Última atualização: 12/Feb/2014 RSS


Porquê não desabilitar as Credential Providers padrão do Windows 7

Oi pessoal,

Ontem precisei escrever uma recomendacão sobre os riscos de se desabilitar as Credential Providers no Windows 7 e como funciona esse processo no Windows 8.

Se alguém tiver interesse, o doc é público: [http://tix11.com/downloads/recomendacao-cp-win7-8.pdf]





Reverse engineering my bank's security token

Opps I did it again!

This document, was written by Thiago Valverde and was initially published at [http://blog.valverde.me/2014/01/03/reverse-engineering-my-bank's-security-token/] but for some "unknown" reason it disappeared from there...

The point is, the work/demonstration done by Thiago was truly a very good/amazing work of Reverse engineering and also it offers a service to the community, so it must be free and available.

[http://dcon.com.br/jd.comment/Reverse_Engineering_My_Banks_Security_Token.pdf] (Thx Ygor and Robertux for the pdf)

More details can be found here [https://showyou.com/v/y-k87vSrfhof4/bank-token-implemented-with-an-arduinoclone-ti-stellaris?t=Security%20token&via_user=vegbrasil]




YAPEA - Yet Another Picture Encryption Application


O que é:

Uma aplicação simples, para Android que permite a encriptação de imagens. Esta aplicação é gratuita e de código-fonte aberto (GPL v2). Esta aplicação foi desenvolvida no laboratório de P&D da empresa TIX11.

Pré-requisitos de funcionamento:

Smartphone Android versão maior ou igual 4.0.

O que significa YAPEA?

É um acrônimo das seguintes palavras da língua inglesa: Yet Another Picture Encryption Application. A tradução para a língua portuguesa é: Mais uma Aplicação de Encriptação de Imagens.

Como é feita a encriptação de imagens na Yapea?

Através de criptografia simétrica, nos algoritmos AES (CBC/PKCS5Padding) ou Blowfish (CFB/NoPadding). Os vetores de inicialização são gerados através da coleta de dados únicos do smartphone.

Qual é o tipo de chave criptográfica?

A chave é de 256 bits, derivada de uma senha criada pelo usuário. A derivação é feita por PBKDF2, e o salt para derivação é gerado através da coleta de dados únicos do smartphone. A chave criptográfica é armazenada em arquivo de configuração, para ser verificada na primeira utilização do aplicativo, quando o smartphone é ligado. Uma vez, verificada a chave, a mesma é encriptada e armazenada em memória, porém a qualquer momento, o usuário pode escolher apagar o cache de memória que contém a chave.

Características gerais:

- Resetar a aplicação: O usuário pode a qualquer momento apagar todos os dados da aplicação, inclusive os arquivos de configuração.
- Pânico: O usuário pode configurar uma senha de pânico, para que quando digitada, a mesma apague todas as imagens encriptadas armazenadas.
- Linguagens: A aplicação está traduzida para as línguas portuguesa e inglesa.

Capturas de Tela:




Código Fonte:

O repositório com o código fonte de aplicação é: http://github.com/damico/yapea


José Ricardo de Oliveira Damico - damico at tix11 dot com




SemParar - Hack Básico

A quem possa interessar:

From semparar-hack

From semparar-hack

From semparar-hack

From semparar-hack

Como essa falha poderia ser resolvida? Com um microcontrolador SMD, no conector que fica no carro. Nesse microcontrolador, poderia haver uma chave de funcionamento com o resto do circuito. Além disso na película adesiva, deveria haver um circuito foto-sensível que indicasse ao microcontrolador a presenca do aparelho em uma superfíce exposta ao calor. Nesse caso mesmo que o aparelho fosse efetivamente utilizado durante à noite, haveria uma coleta de dados da superfície onde o aparelho estivesse afixado. Num país como o Brasil, seria natural a deteccão de uma média confiável de que um aparelho como esse em um carro comum, fica exposto ao sol durante um certo período. (30.12.2013)



Militarization of the information: The embarrassment David Miranda

The embarrassment suffered by David Miranda in England, by the fact of being connected to the journalist Glenn Greenwald which is linked to Edward Snowden, is an unacceptable and unjustifiable act that demonstrates a tyrannical and dictatorial behavior. No argument of "protection against terrorism" gives the right to break the human rights of innocent citizens. More than that, anti-terrorism actions can not function as a full authorization for copying digital artifacts from people who are considered/proven free by their nations.

O constrangimento sofrido por David Miranda na Inglaterra, pelo fato de estar ligado ao jornalista Glenn Greenwald e este estar ligado a Edward Snowden, é inaceitável, injustificável e demonstra um ato tirânico e ditatorial. Nenhum argumento de proteção contra o terrorismo dá o direito de quebra dos direitos humanos de cidadãos inocentes. Mais do que isso, ações anti-terrorismo não podem funcionar como uma authorizacão completa para a cópia de artefatos digitais de pessoas atestadamente consideradas livres e honestas por suas nações.




Raspberry Pi as a Temperature Engine


Hi guys, As my first project using Raspberry Pi, I have decided to build an autonomous system that keeps measuring the temperature of a location and sends that data to an internet address using a wireless connection.

After some days dealing with 1-wire DS18B20 sensor I’ve finished a fully working prototype.
All steps of the construction can be seen in the README file of the source-code (which is open) at Github (https://github.com/damico/j-rpi-therm-d).

Also I wrote a small html page where the data collected can be seen in charts:




Palestra no FISL 13: Como implementar autenticação e segurança de 2º Fator com Software Livre

Oi pessoal, abaixo está o pdf da palestra que ministrei no último FISL (13).



Open-Source PSKC file Builder

This is a “Portable Symmetric Key Container” (PSKC) XML Builder written in Java

A really basic implementation of RFC6030 ( [http://tools.ietf.org/html/rfc60308] ).

The idea is to build a small application that generates PSKC xml file based on a txt file with only token serial numbers and its seeds in a HEX string.

The source code can be found @ [https://github.com/damico/PskcBuilder]




Arduino OATH Token

From arduino-oath-token

This is a basic Open-Source implementation of a TOTP (compliant with OATH http://www.openauthentication.org/) code in Arduino.

Basicaly it generates 6 digits OTP based in a EPOCH time stored in a variable called birthTime There is no time drift. The OTP is updated each 30 or 60 seconds.

For HMAC-SHA1 hash this implementation uses the code from Cathedrow / Cryptosuite (https://github.com/Cathedrow/Cryptosuite). However a small change was added to sha1.h and sha1.c: The method size_t Sha1Class::writebytes(const uint8_t* data, int length)

For debug purposes the main important functions are printed to serial output. The entire source-code can be found @ https://github.com/damico/ARDUINO-OATH-TOKEN

This small project was built in order to explain how to implement a OATH token with only open-source tools. Also, this project will be presented at International Free Software Forum (FISL13 http://softwarelivre.org/fisl13/about-the-event)

Also there are two small videos about this project:




XTAL Tester

xtal tester circuit by jdamico

Some days ago I was trying to test a XTAL of 11Mhz with a friend of mine at my home lab. When the xtal was placed in a complete circuit we just attached the scope proof points and we are were able to see the correct measurement at screen of scope. But when the xtal was apart of a circuit we did not find a way to test it. We had two objectives: A fast way to test a xtal to see if it is working or not; A way to measure the exact frequency of it;

To acomplish this task, I've searched over the web for xtal test circuits. Then I found one published by Tony van Roon (VA3AVR) in his very useful/cool site.

How it works:

Transistor Q01, a NPN 2N3904, and its associated components form an oscillator circuit that will oscillate if, and only if, a good crystal is connected to the test clips. The output from the oscillator is then rectified by the 1N4148 signal diode and filtered by C03, a 100pF capacitor. The positive voltage developed across the capacitor is applied to the base of Q02, another 2N3904, causing it to conduct. When that happens, current flows through Led01, causing it to glow. Since only a good crystal will oscillate, a glowing LED indicates that the crystal is indeed OK.

The circuit works very well with 6 - 8Mhz crystals, but for higher frequency crystals (11Mhz) the LED glows very weak. For that reason I've added a 1k potentiometer to enable the adjust of LED's resistance.

In order to test this circuit with oscilloscope, just use the proof points in the where the crystal is connected (see the images bellow).

I've drawn the circuit with gEDA (xtal-tester-jdamico.sch)

xtal tester circuit by jdamico

Here are some images of the building process:

xtal tester circuit by jdamico

xtal tester circuit by jdamico

xtal tester circuit by jdamico

xtal tester circuit by jdamico

xtal tester circuit by jdamico





“Centro de Defesa Cibernética do Exército” in portuguese, which means Center of Cybernetic Defense of Army. It is a Brazilian army initiative (inspired in other cyber-defense agencies from other countries) with some important functions:

- Research in IT Security
- Defense through information systems
- Eventual counter-attacks

Some key arguments (learned from outside experiences) for creation of CDCiber were:

- 9/11 (Several documents stolen from industries and government, which were used to plan the terrorist act.)
- Chinese and Russian cyber attacks against other countries
- Stuxnet: Domain-driven malwares
- Wikileaks: The amount of confidential documents from government leaked and exposed in Wikileaks, reveled a weakness in the efforts to protect sensitive data.
- Brazil growth: More exposure of brazilian market, natural resources as well as some important companies as Petrobras and Compania Vale do Rio Doce, among others.
- Coordinated attacks from LulzSec and Anonymous

Differential* aspects over other/common defense centers:

Ability to find in market, professionals/consultants which required skills to work in the center
Low cost of infrastructure, when compared with common defense centers

*The same differential aspects are used to companies and criminals to build its own defense centers. Therefore these aspects are also a strong argument to build de CDCiber. (23.03.2012)



Playing around with my own Operating System in asm: DamIX

Hi guys,

I would like to share with you my first results writing my own Operating System in ASM.

my own os

DamIX, is a 16bit OS, runs in a floppy disk, in a 64KB segment and a FAT12 fs.


Comment!View Comments


XOR Symmetry

Hi all,

Studying the basics of cryptography using XOR I've decided to to design some XOR graphical representation, as several that we can find in the Web (http://en.wikipedia.org/wiki/Xor). The result can be seen bellow. It is very interesting to see the symmetry of result.

graphic xor

Also the source code is available at: http://damico.github.com/XorGraphicSymmetry/

See you.




Parceria entre Intel e InfoSERVER S/A traz recursos de segurança embarcados no processador

Através da criação do "Identity Protection Technology", IPT, a Intel passa a oferecer em seus processadores i3, i5 e i7 (2a. geração) e posteriormente nos Ultrabooks uma série de recursos de segurança. Tais recursos estão embarcados em uma área do processador chamada de Management Engine (ME). Essa área pode ser acessível através do bus PCI por meio de um Firmware embarcado na BIOS e um driver. Dessa forma diversos algoritimos de gerenciamento de senhas, proteção de identidade e autenticação de transações, que normalmente são feitos via software dependentes do sistema operacional, podem agora ser transferidos para para execução interna no ME dentro do processador e assim garantir a inviolabilidade desses algoritmos. Além disso somente algoritmos assinados por certificados reconhecidos pela Intel poderão rodar nessa área do processador.

Para que os usuários comuns possam se beneficiar dessa tecnologia em acesso a bancos, lojas eletrônicas, redes sociais, etc, essas empressas precisarão que seus sistemas de segurança e autenticação sejam atualizados para funcionar nesse novo padrão. Para isso a Intel estabeleceu parceria com a InfoSERVER S/A para o desenvolvimento de soluções que permitam a integração do mercado.

Para maiores informações:





How to trace WebServices conversation with Wireshark

Create a filter like this:

ip.addr== && ip.addr== and http and xml

It will trace all http/xml conversation between and both as src and destination.

See you!




Java NIO PDF Documents, Presentations and Books references

A friend of mine asked me for Java NIO PDF Documents, Presentations and Books references.

Here is what I have:

- Advanced JavaTM NIO Technology-Based Applications Using the Grizzly Framework
- A Programmer’s Tutorial on Event-Driven Programming, Asynchronous Input/Output, and the Bamboo DHT
- A Study of Java Networking Performance on a Linux Cluster
- Getting started with NIO
- How to Build a Scalable Multiplexed Server With NIO Mark II
- Improving Java Network Programming
- Introduction to NIO: New I/O
- Java NIO
- JAVA NIO FRAMEWORK Introducing a high-performance I/O framework for Java
- Multiple Client Server and Java New-IO (nio) classes
- New I/O in JDK 7
- Scalable IO in Java
- Using the new Java I/O interface in parallel computing

All files are inside this compressed file: [http://dcon.com.br/jd.comment/java-nio-docs.7z]

See you...

(21.10.2011) http://dcon.com.br/jd.comment/java-nio-docs.7z



Presentation Control usign ez430 Chronos Clock in Linux

Hi all,

This is a small implementation of OpenOffice/LibreOffice Impress remote control by Texas Instruments ez430 Chronos Clock in Linux environment.

It was written in Python and also uses xdotool. All steps were commented.


Feel free to use, distribute and modify.

Best Regards,

(05.10.2011) http://dcon.com.br/jd.comment/chronosImpressControl.txt



SQL1084C Shared memory segments cannot be allocated. SQLSTATE=5

The situation:

db2 => connect to dbname
SQL1084C Shared memory segments cannot be allocated. SQLSTATE=5

In Linux, increase the number of following kernel parameters:

kernel.shmmax=15099494000 #Almost the total of RAM Memory, in this case 16GB
kernel.shmall=8099494000 #Half of total of RAM Memory

These parameter must be set at: /etc/sysctl.conf file.

To test if the parameters were accepted issue the command:

#sysctl -p

The response should be something like this:

kernel.sem = 1024
kernel.msgmni = 1024
kernel.shmmax = 15099494000
kernel.shmall = 8099494000

See you!




Why / Why not move/switch to GIT?

Some urls to clarify your decision:





Exemplo de Lambda Expression Tree em C# (C sharp)

Conforme solicitado pelos alunos, segue o link com o exemplo do Exemplo de Lambda Expression Tree em C# (C sharp)




Ver todas as publicações

powered by: DCON Tecnologia da Informação Ltda.