Cryptography everywhere

Halfway through my first week, I have already learned a lot of new things. Monday was pretty chill: I did some touring in the city with the secretary and got to know my boss in person. Everyone was friendly and easygoing. In the afternoon I was introduced to the company’s products and fields of business, which are smart-card systems and Public Key Infrastructures (PKI). Yesterday and today I got extensive workshop sessions from my daily supervisor. We covered A LOT.

We started off with the basic concepts and techniques of the Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE) APIs, basically the components that put security and crypto into the Java platform. I got drilled in symmetric and asymmetric cryptography algorithms, with all the flavors, going from CBC to ECB to ECC. Hybrid cryptographic concepts, signing of files and PKIs. It was overwhelming and nice to learn. But needless to say a mild headache got the better of me today. Oh, and to top it off: some of the slides were in German. Jup, German. But my supervisor was very good at explaining it in perfect English. So I had that going for me, which is nice.

Tomorrow I start on the real job, which I cannot really disclose the details of, but basically it’s penetration testing/information extraction in an Android environment. Anyhow, a very interesting start of the internship, and everybody is nice, friendly and, more importantly, they are experts in their respective fields. Simply amazing.



PS: Did you know that intelliCard forked the open-source BouncyCastle library and adapted it for Android! Awesome, I know 😀

PPS: My daily supervisor is a security wizard. The things he knows are, from my perspective, endless. He wrote a lot of useful software: take a look at the FileBrowser, simply the most useful Swiss army knife every IT guy needs. (PUN INTENDED)

Grote avonturen beginnen klein

Before I left, someone special gave me a small card with the text “Grote avonturen beginnen klein”, which in English translates to “Big adventures start small”. It couldn’t be closer to the truth. First Sunday in Switzerland, and I am simply impressed by the nature and the city. You can find photographs on my FB stream.

It started, indeed, very small. I searched for an internship online, applied, did an interview and got the internship. It all flew by so fast, and tomorrow morning it’s my first day on the job.

The surrounding nature is ridiculously beautiful. I can walk from the apartment to the side of the lake in, I think, 2 minutes. I got a flatscreen in the room, and a living room with an even bigger flatscreen. Hell, even a kitchen with a Nespresso machine 😀 (heaven on earth for computer geeks). I also got fitness machines, so no excuses there I guess.

That will be all for now. Swiss greetings,


View of the lake on 2 minutes from the apartment.

Prepping for that internship

Sooooooo. For everybody who does not follow my Facebook feed or hasn’t heard from me in the last couple of months: I will be doing an internship in Switzerland for two months. I will probably be blogging about my stay in Switzerland a lot, so anybody interested can subscribe or just follow Twitter or FB for updates about this blog.

Now that we got those administrative messages out of the way, my first actual blog post about my internship. I am still at home, prepping like a maniac for my first long stay abroad. Luckily my mom is doing the major part of the ‘work’, so my part of the job is reduced to saying: “yes I need that” or “no mom, I have enough of those things already”.

I’ll be driving to Switzerland Saturday morning; my parents are accompanying me and will drop me off safely at the apartment. Yes I am spoiled, no I am not ashamed of having lovely parents ;-).

The internship itself is situated in the field of security engineering, penetration testing and (big surprise) Android development. Not necessarily in that order. I am very excited for my first work experience in these major fields, which are undoubtedly the most interesting ones for me. I have been interested in security since we had a computer with Windows 95 and my dad had put a password on it. I wanted to bypass the goddamn thing, which gave birth to my (healthy) interest in cyber security. The Android part of my geek personality started 5 years ago, when I bought my first Android device, which kickstarted my enthusiasm and passion for this mobile piece of art of a platform. I think it’s pretty clear that I am very excited to learn a lot in these fields, things I cannot possibly learn in an academic environment.

What can you expect from this blog for the next two months? Probably pictures and stories about my stay, not much about my internship or technical details since I signed NDAs and I don’t want to risk leaking critical information. Look at me, all acting mature and responsible.

Signing off here for now. The next blog post will probably come from a Swiss IP address.



Interviewing at Google

Yesterday I had two technical interviews for a software engineering internship position at Google. This article is an attempt to motivate people to apply and tell them what to expect. So, here we go.

The first Google engineer called me around 14:30. The connection was not optimal from the interviewer’s side, so instead of a phone interview we had a Google Hangout interview. We shared a Google Docs document where I had to write all my code (yes, a plain and simple Google Doc).

The interviewer was nice to talk to; his first question was: “What made you apply at Google?”. Well, everybody knows that I am an Android geek/enthusiast/dreamer. So that was my answer. Also, interning at Google will give you experience in the field which you cannot possibly learn in school. Things like, for example: scaling of systems, coping with huge datasets, an extremely large codebase, etc. After that we proceeded towards the first question, which was something like this:

Question 1: Assume you have a sentence represented by a string object. Write a function (in Java) that will swap all vowels with a vowel at the end of the sentence, so for example: “United States” => “Enated Stitus”.

Basically the approach here is to work with an array of characters and work your way down the sentence using 2 pointers. One pointer points to a vowel in the left half of the string, the other to a vowel in the right half. Once the right pointer is smaller than the left pointer, the work is done and you can return the string.

I did OK on this question; I had a little bug with my pointers, which were incremented in the wrong place. But the interviewer pointed me to it, and I resolved it rather quickly.
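The two-pointer approach described above, as an added example that is not the author’s interview code. It is written in Python rather than the Java the interviewer asked for, and it assumes only the ASCII vowels a, e, i, o, u count; the pointers advance only after a swap, which is the detail that is easy to get wrong, and the case of each slot is preserved so that “United States” becomes “Enated Stitus” exactly as in the post.

```python
# Added example: reverse the order of the vowels in a sentence in place,
# using one pointer scanning from the left and one from the right.
VOWELS = set("aeiouAEIOU")   # assumption: only ASCII vowels count


def swap_vowels(sentence: str) -> str:
    """Return the sentence with its vowels in reverse order.

    Consonants, spaces and punctuation stay where they are; a vowel that
    lands in an upper-case slot is upper-cased (and vice versa), so
    "United States" -> "Enated Stitus".
    """
    chars = list(sentence)           # mutable array of characters
    left, right = 0, len(chars) - 1

    while left < right:
        if chars[left] not in VOWELS:    # move left pointer to next vowel
            left += 1
            continue
        if chars[right] not in VOWELS:   # move right pointer to previous vowel
            right -= 1
            continue
        # Both pointers rest on vowels: swap them, keeping each slot's case.
        a, b = chars[left], chars[right]
        chars[left] = b.upper() if a.isupper() else b.lower()
        chars[right] = a.upper() if b.isupper() else a.lower()
        # Only now step both pointers inward (stepping on every pass is the
        # off-by-one bug that skips vowels).
        left += 1
        right -= 1

    return "".join(chars)
```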

Question 2: Write a class called CollectionsIterator that is capable of iterating over a set of iterators. Make sure this class can hold Iterators of any type.

The interviewer thought this was the difficult question, but I found it easier than the string traversal. The approach is, again, rather easy. Create a class that implements the Iterator<E> interface. Use a field for a current_iterator and a field for the main_iterator. The main_iterator will loop over all the iterators and the current_iterator is the one that is providing the elements of a certain collection in the set of collections. Sounds easy, but tricky when implementing the hasNext() method. In the end, my first solution was perfect and that concluded the first interview.
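The CollectionsIterator design described above, as an added example in Python (not the author’s Java solution). It mirrors the Java Iterator contract with has_next() and next() on top of a main_iterator and a current_iterator, and it shows the part the post calls tricky: has_next() has to skip any number of empty inner iterators without consuming an element it has already found, and calling it twice must not change the answer.

```python
# Added example: chain a sequence of iterators behind one Iterator-like
# object with has_next()/next() semantics.
from typing import Generic, Iterable, Iterator, Optional, TypeVar

E = TypeVar("E")
_SENTINEL = object()   # marks "no element buffered"


class CollectionsIterator(Generic[E]):
    """Yield the elements of every inner iterator, in order, of any type E."""

    def __init__(self, iterators: Iterable[Iterator[E]]) -> None:
        self._main_iterator = iter(iterators)              # walks the iterators
        self._current_iterator: Optional[Iterator[E]] = None  # supplies elements
        # One-element lookahead so has_next() can probe inner iterators
        # (possibly skipping empty ones) without losing the element it finds.
        self._lookahead: object = _SENTINEL

    def has_next(self) -> bool:
        if self._lookahead is not _SENTINEL:
            return True                                    # already buffered
        while True:
            if self._current_iterator is not None:
                try:
                    self._lookahead = next(self._current_iterator)
                    return True
                except StopIteration:
                    self._current_iterator = None          # exhausted: move on
            try:
                self._current_iterator = next(self._main_iterator)
            except StopIteration:
                return False                               # no iterators left

    def next(self) -> E:
        if not self.has_next():
            raise StopIteration("no more elements")
        value, self._lookahead = self._lookahead, _SENTINEL
        return value  # type: ignore[return-value]

    # Python iterator protocol, so the class also works in a for loop.
    def __iter__(self) -> "CollectionsIterator[E]":
        return self

    def __next__(self) -> E:
        return self.next()
```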

After a 15-minute break I got the second interview. This one was by phone and again on a shared Google Doc. This interview did not go as well as the first one. The question was also more difficult than the first one.

Question 3: Write a function that takes as input a list of strings and will print to stdout the strings that are rotationally equivalent, line per line. So all strings on one line are rotationally equivalent.

I struggled the most with this question, due to the fact that the interviewer started with the question: “Do you have any experience with rotation ciphers?”. Sure, I knew what they were, but I had never really implemented one, so I didn’t know all the details about them. This threw me off a bit, but in the end you didn’t need to know exactly how they work, just the notion of how a string can be rotated over the alphabet.

So the approach I took for this question was looping over the strings and computing their fingerprint. Basically the fingerprint(String s) function should be a function that returns the same string for every rotationally equivalent string. This can be achieved by using the convention that the first character of every string should be ‘a’. So we calculate the distance from the current first char to ‘a’ (only taking into account the chars a-z) and we rotate the whole string over this distance. We then use a HashMap to store a mapping “fingerprint -> set<rotationally equivalent strings>”. In the end we write a prettyPrint() method which will iterate over the map and print out one set of rotationally equivalent strings per line.
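The fingerprint approach described above, as an added example in Python (not the author’s interview code). Two strings are rotationally equivalent when one is the other shifted by a constant amount around the alphabet, i.e. a rotation (Caesar) cipher of the other; rotating every string until its first letter is ‘a’ gives a canonical form shared by the whole class. It assumes lowercase a-z input and leaves other characters untouched; groups keep the order in which their members were first seen so the output is deterministic.

```python
# Added example: group strings by rotational equivalence via a canonical
# fingerprint, then render one equivalence class per line.
from collections import defaultdict
from typing import Dict, List


def rotate(s: str, shift: int) -> str:
    """Shift every lowercase letter of s by `shift` places around a-z."""
    out = []
    for ch in s:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)          # assumption: non-letters are kept as-is
    return "".join(out)


def fingerprint(s: str) -> str:
    """Canonical form: rotate s so that its first letter becomes 'a'."""
    for ch in s:                    # the first letter decides the shift
        if "a" <= ch <= "z":
            return rotate(s, -(ord(ch) - ord("a")))
    return s                        # no letters at all: nothing to rotate


def group_rotations(words: List[str]) -> Dict[str, List[str]]:
    """Map fingerprint -> the strings that share it (one class per key)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for w in words:
        groups[fingerprint(w)].append(w)
    return dict(groups)


def pretty_print(words: List[str]) -> str:
    """One line per equivalence class; returned (not printed) so it can be checked."""
    return "\n".join(" ".join(members) for members in group_rotations(words).values())


if __name__ == "__main__":
    # Constructed sample input: "bcd"/"zab"/"xyz" are rotations of "abc",
    # "ifmmp" is "hello" shifted by one.
    print(pretty_print(["abc", "hello", "bcd", "ifmmp", "zab", "xyz"]))
```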

I needed some help; the interviewer, for example, pointed out to use a fingerprint method. After this I came up with the whole solution. A last question was what I thought was good/bad about my approach. At this point I perfected my code and explained why I used some data structures (like hashmaps and sets).

In the end it was a pleasant experience, much better than interviewing at Facebook. I have a good feeling, but if I don’t make it now, I can’t really be sad as I couldn’t do much more. At least I’m chasing dreams, as everybody should do!



I am hacked, so what ?

Often I hear people say they don’t really bother with security on their computers or smartphones. Very often those people use arguments like “I don’t have important information” or “I know what I do, I don’t need protection”.

Now, what truly bothers me is the fact that people don’t look beyond their own interest. They don’t know that once one of your accounts is hacked, your friends are vulnerable to cyber crime too. Since the rise of social networks, one technique in particular is widely used and has always been the most exploited: it’s called social engineering.

Proof of concept: Imagine your Facebook account gets hacked. The attacker controls your login and can use your entire account. At this point, if you have no personal information on your account because you’re just using it to browse Facebook, you’re lucky. But the chances of that being true are, well let’s face it, very small. Everybody that has a Facebook account puts certain private information online, for (hopefully, if you used the correct settings) all of your friends to see.

The cracker now has enough information to take over your identity, combined with other information coming from search engines. He monitors your Facebook account and sees your friend updating his status: “Excited, just bought a new laptop online”. Chances are the attacker will send your friend an e-mail, impersonating the staff of PayPal or some credit card company. A lot of people are fooled into giving up their CC info by this method, called ‘phishing’. In particular your friend is vulnerable as he has just bought something online, so for him it’s easy to assume something went wrong with his payment, and hence he answers the mail.

The attacker goes on and sends something to your friend: ‘Hi man, check out this photo of you, took it last night at the party.’ Chances are your friend is now infected with a trojan horse or a keylogger.

I hope the bigger picture becomes clear: once an account of yours gets compromised, you don’t only risk your own identity and safety but also those of the people you’re connected to, as the attacker now has the ability to use your trusted reputation to perform his attacks.

Some tips:

– Never, ever, ever, …, surf to unencrypted sites when using a public AP. Always use the https:// prefix when supported. This gives some protection against sniffing of your passwords.
– Never, ever, ever, …, give up CC info in mails. Companies will never ask you for that. The same holds for login credentials.
– Never, ever, ever, …, follow a link without checking the URL. A link like is probably a trap.
– Always use a firewall. Experienced crackers can circumvent this, but at least you’re protected against script kiddies.
– Always use anti-virus in the unfortunate event you’re bound to use a Windows system ( :p ).

Maybe a more technical post is coming in the future that explains how crackers can circumvent your firewalls and anti-virus systems.



Why I didn’t get the Internship at Facebook

So last Friday I had a big opportunity to get an internship at Facebook. I made it to the final round and had to do one last technical interview.
Those are not the most fun to do, but hey, I took a shot. It was pretty clear that the data structures I learned about in my first bachelor year needed some dusting off.

I had my first exam Friday morning and was stressed to the max; afterwards I tried to prepare for the interview by doing some exercises from “Cracking the Coding Interview”. Excellent book, I would really recommend it. In the evening at 21:16 an American landline number showed up on my cell screen. Jup, there it was.

The interview started rather chill and the engineer (awesome guy btw) at the other end of the line asked about what drives me to become a software engineer, and what I considered the less fun parts of being a software engineer (CLASS DIAGRAMS!). We continued on to the technical part; oh boy, stress was building up.

So the question was:

Consider a professor that wants to check two paper assignments from two different students for cheating. Design a function hasCheated(String s1, String s2, int N) that returns true if the two papers, represented by the strings, have common content of at least length N.

I think I went into limbo. For the first 5 minutes I had visualized what I wanted to do, but it felt like I had forgotten how to code. The engineer calmed me down and said to just start with a naive approach. So I started and came up with an O(n^3) approach, the worst algorithm I had ever written. But now I started to feel confident again, and I improved the code to an average linear complexity. The engineer then told me to imagine that String.contains() and String.substring() do not exist in Java and you only have an array of characters: implement these functions and reflect again on your complexity.
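The hasCheated(s1, s2, N) question above, as an added example in Python (not the author’s interview code) that walks the same path the interview took: a naive nested-loop check, then an average-linear version that rolls a polynomial hash over every length-N window of s1, stores those in a set, and looks up each window of s2. Both work on characters by index only, as the interviewer required; hash hits are re-verified character by character so a collision can never yield a false positive. Function names and the hash parameters are my choices.

```python
# Added example: detect shared content of length at least n between two
# texts, naive (cubic) and Rabin-Karp style (average linear).
from typing import Dict, Iterator, List, Optional, Tuple


def has_cheated_naive(s1: str, s2: str, n: int) -> bool:
    """O(len(s1) * len(s2) * n): compare every window pair character by character."""
    if n < 1:
        raise ValueError("n must be at least 1")
    for i in range(len(s1) - n + 1):
        for j in range(len(s2) - n + 1):
            k = 0
            while k < n and s1[i + k] == s2[j + k]:
                k += 1
            if k == n:
                return True
    return False


def _windows(s: str, n: int, base: int, mod: int) -> Iterator[Tuple[int, int]]:
    """Yield (rolling_hash, start_index) for every length-n window of s."""
    top = pow(base, n - 1, mod)          # weight of the character leaving the window
    h = 0
    for i, ch in enumerate(s):
        if i >= n:                       # drop the oldest character before shifting
            h = (h - ord(s[i - n]) * top) % mod
        h = (h * base + ord(ch)) % mod
        if i >= n - 1:
            yield h, i - n + 1


def common_substring(s1: str, s2: str, n: int) -> Optional[str]:
    """Return one shared substring of length n (the evidence), or None.

    Every window of s1 is hashed once and stored; every window of s2 is
    hashed once and looked up. Candidates are confirmed by index comparison,
    so a hash collision only costs time, never correctness.
    """
    if n < 1:
        raise ValueError("n must be at least 1")
    if n > len(s1) or n > len(s2):
        return None
    base, mod = 257, (1 << 61) - 1       # assumption: any large prime modulus works
    seen: Dict[int, List[int]] = {}
    for h, start in _windows(s1, n, base, mod):
        seen.setdefault(h, []).append(start)
    for h, start in _windows(s2, n, base, mod):
        for cand in seen.get(h, ()):
            if all(s1[cand + k] == s2[start + k] for k in range(n)):
                return s2[start:start + n]   # slice only to report the match
    return None


def has_cheated(s1: str, s2: str, n: int) -> bool:
    """Average O(len(s1) + len(s2)) answer to the interview question."""
    return common_substring(s1, s2, n) is not None
```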

After 30 minutes of coding we stopped and he asked if I had questions for him, about his work, life, ...

Hell yeah! How often do you get a chance to speak with a Facebook engineer? So I asked him how they handle the massive scaling issues at Facebook (he is on the memcache team) and what a typical day at the office looks like. After that my time was up; I was on the phone for about 50 minutes. Pretty exhausted and glad the day ended.

And about half an hour ago I got a message that my technical skills were not quite at the level they expect from their interns. But the engineer stated that he would certainly recommend re-applying next year, as I finish my master’s degree then. (I can go straight to the last round, jeej!) I don’t feel I could have done more; maybe on a day where I didn’t have an exam and only had to stress about the interview, the conditions would have been better. As I look back now, I could implement this without a problem and choose better data structures than the ones I used during the talk. But things went how they went, and I’m already glad I had this huge experience!

Prior to Facebook, I already had an awesome offer in Switzerland which is more security related than what I would be doing at Facebook. So I’ll spend my summer in Switzerland, which is also very cool, especially doing an internship that contains all aspects of my (cyber) passions: Android and Security!



Why dreams are worth chasing in 2014.

Exams, exams, exams, yet writing a blog post is ideal for taking a break from the books. What follows is maybe something people did not expect to read from me, as it is a rather personal blog post.

The last couple of weeks a lot has changed and a lot is happening in my life. Some things are changing for the good, others I wish I saw changing differently. But what became apparent is the fact that we should build our own happiness.

Sure, you could wish somebody a happy 2014. But in the end what are you really wishing him? You’re wishing the person that he can do stuff which makes him feel happy. For me the ideal way to feel happy is to work and try to achieve dreams. You make your own opportunities for achieving your dreams; don’t wait and think “Wish I could do that” or “In order to achieve my dreams, X has to happen”. Yeah, you’ll fail one time, two times, maybe even a hundred. But in the end isn’t that better than not trying at all?

For me, one thing is sure. The coming week is one big step towards a personal dream and I’ll take every chance; I worked hard for it and sacrificed a lot of things/moments for it. Yes, the chances are not really in my favor, but hell, at least I can say I tried.

Work on dreams, and make yourself happy. Nobody else will do it for you. Now back to my books !



Android systems, secure or not?

By the end of this current year, 1.4 billion smartphones will be in use: 798 million of them will run Android, 294 million will run Apple’s iOS, and 45 million will run Windows Phone, according to a new study by ABI Research.

Source: BusinessInsider

This is an incredible number of smartphone users connected to the big wide web. But how secure are they? Is it possible for a mobile operating system to be secure? Or is it insecure from the roots up?

As you might already guess, I will only be covering the Android part; not surprisingly, they have the bigger market share. So, how do you ‘test’ a secure mobile system?

A system can be locked down extremely, but this can have an impact on the user friendliness; where do you draw the line? How do we test if a given Android system is secure? Do we forget the user friendliness or do we consider the bigger picture: a secure, user-friendly Android system? I think considering the bigger picture is a more realistic approach, as it includes the user’s behavior, which makes up a great part of the system’s security.

Let’s take a look at the security mechanisms Android has implemented for safe distribution of applications. Android applications are shared through the Google Play Store. Android has two important security mechanisms which involve the distribution and installation of apps in order to protect the installing user from malicious actions:

  • applications need to be signed
  • applications need permissions to access phone functions

Applications need to be signed with a special unique key that a developer can obtain. The signing of an application can be thought of as providing the application with a digital certificate. With this certificate Android aims at establishing trust relationships between applications. For example, consider an app which we call “AppX”. When “AppX” is first installed, it is signed with a specific private key. If the developer upgrades “AppX” to “AppX2”, he needs to use the same key which he used to sign “AppX”. This creates a trusted relationship between “AppX” and “AppX2”, because only the developer that holds the key for “AppX” can develop an upgrade for the app. But is this waterproof?

Probably you know the answer already, because otherwise I wouldn’t have hinted at it. Well, no, this is not waterproof. A rather invasive bug was found in the signing process.

The core issue is that Android package (APK) files are parsed and verified by a different implementation of “unzip a file” than the code that eventually loads content from the package: the files are verified in Java, using Harmony’s ZipFile implementation from libcore, while the data is loaded from a C re-implementation.

The way that these two implementations handle multiple files with the same name occurring in the zip file differs. The way the Java implementation reads the file is that it goes through the “central directory” and adds each entry to a LinkedHashMap. The key the entry is stored using is the name of the file.

Later, the PackageParser goes through each entry in the zip file, verifying that the file was signed with a consistent signature. This code iterates over the LinkedHashMap. The result is that only the last entry with a given name is considered for signature verification: all previous duplicates are discarded.

Source: Saurik
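A defender’s check for the inconsistency Saurik describes, as an added example in Python that is neither from the post nor from Saurik’s write-up. It reads the ZIP central directory directly and reports every name that occurs more than once, because a verifier keyed on file name (a LinkedHashMap, where the last entry wins) and a loader that picks a different entry of the same name will not agree on what was signed; a package with duplicate names should simply be rejected before any signature check. The sample archive is constructed in memory and is not a real APK; the signature and file names in it are illustrative only.

```python
# Added example: walk a ZIP central directory by hand and flag duplicate
# entry names, then show what a name-keyed (last-wins) map would have seen.
import io
import struct
import warnings
import zipfile
from collections import OrderedDict
from typing import Dict, List, Tuple

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDFH_SIG = b"PK\x01\x02"   # central directory file header


def central_directory(data: bytes) -> List[Tuple[str, int]]:
    """Return (name, local_header_offset) for every central directory entry, in order."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a zip file: no end-of-central-directory record")
    # EOCD layout: sig, disk no, cd disk, entries on disk, total entries,
    # cd size, cd offset, comment length (22 bytes).
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("corrupt central directory")
        # Fixed header is 46 bytes: name/extra/comment lengths at 28..33,
        # local header offset at 42..45.
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        local_off = struct.unpack("<I", data[pos + 42:pos + 46])[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def duplicate_names(data: bytes) -> Dict[str, List[int]]:
    """Names that appear more than once, with the local-header offset of every copy."""
    seen: Dict[str, List[int]] = {}
    for name, off in central_directory(data):
        seen.setdefault(name, []).append(off)
    return {n: offs for n, offs in seen.items() if len(offs) > 1}


def last_wins_view(data: bytes) -> "OrderedDict[str, int]":
    """What a name-keyed map sees: only the final entry for each name survives."""
    view: "OrderedDict[str, int]" = OrderedDict()
    for name, off in central_directory(data):
        view[name] = off               # a later duplicate silently replaces the earlier one
    return view


def build_sample_zip() -> bytes:
    """Constructed sample: the same name stored twice with different contents."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")   # zipfile warns about the duplicate name
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", b"first copy (constructed sample)")
            zf.writestr("classes.dex", b"second copy of the same name")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("entries:", central_directory(sample))
    print("duplicates:", duplicate_names(sample))
    print("name-keyed view:", dict(last_wins_view(sample)))
```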

This is a rather technical explanation of the bug, so a more noob-friendly explanation follows. As .APK files are nothing more than JAR files, this is where the problem lies. JAR stands for Java ARchive, a sort of folder with all your Java code. If you want to ensure the integrity of a JAR as a self-contained entity such as an Application then the ability to sign individual files is not a requirement. In fact it is difficult to see in what circumstances the ability to sign individual files and only individual files could be a requirement.

Because it is only possible to sign individual files, a signed JAR is really nothing more than a collection of files which may or may not be signed and the verification of a signed JAR is a very convoluted way of determining into which category each file belongs. All of which leads us to the question of what signed JARs are actually for?

The ability to package files in this way was presumably considered useful when the specification was produced but it is clear that it is a decidedly sub-optimal way of attempting to ensure the integrity of an Application made up of a number of files which have been packaged as a ZIP file.

While signed JARs undoubtedly constitute a flexible mechanism for doing something, it’s just not clear what, they do so at a cost.

As we have seen the cost is the complexity of the verification process and the inconclusiveness of the result.

The process of verification is ridiculously complicated and consequently dangerously error-prone which is not what you want from something which is a key part of ensuring the security of your platform. (Source: Simon Lewis)

Now, what can a user do about this? Not much, actually. The bug has been known for some time now; the only action Google has taken so far was to change something in the .APK submission process in the Play Store. A fix for the devices is coming with Android 4.3. Older devices need to install the CyanogenMod custom ROM. They have included the 4 LINE BUGFIX, which Google failed to deliver OTA.

Next up on the list was “Permissions”. Every app needs specific permissions to access phone functions. As an example I will include the permissions the app I am currently developing needs:

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_INTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_LOGS"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="" />

These permissions look like they’re asking a lot, but the only access they give to the phone is:

  • The use of internet
  • Ability to write to the SD card (= caching images) and internal memory (= for settings)
  • Read the error log on crash to send back a detailed error log to me
  • Google Cloud Messaging service
  • Accessing the network state, to check if there’s an internet connection
  • And wake lock: my app uses a service that needs to run with or without the app running, so the service needs a wake lock

These permissions will be shown to the user upon install. So this is the part where the user’s common sense plays a big part. If you want to play a game and the game asks for a whole list of permissions, the game is usually spyware. It will collect as much info as it can and will send it back to a server. The maintainers of this server will sell the information to advertising companies. So reading through the permissions is not time lost, as they can be pretty invasive on the privacy of the phone user.

So I did not reach a conclusion, as it is a whole research topic on its own (maybe a master thesis? 😉 ). But I hope I gave some pointers that there’s a huge gap between user friendliness and optimal security of a mobile system. Any comments or questions, shoot!

Help, my child is on Facebook!

Often I get the question: “What is your view on online privacy with all those social networks invading it?”. Well, in short I usually answer it with: “Dangerous if you don’t know how to use it. Easy, awesome and interesting when used correctly.” I will only focus on the dangers, because I think everybody knows how awesome and interesting social networks are when used safely.

Connected with the world

People usually forget they are connected with the internet, and by extension to almost the whole world. The internet is a rather dark place. However, you should not fear it, but you should travel it with a torch in your hand. How does this relate to Facebook, you may ask? Well, Facebook is connected through the internet; without the internet Facebook would not exist. I find it ridiculous how a ten-year-old can make an account and connect with almost 2 billion people with a few clicks of a button. Aight, I hear you, it’s not Facebook’s fault. I agree, but some things must change in society’s view on social networks.

Dark corners of Facebook

Parents should be aware of the dangers a social network can have. Children are the most likely to fall for phishing attacks. Hackers are constantly lurking on children’s forums trying to get login information. A sentence often used: “Omg, is this you in this photograph?!” Sounds familiar? Hackers are interested in this information for the sole purpose of selling it to a criminal organization, more specifically to child traffickers. They use the info from these profiles to generate false passports. Nowadays a Facebook profile is almost a blueprint of someone’s life. This is dangerous in many ways, not to forget for personal attacks on victims or robberies.

Children should be taught how to use social networks. Chances are that if you ask children in a classroom: “Who has a Facebook profile?”, almost everybody puts their hand up.

I am disgusted

I am disgusted with the educational organization in my country, Belgium. Mainly, we have two kinds of schools: public state schools and Catholic schools. I was shocked by the latter. They cancelled the IT course and defend it by saying it should be integrated into the other courses. I agree with the fact that it should be integrated into different courses. But I am strongly, STRONGLY recommending to have additional hours of IT course. TEACH CHILDREN TO USE A COMPUTER. What better way to teach children about the dangers of social networks than in schools? They should know how to safely use a computer in general. Children should not be the victim of a retarded ideology (Yes! I am looking at you, Catholic education).

I simply cannot understand how a society so entangled with computers does not educate its children appropriately when it comes to cyber security. *sarcasm* The fact that I had to teach my IT teacher what PHP was in my 3rd year of secondary school is totally beside the point. */sarcasm*

It’s our duty

It’s our duty, as a parent, brother, sister or teacher, to educate our children. People should understand what impact computers can have on our lives. Privacy is a valued thing that needs, nay demands, protection. The era when computers were for the rich is behind us. Almost everybody has access to a computer, yet few have an appropriate basic understanding of how to use it safely. Reach out to me with any questions or comments. Please share this idea with others, whoever you think should know this.

BBJam 10: Day 1

Hi guys, what’s up!? First blog post in a long time, will be a short one though. Here’s what happened today:

First up we took the Eurolines bus that took us to Amsterdam after a 3.5-hour bus ride. After that we arrived at the Sarphati hostel and dropped our bags. (I get a free room the next time I come if I mention them in my blog 😉 )

The BlackBerry Jam 10 reception and TweetUp started around 5 p.m.; here we talked with several BlackBerry partners over a beer. Some interesting partners were there, with a lot of interesting content. For example:

Marmalade: A framework to port any C++ code to Android, iOS, BlackBerry or Windows. Without overhead or loss of performance, they claim. Hard to believe, but okay.

Application Developer Alliance: A community where you find everything you need to know about building, funding and distributing web apps or mobile apps. Free membership for now, so subscribe!

Further, there were also: Sencha, Unity 3D, Evernote, TenCode and many more.

This took pretty much the whole evening, and was interesting. Excited to start the real work tomorrow at 10:30 a.m.; more coverage to come! Keep an eye on Twitter if you want to know my thoughts and see things live from BlackBerry 10 Jam Europe 2013, Amsterdam.

Cheers !