| I wasn't first to get the key. Nor was I second, third, or even fourth. I'm probably not even the | |
| 10th to get it (ok, looks like I was the 8th.) But I'm happy that I was able to prove to myself | |
| that I too could do it. | |
| First, I have to admit I was a skeptic. Like the handful of other dissenters, I had initially | |
| believed that it would be highly improbable under normal conditions to obtain the private key | |
| through exploiting Heartbleed. So this was my motivation for participating in Cloudflare's | |
| challenge. I had extracted a lot of other things with Heartbleed, but I hadn't actually set out to | |
| extract private keys. So I wanted to see first-hand if it was possible or not. |
| const { Task } = Cu.import("resource://gre/modules/Task.jsm", {}); | |
| const { defer, all } = require("sdk/core/promise"); | |
| const { setTimeout } = require("sdk/timers"); | |
| Task.spawn(function *() { | |
| let item1 = yield getItem(1); | |
| let [item2, item3] = yield all([getItem(2), getItem(3)]); | |
| console.log(item1, item2, item3); // 1, 2, 3 | |
| }).then(function () { | |
| console.log('all items processed') |
| # to use: | |
| # 1. put this file in ~/callstatement/callstatement.py | |
| # 2. make a file ~/Library/Python/2.7/site-packages/derp.pth with this as the contents: | |
| # "/Users/USER/callstatement/\nimport callstatement\n" | |
| # 3. export PYTHONIOENCODING="callstatement_utf8" | |
| # warning: EXTREMELY NASTY DO NOT USE IN PRODUCTION CODE | |
| # WILL BREAK EVERYTHING I AM NOT RESPONSIBLE IF | |
| # YOU'RE FOOLISH ENOUGH TO ACTUALLY TRY TO USE | |
| # THIS |
| #!/usr/bin/env python | |
| from __future__ import print_function | |
| import requests | |
| import sys | |
| import json | |
| def hipchat_notify(token, room, message, color='yellow', notify=False, | |
| format='text', host='api.hipchat.com'): |
| # tcpdump -A -nn -s 0 'tcp dst port 9200 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i lo | |
| tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | |
| listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes | |
| 14:32:33.525122 IP 127.0.0.1.49777 > 127.0.0.1.9200: Flags [P.], seq 313752908:313753888, ack 2465010394, win 257, options [nop,nop,TS val 2684167067 ecr 2684167066], length 980 | |
| E...^.@[email protected]#...}L............... | |
| ..#...#.GET /index/_search HTTP/1.1 | |
| Host: 127.0.0.1:9200 | |
| Accept: */* | |
| Content-Length: 845 | |
| Content-Type: application/x-www-form-urlencoded |
Picking the right architecture = Picking the right battles + Managing trade-offs
| # Install https://www.vaultproject.io/ | |
| brew install vault | |
| # Start dev vault server in a separate terminal | |
| vault server -dev | |
| # ==> Vault server configuration: | |
| # ... | |
| # Unseal Key: 7ACQHhLZY5ivzNzhMruX9kSa+VXCah3y87hl3dPSWFk= | |
| # Root Token: 858a6658-682e-345a-e4c4-a6e14e6f7853 |
| import asyncio | |
| import itertools | |
| import aiohttp | |
| import async_timeout | |
| async def fetch_with_response_delay(session, delay): | |
| if not 0 <= delay <= 10: | |
| raise ValueError('Delay must be between 0 and 10 inclusive') |