Using BIP39 to create short pr0n stories

BIP39 is a catchy name for a way to make great big long random numbers easier to write down and enter. It emerged from a need to back up the private and public keys associated with crypto currency wallets. Many of the common coins use BIP39.

BIP39 is a set list of 2048 English words which are written down one after the other to make a backup of your crypto currency keys. Not only is the wordlist fixed, but also your key is always exactly 24 words long. The last word is a check word to make sure that the rest are correct.

What makes BIP39 really clever is that although it’s only 24 words long, further extensions to the standard such as BIP32 allow it to be used to deterministically generate not only the keypair but the receive addresses too.

For extra cleverness, because blockchain, you don’t need anything else to recover your worthless crypto tokens, so those 24 word nuggets are pretty awesome.

Ok, that’s BIP39: Smart, no?

We all do stupid things, yes? I was backing up my Chia wallet words and talking with a mate about how much entropy (randomness) there is in the BIP39 standard (hint, there is a lot!) and what the possibilities might be given the word list size, and we discovered that the word list does just about include some verbs, making some stories and sentences just about possible if you squint.

A quick google showed a Rule #34 violation and so it became necessary to write some smut. Bonus points awarded for making the story 24 words long and actually being BIP39 compliant – you can use it in any client that uses BIP39 to (re)generate keys from wallet words in this way.

Here is my first attempt:
gym fit pretty nurse split beef curtain quick index finger plunge front bottom wet slide nest weapon into crack shiver decorate crack nut receive

And if I whack those recovery words into (for example) Goji, we have a real key pair.

Please do not send Goji to xgj1ta95r52cfc5nhgs3m0wlcf06fg8mzt3du3tkmwkpp9mfmn0lmv6qfv0ewa as anyone can get it. Kthnx 😉

Think you can do better? Knock yourself out and let me know! The BIP39 wordlist is here.

You will also need a validator to help you with that last word which contains a checksum. Ian Coleman has a great tool here.
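Why the last word cannot be picked freely, as an added example that is not part of the original post: with 23 words fixed, only 8 of the 2048 words carry a correct checksum. It works on 0-based wordlist indices rather than words because the wordlist is not embedded here, and the function names are this example's own.

```python
import hashlib

WORD_BITS = 11                                  # 2048-word list -> 11 bits per word
N_WORDS = 24                                    # mnemonic length used in this post
ENT_BITS = 256                                  # entropy carried by 24 words
CS_BITS = N_WORDS * WORD_BITS - ENT_BITS        # 264 - 256 = 8 checksum bits


def checksum_bits(entropy: bytes) -> int:
    """Leading CS_BITS bits of SHA-256(entropy): the BIP39 checksum."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CS_BITS)


def in_range(indices: list[int]) -> bool:
    return all(0 <= i < (1 << WORD_BITS) for i in indices)


def is_valid(indices: list[int]) -> bool:
    """Validate a 24-word mnemonic given as 0-based wordlist indices."""
    if len(indices) != N_WORDS or not in_range(indices):
        return False
    bits = 0
    for i in indices:
        bits = (bits << WORD_BITS) | i          # pack 24 x 11 = 264 bits
    entropy = (bits >> CS_BITS).to_bytes(ENT_BITS // 8, "big")
    return (bits & ((1 << CS_BITS) - 1)) == checksum_bits(entropy)


def valid_last_words(first_23: list[int]) -> list[int]:
    """Every wordlist index that is a valid 24th word after 23 chosen words."""
    if len(first_23) != N_WORDS - 1 or not in_range(first_23):
        raise ValueError("need 23 indices in the range 0..2047")
    prefix = 0
    for i in first_23:
        prefix = (prefix << WORD_BITS) | i      # 253 bits fixed by the story
    free_bits = WORD_BITS - CS_BITS             # 3 entropy bits left in word 24
    candidates = []
    for tail in range(1 << free_bits):
        entropy = ((prefix << free_bits) | tail).to_bytes(ENT_BITS // 8, "big")
        candidates.append((tail << CS_BITS) | checksum_bits(entropy))
    return candidates


if __name__ == "__main__":
    # Constructed input: 23 copies of the first word on the list (index 0).
    print(valid_last_words([0] * 23))
```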

Have fun and for the sake of fuck, do NOT use the keys you generate for anything other than fun – they are essentially worthless as an entropy source, especially if you tell anyone!

Other attempts:
gold hair fantasy girl kiss pole give great head plunge tube steak into amazing ginger box blast nut butter over blouse bird cry clap

lonely young boy huge rigid horn spend all term try two destroy girl crack little success because girl prefer girl action during school shy

It does not all have to be pr0n:
spoil girl holiday camp family meat nice man fun dance girl two baby trouble doctor dad repair exotic girl dance lift dad proud match

black square box earth monkey evolve rocket travel planet space man machine destroy man lock man outdoor ugly sing scene mind

hard work copper visit wife december party man gun open vault steel gold cream evil man save hundred life man fall outside window winter

And Dumb Security Company of the day goes to…..

Argh, dammit, I can’t tell you.  But the imaginary conversation goes like this.

Me: “Hi security company, I see that you have an enterprise grade security product that my client has put at the heart of their enterprise?”

Dumb Security Company (DSC): “Yes, can I tell you about it, it’s great – it has elements that …”

Me: “No, no, please stop.  Anyway, the client tells me that your security product runs on Windows”

DSC: “Yes, that’s right we have a strategic relationship with Mi…”

Me: “Woah, thanks, got that, so my client needs to apply patches to the server that you run your product on?”

DSC: “Very good, patching is an important cyb….”

Me : “Gonna have to stop you again. But in this case your support people have told their support people that they must not install the critical OS patches or bad things might happen?”

DSC: “So stability is of para….”

Me: “Easy there tiger. So just to calibrate my BS detectors – You produce an enterprise grade security product that runs on a version of Windows that you insist cannot be patched – in this case for more than a year?”

DSC: “…”

Me: “You, a SECURITY company make a SECURITY PRODUCT and then insist that the platform is NEVER PATCHED?”

DSC: “…”

Me: “Do you KNOW how many critical issues there are for the platform that your system runs on?”

DSC: “…”

Me: “Great, nice talking to you”.

And the lesson of the day is that just because patching is hard does not mean that it does not need to be done.  Yes, you will need to regression test your product.  Get on with it.  Make fixes not excuses.

New Password Hashing Method

Dammit, Bruce Schneier had a link this month to a password hashing competition, but I was too slow.  The link is here:

In the meantime it occurs to me that one way to try and defeat GPU based cracking is to increase the complexity of the hashing process so that it's harder to pipeline the functions on the GPU.

One way to do that would be to have per user based iteration counts where the actual number of iterations is decided within the hashing process itself, by using different hashing algorithms and by re-introducing the salt at various points in the iteration process.

The hashing version would define the total iteration count and each of two hashing algorithms. V1 would use an iteration count i of 100000, SHA-512 and Whirlpool-512.

  • Take the password 'p', generate a random salt, 'r'
  • Concatenate p and r.
  • Iterate pr through Algorithm 1 for 1000 iterations to arrive at h, incrementing i each time
  • Take the last byte of h, which is unpredictable but not random, as x
  • Concatenate the salt with h to get hs
  • Iterate hs for x iterations through Algorithm 2, incrementing i each time
  • Take the last byte of h, which is unpredictable but not random, as x
  • Concatenate the salt with h to get hs
  • Go back to Algorithm 1 unless i is exceeded, in which case h is the output hash

As part of the password test, the user is required to transmit the password.  This would be a great time to change the salt!  Yes, I mean it, so at the same time as we test the password, we also make a new hash from a new random salt.  If the password test succeeded, we store the new salt and hash.

WTF?  Why are we doing that?  If attackers have regular access to our user table the passwords all change a LOT more frequently, so it's harder to tell who has really changed their password. The disbenefit is that users that log in rarely will be plainly obvious.  An additional benefit is that if there is a need to move from V1 to V2, this will be done magically at next login.

Each concatenation is a string function converting the 512 bit hash to a string and then adding another string to it.
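One reading of the V1 scheme and the rehash-on-login idea above, as an added example that is not the author's code. Assumptions: SHA3-512 stands in for Whirlpool-512 (which Python's hashlib does not guarantee), the first run is 1000 iterations and every later run is x iterations, a run length of 0 is raised to 1, the salt is prepended, and all function and field names are invented here.

```python
import hashlib
import hmac
import secrets

TOTAL = 100_000      # V1 total iteration count from the post
FIRST_RUN = 1000     # length of the first Algorithm 1 run
# Assumption: SHA3-512 is a stand-in for Whirlpool-512.
ALGOS = (hashlib.sha512, hashlib.sha3_512)


def v1_hash(password: str, salt: str) -> str:
    """Alternate two hashes in data-dependent runs, re-adding the salt between runs."""
    data = password + salt                    # 'pr'
    done, run, which = 0, FIRST_RUN, 0
    while True:
        run = min(run, TOTAL - done)          # never exceed the total count
        for _ in range(run):
            data = ALGOS[which](data.encode()).hexdigest()
        done += run
        if done >= TOTAL:
            return data                       # 'h', the output hash
        run = int(data[-2:], 16) or 1         # last byte of h as x (0 -> 1, assumption)
        data = salt + data                    # 'hs': salt re-introduced as a string
        which ^= 1                            # switch to the other algorithm


def new_record(password: str) -> dict:
    """Build the row stored in the user table, with a fresh random salt."""
    salt = secrets.token_hex(16)
    return {"version": 1, "salt": salt, "hash": v1_hash(password, salt)}


def login(users: dict, name: str, password: str) -> bool:
    """Test the password; on success replace the stored salt and hash."""
    rec = users.get(name)
    if rec is None:
        v1_hash(password, "0" * 32)           # same work for unknown users
        return False
    candidate = v1_hash(password, rec["salt"])
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False                          # failed test leaves the row untouched
    users[name] = new_record(password)        # new salt, new hash, current version
    return True


if __name__ == "__main__":
    table = {"alice": new_record("correct horse")}   # constructed sample user
    before = table["alice"]["hash"]
    print(login(table, "alice", "correct horse"), table["alice"]["hash"] != before)
```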


Certificate CA pinning

With many MITM attacks, you get fake certs.  CA pinning would help to fix this: The browser would retain a copy of every cert that it gets in a local DB and if it gets a different cert next time you visit the same domain or if the signing CA is different, it gives you a warning.  Carry on at your peril.   This kind of attack is mainly the preserve of the state sponsored threat actor: they have the resources and the clout to persuade a CA operator to sign a bogus cert and/or insert themselves in DNS traffic.

Ok, so since writing this article, I have discovered the Certificate Patrol Firefox plugin, which does exactly what I described above.  Just like almost all great ideas – someone has had it already!  If you use Firefox, go grab the plugin.

USB Firewall

I have not found one of these, but can't believe it doesn't exist: A little USB dongle that plugs into your work desktop and will charge your mobile phone but without making the desktop see your phone as a device.   Basically, connect the volts, but not the data.  Obvious really.  Someone tell me why it won't work?

Bloody Symantec are still Rubbish!

Fancy a laugh? Here is a hilarious transcript of a “support chat” with a Symantec bod showing why their customer support is the worst on the planet.  For God’s sake don’t buy anything important from these people!

Toby Seaman has entered room.

Gnanamurthy has entered room.

Email with reconnect link has been sent

If you get disconnected, click the link to reconnect to the same chat session.

Gnanamurthy You are being transferred to Gnanamurthy.

Gnanamurthy Hi, my name is Gnanamoorthy from Norton Support, how are you doing today?

Toby Seaman good thanks

Gnanamurthy I understand that you are unable to restore the backup. Am I correct?

Toby Seaman That is correct. So I have purchased Ghost version 15. I have been supplied with a .gho files and it seems that ghost version 15 does not support .gho files any more. so I think I need to download an older version of ghost.

Gnanamurthy Just in case I need to call you back, can I please have your phone number with the country and area code?

Toby Seaman UK +44xxxxxxxxxxxx

Gnanamurthy The .Gho file is from a old version of Norton. Norton Ghost 15 does not support it as it uses .V2i files.

Gnanamurthy May I know which version of Ghost is used to backup .Gho file?

Toby Seaman that’s correct, well done. So I need to restore the .gho file so I would like to downgrade the ghost version to a version which does support .gho files. this was the only reason I purchased ghost.

Gnanamurthy The old version of Norton Ghost cannot be purchased now. But I can give you the link to download the Gho explorer which you can use it to restore the files and folders from the .Gho file.

Toby Seaman no. I don’t need to explore a ghost file I need to restore it. I don’t wish to purchase an old ghost version, I want to downgrade the existing one.

Gnanamurthy I am sorry Toby. There is no option to get the old version of Norton Ghost as they are not supported now.

Toby Seaman so, I need to restore a ghost file .gho. Please escalate this issue.

Gnanamurthy You’re using an older version of Norton Ghost backup. I’m afraid that chat, email and phone support for this product has been discontinued. For assistance with this product we’d recommend that you search our online knowledge base that you’ll find here:

Toby Seaman I’ve tried that already. No joy. I don’t need product support for an older version. I know exactly what I need to do. I just want to restore a .gho file. Please tell me how to downgrade the license to a version that works.

Gnanamurthy If you have the old version of Norton Ghost that is used to create that .gho file, you can use it to restore the backup. The Ghost 15 license cannot be downgraded to the old version as they are unsupported now.

Toby Seaman I already explained that I don’t have an old version of ghost. My business uses a lot of symantec products. at this point we need to restore a .gho file image of an important device. I do not need to hear that ghost no longer supports .gho files. I need solutions. I’ve purchased the current up to date version of ghost and I want to restore a .gho file. I’m happy to download an unsupported version of ghost to do that. Please tell me urgently how to make this happen.

Toby Seaman Hello?

Gnanamurthy I understand that Toby. I do not have any other options. There are no support documents regarding the old version of Norton Ghost available. I can only help you to restore the files and folders not the entire backup.

Toby Seaman Can you escalate this issue. Presently all you are doing is demonstrating why I should never buy another Symantec product ever.

Gnanamurthy Okay Toby. I will escalate the issue to my supervisor. You will be getting the call back from him within 24 hours.

Gnanamurthy May I have your time zone along with your telephone number and country name?

Toby Seaman Are you sure this will happen? last time this was promised the call back never happened

Gnanamurthy Sure Toby. You will be getting a call back from my supervisor.

Toby Seaman Okay. In the meantime I’m completely screwed, so I will try to find a proper version of ghost which supports .gho files on bittorrent. I guess you are happy with this since you no longer sell or supply a working version of ghost?

Gnanamurthy Okay Toby. May I have your time zone along with your telephone number and country name?

Toby Seaman Ok. thanks for your permission to download an illegal copy of Symantec ghost.

Toby Seaman My phone number is 0xxxxxxxxxxxx

Toby Seaman My country is England

Toby Seaman My Timezone is GMT

Gnanamurthy Norton does not recommend to download a pirated version from internet.

Toby Seaman It’s not pirated: you just said you don’t sell it anymore and you have utterly and completely failed to assist me in my time of need. It’s not my fault that your version 15 no longer supports .gho files. So I will find a ripped off version that works, I’ll restore my image and wait for a phone call sometime in the future from your supervisor.

Gnanamurthy Is there anything else I can help you with?

Toby Seaman I’m going to put this transcript on my Blog as it shows another hilarious support failing at Symantec. Please note that you have not helped me at all so far.

Gnanamurthy I can help you if you have any issues with the Norton Ghost that you have purchased. But .Gho files are created by old version of Ghost which are unsupported and there are no support documents available. So I do not have any other options.

Toby Seaman You could try to help me find out where to get my license downgraded urgently.

Gnanamurthy There is no option to downgrade the Norton Ghost license. If there are any options available , I would be happy to provide it to you.

Toby Seaman That is crazy.

Toby Seaman here is my blog post with your company’s poor customer service recorded for all to see:

Toby Seaman

Gnanamurthy Is there anything else I can help you with?

Toby Seaman No, I’m busy searching the internet for an old copy of Ghost which supports .gho files. You have been no help whatsoever.

Gnanamurthy Thank you for contacting Norton support. Have a great day!

PS3 Root Key Broken

News just in is that the Root Keys used to sign content for the PS3 have been broken by ~geohot.

This is big news as it seems that this key is built into the hardware and can’t be changed.

More info on this issue at Kotaku.

How many 27001 standards?

Please wait for a site operator to respond. You are number 1 in the queue. Your wait time will be approximately 0 minute(s) and 30 second(s).
You are now chatting with ‘Tim’
Your Issue ID for this chat is LTK16502038781X
Tim: Welcome to our Live Chat service.  How can I help you?  Are you or your company an ANSI Member?
you: Hi there Tim. I’m looking to buy PDF versions of ISO27001 and ISO27002 but am a bit confused.
you: there seems to be quite a few versions of both starting at $30 and rising to a few hundred on your ANSI website

you: so for example there is BS ISO/IEC 27001:2005/BS 7799-2:2005 for $144

you: and INCITS/ISO/IEC 27001-2005 for $30
you: and Information Security Package 27001 for $50
you: so I’m somewhat confused.
Tim: There are many adoptions of these standards by other standard developing organizations.  The original standards have the following designations:  ISO/IEC 27001:2005 for $129 and the ISO/IEC 27002:2005 for $206.  Or, you could purchase the two original documents together in the “ISO/IEC 27001 and 27002 IT Security Techniques Package” at a discounted price of $295. 
you: um, so what is the $30 version?
Tim: The $30 version is the INCITS adoption of the ISO/IEC 27001 and ISO/IEC 27002 standards. 
you: and will be completely different?
you: or the words are the same and the header is different
Tim: We can’t say that there haven’t been changes made to the original document.  You will need to contact INCITS for clarification.  
you: but how can it be ISO27001 if they have changed anything?
Tim: That is an agreement between ISO and INCITS.  ANSI does not review the adoptions for changes.  If you’re unsure of the adopted standards, we recommend purchasing the originals by ISO.  
you: but on the INCITS Website it says that the INCITS version is ANSI approved. That’s you?
Tim: It has been ANSI approved as an adoption of the ISO/IEC 27001 and ISO/IEC 27002.  
you: so that must mean that its an acceptable document
you: i.e. ANSI considered it to be not different to the ISO version?
you: I’m just trying to work out if I’m paying $99 more for the same thing.
Tim: You will need to contact INCITS to determine if any changes have been made.  ANSI does not review the body of the standard when it is adopted.   
you: that does not make any sense. you are saying that ANSI adopts a version of a document that might be completely different to the thing it purports to be?
Tim: ANSI does not adopt standards.  INCITS adopted the ISO/IEC original document.  ANSI approved the adoption but did not review if any changes were made to the document.  ANSI is not the copyright holder of the document.  You will need to contact INCITS if you want to find out if changes were made to the document by INCITS.  
you: okay. It sounds really odd to me that from you I can buy about 5 different versions of 27001 and you don’t know what’s in any of them except the ISO version.
you: I will indeed contact INCITS
Tim: Thank you.  I’m sure INCITS will be able to answer your questions regarding their adoption of the ISO/IEC 27001 and ISO/IEC 27002.  
you: thanks Tim. This has been my weirdest conversation for many weeks!

Certificate Fingerprints

There have been some very nasty certificate based vulnerabilities announced recently and these amount to an attacker being able to act as a MITM (Man In The Middle) on pretty much any SSL conversation.  All the attacker has to do is insert themselves somewhere in your traffic chain between you and your target web site.

As these vulnerabilities turn into real exploits, you should be really really really (got the picture?) careful what sites you log into and give your personal info to.

The nature of these attacks will mean that your browser is completely fooled into thinking it is talking to the real or When spoofed, you will most likely experience normal logon and purchasing, but your details are phished for future use.  Even certificate verification checks such as CRL, OCSP Validation and path validation will work as you would expect.  Nasty.

I suggest therefore that for the next few weeks, while we see how bad this really is, you check independently the certs of all sites that you need to log in to.

I have printed out the SSL certs for the sites that I use often so I can check them for myself, but you may want to use this article which has the cert hashes for 4 common sites,,, and of course,

It would be very hard for an attacker to make the fake cert match these hashes, so that’s what you need to check. Bear in mind though this web page could be MITM attacked too, so unless you know your connection to is unspoofable, don’t trust this source either as the pictures could be replaced.

The best bet all around is for you to print out every cert you encounter for the next few weeks and every time you revisit a website, check the cert against your hard copy.  Read on for the certs.
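The "Certificate CA pinning" post and the hard-copy check described here both come down to remembering a certificate's fingerprint and signing CA per site and comparing on the next visit. An added example of that check, not from the original posts: the store layout, function names and verdict strings are invented here, the issuer name is supplied by the caller rather than parsed from the certificate, and the byte strings in the demo are constructed stand-ins for real DER certificates.

```python
import hashlib
import sqlite3


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Local DB holding one remembered certificate per host."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS pins ("
               "host TEXT PRIMARY KEY, sha256 TEXT NOT NULL, issuer TEXT NOT NULL)")
    return db


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, e.g. from getpeercert(binary_form=True)."""
    return hashlib.sha256(der).hexdigest()


def normalise(host: str) -> str:
    return host.lower().rstrip(".")


def check(db: sqlite3.Connection, host: str, der: bytes, issuer: str) -> str:
    """Compare a presented cert with the remembered one; never overwrite on mismatch."""
    host, fp = normalise(host), fingerprint(der)
    row = db.execute("SELECT sha256, issuer FROM pins WHERE host = ?",
                     (host,)).fetchone()
    if row is None:
        # First visit: nothing to compare against, so this cert is trusted as-is.
        db.execute("INSERT INTO pins VALUES (?, ?, ?)", (host, fp, issuer))
        db.commit()
        return "first-seen"
    if row[0] == fp:
        return "match"
    # Different cert: a different signing CA is the stronger warning.
    return "ca-changed" if row[1] != issuer else "cert-changed"


def accept(db: sqlite3.Connection, host: str, der: bytes, issuer: str) -> None:
    """Replace the remembered cert after the user has reviewed the warning."""
    db.execute("UPDATE pins SET sha256 = ?, issuer = ? WHERE host = ?",
               (fingerprint(der), issuer, normalise(host)))
    db.commit()


if __name__ == "__main__":
    store = open_store()
    cert_a = b"constructed stand-in for DER certificate A"
    cert_b = b"constructed stand-in for DER certificate B"
    print(check(store, "shop.example", cert_a, "Example CA One"))   # first visit
    print(check(store, "shop.example", cert_a, "Example CA One"))   # same cert
    print(check(store, "shop.example", cert_b, "Example CA Two"))   # new cert, new CA
```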



So how easy is it really to crack a WEP key?

I keep reading all those articles that decry Wireless as an insecure
pile of old pants.  I thought it would be interesting to actually
try and crack a WEP key just to see how easy it really is.

Generally I err on the side of caution so the traffic on my home
wireless network is also encrypted using SSL and there is a firewall to
prevent any old oik using my internet bandwidth.  I also use MAC
address filters and have any security options that my AP and NICS both
support turned on.

Nevertheless I thought it would be smart to try out some wireless attack
techniques.  This is the first article of a series of Practical

I began with my home network up and running normally with my AP set
not to beacon, with 128 bit WEP enabled and a single workstation
running which I’m using to surf normally etc.  MAC level security is enabled so that only designated stations can talk.

The toolkit I used to undertake this project is a security-oriented Linux
distro called Auditor.  In a second laptop with a supported NIC, I
booted the Auditor distro.

Once Auditor was booted and running, I made some writeable space; I used
the ramdisk as it seemed pretty big.  Next I set up the wireless
card into monitor mode (this is the radio equivalent of putting the NIC
into promiscuous mode: it captures everything).

The hack itself was a three stage process:

  • Start sniffing the network capturing packets to file
  • Start retransmitting sniffed packets to cause the IV count to rise
  • Once we have enough (100K+) IV packets, start a crack program to recover the WEP key using the sniffed packets as a source.

I started capturing to a file using the airodump program:

airodump ath0 capture.cap

As well as capturing to disk, it very handily showed the number of
packets captured and specifically the number of IV packets.

Next I ran the aireplay program:
aireplay -i ath0
This began capturing from the network and displayed suitable packets to
transmit.  The trick I found was to select a packet with the
correct BSSID and which was not addressed to the broadcast
address.  When the IV count did not start to go wild, I just
stopped aireplay and ran it again.

Aireplay caused me a few problems as every few hundred packets the
whole AP seemed to fall over.  The fix seemed to be to ensure that
the laptop that was using the AP remained nice and active and to limit
the transmit rate for aireplay.  Without this change the attack would not have succeeded as the IV count stopped rising.

After around half an hour of fiddling around I had 150K of IV packets captured, so I started the crack program:
aircrack -q 3 -f 2 capture.cap
Aircrack loaded the packets containing the IVs and commenced a much reduced exhaustive attack.

When I say much reduced I mean that the WEP key was printed on the screen in a little under 6 seconds.

From secured AP to open network in less than an hour.  I guess
it’s now obvious that WEP is not man enough to protect your
network.  Don’t assume that WPA is any better though.  Check
back soon for articles in this series: coming up soon is a long range attack using a high gain antenna.

TurboTas 2005

Disclaimer: Please note that I tried this technique on my own
network.  If you try this on a network which you do not have
permission to use, you risk prosecution!