21Mar/16
Hamachi Logo

Getting Hamachi working with the Raspberry Pi 3

I have been using Hamachi since first hearing about it on Security Now, over 10 years ago.  Hamachi is a hosted virtual private network solution that can create links with devices that are behind NAT firewalls.  Hamachi is able to do so by using server-assisted NAT traversal.  I mostly use it to access virtual machines from outside of my house. Continue reading

22Dec/15

Why are the default credentials in the realm attribute?

Recently, I was poking around on Shodan (as I do when I am bored) and I stumbled across an interesting query.  If you search for “Default: admin/1234”, you get over 14,000 devices that are broadcasting their own default username and password.  The devices appear to be Edimax routers.  I reached out to both EmbedThis and Edimax to ask them about this.  EmbedThis said that it was added by the device manufacturer and Edimax neglected to respond to me.

Basic Auth Box

Default usernames and passwords are not a secret.  There are entire websites out there that catalog default usernames and passwords for devices but Edimax made it so that you did not even need to know the make and model of the device.  All you need to do it read the text on the authentication box.

02Nov/15
w3c logo

How to generate keys with the Web Cryptography API

I have been playing around with the Web Cryptography API a lot lately.  My most recent post was about getRandomValues().  I wanted to take a moment to investigate two more methods: generateKey() and exportKey().  The generation of a good cryptographic key is fairly fundamental.  I wrote up a short demo app, to demonstrate how the two functions work.

The code outputs to the console, so make sure to have Firebug open when you run the app.  Also, keep in mind that the Web Cryptography API is not fully supported in every browser, so not all of the functions in this demo will work everywhere.  I added in a description box for the crypto algorithms, so you can see the details of each one.

Have any questions? Feel free to drop a comment, below.

19Oct/15
w3c logo

Generating random numbers with the Web Cryptography API

The W3C has been working on a Web Cryptography API for a while, now.  The current version (11 December 2014) is their “Candidate Recommendation”.  As such, I would not necessarily consider it fully ready for primetime but that does not mean that we can not play around with it a bit.  I figured that today, we should take a check out getRandomValues().

According to MDN, “To guarantee enough performance, implementations are not using a truly random number generator, but they are using a pseudo-random number generator seeded with a value with enough entropy.”  You do not want to use this method to generate encryption keys (especially since generateKey() is available within the same API).  I think that this method is more foundational than anything.  It is just meant to be part of the plumbing.

Like usual, you can find the code behind my example here or check out the final result here.

Have some thoughts? Drop a comment below.

02Sep/15

How to use FileReader() to generate data URLs

These days, the lines between the web and the local environment can be very blurry.  There is a web API called FileReader() that nicely adds to that blurriness.  It lets you asynchronously read the contents of a file on the user’s computer.  I am going to show you one way of using it.

 

 

So, what am I doing, here?  There is an input tag that is set up to accept images.  It triggers openFile() onChange.  The openFile() function looks at the first (and only) file supplied and reads it as a data URL.  The function then changes the innerHTML of the “TheImageContents” div to contain an img tag that uses the data URL as the source.

The code behind this demo is available on jsFiddle and Github Gist or you could just test the final result on jsFiddle.