RNG, PRNG and Entropy: Why Your Software's “Chaos” is Probably Broken

A game developer proudly claims their procedurally generated worlds are “infinitely unique”… until players find the same mountain repeating on level three. A blockchain touts “provably fair” randomness… until someone exploits predictable seeds to drain $170,000. A security team deploys “military-grade encryption”… only to discover their keys were generated by a Mersenne Twister.

Here’s the brutal truth: there’s no real randomness in software. Every “random” number you generate comes from a pseudo-random number generator (PRNG)—a clever algorithm pulling numbers out of a very predictable hat. It’s like watching a magician perform card tricks: it looks random, but behind the scenes, it’s all carefully scripted.

Welcome to the paradoxical world of randomness in software, where the foundations of fair games, secure encryption, and reliable blockchains hinge on something that’s fundamentally fake. Let’s dive into why entropy management is so often a disaster and how to build systems that don’t fall apart under their predictability.


Distributed Systems Architecture: Authentication, authorization and ping-pong nonsense.

In the last post we explored the problems of accepting connections in high concurrency applications.
One of the significant points in opting for asynchronous queue-digester-based solutions is, in my opinion, the management of the client-server relationship from the point of view of authentication, authorization, limitations, etc.

This reflection did not take long to bring to my mind the hell of authorization flows in distributed systems and how complex (and absurd) they turn out to be.

In this article we will try to summarize authorization flows, the complications we have in distributed architectures and what, from my point of view, is an alternative solution to address them once and for all.


Hiding malware in Windows – The basics of code injection

There are hundreds of teams working professionally to break into every kind of digital device and compromise sensitive data without leaving a fingerprint. The malware industry is bigger than you might think: more than 4,000 ransomware attacks have occurred every day since the beginning of 2016, and far more system compromises in general.

I remember viruses in Win95 where you got a frozen screen, a broken OS or a BSOD; that’s not the case anymore. Today, access violations leave no trace and usually patch the vulnerabilities behind them so no other malware can take control of the system.
A guy I met once told me that “the best AV you could ever have is a harmless virus”. I don’t fully agree, but that sentence hides a bit of truth.

But how can this malicious code run freely on a host machine without the user noticing?

Practical SHA-1 signature collision

Yesterday, 2017/02/23, Google’s security team announced the first real collision attack against the SHA-1 algorithm. The technique used, albeit hard to perform and even harder to pay for (110 GPUs running 24 hours per day for an entire year), is enough to demonstrate that the algorithms and protocols that sustain the internet and our whole lives are not secure anymore.


What is Buffer Overflow vulnerability and how do we exploit it.

Buffer overflow is probably the most feared security hole in software, since it’s not just a development issue (it is) but also a language standard library “error”. This makes buffer overflow vulnerabilities hard to spot and fix, and ridiculously powerful.
But what is a buffer overflow vulnerability and how do we exploit it?


Camouflaging Windows malware

It’s a fact, I’m in love with malware. As a researcher I want to understand how things work and sometimes, those things are not just usual software but viruses, exploits or rootkits.

Malware is built as software is: some code, some compiling and done. But it’s much more complex than just that. There’s no fast lane in malware: everything has to work anywhere, silently and secretly, and the program has to be able to boot, reproduce and care for itself, sometimes without the hacker’s help. And all of this usually starts with a simple act… double-click.


A simple keylogger in C

Keylogger: how it works and how to build it in pure C

Long time since my last post, I’ve been kind of busy, but here we go again.

Today we are going to talk about keyloggers, how they work and how to build one in pure C.
This project has been written for learning purposes and, of course, it’s not intended to serve ‘evil’, so stay away from “muh code” if you are a 1337 h4x0r looking for scripts to steal someone’s privacy ¬¬

