Site Archives

About me, the site, and its content

Presentations, Papers, other data

General topics and post types

Longer-term special projects and interests

On a recent Accidental Tech Podcast member special, John Siracusa unknowingly nerd-sniped me when he mentioned adding Dark Mode to his website. This sent me down a lengthy path of improvements and fixes to this site.

A couple months ago, I identified a (likely) bug in Intel versions of macOS Sequoia. How’s that been going? Though it’s faked me out a couple times…the bug is still here, and still just as bad.

You’ve got a big logfile, and something weird is happening, but you don’t know what. There’s lots of data there, and you’re sure there are patterns. How can you make sense of the chaos, quickly, when you really don’t even know where to begin? Sometimes, you just need The Old Tools.

After a lot of exploration and experimentation, I’m finally closing in on a strategy that, if it won’t SOLVE the problems Ive been having, should at least mitigate them.

My Mac’s disk has been filling up. I think I figured out where the problem was, but spent a week collecting data to be sure. Now I’m more confident, but also more confused.

My Mac Mini’s disk kept filling up. A lot. Even after I got rid of crap, it filled up again. Multiple gigs in just a day. What the hell is going on?

My decade-old NAS finally conked out. Just how easy is it, really, to move the drives to a newer unit? Let’s find out.

Still poking around the Noise Storm rabbit hole. I think I’ve figured out the four main packet types in this storm.

GreyNoise has been seeing crazy noise storms full of pings for years. I may have figured out what some of them are.

A year ago, I got laid off. It’s been a weird ride since then…

Writing the firmware for a NeoTrellis keypad to allow it to send and receive MQTT controls, and dealing with keypad library read/write conflicts.

Introduction to a series about a 16-key remote-control MQTT keypad

Building a board generator for Codenames as a fun diversion

Pulling the whole series together to demonstrate the 1Password vault system from unlock to item decryption

Slides from my BSidesDE talk, November 9, 2018. A detailed description of how 1Password client unlocking and shared vault encryption works.

Finishing the Inside 1Password series with some miscellaneous topics

Looking at how Local Vaults are encrypted, and how that affects unlocking 1Password clients

How 1Password’s shared vaults work

How the Encrypted Master Key works to unlock the Windows 1Password client

The Master Unlock Key and unlocking 1Pass on macOS

Beginning of a deep dive into how 1password works

How to properly encrypt EICES-format messages to be decrypted by the iOS and macOS Secure Enclave system

I had way too many conference badges hanging from a stuffed moose head. So I built a nice display for my office.

My 3D Blu-Ray stopped working. It took an hour to figure out the stupid simple cause.

I’ve been waiting for this eclipse for nearly 40 years. Here’s how I got to see it firsthand.

The key to decrypt the firmware for the Secure Enclave Processor (SEP) on the iPhone 5S has been disclosed. It’s actually potentially a good thing.

I decided the site needed a visual overhaul, and didn’t want to keep hacking the old engine, so found a new one.

Adding a Fully Jarvis J3 standing desk frame to my IKEA desk

ShmooCon 13 Badge contest, scoring, solutions to the puzzles.

Just the challenges from the 2017 ShmooCon badge puzzle / contest. No spoilers.

Slides from my BSidesROC talk, April 23, 2016. An overview of how iOS encryption works, with emphasis on passcoes and potential attacks.

A rough introduction to how poem codes work and how they may have been used in practice by SOE agents in WWII.

A high-level summary of what we know, what we think we know, and what we know we don’t know, as well as some words of caution.

A first, rough look at a new mobile app authentication service from Trail of Bits

A quick, simple rig to film a time-lapse video of snow piling up on my desk in a blizzard.

Slides from my ShmooCon talk, January 17, 2016. A detailed overview of how Digest, NTLM, and OAuth work in the context of web and mobile applications.

Yet another uninformed, unrealistically idealistic rant about how things *ought* to be. Most readers will probably strongly disagree.

A discussion of ideas I’ve been kicking around about security research in general, and how current CyberUL speculation fits in.

A new service called Blind Hashing, that incorporates salts taken from petabyte-sized cloud databases, hopes to make password cracking obsolete.

Nails in the Crypt – White Paper

The Lenovo-installed SuperFish man-in-the-middle malware has me thinking again about how the CA system is still broken.

Slides from my ShmooCon talk. A short review of multiple iOS apps and how they handle server authentication, looking at both network use and on-device storage of credentials.

DerbyCon 2013 – Apple TV and Raspberry Pi Slides

A bug in iOS (fixed in 8.1.1) allows a well-timed reboot to bypass the forced lockout timeout, allowing for multiple PIN attempts.

The parties have made voting even more of a hassle, and more infuriating, than the months of attack ads we endure.

Videos of people breaking into cars, and reports of hijacked dealer equipment. Real-world example of why backdoors are bad?

MCX – a lousy substitute for proven technology

If you’ve enabled SMS forwarding on your iPhone, you might want to ensure that messages don’t get displayed on your Mac when it’s locked.

A response from Apple downplays security concerns raised over how Spotlight search works on Yosemite.

Slides from a quick NoVA Hackers talk I pulled together based on recent blog posts about Apple iOS encryption and privacy changes.

The “Apple can’t decrypt devices for law enforcement” conversation continues to spawn excellent posts and explanations.

Making sense of how iOS encryption works, especially what’s changed in iOS 8 and how Apple made it harder for law enforcement, can be difficult. I’ll try to help.

Advertising companies are placing Bluetooth beacons in New York City phone booths. Forbes explains this isn’t quite as scary as many think.

My HVAC system is constantly failing. I’m building a system to closely monitor temps so I can catch failures earlier. After only a couple days with rough prototypes I’m already learning something useful.

A fun set of (reasonably) quick crypto, puzzle, and hacking challenges from Praetorian.

Quick description and demo videos for activity hijacking to steal user-entered data like passwords, credit card numbers, and check images. Includes links to USENIX paper.

A badge puzzle / mini CTF at BSidesLV 2014. Created by Zack Fasel, sponsered by Urbane Security, won (somewhat soundly) by Darth Null.

Just the challenges for the 2014 BSides Las Vegas badge puzzle / contest. No spoilers.

Quick review of BSidesLV Talk, in which they describe problems with the Mersenne Twister and other similer pseudo-random number generators.

Paypal mobile app authenticates, then kicks you out because it’s not two-factor compliant. They show how to leverage this into non 2FA access.

A quick overview of changes to iOS configuation profile settings in the current iOS 8 beta.

Lots of press recently about a potentially serious malware called Svpeng. A nice case study in the use of FUD in mainstream tech press.

A consolidated list of known malware for iOS. Depending on your definition of malware.

Last year, Apple introduced advanced power saving techniques. Can they do the same for memory? There’s never enough to smoothly switch between apps. If they can fix that, a world of opportunities opens.

VPNs which require 2-Factor Google Authenticator codes are a pain to start up in Tunnelblick on OS X. Here’s a script to make it easier.

Recent reports of users getting locked out of their iOS devices, probably due to compromise of their Apple ID password.

Backing up iOS devices to iCloud is still opaque and unreliable. And iTunes Wi-Fi backups just don’t work at all.

Running your own server to protect the anonymity and content of your email is great, as long as nobody else you exchange messages with uses Gmail. How many of your emails are also on a Google server?

Mail.app’s protection against loading images on suspected SPAM messages is broken when forwarding the email to a spam-reporting service.

Dark Reading article on the DBIR Puzzle

Shared files, hidden by the obscurity of their URLs, may be revealed to third parties if the files contain a link to an external site. The remote site can find the file via the referrer header.

How we set up multiple personal iCloud accounts for the family, and a couple of shared accounts for parents and kids.

A quick list of some of the puzzles or contests that I’ve won, with links to writeups (when they exist).