As you say, the first few test numbers correspond just to simple divisor checks:-
Prime 3 paired with check number 6 (binary 110). So 1 << (n % 3) will only ever be 'safe' if n % 3 == 0, which is 'super bad' as you put it.
(2^3)-2 = 6
(2^5)-2 = 30 so this is a similar division check
(2^7)-2 = 126 ditto
I think these are just here as distractions as it starts to sometimes do different things at p=11
11 is paired with check number 1026, which is (2^10)+2 not (2^11)-2). So under what conditions does:-
( 1 << (n % 11) ) & 1026 != 0
Given 1026 only has two bits set (1024 and 2) it's a rather specific test for (n%11) = 1 or 10. All other residues would be safe.
Don't have time to investigate further for the other primes and check numbers but I can only think of some kind of p-1 or p+1 smoothness they can detect this way.
> Also, I'm having a bit of a hard time understanding the attack.
He forces them to connect to his own AP and forwards all traffic to the destination so that the client is unaware it has been redirected.
He then forces the client to re-install the key which (on anything that is derived from wpa_supplicant e.g. Linux, Android, etc) the client has blanked out after first use, so the key it reinstalls is now all zero bytes.
He can continue to forward the traffic to the destination so that the client gets responses, but now he can decrypt all of the traffic too.
For clients that re-install the correct key (which the account does not recover in any way) the attacker has to rely on snooping enough encrypted data in order to perform a birthday attack as the key re-installation also resets the frame counters which leads to nonce-reuse which is a problem in ciphers like AES-GCM.
> The client is forcibly disconnected from the WiFi network and reconnects to the attackers network instead.
The client is tricked into moving to what it thinks is the same WiFI network running on a different channel, but is actually the attackers network instead.
> The attacker doesn't need to know the WPA2 password but it accepts the connection setting the encryption to zeros.
The attacked doesn't need to know the WPA2 password and (for Android and Linux clients) the client then defaults to an encryption key of all zero bytes.
> The client thinks it is connected to the original wifi network and continues as normal.
Yes.
> Wifi traffic is intercepted and unencrypted.
Wifi traffic is intercepted and can be decrypted (since the encryption key - all zero bytes - is now known).
Except the attack doesn't get you access to their wireless network. It allows you to redirect someone from their wireless network to your own (spoofed) wireless network and then you can snoop the traffic.
Depends, for a first time buying couple it's a 10% deposit (plus £45k for stamp duty) and then a combined salary of £225k (assuming 4x multiplier on combined income). Sure ~£110k/year is firmly in the top quartile of dev salaries, but not out of the question.
More than likely a couple who are already earning ~£70k/year each probably already have some equity in a current home, so a £1m home might not be much of a step up for them.
I probably will too (currently on an iPhone 5) given that my current strategy is to replace my phone every 2 years by buying a refurbished model with 12 month warranty for ~£150 from eBay. I usually get ~£50 or so for each old phone so the physical phone only costs me £4 a month.
4GB data (4G), unlimited texts and unlimited minutes for ~£20 a month here in the UK. Was always amazed at the price of plans in the US, luckily I never had to pay my own bill when I lived there.
Domestic flights within the UK don't require passports (although the airlines may require some form of ID to be presented in order to get boarding passes).
> Personally though, I love the taste and enjoy the experience of "waking up" with a cup of coffee over the course of the first 20 minutes of the day.
Yep, which is why I switched to decaf. Still the same taste (there are ok decaf coffees out there) but none of the bad effects of excessive caffeine.
(Most decaf still has ~10% of the caffeine of regular coffee, but even with 4 or 5 cups of decaf a day it's not enough for dependency; I get no withdrawal symptoms if I stop for any length of time).
I still drink the odd normal coffee (if someone/somewhere doesn't have decaf) but a maximum of one a day otherwise it will affect my sleep that night; it also gives me a proper coffee buzz for the short period after drinking it.
> I'll drink my 3-4 cups of black filtered coffee a day with a good conscience.
Sounds similar to what I used to drink. I now drink similar amounts of decaf black coffee a day and sleep a whole lot better. This is partly why I quit and definitely why I won't go back to regularly drinking normal coffee (it's been 6 years or so).
(Yes, I know decaf still contains ~10% of the caffeine of normal coffee, this just means I'm down to the equivalent of half a cup of coffee a day, which is below dependency levels as I get no withdrawal effects if I stop this for a few days.)
> We also have to port our own servers to another service, and fast.
Once you've done that you should look at what other services you rely significantly upon and see about mitigating the risk there by having an alternative ready to go (or even sharing the load).
At a previous startup we realised we relied wholly upon Mandrill and so reimplemented the sending code so that half of the emails went out via Mandrill and the other half by SendGrid. A stunt like the above just requires a quick reconfigure to make all emails go via the alternative provider whilst we (with less panic) add another new alternative provider to share the load. It also helps build up a positive reputation before cutting over straight away.
(This wasn't about splitting the emails amongst free tiers to keep it free, we were far away from moving up to a paid tier even with all emails going through one provider.)
Hopefully he will also slowly eradicate the existing unethical behaviour.