zorinaq.comMarc Bevand

m @ zorinaq • Homepage • Blog • AngelList • LinkedIn • Hacker News • GitHub • Twitter • Reddit • Travel blog CV Résumé (curriculum vitæ) Profile I graduated in 2003 with a Master's Degree from ÉPITA ( École Pour l'Informatique et les Techniques Avancées ), with a specialization in computer security. Shortly afterwards I moved from France to the US and worked for various companies, most recently at Google as a whitehat hacker. I took a sabbatical in 2015–2016 to travel the world with my wife , and have since then been working for myself as a researcher, angel investor, and entrepreneur. I have a keen interest in: reverse engineering, security vulnerability research/exploitation, cryptography, software optimization, GPGPU, decentralized cryptocurrencies (Bitcoin), hardware hacking, home automation, IoT, just to name a few things. Popular posts My 5 most popular blog posts: "I Contribute to the Windows Kernel. We Are Slower Than Other Operating Systems. Here Is Why." From 32 to 2 ports: Ideal SATA/SAS Controllers for ZFS & Linux MD RAID Whitepixel breaks 28.6 billion password/sec My Experience With the Great Firewall of China Electricity consumption of Bitcoin: a market-based and technical analysis Security Research Vulnerabilities I discovered either as an independent researcher or as an employee: Attacks on Merkle Tree Proof Nginx resolver vulnerabilities allow cache poisoning attack PivotX Insecure Password Hashing R7-0033 : Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting R7-0026 : HTTP Header Injection Vulnerabilities in the Flash Player Plugin R7-0022 : Symantec Scan Engine Known Immutable DSA Private Key R7-0021 : Symantec Scan Engine Authentication Fundamental Design Error ASA-0001 : OpenBSD chpass/chfn/chsh file content leak ASA-0000 : GV Execution of Arbitrary Shell Commands ASA stands for "After" Security Advisory , based on an old handle I used back in college. Cryptocurrency I maintain these cryptocurrency resources: Bitcoin price Many-PCIe motherboards Reviews I love to review research papers, even in domains that are not my primary area of expertise. And by review I really mean dissecting the theories, data, models, logical arguments, code, etc. The kind of work a peer-reviewer does. I am going to start documenting some of my findings below: The OPERA experiment appeared to measure neutrinos traveling faster than light, but I suspected a time drift in the FPGA counter that is reset every 0.6 seconds by the master clock. My suspicion turned out correct : they later identified this time drift as 1 of 2 sources of errors. Talks Talks I gave at security conferences: MD5 Chosen-Prefix Collisions on GPUs [ whitepaper ]; Black Hat USA 2009, Las Vegas, NV, USA (July 30, 2009). In December 2008, an MD5 chosen-prefix collision attack was performed on a PlayStation 3 cluster to create a rogue CA certificate. A new implementation of this attack has been researched and developped to run an order of magnitude faster and more efficiently on video card GPUs, which now makes the attack practical to anybody. In addition, an MD5 password hash bruteforcer tool has been built on top of this implementation and achieves a speed of 1.5 billion MD5 hash/sec on an ATI Radeon HD 4850 X2, or 725 million MD5 hash/sec on an ATI Radeon HD 4850. Source code : bday/ Breaking UNIX crypt() on the PlayStation 3 ; ToorCon 10, San Diego, CA, USA (September 28, 2008). A UNIX crypt() password bruteforcing tool has been developed and optimized for the Cell B.E. processor. The major advance resides in a new set of bitslice DES "S-Box circuits" that average 45.5 gates per S-box by using all the logical instructions of the SPU ISA. This allows the bruteforcer to fully exploit the SPU cores of the Cell processor. Source code : cell-bf/ Projects Open source software I wrote: SILENTARMY is a Zcash miner for Linux with multi-GPU and Stratum support. It is written in OpenCL and has been tested on AMD/Nvidia/Intel GPUs, Xeon Phi, and more. I initially wrote it as a command line solver for the Zcash open source miner challenge , and later expanded it into a full-featured miner. hdminer is a Bitcoin GPU miner I wrote in 2010. I mined with it and sold copies of the software (I gave the source code to buyers, but the license prohibited redistribution.) It is of course useless today because miners abandoned GPUs and moved to ASICs. whitepixel is an open source GPU-accelerated password hash auditing software for AMD/ATI graphics cards. owlet_monitor is the result of reverse engineering the Owlet Android app : a Python script to monitor Owlet Smart Sock statistics such as heart rate, oxygen level, etc. hablog is the proof-of-concept high availability, distributed blogging platform that I use for my blog. See my post for more information . I am only releasing it because I expect people will ask me for the code. However I cannot emphasize enough how proof-of-concept, prototype-stage, poorly documented this code is. You have been warned :-) bday is an implementation of the improved birthday search described in On Collisions for MD5 , Marc Stevens, Master's Thesis, section 7.4, using a hand-optimized MD5 compression function written in AMD CAL IL (Compute Abstract Layer Intermediate Language) targetting the ATI Radeon HD 4000 series and higher GPUs. cell-bf is A UNIX crypt() password bruteforcing tool developed and optimized for the Cell B.E. processor. The major advance resides in a new set of bitslice DES "S-Box circuits" that average 45.5 gates per S-box by using all the logical instructions of the SPU ISA. This allows the bruteforcer to fully exploit the SPU cores of the Cell processor. CDN53 is a Chrome extension that uses DNS instead of HTTP to fetch web content. See my blog post about it. qemudo is a Web interface to QEMU offering a way for users to access and control multiple virtual machines (guest systems) running on one or more remote physical machines (host systems). unrarhp is a Unix command line brute forcer to recover the passwords of RAR archives encrypted with the RAR 3.x "-hp" option. This option, contrary to "-p", also encrypts the block headers and protects metadata such as filenames, etc. As of June 2010, unrarhp is the only RAR "-hp" brute forcer that is open source and free. bpwd is a GNU/Linux tool that allow you to tweak bios supervisor passwords by accessing directly the nvram, aka the cmos-ram. It can find them with the help of bruteforce (all possible combinations of characters are tried), test a password list, or even simply enable/disable them by modifying bios settings. geronimo is a Unix/Win32 Netsoul client—a custom instant messaging protocol designed by ÉPITA sysadmins and used throughout the school. Geronimo was initially created by Nicolas Delon, and I have been maintaining it since November 2002 (version 0.7.2.) B eaver is an E arly A d V anced E dito R . It was the end-of-year project of my second year ( InfoSpé ) at ÉPITA. When the project began in January 2000, the developers team was composed of 3 students: Emmanuel Turquin, Damien Terrier and I. Currently, the project is maintained by Leslie Polzer and Michael Terry. lceb finds all possible solutions to the mathematical game called "Le Compte est Bon," which is played on the French television show "Des Chiffres et des Lettres." Papers and Articles [ md5-amd64 ] MD5 optimized for AMD64 [ shellcode-amd64 ] A Short Shellcode for AMD64 [ rc4-amd64 ] RC4 implementation for AMD64 ÉPITA-Epitech FAQ ÉPITA and Epitech are two French computer science schools. One day, I decided to write the FAQ (Frequently Asked Questions) of the computer network and resources available to students, because the same questions were asked in the newsgroups, again and again. It instantly became a hit. The first version (0.5.0) of the ÉPITA-Epitech FAQ ( Epifaq ) was published on December 4, 2001. I maintained it until April 2002 (version 0.8.8.) Then Jeff Lambo became the of...