Skip to content

Instantly share code, notes, and snippets.

View atoponce's full-sized avatar
Crypto coffee

Aaron Toponce atoponce

Crypto coffee
121 followers · 16 following
View GitHub Profile
@atoponce
atoponce / README.md
Created July 30, 2018 20:30
Extracting entropy from mouse movement events

Extracing Entropy From Mouse Movement Events

Here are my findings of entropy extraction estimates from mouse movement events in the browser. Tables below show the results sorted by the minimum entropy extraction. Timing events, keyboard events, and other potential sources of entropy that can be collected from the user are not considered here.

A [visual representation][1] of slow, medium, and fast mouse movements can help visualize why the entropy estimation increases as the mouse velocity increases. The recorded data was plotted with Gnuplot as follows:

@atoponce
atoponce / readme.md
Last active October 17, 2020 16:53
Password generation in the shell

Simple Shell Password Generation

Just using the shell, either with built-in tools, or 3rd party generators, for building passwords with at least 70-bits of entropy (1 in at least 1,180,591,620,717,411,303,424 possibilities).

Each provide their own advantages and disadvantages.

Built-in Tools

All graphical keyboard characters

All possible 94 graphical characters (not the or) are

@atoponce
atoponce / README.md
Last active June 20, 2024 01:30
Proposed improvements to EFF's FANDOM wordlists

Proposed EFF Fandom Improvements

Contact

If there are any problems with the word lists, please reach out to me on Fosstodon [@atoponce][0].

Non-license

These word lists are released to the public domain. Enjoy.

Original Word List Problems

@atoponce
atoponce / examples.md
Last active June 23, 2023 18:15
Best practices for examples in documentation

Reserved Examples

Below are examples for best practices that have been set aside specifically for writing documentation, fictional stories, source code, or anything else where an example needs to be given without the fear of resolving to an actual phone number, domain, website, etc.

Domain Names

In 1999, the "example.com" domains have been set aside by the IETF in RFC 2606 and updated in RFC 6761 specifically for documentation and source code. They include example.com, example.net, and example.org. The example.edu domain was added by ICANN in 2000. Later, the ".example" top-level domain name has since been added explicitly for documentation purposes. While the pseudo-top-level domain ".local" carries no meaning, it is commonly deployed in multicast DNS, local DNS, and private networks. While it too could be used for documentation, it's better left alone, and to use the "example.com" and ".example" domains.

However, "test" [re

@atoponce
atoponce / index.html
Last active January 28, 2021 21:43
JavaScript entropy proof-of-concept
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<title>JavaScript Entropy Proof-of-Concept</title>
<script language='javascript'>
function draw_disco(s) {
const canvas = document.getElementById('canvas')
const context = canvas.getContext('2d')
const radius = 30
@atoponce
atoponce / gist:983b287af496338954942da5d612176d
Last active May 8, 2019 02:43
Show the differences betwen various base-32 encoding schemes. Alphanumeric order used to show what's missing in each.
RFC 2938: 0123456789ABCDEFGHIJKLMNOPQRSTUV : Preserves hex bitwise sort order
RFC 4648: 234567 ABCDEFGHIJKLMNOPQRSTUVWXYZ: 8/B, 9/g, 0/O, and 1/I ambiguity
Crockford: 0123456789ABCDEFGH JK MN PQRST VWXYZ: 0/O and 1/I/L ambiguity
Geohash: 0123456789 BCDEFGH JK MN PQRSTUVWYYZ: 0/O and 1/I/L ambiguity. No "A"
z-base-32: 1 3456789ABCDEFGHIJK MNOPQRSTU WXYZ: human ease-of-use
@atoponce
atoponce / log.txt
Created June 26, 2019 22:53
Testing negotiated MACs with OpenSSH 7.9
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
---
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
---
debug1: kex: server->client cipher: aes192-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes192-ctr MAC: [email protected] compression: none
---
debug1: kex: server->client cipher: aes256-ctr MAC: [email protected] compression: none
@atoponce
atoponce / table.md
Created July 2, 2019 03:11
Encrypted Filesystems for Linux
Filesystem Type Default Cipher Block Mode Authentication Encryption Mode Password Hash RNG Audit
CryFS Stacked FS AES-256 ? GCM AEAD scrypt ? ?
Cryptomator Stacked FS AES-256 ? HMAC-SHA256 Encrypt-then-MAC scrypt Userspace ?
dm-crypt Block Device AES-256 ESSIV None N/A RIPEMD160 Kernelspace ?
eCryptfs Stacked FS ? ? ? ? ? ? ?
EncFS Stacked FS ? ? ? ? ? ? ?
ext4 Block Device ? ? ? ?
@atoponce
atoponce / gist:c0e988023ac8cdebbec7d900f456a792
Created July 5, 2019 22:52
A = [0, 0, 0, 0, 1, 0, 0, 2, 0, 2, 1, 1, 1, 2, 0, 0, 2, 0, 1, 0, 1, 2, 1, 1, 0, 1, 2, 0, 3, 0, 2, 3, 0, 1, 1, 0, 1, 0, 1, 2, 1, 1, 0, 1, 0, 1, 0, 1, 2, 3, 1, 1, 1, 1, 0, 1, 0, 2, 1, 0, 0, 0, 1, 1]
min-entropy: H = -log2(p_max)
Shannon: H = -sum(p_i * log2(p_i))
max-entropy: H = -log2(unique(p_i))
min-entropy ~= 4.196397212803504
Shannon ~= 5.158365849770286
max-entropy = 2
@atoponce
atoponce / 0-README.md
Last active August 18, 2025 05:35
Magic Hashes

Magic Hashes

Motivations

Calculating magic hashes for https://www.whitehatsec.com/blog/magic-hashes/. These strings should probably be put into a blacklist preventing users from using them as passwords to mitigate PHP evaluating hashes starting with "0e" as floats.

Probabilities