Month: August 2012

XOR is NOT Cryptography

Posted on Updated on

During my many years of developing software, working with opensource projects and using GNU/Linux systems you tend to do something odd. Yes, at times you tend to do something that causes your eyes to skim through letters and words dedicated to educating you about a subject. Well I’ll be damned, they call this “reading documentation” 🙂

So yes, I assume many other developers spend as much time as I do, or anyone else, doing expected things like reading Linux MAN pages, manuals and all sorts of technical docs to gain a better understanding of a topic at hand.

Then what happens, you find the most retarded practice ever being used by some of the largest and most trusted software companies in the world. During my work I have encountered a financial software that was purchased (company names shall not be mentioned) that was written in Java. Being curious about how these things work I browsed the files and found a file named PasswordCryptography.class … Yeah, that’s what I’m talking about. Lets take a look.

So we whip up JAD and decompile that class file. I was expecting to see amazing algorithms being used or maybe some sort of custom crypto methods … you know, things like that. What did I see…

  • AES256 ? …… no
  • Blowfish ? ….. no
  • TripleDES ? ….. no
  • Not even regular DES ?? …. nope

What did I see? I saw XOR OBFUSCATION of passwords using a key that was embedded right into the java class file. At this point I was ready to jump out any window given it was open and large enough.

This is their idea of “cryptography”

for(int i = 0; i < aa.length; i++)
{
    int k = aa[i] ^ key[j];
    int l = (k & 0xf) << 4;
    int i1 = (k & 0xf0) >> 4;
    aa1[i] = l | i1;
    if(j < key.length - 1)
         j++;
    else
         j = 0;
}

WTF? And here’s the part that really kills me. Why call it “PasswordCryptography” ?? I would have been perfectly fine if the file was called “InsecurePasswordXorObfuscation” … ok ok too harsh, how about “PasswordObfuscation” Of course, you know the programmer must have spent a lot of time coding, testing, coding and re-testing this that it was sooooo hard it had to have been cryptography! And thus decides to name the class “PasswordCryptography” and then this somehow passes all engineering stages, peer review, unit tests …etc and ends up being a part of one of the largest financial software solutions in the world and your password is protected by cryptography XOR obfuscation. Anyone after reading Encryption Matters will know how to reverse the obfuscation.

Even when I was a beginner it took no less than 1 hour to google “password encryption” and figure out that I could just download a jar file, import it and make a 1 line function call to encrypt a password using REAL encryption.

Advertisements

Eclipse Tooltip Issue with Ubuntu

Posted on Updated on

First off I want to say that I really hate Ubuntu. You install Eclipse on Ubuntu 12.04 and load it up to do some coding and only to be faced with the most annoying problem: black tooltip background. Sounds stupid? yes, as stupid as the distro is. This is the only distro I encountered that presents this problem with eclipse.

Either way, solving it was not as easy as installing Ubuntu! You have to go to the directory that holds the ubuntu themes, in my case it was “/usr/share/themes/Radiance” and edit the gtk-2.0 and gtk-3.0 css settings files and reset the background color of tooltip to #F5F5B5.

Someone was so nice as to post how to do this here

This got me on my way to putting my eye balls back in the sockets when I debug code. I still feel that Ubuntu, while easy to install is annoying to modify.

……….. Gentoo Rules!