specified context block. ENCRYPT$INIT initializes the context block with an initialization vector of zero."

Tuesday, June 26, 2018

Interacting with OpenVMS on Mac through Terminal.app and iterm2

Terminal.app and iterm2 can be used on Mac interact with an OpenVMS system by setting the right profile settings and keys with escape sequences. Most keys work by default (PF1-PF4 when Fn is used to disable Mac system interactions), but it must be configured correctly to allow access to other keys commonly used in OpenVMS terminal applications (FIND, PREV, NEXT).

PF1-PF4

The F1 - F4 function keys will work as PF1-PF4 if Fn is pressed as well.
  • If your keyboard is a large Mac keyboard with a Fn key above the arrows, access PF1 - PF4 by turing off the Mac keyboard options (brightness, volume controls, etc) by holding the Fn key and pressing F1 - F4. This also works for some other function keys. Smaller keyboards will need to map F13+. 
  • If you are on a PC keyboard, you can disable the Function Keys functions in System Preferences and return them to act as F1 - F4. 
  • If you don't want your function keys to always act as F1 - F4, the program FunctionFlip can be used to change your function keys back and forth on the fly. 

Accessing Keys with Shift and Alt

Some keys are mapped, but not accessible without using Shift and Alt in combination with the above Fn key/FunctionFlip.

Here are Terminal.app configs:
  • F11: Alt F6 
  • F12: Alt F7 
  • HELP: F15 on an extended keyboard or Shift F7 
  • DO: F16 on an extended keyboard or Shift F8 or Alt F11 
  • F17: Shift F9 or Alt F12 or F17 on an extended keyboard 
  • F18: Shift F10 or F18 on an extended keyboard 
  • F19: Alt F14 on an extended keyboard or F19 on an extended keyboard or map it (see below) 
  • F20: Shift F12 or Alt F15 
Some of the above work for iterm2. Here are alternate mappings:
  • F11 can be accessed with Control F11 
  • F20 will need to be mapped to a key of your choice using escape sequence [34~ 

Mapping Other Keys

Other keys can be mapped within Terminal.app or iterm2 by making a profile.
  1. For Terminal.app: 
  2. Open a terminal 
  3. Go to the Terminal menu, Preferences. 
  4. Add a new profile with the + button at the bottom left. 
  5. Name it 'OpenVMS'. 
  6. On the Text tab, adjust the colors so you can differentiate it from your other terminal windows. 
  7. On the Window tab, adjust the Window Size to 132 Columns if your terminal apps support this width. 
  8. You may need to enable the keypad mode to get access to LSE's navigation keys on the keypad (PF1+4 or 5 to seek to the bottom/top). 
On the Keyboard tab, you can add mappings to individual keys that OpenVMS needs for navigation. This is useful in LSE or other text editors. Choose a Key to map and then enter a mapping. Mappings are entered by typing a control character `Ctrl + [` (will appear as \033) followed by some additional keystrokes. The following mappings have been found and are based on this Google Groups thread:
OpenVMS Key Key Action
FIND Home \033[1~
PREV PgUp \033[5~
NEXT PgDown \033[6~
SELECT End \033[4~
F19 ^ F9 \033[33~
F20 ^ F10 \033[34~

For iterm2, use Profiles:

  • Use similar escape sequences for the FIND and similar keys as above. On Profiles, Keys tab: add a hotkey and select "Send Escape Sequence" for the action. Omit the \033 from the table above. FIND end up as "Send [1~". 
  • Enable Keypad mode for navigating in LSE. Profile, Keys, keypad mode checkbox. This only works for extended keyboards.