Melissa 0xabad1dea


Keybase proof

I hereby claim:

  • I am 0xabad1dea on github.
  • I am 0xabad1dea ( on keybase.
  • I have a public key whose fingerprint is F390 1782 28A0 41E1 042F 9F9B 2B1B 8E3B 75D6 270A

To claim this, I am signing this object:


Dual EC, The Saga Continues: BUT MAYBE I’M BIASED

Bla bla bla this is my personal opinion bla bla bla.

Patents. Can’t live with violating them, can’t live without violating them. The entire concept of patented cryptography is a bit beyond what I have the energy to deal with right now. Whatever. We’re going in.

It didn’t click with me yesterday, reading the crypto news, that I had already quoted one Dan Brown with whom we are now concerned. No, not the one who wrote the novels. One of the other ones. I cited him in my timeline of trying to reconstruct where and when exactly Dual EC DRBG went so wrong. Specifically, the paper has a casual mention (bottom of page 7) that the proof of security relies on initialization value Q being random, because if it is not random, an adversary in-the-know can recover the prestates and everything’s downhill from there. Therefore – and I quote – it is generally preferable for Q to be c


Sorry, RSA, I'm just not buying it

I want to be extremely clear about three things. First, this is my personal opinion – insert full standard disclaimer. Second, this is not a condemnation of everyone at RSA, present and past. I assume most of them are pretty okay, and that the problem is confined to a few specific points in the company. However, “unknown problem people making major decisions at RSA” is a bit unwieldy, so I will just say RSA. Third, I'm not calling for a total boycott on RSA. I work almost literally across the street from them and I don’t want to get beat up by roving gangs of cryptographers at the local Chipotle.

RSA's denial published last night is utter codswallop that denies pretty much everything in the world except the actual allegations put forth by Reuters and hinted at for months by [other sources](http://li


Dear Phiharmonics,

There are a lot of wireless devices in my home and at my workplace and I believe they sometimes interfere with my research. I have some questions about whether your wi-fi energy dots could help me out in harmonizing my living spaces.

1.) What is the effective range of the harmonizing? Do they ever need to be replaced? If so, does more wifi wear them out faster?

2.) Is the harmonizing compatible with all of the IEEE 802.11 wireless standards or only b/g? And Bluetooth?

3.) They look like they're made of copper but you don't specify what, exactly, they are or what's in them. Do they still work if adhered to a conductive surface? Is it okay if they get wet?


Abadidea's Index of Weird Machines in Video Games

A "weird machine" is when user-supplied input is able to create an arbitrary new program running within an existing program due to Turing-completeness being exposed. Sometimes such functionality was deliberately included but it is often the result of exploitation of memory corruption. You can learn more at the langsec site. There is a good argument for weird machines being inherently dangerous, but this index is just for fun.

It is broken into two categories: intentional gameplay features which may be used as weird machines, and exploit-based machines which can be triggered by ordinary player input (tool-assisted for speed and precision is acceptable). Games with the sole purpose of programming (such as Core Wars) are not eligible and plugin APIs don't count. If you know of more, feel free to add a comment to this gist.

Intentional Gameplay Mechanics

View dnparsefail.c
1 2 3 4 5 6 7 8 9 10
#include <stdio.h>
#include <string.h>
/*~ demonstration of unbounded conditions and integer wrap
bugs in a real networking stack by 0xabad1dea
dnparse() is taken from the XINU operating system
slightly tweaked to compile as a unix userland thing ~*/
View rtlsdr-osx.txt
1 2 3 4 5 6 7 8 9 10
rtl-sdr build notes for OSX
using macports
sudo port install cmake
sudo port install libusb
sudo port install pkgconfig
sudo port install sox # for easy audio
git clone git://
cd rtl-sdr/
View tricksy.c
1 2 3 4 5 6 7 8 9 10
// hello clever programmers, would you like to play a game?
// where's the bug?
// by 0xabad1dea :)
#include <stdio.h>
#include <string.h>
int main() {
char input[16] = "stringstring!!!";
char output[8];
View phppasswordfunctions.txt
1 2 3 4 5 6 7 8 9 10
Here is a huge list of functions listed in the PHP manual which take an argument
which contains sensitive data, either directly or as an array element. Use it to
"audit" for statically embedded passwords in "your" codebase. Some of these are
very obscure/deprecated/whatever. The ones with "construct" in the name are
classes called in source like new foo("password");...
View vibespy.rb
1 2 3 4 5 6 7 8 9 10
# trivial skeleton script for seeing Vibe messages that have a location and range that excludes you
# tested july 3rd, 2012
require 'rubygems'
require 'rest_client'
url = ""
# new york city
lat = 40.664167
long = -73.938611
Something went wrong with that request. Please try again.