Philippe Oechslin

@thorsheim @BSidesLV I was looking for a name that was easier to remember than tables-where-the-reduction-function-changes-with-each-column 😀

@thorsheim @BSidesLV In both cases, if you have a collision within the same color it is merge, if it is in two different colors, it is only a colision. So they have the same coverage. But the rainbow table needs half as many hashes in the worst case and even much less if you're aiming for high prob

Hey @tradeoph, we got a question here at #PasswordsCon @BSidesLV yesterday that nobody could answer properly, but I thought of you: “Why is it called rainbowtables?”

@starbuck3000 Weather Underground a des données historiques, p.ex. Genève wunderground.com/history/daily/…

Question: où obtenir la météo de la veille? (p.ex. températures dans une ville Suisse 1 à 2 jours plus tôt)

@smetille @derBeauftragte Très souvent les données son seulement chiffrées au repos. Si les attaquants ont eu accès au compte d'une personne ayant accès aux fichiers, les fichiers auront été déchiffrés automatiquement par le système.

On peut se demander comment les données ont été déchiffrées...? Le @derBeauftragte n'a pas encore communiqué mais on peut imaginer qu'il va d'office ouvrir une procédure

Le @GovCERT_CH confirme que les données dérobées à l'entreprise informatique #Xplain et conservées sous une forme chiffrée comprenaient bien des données opérationnelles de l'administration fédérale. ces données ont été publiées sur le #darknet admin.ch/gov/fr/accueil…

@veorq I've seen it defined as "authenticity of origin and content", e.g. in Matt Bishop's Computer Security, Arts & Science

beginner crypto question: how to best call signature's security property? "non-repudiation" isnt good – when's the last time you wish you could repudiate a sig? sounds legalese but unusable as evidence it's more a mix of "identity binding" and "content commitment"

@veorq Beware of the attack of the European Central Bank (seen in the syllabus of a crypto training)

I am the only one to think that the real issue is Windows using an unsalted, single-round hash in 2023. With salt, it would have taken 18k longer to crack 18k passwords. 5k rounds like Linux or MacOS makes it another 5k times slower, 90 million times slower in total

@Reversity homeassisant! cool, one of my favorite proscrastinations.

@jmgosney @Sc00bzT @Evil_Mog @godacity_ @TinkerSec @strategy_rpg @seventhsec For the example above (8 char NTLM) ,it takes one minute to crack the password with 2.5TB of rainbow tables on SSD and 48 CPU threads. The RT stores 0.0004 bytes per password.

@Sc00bzT @Evil_Mog @godacity_ @TinkerSec @strategy_rpg @seventhsec @tradeoph I was talking about creating a 1:1 map of hash:plains, like a massive potfile, which is what most people envision when they think of rainbow tables.

@cynicalsecurity Contrary to v3, NFSv4 not only signs the command but also the parameters. So we can't play funny games with the parameters anymore.

@tradeoph Ooh, that's sweet - do you also speak NFSv4?

We have finally published Tproxy (objectifsecurite.gitlab.io/tproxy/) our generic TCP interception proxy (think Burp for TCP): TLS handling, wireshark dissection, intercept and modify by hand or with scripts in GUI or CLI. There is a complete doc with demos (objectifsecurite.gitlab.io/tproxy/Demos/)

@modulo_p_sa congrats!

Hello world !

@veorq Reminds me of the day I learned that generation parameters are often stored in private keys to make calculations more efficient. Then you can get the public key from the private key and can't swap the roles of the private and public keys. Reality is not like text book crypto.

loving signature verification instructions that show you how to instantiate a public key object by deriving it from a private key

@MjHillEditor ..and they only work for unsalted hashes, which no sane system uses anymore. OTOH, our online demo objectif-securite.ch/en/ophcrack cracks 8char windows passwords in 60s avg on a dual proc server. This is equivalent to about 200 dual RTX3090, so we got that going for RT, which is nice.

Starting a new project exploring the various ins & outs of Rainbow Tables. Looking for insight & comment from those with knowledge on the topic. Get in touch for more! #Password #Security

@MjHillEditor Do not hesitate do DM me if you have any questions about Rainbow tables. The biggest limitations are that the effort is linear in the number of hashes to crack, that they crack a fixed set of passwords and that you can't benefit from GPU because of the large amount of data

@thorsheim @abditum @kennwhite @hashcat Having said that, I also use hashcat as soon as there are more than a dozen hashes and for dictionary based attacks.

@thorsheim @abditum @kennwhite @hashcat The death of RT has been greatly exaggerated. Our online demo still cracks 8 MixedCaseSpecialChars in 60 seconds average on two CPUs. How many GPUs would you need for this?