adulau is currently certified at Journeyer level.

Name: Alexandre Dulaunoy
Member since: 2000-12-31 13:13:58
Last Login: 2011-05-25 20:20:05

FOAF RDF Share This


Notes: Daily mantra: "All information should be Free" Levy, 1984.


Articles Posted by adulau

Recent blog entries by adulau

Syndication: RSS 2.0

2013-04-01 Information Visualization Is Just A Starting Point

Keywords in Common Vulnerabilities and Exposures Quantité des déchets ménagers collectés sur la Province de Luxembourg - année 2012

Information Visualization Is Just A Starting Point

Information visualization is not an end but just a step to improve our understanding of data. Following a small discussion in the train about the visualisation of open data, I did a small experiment to analyse the statistics about the waste collection in my region. The result of this experiment is available along with some random notes. But the main question came from someone else looking at the visualization and basically told me: "I don't get it". He is right, the experimentation is just there to trigger more analysis (and sometime more visualization) with the objective to improve our understanding. Initially, the source of data is usually not analysed and sitting there waiting to be understood. Coming back to the data about waste collection, the initial discussion about the understanding or interpretation wouldn't be triggered if the first step of visualization is not done.

So in that scope, I tried a similar approach with a dataset I built from my cve-search tool. My idea was to see the terms used all the description of the Keywords in Common Vulnerabilities and Exposures (CVE). I did a first CVE terms visualization experiment and then I twitted about it. Then, this was triggering various explanations like why there is a predominance of some terms as commented by Steve Christey.

It clearly showed that is an iterative process especially to better understand the data. It's also an interactive process in order to improve the visualization and the data source. Following the good advise from Joshua J. Drake, I added a lemmatizer to keep only the root of each term and also exclude the standard English stopwords. With the visualization, we saw from some occurrences (e.g. unknown or unspecified) that the CVEs are based on incomplete information.

I'm quite sure that is not finished and just the beginning of more work and experiments in visualization. I read various books about information visualization but the result is often very static and you don't really see their iterative process to reach their visualization goals. Sometime, you just see a result without the process and the tools used to make the visualization happens.

At least with free software like D3.js, we have now a set of tools to understand how the visualization was built and maybe improve/discuss those visualizations. At least, if you want to play or improve the visualization of terms used for software vulnerabilities description, let me know.

You want an open mind, but not an empty head. Just because something is a new or fashionable alternative, doesn’t mean we need to get stupid when judging it. Edward Tufte.

Syndicated 2013-04-01 21:11:08 from AdulauWikiDiary: RecentChanges

2013-02-23 Vulnerability Management Is Just An Approximation

Everybody needs a hacker

Software Vulnerability Management Is Just A Huge Approximation

Approximation is a representation of something that is not exact. To be extremely exact vulnerability management is not even a mathematical approximation like we know it for Pi value. But from where this utterly huge approximation is coming from? The first origin is the inner definition of "vulnerability management". If you look at various definitions like the one from Wikipedia or some information security standards, you have something like "it's a process identifying → classifying → remediation → mitigation of software vulnerabilities". Many information security vendors might told that is an easy problem but you can ask yourself if this is an easy problem why so many organizations are still compromised with software vulnerabilities.

In my pragmatic eyes, it's very broad, so broad that a first reaction is to split the problems into parts that you can solve. If we just look at the initial step to identify software vulnerabilities.

To solve this problem, the first part is to discover, know and understand the software vulnerabilities. Everyone is discovering vulnerabilities everyday (just look at how many bug reports are going into the Linux Kernel bug tracking software) and very often when you report a bug, you don't even know if this is a software vulnerability. The worst part is that an organization (or an individual) doesn't exactly know what software they are running. If someone is telling you that they have a "software vulnerability management" software that is able to detect all the software running on a system, it's a lie. If such software would exist, you would have the perfect software that would be able to solve the virus detection issue while solving the Turing's halting problem. Just look at a simple software appliance and the set of software required to run the appliance.

Discovering vulnerabilities might be easy but it's difficult to be exhaustive. Even if a vulnerability is found, there is a market to limit their publications (like zero-day vulnerability market). For a named software, there is might be a large set of unknown vulnerabilities (I'm tempted to talk about Java but I think every software might fall into that category). Does this mean that you should give up? I don't think so. You must work on your vulnerability management but don't trust blindly solutions that claim to solve such issue.

Finally, my post is not a bashing post as it was an opportunity for me to talk about a side project I'm working to ease collecting and classifying Common Vulnerabilities and Exposures (CVE). The project is called cve-search and it's not a complete vulnerability management just a small tool to solve partially the identification and the classification part.

“When he time comes to leave, just walk away quietly and don't make any fuss.”– Banksy

infosec security vulnerability

Syndicated 2013-02-23 20:47:26 from AdulauWikiDiary: RecentChanges

2011-12-25 Against SOPA or How To Do Soap

I'm against SOPA... So I'll explain how to make soap with olive oil

One more time, some lobbyists try to regulate the Internet with some of the stupidest laws or rules. SOPA (in US) is again one of this tentative to break down the freedom of citizen worldwide to preserve some archaic business model. As I have a preference for concrete action leading to a direct social improvement, I'll explain how to do soap (it's better than SOPA and more useful, please note the clever inversion of the letters). My soap recipe is released under the public domain dedication license (CC0).

Stop SOPA make SOAPStop SOPA make SOAP

Safety Disclaimer

Doing soap is a chemical process that requires your full operating brain. Especially that you'll use sodium hydroxide that is a corrosive substance. So respect the proportions, the process and read the whole process multiple times before doing it. Wearing protective gloves and goggles is highly recommended. Avoid to use kitchen instruments in aluminum as it will be attacked by the sodium hydroxide.

Background of the chemical process

Doing soap is one of the first chemical process discovered by the humanity. The process is called saponification that is done by using a base to hydrolyze the triglycerides contained in the fats (organic or animal). This process generates a fatty acid salt along with the glycerol (the greasy touch of the soap). Each fat has a specific value for its saponification. The saponification value (usually called SAP in saponification tables) is expressed by the required volume of base (usually sodium hydroxide) to saponify 1 gram of fat. The saponification value is reduced to keep the resulting soap a bit fat (what is called the "excess fat"). I find it even convenient to keep a "safety" bound to ensure that the hydrolyze is complete and used the whole sodium hydroxide.

So that's the basis if you want to build your own soap, there are other rules to consider but for this recipe this is enough. In my case, I use olive oil as a fat. Easy to find and I have a preference for organic olive oil (to ensure that the oil producer is taking care of its environment). But you can use non-organic olive oil too (it's usually cheaper).


  • 1000 grams of olive oil
  • 124 grams of pure sodium hydroxide / NaOH (as the olive oil has a SAP factor of 0.134 and we want 7% of over fat → run bc and type (1000*0.134)*0.930) (total weight of fat *SAP factor for the fat)*(0.900<->0.960))
  • 350 grams of tap water (usually between 31% and 35% of the total fat. In this recipe ~ 1000*0.350)


  • Put your protective gloves and goggles
  • Prepare the sodium hydroxide by putting the sodium hydroxide in water (!put the sodium hydroxide in water not the reverse!).
  • and monitor the temperature of the prepared sodium hydroxide to reach around 46-47 Celcius degree (it will start at 80 Celcius degree with the reaction).
  • At the same time, warm the olive oil until 46-47 Celcius degree.
  • When both are at the same temperature (around 46-47 Celcius degree),
  • you can start to mix (using a mixer speed up the process) the warmed olive oil by incorporating the prepared sodium hydroxide. (!use a large pot to avoid projection of the prepared sodium hydroxide while mixing!).
  • When you start to see that the mixture is becoming consistent (especially that you can see a trace while removing the mixer) it means that's you reach the critical point.
  • When you have an homogeneous consistence, you can put the result into a plate.
  • Put a plastic film into the plate touching the mixture (to avoid oxygen to be in contact with the prepared soap).
  • In the next hours, you'll the "gelification process" where the soap is becoming a gel (usually starting from the center).
  • After 24 hours, your soap is becoming harder. (see above picture)
  • You can can remove it from the plate and cut the forms you want from your block soap.
  • And the soap must dry for the next 4 weeks in a dry and clean place. (see above picture)

Tags: soap sopa freedom chemistry diy

Syndicated 2011-12-25 15:29:22 from AdulauWikiDiary: RecentChanges

17 Dec 2011 (updated 18 Dec 2011 at 17:11 UTC) »

2011-12-17 Certificate Revocation Reasons 2011

This page is too big to send over RSS.

Syndicated 2011-12-17 12:05:57 (Updated 2011-12-18 17:11:22) from AdulauWikiDiary: RecentChanges

2011-10-02 Try and Vet Tshirt Crypto Challenge Hack.lu2011 The Solution

Try and Vet T-Shirt Cryptographic Contest at 2011

The Challenge

What Did You Get During 2011?

From the website, you got a text message including a message stream. During the conference, you got a t-shirt.

The horrible "Beer Scrunchie" subverted the 2011 conference to hide some cryptographic materials. He especially abused the t-shirt for 2011 to transmit under cover activities. We still don't know at which extend "Beer Scrunchie" abused the t-shirt. Everything is possible just like those trojan t-shirts discovered...



The message on the website gave already some clues especially that:

If you decode the message encoded in Base64, you'll see that the stream of data in binary is starting in the following way : "Salted__…." That's the behaviour of the OpenSSL? salted encryption scheme prefixing with "Salted__" to announce that the first 8 bytes of the encrypted stream are reserved for the salt. This gives the indication that the message has been probably encrypted with an OpenSSL? tool or library. If you look carefully look at the encryption schemes available in OpenSSL?:

aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc    
aes-256-ecb    base64         bf             bf-cbc         bf-cfb         
bf-ecb         bf-ofb         cast           cast-cbc       cast5-cbc      
cast5-cfb      cast5-ecb      cast5-ofb      des            des-cbc        
des-cfb        des-ecb        des-ede        des-ede-cbc    des-ede-cfb    
des-ede-ofb    des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb   
des-ofb        des3           desx           rc2            rc2-40-cbc     
rc2-64-cbc     rc2-cbc        rc2-cfb        rc2-ecb        rc2-ofb        
rc4            rc4-40 

There are not so many algorithms written by Bruce Schneier in a default OpenSSL? except Blowfish (bf-*). Usually cryptographer recommends to use the "default" mode and in this case, bf is Blowfish in CBC mode. So this is highly probable…

Where Is The Key?

As you didn't use the t-shirt until now, there is a good guess that the key is hidden somewhere. If you look carefully at the text in the back of the 2011 t-shirt, you'll see many typographic errors. The interesting part is to compare the typographic errors from the original text as published by Phrack. Please note the typo in the URL (even if the URL works, doesn't mean that's the correct one ;-).

The original text from Phrack (original.txt)

This is our world now... the world of the electron and the switch, the beauty of the baud.
We make use of a service already existing without paying for what could be dirt-cheap if it
wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call
us criminals. We seek after knowledge... and you call us criminals. We exist without skin
color, without nationality, without religious bias... and you call us criminals. You build
atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe
it's for our own good, yet we're the criminals. Yes, I am a criminal. 
My crime is that of curiosity. My crime is that of judging people by what they say and think, 
not what they look like. My crime is that of outsmarting you, something that you will
never forgive me for. 
I am a hacker, and this is my manifesto. 
You may stop this individual, but you can't stop us all... after all, we're all alike. 

The Conscience of a Hacker, The Mentor, January 8, 1986, 

The text from the 2011 t-shirt (modified.txt)

This is our world now... the world of the electron and the swich, the beauty of the baud,
We make use of a service already exeisting without paying for what could be dirt-cheep if it
was'nt run by profofiteering gluttons, and you call us cricriminal. We explore... and you call
us criminals. We seek after knowledge... and you call us criminals. We exist without skin
colo, without nationlity, without rrligious bias... and you call us crimnals. You build
atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe
it's for our own good, yet we're the criminals. yes, I am a criminal.
My crime is that of curiosity. my crime is that of judginfg people by what thy say and think,
not what they look like. my crime is that of outmarting you, something that you will
never forgive me for.
I am a hacker, and this is my manifasto.
you may stop this individul, but you can't stop us all... after all, we're all alike.

The Conscience of a Hacker, The Mentor, January 8, 1986,$id=3#article 

So you can build a key from the differences but how? That's the most difficult part (as there are many different way to do it). As there is no natural way to generate a key, I decided to go for a long key that can be read easily from the original text. To build back the key from original to modified you can use word diff and use your favorite GNU tools for word diff. We just discarded the punctuation and we didn't care about the case sensitivity.

wdiff -i -3 original.txt modified.txt | egrep -o "(\[-(.*)-\])" | sed -e "s/-//g" | sed -e "s/\[//g" | sed -e "s/\]//" | sed -e "s/\.$//g" | sed -e "s/,//g" 
| sed ':a;N;$!ba;s/\n//g'

The key to decrypt the message generated from the above wdiff is the following:


and to decrypt the message, you'll need to use OpenSSL? in the following way used the guessed parameters:

openssl enc -d -a -bf -in encrypted.txt -out decrypted.txt 

and the original decrypted message is:

I'm Beer Scrunchie and I'm the author or co-author of various block ciphers, pseudo-random number generators and stream ciphers.

In 2012, there will be two major events: the proclamation of a winner for the NIST hash function competition and probably the 2012 infosec conference

I hope that my Skein hash function will be the winner.

If you are reading this text and be the first to submit to, you just won a ticket for next year. If I'm winning the NIST competition wit
h my hashing function,
you'll get a second free ticket...


I got one correct answer 5 days after the conference showing that the difficulty to get back the key was bound to the uncertainty of the key generation. Next year, it's possible that we make a multi-stage t-shirt challenge for 2012… from something more easy to something very difficult.

Tags: crypto infosec ctf conference hacklu

Syndicated 2011-10-02 11:48:07 from AdulauWikiDiary: RecentChanges

119 older entries...


adulau certified others as follows:

  • adulau certified alan as Master
  • adulau certified Telsa as Journeyer
  • adulau certified jallison as Master
  • adulau certified nutella as Journeyer
  • adulau certified chrisd as Journeyer
  • adulau certified Uraeus as Journeyer
  • adulau certified gleblanc as Journeyer
  • adulau certified NickElm as Journeyer
  • adulau certified davej as Master
  • adulau certified hadess as Journeyer
  • adulau certified andersee as Master
  • adulau certified Bryce as Master
  • adulau certified fufie as Journeyer
  • adulau certified chromatic as Journeyer
  • adulau certified davem as Master
  • adulau certified iwehrman as Apprentice
  • adulau certified advogato as Master
  • adulau certified hpa as Master
  • adulau certified riel as Master
  • adulau certified opiate as Master
  • adulau certified sh as Journeyer
  • adulau certified hub as Master
  • adulau certified nymia as Journeyer
  • adulau certified LaForge as Master
  • adulau certified deekayen as Journeyer
  • adulau certified async as Journeyer
  • adulau certified csm as Master
  • adulau certified fpmip as Journeyer
  • adulau certified argent as Master
  • adulau certified sascha as Master
  • adulau certified gstein as Master
  • adulau certified dugsong as Master
  • adulau certified jmg as Master
  • adulau certified stefan as Master
  • adulau certified lukeh as Master
  • adulau certified kbob as Master
  • adulau certified dyork as Master
  • adulau certified timj as Master
  • adulau certified renaud as Master
  • adulau certified dirkx as Master
  • adulau certified lkcl as Master
  • adulau certified chakie as Master
  • adulau certified jtauber as Master
  • adulau certified esr as Master
  • adulau certified sej as Master
  • adulau certified fxn as Journeyer
  • adulau certified osvaldo as Journeyer
  • adulau certified ruda as Master
  • adulau certified eliphas as Master
  • adulau certified Radagast as Master
  • adulau certified RaNma as Apprentice
  • adulau certified harkal as Journeyer
  • adulau certified mbp as Master
  • adulau certified anton as Master
  • adulau certified Nelson as Master
  • adulau certified raph as Master
  • adulau certified jerry as Journeyer
  • adulau certified jao as Master
  • adulau certified davidw as Master
  • adulau certified ncm as Master
  • adulau certified jerenkrantz as Master
  • adulau certified baretta as Master
  • adulau certified rmk as Master
  • adulau certified demoncrat as Master
  • adulau certified Fefe as Master
  • adulau certified loic as Master
  • adulau certified penso as Master
  • adulau certified Miod as Master
  • adulau certified rms as Master
  • adulau certified LotR as Master
  • adulau certified dhartmei as Master
  • adulau certified Physicman as Journeyer
  • adulau certified lkratz as Journeyer
  • adulau certified rodolphe as Master
  • adulau certified mulix as Master
  • adulau certified atai as Master
  • adulau certified Kouran as Journeyer
  • adulau certified jneves as Master
  • adulau certified mglazer as Apprentice
  • adulau certified yeupou as Master
  • adulau certified villate as Master
  • adulau certified xsa as Journeyer
  • adulau certified mako as Master
  • adulau certified argp as Journeyer
  • adulau certified Ruffy as Master
  • adulau certified ger as Master
  • adulau certified lloydwood as Master

Others have certified adulau as follows:

  • Uraeus certified adulau as Journeyer
  • davej certified adulau as Journeyer
  • sh certified adulau as Journeyer
  • jonabbey certified adulau as Journeyer
  • hub certified adulau as Journeyer
  • async certified adulau as Journeyer
  • fpmip certified adulau as Journeyer
  • fxn certified adulau as Journeyer
  • ruda certified adulau as Journeyer
  • jao certified adulau as Master
  • sdodji certified adulau as Journeyer
  • lkratz certified adulau as Journeyer
  • sye certified adulau as Journeyer
  • r4f certified adulau as Journeyer
  • Kouran certified adulau as Master
  • mglazer certified adulau as Apprentice
  • Physicman certified adulau as Journeyer
  • xsa certified adulau as Journeyer
  • argp certified adulau as Journeyer
  • jarod certified adulau as Journeyer
  • Miod certified adulau as Journeyer

[ Certification disabled because you're not logged in. ]

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

Share this page