Guys can you please take Mrz back

Emiya Kiwitsugu

Subhuman
Joined
Jun 30, 2015
Messages
47
Reputation
1
Guys I think you made Mrz sad by calling him a lonely pedophile in more recent threads, and now he's making somewhere around five accounts on the Farms a day crying about it, in addition to talking about fucking dogs.

Please take him back.
 

Franktank

Normie
Joined
Jun 30, 2015
Messages
1,785
Reputation
3
Mrz rarely discusses aesthetics and talks about jb too much plus he shouldn't even be talking to those autist bullies.
 

Emiya Kiwitsugu

Subhuman
Joined
Jun 30, 2015
Messages
47
Reputation
1
Harakiri said:
Why is mrz on that shithole?

Hell if I know. He showed up a few days ago vowing to hack the website for about five hours, failed to do so, and then said he totally could. Then he kept showing up day after day to talk about fucking dogs with peanut butter.
 

Emiya Kiwitsugu

Subhuman
Joined
Jun 30, 2015
Messages
47
Reputation
1
just lol buddy boyo said:
Emiya Kiwitsugu said:
Hell if I know. He showed up a few days ago vowing to hack the website for about five hours, failed to do so, and then said he totally could. Then he kept showing up day after day to talk about fucking dogs with peanut butter.
you reap what you sow 
buddy boy-O

No please, he has now made a second account before his current one's even banned in order to talk to himself and give the impression he has friends.
 
Joined
Jul 4, 2015
Messages
743
Reputation
0
mrz is free range. stop trying to cage him. He's not meant to be domesticated.

free range autism     free range autism     free range autism     free range autism     free range autism     free range autism
 

IcedEarth

Slayer
Joined
Jul 5, 2015
Messages
3,215
Reputation
4
oh you want to fuck up kiwifarm, pls keep on doing it no need to hurry they will be here in the next 6 months as well
 

rigidity

Slayer
Joined
Jun 30, 2015
Messages
2,203
Reputation
0
mrz said:
IcedEarth said:
from sluthate

I find it extremely interesting. I just spent the past hour trying to measure timing differences between string comparisons in a short circuiting string compare function just because I was interested in it lol (it took me so long primarily because I wasn't doing anything with the return value of the comparison function at first so it was optimizing it out, and also cuz I'm rusty with C in general).


==: 322
!=: 308
==: 323
!=: 304
==: 323
!=: 303
==: 324
!=: 305
==: 321
!=: 304
==: 322
!=: 304
==: 322


I'm going to implement a timing attack framework I think, I was analyzing the source code of xenforo and noticed



     



I haven't really tested it much but just from looking at it it appears that it uses a "remember me" cookie with a secret value that is valid for a session, so if you can spoof a cookie with a target user ID in it and a secret value that matches the one in the database, you can use that to login as the target. If you notice it is using !== to compare the user provided value to the value from the database (it hashes the value from the database, but not the user provided value).

So I kind of want to implement a program that spoofs a user ID in a cookie and then tries various secret values and takes timing measurements on how long it takes to get a response from the server, and use the return time to determine how many leading characters of the secret value in the cookie it got correct, and kind of intelligently brute force it in this way, up to the point it lets you login with that cookie.

I've not implemented an attack like this before, and wasn't particularly planning to, but the people on ********** keep talking shit about me so I kind of want to do it just to shut them up lol. Theoretically it seems like it should work, but I'm not entirely confident, so also want to do it for that reason.

Xenforo got the logic correct in passwords though, because with passwords it's like

$passwordHash = sha256("user provided password");

then $passwordHash is written to the database. When you login, you send "user provided password" in plaintext again, and then the server hashes it and does a short circuiting comparison to the $passwordHash from the database. So although it short circuits here and you can get the timing differential again, the most you learn is how much of the hash value the hash of your plaintext password matched, by the time you match all of the hash value with your plaintext password you already got the password so this sort of attack will not work there, but they seem to have fucked up the logic of the remember me cookie, because it directly compares the secret value to the user provided value without transforming the user provided value through a one way function first.
I know I have the theory right anyway, but I've never implemented anything like this before. I keep running into things that either fuck it up because of optimizations, or things like cache (which I'm getting around by calling all functions thousands of times before calling them when I need them, cache only appears to influence the first thousand or so measurements, if you measure nanoseconds for function to return the first times it is slowest, but then it levels off after thousands of times in a loop). For all I know I have horrible mistakes in my code, like I keep saying I'm mostly just having fun, and don't claim to be an infallible hacking God. I know I have the theory right though.
I don't support you hacking people, but why would you post this shit? It's going to give away what you're doing and possibly lead to you getting caught.
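Added example, not part of the thread and not XenForo's code: the quoted post turns on a short-circuiting comparison doing work proportional to the matching prefix, so this C sketch counts the bytes each comparison inspects and sets the early-exit version beside a fixed-work one. The function names and the token value are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample value; not taken from any real cookie or database. */
static const char STORED_TOKEN[] = "4f9a1c77e2b0d358";

/* Short-circuiting comparison of the kind the quoted post measures.
 * Returns 1 on match. *examined is set to the number of byte positions
 * inspected, which is the work that response timing reflects.
 * Both buffers must hold at least n bytes. */
int early_exit_equal(const char *a, const char *b, size_t n, size_t *examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;   /* stops at the first mismatch */
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Fixed-work comparison: every byte pair is XORed and accumulated, so the
 * amount of work does not depend on where the inputs differ. */
int constant_time_equal(const char *a, const char *b, size_t n, size_t *examined)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *examined = n;
    return diff == 0;
}

/* Helpers: bytes inspected for a candidate of the same length as the token. */
size_t work_early_exit(const char *candidate)
{
    size_t examined = 0;
    early_exit_equal(STORED_TOKEN, candidate, strlen(STORED_TOKEN), &examined);
    return examined;
}

size_t work_constant_time(const char *candidate)
{
    size_t examined = 0;
    constant_time_equal(STORED_TOKEN, candidate, strlen(STORED_TOKEN), &examined);
    return examined;
}
```

PHP, the language XenForo is written in, provides hash_equals() for this kind of fixed-work comparison of secret strings.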
 

IcedEarth

Slayer
Joined
Jul 5, 2015
Messages
3,215
Reputation
4
rigidity said:
I don't support you hacking people, but why would you post this shit? It's going to give away what you're doing and possibly lead to you getting caught.
it doesn't because you need to prove who did it and when, would be hard over tor and the law enforcement won't lift a finger for such trivial shit
 