November 16, 2013

Is Google signing your chat messages?


A couple of days ago, my friend Tom asked me using Gmail’s Google Talk widget why one bash command worked while another didn’t. The commands looked the same, but to make sure no UTF-8 silliness was going on, I checked Adium’s debug window. There, I noticed the messages both contained an XML element I didn’t recognize, google-mail-signature:

October 8, 2013

Piercing Through WhatsApp’s Encryption (2)


My previous post received a lot of attention today and some people rightly complained that the results don’t mean much when they cannot be reproduced with an official WhatsApp client.

October 8, 2013

Piercing Through WhatsApp’s Encryption


WhatsApp has been plagued by numerous issues in their security: easily stolen passwords, unencrypted messages and even a website that can change anyone’s status. But that streak is not yet over.

September 2, 2013

The State of TLS on XMPP (3)


One important factor has not yet been covered in my two previous posts: clients. As barely any server uses a pre-defined cipher order, the order set by clients is at least as important as the cipher support of a server.

August 28, 2013

The State of TLS on XMPP (2)


To follow up on my previous post, the results for s2s encryption can be seen here, now also with XEP-0092 reported version and OS for every server.

I’ve also published the code on https://bitbucket.org/xnyhps/xmppoke. The code is still in a pretty unpolished state; many paths are hard-coded for my own machine. Note that it requires a patched luasec to be available for certain features. To properly test s2s support, you also need a certificate and key (I don’t know how trusted the certificate needs to be; for my tests CAcert was good enough).

August 26, 2013

The State of TLS on XMPP (1)


Inspired by some recent discussion on the prosody-users mailing list, I started working on a tool to investigate the strength of the encryption an XMPP server offers. https://www.ssllabs.com/ has such a test, which gives a server a grade between A and F and shows a lot of helpful information about the SSL configuration, what features might be considered weak or undesirable, issues with the chain, etc. However, this only grades HTTPS servers, with no support for XMPP.

May 16, 2013

Game Boy cartridge dumping on a Raspberry Pi - Part 2


In Part 1 I covered the materials I got; now for how I put all of them together.

I had soldered my Slice of PI/O a while ago, so all I had to solder was wires for the cartridge header.

May 14, 2013

Game Boy cartridge dumping on a Raspberry Pi - Part 1


Ever since seeing an emulator for a Game Boy Color I’ve wondered how those things can work. How can they take a cartridge, a little box full of electronics, and turn it into a program you can run on a normal computer? Surely a cartridge can do anything it wants, so what magic is used to turn that into a file?

April 2, 2013

XMPP federation over Tor hidden services


Suppose you’re trying to chat with your friends in a totalitarian country and you want the government to learn as little as possible about you and your friends. How can you achieve that?

February 19, 2013

mutt & Keychain.app


I recently decided to give mutt a try. The lack of an updated GPGMail for Mountain Lion (donating to receive a beta version that might never get released? No thanks), and the instability of Thunderbird made me look for a flexible mail client with good GPG support.

This is not a review of mutt, though. I haven’t used it long enough to decide. All I wanted to point out is that the horribly ugly hacks for using passwords stored in the OS X Keychain in mutt are not necessary anymore: security, the command-line interface to Keychain, has had a -w flag since Mountain Lion, which prints just the password and nothing else.
