Saturday, 13 November 2021

Obfuscation for puzzles...

Obfuscation, the art of hiding things in plain sight, is a key part of designing puzzles. Here's one useful example that is much more complex than it might at first appear to be...

Photo by Vishnu Mohanan on Unsplash

Seven Segment Displays

In the 21st Century, LCDs, OLEDs and all sorts of other sophisticated display technologies make it increasingly easy to provide alphanumeric (or beyond) indications to users. But some older display technologies still get used, for any number of reasons - from nostalgia to retro design to simply saving space to pure perversity, and more.

One such display (nostalgia, not perversity) is the 'seven segment' display: seven LEDs arranged in a figure-of-'8' shape, which can display all of the numbers from 0 to 9 by turning on some of the LEDs, or all of them for an '8'. The number '8' is a special number in some cultures, and in electronics, displaying the number '8' causes the highest current consumption in seven segment displays!

But seven segment displays can also display more than just the numbers - and this ignores the decimal point or full stop or period LED that is sometimes available to the left or right of the seven LED segments. With a little imagination, the '5' could be a capital (upper case) 'S', the '0' could be a capital 'O', and so on. Requiring more stretching of the imagination, the '9' might be a raised 'g', the '2' might be a capital 'Z'... Just by using those seven segments as raw source material, then many other letters can be produced: capital letters like 'U' and 'P' and 'C', for example. Lower case letters like 't' and 'o' and 'b' and 'd' are okay, but some letters are more challenging. A capital 'Y' can be produced by turning off the top LED in a curly '9', for example. 

But some letters are just plain difficult to produce on a seven segment display. Examples include: M, m, W, w, X, x, e, Q, q, etc. This doesn't mean that they can't be 'expressed' on the display; it means that their appearance might not be immediately obvious. At which point, we have obfuscation.

Seven Segment Font

Preparing puzzles for online use, or the CAD files to enable conference badges or other physical objects, often requires a TrueType font (almost 'de facto' for many typographical purposes nowadays). But fonts based on seven segment displays aren't all that common...

So here's one based on the coding used on the Synthstrom Audible 'Deluge' groovebox, an amazing piece of musical technology that is part sequencer, part synthesizer, part drum machine, part sampler, part DAW and part effects unit, plus a few other parts. For its display, it uses just four seven segment LEDs, plus a few other LEDs underneath buttons, as part of the user interface, with the seven segment displays used for text and numbers (which scroll across - thus increasing the effective width to arguably 'more than 4' characters). The Deluge also comes from New Zealand, which is sort of a link with the 'Kiki' in the picture at the start of this blog post!

From: https://github.com/weavermedia/deluge-led-font?fbclid=IwAR0dNTx0U0GPTNHxYrVkdm3UUlq4PMhSv-pJ7M8vC2LipziNfalnWS7d7mQ

As you can see, some of the problematic letters, like lower case 'a' and 'e' have just been turned into their upper case, capital alternative. But the 'M', 'W', 'K' and 'X' are very distinctive, because the lower and upper case are the same, but they are also difficult to read at first glance. Oooh! Obfuscation. 

Even more interestingly, some of the upper case (capital) letters are deliberately turned into lower case, even when an upper case exists. 'o' is an example - it is used for the upper case (capital) and lower case, even though a zero '0' could be used, although that might be confusing in some circumstances... Conversely, some are left as upper case, even when a lower case alternative exists: 'c' and 'u', and maybe 'j'.

But for puzzles, then a font like this is an almost perfect way of providing a mixture of familiarity and unfamiliarity, all at the same time. Careful choice of words enables clues and hints to be given in varying degrees of obscurity: 'CLUE' for example, is easy to read in the font, whilst 'MIX' is much harder at first glance.  
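To make the 'some letters are easy, some are hard' point concrete, here is a small seven-segment font and renderer, written for this post as an added example. The segment-to-letter mapping is my own construction and is not the Deluge LED font shown above: it covers the digits plus the letters discussed (the '5'-as-'S', '0'-as-'O' and '9'-minus-top-segment-as-'Y' tricks included) and deliberately has no glyphs for M, W, X and the other awkward ones, so 'CLUE' renders in full while 'MIX' comes back with two gaps.

```python
# Added example: a small seven-segment "font" and ASCII-art renderer.
# The segment-to-letter mapping below is my own construction for illustration;
# it is not the Deluge LED font from the post.

# Segment bit positions, using the conventional a-g labelling:
#   a = top, b = upper right, c = lower right, d = bottom,
#   e = lower left, f = upper left, g = middle.
A, B, C, D, E, F, G = (1 << i for i in range(7))

# Glyphs as bitmasks. Digits follow the usual seven-segment patterns;
# the letters are one reasonable choice out of several.
GLYPHS = {
    "0": A | B | C | D | E | F,
    "1": B | C,
    "2": A | B | D | E | G,
    "3": A | B | C | D | G,
    "4": B | C | F | G,
    "5": A | C | D | F | G,
    "6": A | C | D | E | F | G,
    "7": A | B | C,
    "8": A | B | C | D | E | F | G,
    "9": A | B | C | D | F | G,
    "A": A | B | C | E | F | G,
    "b": C | D | E | F | G,
    "C": A | D | E | F,
    "d": B | C | D | E | G,
    "E": A | D | E | F | G,
    "F": A | E | F | G,
    "G": A | C | D | E | F,
    "H": B | C | E | F | G,
    "I": B | C,              # shares its pattern with '1'
    "L": D | E | F,
    "n": C | E | G,
    "o": C | D | E | G,
    "P": A | B | E | F | G,
    "r": E | G,
    "S": A | C | D | F | G,  # shares its pattern with '5'
    "t": D | E | F | G,
    "U": B | C | D | E | F,
    "Y": B | C | D | F | G,  # a '9' with the top segment turned off
}

def glyph(ch):
    """Bitmask for ch, trying the exact case first and then the other case.
    Returns None when the font has no way to show the character."""
    for candidate in (ch, ch.upper(), ch.lower()):
        if candidate in GLYPHS:
            return GLYPHS[candidate]
    return None

def missing_glyphs(text):
    """Characters in text that this font cannot display at all."""
    return sorted({ch for ch in text if glyph(ch) is None})

def segments_lit(ch):
    """Number of LEDs on for ch: the current-draw proxy the post mentions ('8' lights all seven)."""
    mask = glyph(ch)
    return 0 if mask is None else bin(mask).count("1")

def render(text):
    """Render text as three rows of ASCII art, one 3-column cell per character.
    Characters the font lacks come out as a blank cell."""
    rows = ["", "", ""]
    for ch in text:
        m = glyph(ch) or 0
        rows[0] += " " + ("_" if m & A else " ") + "  "
        rows[1] += ("|" if m & F else " ") + ("_" if m & G else " ") + ("|" if m & B else " ") + " "
        rows[2] += ("|" if m & E else " ") + ("_" if m & D else " ") + ("|" if m & C else " ") + " "
    return [r.rstrip() for r in rows]

if __name__ == "__main__":
    for word in ("CLUE", "MIX", "8"):
        print("\n".join(render(word)))
        print("missing:", missing_glyphs(word))
```

Because lookup falls back to the other case, 'y' and 'Y' share a glyph just as the Deluge font collapses cases; the bitmask representation is also exactly what you would write into a display driver's segment register, which is why the same table doubles as a check of how many LEDs a character draws current through.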

Yes, there are other 'seven segment' fonts, but this one has an electronic music connection, and is pretty distinctive, so it has huge appeal to me for use in puzzles. Curiously, some of the alternatives cheat by using more than seven segments!

---

If you find my writing helpful, informative or entertaining, then please consider visiting the following  link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):





Friday, 12 November 2021

Numbers that don't exist...

The images and sounds that you see and hear in movies and on the television are carefully crafted, constructed, produced... and more. Clothes might be 'product placement', but they might also be custom made so that they look kind of like famous brands, but aren't - which means that showing them on screen isn't advertising, and it isn't trademark, logo or brand infringement. Music might be re-recorded so that it sounds very similar to the real thing, but again, is merely very close - the BBC's Top Gear 'classic' theme tune is just one example. It might sound like 'Jessica' by the Allman Brothers, but actually it is a cover version, or a re-recording, and as it turns out, there are several versions that all sound like it.

Then there are Search Engines on computer screens, which again, look 'almost familiar'...  And URLs... And Operating Systems... This 'nothing you see or hear is real' extends to a whole set of logos, brands, advertising and all sorts of other things which can be covered by copyrights, trademarks, etc. It's a complicated business, and there are people whose job it is to make sure that all of these are thought about - in advance. (Which is, of course, also what Security people do!)

Then there are things that you might be surprised about, like... numbers.

Photo by Claudio Schwarz on Unsplash

Telephone Numbers

Whenever a movie or a television programme uses a telephone number, there will inevitably be some people in the audience who will dial that number. 'Just to see what happens!' is the usual thing that people say when they do this. So, for a popular programme, even a small percentage of 'Let's see...' people trying to dial the number could potentially cause a large shift in the use of the telephone network, or the Internet, or the Mobile/Cell telephone network, and could potentially cause something broadly similar to a Denial of Service (DoS) attack...

So, broadcasting numbers in movies and television can be considered to be a security issue. DoS attacks are just one facet of the problem, though. Can you imagine the legal problems if the telephone number happened to be the actual number of a real person or company? Suddenly it has become a privacy problem, or a data breach... But how do you find a number that is guaranteed not to ring someone's phone? Just making up a number at random could easily be a real 'live' number - someone's number!

As it happens, such numbers do exist. In the UK, OFCOM, the telecommunications regulator, maintains and publishes a list of numbers that can be used in movies, television, radio, etc. Here is one set.  

One security-related application of numbers like this is when you are required to give a telephone number as part of a registration process. If you don't want to give your real telephone number, perhaps because of privacy concerns, then using a number that doesn't exist (and is more or less guaranteed to stay like that) seems like a good alternative.

Photo by Ryan Born on Unsplash

Test Numbers and Letters

Another number that you might see on screen (or in photographs for advertising) is the credit card, and this time, the reasoning behind not using someone's real number is kind of obvious - and once again, it is a security concern. But how do you test computer systems that use credit cards for making purchases? Do developers use their own personal credit card numbers? Maybe there are special 'test' credit card numbers as well? There are! Here are just some.

Credit card numbers include a check digit that indicates whether the number has been copied correctly. This is so that when quoted over the telephone, or online, they can be immediately validated, before anything is sent to the card network. Many other similar numbers (or lists of numbers and letters) also have built-in checks.
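The check digit on payment card numbers is computed with the Luhn algorithm (specified in ISO/IEC 7812), which the post does not name but which is what makes 'test' card numbers validate in a form without belonging to anyone. As an added example, not code from the post, here is the scheme in full: the weighted sum, validation, and computing the digit to append to a partial number. The 4111 1111 1111 1111 value is a widely published test number; the other numbers are constructed here.

```python
# Added example: the Luhn check digit used on payment card numbers (ISO/IEC 7812).
# Not code from the post. 4111 1111 1111 1111 is a widely published test number;
# the 1234567890123452 family of values is constructed for this demonstration.

def luhn_sum(digits):
    """Luhn weighted sum of a digit string, processed from the right.
    Every second digit, starting with the one immediately left of the check digit,
    is doubled; a doubled value above 9 has 9 subtracted (same as adding its two digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total

def luhn_valid(number):
    """True when number (digits, spaces allowed) carries a correct Luhn check digit.
    A valid checksum says the digits were copied correctly; it says nothing about
    whether the account exists, which is exactly why test numbers can pass."""
    digits = number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0

def luhn_check_digit(partial):
    """Compute the digit to append to partial so that the result passes luhn_valid.
    Appending a placeholder 0 puts partial's digits in their final positions, so
    the needed digit is whatever lifts the sum to the next multiple of 10."""
    if not partial.isdigit():
        raise ValueError("digits only")
    remainder = luhn_sum(partial + "0") % 10
    return str((10 - remainder) % 10)

if __name__ == "__main__":
    body = "123456789012345"                       # constructed 15-digit body
    full = body + luhn_check_digit(body)
    print(full, luhn_valid(full))                  # 1234567890123452 True
    print(luhn_valid("4111 1111 1111 1111"))       # published test number: True
    print(luhn_valid("2134567890123452"))          # adjacent digits swapped: False
```

Luhn detects every single-digit error and almost every transposition of two adjacent digits (09 and 90 are the exception), which is what matters for a number read out over the telephone; it is a copy check, not an authenticity check, so passing it is neither proof that a card is real nor a secret.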

Once you get into this mind-set, then all sorts of other numbers pop up. How about street numbers that don't actually exist for a road? How about non-existent Post Codes, Zip Codes, or other postal coding systems? UK Post Codes are interesting, because there's an online way of checking if they are valid, so you cannot use a 'test' or 'unissued' one, because they are invalid. UK Post Codes can be quite specific about the addresses they cover, and so they give away lots of information about the location. Once you start mixing numbers and letters, then just about every method of providing a 'unique' identifier probably has an in-built (and online) way of verifying if it exists, and this may deliberately prevent any generic, test, or anonymous identifiers. 

Predefined List

UK Post Codes lead to another interesting aspect of validation of numbers or letters by software. One of the security-driven responses to web-forms that have text fields in them is to restrict what can be entered: (A-Z, a-z, 0-9), for example. But another approach is to pre-define the contents to a list. So for Post Codes, you might have a pop-up menu that requires the selection of the first letter at the start of the Post Code. There are a limited number of possible entries (A to Z...), so selection is relatively easy/quick, and so if you live in Manchester, you would select 'M'. But you can't enter anything else, other than those that are shown. (Some letters are not used to start UK Post Codes: X and Q are two examples...). So this forces you to enter a real letter for a real location - there is no way to enter a generic or non-existent location.

So a security fix (stopping people typing any text into a field) turns into a privacy problem where only a specific entry can be made. This can happen with telephone numbers, where the number is checked and rejected if it is found to be 'invalid'. This sounds okay, until you try to enter international numbers... If the text field is limited to just the digits 0 to 9, then how do you add the International Dialing Prefix ('44' for the UK, for example)? The usual convention is to add a + symbol, then the prefix, 44, and then the number, but omitting any leading zero. Except that if you can't enter the '+', then the number starts with 44, and this is going to be automatically rejected by any validation code that knows that telephone numbers always start with '0' (zero).
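The two validators described above, side by side, as an added example that is not code from the post: the strict digits-only, leading-zero check that locks out every international caller, and a normaliser that accepts the '+' and '00' forms and refuses to guess when the '+' has been stripped. The sample numbers are constructed; the UK ones use the 020 7946 0xxx range that Ofcom reserves for drama use (a known fact, not from the post), and the US one uses the fictional 555-01xx block, so none of them rings a real subscriber.

```python
import re

# Added example: the two validators contrasted in the post. Neither is code from
# the blog. Telephone numbers below are constructed from ranges reserved for
# fiction (Ofcom's 020 7946 0xxx; NANP 555-01xx), so they cannot reach anyone.

# The strict validator many web forms use: digits only, must start with 0.
UK_NATIONAL = re.compile(r"0\d{9,10}")

def strict_uk_only(field):
    """The validator the post describes: accepts only a leading-zero UK national
    number, and so rejects every international format, '+' or not."""
    return UK_NATIONAL.fullmatch(field) is not None

def to_e164(raw, default_country_code="44"):
    """Normalise a user-entered number to E.164 ('+' followed by up to 15 digits).
    Accepts: '+44 20 7946 0123'   international with '+'
             '0044 20 7946 0123'  international with the 00 exit prefix
             '020 7946 0123'      national; leading 0 replaced by default_country_code
    Returns None for anything else instead of guessing: '442079460123' with its
    '+' stripped is ambiguous (a UK number, or a national number somewhere else?)
    and must not be silently accepted as either."""
    s = re.sub(r"[\s().-]", "", raw)
    if s.startswith("00"):
        s = "+" + s[2:]
    if s.startswith("+"):
        digits = s[1:]
    elif s.startswith("0"):
        digits = default_country_code + s[1:]
    else:
        return None
    # E.164: digits only, country code never starts with 0, at most 15 digits.
    if not digits.isdigit() or not 8 <= len(digits) <= 15 or digits[0] == "0":
        return None
    return "+" + digits

if __name__ == "__main__":
    for entry in ("020 7946 0123", "+44 20 7946 0123", "442079460123", "+1 (202) 555-0142"):
        print(f"{entry!r:22} strict={strict_uk_only(entry)!s:5} e164={to_e164(entry)}")
```

The point of the normaliser is that the safety property (a bounded, digits-only value reaches the back end) is preserved, but the restriction is applied after interpreting the input rather than before, so a privacy-preserving or foreign number is not rejected simply for containing a '+'.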

The Security/Privacy/Validation Dilemma

Which leads to a difficult area of software design. How do you make software that can interact with people, but which is security-conscious (choosing from a pre-defined list is preferred to a text field that will accept a limited set of characters), which allows anonymity or privacy (not filling in your middle name, your age, your gender...), but which can also be validated to check that you have not put in an incorrect response by accident/mistake/deliberately? This is not an easy triangle to navigate...

Just one emerging example. Before the pandemic, cash was a way of paying for something anonymously. Post-Covid, cash has become much less acceptable, and 'electronic' or 'contactless' payment methods have become much more the 'norm'. But are the payments then anonymous?

Is the future a world where the need for security and validation of data outweighs personal privacy? Has privacy always been an illusion anyway? 

(And why do some people spell 'dilemma' as 'dilemna', and insist that they were taught that way at school?)  

---


Wednesday, 3 November 2021

Hardwear.IO Netherlands 2021 Badge Puzzle

Attendees at the Hardwear.IO Netherlands 2021 security conference got a plastic badge with a puzzle on it... Yep, another of my puzzles - or, maybe, two of my puzzles:


Obfuscation is the art of hiding things in plain sight. QR codes are one example - they are a way of obscuring a URL from being read too easily. Of course, if you don't know what they are, then they might appear to be 'magic' or 'secure' in some way. Some obfuscation is so entrenched that it can appear to be 'obvious' - ASCII codes for letters and numbers, for example. Unless, that is, you were raised when EBCDIC was the standard...

Puzzles are logical obfuscations, where the obscuring process can be undone...

The orange plastic makes it quite hard to see some of the numbers, so here's the original diagram:


The idea here was to have as few instructions as possible. The big arrow indicates that there is a left-to-right flow, and presumably the answers go in the boxes on the right. 

As a puzzle creator, one good starting point is to provide clues to how to find the answer, and to make the clues obvious, but not too obvious. So rather than just give you the solution up front, here are a few hints, and if you keep scrolling, then you will find the solution...

Hints


The second box on the lower row looks like 'NL' and so is presumably a clue to the conference being in the Netherlands - which attendees will already know, of course! But what it actually is doing is showing that there is something significant in the strokes used to make the N and the L shapes. 

The box directly above it on the top row is also a clue, but for a different reason. There are 23 question marks, plus an 'A' and a '1'. At first glance, the A and the 1 are almost invisible because of the visual clutter. 

The first boxes on the left contain two very different contents - deliberately. The top box has a 5x5 grid of two digit numbers, and the next box along to the right also has a 5x5 grid... The lower box has 6 rows, and the length varies from 3 to 6 characters. 

And there's that big arrow pointing from left to right... but also pointing to some smaller arrows connecting the two final boxes on the right. Maybe the contents of those boxes are similar in some way?

The top row has a box with just arrows inside it, which could indicate a path of some sort... There are 5 rows again in this box.

The lower row has a 6x11 box with just 1s and 0s. 11 digits is unusual for binary numbers, so interpreting the first one as 0b00010000101000 (and so on) might not be the right approach. Is there another use that an array of 1s and 0s might be put to? Could it be an image mask of some sort? My puzzles tend to be based on hardware (sometimes with software) and so there's often a 70s or 80s bias to my metaphors.

The top row does have a box that looks like a raster scan - and it is directly above the 6x11 masking box. Could this be a clue as well? 

The left-most box on the top row contains two digit numbers. Many of my puzzles contain ASCII and other codings for numbers. So what sort of tests could you apply to numbers to see if they are ASCII encoded versions of text? If you were investigating a piece of real hardware, looking for how it stored data, especially if it wanted to have some security for the data, would it always be in an ASCII encoded form? 

My puzzles are intended to be educational, particularly for people who want to find out how hardware and security are intermingled in the real world. Knowing how to spot ASCII-encoded characters can often be a good starting point to working out where strings are stored in memory. Knowing that blocks of high entropy data might well be encryption keys is another useful piece of information to have in your mind. And how could high entropy data be hidden? How do you remove entropy so that it isn't as obvious? Could the 6x11 grid of 1s and 0s be doing something with entropy? 

Cryptographers tend to break text into blocks of 5 characters, and the left hand box on the lower row deliberately has between 3 and 6 characters in the rows - and none of the rows has 5 characters! This is not accidental...

The first thing that you tend to see in the puzzle is the big arrow from left to right. There's a circle at the start, so is this meant to be a vector? A pointer? A direction indicator? 

Finally, there are two small dots in the right hand 'empty' boxes. In the diagram above these are shown in black. This might be an additional clue... Almost nothing in my puzzles is there by accident.

The Solutions


If you are still reading, then you might well be

looking

for

the 

solution.

So,

I

will

try 

to 

make

sure

that

you 

don't

see

the

answer

by

accident.

Top Row


The left hand box on the top row contains two digit numbers. They aren't ASCII-encoded numbers because the letters and numbers in ASCII are from 30 to 122 (decimal). Values below 30 are control characters from the days of teletypes, typewriters, and very slow asynchronous serial communications. Numbers from 97 upwards are lower case letters (a-z) and cryptographers always tend to use capital letters (in blocks of 5, remember?). SOTHE YPROB ABLYA RENOT ENCOD EDINA SCII!

Did you notice that all of the spaces were removed from the blocks of 5 characters? Old-school 'Enigma'-style cryptographers left out the spaces between words as well. You know how people always say that 'E' is the most used letter in the English language? Well, if you look at ASCII-encoded text, then usually the most commonly occurring number is not 69 (E) or 101 (e), but 32 - which is the 'space' character. Some of my puzzles deliberately leave the spaces in - as a clue that the text is ASCII encoded! 

If not ASCII, then what? The second box from the left on the top row might be a clue. In amongst the question marks, there are two characters: an A and a 1. The 'A' seems to correspond with the 01 in the 5x5 grid in the first box on the top row, whilst the '1' seems to be associated with the 28. In ASCII, the numbers start with zero (coding-style) at 48, and go to '9' at 57. So what might be the simplest way of arranging the capital letters of the alphabet (A to Z), plus the number digits from 0-9? Well, it might start at 0, go to 9, then A, then on to Z. But an index where 01 means zero seems like it is making things a bit obvious, especially when 02 means 1, 03 means 2 and so on. This would mean that dates would be in the form <02-32>/<02-13>/<...and 3132 for the current year>, which might be a give-away after a while...

So, to be contrary to the way that ASCII works, how about putting the numbers after the letters? So 01 is A, through to 26 for Z, and then 27 for Zero, and 28 for 1. And there you have it - one of several ways of arranging the letters and numbers so that they can be indexed with a two-digit number! 
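Pulling together the tests suggested above (is a block of numbers ASCII text? is it high-entropy key material?) and the letters-then-digits index just described, here is an added example that is not code from the post: a printable-range and space-frequency profile, a Shannon entropy measure, and an encoder/decoder for the 01=A ... 26=Z, 27=0 ... 36=9 index. The sample values are constructed for the demonstration.

```python
import math
from collections import Counter

# Added example, not code from the post: quick tests to run over a block of
# numbers recovered from a device, plus the letters-then-digits index the
# puzzle uses. Sample values are constructed for this demonstration.

def ascii_profile(values):
    """Two indicators that a sequence of byte values is ASCII text: the fraction
    in the printable range 32..126, and whether the single most common value is
    32 (space), usually the most frequent byte in English text that kept its
    word spacing. Text with spaces stripped, as in 5-letter cipher groups, fails
    the second test even when it passes the first."""
    values = list(values)
    if not values:
        return 0.0, False
    printable = sum(32 <= v <= 126 for v in values) / len(values)
    most_common_value, _ = Counter(values).most_common(1)[0]
    return printable, most_common_value == 32

def shannon_entropy(values):
    """Shannon entropy in bits per symbol: 0.0 for a constant block, 8.0 for
    uniformly distributed bytes. Keys, compressed and encrypted data sit near
    the top of that range; text and indexed letters sit well below it."""
    values = list(values)
    if not values:
        return 0.0
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())

# The puzzle's index: 01..26 are A..Z, then 27..36 are the digits 0..9.
INDEX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def decode_index(values):
    """Map two-digit index values back to characters; anything outside 01..36 is an error."""
    out = []
    for v in values:
        if not 1 <= v <= len(INDEX_ALPHABET):
            raise ValueError(f"{v:02d} is outside the 01..36 index")
        out.append(INDEX_ALPHABET[v - 1])
    return "".join(out)

def encode_index(text):
    """Inverse of decode_index; lower case is folded to upper, as the puzzle has no lower case."""
    return [INDEX_ALPHABET.index(ch) + 1 for ch in text.upper()]

if __name__ == "__main__":
    puzzle_values = encode_index("HARDWEAR")      # constructed: [8, 1, 18, 4, 23, 5, 1, 18]
    print(puzzle_values, ascii_profile(puzzle_values))   # (0.0, False): not ASCII text
    print(decode_index(puzzle_values))             # HARDWEAR
    text = b"the quick brown fox jumps over the lazy dog"
    print(ascii_profile(text), round(shannon_entropy(text), 2))
    print(round(shannon_entropy(bytes(range(256))), 2))  # 8.0: every byte value equally likely
```

Run over a memory dump in fixed-size windows, the entropy function is the usual first pass for locating keys or encrypted regions, and the ASCII profile is the first pass for locating strings; the index decoder is the kind of small, guessable substitution that a low-entropy but non-ASCII block often turns out to be.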

If you substitute the indexed letters and numbers using this mapping, then how do you put them into the final box on the right? Many of my puzzles try to get away from the left to right, top to bottom convention that native English handwriting and typing normally follows (But note that the value of the digits in numbers increases from RIGHT to LEFT!) and use other conventions instead. Japanese and Chinese are particularly interesting here, because although they can be written from left to right, top to bottom, they can also be written top to bottom, right to left... I have often used spirals to try and hide the sequence of letters from a casual inspection, of which more later...

So the 'raster' 'third from the left' top box might be interpreted as a set of vectors, showing how the decoded characters are arranged. If you do this, then the purpose of the black dot will become apparent - it is the 'dot' in Hardwear.IO...

Lower Row


The lower row starts on the left hand side with the 6 rows of 3 to 6 characters, and NO 5 character rows at all. The characters are a mixture of letters and numbers, and so it might be that the plaintext is 'hidden in plain sight', which would be a terrible pun, but exactly the sort of cheeky misdirection that I often include in my puzzles. The box on the second left in the lower row contains another 'raster' diagram, which actually looks like 'NL' spelt out in vectors. But it isn't immediately obvious what the vectors mean...

The third box from the left on the lower row is the 6x11 set of what look like binary numbers, except that they are 11 digits long, which is unusual for binary. If you are thinking 'misdirection' at this point, then you would be completely correct. Thinking of old raster based visual displays, then one of the common techniques used to process images on the screen was to use 'masks' that determined if a pixel in the image would be displayed in the raster, and thus on the screen. So the first, second and third boxes from the left on the top row are actually clues to this being a 'raster'-influenced puzzle...

The third box from the left on the lower row is indeed a mask. It is actually just the second box from the left on the lower row, but mapped onto a 6x11 'raster' or grid. The ones and zeroes do not mean 1 and zero - the 1s are place-holders for the characters that will be displayed, and show where they will be placed on the screen. So the three boxes from the left on the lower row are all indicating the same thing - how the characters in the first box are placed in the final box on the right. 

If you take the NL vector diagram from the second box on the left on the lower row, and use it to 'parse' the characters in the first box from the left on the lower row, and place them in the right hand box according to the mask (using just the 1s), then you get: 'HARDWE' reading upwards from top to bottom as you follow the upwards vector on the first stroke of the 'N'. As you continue, it spells out a slightly different order of the parts that made up the contents of the top, right hand box - and this is what those twisty arrows connecting the two right hand boxes indicate - the contents are not exactly the same in their layout.
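The mask step on its own, as an added example that is not the puzzle's own solution: characters are written into the cells where the mask has a 1, and read back the same way. The puzzle orders the characters along the strokes of its 'NL' vector diagram; this simplified version uses plain row-major order, and the 3x6 mask and the text are constructed for illustration.

```python
# Added example, not the puzzle's own solution: placing a character string into
# a grid using a 1/0 mask, and reading it back. The puzzle orders characters
# along the strokes of its 'NL' vector diagram; this simplified version uses
# row-major order. The mask and text below are constructed for illustration.

def place_by_mask(chars, mask_rows, blank=" "):
    """Write chars, in order, into the cells where mask_rows has a '1'; every '0'
    cell gets blank. Returns (grid_rows, leftover_chars). A mask with more 1s than
    there are characters is an error rather than a silently padded grid."""
    grid = []
    pos = 0
    for row in mask_rows:
        cells = []
        for bit in row:
            if bit == "1":
                if pos >= len(chars):
                    raise ValueError("mask has more 1s than there are characters")
                cells.append(chars[pos])
                pos += 1
            elif bit == "0":
                cells.append(blank)
            else:
                raise ValueError(f"mask cells must be 0 or 1, got {bit!r}")
        grid.append("".join(cells))
    return grid, chars[pos:]

def extract_by_mask(grid_rows, mask_rows):
    """The inverse: read the characters under the '1' cells, row by row."""
    out = []
    for grid_row, mask_row in zip(grid_rows, mask_rows):
        out.extend(ch for ch, bit in zip(grid_row, mask_row) if bit == "1")
    return "".join(out)

def ones_in_mask(mask_rows):
    """How many characters the mask will consume: the count to check before placing."""
    return sum(row.count("1") for row in mask_rows)

MASK = ["101010", "111111", "000100"]   # constructed 3x6 mask with ten 1s

if __name__ == "__main__":
    grid, leftover = place_by_mask("HARDWEARIO", MASK)
    print("\n".join(grid))
    print("leftover:", repr(leftover), "read back:", extract_by_mask(grid, MASK))
```

The 1s carry no numeric value at all, which is the misdirection the post describes: the mask is a layout, and counting its 1s against the length of the text is the quickest way to confirm that a grid of bits is being used this way rather than as numbers.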

The Solution


Which brings us to the solution:


The solution is thus either:

Hardwear.IO Netherlands 2021 (in all Capitals)

or

Hardwear.IO2021 Netherlands (again in all Capitals)

But, why are they different? To see why, take the top row solution and apply it to the reverse of the process used for the lower row. The bottom row of the contents of the left hand box will end up like this:

HN2021

Which kind of gives away too much...

For the reason behind that, think about how the puzzle was designed. The top row was done first, then the lower row. When the problem was noticed, then the top row could have been reworked, but it was already done, and so I took the easy way out - I used the twisty arrows to indicate that the contents of the two right hand boxes were similar, not the same. And this is exactly what happens in real-world hardware and software - unexpected problems can arise after a lot of work has been done, and the quickest fix is often not ideal. 

So one of the 'tools' that should be in the hardware (or software) reverse engineer's toolbox is the 'unexpected consequences often get fixed very badly' thought. Do you really change the whole design because of a minor mistake and do a total rework, or do you find a smart, quick fix that might compromise some of the security - but who is ever going to find it? Just about every project that I have ever seen will go for the easy fix, not the total rework. And that's one way that vulnerabilities get into hardware - or software. 

In a single puzzle, you have learnt about non-ASCII encoding, how to find ASCII encoding, how to vectorise and mask matrices, and the consequences of not going back and properly fixing mistakes that were unforeseen. This wasn't puzzle solving - it was actually training!

Thanks to Hardwear.IO for their support, and for using my puzzles!

To save you time, searching for more of my puzzles - there's a list here and another puzzle here

---


Sunday, 11 July 2021

Hardwear.IO USA 2021 Wall Challenge Extras

Photo by Yogendra Singh on Unsplash

OK, so it may have been a bit difficult to solve this time...

The Wall Challenge that I produced for the Hardwear.IO USA 2021 hardware security conference was a little different to previous puzzles. I've always been a fan of the 'metapuzzle', where everything is interlinked. Cliff Johnson's 'Fool's Errand' is a very refined version of a metapuzzle...

So the Wall Challenge was all about a defective printer, and why it was incorrectly printing the virtual badges for an online conference. As always, the premise is just window-dressing. The intended purpose of a Wall Challenge, as I have said many times before, is training people in security hacking:

How to solve unfamiliar puzzles

Which is why the instructions are often sparse, and the setting is unusual. One way of thinking about it is to imagine the total opposite of a 'Capture The Flag' (CTF) contest, where the setting, purpose, methodology, approach to solving (and more) are all known beforehand, are well understood, and are familiar. In contrast, the best indicator of a high quality Wall Challenge is when people say: 'I haven't seen a puzzle like this before - how do I solve it?' 

Which is why previous Wall Challenges have used underlying mechanisms like resistor colour codes, flags, a CNC machine-engraved plastic conference badge, and more. So what could the theme be for a conference held in the United STATES of America?

Resources

Just as in security, doing the background research is important. In this case, two main resources were used:

https://www.ssa.gov/international/coc-docs/states.html

https://en.wikipedia.org/wiki/United_States (and the pages for individual states...)

Two other implied resources were used, although it was assumed that most conference attendees would be familiar enough with them:

Printers

Conference Badges

This assumption is important, because it means that explanations of how they work, what they do, etc. are not required. 

Finally, two essential online resources for readers of this blog - two YouTube videos:

Questions Only (recommended starting place)

Questions and the Answers (for later...)

Discord

In a real conference, Wall Challenges are sheets of A4 paper, blu-tacked to the wall around the venue. People can see them, they can talk to others about them, and the physical act of standing in front of one, brow furrowed, trying to figure it out, is one of the most effective pieces of advertising known to human beings. Especially for motivated problem-solvers like the people at a hardware security hacking conference!

At a virtual conference, an online equivalent is required. The one that is used at Hardwear.IO conferences is Discord - there are other software applications with a similar feature set, but Discord is particularly well-evolved, and is my personal favourite of this type of team messaging application.

In a virtual/online conference, Discord is where the challenges are posted/published. It is also where people chat, discuss, and generally engage in discourse about the challenges - a total analogue of people standing around in front of sheets of paper stuck on the wall... It is also where hints and clues can appear. Here are some from the USA 2021 conference (and others):

(For newbies:)

How to start? Read everything - there are clues everywhere. Try looking for the differences between the cards.

The whole experience is meant to be an analogue of the real hardware hacking experience: You have no idea what is going on inside the hardware, but you can see some external effects...

(Hints for those struggling:)

Is any information missing on the cards?

Everything is a clue... Read the introduction, and everything in the challenge pictures...

Don't know where to start? Look for what should be on the cards. Are there any clues in any of the pictures?

suppose the printer can't fit any more than two red characters into the space... what does it do?

what if the red characters in challenge 1 were the beginning and ending of two words?

the red characters on the left are important!

(Sometimes the hints are themselves clues:)

so what makes the cards in the 2nd challenge different to the 1st challenge?

why is all the printing on the badges in capital letters? could this be important?

is there a typo in challenge 1? shouldn't it be 'HardWear.IO'? what is the abbreviation?

what is going on in the set of red characters in challenge 1?

(Sometimes the hints just repeat what is in the picture, to make it more obvious:)

Ha! - no, I know there isn't a web-site for American Wave Ascenders, Inc.

"...a total state of confusion..." (it's a clue!)

(Associated concepts:)

Georg Cantor

(Responses and clarifications to email queries:)

none of the hardwear.io staff were from spokane! (the printer is confused!)

(Additional clues when people are really struggling:)

the answer to challenge 1 is two US states. the answers to challenges 2 to 6 are one US state in each case...

to solve challenge 7 it helps if you have some of the answers to 1 to 6...

---

Thanks to everyone who participated in the Wall Challenge. It seems that this one was more difficult to solve than I thought. Sometimes the pre-testing doesn't give a good indication of reality...

Oh, and grateful and sincere thanks to Unsplash, who provide me with excellent, nicely-themed photos for several blogs! And they can do the same for you...

Photo by James on Unsplash

---


Monday, 22 March 2021

A Strange Way To Advertise...

Apart from security, I also dabble in electronic music, and I write a blog on that topic... 

Today, I got an email from a company, asking me if I could 'collaborate' with them by posting something containing a link to an account on a well-known music software company's forum, asking if I was willing to 'work with them' to promote their client, and asking me to make them an 'offer' for this activity. 

So they were asking me to post something like:

"Hey, I know this has nothing to do with electronic music, but this web-site <URL> is wonderful!"

Needless to say, the client is nothing to do with music, and I simply don't do this type of thing, ever. This is SEO/Advertising gone wrong, in my opinion, and I will have nothing whatsoever to do with any company that does this type of promotional activity.

- - - 

Photo of a decommissioned nuclear missile launch control panel by Jeremy Straub (https://unsplash.com/@jeremystraub) on Unsplash

I have always been intrigued by one of the common 'security' themes that happens in blockbuster movies all the time - the evil bad-person is trying to destroy the planet, and the 'security' people who work for the bad-person are quite willing to assist in making this happen, often going above and beyond what could reasonably be expected, even though this will kill the bad-person, them, their families, the people they know, and absolutely everyone else.

I have always wondered what possible reward could be motivating these people. It can't be money, because they will be dead. It can't be fame, because everyone will be dead. It can't be loyalty, because the bad-person is going to die as well. It can't be immortality, because they and everyone else will be dead. It can't be notoriety, because apart from some debris (and everyone being dead), there's no way that any visitor from outside the solar system will have any interest in the remains of a planet. 

When I say 'willing to help' the bad-person, this usually involves defending them robustly, with weapons, technology, computers, etc. Often this requires dedication, persistence, intelligence, determination, loyalty, and more... And these security people are only rewarded with their own deaths, often by their own hands... 

In some scenarios, the script-writers increase the seriousness by having the bad-person wanting to destroy the whole universe - that's everything! I find it even harder to envisage any possible way to motivate people to help with that. 

I'm obviously not meant to be a security person in a blockbuster movie...

- - - 

If you find my writing helpful, informative or entertaining, then please consider visiting the following links for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):


Synthesizerwriter's Store
 (New 'Modular thinking' designs now available!)

Monday, 15 March 2021

A Circular Reference:

A friend of a friend told me that they know someone who created a QR code that logged into the QR code generator web-site that they had an account on, so they could save time creating the specially formatted QR codes with the corporate logo, that they placed in all the company publicity and marketing material...  

QR Code for this page
(QR codes are just URLs. But as a general rule, anything that stores a 'login' (User ID, Password) is not a good idea, and is a Security Risk. If it gets into the wild (and QR codes are easy to send...) then it would become a Security Threat...)

And if you ever wondered what happens if you invert the colours on a QR code... 

(Does this tell you something about how the QR code is encoded / decoded?)


A Poor Reference:

'A friend of a friend told me that they know someone...' is an example of an unreliable InterWeb 'reference' that is either intended as obfuscation (as in this case), humour (perhaps in this case), indirection (maybe the source doesn't want to be revealed), or even seriously (seriously?) as a reference. In almost all cases, this type of phrase contains so many levels of indirection that it isn't really a reference at all.  

But not all poor references are as easy to spot as this one. If you see a reference with a URL, do you check the URL? Would you even pause to check the URL itself before clicking on it? Is this a way of getting normally savvy people who never click on links in e-mails to break their own rules? Is indirection or obfuscation a potential problem because the actual link content is hidden? Surely a shortcut just makes things easier...  And of course, QR codes can sometimes be regarded as more than what they appear to be, because they do have a hidden feature - they are innocuous-looking shortcuts that might bypass safeguards... Luckily, they won't ever be used by phishers, friends of phishers, and friends of friends of phishers*. Never. Ever.

In the wild, have you ever noticed how posters with QR codes often have stickers over the QR code, with another QR code on them? Presumably this is to fix an error in the printing, or an update, or can you think of another reason?

* This statement may not be true.
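The two points above, that a QR code usually carries a URL which may have a stored login inside it, and that the URL behind a code is worth looking at before it is followed, can be turned into a small check on the scanner side. The Python below is an added example written for this post, not code from the original page; it assumes the payload string has already been read from the code by a QR reader, and it works on constructed sample payloads. It goes slightly beyond the post by also handling a Wi-Fi provisioning payload, because QR codes can in practice hold arbitrary text and not only URLs. The `CREDENTIAL_KEYS` and `SHORTENER_HOSTS` sets are illustrative, not exhaustive.

```python
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample payloads, as a QR reader would hand them back.
SAMPLE_PAYLOADS = [
    "https://qrgen.example/login?user=marketing&password=Spring2021",  # login in query
    "https://marketing:Spring2021@qrgen.example/dashboard",            # login in userinfo
    "http://bit.example/3xYz",                                         # plain http + shortener
    "https://www.example.com/brochure.pdf",                            # ordinary link
    "WIFI:T:WPA;S:OfficeGuest;P:letmein;;",                            # Wi-Fi key in clear
]

# Query keys that commonly carry something a QR code should not be storing.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "token",
                   "apikey", "api_key", "secret", "session", "sessionid"}

# Illustrative shortener hosts (constructed for this example).
SHORTENER_HOSTS = {"bit.example", "short.example"}

REDACTED = "REDACTED"


def inspect_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list the things a reader should notice
    before following it.  Returns {'kind', 'host', 'findings'}; an empty
    findings list means nothing flagged, not that the link is safe."""
    parts = urlsplit(payload.strip())
    findings = []

    if parts.scheme == "wifi":
        # Wi-Fi provisioning payloads carry the network key in clear text.
        if re.search(r";P:[^;]*", parts.path, re.IGNORECASE):
            findings.append("embedded-wifi-password")
        return {"kind": "wifi", "host": None, "findings": findings}

    if parts.scheme not in ("http", "https"):
        return {"kind": "other", "host": None, "findings": ["not-a-web-url"]}

    if parts.username or parts.password:
        findings.append("credentials-in-userinfo")
    query = parse_qs(parts.query, keep_blank_values=True)
    if any(key.lower() in CREDENTIAL_KEYS for key in query):
        findings.append("credentials-in-query")
    if parts.scheme == "http":
        findings.append("plaintext-http")
    if parts.hostname in SHORTENER_HOSTS:
        # The real destination is hidden behind a redirect; the host shown
        # here is the shortener, not where the user will end up.
        findings.append("shortened-link")

    return {"kind": "url", "host": parts.hostname, "findings": findings}


def redact(payload: str) -> str:
    """Return a copy of the payload that is safe to log or report: any
    credential values are replaced, the rest of the structure is kept."""
    parts = urlsplit(payload.strip())
    if parts.scheme == "wifi":
        return re.sub(r"(?i)(;P:)[^;]*", r"\1" + REDACTED, payload.strip())
    if parts.scheme not in ("http", "https"):
        return payload
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username or parts.password:
        netloc = f"{REDACTED}:{REDACTED}@" + netloc
    query = [(k, REDACTED if k.lower() in CREDENTIAL_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query), parts.fragment))


def is_risky(payload: str) -> bool:
    """True when the payload stores a login, hides its destination, or is not
    a plain web link, i.e. when a reader should pause rather than follow it."""
    return bool(inspect_payload(payload)["findings"])


if __name__ == "__main__":
    for sample in SAMPLE_PAYLOADS:
        report = inspect_payload(sample)
        print(f"{report['kind']:5} {str(report['host']):22} "
              f"{', '.join(report['findings']) or 'nothing flagged':35} {redact(sample)}")
```

The report prints the redacted form rather than the raw payload, so a log of scanned codes does not itself become a second copy of the stored login. The check is deliberately local: it never fetches the URL, so a shortened link is flagged as "destination hidden" rather than being followed to find out where it goes.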

- - - 

If you find my writing helpful, informative or entertaining, then please consider visiting the following links for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):


Synthesizerwriter's Store
 (New 'Modular thinking' designs now available!)

Tuesday, 2 February 2021

Visual metaphors for IT security...

In a world where photos on mobile phones are a way of getting people's attention, what are the visual metaphors for IT/cyber security? 

Locks, safes, Matrix-style 'dropping' green characters, and various cyber-punk staples are all very well-worn cliches. One way of surveying what is 'out there' is to look at an online photo resource. Here's an example of what Unsplash.com came up with from a search for 'computer security':

Photo by Cookie the Pom on Unsplash

Well, it got my attention!

All of which got me thinking, and I'm now thinking about gathering some photos that shout 'IT security' or 'Cyber security' more to me! Watch this space...

---

If you find my writing helpful, informative or entertaining, then please consider visiting the following links for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):


Synthesizerwriter's Store
 (New 'Modular thinking' designs now available!)


NULLCON 12, Berlin, April 2022

Here's the badge that I designed for the NULLCON 2022 Berlin security conference (and highly recommended training!).  The NULLCON 2022 b...