elektro in my head

Federleicht - On The Streets (Kollektiv Turmstrasse Let Freedom Ring RMX)

Humans (aren’t that bad) after all.

… as even economists (the scientists, not the practitioners) find/found out:
Ernst Fehr: How I found what’s wrong with economics.

Fehr studies the outcomes of economic experiments. He finds that the theoretical hard-core “homo economicus” model produces completely different (and often worse) outcomes than the empirical real-life experiments. People seem to put a certain value on fairness.

Simon Sinek: How great leaders inspire action

highly inspiring:

Simon Sinek: How great leaders inspire action

“People don’t buy what you do, they buy why you do it.”

MOTM

(Elektro Bass) Enola - Words in a Bottle

Street Photography

The Magic is in the hole — Chris Weeks

Sleep

Sleeper

Jonathan Kohl about a post-Agile world

Jonathan Kohl

What’s More Important: Being Agile or Creating Value?

Process isn’t everything, in fact it’s just a part of it.

StarTrek for the masses

The people at CERN who run the LHC are probably brighter than any of us. So they are even bright enough to show pretty pictures for those who are not so bright: StarTrek@CERN.

I don’t want to know how many demos they needed to create to get the money for the LHC. I bet they still have more than one 3D artist on board ;)

Science isn’t all flashy and colored. But it’s worth it, anyhow.

shellcodegrml

… spent the last 8h figuring out why my home-made shellcode POC segfaults …
Until I noticed that kernel+CPU enforce W^X. Damn! On the old box in the living room, without PaX, it worked :)
Dear h4cker-g0dz, plz give me a ROP-compiler.

Introducing: pwsafe

We all have passwords. Lots of passwords. Be it for hosts or websites or disk encryption. No one can memorize a thousand different passwords for every account one needs. So we have two possibilities:

  1. use a small number of default passwords or
  2. use a password manager

Most people I know choose a combination of the two. But having shared passwords between different accounts makes you very vulnerable in case of targeted attacks (or even automated attacks, if the attacker’s tool is smart). So what you really want is a different password for each and every account.

For that to work for daily use, you want an integrated wallet, like the KDE wallet, the Gnome keyring or the Firefox password manager. But for long-term archival, to look up that password you had for that old mail account somewhere, you want something separate that can hold all kinds of different passwords and is more or less platform-independent.

For a long time I maintained my list of passwords with gpg: I had an encrypted file with all my accounts. To access one of the passwords, I could do a gpg -d passwords.txt.gpg | grep username. To add or change a password, I had to save the decrypted file on disk, edit the record, encrypt the cleartext again and then shred the remaining cleartext file. This was really cumbersome.

What I really wanted was a simple, independent password manager for the command line.

This is what pwsafe is.

It has a pretty simple CLI. Every record has a group.name string as primary key and has username, password and optional notes as properties. The commands to access the records are straightforward:
pwsafe -l [REGEXP] — list passwords matching regexp
pwsafe -a group.name — add a new record
pwsafe -up [REGEXP] — print records matching regexp
pwsafe -e [REGEXP] — edit existing records matching regexp

The grouping system becomes really natural after some time. For every operation you have to enter a passphrase to decrypt the on-disk password database. The on-disk file format is compatible with the Windows tool, Password Safe.

I’ve taken a quick look at the source code. It tries to mimic the behaviour of Schneier’s Password Safe. That means it uses (OpenSSL) Blowfish in CBC mode and tries to keep the passphrase in non-swappable memory (needs suid root for that to work). The passphrase is fed directly into Blowfish as the encryption key. That means if you supply an 8-character passphrase you only get about 40^8 possible keys’ worth of randomness. So you had better choose a strong passphrase. To get at least a 64-bit strong key from about 40 keys on the keyboard you need about 12 or 13 characters.
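The arithmetic behind the “12 or 13 characters” estimate, as an added example (not code from pwsafe or the post): it contrasts the key length Blowfish nominally sees with the entropy a keyboard passphrase actually carries when it is used directly as the key. The 40-symbol alphabet is the post’s own assumption; other sizes can be passed in.

```python
import math

# Alphabet size taken over from the post: "about 40 keys on the keyboard".
# This is an assumption about the user's typing habits, not a property of pwsafe.
KEYBOARD_ALPHABET = 40


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one character drawn uniformly from alphabet_size symbols."""
    return math.log2(alphabet_size)


def passphrase_entropy_bits(length: int, alphabet_size: int = KEYBOARD_ALPHABET) -> float:
    """Entropy of a uniformly random passphrase of `length` characters.

    With the passphrase fed straight into Blowfish (no key stretching), this
    is also the effective strength of the database key.
    """
    return length * bits_per_char(alphabet_size)


def nominal_key_bits(length: int) -> int:
    """Key length the cipher sees: 8 bits per passphrase byte.

    Blowfish accepts keys of 32..448 bits, so an 8-character passphrase looks
    like a 64-bit key, but far fewer than 2**64 such keys are ever chosen.
    A brute-force search only has to cover the entropy, not the nominal size.
    """
    return 8 * length


def min_length_for(target_bits: int, alphabet_size: int = KEYBOARD_ALPHABET) -> int:
    """Shortest uniform passphrase over alphabet_size symbols reaching target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def compare(length: int, alphabet_size: int = KEYBOARD_ALPHABET) -> dict:
    """Nominal vs. effective strength for a passphrase of the given length."""
    return {
        "length": length,
        "nominal_key_bits": nominal_key_bits(length),
        "entropy_bits": round(passphrase_entropy_bits(length, alphabet_size), 1),
    }


if __name__ == "__main__":
    for n in (8, 12, 13):
        print(compare(n))       # 8 chars: a 64-bit key with only ~42.6 bits of entropy
    print(min_length_for(64))   # 13: twelve characters give 63.9 bits, just short of 64
    print(min_length_for(128))  # 25 characters for a 128-bit-equivalent key
```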

I didn’t look for any parser vulnerabilities, but so far it seems the author knows what he did and I can only recommend pwsafe :)