Stories with Tag Decryption

• Block YouTube ads on AppleTV by decrypting and stripping ads from Profobuf (2022)

  permalink

  Posted: 2025-03-18 07:59:50

  Verbose tl;dr

  This blog post details a method for blocking YouTube ads on Apple TV by intercepting and manipulating encrypted traffic using pfSense, a firewall and router platform. The author leverages pfSense's ability to decrypt TLS/SSL traffic, then uses a custom Python script to parse and filter Google's Protocol Buffer (protobuf) messages, removing the components associated with advertisements before re-encrypting and forwarding the modified traffic to the Apple TV. This approach eliminates ads without relying on DNS blocking or other methods that YouTube might easily circumvent. The post provides a detailed explanation of the setup process, including installing necessary packages, configuring pfSense, and implementing the Python script.

  This blog post by Eric Draken details a complex method for blocking YouTube advertisements on Apple TV by intercepting, decrypting, and modifying the network traffic responsible for delivering those ads. The core issue stems from YouTube serving ads within the same protocol buffer (protobuf) stream as the video content itself, making simple blocking based on URL or domain insufficient.

  Draken's approach leverages pfSense, an open-source firewall and router distribution, as the primary tool for manipulating this traffic. The process begins with configuring pfSense to act as a transparent proxy, effectively intercepting all network traffic flowing to and from the Apple TV. This interception allows pfSense to analyze the data passing through.

  Since YouTube utilizes HTTPS, the encrypted traffic must be decrypted to analyze the protobuf messages. This decryption is achieved through a man-in-the-middle (MITM) attack, where pfSense intercepts the SSL/TLS handshake and presents its own certificate to the Apple TV, effectively posing as the YouTube server. To facilitate this, the root certificate authority (CA) generated by pfSense needs to be trusted by the Apple TV. Draken explains the process of generating and installing this certificate.

  Once decrypted, the traffic, specifically the protobuf messages containing the video stream and embedded ads, is accessible. Draken utilizes a Python script executed by pfSense, leveraging the python-protobuf library. This script parses the intercepted protobuf data, identifies messages pertaining to advertisements, and effectively removes or "strips" these messages from the stream before forwarding the modified, ad-free stream to the Apple TV.

  The blog post provides detailed instructions on setting up the necessary pfSense components, including the installation of required packages, configuration of the transparent proxy, and setup of the SSL/TLS interception. It also includes the Python script responsible for protobuf manipulation, meticulously explaining the logic behind identifying and removing the ad-related messages. The post highlights the complexity involved in decoding and manipulating protobufs, demonstrating how different protobuf definitions are required based on factors like video resolution and other stream parameters. Furthermore, Draken addresses the maintenance aspect of this method, acknowledging the need to update the protobuf definitions and Python script as YouTube evolves its ad delivery mechanisms. He suggests strategies for maintaining effectiveness, such as monitoring logs for errors and adapting the script to changes in YouTube's protobuf structure.

  • YouTube
  • ad blocking
  • AppleTV
  • pfSense
  • Decryption
  • Protobuf
  • Proxy Server
  • TLS Interception
  • network security
  • Ad Removal
  • 2022

  Summary of Comments ( 385 )
  https://news.ycombinator.com/item?id=43396735

  Verbose tl;dr

  Hacker News commenters generally express skepticism about the effectiveness and practicality of the described method for blocking YouTube ads on Apple TV. Some doubt the claim that all YouTube ads are served via protobuf, suggesting the method is likely to break frequently. Others point out the resource intensiveness of decrypting and re-encrypting TLS traffic on less powerful hardware like the Apple TV. Several commenters propose alternative ad-blocking solutions like Pi-hole or NextDNS, arguing these are simpler and more robust. The privacy implications of MITMing TLS traffic are also raised. While some acknowledge the cleverness of the approach, the consensus leans towards it being more of a proof-of-concept than a practical, long-term solution.

  The Hacker News post discussing the blog post about blocking YouTube ads on AppleTV by decrypting and stripping ads from Protobuf has a moderate number of comments, sparking a discussion around the effectiveness, ethics, and technical aspects of the approach.

  Several commenters express skepticism about the longevity of this method. They predict that Google will likely adapt and change its ad delivery system, rendering this specific decryption technique obsolete. This cat-and-mouse game between ad blockers and ad providers is a recurring theme. Some even suggest that Google might intentionally introduce breaking changes to specifically target this method, while others take a more neutral stance, viewing it as an inevitable evolution in the arms race between ad blockers and platforms.

  The legality and ethical implications of bypassing ads are also debated. While some argue it's within the user's right to control their viewing experience, others point out that YouTube's terms of service likely prohibit such manipulation. This leads to a discussion about the broader issue of ad-supported content and the balance between user experience and content creator compensation.

  Technical details of the implementation are discussed, with some questioning the efficiency and potential side effects of decrypting and re-encrypting the stream in real-time, particularly on less powerful devices like the AppleTV. The use of Protobuf for ad delivery is also mentioned, with some commenters expressing surprise or noting its prevalence in Google's infrastructure.

  Alternative ad-blocking methods are suggested, including Pi-hole and other DNS-based solutions, which some commenters consider more robust and less prone to being circumvented. There's also a mention of using a custom DNS setup to block known ad servers.

  Finally, some users share their personal experiences with ad blocking and express frustration with the increasing prevalence of ads on streaming platforms. This sentiment fuels the discussion about the ongoing struggle between users seeking an ad-free experience and platforms relying on advertising revenue.

• Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours

  permalink

  Posted: 2025-03-17 11:06:24

  Verbose tl;dr

  Researchers have demonstrated a method for cracking the Akira ransomware's encryption using sixteen RTX 4090 GPUs. By exploiting a vulnerability in Akira's implementation of the ChaCha20 encryption algorithm, they were able to brute-force the 256-bit encryption key in approximately ten hours. This breakthrough signifies a potential weakness in the ransomware and offers a possible recovery route for victims, though the required hardware is expensive and not readily accessible to most. The attack relies on Akira's flawed use of a 16-byte (128-bit) nonce, effectively reducing the key space and making it susceptible to this brute-force approach.

  A recent report by Tom's Hardware details a significant breakthrough in combating the Akira ransomware, a malicious software that encrypts victims' files and demands payment for their release. Researchers at Sophos, a cybersecurity firm, have discovered a vulnerability in Akira's encryption implementation that allows for the recovery of encrypted data without paying the ransom. This vulnerability stems from Akira's usage of a relatively weak encryption key generation process. While Akira nominally uses a 256-bit encryption key, providing a theoretically immense number of possible combinations, the actual key generation method produces keys significantly weaker than a true 256-bit key would suggest.

  This weakness allows for a brute-force attack, a method of systematically trying all possible keys until the correct one is found, to become a feasible decryption strategy. Sophos researchers leveraged the immense computational power of sixteen Nvidia RTX 4090 GPUs, high-end graphics cards renowned for their parallel processing capabilities, to perform this brute-force attack. Utilizing these GPUs, they were able to successfully crack the Akira encryption and recover the encrypted data in approximately ten hours.

  This timeframe represents a substantial reduction in decryption time compared to traditional methods, and it highlights the potential of utilizing powerful hardware for breaking relatively weak encryption. While ten hours might still be considered a significant duration in some scenarios, it is substantially faster than the potentially weeks or even months required by other methods or the alternative of succumbing to the ransom demands. The discovery of this vulnerability and the successful demonstration of its exploitability offers a glimmer of hope for victims of Akira ransomware attacks, providing a potential pathway to data recovery without financially supporting criminal enterprises. This breakthrough also underscores the importance of robust encryption key generation in ransomware development, and serves as a reminder of the ongoing cat-and-mouse game between cybersecurity professionals and malicious actors. The research by Sophos has significantly weakened the Akira ransomware's effectiveness and could potentially lead to future developments in combating similar threats.

  • ransomware
  • akira
  • Cybersecurity
  • GPU
  • RTX 4090
  • Encryption
  • Decryption
  • brute-force
  • cracking
  • Exploit
  • information security
  • Computer Security
  • Hardware Acceleration
  • Nvidia
  • parallel processing

  Summary of Comments ( 11 )
  https://news.ycombinator.com/item?id=43387188

  Verbose tl;dr

  Hacker News commenters discuss the practicality and implications of using RTX 4090 GPUs to crack Akira ransomware. Some express skepticism about the real-world applicability, pointing out that the specific vulnerability exploited in the article is likely already patched and that criminals will adapt. Others highlight the increasing importance of strong, long passwords given the demonstrated power of brute-force attacks with readily available hardware. The cost-benefit analysis of such attacks is debated, with some suggesting the expense of the hardware may be prohibitive for many victims, while others counter that high-value targets could justify the cost. A few commenters also note the ethical considerations of making such cracking tools publicly available. Finally, some discuss the broader implications for password security and the need for stronger encryption methods in the future.

  The Hacker News post titled "Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours" has generated several comments discussing the implications of using powerful GPUs like the RTX 4090 for cracking encryption.

  Some users express skepticism about the practicality of this approach. One commenter questions the feasibility for average users, pointing out the significant cost of acquiring sixteen RTX 4090 GPUs. They suggest that while technically possible, the financial barrier makes it unlikely for most victims of ransomware. Another user echoes this sentiment, highlighting that the cost would likely exceed the ransom demand in many cases. They also raise the point that this method might only work for a specific vulnerability in Akira and wouldn't be a universal solution for all ransomware.

  Others discuss the broader implications of readily available GPU power. One comment points out the increasing accessibility of powerful hardware and its potential to empower both security researchers and malicious actors. They argue that this development underscores the ongoing "arms race" in cybersecurity, where advancements in technology benefit both sides. Another user suggests that this highlights the importance of robust encryption practices, as the increasing power of GPUs could eventually render weaker encryption methods vulnerable.

  A few comments delve into the technical aspects. One user questions the specific algorithm used by Akira and speculates on its susceptibility to brute-force attacks. Another user mentions the importance of key length and how it affects the time required for cracking, emphasizing that longer keys would significantly increase the difficulty even with powerful GPUs.

  One commenter points out the article's potentially misleading title. They clarify that the GPUs weren't cracking the encryption itself, but rather brute-forcing a password which was then used to decrypt the files. This distinction is important, as it implies a weakness in the implementation rather than the underlying encryption algorithm.

  Finally, a few users offer practical advice. One suggests using strong, unique passwords to protect against this type of attack, emphasizing the importance of basic security hygiene. Another user proposes that the best defense against ransomware remains regular backups, allowing victims to restore their data without paying the ransom.

  Overall, the comments reflect a mix of concerns about the practical implications of using GPUs for cracking ransomware, discussions about the broader cybersecurity landscape, and technical insights into the vulnerabilities highlighted by this specific case.

• Decrypting encrypted files from Akira ransomware using a bunch of GPUs

  permalink

  Posted: 2025-03-14 17:45:33

  Verbose tl;dr

  The blog post details a successful effort to decrypt files encrypted by the Akira ransomware, specifically the Linux/ESXi variant from 2024. The author achieved this by leveraging the power of multiple GPUs to significantly accelerate the brute-force cracking of the encryption key. The post outlines the process, which involved analyzing the ransomware's encryption scheme, identifying a weakness in its key generation (a 15-character password), and then using Hashcat with a custom mask attack on the GPUs to recover the decryption key. This allowed for the successful decryption of the encrypted files, offering a potential solution for victims of this particular Akira variant without paying the ransom.

  The blog post "Decrypting encrypted files from Akira ransomware (Linux/ESXi variant 2024) using a bunch of GPUs" details the author's successful attempt to break the encryption of the Akira ransomware, specifically the variant targeting Linux and ESXi systems that emerged in 2024. This variant employs a combination of AES and RSA encryption, rendering decryption a challenging endeavor. The author meticulously analyzed the ransomware's encryption process, discovering a vulnerability stemming from its implementation of the AES encryption key generation.

  Akira, like many ransomware strains, uses a symmetric encryption algorithm (AES) for encrypting the bulk of the files, ensuring speed. However, this AES key needs to be protected, so it is encrypted using an asymmetric algorithm (RSA) and stored with the encrypted files. The ransomware attackers hold the private RSA key, which is necessary to decrypt the AES key and subsequently the user's files. The author discovered that the Akira variant in question generated the AES encryption keys using predictable methods, deriving them from the current time. This predictable key generation created a limited keyspace, making it feasible to brute-force the AES key using sufficient computing power.

  Recognizing the computationally intensive nature of this brute-force attack, the author leveraged the parallel processing capabilities of GPUs. By implementing a decryption program optimized for GPU execution, they significantly accelerated the key search. The post details the specific GPUs used, emphasizing their hash rate capabilities and the overall speed improvement achieved through GPU acceleration.

  The author describes the iterative process of refining the decryption program and optimizing its performance on the GPUs. This involved testing various configurations and parameters to achieve the highest possible decryption speed. The post further explains the specific steps involved in cracking the encryption, including determining the time window within which the files were encrypted, which narrows down the potential AES keys generated from the timestamp.

  Ultimately, the author successfully decrypted the encrypted files, demonstrating the vulnerability of this particular Akira variant's encryption scheme. The post concludes with a call to action, urging other security researchers to investigate and expose vulnerabilities in ransomware, highlighting the importance of robust key generation practices in safeguarding against such attacks. While the success is tied to this specific variant and its flawed implementation, it serves as a valuable case study in ransomware analysis and the potential of utilizing GPU-accelerated computation for breaking encryption.

  • ransomware
  • akira
  • Decryption
  • GPU
  • Cybersecurity
  • Linux
  • esxi
  • file recovery
  • data recovery
  • Malware
  • information security
  • Encryption
  • parallel processing
  • accelerated computing

  Summary of Comments ( 44 )
  https://news.ycombinator.com/item?id=43365083

  Verbose tl;dr

  Several Hacker News commenters expressed skepticism about the practicality of the decryption method described in the linked article. Some doubted the claimed 30-minute decryption time with eight GPUs, suggesting it would likely take significantly longer, especially given the variance in GPU performance. Others questioned the cost-effectiveness of renting such GPU power, pointing out that it might exceed the ransom demand, particularly for individuals. The overall sentiment leaned towards prevention being a better strategy than relying on this computationally intensive decryption method. A few users also highlighted the importance of regular backups and offline storage as a primary defense against ransomware.

  The Hacker News post titled "Decrypting encrypted files from Akira ransomware using a bunch of GPUs" (linking to tinyhack.com/2025/03/13/...) generated several comments discussing the technical aspects and broader implications of the decryption process.

  Several commenters focused on the brute-force nature of the decryption, highlighting the significant computational resources required, specifically the use of multiple GPUs. They discussed the cost and time involved in such an undertaking, emphasizing that this approach is not a readily available solution for most victims. One commenter pointed out the importance of the relatively short key length (in this specific case) as crucial to the success of the brute-force method. They noted that longer keys would render this approach impractical due to the exponentially increasing computational demands.

  Another commenter questioned the practicality of the solution, suggesting that restoring from backups would be a more efficient approach in most scenarios. This spurred a discussion about the importance of robust backup strategies as a primary defense against ransomware attacks. Others countered that backups are not always foolproof, sometimes being targeted or unavailable, making decryption a viable option in certain situations.

  The conversation also touched upon the ethical implications of publishing decryption tools. One commenter expressed concern that publicly releasing such tools might incentivize ransomware developers to improve their encryption methods, making future attacks more difficult to counter. This sparked a debate about the balance between helping victims and potentially aiding future attackers.

  A few commenters delved into the technical details of the decryption process, discussing the specific algorithms and tools used. They also explored the limitations of the method, emphasizing its dependence on the specific characteristics of the Akira ransomware variant.

  Finally, some commenters expressed appreciation for the author's work, recognizing the effort involved in developing and sharing the decryption tool. They acknowledged the potential benefits for victims, while also acknowledging the complexities and limitations of the approach.

• Learn How to Break AES

  permalink

  Posted: 2025-03-04 17:25:51

  Verbose tl;dr

  The post "Learn How to Break AES" details a hands-on educational tool for exploring vulnerabilities in simplified versions of the AES block cipher. It provides a series of interactive challenges where users can experiment with various attack techniques, like differential and linear cryptanalysis, against weakened AES implementations. By manipulating parameters like the number of rounds and key size, users can observe how these changes affect the cipher's security and practice applying cryptanalytic methods to recover the encryption key. The tool aims to demystify advanced cryptanalysis concepts by providing a visual and interactive learning experience, allowing users to understand the underlying principles of these attacks and the importance of a full-strength AES implementation.

  The blog post, "Learn How to Break AES," by David Wong, presents a comprehensive, interactive tutorial demonstrating various cryptanalytic attacks against simplified versions of the Advanced Encryption Standard (AES). The tutorial is aimed at beginners and intermediate learners interested in practical cryptography, offering a hands-on approach to understanding the vulnerabilities of weakened cipher implementations.

  Wong begins by introducing the core concepts of AES, including its structure as a block cipher, the use of substitution-permutation networks (SPNs), and the different operations within each round: SubBytes (substitution using an S-box), ShiftRows (permutation of bytes within the state), MixColumns (mixing of columns within the state), and AddRoundKey (XORing the state with the round key).

  However, instead of tackling the full AES algorithm immediately, the tutorial uses progressively more complex, reduced-round variants of AES. This pedagogical approach allows learners to grasp the fundamentals of cryptanalysis before confronting the complexity of the full cipher. Each simplified version retains essential AES characteristics, making the learned techniques relevant to understanding the security of the full AES.

  The initial exercises focus on differential cryptanalysis, a powerful technique that exploits the propagation of differences between pairs of plaintexts and their corresponding ciphertexts. Through interactive challenges, users are guided to discover differential characteristics – specific input differences that lead to predictable output differences with a high probability. These characteristics are then leveraged to recover the secret key. The tutorial begins with a 1-round AES variant and progressively increases the number of rounds, illustrating how the complexity of differential cryptanalysis increases with the number of rounds.

  Following differential cryptanalysis, the tutorial delves into linear cryptanalysis. This attack exploits linear approximations of the cipher's operations to deduce information about the key. Similar to the differential cryptanalysis section, interactive exercises guide users through building linear approximations, evaluating their biases, and using these biases to retrieve key bits. Again, simplified AES versions are used to incrementally introduce the concepts and challenges associated with linear cryptanalysis.

  Throughout the tutorial, Wong emphasizes the importance of understanding the mathematical principles underlying each attack. Visualizations and interactive elements help users grasp the complex interactions between the different AES operations and how they contribute to the cipher's security. By breaking down the attacks into manageable steps and providing clear explanations, the tutorial enables learners to develop a practical understanding of cryptanalytic techniques and the strengths and weaknesses of simplified AES versions. While not directly addressing the full AES cipher, the tutorial builds a strong foundation for understanding the principles that contribute to the security of the full algorithm and the challenges involved in attempting to break it.

  • AES
  • Cryptography
  • Cryptanalysis
  • Block Cipher
  • Security
  • Breaking AES
  • Advanced Encryption Standard
  • Cipher
  • Decryption
  • Encryption
  • Computer Security
  • Cybersecurity

  Summary of Comments ( 24 )
  https://news.ycombinator.com/item?id=43257583

  Verbose tl;dr

  HN commenters discuss the practicality and limitations of the "block breaker" attack described in the article. Some express skepticism, pointing out that the attack requires specific circumstances and doesn't represent a practical break of AES. Others highlight the importance of proper key derivation and randomness, reinforcing that the attack exploits weaknesses in implementation rather than the AES algorithm itself. Several comments delve into the technical details, discussing the difference between a chosen-plaintext attack and a known-plaintext attack, as well as the specific conditions under which the attack could be successful. The overall consensus seems to be that while interesting, the "block breaker" is not a significant threat to AES security when implemented correctly. Some appreciate the visualization and explanation provided by the article, finding it helpful for understanding block cipher vulnerabilities in general.

  The Hacker News post "Learn How to Break AES" (linking to an article about breaking weak AES implementations) generated several comments discussing various aspects of AES security and the article's content.

  Several commenters focused on clarifying the nuances of the article's title, emphasizing that the article wasn't about breaking AES itself, but rather exploiting weaknesses in implementations of AES. They pointed out that AES as a cryptographic standard remains strong, and the attacks described targeted specific vulnerabilities in how the algorithm was used, like poor key generation, weak modes of operation, or side-channel attacks. One commenter specifically called out the importance of distinguishing between theoretical and practical attacks, noting that the article's focus was on practically exploitable weaknesses.

  There's discussion about the different types of vulnerabilities exploited, including the use of ECB mode and its inherent insecurity due to leaking information about block patterns. Commenters highlighted how ECB mode should be avoided and recommended safer alternatives like CBC or CTR mode. Related to this, a commenter pointed out the susceptibility of some encryption implementations to padding oracle attacks, where the attacker can deduce information about the plaintext by observing how the system handles padding in encrypted blocks.

  Some comments delve into specific techniques mentioned in the article, such as using known plaintext to break the encryption. One commenter details the process of cribbing, where an attacker with access to both ciphertext and plaintext can potentially recover the key or decrypt other messages.

  Another line of discussion explored the real-world implications of these attacks, with examples like exploiting vulnerabilities in embedded systems or insecure web applications. A commenter highlighted the importance of proper key management and secure random number generation to prevent these types of exploits.

  Finally, a few comments offered additional resources for learning more about cryptography and AES security, including links to books, articles, and tools for analyzing cryptographic implementations.