Sunday, October 16, 2011

Neutral or stability shoes? Hack into your running!


Two month ago, I sprained my ankle. Now that my ankle recovered, I feel comfortable running again. My shoes had about 200 miles on them already so I decided to buy a new pair. I went to Texas Running Company and I discovered a very geeky equipment there, and I could not resist to share it on this blog.

I am not an expert in running shoes business but from what I understand there are two types: neutral or stability. Depending on how you run, you will need one or the other. But how do you know which one is good for you? You could ask somebody to run behind you and look, or you can go the techie way. And of course, this is the way I like the best. :)

In the store, they had a camera positioned right behind a treadmill. We recorded 2 short runs (about 30 seconds for each run) and analyzed them. I was honestly very surprised by the results.

The two pictures below shows the two shoe types. On the left, I was trying neutral shoes; on the right it is stability shoes.


As you can see, my right ankle bends inward when my feet is landing with the neutral shoes. The technical term for it is actually overpronation.

Here is the video of the 2 runs.

Since this is a tech blog, I would like to share how I merge the 2 videos I got from the store. I used Avisynth and VirtualDub with the following script.


clip1=AVISource("run1.avi").AssumeFPS(5, false)
clip2=AVISource("run2.avi").AssumeFPS(5, false)
StackHorizontal(clip1,clip2)

Wednesday, August 3, 2011

Chessboard picture recognition project - part 1



Follow the discussion on YCombinator.

I like to play chess. It is challenging, it requires strategic thinking and it is a great way to clear up your mind. I also like to take my time to play it. It can take a day, a week or even a month! One day I took a picture of the game I was playing to help me to think about it later in the day. This picture gave me the idea to write an application that is capable to analyze the game picture and determine the position of each piece on the board. Maybe someday it could even determine the next best move or continue the game online.

I successfully implemented the first part of the application. This blog post describes how this program is working.


The photo on the left is the original picture I worked on.

Since I have never worked on computer vision, I started by reading about it on wikipedia. I also found a few student's research papers that put me in the right direction such as Scott Blunsden's paper and Chua Huiyan, Le Vinh and Wong Lai Kuan's paper.

The first step is to find the gridlines of the chessboard. I processed the image with a Canny edge detector and then a Hough line detector. I found a Java implementation for these algorithms from Tom Gibara's website and the Vision and Synthetic Environments Laboratory's web site.






The picture below on the left is the output of the Canny edge detector. The green lines on the right picture are the result of the Hough line detection.




The lines found on the picture above are actually the lines of the chessboard. But in some cases, the objects taken in the picture around the chessboard can bring some confusion. On the left picture, the chairs are introducing some lines that are not part of the board. To filter these lines out, I implemented an algorithm to filter 2 larger sets of lines with a 90-degree angle.



Once I got the 2 sets of 9 perpendicular lines, the program finds all the intersection points between these lines on the picture as shown on the picture on the left.

The program then finds the coordinates of each square that forms the chessboard.



At this point, I was able to isolate each square and process them separately. For example, the program is able to determine whether each square is white or black by calculating its average color and comparing it to the black and white colors. The results were correct except for one of the square because a piece of the opposite color was standing on it. Since the color of the squares of chessboard alternates, I could easily identify these errors.





What's next? I probably completed the easiest part of the project. I expect the chess piece recognition algorithm to be quite complex.

If you have a suggestion to help me finish this app, please leave a comment.

I am working on this project just for fun. If you are interested to see what are the real world applications of computer vision in the game industry, check out this web site: http://www.sportvision.com/.

Friday, June 17, 2011

Introduction to Metasploit and Armitage


Today I had a great half-day training on Metasploit and Armitage organized by our local OWASP Austin chapter and hosted by Microsoft. What I learned today was so interesting that I can't resist to share it here.

Raphael Mudge - Designer of Armitage

Metasploit is an open source penetration testing framework. It contains a database of exploits, payloads and post modules. The goal of the training was to find an exploit on a remote machine, run a payload through this exploit and execute a post module (which is what you can do after taking control over the victim's machine). Of course, you can find more detail about it on wikipedia.

Metasploit is a command line tool. To make it easier (and funnier), Raphael Mudge designed Armitage, which is a user interface for Metasploit. Here is how it looks like:
Armitage - GUI for Metasploit

When a machine on the network is comprised, Armitage illustrates it as a monitor wrapped into thunder lights. Perfect for a hacker movie:D

Here are the materials we had for this training:
The youtube video below is the screen-cast of the exercises. I show how to setup the lab environment. Then I demonstrate how to use Armitage to find and use an exploit. The video ends with a demonstration of social engineering where the attacker takes full control over the victim's computer.


When I first started Armitage, it could not connect to the database. I had to kill all ruby processes and reconnect again.Once Armitage started, you may be asked to enter your IP address. If you dont you can always set it later by running the following command in the console; it will set a global variable.

setg LHOST 10.10.10.10

Here are some interesting resources for further reading:

Tuesday, May 31, 2011

Visualization of randomness


As I was writing a function to generate random values, I realized it is hard to tell if the implemented function truly generates random values. A unit test can validate the length and the format of the generated values, but not its randomness.

To identify potential implementation flaws in my random generator, I developed the following tool.


Keep Last 100 Random Values Keep All Random Values
The chart above compares 2 random generators. It shows the frequency for each value generated. By default, the chart keeps the last 100 generated values. You can click on the radio button above the chart to keep track of all generated values.

What I expect to see from a bad random generator is an uneven distribution of the random values.

In the example above, I am comparing the 2 following JavaScript random generators. They both generate a random value from 0 to 9.
function randomGeneratorUsingFloor() { 
 return Math.floor( Math.random() * 10 ); 
}

function randomGeneratorUsingRound() { 
 return Math.round( Math.random() * 9 ); 
}
Can you spot what is wrong with the second implementation? The numbers 0 and 9 have a smaller chance to be generated compared to the other numbers. If this is not obvious on the chart above, select "Keep All Random Values", it should reveal the issue as shown in the picture below.

Math.random() generates a number between 0 and 1. The value generated is then multiplied. In the implementation using Math.floor(), all the values between 0 and 0.99.. will result as a 0. In the implementation using Math.round(), only the values between 0 and 0.49.. will result as a 0.

It appears that this is a common mistake as you can see it on Google Code Hosting and GitHub.

The test I put in place here is very basic. It exists some advanced work such as the Diehard tests. I also found a very creative randomness visualization on random-walk.com.

Monday, May 2, 2011

Why we need strong p4ssw0rds


Back in February 2011, Rick Redman from Korelogic came to present his Supercharged Password Cracking Techniques at the Austin OWASP chapter monthly meeting.

With these techniques, he was able to crack large password database in a very short time using a tool called John The Ripper. In this article, I want to present what are these techniques and what we can do to secure our identities online.

In December 2010, the media group Gawker (Gizmodo.com, Lifehacker.com) was attacked and their 750,000-password database was stolen. The passwords were encrypted with the algorithm DES, but it did not prevent them from being cracked. More recently, the Sony's Playstation Network was also being attacked. More than 75 million passwords, emails, credit card numbers and other personal data have been compromised.

The top left shows the 250 most commonly used passwords from the Gawker database. I built this word cloud with wordle.net. On the right, it is an extract of the password dictionary used by John The Ripper. I built this with a JS library called stratus. If you are currently using one of these passwords for your bank account, you should probably change it quickly!

These decrypted real user passwords not only revealed what are the commonly used passwords but also showed that many people are using the same patterns to build their passwords. Knowing these patterns, it is possible to crack passwords in a much shorter time than using a basic brute force technique.

Here is how you can customize John The Ripper (JTR) to crack encrypted passwords. Please note that I am using an unofficial build of JTR available here. First, you need to create a file containing the passwords to crack. In our example, this file is called pwd2crack.txt and here is the file content:
user1:d0763edaa9d9bd2a9516280e9044d885
user2:a8e003b1180fd689f558657079d05f5a
The file contains the passwords for 2 users: user1 and user2. The passwords are hashed using the MD5 algorithm.

To run John The Ripper, you can use the following command:
>john --wordlist=password.lst --format=raw-MD5 pwd2crack.txt
Loaded 2 password hashes with no different salts (Raw MD5 [raw-md5 SSE2 16x4])
monkey           (user1)
guesses: 1  time: 0:00:00:00 100.00% (ETA: Mon May  2 22:42:22 2011)  c/s: 469428  trying: trinity - hallo
As you can see, JTR was able to crack user1's password almost instantly because "monkey" was in its list of passwords. But JTR was unable to crack user2's password. You can try the default command using the built-in logic to guess the passwords.
>john --format=raw-MD5 pwd2crack.txt
Loaded 2 password hashes with no different salts (Raw MD5 [raw-md5 SSE2 16x4])
Remaining 1 password hash
guesses: 0  time: 0:00:00:04 (3)  c/s: 195765  trying: 39of - 3ayo
guesses: 0  time: 0:00:00:15 (3)  c/s: 2965K  trying: beteng95 - betel197
guesses: 0  time: 0:00:00:43 (3)  c/s: 5430K  trying: swoji1x - swojsem
guesses: 0  time: 0:00:00:55 (3)  c/s: 5817K  trying: ahabh9 - ahabu2
guesses: 0  time: 0:00:01:08 (3)  c/s: 6052K  trying: luk12ay - luk11io
Session aborted
After running this command for a few minutes, my computer got really hot and JTR was still not able to crack user2's password. While JTR is running, press the space bar to print in the console the progress of the operation.

One of the common patterns for password is to add a date at the end of the password, especially the current year. You can configure JTR to use its password dictionary with "2011" at the end of each entry by adding the following to the file john.ini or john.conf.
[List.External:CustomWithYear2011]
void filter() {
 /* calculate word length */
 int length;
 length = 0;
 while (word[length]) length++;

 word[length] = '2';
 word[length+1] = '0';
 word[length+2] = '1';
 word[length+3] = '1';
 word[length+4] = 0;
}
This function, written in C, alters the password to hash before it is compared to the one in pwd2crack.txt. Then you can call JTR with this customization.
>john.exe --format=raw-MD5 --wordlist=password.lst --external=CustomWithYear2011 pwd2crack.txt
Loaded 2 password hashes with no different salts (Raw MD5 [raw-md5 SSE2 16x4])
Remaining 1 password hash
monkey2011       (user2)
guesses: 1  time: 0:00:00:00 100.00% (ETA: Mon May  2 22:06:09 2011)  c/s: 25600  trying: freedom2011 - barney2011
This time JTR was able to crack the second password: monkey2011.

You can get more details about these techniques on the Korelogic website.

Here are a few tips I would recommend:
  • The passwords protecting your most valuable accounts should not be shared with other website
  • Use password that are strong and easy to remember
  • If available, use 2-factor authentication (eg: Paypal, Google, World of Warcraft)
If you are responsible of a website, you can:
  • Raise your users awareness (password strength indicator, trainings)
  • Use a strong hash algorithm to store the passwords (BlowFish)
  • Integrate a second factor of authentication