Ben Tasker's Blog

Twitter Jail: My Memoirs

Sometimes life throws you an opportunity. A quick search on the net suggests that whilst many celebrities have written about their time inside bricks and bars prison, no-one's had the foresight to document their time in something more modern.

I've been thrown in Twitter Jail, with all privileges withdrawn pending appeal. In physical jail, you can still watch the other inmates, but in Twitter jail if you have the temerity to appeal they blind you until the appeal is concluded.

This is a tongue-in-cheek record of my time in Twittertraz - with some very strong language within.


A small reminder of Legitimate URLs for my content

I've had some reports come in of my site not loading correctly via an onion (Tor) address.

Upon further inspection, it's not actually an address operated by me, but one run by someone trying to ride on the back of my content to extract ad revenue. For the avoidance of doubt, 6zdgqjwwmjiphye3.onion is not legitimate.


The Curious Case of BitFi and Secret Persistence

For some slightly obscure reasons I've recently found myself looking at the Bitfi hardware wallet and some of the claims the company make, particularly in relation to whether or not it's actually possible to extract secrets from the device.

The way the device is supposed to work is that, in order to (say) sign a transaction, you use an onscreen keyboard to enter a salt, and a >30 char passphrase.

The device then derives a private key from those two inputs, uses it and then flushes the key, salt and passphrase out.

Each time you want to use the device, you need to re-enter salt and passphrase - the idea being that if it never stores any of your secrets, then there's nothing to extract from a seized/stolen device. 

From Bitfi's site we can see this wrapped up in marketing syntax:


The Bitfi does not store your private keys. Ever. Your digital assets are stored on the Blockchains, when you want to make a transaction with your assets (move them, sell them, etc.) you simply enter your 6-character (minimum) SALT and your 30-character (minimum) PASSPHRASE into your Bitfi Legacy device which will then calculate your private key for any given token “on-demand” and then immediately expunge that private key.

For various reasons (see Background) I was somewhat dubious about the veracity of this claim, and ultimately ended up looking over their source code in order to try and verify it.

This post details the results of that examination. The following items should be noted:

  • Although not explicitly vulnerabilities, the issues noted below have been submitted in advance to the Bitfi dev team (I did ask previously via email whether email or Bitfi.dev was preferable for raising issues).
  • Incomplete sources are published on Bitfi.dev - example here, so although I include code snippets in this post, it's updated versions of code that's already public - I'm not simply publishing their code on the net :)
  • I probably will make some mistakes: I've been ill, so focusing is hard, and I dislike C# so it's more than possible something's changed without me realising.
  • This is the result of a fairly short code review, and in no circumstances should be viewed or characterised as a full audit.
  • In the sources, code version shows as v112

The result is a long analysis, so some may prefer to jump to the Conclusion.  


Last Night's Storm

We had an awesome double thunderstorm last night, it ran for well over an hour.

I'd been drinking so couldn't drive out to stand and watch from a field, but this post has some gifs of what I did capture.


Configuring Pi-Hole to update blocklists more regularly

By default Pi-Hole updates its block lists once a week.

Broadly speaking, this is fine for blocking Ad domains (although the recent trend towards advertisers generating new domains does undermine that a bit).

But, if you've added a Phishing block list (as detailed in Building Your Own DNS over HTTPS Server), this is far less optimal - Phishing domains tend to do the majority of their damage during the first 24 hours, so only getting an update into the blocklist (potentially) 7 days later isn't much use.

In this post we'll walk through the (simple) procedure to have Pi-Hole update the gravity lists more frequently.
