
HTML Core Obfuscator

It's time for the HTML of the future to give us the ability to obfuscate data in memory. If password fields were stored as obfuscated values, there would be a very low chance of password recovery by any person, of any level of skill. Plus, we wouldn't have to rely upon client-side JS to do hash obfuscation.

I suggest a simple extension to the input form element:

<input type='password' obfuscator='sha512;salt=FooFooFoo'>

We would define our own salt, or no salt, to keep the hash consistent (homomorphic) across creation and challenge.
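What the proposed attribute would have to compute, emulated in Node.js as an added example (not code from the original post or from any browser). Assumptions: the function names are hypothetical, the digest is taken over the salt followed by the password and hex encoded, only the listed SHA-2 names are accepted, and the sample password is constructed.

```javascript
// Added example: emulates the proposed obfuscator attribute; not a real HTML feature.
const nodeCrypto = require('crypto');

// Assumption: the attribute accepts only these digest names.
const ALLOWED = new Set(['sha256', 'sha384', 'sha512']);

// Parse "sha512;salt=FooFooFoo" into { algorithm, salt }. The salt is optional.
function parseObfuscator(spec) {
  const [name, ...params] = spec.split(';').map((s) => s.trim());
  const algorithm = name.toLowerCase();
  if (!ALLOWED.has(algorithm)) {
    throw new Error(`unsupported obfuscator algorithm: ${name}`);
  }
  let salt = '';
  for (const p of params) {
    if (!p) continue; // tolerate a trailing ';'
    const eq = p.indexOf('=');
    const key = eq === -1 ? p : p.slice(0, eq);
    if (key !== 'salt') throw new Error(`unknown obfuscator parameter: ${key}`);
    salt = eq === -1 ? '' : p.slice(eq + 1);
  }
  return { algorithm, salt };
}

// Value the field would hold and submit in place of the typed password.
// Assumption: digest = H(salt || password), hex encoded.
function obfuscate(spec, password) {
  const { algorithm, salt } = parseObfuscator(spec);
  return nodeCrypto.createHash(algorithm)
    .update(salt, 'utf8')
    .update(password, 'utf8')
    .digest('hex');
}

// Challenge check: compare the submitted digest with the one stored at
// creation, in constant time. It matches only if spec and password match.
function verify(storedHex, submittedHex) {
  const a = Buffer.from(storedHex, 'hex');
  const b = Buffer.from(submittedHex, 'hex');
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Constructed sample values for creation and a later challenge.
const SPEC = 'sha512;salt=FooFooFoo';
const enrolled = obfuscate(SPEC, 'correct horse battery staple');
const challenge = obfuscate(SPEC, 'correct horse battery staple');
console.log(verify(enrolled, challenge));
```

Because the digest is what gets submitted and compared, the server has to protect it in storage and in transit as it would a password.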

This can be done with JS, but that doesn't prevent malicious adware JS from exploring the DOM and reading the "value" property of an input element that is named "password".

Pretty please?

