
Search results for cryptographic method: 1 - 40 of 92

  • Fermat attack on RSA - Qiita

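    • I thought Eve was to blame for everything | blog.jxck.io

      Intro To everyone who regularly reads this blog, and to everyone in the security community: I would like to take this opportunity to apologize for my inappropriate references to "Eve" and for the dishonorable way she has been treated in my writing. Alice and Bob When explanations of networking and security liken a protocol's sending and receiving to a dialogue between two people, it is customary to call one party Alice and the other Bob. This convention has long been used in the industry, and Alice and Bob have kept up their dialogue in every kind of document, from private notes to hands-on practice. The one quietly eavesdropping on the conversation between these two is "Eve". The reason Eve appears abruptly, skipping C (Charlie) and D (Dave), is that her name derives from Eavesdropper, meaning one who listens in, and that Charlie and Da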
      • The state of HTTP in 2022

        At over thirty years old, HTTP is still the foundation of the web and one of the Internet’s most popular protocols—not just for browsing, watching videos and listening to music, but also for apps, machine-to-machine communication, and even as a basis for building other protocols, forming what some refer to as a “second waist” in the classic Internet hourglass diagram. What makes HTTP so successful

        • Why UUIDs won't protect your secrets

          This post is part of a collection on UUIDs. What is IDOR? Indirect Object Reference (IDOR) occurs when a resource can be accessed directly by its ID even when the user does not have proper authorization to access it. IDOR is a common mistake when using a separate service for storing files, such as a publicly readable Amazon S3 bucket. The web application may perform access control checks correctly

          • GitHub - modelcontextprotocol/servers: Model Context Protocol Servers

            Official integrations are maintained by companies building production ready MCP servers for their platforms. 21st.dev Magic - Create crafted UI components inspired by the best 21st.dev design engineers. 2slides - An MCP server that provides tools to convert content into slides/PPT/presentation or generate slides/PPT/presentation with user intention. ActionKit by Paragon - Connect to 130+ SaaS inte

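            • Understanding the security aspects of Bluetooth communication implementations in 4 steps + 1 - GMO Flatt Security Blog

              Bluetooth is a trademark of Bluetooth SIG, Inc. in the United States. Intro BLE communication Overview GATT profile Pairing Vulnerability 1: Plaintext communication caused by incorrectly specified characteristic permissions Perspective: GATT characteristics and attributes Countermeasure: Assign the encryption-required attribute to the characteristic Vulnerability 2. Brute-forcing encrypted communication in Legacy Pairing Key generation and key exchange in LE Legacy Pairing Generating the TK Generating the random values Generating the STK/LTK Perspective: Decrypting the link by eavesdropping on the pairing flow Practice: brute-forcing the TK and decrypting traffic with existing tools Countermeasure: Legacy vs Secure Connection Vulnerability 3. Peripheral spoofing with Just Works in Secure Connection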
              • Summary of new features in Java 25 - Qiita

                Java 25 was released on 2025/9/16. Java 25 / JDK 25: General Availability Oracle Releases Java 25 The Arrival of Java 25 It is an LTS release with many changes since Java 21, so I expect it to be a version that stays in use for a long time. The big items this time are the simplified main method and module-level imports becoming final. In fact, nothing else looks likely to have a major impact. Being able to write IO.println, when writing code in an environment where completion does not work

                • Security Incident December 2022 Update - LastPass - The LastPass Blog

                  Please refer to the latest article for updated information. Update as of Thursday, December 2
                  • How does Google Authenticator work? (Part 1)

                    This post is the first in a three-part series. The remaining two: How does Google Authenticator work? (Part 2) How does Google Authenticator work? (Part 3) When you’re accessing services over the WEB – let’s pick GMail as an example – a couple of things have to happen upfront: The server you’re connecting to (GMail in our example) has to get to know who you are. Only after getting to know who you

                    • A Guide to Secrets Management with GitOps and Kubernetes

                      Rationale The entire premise behind GitOps is to use Git as the source of truth for infrastructure and application configuration, taking advantage of Git workflows, while at the same time, having automation that realizes the configurations described in Git repositories (GitOps operators when we are deploying to Kubernetes). That said, both infrastructure configuration and application configuration

                      • The GNU Name System

                        The GNU Name System Abstract This document provides the GNU Name System (GNS) technical specification. GNS is a decentralized and censorship-resistant domain name resolution protocol that provides a privacy-enhancing alternative to the Domain Name System (DNS) protocols. This document defines the normative wire format of resource records, resolution processes, cryptographic routines, and security

                        • Claude Mythos Preview \ red.anthropic.com

                          Assessing Claude Mythos Preview’s cybersecurity capabilities April 7, 2026 Nicholas Carlini, Newton Cheng, Keane Lucas, Michael Moore, Milad Nasr, Vinay Prabhushankar, Winnie Xiao Hakeem Angulu, Evyatar Ben Asher, Jackie Bow, Keir Bradwell, Ben Buchanan, David Forsythe, Daniel Freeman, Alex Gaynor, Xinyang Ge, Logan Graham, Kyla Guru, Hasnain Lakhani, Matt McNiece, Mojtaba Mehrara, Renee Nichol, A

                          • YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

                            The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday. The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authent

                            • Hive ransomware gets upgrades in Rust | Microsoft Security Blog

                              April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0237 is now tracked as Pistachio Tempest. To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming

                              • RFC 9562: Universally Unique IDentifiers (UUIDs)

                                 Internet Engineering Task Force (IETF) K. Davis Request for Comments: 9562 Cisco Systems Obsoletes: 4122 B. Peabody Category: Standards Track Uncloud ISSN: 2070-1721 P. Leach University of Washington May 2024 Universally Unique IDentifiers (UUIDs) Abstract This specification defines UUIDs (Universally Unique IDentifiers) -- also known as GUIDs (Globally Unique IDentifiers) -- and a Uniform Resou

                                • FragAttacks: Security flaws in all Wi-Fi devices

                                  Introduction 11 May 2021 — This website presents FragAttacks (fragmentation and aggregation attacks) which is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within range of a victim's Wi-Fi network can abuse these vulnerabilities to steal user information or attack devices. Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard

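                                  • Email technology transfer: we held a mail protocol study group as a team

                                    Hello, this is Takizawa from the Technology Development Office. The infrastructure systems team in the Technology Development Office held an email protocol study group, so I will give an overview of it here. This article covers what we did rather than the content of the protocols. The RFCs I asked the members to look into are listed in the appendix, and I hope they serve as a reference for people or organizations who want to learn about mail protocols. Background Last month (November 2022), the infrastructure systems members of the Technology Development Office completed the build and migration of our company's mail server. The team consisted of one veteran (me), one mid-level engineer, and two newcomers. As for mail servers, the members other than me either had operations experience only or had no build or operations experience at all. For that reason, the biggest challenge at the start of this migration project was technology transfer to the members and their acquisition of skills concerning email (hereafter simply "mail")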

                                    • Testing a new encrypted messaging app's extraordinary claims

                                      How I accidentally breached a nonexistent database and found every private key in a 'state-of-the-art' encrypted messenger called Converso I recently heard this ad on a podcast: I use the Converso app for privacy because I care about privacy, and because other messaging apps that tell you they're all about privacy look like the NSA next to Converso. With Converso, you've got end-to-end encryption,

                                      • WebKit Features in Safari 18.0

                                        Contents: New in Safari 18, Web apps for Mac, CSS, Spatial Web, HTML, JavaScript, Web API, Canvas, Managed Media Source, WebRTC, HTTPS, WebGL, Web Inspector, Passkeys, Safari Extensions, Apple Pay, Deprecations, Bug Fixes and more, Updating to Safari 18.0, Feedback. Safari 18.0 is here. Along with iOS 18, iPadOS 18, macOS Sequoia and visionOS 2, today is the day another 53 web platform features, as well as 25 deprecations and 209 resolve

                                        • AMD TPM Exploit: faulTPM Attack Defeats BitLocker and TPM-Based Security (Updated)

                                          Original Article, 9:16am PT : A new paper released by security researchers at the Technical University of Berlin reveals that AMD's firmware-based Trusted Platform Module (fTPM / TPM) can be fully compromised via a voltage fault injection attack, thus allowing full access to the cryptographic data held inside the fTPM in an attack called 'faulTPM.' Ultimately this allows an attacker to fully compr

                                          • On Developing OAuth

                                            PostgreSQL 18 ships with a new framework for supporting OAuth 2.0, which is an open authorization system that has seen wide use on the Internet for years. I posted my first proof-of-concept for this back in 2021, so it’s been a long road, and I’m both excited and nervous to see it out in the wider world for the firs

                                            • Passkeys: A Shattered Dream

                                              At around 11pm last night my partner went to change our lounge room lights with our home light control system. When she tried to login, her account couldn't be accessed. Her Apple Keychain had deleted the Passkey she was using on that site. This is just the icing on a long trail of enshittification that has undermined Webauthn. I'm over it at this point, and I think it's time to pour one out for P

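                                              • Implementing Passkeys in Rails to fully understand them, with Remix - STORES Product Blog

                                                This article is the day 22 entry of the STORES Advent Calendar 2023. Hello, I'm Natsume, an engineering manager on the STORES reservations development team. Passkeys have recently been adopted by various services, and I can feel the momentum. Personally I use the 1Password password manager, and I have been trying Passkeys since 1Password added support for them. Logging in with Passkeys only saves about one step compared with autofill of ID/PW/OTP, but I think the login experience is good, and wherever it has been introduced I keep switching over. Most services offer it alongside ID/PW, so it looks like it will be a while before we can enjoy the security benefits. Personally, the actual behavior of Passkeys and when introducing them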
                                                • How decentralized is Bluesky really? -- Dustycloud Brainstorms

                                                  Recently due to various events (namely a lot of people getting off of X-Twitter), Bluesky has become a lot more popular, and excitement for its underlying protocol, ATProto, is growing. Since I worked on ActivityPub which connects together Mastodon, Sharkey, Peertube, GotoSocial, etc, etc, etc in the present-day fediverse, I often get asked whether or not I have opinions about ATProto vs ActivityP

                                                  • Open source security at Astral

                                                    Astral builds tools that millions of developers around the world depend on and trust. That trust includes confidence in our security posture: developers reasonably expect that our tools (and the processes that build, test, and release them) are secure. The rise of supply chain attacks, typified by the recent Trivy and LiteLLM hacks, has developers questioning whether they can trust their tools. To

                                                    • Go 1.20 Cryptography

                                                      The first second release candidate of Go 1.20 is out! This is the first release I participated in as an independent maintainer, after leaving Google to become a professional Open Source maintainer. (By the way, that’s going great, and I’m going to write more about it here soon!) I’m pretty happy with the work that’s landing in it. There are both exciting new APIs, and invisible deep backend impro

                                                      • ISP Column - October 2022

                                                        There is a common view out there that the QUIC transport protocol (RFC 9000) is just another refinement to the original TCP transport protocol [1] [2]. I find it hard to agree with this sentiment, and for me QUIC represents a significant shift in the set of transport capabilities available to applications in terms of communication privacy, session control integrity and flexibility. QUIC embodies a

                                                        • The Go Programming Language and Environment – Communications of the ACM

                                                          Go is a programming language created at Google in late 2007 and released as open source in November 2009. Since then, it has operated as a public project, with contributions from thousands of individuals and dozens of companies. Go has become a popular language for building cloud infrastructure: Docker, a Linux container manager, and Kubernetes, a container deployment system, are core cloud techno

                                                          • Gwtar: a static efficient single-file HTML format · Gwern.net

                                                            Gwtar is a new polyglot HTML archival format which provides a single, self-contained, HTML file which still can be efficiently lazy-loaded by a web browser. This is done by a header’s JavaScript making HTTP range requests. It is used on Gwern.net to serve large HTML archives. Archiving HTML files faces a trilemma: it is easy to create an archival format which is any two of static (self-contained i

                                                            • Emulating an iPod Touch 1G and iPhoneOS 1.0 using QEMU (Part I) | Martijn de Vos

                                                              Around a year ago, I started working on emulating an iPod Touch 1G using the QEMU emulation software. After months of reverse engineering, figuring out the specifications of various hardware components, and countless debugging runs with GDB, I now have a functional emulation of an iPod Touch that includes display rendering and multitouch support. The emulated device runs the first firmware ever re

                                                              • New BitM Attack Lets Hackers Steal User Sessions Within Seconds

                                                                A sophisticated cyberattack technique known as Browser-in-the-Middle (BitM) has emerged, enabling hackers to bypass multi-factor authentication (MFA) and steal user sessions in mere seconds. This method exploits web browser functionalities to hijack authenticated sessions, posing a significant threat to organizations relying on traditional security measures. BitM attacks mimic legitimate browsing

                                                                • Java 25 released: beginner-friendly features, shorter startup time, and more | gihyo.jp

                                                                  The JEPs that are Preview or Experimental are listed below. 470: PEM Encodings of Cryptographic Objects (Preview) 502: Stable Values (Preview) 505: Structured Concurrency (Fifth Preview) 507: Primitive Types in Patterns, instanceof, and switch (Third Preview) 508: Vector API (Tenth Incubator) 509: JFR CPU-Time Profiling (Experimental) This article mainly gives brief explanations of the Standard JEPs. New features in Java 25 Beginner-friendly features Java is said to be a language with a high barrier for beginners. The reason for that
                                                                  • How Discord Rolled Out Yubikeys for All Employees

                                                                    Have you ever found a user at your company who actually likes using multi-factor authentication (MFA), either time-based one-time passwords (TOTP) or push-based MFA? Either method adds friction for users by necessitating a second device for logins while increasing the cost to attackers. However, both have problems. SMS MFA is widely regarded as insecure because of the proliferation of SIM jacking

                                                                    • News from WWDC24: WebKit in Safari 18 beta

                                                                      Jun 10, 2024 by Jen Simmons, Jon Davis, Karl Dubost, Anne van Kesteren, Marcos Cáceres, Ada Rose Canon, Tim Nguyen, Sanjana Aithal, Pascoe, and Garrett Davidson. Contents: WebXR, CSS, Web apps for Mac, Safari Extensions, Spatial media, HTML, Media, WebRTC, Passkeys, HTTPS, JavaScript, Web API, Canvas, WebGL, Web Inspector, WKWebView, Apple Pay, Deprecations, Bug Fixes and more, Help us Beta Test, Feedback. The last year has been a great one

                                                                      • Go 1.19 Release Notes - The Go Programming Language

                                                                        Introduction to Go 1.19 The latest Go release, version 1.19, arrives five months after Go 1.18. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Changes to the language There is only one small change to the language, a

                                                                        • The massive bug at the heart of the npm ecosystem

                                                                          Disclosure: I was the Staff Engineering Manager for the npm CLI team between July 2019 & December 2022. I was a part of the GitHub acquisition of npm inc. in 2020. I left GitHub, for various reasons, in December. tldr; a npm package's manifest is published independently from its tarball; manifests are never fully validated against the tarball's contents; the ecosystem has broadly assumed the contents of

                                                                          • PuTTY vulnerability vuln-p521-bias

                                                                            summary: NIST P521 private keys are exposed by biased signature generation class: vulnerability: This is a security vulnerability. priority: high: This should be fixed in the next release. absent-in: 0.67 present-in: 0.68 0.6

                                                                            • Nostr and ATProto - Shreyan Jain

                                                                              This post could’ve been titled “Nostr vs ATProto”, but that really isn’t what I wanted to do here. While I will be comparing and contrasting them a lot, and that’s kind of even the point of writing this, I didn’t want to really pit the two against each other at all, and especially not with the title. I also want to try avoiding commenting on the differences between the communities that have formed

                                                                              • Mozilla's Vision of the Web

                                                                                Mozilla’s vision for the evolution of the Web March 23, 2022 Mozilla's mission is to ensure that the Internet is a global public resource, open and accessible to all. We belie
                                                                                • Fermat Attack on RSA

                                                                                  Paper Fermat Factorization in the Wild, background paper published at the Cryptology ePrint Archive (2023-01-09). Introduction In 1643, Pierre de Fermat developed a factorization algorithm. The algorithm allows efficient calculation of the prime factors of a composite number that is the product of two "close" primes. The RSA encryption and signature algorithm relies on the fact that factorization
