Saturday 13 November 2021

Obfuscation for puzzles...

Obfuscation, the art of hiding things in plain sight, is a key part of designing puzzles. Here's one useful example that is much more complex than it might at first appear to be...

Photo by Vishnu Mohanan on Unsplash

Seven Segment Displays

In the 21st Century, LCDs, OLEDs and all sorts of other sophisticated display technologies make it increasingly easy to provide alphanumeric (or beyond) indications to users. But some older display technologies still get used, for any number of reasons - from nostalgia to retro-design to simply saving space to pure perversity, and more.

One such display (nostalgia, not perversity) is the 'Seven Segment' display. Seven LEDs arranged in a figure of '8' shape, which can display all of the numbers from 0 to 9 by turning on some of the LEDs, or all of them for an '8'. The number '8' is a special number in some cultures, and in electronics, displaying the number '8' causes the highest current consumption in seven segment displays!

But seven segment displays can also display more than just the numbers - and this ignores the decimal point or full stop or period LED that is sometimes available to the left or right of the seven LED segments. With a little imagination, the '5' could be a capital (upper case) 'S', the '0' could be a capital 'O', and so on. Requiring more stretching of the imagination, the '9' might be a raised 'g', the '2' might be a capital 'Z'... Just by using those seven segments as raw source material, then many other letters can be produced: capital letters like 'U' and 'P' and 'C', for example. Lower case letters like 't' and 'o' and 'b' and 'd' are okay, but some letters are more challenging. A capital 'Y' can be produced by turning off the top LED in a curly '9', for example. 

But some letters are just plain difficult to produce on a seven segment display. Examples include: M, m, W, w, X, x, e, Q, q, etc. This doesn't mean that they can't be 'expressed' on the display; it means that their appearance might not be immediately obvious. At which point, we have obfuscation.

Seven Segment Font

Preparing puzzles for online use, or the CAD files to enable conference badges or other physical objects, often requires a TrueType font (almost 'de facto' for many typographical purposes nowadays). But fonts based on seven segment displays aren't all that common...

So here's one based on the coding used on the Synthstrom Audible 'Deluge' groovebox, an amazing piece of musical technology that is part sequencer, part synthesizer, part drum machine, part sampler, part DAW and part effects unit, plus a few other parts. For its display, it uses just four seven segment LEDs, plus a few other LEDs underneath buttons, as part of the user interface, with the seven segment displays used for text and numbers (which scroll across - thus increasing the effective width to arguably 'more than 4' characters). The Deluge also comes from New Zealand, which is sort of a link with the 'Kiki' in the picture at the start of this blog post!

From: https://github.com/weavermedia/deluge-led-font?fbclid=IwAR0dNTx0U0GPTNHxYrVkdm3UUlq4PMhSv-pJ7M8vC2LipziNfalnWS7d7mQ

As you can see, some of the problematic letters, like lower case 'a' and 'e' have just been turned into their upper case, capital alternative. But the 'M', 'W', 'K' and 'X' are very distinctive, because the lower and upper case are the same, but they are also difficult to read at first glance. Oooh! Obfuscation. 

Even more interestingly, some of the upper case (capital) letters are deliberately turned into lower case, even when an upper case exists. 'o' is an example - it is used for the upper case (capital) and lower case, even though a zero '0' could be used, although that might be confusing in some circumstances... Conversely, some are left as upper case, even when a lower case alternative exists: 'c' and 'u', and maybe 'j'.

But for puzzles, then a font like this is an almost perfect way of providing a mixture of familiarity and unfamiliarity, all at the same time. Careful choice of words enables clues and hints to be given in varying degrees of obscurity: 'CLUE' for example, is easy to read in the font, whilst 'MIX' is much harder at first glance.  

Yes, there are other 'seven segment' fonts, but this one has an electronic music connection, and is pretty distinctive, so it has huge appeal to me for use in puzzles. Curiously, some of the alternatives cheat by using more than seven segments!
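To make the 'same segments, different symbol' point concrete, here is an added example (my code, not the post's and not the Deluge font project's) that encodes characters as seven-segment bitmasks, renders them as ASCII art, and lists which symbols light exactly the same segments. The letter glyphs follow the substitutions described above (S as 5, O as 0, Y as a 9 with the top off) but are this example's own choices, not the Deluge font's.

```python
# Added example; not code from the post or from the Deluge font project.
# Segment names follow the usual convention: a top, b upper right, c lower
# right, d bottom, e lower left, f upper left, g middle.
A, B, C, D, E, F, G = (1 << i for i in range(7))

DIGITS = {
    "0": A | B | C | D | E | F,
    "1": B | C,
    "2": A | B | G | E | D,
    "3": A | B | G | C | D,
    "4": F | G | B | C,
    "5": A | F | G | C | D,
    "6": A | F | G | E | D | C,
    "7": A | B | C,
    "8": A | B | C | D | E | F | G,
    "9": A | B | C | D | F | G,
}

# Letters drawn with the same seven segments, using the substitutions the post
# describes (S as a 5, O as a 0, Z as a 2, Y as a 9 with the top off, ...).
# These glyph choices are this example's own, not the Deluge font's.
LETTERS = {
    "S": DIGITS["5"], "O": DIGITS["0"], "Z": DIGITS["2"], "I": DIGITS["1"],
    "Y": DIGITS["9"] & ~A,
    "U": B | C | D | E | F, "P": A | B | E | F | G, "C": A | D | E | F,
    "E": A | D | E | F | G, "L": D | E | F, "H": B | C | E | F | G,
    "T": D | E | F | G,        # lower case 't' shape
    "B": C | D | E | F | G,    # lower case 'b' shape
}
FONT = {**DIGITS, **LETTERS}


def glyph(ch: str) -> int:
    """Segment bitmask for one character; ValueError if the font lacks it."""
    try:
        return FONT[ch.upper()]
    except KeyError:
        raise ValueError(f"no seven-segment glyph for {ch!r}") from None


def render(text: str) -> list:
    """Three-line ASCII art of the text, one 3-column cell per character."""
    top, mid, bot = [], [], []
    for ch in text:
        g = glyph(ch)
        top.append(" _ " if g & A else "   ")
        mid.append(("|" if g & F else " ") + ("_" if g & G else " ")
                   + ("|" if g & B else " "))
        bot.append(("|" if g & E else " ") + ("_" if g & D else " ")
                   + ("|" if g & C else " "))
    return [" ".join(top), " ".join(mid), " ".join(bot)]


def ambiguous_pairs() -> list:
    """Groups of symbols that light exactly the same segments and so cannot be
    told apart on the display: this is where the obfuscation comes from."""
    by_glyph = {}
    for sym, g in FONT.items():
        by_glyph.setdefault(g, []).append(sym)
    return sorted(tuple(sorted(s)) for s in by_glyph.values() if len(s) > 1)


if __name__ == "__main__":
    print("\n".join(render("CLUE")))
    print(ambiguous_pairs())
```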

---

If you find my writing helpful, informative or entertaining, then please consider visiting the following link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):





Friday 12 November 2021

Numbers that don't exist...

The images and sounds that you see and hear in movies and on the television are carefully crafted, constructed, produced... and more. Clothes might be 'product placement', but they might also be custom made so that they 'look' kind of like famous brands, but aren't - which means that showing them on screen isn't advertising, and it isn't trademark, logo or brand infringement. Music might be re-recorded so that it sounds very similar to the real thing, but again, is merely very close - the BBC's Top Gear 'classic' theme tune is just one example. It might sound like 'Jessica' by the Allman Brothers, but actually it is a cover version, or a re-recording, and as it turns out, there are several versions that all sound like it.

Then there are Search Engines on computer screens, which again, look 'almost familiar'...  And URLs... And Operating Systems... This 'nothing you see or hear is real' extends to a whole set of logos, brands, advertising and all sorts of other things which can be covered by copyrights, trademarks, etc. It's a complicated business, and there are people whose job it is to make sure that all of these are thought about - in advance. (Which is, of course, also what Security people do!)

Then there are things that you might be surprised about, like... numbers.

Photo by Claudio Schwarz on Unsplash

Telephone Numbers

Whenever a movie or a television programme uses a telephone number, there will inevitably be some people in the audience who will dial that number. 'Just to see what happens!' is the usual thing that people say when they do this. So, for a popular programme, even a small percentage of 'Let's see...' people trying to dial the number could potentially cause a large shift in the use of the telephone network, or the Internet, or the Mobile/Cell telephone network, and could potentially cause something broadly similar to a Denial of Service (DoS) attack...

So, broadcasting numbers in movies and television can be considered to be a security issue. DoS attacks are just one facet of the problem, though. Can you imagine the legal problems if the telephone number happened to be the actual number of a real person or company? Suddenly it has become a privacy problem, or a data breach... But how do you find a number that is guaranteed not to ring someone's phone? Just making up a number at random could easily be a real 'live' number - someone's number!

As it happens, such numbers do exist. In the UK, OFCOM, the telecommunications regulator, maintains and publishes a list of numbers that can be used in movies, television, radio, etc. Here is one set.  

One security-related application of numbers like this is when you are required to give a telephone number as part of a registration process. If you don't want to give your real telephone number, perhaps because of privacy concerns, then using a number that doesn't exist (and is more or less guaranteed to stay like that) seems like a good alternative.

Photo by Ryan Born on Unsplash

Test Numbers and Letters

Another number that you might see on screen (or in photographs for advertising) is the credit card, and this time, the reasoning behind not using someone's real number is kind of obvious - and once again, it is a security concern. But how do you test computer systems that use credit cards for making purchases? Do developers use their own personal credit card numbers? Maybe there are special 'test' credit card numbers as well? There are! Here are just some.

Credit card numbers include a check digit that indicates if they are correct, for example. This is so that when quoted over the telephone, or online, they can be immediately validated. Many other similar numbers (or lists of numbers and letters) also have built-in checks. 
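The check digit on a card number is the Luhn checksum, and the following added example (my code, not from the post) shows both why it catches a mistyped digit and why passing it says nothing about whether a number is issued, which is why separate test numbers exist. 4111 1111 1111 1111 is a widely published test number; the other inputs are constructed.

```python
# Added example, not from the post: the Luhn check digit used on card numbers.
# Passing Luhn only confirms the digits were quoted correctly; it does not mean
# the number belongs to anyone, which is exactly what makes 'test' numbers safe.


def luhn_valid(pan: str) -> bool:
    """True if the digits of pan (spaces allowed) pass the Luhn checksum."""
    digits = [int(ch) for ch in pan if ch.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The digit that makes partial + digit pass luhn_valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("no valid check digit (not reachable for digit input)")


def catches_all_single_digit_errors(pan: str) -> bool:
    """Luhn rejects every single mistyped digit of a valid number, which is why
    it is useful for numbers quoted over the telephone."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not luhn_valid(digits):
        return False
    for i, original in enumerate(digits):
        for wrong in "0123456789":
            if wrong == original:
                continue
            if luhn_valid(digits[:i] + wrong + digits[i + 1:]):
                return False
    return True


if __name__ == "__main__":
    # Widely published test number: passes Luhn, is not an issued card.
    print(luhn_valid("4111 1111 1111 1111"))
    print(luhn_check_digit("411111111111111"))
```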

Once you get into this mind-set, then all sorts of other numbers pop up. How about street numbers that don't actually exist for a road? How about non-existent Post Codes, Zip Codes, or other postal coding systems? UK Post Codes are interesting, because there's an online way of checking if they are valid, so you cannot use a 'test' or 'unissued' one, because they are invalid. UK Post Codes can be quite specific about the addresses they cover, and so they give away lots of information about the location. Once you start mixing numbers and letters, then just about every method of providing a 'unique' identifier probably has an in-built (and online) way of verifying if it exists, and this may deliberately prevent any generic, test, or anonymous identifiers. 

Predefined List

UK Post Codes lead to another interesting aspect of validation of numbers or letters by software. One of the security-driven responses to web-forms that have text fields in them is to restrict what can be entered: (A-Z, a-z, 0-9), for example. But another approach is to pre-define the contents to a list. So for Post Codes, you might have a pop-up menu that requires the selection of the first letter at the start of the Post Code. There are a limited number of possible entries (A to Z...), so selection is relatively easy/quick, and so if you live in Manchester, you would select 'M'. But you can't enter anything else, other than those that are shown. (Some letters are not used to start UK Post Codes: X and Q are two examples...). So this forces you to enter a real letter for a real location - there is no way to enter a generic or non-existent location.

So a security fix (stopping people typing any text into a field) turns into a privacy problem where only a specific entry can be made. This can happen with telephone numbers, where the number is checked and rejected if it is found to be 'invalid'. This sounds okay, until you try to enter international numbers... If the text field is limited to just the numbers 0 to 9, then how do you add the International Dialing Prefix? ('44' for the UK, for example) The usual convention is to add a + symbol, then the prefix, 44, and then the number, but omitting any leading zero. Except that if you can't enter the '+', then the number starts with 44, and this is going to be automatically rejected by any validation code that knows that telephone numbers always start with '0' (zero).
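As an added example (my code, not the post's), here is the 'digits only, must start with zero' validator described above next to a normaliser that accepts the +44, 0044 and bare-44 forms, plus a check against the 07700 900000 to 07700 900999 mobile range that Ofcom reserves for drama use. That range is quoted from memory rather than from the post, so confirm it against Ofcom's published list before relying on it; the sample numbers are constructed.

```python
# Added example, not from the post. Shows the validation failure the post
# describes (a '+44' number rejected for not starting with '0') and a
# normaliser that avoids it, plus a check for one Ofcom drama number range.
import re
from typing import Optional


def strict_ok(raw: str) -> bool:
    """The problematic check: digits only and a leading zero, so '+44...' and
    '44...' are rejected even though they name the same UK number."""
    return re.fullmatch(r"0\d{9,10}", raw) is not None


def to_e164_uk(raw: str) -> Optional[str]:
    """Normalise the common ways of writing a UK number to '+44' followed by
    the national number without its trunk '0'. None if not recognised."""
    s = re.sub(r"[\s().-]", "", raw)       # drop spaces, brackets, dots, dashes
    if s.startswith("+44"):
        national = s[3:]
    elif s.startswith("0044"):
        national = s[4:]
    elif s.startswith("44"):               # the '+' was stripped by a form
        national = s[2:]
    elif s.startswith("0"):
        national = s[1:]
    else:
        return None
    if national.startswith("0"):           # '+44 (0)20 ...' style
        national = national[1:]
    if not re.fullmatch(r"[1-9]\d{8,9}", national):
        return None
    return "+44" + national


# Assumed from memory, not from the post: Ofcom reserves 07700 900000-900999
# for drama use, so these numbers should never ring a real mobile.
DRAMA_MOBILE_PREFIX = "+447700900"


def is_drama_mobile(raw: str) -> bool:
    """True if raw normalises into the reserved 07700 900xxx range."""
    e164 = to_e164_uk(raw)
    return (e164 is not None and e164.startswith(DRAMA_MOBILE_PREFIX)
            and len(e164) == 13)


if __name__ == "__main__":
    for sample in ("07700 900123", "+44 7700 900123", "447700900123"):
        print(sample, strict_ok(sample), to_e164_uk(sample),
              is_drama_mobile(sample))
```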

The Security/Privacy/Validation Dilemma

Which leads to a difficult area of software design. How do you make software that can interact with people, but which is security-conscious (choosing from a pre-defined list is preferred to a text field that will accept a limited set of characters), which allows anonymity or privacy (not filling in your middle name, your age, your gender...), but which can also be validated to check that you have not put in an incorrect response by accident/mistake/deliberately? This is not an easy triangle to navigate...

Just one emerging example. Before the pandemic, cash was a way of paying for something anonymously. Post-Covid, cash has become much less acceptable, and 'electronic' or 'contactless' payment methods have become much more the 'norm'. But are the payments then anonymous?

Is the future a world where the need for security and validation of data outweighs personal privacy? Has privacy always been an illusion anyway? 

(And why do some people spell 'dilemma' as 'dilemna', and insist that they were taught that way at school?)  

---


Wednesday 3 November 2021

Hardwear.IO Netherlands 2021 Badge Puzzle

Attendees at the Hardwear.IO Netherlands 2021 security conference got a plastic badge with a puzzle on it... Yep, another of my puzzles - or, maybe, two of my puzzles:


Obfuscation is the art of hiding things in plain sight. QR codes are one example - they are a way of obscuring a URL from being read too easily. Of course, if you don't know what they are, then they might appear to be 'magic' or 'secure' in some way. Some obfuscation is so entrenched that it can appear to be 'obvious' - ASCII codes for letters and numbers, for example. Unless, that is, you were raised when EBCDIC was the standard...

Puzzles are logical obfuscations, where the obscuring process can be undone...

The orange plastic makes it quite hard to see some of the numbers, so here's the original diagram:


The idea here was to have as few instructions as possible. The big arrow indicates that there is a left-to-right flow, and presumably the answers go in the boxes on the right. 

As a puzzle creator, one good starting point is to provide clues to how to find the answer, and to make the clues obvious, but not too obvious. So rather than just give you the solution up front, here are a few hints, and if you keep scrolling, then you will find the solution...

Hints


The second box on the lower row looks like 'NL' and so is presumably a clue to the conference being in the Netherlands - which attendees will already know, of course! But what it actually is doing is showing that there is something significant in the strokes used to make the N and the L shapes. 

The box directly above it on the top row is also a clue, but for a different reason. There are 23 question marks, plus an 'A' and a '1'. At first glance, the A and the 1 are almost invisible because of the visual clutter. 

The first boxes on the left contain two very different contents - deliberately. The top box has a 5x5 grid of two digit numbers, and the next box along to the right also has a 5x5 grid... The lower box has 6 rows, and the length varies from 3 to 6 characters. 

And there's that big arrow pointing from left to right... but also pointing to some smaller arrows connecting the two final boxes on the right. Maybe the contents of those boxes are similar in some way?

The top row has a box with just arrows inside it, which could indicate a path of some sort... There are 5 rows again in this box.

The lower row has a 6x11 box with just 1s and 0s. 11 digits is unusual for binary numbers, so interpreting the first one as 0x00010000101000 (and so on) might not be the right approach. Is there another use that an array of 1s and 0s might be used for? Could it be an image mask of some sort? My puzzles tend to be based on hardware (sometimes with software) and so there's often a 70s or 80s bias to my metaphors. 

The top row does have a box that looks like a raster scan - and it is directly above the 6x11 masking box. Could this be a clue as well? 

The left-most box on the top row contains two digit numbers. Many of my puzzles contain ASCII and other codings for numbers. So what sort of tests could you apply to numbers to see if they are ASCII encoded versions of text? If you were investigating a piece of real hardware, looking for how it stored data, especially if it wanted to have some security for the data, would it always be in an ASCII encoded form? 

My puzzles are intended to be educational, particularly for people who want to find out how hardware and security are intermingled in the real world. Knowing how to spot ASCII-encoded characters can often be a good starting point to working out where strings are stored in memory. Knowing that blocks of high entropy data might well be encryption keys is another useful piece of information to have in your mind. And how could high entropy data be hidden? How do you remove entropy so that it isn't as obvious? Could the 6x11 grid of 1s and 0s be doing something with entropy? 

Cryptographers tend to break text into blocks of 5 characters, and the left hand box on the lower row deliberately has between 3 and 6 characters in the rows - and none of the rows has 5 characters! This is not accidental...

The first thing that you tend to see in the puzzle is the big arrow from left to right. There's a circle at the start, so is this meant to be a vector? A pointer? A direction indicator? 

Finally, there are two small dots in the right hand 'empty' boxes. In the diagram above these are shown in black. This might be an additional clue... Almost nothing in my puzzles is there by accident.

The Solutions


If you are still reading, then you might well be

looking

for

the 

solution.

So,

I

will

try 

to 

make

sure

that

you 

don't

see

the

answer

by

accident.

Top Row


The left hand box on the top row contains two digit numbers. They aren't ASCII-encoded numbers because the letters and numbers in ASCII are from 30 to 122 (decimal). Values below 30 are control characters from the days of teletypes, typewriters, and very slow asynchronous serial communications. Numbers above 97 are lower case letters (a-z) and cryptographers always tend to use capital letters (in blocks of 5, remember?). SOTHE YPROB ABLYA RENOT ENCOD EDINA SCII!

Did you notice that all of the spaces were removed from the blocks of 5 characters? Old-school 'Enigma'-style cryptographers left out the spaces between words as well. You know how people always say that 'E' is the most used letter in the English language? Well, if you look at ASCII-encoded text, then usually the most commonly occurring number is not 69 (E) or 101 (e), but 32 - which is the 'space' character. Some of my puzzles deliberately leave the spaces in - as a clue that the text is ASCII encoded! 

If not ASCII, then what? The second box from the left on the top row might be a clue. In amongst the question marks, there are two characters: an A and a 1. The 'A' seems to correspond with the 01 in the 5x5 grid in the left-most box on the top row, whilst the '1' seems to be associated with the 28. In ASCII, the digits start with zero at 48, and go to '9' at 57. So what might be the simplest way of arranging the capital letters of the alphabet (A to Z), plus the number digits from 0-9? Well, it might start at 0, go to 9, then A, then to Z. But an index where 01 means zero seems like it is making things a bit obvious, especially when 02 means 1, 03 means 2 and so on. This would mean that dates would be in the form <02-32>/<02-13>/<...and 3132 for the current year>, which might be a give-away after a while...

So, to be contrary to the way that ASCII works, how about putting the numbers after the letters? So 01 is A, through to 26 for Z, and then 27 for Zero, and 28 for 1. And there you have it - one of several ways of arranging the letters and numbers so that they can be indexed with a two-digit number! 
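The two-digit index coding just described, together with the 'is this list of numbers ASCII text?' tests from the hints, as an added example (my code, not the puzzle's own; the sample text is constructed):

```python
# Added example, not from the post: the A=01..Z=26, 0=27..9=36 index coding
# described above, and two quick tests for telling ASCII text from other codes.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase + string.digits   # A..Z then 0..9, 36 symbols


def index_encode(text: str) -> list:
    """A=01 ... Z=26, 0=27 ... 9=36. Anything else (spaces, punctuation) is
    dropped, as a cryptographer preparing five-letter groups would do."""
    return [ALPHABET.index(ch) + 1 for ch in text.upper() if ch in ALPHABET]


def index_decode(codes: list) -> str:
    """Inverse of index_encode; ValueError on a code outside 1..36."""
    if any(not 1 <= c <= len(ALPHABET) for c in codes):
        raise ValueError("code outside the 01..36 index range")
    return "".join(ALPHABET[c - 1] for c in codes)


def group_in_fives(text: str) -> str:
    """Traditional presentation: upper case, no spaces, blocks of five."""
    flat = "".join(ch for ch in text.upper() if ch in ALPHABET)
    return " ".join(flat[i:i + 5] for i in range(0, len(flat), 5))


def ascii_printable(values: list) -> bool:
    """Necessary condition for ASCII text: every value is a printable
    character (32..126). Index codes (01..36) fail this immediately."""
    return bool(values) and all(32 <= v <= 126 for v in values)


def most_common_value(values: list) -> int:
    """In ordinary ASCII text with spaces left in, this is usually 32."""
    return Counter(values).most_common(1)[0][0]


if __name__ == "__main__":
    codes = index_encode("HARDWEAR.IO 2021")
    print(codes, index_decode(codes))
    ascii_codes = [ord(ch) for ch in "SO THEY PROBABLY ARE NOT ENCODED IN ASCII"]
    print(ascii_printable(codes), ascii_printable(ascii_codes),
          most_common_value(ascii_codes))
```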

If you substitute the indexed letters and numbers using this mapping, then how do you put them into the final box on the right? Many of my puzzles try to get away from the left to right, top to bottom convention that native English handwriting and typing normally follows (But note that the value of the digits in numbers increases from RIGHT to LEFT!) and use other conventions instead. Japanese and Chinese are particularly interesting here, because although they can be written from left to right, top to bottom, they can also be written top to bottom, right to left... I have often used spirals to try and hide the sequence of letters from a casual inspection, of which more later...

So the 'raster' 'third from the left' top box might be interpreted as a set of vectors, showing how the decoded characters are arranged. If you do this, then the purpose of the black dot will become apparent - it is the 'dot' in Hardwear.IO...

Lower Row


The lower row starts on the left hand side with the 6 rows of 3 to 6 characters, and NO 5 character rows at all. The characters are a mixture of letters and numbers, and so it might be that the plaintext is 'hidden in plain sight', which would be a terrible pun, but exactly the sort of cheeky misdirection that I often include in my puzzles. The box on the second left in the lower row contains another 'raster' diagram, which actually looks like 'NL' spelt out in vectors. But it isn't immediately obvious what the vectors mean...

The third box from the left on the lower row is the 6x11 set of what look like binary numbers, except that they are 11 digits long, which is unusual for binary. If you are thinking 'misdirection' at this point, then you would be completely correct. Thinking of old raster based visual displays, then one of the common techniques used to process images on the screen was to use 'masks' that determined if a pixel in the image would be displayed in the raster, and thus on the screen. So the first, second and third boxes from the left on the top row are actually clues to this being a 'raster'-influenced puzzle...

The third box from the left on the lower row is indeed a mask. It is actually just the second box from the left on the lower row, but mapped onto a 6x11 'raster' or grid. The ones and zeroes do not mean 1 and zero - the 1s are place-holders for the characters that will be displayed, and show where they will be placed on the screen. So the three boxes from the left on the lower row are all indicating the same thing - how the characters in the first box are placed in the final box on the right. 

If you take the NL vector diagram from the second box from the left on the lower row, and use it to 'parse' the characters in the first box from the left on the lower row, and place them in the right hand box according to the mask (using just the 1s), then you get 'HARDWE' reading upwards, from bottom to top, as you follow the upwards vector on the first stroke of the 'N'. As you continue, it spells out a slightly different order of the parts that made up the contents of the top, right hand box - and this is what those twisty arrows connecting the two right hand boxes indicate - the contents are not exactly the same in their layout.
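The mask-and-strokes mechanism of the lower row, as an added example (my code, not the puzzle's): characters are written along stroke vectors, but only into cells where the mask holds a 1, and the same strokes read the text back out. The 6x11 mask and the five strokes (an 'N' followed by an 'L') are constructed for illustration and are not the badge's actual layout.

```python
# Added example, not from the post: fill a 1/0 mask by walking stroke vectors.
# The mask and strokes below are constructed; they are not the badge's layout.
MASK = [
    "10000101000",
    "11000101000",
    "10100101000",
    "10010101000",
    "10001101000",
    "10000101111",
]

# Each stroke: (start_row, start_col, row_step, col_step, cells). The first
# stroke runs upwards, so its characters read from the bottom to the top.
STROKES = [
    (5, 0, -1, 0, 6),   # N: left upright, drawn upwards
    (1, 1, 1, 1, 4),    # N: diagonal, top-left towards bottom-right
    (5, 5, -1, 0, 6),   # N: right upright, drawn upwards
    (0, 7, 1, 0, 5),    # L: upright, drawn downwards
    (5, 6, 0, 1, 5),    # L: foot; its first cell is masked out (a 0)
]


def stroke_cells(strokes):
    """Yield (row, col) for every cell visited, in stroke order."""
    for r, c, dr, dc, n in strokes:
        for i in range(n):
            yield r + i * dr, c + i * dc


def place(text: str, mask=MASK, strokes=STROKES) -> list:
    """Write text along the strokes into the cells where the mask is '1'.
    Returns the grid as strings, '.' marking empty cells."""
    slots = sum(1 for r, c in stroke_cells(strokes) if mask[r][c] == "1")
    if len(text) != slots:
        raise ValueError(f"text has {len(text)} characters, mask has {slots} slots")
    grid = [["."] * len(row) for row in mask]
    chars = iter(text)
    for r, c in stroke_cells(strokes):
        if mask[r][c] == "1":           # 0 cells are skipped, not filled
            grid[r][c] = next(chars)
    return ["".join(row) for row in grid]


def read_back(grid: list, mask=MASK, strokes=STROKES) -> str:
    """The reverse: follow the same strokes over a filled grid to recover text."""
    return "".join(grid[r][c] for r, c in stroke_cells(strokes)
                   if mask[r][c] == "1")


if __name__ == "__main__":
    filled = place("HARDWEARIONETHERLANDS2021")
    print("\n".join(filled))
    print(read_back(filled))
```

Reading the first column top to bottom gives EWDRAH, which is 'HARDWE' reversed, exactly the effect the upward first stroke produces in the puzzle.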

The Solution


Which brings us to the solution:


The solution is thus either:

Hardwear.IO Netherlands 2021 (in all Capitals)

or

Hardwear.IO2021 Netherlands (again in all Capitals)

But, why are they different? To see why, take the top row solution and apply it to the reverse of the process used for the lower row. The bottom row of the contents of the left hand box will end up like this:

HN2021

Which kind of gives away too much...

For the reason behind that, think about how the puzzle was designed. The top row was done first, then the lower row. When the problem was noticed, then the top row could have been reworked, but it was already done, and so I took the easy way out - I used the twisty arrows to indicate that the contents of the two right hand boxes were similar, not the same. And this is exactly what happens in real-world hardware and software - unexpected problems can arise after a lot of work has been done, and the quickest fix is often not ideal. 

So one of the 'tools' that should be in the hardware (or software) reverse engineer's toolbox is the 'unexpected consequences often get fixed very badly' thought. Do you really change the whole design because of a minor mistake and do a total rework, or do you find a smart, quick fix that might compromise some of the security - but who is ever going to find it? Just about every project that I have ever seen will go for the easy fix, not the total rework. And that's one way that vulnerabilities get into hardware - or software. 

In a single puzzle, you have learnt about non-ASCII encoding, how to find ASCII encoding, how to vectorise and mask matrices, and the consequences of not going back and properly fixing mistakes that were unforeseen. This wasn't puzzle solving - it was actually training!

Thanks to Hardwear.IO for their support, and for using my puzzles!

To save you time, searching for more of my puzzles - there's a list here and another puzzle here

---
