Monday 18 April 2022

NULLCON 12, Berlin, April 2022

Here's the badge that I designed for the NULLCON 2022 Berlin security conference (and highly recommended training!). 

The NULLCON 2022 badge...

There are three, and arguably four, puzzles hidden in the badge, plus a hint, as you will see, to a very different text obfuscation technique that looks like strong crypto, but has a very light CPU overhead. That's quite a bargain for something that most people will dismiss as a silly bit of graphics on the back of a piece of thick cardboard.

Let's start by looking at the grid of characters in the centre section, by rotating it by 90 degrees:

Not a word-search grid...

At first glance, this looks like it might be a word-search grid, and so you might go along the rows and columns, looking for words...

And you will get 'NULL', '2022' and 'FOR', which isn't very helpful. But you do also get some incomplete words: 'BERLI' and 'SECUR', which look like they might be 'Berlin' and 'Security' - but the other required letters are in different rows or columns... Also, the 'N' at the beginning of 'NULL' was bigger...

Underneath the grid of characters, there is the NULLCON logo, although it has a few additions:

A slightly modified NULLCON logo...

The logo starts from a circular blob, along a path indicated by an arrow, and ends up at an exclamation mark, where the dot of the symbol is the end of the path.

Imagine that the NULLCON logo is a map, where the path that is indicated is the path that you must follow on the map. Also imagine that the character grid is the map... 

It seems that the circular blob at the start coincides with the big 'N' at the start of 'NULL', so what happens if you trace along the path? To make it easier to see, the next image colours all the off-path characters in light blue:

The character grid and the NULLCON logo path...

Starting at the 'N' blob, it now reads 'NULLCON2022BERLINGE' as you trace along the path. It is easier to see this if the background is also light blue:

Blue on blue...

Looking at the logo, the diagonal line across the zero (or zed, or zee - it depends how you look at it!) is at quite a shallow angle, so maybe the path doesn't always step to an adjacent character? Aha! From the 'G', you should be able to find an 'E', then an 'R', then an 'A', and finally an 'N' - and, turning round again, a 'Y' on the right. So the path now reads:

NULLCON2022BERLINGERMANY

Which can be split up into:

NULLCON 2022 Berlin Germany

Because, as you should know, cryptographers always:

USECAPITALLETTERSDONTUSEPUNCTUATIONANDDONTUSESPACES

If we carry on along the path, then we get the name and part of a phrase from the NULLCON 2022 web-site (I have added capital letters and punctuation where appropriate...):

NULLCON 2022, Berlin, Germany. A unique platform for security showcasing!!

The two exclamation marks were added by me, of course!

And that's the first part of the answer to the badge puzzle...

---

At the very top of the badge is some strange text:


It looks like it is maybe upside down, or rotated? But no matter what you do with rotations or mirroring, it just doesn't turn into anything readable... But do you notice anything about the NULLCON logo - does it have rotational symmetry? Could this be a clue?

Let's rotate it by 180 degrees and put the two versions one above the other:


You might be able to see that now, the lambda has become a 'y', that weird rounded 'w' has become an 'm', and the rotated 'e' has become an 'e'. 

If you alternate letters from left to right, then the letters which are the right way up are these:

p z l b a t n u s

 and the other alternate letters are rotated by 180 degrees:

u z e y m r i r s

And if you put these letters together, you get:

puzzle by martin russ

Basically, your eyes are quite happy with rotations and mirroring if they affect the whole of the text, but if you do it on individual characters, then your brain stops being able to read it without a lot of concentration.

You can use a variant of this technique to obfuscate text so that a simple dictionary-based scanner does not find the plain-text strings that you have left in a program. Just add 1 (or any other number - this is the 'key') to alternate letters (so A becomes B, Z wraps round to A, and so on) and you have something that no longer looks like text:

PVZALFBZMBRUIORVST

This defeats a naive letter-frequency count taken over the whole string, and at a glance it looks like strong crypto - except that the 'key' is a single (or double) digit number and there is no real crypto in it at all. Just obfuscation! Two caveats for anyone tempted to rely on it: the letters at the untouched positions are still plaintext, and the letters at the shifted positions are a plain Caesar cipher, so splitting the string into odd and even positions and running a frequency count on each half recovers the key in moments. And because a shift just permutes the alphabet, the entropy stays below the 4.7 bits per character that upper-case letters can ever reach - nowhere near the 8 bits per byte of real key material - so don't expect an entropy scanner such as binwalk to mistake it for a key. It is camouflage against casual inspection, nothing more.

There are various things you can do to this to make it even more obscured. Replacing spaces with '=' makes it look like broken Base-64 URL encoding, for example. Another wrinkle is to rotate through QUJZ?!=+ and use those as spaces, and now it looks like very broken Base-64 URL encoding! I'm sure you can figure out a neater variation, and then a fast encode/decode routine (the more obtuse the code, the better - my personal preference is to make it look like an AES routine, because people will then automatically assume that it is AES, and not delve any deeper...).

<sound of frustrated cryptographer scouring the code, desperately looking for the key transfer mechanism (that isn't there!) so they can decode the above text....>

This text obfuscation trick alone is probably worth the time you have spent reading this!
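Here is the alternate-letter shift in code, together with the attack that shows why it is only camouflage. This is an added example written for this page, not code from the badge or from the original post; it assumes upper-case A-Z text with no spaces, leaves any other character (such as the digits in 'NULLCON2022') untouched, and the sample plaintext and the English letter-frequency table are constructed for the demonstration:

```python
"""Alternate-letter shift obfuscation (the badge trick, in code) and why it is
not crypto: the shifted half of the text is a plain Caesar cipher."""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate letter frequencies (%) of English text, used to score candidate keys.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}

# Constructed sample plaintext in the 'capitals, no spaces' style used on the badge.
SAMPLE_PLAINTEXT = (
    "USECAPITALLETTERSDONTUSEPUNCTUATIONANDDONTUSESPACES"
    "NULLCONBERLINGERMANYAUNIQUEPLATFORMFORSECURITYSHOWCASING"
    "THISLOOKSLIKESTRONGCRYPTOBUTTHEKEYISASINGLEDIGIT"
    "ANDTHEREISNOORDINARYCRYPTOJUSTOBFUSCATION"
)


def shift_alternate(text: str, key: int) -> str:
    """Shift every second upper-case letter of `text` by `key` places (mod 26).

    Index 0 is left alone, index 1 is shifted, and so on, which reproduces the
    PUZZLEBYMARTINRUSS -> PVZALFBZMBRUIORVST example (note ZZ -> ZA: the shift
    wraps round). Characters outside A-Z are passed through unchanged; that is
    an assumption here, the badge text only describes letters.
    """
    out = []
    for i, ch in enumerate(text):
        if i % 2 == 1 and ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def obfuscate(plain: str, key: int = 1) -> str:
    return shift_alternate(plain, key)


def deobfuscate(obf: str, key: int = 1) -> str:
    # Python's % keeps the result in 0..25 even for a negative shift.
    return shift_alternate(obf, -key)


def chi_square(letters: list) -> float:
    """How far the letter counts are from English; smaller is more English-like."""
    total = len(letters)
    counts = Counter(letters)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100.0
        score += (counts.get(letter, 0) - expected) ** 2 / expected
    return score


def crack(obf: str) -> int:
    """Recover the key from the obfuscated text alone.

    Only the odd-indexed letters were touched, and each of them was shifted by
    the same amount, so that half of the text is a 26-key Caesar cipher: try all
    26 un-shifts and keep the one whose letter distribution looks most English.
    """
    shifted = [ch for i, ch in enumerate(obf) if i % 2 == 1 and ch in ALPHABET]
    best_key, best_score = 0, float("inf")
    for key in range(26):
        candidate = [ALPHABET[(ALPHABET.index(ch) - key) % 26] for ch in shifted]
        score = chi_square(candidate)
        if score < best_score:
            best_key, best_score = key, score
    return best_key


if __name__ == "__main__":
    obf = obfuscate(SAMPLE_PLAINTEXT, key=7)
    print(obf)
    found = crack(obf)
    print("recovered key:", found)
    print(deobfuscate(obf, found))
```

The `crack` routine needs no key-transfer mechanism and no knowledge of the 'AES-looking' wrapper: a hundred or so letters of ciphertext is plenty for the frequency test to pick the right shift, which is the practical measure of how little this buys you.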

---

The other badge puzzle is simpler, but because it is in two parts, it is harder to spot. Plus, it is so simple that most people will dismiss it as being trivial.

At the top, there is another NULLCON logo and another character grid, and then another bit of graphic at the bottom:

The other puzzle is in two parts...

Note also that the bottom of the badge contains the first 24 characters of the answer to the first 'path map' puzzle, just to make it easier to solve that one!

The top part of this is exactly what it looks like, another path map. This time, by tracing out the logo's path (not the edges!), you get 'GOA' 11 times, followed by 'BER' (Don't forget the turn upwards to get the 'R'!). It turns out that there have been eleven NULLCONs held in Goa, and this is the twelfth NULLCON - the first held in Berlin, Germany. 

The end of the path is a '*' (with 5 ends, not six... which isn't significant), and this leads to the bottom part of the puzzle, where the star points to a 3x9 matrix of dots, some of which are filled in, and some of which are empty. There are two clues to what to do here. The first is the 'puzzle by martin russ' text at the top of the badge - you have to rotate alternate characters by 180 degrees to be able to read all the characters. So rotate the badge 180 degrees (remember that the NULLCON logo has 180 degree rotational symmetry), and look at the 3x9 matrix - it spells: 'LIN'. The second clue is in the name text right at the bottom of the badge - it says: 'NULLCON 2022 Berlin Germany' (as you probably well know by now!). But look at the positioning of the 'Ber' text in the name, and the 'LIN' spelled out in the 3x9 matrix - do you see an alignment?

Yep, the size of the matrix and the arrow are set so that the 'Ber' and the 'Lin' line up (you go up from the 'r' and you hit the 'L', and then go across backwards) as an extra clue! (Plus the rotation aligns the logo again!) I did think about using the '|' vertical character instead of the lower case 'L', but decided that this made it too obvious...

So the 'puzzle by...' text, and the name text at the bottom of the badge are not accidental, and the size of the matrix and the arrow are connected to them. On a larger scale, this would be called a meta-puzzle...

The second puzzle is thus a reminder of the history of NULLCON: 11 in Goa, and one in Berlin, Germany.

So here's a photo of one of the winning entries:


What I like about this is the way that an image of the badge itself has been annotated as the answer!

---


If you find my writing helpful, informative or entertaining, then please consider visiting this link (only one store for all my blogs!):

Synthesizerwriter's Store (New 'Modular thinking' designs now available!)

Buy me a coffee (Encourage me to write more posts like this one!)... or...

Buy Me a Coffee at ko-fi.com (Encourage me via a different route entirely...)

Or just tell someone else that there's this amazing blog about security


Thursday 24 March 2022

The ongoing uncertainty in the-world-at-large (just choose your area of concern...) is probably going to increase the risk of cyber attacks, so what can you do to reduce your risks of being affected?

Photo by olieman.eth on Unsplash

Here are 5 practical things to do. 1-4 apply to individuals or corporates, 5 is probably developers only...

1. This is a good time to check your backup processes. Many people just make backups and never check that they can do a restore successfully. Get an old computer and try to restore some files to it. You would be surprised at how many people find problems with their backup process just by trying to do a restore. 

2. Spear-phishing and phishing attacks, via email, texts and other messaging services, can give bad guys a foot-hold into breaching your systems. Make sure that everyone in your family, group or company knows not to click on links in emails, texts or messages. It doesn’t matter how important the sender is, or how urgent it sounds, or how great the offer is, don’t fall for it - don’t click on links!

3. If you have been putting off 2FA or MFA, then now is a good time to implement it. Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) are very good ways of making it much harder for someone to get into your accounts with a stolen or guessed password. They take a few minutes to add, and make you much more secure against attack.

4. The tension in the world is a good opportunity to get people to change to a Password Manager, and to implement stronger, longer passwords - and a different one for every service. Yep - different for everything!

5. For developers, the news of the Anonymous hacking of Russian IT systems has probably led to an increased interest in cyber security. Visit https://owasp.org/www-project-top-ten/ as your first step towards making your code more secure. Visit https://owasp.org/www-project-juice-shop/ to start learning about how to make your web-apps more secure.   

And a word from me as one of the leaders of the Suffolk Chapter of OWASP:

The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences. The Suffolk Chapter has lots of videos on a wide range of cyber security topics: https://owasp.org/www-chapter-suffolk/  and we also do live demos of pen testing software, as well as live discussion on many security topics...

---


Saturday 13 November 2021

Obfuscation for puzzles...

Obfuscation, the art of hiding things in plain sight, is a key part of designing puzzles. Here's one useful example that is much more complex than it might at first appear to be...

Photo by Vishnu Mohanan on Unsplash

Seven Segment Displays

In the 21st Century, LCDs, OLEDs and all sorts of other sophisticated display technologies make it increasingly easy to provide alphanumeric (or beyond) indications to users. But some older display technologies still get used, for any number of reasons - from nostalgia to retro-design to simply saving space to pure perversity, and more.

One such display (nostalgia, not perversity) is the 'Seven Segment' display: seven LEDs arranged in a figure of '8' shape, which can display all of the numbers from 0 to 9 by turning on some of the LEDs, or all of them for an '8'. The number '8' is a special number in some cultures, and in electronics, displaying the number '8' causes the highest current consumption in a seven segment display, because every segment is lit!

But seven segment displays can also display more than just the numbers - and this ignores the decimal point or full stop or period LED that is sometimes available to the left or right of the seven LED segments. With a little imagination, the '5' could be a capital (upper case) 'S', the '0' could be a capital 'O', and so on. Requiring more stretching of the imagination, the '9' might be a raised 'g', the '2' might be a capital 'Z'... Just by using those seven segments as raw source material, then many other letters can be produced: capital letters like 'U' and 'P' and 'C', for example. Lower case letters like 't' and 'o' and 'b' and 'd' are okay, but some letters are more challenging. A capital 'Y' can be produced by turning off the top LED in a curly '9', for example. 

But some letters are just plain difficult to produce on a seven segment display. Examples include: M, m, W, w, X, x, e, Q, q, etc. This doesn't mean that they can't be 'expressed' on the display, it means that their appearance might not be immediately obvious. At which point, we have obfuscation.

Seven Segment Font

Preparing puzzles for online use, or the CAD files to enable conference badges or other physical objects, often requires a TrueType font (almost 'de facto' for many typographical purposes nowadays). But fonts based on seven segment displays aren't all that common...

So here's one based on the coding used on the Synthstrom Audible 'Deluge' groovebox, an amazing piece of musical technology that is part sequencer, part synthesizer, part drum machine, part sampler, part DAW and part effects unit, plus a few other parts. For its display, it uses just four seven segment LEDs, plus a few other LEDs underneath buttons, as part of the user interface, with the seven segment displays used for text and numbers (which scroll across - thus increasing the effective width to arguably 'more than 4' characters). The Deluge also comes from New Zealand, which is sort of a link with the 'Kiki' in the picture at the start of this blog post!

From: https://github.com/weavermedia/deluge-led-font?fbclid=IwAR0dNTx0U0GPTNHxYrVkdm3UUlq4PMhSv-pJ7M8vC2LipziNfalnWS7d7mQ

As you can see, some of the problematic letters, like lower case 'a' and 'e' have just been turned into their upper case, capital alternative. But the 'M', 'W', 'K' and 'X' are very distinctive, because the lower and upper case are the same, but they are also difficult to read at first glance. Oooh! Obfuscation. 

Even more interestingly, some of the upper case (capital) letters are deliberately turned into lower case, even when an upper case exists. 'o' is an example - it is used for the upper case (capital) and lower case, even though a zero '0' could be used, although that might be confusing in some circumstances... Conversely, some are left as upper case, even when a lower case alternative exists: 'c' and 'u', and maybe 'j'.

But for puzzles, then a font like this is an almost perfect way of providing a mixture of familiarity and unfamiliarity, all at the same time. Careful choice of words enables clues and hints to be given in varying degrees of obscurity: 'CLUE' for example, is easy to read in the font, whilst 'MIX' is much harder at first glance.  

Yes, there are other 'seven segment' fonts, but this one has an electronic music connection, and is pretty distinctive, so it has huge appeal to me for use in puzzles. Curiously, some of the alternatives cheat by using more than seven segments!
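To make the 'familiar and unfamiliar at the same time' point concrete, here is a seven-segment glyph table as code, with a renderer and a helper that lists which characters are drawn with exactly the same segments. This is an added example for this page, not the Deluge font (whose glyph choices are not reproduced here) and not code from the original post: the segment assignments are my own, and letters the post calls hard (M, W, X, K and so on) are deliberately left out so that the encoder refuses them instead of guessing:

```python
"""A seven-segment 'font' as a lookup table, with a renderer and a tool that
lists which characters share a segment pattern (the built-in ambiguity that
makes such text a puzzle)."""

# Standard segment names: a=top, b=upper right, c=lower right, d=bottom,
# e=lower left, f=upper left, g=middle. One bit each.
a, b, c, d, e, f, g = (1 << i for i in range(7))

# Glyph table: my own choices for a plain seven-segment rendering, not the
# Deluge font's. Letters that need more than seven straight segments
# (M, W, X, K and friends) are deliberately absent.
SEGMENTS = {
    "0": a | b | c | d | e | f,     "1": b | c,
    "2": a | b | d | e | g,         "3": a | b | c | d | g,
    "4": b | c | f | g,             "5": a | c | d | f | g,
    "6": a | c | d | e | f | g,     "7": a | b | c,
    "8": a | b | c | d | e | f | g, "9": a | b | c | d | f | g,
    "A": a | b | c | e | f | g,     "b": c | d | e | f | g,
    "C": a | d | e | f,             "d": b | c | d | e | g,
    "E": a | d | e | f | g,         "F": a | e | f | g,
    "G": a | c | d | e | f,         "H": b | c | e | f | g,
    "I": b | c,                     "J": b | c | d,
    "L": d | e | f,                 "n": c | e | g,
    "O": a | b | c | d | e | f,     "o": c | d | e | g,
    "P": a | b | e | f | g,         "q": a | b | c | f | g,
    "r": e | g,                     "S": a | c | d | f | g,
    "t": d | e | f | g,             "U": b | c | d | e | f,
    "u": c | d | e,                 "y": b | c | d | f | g,  # a '9' with the top off
    "Z": a | b | d | e | g,
}


def segments(ch: str) -> int:
    """Segment bitmask for `ch`, falling back to the other case if needed."""
    for candidate in (ch, ch.upper(), ch.lower()):
        if candidate in SEGMENTS:
            return SEGMENTS[candidate]
    raise ValueError(f"no seven-segment glyph for {ch!r}")


def render(text: str) -> str:
    """Three-line ASCII-art rendering, one glyph per character, as a display shows it."""
    rows = ["", "", ""]
    for ch in text:
        m = segments(ch)
        rows[0] += " " + ("_" if m & a else " ") + "  "
        rows[1] += ("|" if m & f else " ") + ("_" if m & g else " ") + ("|" if m & b else " ") + " "
        rows[2] += ("|" if m & e else " ") + ("_" if m & d else " ") + ("|" if m & c else " ") + " "
    return "\n".join(row.rstrip() for row in rows)


def lookalikes(text: str) -> list:
    """For each character, the set of table entries drawn with exactly the same segments.

    A singleton set means the glyph reads one way only; a larger set is the
    ambiguity (5/S, 0/O, 2/Z, 1/I) that a puzzle can lean on.
    """
    result = []
    for ch in text:
        m = segments(ch)
        result.append({k for k, v in SEGMENTS.items() if v == m})
    return result


if __name__ == "__main__":
    for word in ("CLUE", "5US", "2022"):
        print(render(word))
        print(lookalikes(word))
```

Run it and 'CLUE' comes back as four singleton sets, while anything containing 5, 0, 2 or 1 reads two ways, which is exactly the property the post is exploiting.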

---




Friday 12 November 2021

Numbers that don't exist...

The images and sounds that you see and hear in movies and on the television are carefully crafted, constructed, produced... and more. Clothes might be 'product placement', but they might also be custom made so that they look kind of like famous brands, but aren't - which means that showing them on screen isn't advertising, and it isn't trademark, logo or brand infringement. Music might be re-recorded so that it sounds very similar to the real thing, but again, is merely very close - the BBC's Top Gear 'classic' theme tune is just one example. It might sound like 'Jessica' by the Allman Brothers, but actually it is a cover version, or a re-recording, and as it turns out, there are several versions that all sound like it.

Then there are Search Engines on computer screens, which again, look 'almost familiar'...  And URLs... And Operating Systems... This 'nothing you see or hear is real' extends to a whole set of logos, brands, advertising and all sorts of other things which can be covered by copyrights, trademarks, etc. It's a complicated business, and there are people whose job it is to make sure that all of these are thought about - in advance. (Which is, of course, also what Security people do!)

Then there are things that you might be surprised about, like... numbers.

Photo by Claudio Schwarz on Unsplash

Telephone Numbers

Whenever a movie or a television programme uses a telephone number, there will inevitably be some people in the audience who will dial that number. 'Just to see what happens!' is the usual thing that people say when they do this. So, for a popular programme, even a small percentage of 'Let's see...' people trying to dial the number could potentially cause a large shift in the use of the telephone network, or the Internet, or the Mobile/Cell telephone network, and could potentially cause something broadly similar to a Denial of Service (DoS) attack...

So, broadcasting numbers in movies and television can be considered to be a security issue. DoS attacks are just one facet of the problem, though. Can you imagine the legal problems if the telephone number happened to be the actual number of a real person or company? Suddenly it has become a privacy problem, or a data breach... But how do you find a number that is guaranteed not to ring someone's phone? Just making up a number at random could easily be a real 'live' number - someone's number!

As it happens, such numbers do exist. In the UK, OFCOM, the telecommunications regulator, maintains and publishes a list of numbers that can be used in movies, television, radio, etc. Here is one set.  

One security-related application of numbers like this is when you are required to give a telephone number as part of a registration process. If you don't want to give your real telephone number, perhaps  because of privacy concerns, then using a number that doesn't exist (and is more or less guaranteed to stay like that) seems like a good alternative. 

Photo by Ryan Born on Unsplash

Test Numbers and Letters

Another number that you might see on screen (or in photographs for advertising) is the credit card, and this time, the reasoning behind not using someone's real number is kind of obvious - and once again, it is a security concern. But how do you test computer systems that use credit cards for making purchases? Do developers use their own personal credit card numbers? Maybe there are special 'test' credit card numbers as well? There are! Here are just some.

Credit card numbers include a check digit (computed with the Luhn algorithm) that shows whether a digit has been mis-typed or mis-heard, for example. This is so that when quoted over the telephone, or typed online, they can be immediately validated before anything is sent to the card network. Note that passing the check only means that the digits are self-consistent, not that the card exists - which is exactly why the published test numbers pass it. Many other similar numbers (or mixtures of numbers and letters) also have built-in checks.
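The check digit is worth seeing in code, because it explains both halves of the story: why a typo is caught at the checkout, and why a 'test' number can be minted that validates without belonging to anyone. This is an added example for this page, not code from the original post or from any card scheme; the prefixes used in it are constructed for illustration and are not a claim about any issuer:

```python
"""Luhn check digit: validate a card-style number and mint a 'test' number
that passes the check without belonging to anyone."""


def clean(number: str) -> str:
    """Drop the spaces and dashes people type between groups of digits."""
    return "".join(ch for ch in number if ch.isdigit())


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum over a full digit string (check digit included).

    Working from the right, every second digit is doubled and, if the result
    has two digits, they are added together (equivalently, 9 is subtracted).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total


def luhn_valid(number: str) -> bool:
    """True if the number is self-consistent under Luhn.

    Says nothing about whether a card with that number exists: that is a
    question for the issuer, not for a check digit.
    """
    digits = clean(number)
    return len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The digit to append to `payload` so that the whole thing passes luhn_valid."""
    payload = clean(payload)
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def make_test_number(prefix: str, length: int = 16) -> str:
    """Pad `prefix` with zeros to `length - 1` digits and append the check digit.

    Given a prefix that a card scheme documents as reserved for testing, this
    produces a number that a front-end validator accepts but that can never
    be charged. The prefix itself is the caller's responsibility.
    """
    payload = clean(prefix).ljust(length - 1, "0")
    return payload + luhn_check_digit(payload)


if __name__ == "__main__":
    for candidate in ("4111 1111 1111 1111", "4111 1111 1111 1112", "1234"):
        print(candidate, "->", "valid" if luhn_valid(candidate) else "invalid")
    print(make_test_number("4242"))
```

The second candidate differs from the first in a single digit and fails, which is the mis-typing case; the last line shows how a valid-looking number is produced from nothing more than a chosen prefix.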

Once you get into this mind-set, then all sorts of other numbers pop up. How about street numbers that don't actually exist for a road? How about non-existent Post Codes, Zip Codes, or other postal coding systems? UK Post Codes are interesting, because there's an online way of checking whether they are valid, so a 'test' or 'unissued' one will simply be rejected. UK Post Codes can be quite specific about the addresses they cover, and so they give away lots of information about the location. Once you start mixing numbers and letters, then just about every method of providing a 'unique' identifier probably has an in-built (and online) way of verifying whether it exists, and this may deliberately prevent any generic, test, or anonymous identifiers.

Predefined List

UK Post Codes lead to another interesting aspect of validation of numbers or letters by software. One of the security-driven responses to web-forms that have text fields in them is to restrict what can be entered: (A-Z, a-z, 0-9), for example. But another approach is to pre-define the contents to a list. So for Post Codes, you might have a pop-up menu that requires the selection of the first letter at the start of the Post Code. There are a limited number of possible entries (A to Z...), so selection is relatively easy/quick, and so if you live in Manchester, you would select 'M'. But you can't enter anything else, other than those that are shown. (Some letters are not used to start UK Post Codes: X and Q are two examples...). So this forces you to enter a real letter for a real location - there is no way to enter a generic or non-existent location.

So a security fix (stopping people typing any text into a field) turns into a privacy problem where only a specific entry can be made. This can happen with telephone numbers, where the number is checked and rejected if it is found to be 'invalid'. This sounds okay, until you try to enter international numbers... If the text field is limited to just the digits 0 to 9, then how do you add the country code ('44' for the UK, for example)? The usual convention is to write a + symbol, then the country code, 44, and then the number, omitting its leading zero. Except that if you can't enter the '+', then the number starts with 44, and this is going to be automatically rejected by any validation code that 'knows' that (UK) telephone numbers always start with '0' (zero).
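The two validators below make the dilemma concrete: the first is the over-strict check just described, the second normalises what people actually type into the E.164 form (+ country code, national number without its leading 0, at most 15 digits) that a back-end can store and compare. This is an added example for this page, not code from the original post; the minimum length of 8 digits and the 'assume UK when no country code is given' default are my assumptions, and the sample number 020 7946 0958 is taken from the Ofcom drama range, so it rings no one:

```python
"""Over-strict versus useful telephone number validation.

naive_uk_validator is the kind of check described above: digits only, must
start with 0. It throws away every correctly written international number.
normalise_e164 accepts the forms people really use and returns a canonical
+<country code><number> string, or None when the input cannot be interpreted.
"""
import re
from typing import Optional

E164_MAX_DIGITS = 15  # E.164 limit, country code included
MIN_DIGITS = 8        # assumption: shorter inputs are treated as typos


def naive_uk_validator(number: str) -> bool:
    """Rejects anything that is not 10 or 11 digits starting with 0."""
    return re.fullmatch(r"0\d{9,10}", number) is not None


def normalise_e164(number: str, default_country_code: str = "44") -> Optional[str]:
    """Return the number as +<digits>, or None if it cannot be made sense of.

    Accepts '+44 ...', '0044 ...' (the old international prefix) and national
    '0...' numbers, which are assumed to belong to `default_country_code`.
    Spaces, dots, dashes and parentheses are ignored.
    """
    s = re.sub(r"[\s().-]", "", number)
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    elif s.startswith("0"):
        s = default_country_code + s[1:]
    else:
        return None  # no way to tell which country this belongs to
    if not s.isdigit() or not MIN_DIGITS <= len(s) <= E164_MAX_DIGITS:
        return None
    return "+" + s


if __name__ == "__main__":
    for entry in ("020 7946 0958", "+44 20 7946 0958", "0044 20 7946 0958", "2079460958"):
        print(f"{entry!r:>22}  naive={naive_uk_validator(entry)!s:5}  e164={normalise_e164(entry)}")
```

The same drama number is accepted in its national form and rejected by the naive check in its international form, while the normaliser maps all three spellings to one value, which is also what makes de-duplication and rate limiting by phone number possible.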

The Security/Privacy/Validation Dilemma

Which leads to a difficult area of software design. How do you make software that can interact with people, but which is security-conscious (choosing from a pre-defined list is preferred to a text field that will accept a limited set of characters), which allows anonymity or privacy (not filling in your middle name, your age, your gender...), but which can also be validated to check that you have not put in an incorrect response by accident/mistake/deliberately? This is not an easy triangle to navigate...

Just one emerging example. Before the pandemic, cash was a way of paying for something anonymously. Post-Covid, cash has become much less acceptable, and 'electronic' or 'contactless' payment methods have become much more the 'norm'. But are the payments then anonymous?

Is the future a world where the need for security and validation of data outweighs personal privacy? Has privacy always been an illusion anyway? 

(And why do some people spell 'dilemma' as 'dilemna', and insist that they were taught that way at school?)  

---


Wednesday 3 November 2021

Hardwear.IO Netherlands 2021 Badge Puzzle

Attendees at the Hardwear.IO Netherlands 2021 security conference got a plastic badge with a puzzle on it... Yep, another of my puzzles - or, maybe, two of my puzzles:


Obfuscation is the art of hiding things in plain sight. QR codes are one example - they are a way of obscuring a URL from being read too easily. Of course, if you don't know what they are, then they might appear to be 'magic' or 'secure' in some way. Some obfuscation is so entrenched that it can appear to be 'obvious' - ASCII codes for letters and numbers, for example. Unless, that is, you were raised when EBCDIC was the standard...

Puzzles are logical obfuscations, where the obscuring process can be undone...

The orange plastic makes it quite hard to see some of the numbers, so here's the original diagram:


The idea here was to have as few instructions as possible. The big arrow indicates that there is a left-to-right flow, and presumably the answers go in the boxes on the right. 

As a puzzle creator, one good starting point is to provide clues to how to find the answer, and to make the clues obvious, but not too obvious. So rather than just give you the solution up front, here are a few hints, and if you keep scrolling, then you will find the solution...

Hints


The second box on the lower row looks like 'NL' and so is presumably a clue to the conference being in the Netherlands - which attendees will already know, of course! But what it actually is doing is showing that there is something significant in the strokes used to make the N and the L shapes. 

The box directly above it on the top row is also a clue, but for a different reason. There are 23 question marks, plus an 'A' and a '1'. At first glance, the A and the 1 are almost invisible because of the visual clutter. 

The first boxes on the left contain two very different contents - deliberately. The top box has a 5x5 grid of two digit numbers, and the next box along to the right also has a 5x5 grid... The lower box has 6 rows, and the length varies from 3 to 6 characters. 

And there's that big arrow pointing from left to right... but also pointing to some smaller arrows connecting the two final boxes on the right. Maybe the contents of those boxes are similar in some way?

The top row has a box with just arrows inside it, which could indicate a path of some sort... There are 5 rows again in this box.

The lower row has a 6x11 box with just 1s and 0s. 11 digits is unusual for binary numbers, so interpreting the first one as 0b00010000101000 (and so on) might not be the right approach. Is there another use that an array of 1s and 0s might be put to? Could it be an image mask of some sort? My puzzles tend to be based on hardware (sometimes with software) and so there's often a 70s or 80s bias to my metaphors.

The top row does have a box that looks like a raster scan - and it is directly above the 6x11 masking box. Could this be a clue as well? 

The left-most box on the top row contains two digit numbers. Many of my puzzles contain ASCII and other codings for numbers. So what sort of tests could you apply to numbers to see if they are ASCII encoded versions of text? If you were investigating a piece of real hardware, looking for how it stored data, especially if it wanted to have some security for the data, would it always be in an ASCII encoded form? 

My puzzles are intended to be educational, particularly for people who want to find out how hardware and security are intermingled in the real world. Knowing how to spot ASCII-encoded characters can often be a good starting point to working out where strings are stored in memory. Knowing that blocks of high entropy data might well be encryption keys is another useful piece of information to have in your mind. And how could high entropy data be hidden? How do you remove entropy so that it isn't as obvious? Could the 6x11 grid of 1s and 0s be doing something with entropy? 

Cryptographers tend to break text into blocks of 5 characters, and the left hand box on the lower row deliberately has between 3 and 6 characters in the rows - and none of the rows has 5 characters! This is not accidental...

The first thing that you tend to see in the puzzle is the big arrow from left to right. There's a circle at the start, so is this meant to be a vector? A pointer? A direction indicator? 

Finally, there are two small dots in the right hand 'empty' boxes. In the diagram above these are shown in black. This might be an additional clue... Almost nothing in my puzzles is there by accident.

The Solutions


If you are still reading, then you might well be

looking

for

the 

solution.

So,

I

will

try 

to 

make

sure

that

you 

don't

see

the

answer

by

accident.

Top Row


The left hand box on the top row contains two digit numbers. They aren't ASCII-encoded characters, because the digits and letters in ASCII run from 48 ('0') to 122 ('z') in decimal. Values below 32 are control characters from the days of teletypes, typewriters, and very slow asynchronous serial communications, and values from 97 to 122 are the lower case letters (a-z) - and cryptographers always tend to use capital letters (in blocks of 5, remember?). SOTHE YPROB ABLYA RENOT ENCOD EDINA SCII!

Did you notice that all of the spaces were removed from the blocks of 5 characters? Old-school 'Enigma'-style cryptographers left out the spaces between words as well. You know how people always say that 'E' is the most used letter in the English language? Well, if you look at ASCII-encoded text, then usually the most commonly occurring number is not 69 (E) or 101 (e), but 32 - which is the 'space' character. Some of my puzzles deliberately leave the spaces in - as a clue that the text is ASCII encoded! 

If not ASCII, then what? The second box from the left on the top row might be a clue. In amongst the question marks, there are two characters: an A and a 1. The 'A' seems to correspond with the 01 in the 5x5 grid in the first box on the top row, whilst the '1' seems to be associated with the 28. In ASCII, the digits start with zero at 48 and go to '9' at 57. So what might be the simplest way of arranging the capital letters of the alphabet (A to Z), plus the digits 0-9? Well, it might start at 0, go to 9, then A, then to Z. But an index where 01 means zero seems like it is making things a bit obvious, especially when 02 means 1, 03 means 2 and so on. This would mean that dates would be in the form <02-32>/<02-13>/<...and 3132 for the current year>, which might be a give-away after a while...

So, to be contrary to the way that ASCII works, how about putting the numbers after the letters? So 01 is A, through to 26 for Z, and then 27 for Zero, and 28 for 1. And there you have it - one of several ways of arranging the letters and numbers so that they can be indexed with a two-digit number! 

If you substitute the indexed letters and numbers using this mapping, then how do you put them into the final box on the right? Many of my puzzles try to get away from the left to right, top to bottom convention that native English handwriting and typing normally follows (But note that the value of the digits in numbers increases from RIGHT to LEFT!) and use other conventions instead. Japanese and Chinese are particularly interesting here, because although they can be written from left to right, top to bottom, they can also be written top to bottom, right to left... I have often used spirals to try and hide the sequence of letters from a casual inspection, of which more later...

So the 'raster' 'third from the left' top box might be interpreted as a set of vectors, showing how the decoded characters are arranged. If you do this, then the purpose of the black dot will become apparent - it is the 'dot' in Hardwear.IO...

Lower Row


The lower row starts on the left hand side with the 6 rows of 3 to 6 characters, and NO 5 character rows at all. The characters are a mixture of letters and numbers, and so it might be that the plaintext is 'hidden in plain sight', which would be a terrible pun, but exactly the sort of cheeky misdirection that I often include in my puzzles. The box on the second left in the lower row contains another 'raster' diagram, which actually looks like 'NL' spelt out in vectors. But it isn't immediately obvious what the vectors mean...

The third box from the left on the lower row is the 6x11 set of what look like binary numbers, except that they are 11 digits long, which is unusual for binary. If you are thinking 'misdirection' at this point, then you would be completely correct. Thinking of old raster-based visual displays, one of the common techniques used to process images on the screen was to use 'masks' that determined whether a pixel in the image would be displayed in the raster, and thus on the screen. So the first, second and third boxes from the left on the top row are actually clues to this being a 'raster'-influenced puzzle...

The third box from the left on the lower row is indeed a mask. It is actually just the second box from the left on the lower row, but mapped onto a 6x11 'raster' or grid. The ones and zeroes do not mean the values one and zero - the 1s are place-holders for the characters that will be displayed, and show where they will be placed on the screen. So the three boxes from the left on the lower row are all indicating the same thing - how the characters in the first box are placed in the final box on the right.

If you take the NL vector diagram from the second box on the left on the lower row, and use it to 'parse' the characters in the first box from the left on the lower row, and place them in the right hand box according to the mask (using just the 1s), then you get: 'HARDWE' reading upwards (from bottom to top) as you follow the upwards vector on the first stroke of the 'N'. As you continue, it spells out a slightly different order of the parts that made up the contents of the top, right hand box - and this is what those twisty arrows connecting the two right hand boxes indicate - the contents are not exactly the same in their layout.
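To make the mask-and-vector mechanism concrete, here is an added example in Python that is not part of the original post and does not reproduce the actual puzzle's 'NL' diagram or 6x11 mask (those exist only in the images). The strokes (a single 'N' on a constructed 6x6 grid), the plaintext and the filler character are all assumptions made for illustration. It expands the vectors into a path, derives the 1/0 mask from that path exactly as the third box is derived from the second, places the characters, and then shows the difference between reading along the vectors and reading in plain raster order:

```python
# Added example: mask-and-vector character placement, as described for the
# lower row of the puzzle.  The strokes, grid size and plaintext below are
# constructed for illustration; they are NOT the puzzle's own diagram.

from typing import List, Tuple

Cell = Tuple[int, int]
# A stroke is (start_row, start_col, row_step, col_step, length): one vector
# in the diagram, with a starting cell, a direction and a length.
Stroke = Tuple[int, int, int, int, int]

ROWS, COLS = 6, 6

# Three strokes drawing an 'N': up the left column, diagonally down,
# then up the right column.  Note that the first stroke runs UPWARDS.
N_STROKES: List[Stroke] = [
    (5, 0, -1, 0, 6),   # bottom-left corner, straight up
    (1, 1,  1, 1, 4),   # diagonal, just below top-left to just above bottom-right
    (5, 5, -1, 0, 6),   # bottom-right corner, straight up
]

PLAINTEXT = "HARDWEAR.IO2021!"   # constructed: 16 characters, one per path cell


def path_from_strokes(strokes: List[Stroke]) -> List[Cell]:
    """Expand the vector strokes into the ordered list of cells they visit."""
    path: List[Cell] = []
    for row, col, drow, dcol, length in strokes:
        for i in range(length):
            cell = (row + i * drow, col + i * dcol)
            if cell not in path:      # a corner shared by two strokes is visited once
                path.append(cell)
    return path


def mask_from_path(path: List[Cell], rows: int = ROWS, cols: int = COLS) -> List[str]:
    """The 'binary' box: a 1 wherever a character will be placed, 0 elsewhere."""
    grid = [["0"] * cols for _ in range(rows)]
    for r, c in path:
        grid[r][c] = "1"
    return ["".join(line) for line in grid]


def place(text: str, path: List[Cell], rows: int = ROWS, cols: int = COLS,
          filler: str = "-") -> List[List[str]]:
    """Write text into the grid, one character per path cell, in path order."""
    if len(text) != len(path):
        raise ValueError(f"text has {len(text)} chars but path has {len(path)} cells")
    grid = [[filler] * cols for _ in range(rows)]
    for ch, (r, c) in zip(text, path):
        grid[r][c] = ch
    return grid


def read_along_path(grid: List[List[str]], path: List[Cell]) -> str:
    """Decode: follow the vectors and read the characters in visiting order."""
    return "".join(grid[r][c] for r, c in path)


def read_raster(grid: List[List[str]], mask: List[str]) -> str:
    """What a reader who ignores the vector diagram gets: the 1-cells in
    left-to-right, top-to-bottom (raster) order."""
    return "".join(grid[r][c]
                   for r in range(len(mask))
                   for c in range(len(mask[0]))
                   if mask[r][c] == "1")


def demo() -> Tuple[str, str]:
    """Return (text read along the vectors, text read in raster order)."""
    path = path_from_strokes(N_STROKES)
    mask = mask_from_path(path)
    grid = place(PLAINTEXT, path)
    return read_along_path(grid, path), read_raster(grid, mask)


if __name__ == "__main__":
    path = path_from_strokes(N_STROKES)
    for line in mask_from_path(path):
        print(line)
    print()
    for line in place(PLAINTEXT, path):
        print("".join(line))
    decoded, scrambled = demo()
    print("\nalong the vectors:", decoded)
    print("raster order     :", scrambled)
```

The mask alone tells you where the characters are, but not the order in which to read them; the raster-order read is a plausible-looking jumble, which is why the vector diagram is the real key. Reversing any stroke, or reordering the strokes, changes the raster read without changing the mask, so the mask is a poor place to look for the sequence.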

The Solution


Which brings us to the solution:


The solution is thus either:

Hardwear.IO Netherlands 2021 (in all Capitals)

or

Hardwear.IO2021 Netherlands (again in all Capitals)

But, why are they different? To see why, take the top row solution and apply it to the reverse of the process used for the lower row. The bottom row of the contents of the left hand box will end up like this:

HN2021

Which kind of gives away too much...

For the reason behind that, think about how the puzzle was designed. The top row was done first, then the lower row. When the problem was noticed, the top row could have been reworked, but it was already done, and so I took the easy way out - I used the twisty arrows to indicate that the contents of the two right hand boxes were similar, not the same. And this is exactly what happens in real-world hardware and software - unexpected problems can arise after a lot of work has been done, and the quickest fix is often not ideal.

So one of the 'tools' that should be in the hardware (or software) reverse engineer's toolbox is the 'unexpected consequences often get fixed very badly' thought. Do you really change the whole design because of a minor mistake and do a total rework, or do you find a smart, quick fix that might compromise some of the security - but who is ever going to find it? Just about every project that I have ever seen will go for the easy fix, not the total rework. And that's one way that vulnerabilities get into hardware - or software. 

In a single puzzle, you have learnt about non-ASCII encoding, how to find ASCII encoding, how to vectorise and mask matrices, and the consequences of not going back and properly fixing mistakes that were unforeseen. This wasn't puzzle solving - it was actually training!

Thanks to Hardwear.IO for their support, and for using my puzzles!

To save you time searching for more of my puzzles - there's a list here and another puzzle here

---

If you find my writing helpful, informative or entertaining, then please consider visiting the following  link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):

Sunday 11 July 2021

Hardwear.IO USA 2021 Wall Challenge Extras

Photo by Yogendra Singh on Unsplash

OK, so it may have been a bit difficult to solve this time...

The Wall Challenge that I produced for the Hardwear.IO USA 2021 hardware security conference was a little different to previous puzzles. I've always been a fan of the 'metapuzzle', where everything is interlinked. Cliff Johnson's 'Fool's Errand' is a very refined version of a metapuzzle...

So the Wall Challenge was all about a defective printer, and why it was incorrectly printing the virtual badges for an online conference. As always, the premise is just window-dressing. The intended purpose of a Wall Challenge, as I have said many times before, is training people in security hacking:

How to solve unfamiliar puzzles

Which is why the instructions are often sparse, and the setting is unusual. One way of thinking about it is to imagine the total opposite of a 'Capture The Flag' (CTF) contest, where the setting, purpose, methodology, approach to solving (and more) are all known beforehand, are well understood, and are familiar. In contrast, the best indicator of a high quality Wall Challenge is when people say: 'I haven't seen a puzzle like this before - how do I solve it?' 

Which is why previous Wall Challenges have used underlying mechanisms like resistor colour codes, flags, a CNC machine-engraved plastic conference badge, and more. So what could the theme be for a conference held in the United STATES of America?

Resources

Just as in security, doing the background research is important. In this case, two main resources were used:

https://www.ssa.gov/international/coc-docs/states.html

https://en.wikipedia.org/wiki/United_States (and the pages for individual states...)

Two other implied resources were used, although it was assumed that most conference attendees would be familiar enough with them:

Printers

Conference Badges

This assumption is important, because it means that explanations of how they work, what they do, etc. are not required. 

Finally, two essential online resources for readers of this blog - two YouTube videos:

Questions Only (recommended starting place)

Questions and the Answers (for later...)

Discord

In a real conference, Wall Challenges are sheets of A4 paper, blu-tacked to the wall around the venue. People can see them, they can talk to others about them, and the physical act of standing in front of one, brow furrowed, trying to figure it out, is one of the most effective pieces of advertising known to human beings. Especially for motivated problem-solvers like the people at a hardware security hacking conference!

At a virtual conference, an online equivalent is required. The one that is used at Hardwear.IO conferences is Discord - there are other software applications with a similar feature set, but Discord is particularly well-evolved, and is my personal favourite of this type of team messaging application.

In a virtual/online conference, Discord is where the challenges are posted/published. It is also where people chat, discuss, and generally engage in discourse about the challenges - a total analogue of people standing around in front of sheets of paper stuck on the wall... It is also where hints and clues can appear. Here are some from the USA 2021 conference (and others):

(For newbies:)

How to start? Read everything - there are clues everywhere. Try looking for the differences between the cards.

The whole experience is meant to be an analogue of the real hardware hacking experience: You have no idea what is going on inside the hardware, but you can see some external effects...

(Hints for those struggling:)

Is any information missing on the cards?

Everything is a clue... Read the introduction, and everything in the challenge pictures...

Don't know where to start? Look for what should be on the cards. Are there any clues in any of the pictures?

suppose the printer can't fit any more than two red characters into the space... what does it do?

what if the red characters in challenge 1 were the beginning and ending of two words?

the red characters on the left are important!

(Sometimes the hints are themselves clues:)

so what makes the cards in the 2nd challenge different to the 1st challenge?

why is all the printing on the badges in capital letters? could this be important?

is there a typo in challenge 1? shouldn't it be 'HardWear.IO'? what is the abbreviation?

what is going on in the set of red characters in challenge 1?

(Sometimes the hints just repeat what is in the picture, to make it more obvious:)

Ha! - no, I know there isn't a web-site for American Wave Ascenders, Inc.

"...a total state of confusion..." (it's a clue!)

(Associated concepts:)

Georg Cantor

(Responses and clarifications to email queries:)

none of the hardwear.io staff were from spokane! (the printer is confused!)

(Additional clues when people are really struggling:)

the answer to challenge 1 is two US states. the answers to challenges 2 to 6 are one US state in each case...

to solve challenge 7 it helps if you have some of the answers to 1 to 6...

---

Thanks to everyone who participated in the Wall Challenge. It seems that this one was more difficult to solve than I thought. Sometimes the pre-testing doesn't give a good indication of reality...

Oh, and grateful and sincere thanks to Unsplash, who provide me with excellent, nicely-themed photos for several blogs! And they can do the same for you...

Photo by James on Unsplash

---

Monday 22 March 2021

A Strange Way To Advertise...

Apart from security, I also dabble in electronic music, and I write a blog on that topic... 

Today, I got an email from a company, asking me if I could 'collaborate' with them by posting something containing a link to an account on a well-known music software company's forum, asking if I was willing to 'work with them' to promote their client, and asking me to make them an 'offer' for this activity. 

So they were asking me to post something like:

"Hey, I know this has nothing to do with electronic music, but this web-site <URL> is wonderful!"

Needless to say, the client is nothing to do with music, and I simply don't do this type of thing, ever. This is SEO/Advertising gone wrong, in my opinion, and I will have nothing whatsoever to do with any company that does this type of promotional activity.

- - - 

Photo of a decommissioned nuclear missile launch control panel by Jeremy Straub on Unsplash

I have always been intrigued by one of the common 'security' themes that happens in blockbuster movies all the time - the evil bad-person is trying to destroy the planet, and the 'security' people who work for the bad-person are quite willing to assist in making this happen, often going above and beyond what could reasonably be expected, even though this will kill the bad-person, them, their families, the people they know, and absolutely everyone else.

I have always wondered what possible reward could be motivating these people. It can't be money, because they will be dead. It can't be fame, because everyone will be dead. It can't be loyalty, because the bad-person is going to die as well. It can't be immortality, because they and everyone else will be dead. It can't be notoriety, because apart from some debris (and everyone being dead), there's no way that any visitor from outside the solar system will have any interest in the remains of a planet. 

When I say 'willing to help' the bad-person, this usually involves defending them robustly, with weapons, technology, computers, etc. Often this requires dedication, persistence, intelligence, determination, loyalty, and more... And these security people are only rewarded with their own deaths, often by their own hands...

In some scenarios, the script-writers increase the seriousness by having the bad-person wanting to destroy the whole universe - that's everything! I find it even harder to envisage any possible way to motivate people to help with that. 

I'm obviously not meant to be a security person in a blockbuster movie...

- - - 
