Sunday, December 4, 2022

Leaving Academic Philosophy: One of My Best Decisions


 

 

 

 

 

 

 

 

 

 

One of the best decisions I've ever made in my life was the decision to leave the academic field of Philosophy at age 23 (after I recieved my Master's at 22 and briefly taught at a California State University). I was smart enough to know the job prospects were abysmal, and humble enough to realize I wasn't some super genius or well-connected person who would beat the odds. And unlike quite a few of my Christian philosopher friends at the time, I was wise enough to know that the idea of going into Philosophy for apologetics reasons was foolish: proving Christianity is true beyond reasonable doubt was and is impossible - there will always be reasonable unbelief; few people read one's philosophy papers anyways; philosophers don't have dibs on critical thinking or truth; and conformist pressure would push one away from Philosophy of Religion into fields that were more "safe" from a career perspective, completely defeating the purpose of sacrificing a high-paying "boring" career to do what one loves (philosophizing on the most important of issues - God). I also knew at the time - even before the worst of the "woke" craze kicked in (e.g., regarding transgender ideology), that there would be conformist pressure to not speak one's mind regarding social issues. In fact, I remember the chairman of the Philosophy department advising me to not discuss abortion in class because irrational people would get emotional and because some of my students would have had abortions. And this was back in 2016!

All this to say that my decision has proven to be a truly wise one. The job market now is virtually impossible to break into, and many of my erstwhile conservative Christian philosopher friends who pursued a PhD are now scared to their boots to even publicly say something as trivially true as that a man can't become a woman and vice versa. Their misguided notions of "conquering philosophy for Christ" met a brick wall called reality, and years in the guild has rendered them dumb cowards (and I use 'dumb' in the proper old sense of the word).

Now, I hardly follow the latest news in the guild anymore, but here's a recent example of how hard it is to get a Philosophy job and why you shouldn't pursue a PhD in Philosophy (completely aside from the groupthink present in the academy): I know someone who I consider a true genius with all the right credentials: quite a few publications in great academic journals, graduated from a top 3 PhD Philosophy program, completed a prestigious postdoc, is highly technical, etc. And guess what? This individual just got hired as a visiting assistant professor - not even a tenure-track professor - at some college I have never even heard of before. That's how bad the market is.

In conclusion, stay away from academic philosophy - stay very far away. You don't need to be a professional philosopher to do great philosophical work. You don't need to be a academician to have a good philosophy of life. Indeed, these days I tend to trust the common man's view of the world and ethics over and above the view of the ivory tower philosophy professor.


Sunday, August 21, 2022

How To Recover the Password for an Encrypted Veracrypt Container

Veracrypt, the successor of Truecrypt, is a free and open-source encryption software. Think of it like Microsoft's Bitlocker -- except it is free and completely open source.[1]

In this blog post, I will briefly show you how to recover the password for a (non-system) Veracrypt container if you still remember a substantial part of it. I've managed to recover my own partially forgotten passwords using the methods I detail below. Essentially, we will be conducting a hybrid attack on the PBKDF2-derived key for the Veracrypt container -- i.e., a hybrid between a dictionary attack and a brute-force attack. The tools that we will make use of are any Linux distribution (Debian, Red Hat, etc.), Python, and Hashcat, a powerful and open-source password cracker.[2]

Let us begin. The first thing to bear in mind is that the first 512 bytes of a Veracrypt container is a header which contains all the necessary ingredients to calculate the key to your container (e.g., the salt). Below is a detailed table of (at least) what is contained in the first 512 bytes.


 

Note that the header is the first 512 bytes only in standard volumes or containers, not in system volumes. In the latter, Veracrypt documentation specifies that the header is the last 512 bytes of the first logical track. This is what the documentation states:

The first 512 bytes of the volume (i.e., the standard volume header) are read into RAM, out of which the first 64 bytes are the salt (see VeraCrypt Volume Format Specification). For system encryption (see the chapter System Encryption), the last 512 bytes of the first logical drive track are read into RAM (the VeraCrypt Boot Loader is stored in the first track of the system drive and/or on the VeraCrypt Rescue Disk).
In any case, we want to extract this derived key-hash and then check to see if it matches any of our computed hashes from a word list. If we get a match, then we will know that we have recovered our password! So the first thing we want to do is to extract these initial 512 bytes. This can be easily done in the Linux command line; just type the following in your terminal:

dd if=[container name] of=[anything] bs=512 count=1



"If" stands for "input file," and "of" stands for "output file." "bs" just means bytesize, and "count" just means how many iterations of the bytes to go through. So the above terminal command will produce the same output as the following:

dd if=[container name] of=[anything] bs=1 count=512



Alternatively, you can just run the following Python code to the same effect (just be sure to change the file names accordingly):

with open("in-file", "rb") as in_file, open("out-file", "wb") as out_file: out_file.write(in_file.read(512))

 

We have now extracted the header from the Veracrypt container. As we shall soon see, Hashcat has an option that will automatically recognize a Veracrypt header and compute the derived key from the information contained therein (e.g., from the salt and key-derivation function used). But first, let's generate the wordlist we will pass to Hashcat.

Now, for the sake of the demonstration here, we'll keep it simple. So let's say that our password that we forgot was ACHILLESheel2385. Furthermore, let's say that we remember ACHILLESheel, and that there was a 1 - 5 digit number at the end. So, taking a step back, it should be clear what we need to do: produce a word list containing every character set that matches the following RegEx pattern:

/ACHILLESheel\d{1,5}/

Thankfully, there's a great Python module that will construct all the strings that match a specified RegEx pattern -- exrex. In your terminal, type the following command (but just make sure that you have the exrex module installed):

python exrex.py 'ACHILLESheel\d{1,5}' -o wordlist

 

This will generate a wordlist of ACHILLESheel{all combinations of five digits} in wordlist.txt of your current working directory. We are now ready to use Hashcat. If you type "hashchat -h" in your terminal you should see that hashcat has a lot of numerical numbers associated with different types of hashing algorithms and software, including Veracrypt. Hashcat basically has preprogrammed binaries that are used to compute the hashes made from a wide variety of algorithims and programs. The numerical value that we are looking for is 13721, as this is Hascut's reference for Veracrypt's default encryption settings. There are other non-default options that Hashcat has, but 13721 is the one we are looking for.



So all the preparation is done: we are now ready to to run hashcat and crack the password! Type in the following command:

hashcat -m 13721 --status out-file wordlist.txt



Note that if you see that the 111110 passwords are taking too long to crack on your system, you can just "cheat" and use a different regex pattern that will drastically decrease the computing time (since this is just an example). For example, you can use /ACHILLESheel23\d{2}/. This will cut the password wordlist down from 111110 to 100! After you run Your output should be something like the following:

So there you have it  -- this is the process for successfully recovering a Veracrypt password that you partially remember! It's important to underscore that the more of your password you remember, the way easier it is to crack it. If you don't have any idea of what your password is, and just remember that it is very long and complex, it's very likely that all the computers in the world wouldn't be able to crack the password for aeons!

----------------------------------------------------------------------------

[1] In general, I believe that FOSS that is widely used is more secure than closed-source software counterparts. This is for the simple reason that FOSS is open-source software and so, if it is quite prominent (like Veracrypt, Signal, DD-WRT, Ansible, Ubuntu, Libre Office, Android, etc.), it should have undergone more security-expert scrutiny than its closed-source counterparts. Indeed, it should be continuously undergoing more scrutiny than its commercial closed-source counterparts. Now, one may argue that the sword cuts both ways here: the open-source nature of FOSS means that there are more malicious developers with access to the code base and actively trying to develop exploits against it. Thus, for example, there is more malware written against (closed-source) Windows operating systems than there is written against (open-source) Linux operating systems. While this is true, I still think that the sword cuts more in the way of security than insecurity here, as I doubt that critical vulnerabilities discovered by an APT open-source software will go undetected by the rest of the world's security experts for much longer than similar bvulnerabilities in closed-source software. The latter are simply lack boxes. There's no way for the world's security community to tell whether such software is safe and free of backdoors. So my view is that when it comes to security, FOSS is king. And I believe most infosec experts would agree. 

[2] We could also use Crunch, a program that generates password wordlists based on user-defined parameters. But if one knows RegEx it should be easier to use the Python module exrex to generate wordlists based on specified RegEx patterns. One can use a tool like RegExPal to check if one's desired output text(s) matches one's RegEx pattern.