Skip to main content

Benjamin Oakes

Photo of Ben Oakes

Hi, I'm Ben Oakes and this is my geek blog. Currently, I'm a Ruby/JavaScript Developer at Liaison. Previously, I was a Developer at Continuity and Hedgeye, a Research Assistant in the Early Social Cognition Lab at Yale University and a student at the University of Iowa. I also organize TechCorridor.io, ICRuby, OpenHack Iowa City, and previously organized NewHaven.rb. I have an amazing wife named Danielle Oakes.

Filtering for the month February, 2017. Clear

Google announces the first practical technique for generating a SHA-1 collision

by Ben

This is big news.

We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.

Source: Announcing the first SHA1 collision – Google Online Security Blog

The technology community still uses SHA-1 for many things.  One of the most concerning implications of this team’s technique is that it implies attacks against Git, which uses SHA-1 for every commit.  Imagine if you had a tag (a SHA-1 sum) that referred to two different sets of changes: a benign changeset on your machine and a malicious changeset on GitHub.  Then you deploy that tag and the malicious code runs instead of the code you expected.

As far as I know, such an attack on Git hasn’t been demonstrated yet, but in theory, I think you could replace a SHA-1 commit as I described.  I bet someone will demonstrate that someday.  (Think of padding files with bogus comments until you get the checksum you want.)  It would be difficult (though not impossible) to switch Git to SHA-256, but I don’t know of any efforts to do that — though Git 2.11 is starting to acknowledge that abbreviated SHA-1 checksums do collide in practice.

Will such an attack happen today or tomorrow?  Probably not; it takes a huge amount of resources right now.  However, computation is cheaper than ever; I bet attackers will start to use services like Travis CI for computations like this, like I’ve heard is starting to be done with Bitcoin mining in pull requests on open source projects.

The best mitigation I’m currently aware of is cryptographically signing your commits, and this may be a catalyst for that to become standard practice.

JWT: JSON Web Tokens

by Ben

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

Source: JWT.IO

If you think good architecture is expensive, try bad architecture

by Ben

Source: Daniel Bryant on Twitter

Black Bean, Tofu, Spinach Miracle

by Ben

Ingredients:

1 package wild rice
3 tablespoons olive oil
1 onion, diced
Spices, to taste
Garlic powder
Basil
Sage
Oregano
Thyme
Tumeric
Black pepper
Parsley
Ginger
Coriander
1 pound extra firm tofu, drained and cubed
1 package mushrooms
1 (16 ounce) can black beans, drained
1 package spinach or kale

Directions:

Cook rice according to package directions.
Heat oil in frying pan or wok over medium heat. Add onion and spices.
Add tofu and sauté.
Add mushrooms and black beans once tofu begins to brown.
Add kale or spinach.
Combine rice with the tofu mixture and simmer briefly.

Also good in spinach flavored wraps.