tag:blogger.com,1999:blog-18195060374415297262024-02-02T14:06:20.283-08:00SecuritytirucesBrief thoughts, snippets and observations on security...Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.comBlogger32125tag:blogger.com,1999:blog-1819506037441529726.post-64241471671870048672022-04-18T11:23:00.004-07:002022-04-19T08:45:44.733-07:00NULLCON 12, Berlin, April 2022<p>Here's the badge that I designed for the NULLCON 2022 Berlin security conference (and highly recommended training!). </p><p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6QRYizVrfL459VrFHzS6o6aGKIdI8gGC7xzJIUFQcSdZq6prm8gi6qur_KlGpJWdcnwhrICN0CxzKSdmbo_K8n6J9Z9gc4ACZ5FJO-P3LSMYXG8ybvnzjZkBr8zykh-KQsBXDAbd3JwTeRPtbnZkqSeSSgTNZ2IUa22hrNyw_WDRPkLlhexW5iEmChg/s584/nullcon-badge-cropped.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="584" data-original-width="416" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6QRYizVrfL459VrFHzS6o6aGKIdI8gGC7xzJIUFQcSdZq6prm8gi6qur_KlGpJWdcnwhrICN0CxzKSdmbo_K8n6J9Z9gc4ACZ5FJO-P3LSMYXG8ybvnzjZkBr8zykh-KQsBXDAbd3JwTeRPtbnZkqSeSSgTNZ2IUa22hrNyw_WDRPkLlhexW5iEmChg/w285-h400/nullcon-badge-cropped.jpg" width="285" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The NULLCON 2022 badge...<br /></td></tr></tbody></table><br />There are three, and arguably four, puzzles hidden in the badge, plus a hint, as you will see, to a very different text obfuscation technique that looks like strong crypto, but has a very light CPU overhead. 
That's quite a bargain for something that most people will dismiss as a silly bit of graphics on the back of a piece of thick cardboard.<p></p><p>Let's start by looking at the grid of characters in the centre section, rotated by 90 degrees:</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY7Kz6DmmHN3nSO9TwGNFohOEVzYsaAXxS8KIG4itF6xdFQJ3RtkGEKf14PdKWkqQUvztw7Om7lIEZk3MV-Ff0gGWOvnLfJkRZilUIE0nF76xIfrA9yqY-K1HxXL5Qm8ABqKehmqjta33S8eRe-xRWDlLZzFKSChT4ue7pL0K238lZqIxJxmSue2wmoA/s648/centre-0.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="431" data-original-width="648" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY7Kz6DmmHN3nSO9TwGNFohOEVzYsaAXxS8KIG4itF6xdFQJ3RtkGEKf14PdKWkqQUvztw7Om7lIEZk3MV-Ff0gGWOvnLfJkRZilUIE0nF76xIfrA9yqY-K1HxXL5Qm8ABqKehmqjta33S8eRe-xRWDlLZzFKSChT4ue7pL0K238lZqIxJxmSue2wmoA/w640-h426/centre-0.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Not a word-search grid...</td></tr></tbody></table><p>At first glance, this looks like it might be a word-search grid, and so you might go along the rows and columns, looking for words...</p><p>And you will get 'NULL', '2022' and 'FOR', which isn't very helpful. But you do also get some incomplete words: 'BERLI' and 'SECUR', which look like they might be 'Berlin' and 'Security' - but the other required letters are in different rows or columns... 
Also, the 'N' at the beginning of 'NULL' was bigger...</p><p>Underneath the grid of characters, there is the NULLCON logo, although it has a few additions:</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCUYkt2LD5qZU1fImU6WNoGZsivTXw8lGVTb1C3ebY_XfTD_7VJ58aYPEvYrDI8Ykw8B-uVb6224gloye4ECl627WLmLrhKVlhzvglb4V8xLZdY0myAuHEgn5T0jruygU93q3uRxE6wbBQvdwcd4LOiSFdCS7cA3B6CN2RUKDi4BySLGe3AEE01SIiZA/s665/nullcon-logo.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="432" data-original-width="665" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCUYkt2LD5qZU1fImU6WNoGZsivTXw8lGVTb1C3ebY_XfTD_7VJ58aYPEvYrDI8Ykw8B-uVb6224gloye4ECl627WLmLrhKVlhzvglb4V8xLZdY0myAuHEgn5T0jruygU93q3uRxE6wbBQvdwcd4LOiSFdCS7cA3B6CN2RUKDi4BySLGe3AEE01SIiZA/w640-h416/nullcon-logo.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">A slightly modified NULLCON logo...</td></tr></tbody></table><br /><div>The logo starts from a circular blob, along a path indicated by an arrow, and ends up at an exclamation mark, where the dot of the symbol is the end of the path.</div><div><br /></div><div>Imagine that the NULLCON logo is a map, where the path that is indicated is the path that you must follow on the map. Also imagine that the character grid is the map... </div><div><br /></div><div>It seems that the circular blob at the start coincides with the big 'N' at the start of 'NULL', so what happens if you trace along the path? 
To make it easier to see, the next image colours all the off-path characters in light blue:</div><div><br /></div><div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgV2TB1pR0yqY6kkNJ7iJbNHzjHwLs3mG4SKtvv1KoIe4AK2Wq9NnoJFLZxkq1yt37axLfRI00iIeSU3tJjx2kMYXvJsFdpqGZ5ZQqgQgktb3FXfDUVE349uoDydX8IvBJPdvwvyqxzNrO2ej3Up4k4H1yUftNMuc0yWx0ihBNPUaceJgaZXD-lGPbvw/s857/centre-2.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="857" data-original-width="647" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgV2TB1pR0yqY6kkNJ7iJbNHzjHwLs3mG4SKtvv1KoIe4AK2Wq9NnoJFLZxkq1yt37axLfRI00iIeSU3tJjx2kMYXvJsFdpqGZ5ZQqgQgktb3FXfDUVE349uoDydX8IvBJPdvwvyqxzNrO2ej3Up4k4H1yUftNMuc0yWx0ihBNPUaceJgaZXD-lGPbvw/w484-h640/centre-2.jpg" width="484" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The character grid and the NULLCON logo path...</td></tr></tbody></table><br /> Starting at the 'N' blob, it now reads 'NULLCON2022BERLINGE' as you trace along the path. 
It is easier to see this if the background is also light blue:</div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjya0ThyUBcZc2gs3J0JVE0oC8-L-cLr-MohPPtwvidf6iG8fGaolqnZ8oWBAJToGDG505s2C3vmVzyNt7keB1aQ4ASKfgEORnVS5DIZZS6QSzayuxvBnajljMuU0IrysSTmhCtL60LsJINbiexasKwKH-3bxpuPcjxGRmlolMvOyx9CHRPZ1gqIR0RyQ/s647/centre-3%20crop.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="435" data-original-width="647" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjya0ThyUBcZc2gs3J0JVE0oC8-L-cLr-MohPPtwvidf6iG8fGaolqnZ8oWBAJToGDG505s2C3vmVzyNt7keB1aQ4ASKfgEORnVS5DIZZS6QSzayuxvBnajljMuU0IrysSTmhCtL60LsJINbiexasKwKH-3bxpuPcjxGRmlolMvOyx9CHRPZ1gqIR0RyQ/w640-h430/centre-3%20crop.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Blue on blue...</td></tr></tbody></table><br /><div>Looking at the logo, the diagonal line across the zero or zed or zee (it depends how you look at it!) is at quite a shallow angle, so maybe the path isn't made of adjacent characters? Aha! From the 'G', you should be able to find an 'E', then an 'R', then an 'A', and finally an 'N' - and, turning round again, a 'Y' on the right. 
So the path now reads:</div><div><br /></div><div style="text-align: center;">NULLCON2022BERLINGERMANY</div><div><br /></div><div>Which can be split up into:</div><div><br /></div><div style="text-align: center;">NULLCON 2022 Berlin Germany</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Because, as you should know, cryptographers always:</div><div style="text-align: left;"><br /></div><div style="text-align: center;">USECAPITALLETTERSDONTUSEPUNCTUATIONANDDONTUSESPACES</div><div style="text-align: left;"><br /></div><div style="text-align: left;">If we carry on along the path, then we get the name and part of a phrase from the NULLCON 2022 web-site (I have added capital letters and punctuation where appropriate...):</div><div style="text-align: center;"><br /></div><div style="text-align: center;">NULLCON 2022, Berlin, Germany. A unique platform for security showcasing!!</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The two exclamation marks were added by me, of course!</div><div style="text-align: left;"><br /></div><div style="text-align: left;">And that's the first part of the answer to the badge puzzle...</div><div style="text-align: left;"><br /></div><div style="text-align: left;">---</div><div style="text-align: left;"><br /></div><div style="text-align: left;">At the very top of the badge is some strange text:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWUKrVqL_EFTcUCGxWFtKPMvIUH1BjIE0xh-P_bCi01OUByYZDKRJqpi2My2-Rpu054iMEA-n7XG3CIln4ZO-M-l2mVpJo4-w6vWWPbmY9R8kpI5_fSeWpO3n4m46GS6Hwv1b8TnsHgsG25v3_KuOlzOZekVZRttCA831_-PH0pNe2y8zkTIKWnKa4XQ/s242/puzzle.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="44" data-original-width="242" height="116" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWUKrVqL_EFTcUCGxWFtKPMvIUH1BjIE0xh-P_bCi01OUByYZDKRJqpi2My2-Rpu054iMEA-n7XG3CIln4ZO-M-l2mVpJo4-w6vWWPbmY9R8kpI5_fSeWpO3n4m46GS6Hwv1b8TnsHgsG25v3_KuOlzOZekVZRttCA831_-PH0pNe2y8zkTIKWnKa4XQ/w640-h116/puzzle.jpg" width="640" /></a></div><br /><div style="text-align: left;">It looks like it is maybe upside down, or rotated? But no matter what you do with rotations or mirroring, it just doesn't turn into anything readable... But do you notice anything about the NULLCON logo - does it have rotational symmetry? Could this be a clue?</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Let's rotate it by 180 degrees and put the two versions one above the other:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixlOh3C_MM7UsCiCm33zVYXA45l8DsLKetF32j-hbklBvtopJyISNlpjct5MwSpIg_w0jEBLjIw3jUey9XuYv_NSWZNgtTPpCtXiSU541ke5bK138tWno7iqC2uK-gg8FKgeOXv-37rORUKWpCtq4Pp1QtTaqJ9_Nkn_7XnmMuAEWAaTmryAS4xQdzlw/s492/upside-up.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="117" data-original-width="492" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixlOh3C_MM7UsCiCm33zVYXA45l8DsLKetF32j-hbklBvtopJyISNlpjct5MwSpIg_w0jEBLjIw3jUey9XuYv_NSWZNgtTPpCtXiSU541ke5bK138tWno7iqC2uK-gg8FKgeOXv-37rORUKWpCtq4Pp1QtTaqJ9_Nkn_7XnmMuAEWAaTmryAS4xQdzlw/s320/upside-up.jpg" width="320" /></a></div><br /><div style="text-align: left;">You might be able to see that now, the lambda has become a 'y', that weird rounded 'w' has become an 'm', and the rotated 'e' has become an 'e'. 
</div><div style="text-align: left;"><br /></div><div style="text-align: left;">If you alternate letters from left to right, then the letters which are the right way up are these:</div><div style="text-align: left;"><br /></div><div style="text-align: center;"><b><span style="font-family: courier; font-size: large;">p z l b a t n u s</span></b></div><div style="text-align: left;"><br /></div><div style="text-align: left;"> and the other alternate letters are rotated by 180 degrees:</div><div style="text-align: left;"><br /></div><div style="text-align: center;"><b><span style="font-family: courier; font-size: large;">u z e y m r i r s</span></b></div><div style="text-align: center;"><b><span style="font-size: large;"><br /></span></b></div><div style="text-align: left;">And if you put these letters together, you get:</div><div style="text-align: center;"><b><span style="font-size: large;"><br /></span></b></div><div style="text-align: center;"><b><span style="font-family: courier; font-size: large;">puzzle by martin russ</span></b></div><div style="text-align: center;"><b><span style="font-size: large;"><br /></span></b></div><div style="text-align: left;">Basically, your eyes are quite happy with rotations and mirroring if they affect the whole of the text, but if you do it on individual characters, then your brain stops being able to read it without a lot of concentration.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">You can use a variant of this technique to obfuscate text to avoid any simple dictionary-based text scanning program from finding any plain text that you have left as strings in a program. Just add 1 (or any other number - this is the 'key') to alternate letters (so A becomes B, etc.) 
and you have something that no longer looks like text:</div><div style="text-align: left;"><br /></div><div style="text-align: center;"><b><span style="font-family: courier; font-size: x-large;">PVZALFBZMBRUIORVST</span></b></div><div style="text-align: center;"><br /></div><div style="text-align: left;">This also wrecks conventional letter frequency analysis, has high entropy (so <i><b>binwalk</b></i> highlights it as keys!), and looks like strong crypto, except that the 'key' is a single (or double) digit number and there is no real crypto at all! Just obfuscation!</div><div style="text-align: left;"><br /></div><div style="text-align: left;">There are various things you can do to this to make it even more obscure. Adding '=' instead of spaces makes it look like broken Base-64 URL encoding, for example. Another wrinkle is to rotate through QUJZ?!=+ and use those as spaces, and now it looks like very broken Base-64 URL encoding! I'm sure you can figure out a neater variation, and then a fast encode/decode routine (the more obtuse the code, the better - my personal preference is to make it look like an AES routine, because people will then automatically assume that it is AES, and not delve any deeper...).</div><div style="text-align: left;"><br /></div><div style="text-align: left;">&lt;sound of frustrated cryptographer scouring the code, desperately looking for the key transfer mechanism (that isn't there!) so they can decode the above text....&gt;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">This text obfuscation trick alone is probably worth the time you have spent reading this!</div><div style="text-align: left;"><br /></div><div style="text-align: left;">---</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The other badge puzzle is simpler, but because it is in two parts, it is harder to spot. 
Plus, it is so simple that most people will dismiss it as being trivial.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">At the top, there is another NULLCON logo and another character grid, and then another bit of graphic at the bottom:</div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPg569GPUdo4wr2ZTYClLUFIU7mUbFQ0TA73Wu7eFMXYCixddyfn6YFG0h-vzpw0WpzZQFGeY9gEMtY4PSTBLIUzN1VJE9Mb3_c7o59asD8PKmwmj2MhngftnGk1aePn0w3WsBxd2Y737tN8x7DQuTukjbxN2ncYIpmMRGDZl5miQx2s0Ra5NTFezSnQ/s966/goa.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="534" data-original-width="966" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPg569GPUdo4wr2ZTYClLUFIU7mUbFQ0TA73Wu7eFMXYCixddyfn6YFG0h-vzpw0WpzZQFGeY9gEMtY4PSTBLIUzN1VJE9Mb3_c7o59asD8PKmwmj2MhngftnGk1aePn0w3WsBxd2Y737tN8x7DQuTukjbxN2ncYIpmMRGDZl5miQx2s0Ra5NTFezSnQ/w640-h354/goa.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The other puzzle is in two parts...</td></tr></tbody></table><br /><div style="text-align: left;">Note also that the bottom of the badge contains the first 24 characters of the answer to the first 'path map' puzzle, just to make it easier to solve that one!</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The top part of this is exactly what it looks like, another path map. This time, by tracing out the logo's path (not the edges!), you get 'GOA' 11 times, followed by 'BER' (Don't forget the turn upwards to get the 'R'!). It turns out that there have been eleven NULLCONs held in Goa, and this is the twelfth NULLCON - the first held in Berlin, Germany. 
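Going back to the alternate-letter shift from the 'puzzle by martin russ' section above, here it is written out as an added example. This is my code, not the author's: the function names, the tiny stand-in dictionary and the second sample phrase are all constructed for the example. It shows the encode and decode, a letter-entropy measure for the 'looks like key material' effect, and the check a string scanner would add once it knows the trick: there are only 26 shifts to try, so the plaintext comes straight back, which is exactly why this is obfuscation rather than encryption.

```python
# Added example (not the post's code): alternate-letter shift obfuscation.
# Follows the post's rule: capitals, no punctuation, no spaces, then add a
# small 'key' to every second letter.  Word list and sample phrases are
# constructed for this example; function names are my own.
import string
from collections import Counter
from math import log2
from typing import Tuple

ALPHABET = string.ascii_uppercase

# Tiny stand-in for the dictionary a string scanner would carry (constructed).
DICTIONARY = ("THE", "AND", "PUZZLE", "MARTIN", "SECURITY", "BERLIN")


def normalise(text: str) -> str:
    """Cryptographer's convention from the post: upper case, letters only."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def obfuscate(text: str, key: int = 1) -> str:
    """Shift every second letter (odd zero-based positions) by `key` mod 26."""
    out = []
    for i, ch in enumerate(normalise(text)):
        if i % 2 == 1:
            ch = ALPHABET[(ALPHABET.index(ch) + key) % 26]
        out.append(ch)
    return "".join(out)


def deobfuscate(blob: str, key: int = 1) -> str:
    """Undo obfuscate(): a negative shift reverses it, Python's % keeps it in range."""
    return obfuscate(blob, -key)


def letter_entropy(text: str) -> float:
    """Shannon entropy in bits per symbol over the letters present.  A high
    value on a short run of capitals is what makes entropy-based tools such
    as binwalk treat the string as key material."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * log2(c / n) for c in counts.values())


def recover_key(blob: str) -> Tuple[int, str]:
    """The defender's check: the key space is only 26 shifts, so try them all
    and stop at the first plaintext that contains a dictionary word."""
    for key in range(26):
        candidate = deobfuscate(blob, key)
        if any(word in candidate for word in DICTIONARY):
            return key, candidate
    raise ValueError("no shift yields a recognisable plaintext")


if __name__ == "__main__":
    blob = obfuscate("puzzle by martin russ")   # the post's own example
    print(blob)                                  # PVZALFBZMBRUIORVST
    print(f"entropy {letter_entropy(blob):.2f} bits/letter")
    print(recover_key(blob))                     # (1, 'PUZZLEBYMARTINRUSS')
    print(recover_key(obfuscate("security showcasing", key=5)))
```

The entropy figure is only a hint: on an 18-letter string the shifted and unshifted versions can have identical letter-count profiles, so it is the brute-force decode, not the statistics, that tells a scanner what it is looking at.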
</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The end of the path is a '*' (with 5 ends, not six... which isn't significant), and this leads to the bottom part of the puzzle, where the star points to a 3x9 matrix of dots, some of which are filled in, and some of which are empty. There are two clues to what to do here. The first is the 'puzzle by martin russ' text at the top of the badge - you have to rotate alternate characters by 180 degrees to be able to read all the characters. So rotate the badge 180 degrees (remember that the NULLCON logo has 180 degree rotational symmetry), and look at the 3x9 matrix - it spells: 'LIN'. The second clue is in the name text right at the bottom of the badge - it says: 'NULLCON 2022 Berlin Germany' (as you probably well know by now!). But look at the positioning of the 'Ber' text in the name, and the 'LIN' spelled out in the 3x9 matrix - do you see an alignment?</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLbF7jTB4A5c57c3LBlfPRA1MTR4sxGcFhMlPTlTN3rYcb7USU9zpZW9Yb30ZrvMJo2XMVsZmEhYNvmn46EFzdZX-do08GcgEjDLmLQ_4V1JIHAc6_C3Az-_7wrWbD5NjoZSPb6lOZaMiztiueXJRy42KvEp0bc7QYBTIu-lYZtZedORH_PDpAD9UJCw/s966/goa-2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="312" data-original-width="966" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLbF7jTB4A5c57c3LBlfPRA1MTR4sxGcFhMlPTlTN3rYcb7USU9zpZW9Yb30ZrvMJo2XMVsZmEhYNvmn46EFzdZX-do08GcgEjDLmLQ_4V1JIHAc6_C3Az-_7wrWbD5NjoZSPb6lOZaMiztiueXJRy42KvEp0bc7QYBTIu-lYZtZedORH_PDpAD9UJCw/w640-h206/goa-2.jpg" width="640" /></a></div>Yep, the size of the matrix and the arrow are set so that the 'Ber' and the 'Lin' line up, (you go up from the 'r' and you hit the 'L', and then go across backwards) as an extra clue! 
(plus the rotation aligns the logo again!) I did think about using the '|' vertical character instead of the lower case 'L', but decided that this made it too obvious...</div><div style="text-align: left;"><br /></div><div style="text-align: left;">So the 'puzzle by...' text, and the name text at the bottom of the badge are not accidental, and the size of the matrix and the arrow are connected to them. On a larger scale, this would be called a meta-puzzle...</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The second puzzle is thus a reminder of the history of NULLCON: 11 in Goa, and one in Berlin, Germany.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">So here's a photo of one of the winning entries:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWCK6K7zrIyh5AtDSCf7XyL14UHh7tqRlt2M6rAoMmZtPZLg52bbPwryj-TPN-XyayyDOvFChj5UFXTG-hbq2T2R0ePkEcuFplnfob-47rrY-V8ZQlLL4xDgso4kv4FZpPmb74ECKmbWPaxwMFdEXl2QPAL7JiCijVtbVZMh3RzW4ixxk8LmaKXaZt9Q/s1080/Badge%20Puzzle%20crop.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="957" data-original-width="1080" height="568" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWCK6K7zrIyh5AtDSCf7XyL14UHh7tqRlt2M6rAoMmZtPZLg52bbPwryj-TPN-XyayyDOvFChj5UFXTG-hbq2T2R0ePkEcuFplnfob-47rrY-V8ZQlLL4xDgso4kv4FZpPmb74ECKmbWPaxwMFdEXl2QPAL7JiCijVtbVZMh3RzW4ixxk8LmaKXaZt9Q/w640-h568/Badge%20Puzzle%20crop.jpg" width="640" /></a></div><br /><div style="text-align: left;">What I like about this is the way that an image of the badge itself has been annotated as the answer!</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div><span style="font-family: inherit;"><p><span style="font-family: inherit;">---</span></p><p><span style="font-family: inherit;"><br /></span></p><p><span 
style="font-family: inherit;">If you find my writing helpful, informative or entertaining, then please consider visiting this link (only one store for all my blogs!):</span></p><div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; orphans: auto; text-size-adjust: auto; widows: auto;"><div style="font-size: 18.72px; font-weight: 700;"><span style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><a class="bmc-button" href="https://teespring.com/en-GB/stores/synthesizerwriters-store" target="_blank"><span style="margin-left: 5px;">Synthesizerwriter's Store</span></a> (New 'Modular thinking' designs now available!)</span></span></div><p style="font-size: 18.72px; font-weight: 700;"></p><div style="font-size: 18.72px; font-weight: 700;"><div style="margin: 0px;"><span style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><a class="bmc-button" href="https://www.buymeacoffee.com/synthwriter" target="_blank"><img alt="Buy me a coffee" src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg" /><span style="margin-left: 5px;">Buy me a coffee</span></a> (Encourage me to write more posts like this one!)... 
or...</span></span></div><div><span style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><br /></span></span></div></div></div></span></div><div><a href="https://ko-fi.com/W7W5BM4JX" target="_blank"><img alt="Buy Me a Coffee at ko-fi.com" border="0" height="36" src="https://cdn.ko-fi.com/cdn/kofi3.png?v=3" style="border: 0px; height: 36px;" /></a> (Encourage me via a different route entirely...)</div><div><br /></div><div>Or just tell someone else that there's this amazing blog about security</div><div><br /></div><div><br /></div><div> </div><p><br /></p> </div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"> </div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div>Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.com0tag:blogger.com,1999:blog-1819506037441529726.post-65781505405398722112022-03-24T07:55:00.002-07:002022-04-19T08:48:00.208-07:00<p><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px;">The ongoing uncertainty in the-world-at-large (just choose your area of concern...) 
is probably going to increase the risk of cyber attacks, so what can you do to reduce your risks of being affected?</span></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsMCdaEMm02SuXSb9tpHK8jlPGUFXC6yO15352PJGpg8qf4cb53uuTQdVD1bHIg9uprVkKGoPGNN-EkyG7F5KNr0PjbK6opspqe5zAeoPfyJJ_HV0Djv8nyJJTUv3zE8iwxNdt90lXA8-hdu7O7yBk47dm6DjK8ay3Tq15rD14MzVSQqAZXG54ED0HAw/s6016/olieman-eth-r8VbpgMS6Uc-unsplash.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="4016" data-original-width="6016" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsMCdaEMm02SuXSb9tpHK8jlPGUFXC6yO15352PJGpg8qf4cb53uuTQdVD1bHIg9uprVkKGoPGNN-EkyG7F5KNr0PjbK6opspqe5zAeoPfyJJ_HV0Djv8nyJJTUv3zE8iwxNdt90lXA8-hdu7O7yBk47dm6DjK8ay3Tq15rD14MzVSQqAZXG54ED0HAw/s320/olieman-eth-r8VbpgMS6Uc-unsplash.jpg" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">Photo by </span><a href="https://unsplash.com/@moneyphotos?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="text-align: left;">olieman.eth</a><span style="text-align: left;"> on </span><a href="https://unsplash.com/s/photos/security?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="text-align: left;">Unsplash</a></td></tr></tbody></table><p><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px;">Here are 5 practical things to do. 1-4 apply to individuals or corporates, 5 is probably developers only...</span></p><p><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px;">1. This is a good time to check your backup processes. Many people just make backups and never check that they can do a restore successfully. 
Get an old computer and try to restore some files to it. You would be surprised at how many people find problems with their backup process just by trying to do a restore. </span></p><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;">2. Spear-phishing and phishing attacks, via email, texts and other messaging services, can give bad guys a foothold for breaching your systems. Make sure that everyone in your family, group or company knows not to click on links in emails, texts or messages. It doesn’t matter how important the sender is, or how urgent it sounds, or how great the offer is, don’t fall for it - don’t click on links!</div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;"><br /></div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;">3. If you have been putting off 2FA or MFA, then now is a good time to implement it. Two-Factor Authentication and Multi-Factor Authentication are very good ways of making it much harder for someone to attack your systems. They take a few minutes to add, and make you much more secure against attack.</div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;"><br /></div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;">4. The tension in the world is a good opportunity to get people to change to a Password Manager, and to implement stronger, longer passwords - and a different one for every service. Yep - different for everything!</div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;"><br /></div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;">5. 
For developers, the news of the Anonymous hacking of Russian IT systems has probably led to an increased interest in cyber security. Visit <a href="https://owasp.org/www-project-top-ten/">https://owasp.org/www-project-top-ten/</a> as your first step towards making your code more secure. Visit <a href="https://owasp.org/www-project-juice-shop/">https://owasp.org/www-project-juice-shop/</a> to start learning about how to make your web-apps more secure. </div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;"><br /></div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;">And a word from me as one of the leaders of the Suffolk Chapter of OWASP:</div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;"><br /></div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;">The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences. 
The Suffolk Chapter has lots of videos on a wide range of cyber security topics: <a href="https://owasp.org/www-chapter-suffolk/">https://owasp.org/www-chapter-suffolk/</a> and we also do live demos of pen testing software, as well as live discussion on many security topics...</div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;"><br /></div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; text-size-adjust: auto;"><div>---</div><div><p>If you find my writing helpful, informative or entertaining, then please consider visiting the following link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):<br /><br /></p><div><div style="margin: 0px;"><a class="bmc-button" href="https://www.buymeacoffee.com/synthwriter" target="_blank"><img alt="Buy me a coffee" src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg" /><span style="margin-left: 5px;">Buy me a coffee</span></a></div></div><p><br /></p><p><br style="font-family: Times; font-size: medium;" /></p></div></div>Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.com0tag:blogger.com,1999:blog-1819506037441529726.post-26139029545664500252021-11-13T10:55:00.000-08:002021-11-13T10:55:42.285-08:00Obfuscation for puzzles...<p>Obfuscation, the art of hiding things in plain sight, is a key part of designing puzzles. 
Here's one useful example that is much more complex than it might at first appear to be...</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi5So__AalrqVy-ScdsEBU6bRCFvchID2XZZAcTNFv2g5hvfi8yNSQMc6E7W41tBg1bWyAkIuU24baR9Blmb1N7RyI9072VIgltN7MA921GbhVDgSE5S_XAGnSDoyOGRoxmvXKDk3bSLGPGpY0IYlq0m8qqxMwOCmjOHcCpv31pNMIONlw0Ql4Nvj9qVQ=s2048" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1538" data-original-width="2048" height="480" src="https://blogger.googleusercontent.com/img/a/AVvXsEi5So__AalrqVy-ScdsEBU6bRCFvchID2XZZAcTNFv2g5hvfi8yNSQMc6E7W41tBg1bWyAkIuU24baR9Blmb1N7RyI9072VIgltN7MA921GbhVDgSE5S_XAGnSDoyOGRoxmvXKDk3bSLGPGpY0IYlq0m8qqxMwOCmjOHcCpv31pNMIONlw0Ql4Nvj9qVQ=w640-h480" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Photo by <a href="https://unsplash.com/@vishnumaiea?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Vishnu Mohanan</a> on <a href="https://unsplash.com/s/photos/seven-segment?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></td></tr></tbody></table><h3 style="text-align: left;">Seven Segment Displays</h3><div>In the 21st Century, LCDs, OLEDs and all sorts of other sophisticated display technologies make it increasingly easy to provide alphanumeric (or beyond) indications to users. But some older display technologies still get used, for any number of reasons - from nostalgia to retro-design to simply saving space to pure perversity, and more. </div><div><br /></div><div>One such display (nostalgia, not perversity) is the '<a href="https://en.wikipedia.org/wiki/Seven-segment_display" target="_blank">Seven Segment'</a> display. 
Seven LEDs are arranged in a figure-of-'8' shape, and can display all of the numbers from 0 to 9 by turning on some of the LEDs, or all of them for an '8'. The number '8' is a special number in some cultures, and in electronics, displaying the number '8' causes the highest current consumption in seven segment displays! </div><div><br /></div><div>But seven segment displays can also display more than just the numbers - and this ignores the decimal point or full stop or period LED that is sometimes available to the left or right of the seven LED segments. With a little imagination, the '5' could be a capital (upper case) 'S', the '0' could be a capital 'O', and so on. Requiring more stretching of the imagination, the '9' might be a raised 'g', the '2' might be a capital 'Z'... Just by using those seven segments as raw source material, many other letters can be produced: capital letters like 'U' and 'P' and 'C', for example. Lower case letters like 't' and 'o' and 'b' and 'd' are okay, but some letters are more challenging. A capital 'Y' can be produced by turning off the top LED in a curly '9', for example. </div><div><br /></div><div>But some letters are just plain difficult to produce on a seven segment display. Examples include: M, m, W, w, X, x, e, Q, q, etc. This doesn't mean that they can't be 'expressed' on the display, it means that their appearance might not be immediately obvious. At which point, we have obfuscation.</div><div><br /></div><h3 style="text-align: left;">Seven Segment Font</h3><div>Preparing puzzles for online use, or the CAD files to enable conference badges or other physical objects, often requires a TrueType font (almost 'de facto' for many typographical purposes nowadays). 
But fonts based on seven segment displays aren't all that common...</div><div><br /></div><div>So <a href="https://github.com/weavermedia/deluge-led-font?fbclid=IwAR0dNTx0U0GPTNHxYrVkdm3UUlq4PMhSv-pJ7M8vC2LipziNfalnWS7d7mQ" target="_blank">here's one</a> based on the coding used on the <a href="https://synthstrom.com/product/deluge/" target="_blank">Synthstrom Audible 'Deluge' groovebox</a>, an amazing piece of musical technology that is part sequencer, part synthesizer, part drum machine, part sampler, part DAW and part effects unit, plus a few other parts. For its display, it uses just four seven segment LEDs, plus a few other LEDs underneath buttons, as part of the user interface, with the seven segment displays used for text and numbers (which scroll across - thus increasing the effective width to arguably 'more than 4' characters). The Deluge also comes from New Zealand, which is sort of a link with the 'Kiki' in the picture at the start of this blog post!</div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjdMsRjq2ym_YI-9q-bbKFlzHBWbnSltTQFRVaKUdx7G27P-GHOUM8hqXXQW3q1afFkuLMjFyqjBnk5bOEOlxAxknNdFM6CTr7gczN4oLSc6hYVjdSaU7KTxAlpKTL86YQkEVxnnlup_h4ie_P9W5nohfWundvciAibvlKEPw5sr6q0oehFcxw_pIWKoA=s1200" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="800" data-original-width="1200" height="426" src="https://blogger.googleusercontent.com/img/a/AVvXsEjdMsRjq2ym_YI-9q-bbKFlzHBWbnSltTQFRVaKUdx7G27P-GHOUM8hqXXQW3q1afFkuLMjFyqjBnk5bOEOlxAxknNdFM6CTr7gczN4oLSc6hYVjdSaU7KTxAlpKTL86YQkEVxnnlup_h4ie_P9W5nohfWundvciAibvlKEPw5sr6q0oehFcxw_pIWKoA=w640-h426" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">From: <a 
href="https://github.com/weavermedia/deluge-led-font?fbclid=IwAR0dNTx0U0GPTNHxYrVkdm3UUlq4PMhSv-pJ7M8vC2LipziNfalnWS7d7mQ" style="font-family: Helvetica; font-size: 12px; text-align: start; text-size-adjust: auto;">https://github.com/weavermedia/deluge-led-font?fbclid=IwAR0dNTx0U0GPTNHxYrVkdm3UUlq4PMhSv-pJ7M8vC2LipziNfalnWS7d7mQ</a></td></tr></tbody></table><br /><div>As you can see, some of the problematic letters, like lower case 'a' and 'e', have just been turned into their upper case, capital alternative. But the 'M', 'W', 'K' and 'X' are very distinctive, because the lower and upper case are the same, but they are also difficult to read at first glance. Oooh! Obfuscation. </div><div><br /></div><div>Even more interestingly, some of the upper case (capital) letters are deliberately turned into lower case, even when an upper case exists. 'o' is an example - it is used for the upper case (capital) and lower case, even though a zero '0' could be used, although that might be confusing in some circumstances... Conversely, some are left as upper case, even when a lower case alternative exists: 'c' and 'u', and maybe 'j'.</div><div><br /></div><div>But for puzzles, a font like this is an almost perfect way of providing a mixture of familiarity and unfamiliarity, all at the same time. Careful choice of words enables clues and hints to be given in varying degrees of obscurity: 'CLUE' for example, is easy to read in the font, whilst 'MIX' is much harder at first glance. </div><div><br /></div><div>Yes, there are <a href="https://www.fontget.com/font/lcd-att-phone-timedate/" target="_blank">other 'seven segment' fonts</a>, but this one has an electronic music connection, and is pretty distinctive, so it has huge appeal to me for use in puzzles. 
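</div><div>The 'CLUE is easy, MIX is hard' point can be made concrete with a few lines of code. This is an added example, not part of the post and not the Deluge font's own glyph table: the segment patterns below are my own assumptions for the digits and for the letters the post calls easy, and the letters the post calls difficult are deliberately left out, so the renderer can report them as having no unambiguous glyph. Segment names follow the usual a (top) to g (middle) convention.</div>

```python
# Added example (not from the post or the Deluge font): a minimal seven-segment
# renderer showing why some words stay legible on a 7-segment display and others
# do not. Segment names follow the usual convention:
#   a = top, b = top-right, c = bottom-right, d = bottom,
#   e = bottom-left, f = top-left, g = middle.
A, B, C, D, E, F, G = (1 << i for i in range(7))

# Glyphs chosen for this example (assumed, not the Deluge font's own table).
# Letters with no obvious seven-segment shape (M, W, X, ...) are left out on purpose.
GLYPHS = {
    "0": A | B | C | D | E | F,      "1": B | C,
    "2": A | B | D | E | G,          "3": A | B | C | D | G,
    "4": B | C | F | G,              "5": A | C | D | F | G,
    "6": A | C | D | E | F | G,      "7": A | B | C,
    "8": A | B | C | D | E | F | G,  "9": A | B | C | D | F | G,
    "C": A | D | E | F,  "E": A | D | E | F | G,  "L": D | E | F,
    "U": B | C | D | E | F,  "I": B | C,  "P": A | B | E | F | G,
    "S": A | C | D | F | G,  "O": A | B | C | D | E | F,
    "Y": B | C | D | F | G,  # the curly '9' with the top segment turned off
}

def encode(text):
    """Map each character to its segment bitmask, or None if it has no glyph."""
    return [GLYPHS.get(ch.upper()) for ch in text]

def hard_letters(text):
    """Characters that cannot be shown unambiguously with these glyphs."""
    return [ch for ch in text if ch.upper() not in GLYPHS]

def render(text, gap=" "):
    """Three-line ASCII art of the text; a '?' column marks characters without a glyph."""
    cells = []
    for mask in encode(text):
        if mask is None:
            cells.append([" ? ", " ? ", " ? "])
            continue
        cells.append([
            " _ " if mask & A else "   ",
            ("|" if mask & F else " ") + ("_" if mask & G else " ") + ("|" if mask & B else " "),
            ("|" if mask & E else " ") + ("_" if mask & D else " ") + ("|" if mask & C else " "),
        ])
    return [gap.join(cell[i] for cell in cells) for i in range(3)]

if __name__ == "__main__":
    for word in ("CLUE", "MIX", "2022"):
        print(word, "- letters without a glyph:", hard_letters(word))
        print("\n".join(render(word)))
```

<div>Running it prints 'CLUE' and '2022' as recognisable segment art and flags 'M' and 'X' in 'MIX' as having no glyph; that flagged list is exactly the 'degree of obscurity' a puzzle setter is choosing when picking words for a font like this.</div><div>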
Curiously, some of the <a href="https://www.fontget.com/font/patopian-1986/" target="_blank">alternatives</a> cheat by using <a href="https://www.dafont.com/seven-segment.font" target="_blank">more than seven segments</a>!</div><div><br /></div><div>---</div><div><p>If you find my writing helpful, informative or entertaining, then please consider visiting the following link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):<br /><br /></p><div><div style="margin: 0px;"><a class="bmc-button" href="https://www.buymeacoffee.com/synthwriter" target="_blank"><img alt="Buy me a coffee" src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg" /><span style="margin-left: 5px;">Buy me a coffee</span></a></div></div><p><br /></p><p><br /></p></div><div><br /></div><div><br /></div>Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.com0tag:blogger.com,1999:blog-1819506037441529726.post-24208342854214383822021-11-12T03:04:00.002-08:002021-11-12T03:04:44.740-08:00Numbers that don't exist...<p>The images and sounds that you see and hear in movies and on the television are carefully crafted, constructed, produced... and more. Clothes might be 'product placement', but they might also be custom made so that they 'look' kind of like famous brands, but aren't - which means that showing them on screen isn't advertising, and it isn't trademark, logo or brand infringement. Music might be re-recorded so that it sounds very similar to the real thing, but again, is merely very close - the <a href="https://www.bbc.co.uk/programmes/b006mj59" target="_blank">BBC's Top Gear</a> 'classic' theme tune is just one example. 
It might sound like '<a href="https://en.wikipedia.org/wiki/Jessica_(instrumental)" target="_blank">Jessica</a>' by the <a href="https://en.wikipedia.org/wiki/The_Allman_Brothers_Band" target="_blank">Allman Brothers</a>, but actually it is a cover version, or a re-recording, and as it turns out, there are <a href="https://topgear.fandom.com/wiki/Jessica_(instrumental)" target="_blank">several versions that all sound like it</a>. </p><p>Then there are Search Engines on computer screens, which again, look 'almost familiar'... And URLs... And Operating Systems... This 'nothing you see or hear is real' extends to a whole set of logos, brands, advertising and all sorts of other things which can be covered by copyrights, trademarks, etc. It's a complicated business, and there are people whose job it is to make sure that all of these are thought about - in advance. (Which is, of course, also what Security people do!)</p><p>Then there are things that you might be surprised about, like: Numbers. 
</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhhaM4nGernq7x2F2B-8jK2LEIJ0KlL_bHbK0bIjKEmcRfKTftiBTlvEF2bjWHgj-Nm2fAXiXxU0vnn75WYoa1gP3N0lGUa4c0Ox2E-5EbFkr8iyerN_YDwfXIl6GT5NLIkLFlGPWw5XuLeM2L40PQ6hXW4V0LdS9Sd9oZoUt05JXalUJiVA5K29UJ3FA=s2048" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1366" data-original-width="2048" height="426" src="https://blogger.googleusercontent.com/img/a/AVvXsEhhaM4nGernq7x2F2B-8jK2LEIJ0KlL_bHbK0bIjKEmcRfKTftiBTlvEF2bjWHgj-Nm2fAXiXxU0vnn75WYoa1gP3N0lGUa4c0Ox2E-5EbFkr8iyerN_YDwfXIl6GT5NLIkLFlGPWw5XuLeM2L40PQ6hXW4V0LdS9Sd9oZoUt05JXalUJiVA5K29UJ3FA=w640-h426" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">Photo by </span><a href="https://unsplash.com/@purzlbaum?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="text-align: left;">Claudio Schwarz</a><span style="text-align: left;"> on </span><a href="https://unsplash.com/s/photos/telephone-number?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="text-align: left;">Unsplash</a></td></tr></tbody></table><h3 style="text-align: left;">Telephone Numbers</h3><p>Whenever a movie or a television programme uses a telephone number, there will inevitably be some people in the audience who will dial that number. 'Just to see what happens!' is the usual thing that people say when they do this. So, for a popular programme, even a small percentage of 'Let's see...' 
people trying to dial the number could potentially cause a large shift in the use of the telephone network, or the Internet, or the Mobile/Cell telephone network, and could potentially cause something broadly similar to a Denial of Service (DoS) attack...</p><p>So, broadcasting numbers in movies and television can be considered to be a security issue. DoS attacks are just one facet of the problem, though. Can you imagine the legal problems if the telephone number happened to be the actual number of a real person or company? Suddenly it has become a privacy problem, or a data breach... But how do you find a number that is guaranteed not to ring someone's phone? Just making up a number at random could easily be a real 'live' number - someone's number!</p><p>As it happens, such numbers do exist. In the UK, <a href="https://www.ofcom.org.uk/" target="_blank">OFCOM</a>, the telecommunications regulator, maintains and publishes a list of numbers that can be used in movies, television, radio, etc. <a href="https://www.ofcom.org.uk/phones-telecoms-and-internet/information-for-industry/numbering/numbers-for-drama" target="_blank">Here is one set.</a> </p><p>One security-related application of numbers like this is when you are required to give a telephone number as part of a registration process. If you don't want to give your real telephone number, perhaps because of privacy concerns, then using a number that doesn't exist (and is more or less guaranteed to stay like that) seems like a good alternative. 
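</p><p>From the form-builder's side, the registration scenario just described looks like this. What follows is an added example, not code from the post: a deliberately restrictive 'digits only, must start with 0' check of the kind many web forms use, next to a normaliser that turns the common ways people write a number into the E.164 '+' form and refuses only the genuinely ambiguous cases. The sample number is taken from the 07700 900000 to 07700 900999 range that Ofcom reserves for drama use, so it will not ring anyone; the function and constant names are my own.</p>

```python
# Added example (not from the post): handling a telephone-number field in a
# registration form without rejecting legitimate formats. A number from the
# Ofcom drama range is accepted like any other, and the '+' international
# prefix is kept rather than refused.
import re

UK_COUNTRY_CODE = "44"

# Ofcom reserves 07700 900000 to 07700 900999 for drama use; this one is
# from that range and will not ring anyone's phone.
DRAMA_MOBILE = "07700 900123"


def digits_only_validator(value):
    """The restrictive form check: digits only, UK-style, must start with 0.
    This is the kind of check that rejects every international format
    (and even a space in the number)."""
    return re.fullmatch(r"0\d{9,10}", value) is not None


def normalise_e164(value, default_country_code=UK_COUNTRY_CODE):
    """Turn the usual ways people write a number into +<country code><number>.

    Accepts:  +44 7700 900123 / 0044 7700 900123 / +44 (0) 7700 900123 / 07700 900123
    Rejects:  447700900123 (no '+' and no trunk '0', so which country is it?)
    Returns the E.164 string, or None when the input is ambiguous or malformed.
    """
    value = re.sub(r"\(0\)", "", value)            # drop the '(0)' UK convention
    compact = re.sub(r"[\s\-().]", "", value)      # spaces, dashes, brackets, dots
    if compact.startswith("+"):
        national = compact[1:]
    elif compact.startswith("00"):                 # international access code used in the UK/EU
        national = compact[2:]
    elif compact.startswith("0"):                  # trunk prefix: assume the default country
        national = default_country_code + compact[1:]
    else:
        return None
    if not national.isdigit() or not 8 <= len(national) <= 15:  # E.164 allows at most 15 digits
        return None
    return "+" + national


def is_uk_drama_mobile(e164):
    """True for the Ofcom drama mobile range once a number is in E.164 form."""
    return e164 is not None and re.fullmatch(r"\+447700900\d{3}", e164) is not None


if __name__ == "__main__":
    for sample in (DRAMA_MOBILE, "+44 7700 900123", "0044 7700 900123", "447700900123"):
        print(f"{sample!r:22} digits-only ok: {str(digits_only_validator(sample)):5} "
              f"E.164: {normalise_e164(sample)}")
```

<p>The design choice worth noticing is in the last branch of normalise_e164: a bare '447700900123' is returned as None rather than guessed at, because a validator that silently 'fixes' an ambiguous input is how a real person's number ends up on file by accident.</p><p>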
</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjv9I_Uw47zP_l-GHWhipz73pNxL-Tui4w87vIhmEtQHRe9hDYZh0RJZm2QJwMDs4Bwk96SmYaCBYrE5K-hYA_DcBnFx3TmHLSB3iHCC_cp2qGmTeMaJlmFc2KCHKm0LWwFE4Xlks0zVz0MwBBrEAfG0seOB5VBZCpojPCYPWb3YCutLkDBPX7aYUcdyA=s2048" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1362" data-original-width="2048" height="426" src="https://blogger.googleusercontent.com/img/a/AVvXsEjv9I_Uw47zP_l-GHWhipz73pNxL-Tui4w87vIhmEtQHRe9hDYZh0RJZm2QJwMDs4Bwk96SmYaCBYrE5K-hYA_DcBnFx3TmHLSB3iHCC_cp2qGmTeMaJlmFc2KCHKm0LWwFE4Xlks0zVz0MwBBrEAfG0seOB5VBZCpojPCYPWb3YCutLkDBPX7aYUcdyA=w640-h426" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Photo by <a href="https://unsplash.com/@b0rno?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Ryan Born</a> on <a href="https://unsplash.com/s/photos/credit-card?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></td></tr></tbody></table><h3 style="text-align: left;">Test Numbers and Letters</h3><p>Another number that you might see on screen (or in photographs for advertising) is the credit card, and this time, the reasoning behind not using someone's real number is kind of obvious - and once again, it is a security concern. But how do you test computer systems that use credit cards for making purchases? Do developers use their own personal credit card numbers? Maybe there are special 'test' credit card numbers as well? There are! <a href="https://support.bluesnap.com/docs/test-credit-card-numbers" target="_blank">Here are just some.</a></p><p>Credit card numbers include a check digit that indicates if they are correct, for example. 
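</p><p>The check digit just mentioned is the Luhn checksum (ISO/IEC 7812), which the post does not name. As an added example that is not the post's own code, here is the check written out: every second digit from the right is doubled (with 16 becoming 1 + 6 = 7), the digits are summed, and a valid number makes that sum a multiple of 10. The function names are my own; the 4111 1111 1111 1111 number is a widely published Visa test number, not a live card.</p>

```python
# Added example (not from the post): the Luhn check digit used on payment
# card numbers. A single mistyped digit, and most swaps of adjacent digits,
# break the checksum, which is why a number can be rejected on the spot.

def luhn_sum(digits):
    """Luhn sum of an iterable of ints given rightmost digit first."""
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == 1:              # every second digit from the right
            d *= 2
            if d > 9:               # e.g. 16 -> 1 + 6 == 16 - 9
                d -= 9
        total += d
    return total

def _clean(number):
    """Drop the spaces and dashes people type; reject anything non-numeric."""
    s = number.replace(" ", "").replace("-", "")
    if not s.isdigit():
        raise ValueError("card number must contain only digits, spaces or dashes")
    return s

def luhn_valid(number):
    """True when the number, including its final check digit, passes the check."""
    s = _clean(number)
    return luhn_sum(int(c) for c in reversed(s)) % 10 == 0

def luhn_check_digit(payload):
    """The check digit that makes payload + digit Luhn-valid."""
    s = _clean(payload)
    # The check digit will sit at position 0 from the right, so the payload's
    # rightmost digit lands at position 1 (doubled): a leading 0 shifts it there.
    partial = luhn_sum(int(c) for c in "0" + s[::-1])
    return str((10 - partial % 10) % 10)

if __name__ == "__main__":
    # 4111 1111 1111 1111 is a widely published Visa test number, not a live card.
    test_card = "4111 1111 1111 1111"
    print(test_card, "valid:", luhn_valid(test_card))
    typo = "4111 1111 1111 1112"          # one digit wrong
    print(typo, "valid:", luhn_valid(typo))
    print("check digit for 411111111111111:", luhn_check_digit("411111111111111"))
```

<p>Note what Luhn does and does not give you: it catches typing mistakes, but passing the check says nothing about whether a card exists or is issued, which is exactly why published test numbers such as the one above are Luhn-valid yet safe to put on screen.</p><p>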
This is so that when quoted over the telephone, or online, they can be immediately validated. Many other similar numbers (or lists of numbers and letters) also have built-in checks. </p><p>Once you get into this mind-set, then all sorts of other numbers pop up. How about street numbers that don't actually exist for a road? How about non-existent Post Codes, Zip Codes, or other postal coding systems? UK Post Codes are interesting, because there's <a href="https://www.royalmail.com/find-a-postcode" target="_blank">an online way of checking if they are valid</a>, so you cannot use a 'test' or 'unissued' one, because they are invalid. UK Post Codes can be quite specific about the addresses they cover, and so they give away lots of information about the location. Once you start mixing numbers and letters, then just about every method of providing a 'unique' identifier probably has an in-built (and online) way of verifying if it exists, and this may deliberately prevent any generic, test, or anonymous identifiers. </p><h3 style="text-align: left;">Predefined List</h3><p>UK Post Codes lead to another interesting aspect of validation of numbers or letters by software. One of the security-driven responses to web-forms that have text fields in them is to restrict what can be entered: (A-Z, a-z, 0-9), for example. But another approach is to pre-define the contents to a list. So for Post Codes, you might have a pop-up menu that requires the selection of the first letter at the start of the Post Code. There are a limited number of possible entries (A to Z...), so selection is relatively easy/quick, and so if you live in Manchester, you would select 'M'. But you can't enter anything else, other than those that are shown. (Some letters are not used to start UK Post Codes: X and Q are two examples...). 
So this forces you to enter a real letter for a real location - there is no way to enter a generic or non-existent location.</p><p>So a security fix (stopping people typing any text into a field) turns into a privacy problem where only a specific entry can be made. This can happen with telephone numbers, where the number is checked and rejected if it is found to be 'invalid'. This sounds okay, until you try to enter international numbers... If the text field is limited to just the digits 0 to 9, then how do you add the International Dialing Prefix? ('44' for the UK, for example) The usual convention is to add a + symbol, then the prefix, 44, and then the number, but omitting any leading zero. Except that if you can't enter the '+', then the number starts with 44, and this is going to be automatically rejected by any validation code that knows that telephone numbers always start with '0' (zero). </p><h3 style="text-align: left;">The Security/Privacy/Validation Dilemma</h3><p>Which leads to a difficult area of software design. How do you make software that can interact with people, but which is security-conscious (choosing from a pre-defined list is preferred to a text field that will accept a limited set of characters), which allows anonymity or privacy (not filling in your middle name, your age, your gender...), but which can also be validated to check that you have not put in an incorrect response by accident/mistake/deliberately? This is not an easy triangle to navigate...</p><p>Just one emerging example. Before the pandemic, cash was a way of paying for something anonymously. Post-Covid, cash has become much less acceptable, and 'electronic' or 'contactless' payment methods have become much more the 'norm'. But are the payments then anonymous? </p><p><b>Is the future a world where the need for security and validation of data outweighs personal privacy? 
Has privacy always been an illusion anyway?</b> </p><p>(And why do some people spell 'dilemma' as 'dilemna', and insist that they were taught that way at school?) </p><p><br /></p>Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.com0tag:blogger.com,1999:blog-1819506037441529726.post-29588919198731780512021-11-03T09:15:00.008-07:002021-11-04T05:14:07.575-07:00Hardwear.IO Netherlands 2021 Badge Puzzle<p>Attendees at the <a href="http://Hardwear.IO">Hardwear.IO</a> Netherlands 2021 security conference got a plastic badge with a puzzle on it... Yep, another of my puzzles - or, maybe, two of my puzzles:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiZnSKe60bCUeyCef4rLzq02syWzZwlraB9y1neFrnMGl-_PkMWoP99Muw6H-DUAJ_aJSHfx8G6fRyMDT8O_PKwrzQcDzH0h5-geyxeJ86HAvAE-fkhkpCjY2uWw5oYDmadCmyYXbcTl6TDXfqrIKSgc9OdM-9SU6S4LftsHc0qM94zMjfbm3mSV22YPw=s2048" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1382" data-original-width="2048" height="432" src="https://blogger.googleusercontent.com/img/a/AVvXsEiZnSKe60bCUeyCef4rLzq02syWzZwlraB9y1neFrnMGl-_PkMWoP99Muw6H-DUAJ_aJSHfx8G6fRyMDT8O_PKwrzQcDzH0h5-geyxeJ86HAvAE-fkhkpCjY2uWw5oYDmadCmyYXbcTl6TDXfqrIKSgc9OdM-9SU6S4LftsHc0qM94zMjfbm3mSV22YPw=w640-h432" width="640" /></a></div><div><br /></div><div>Obfuscation is the art of hiding things in plain sight. 
QR codes are one example - they are a way of obscuring a URL from being read too easily. Of course, if you don't know what they are, then they might appear to be 'magic' or 'secure' in some way. Some obfuscation is so entrenched that it can appear to be 'obvious' - ASCII codes for letters and numbers, for example. Unless, that is, you were raised when EBCDIC was the standard... </div><div><br /></div><div>Puzzles are logical obfuscations, where the obscuring process can be undone...</div><div><br /></div>The orange plastic makes it quite hard to see some of the numbers, so here's the original diagram:<div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgbs2PNWylI-Vc0yPE2GXE98wCaYnuOXJTgcZOLHekGfHdzvlYo0SWT6m8502vp1qC4cgGWUoricsR_IkUffY4AJiqTSJqTWi5Nw06H6E9YgMChqL9kOykx_X1nfTsvj_9KrQld66cOOXg6mPk1ORbls46ETPhRKKgQYtYD4q6dtzwQWlQWin_QJpJLaQ=s2048" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1095" data-original-width="2048" height="342" src="https://blogger.googleusercontent.com/img/a/AVvXsEgbs2PNWylI-Vc0yPE2GXE98wCaYnuOXJTgcZOLHekGfHdzvlYo0SWT6m8502vp1qC4cgGWUoricsR_IkUffY4AJiqTSJqTWi5Nw06H6E9YgMChqL9kOykx_X1nfTsvj_9KrQld66cOOXg6mPk1ORbls46ETPhRKKgQYtYD4q6dtzwQWlQWin_QJpJLaQ=w640-h342" width="640" /></a></div><br />The idea here was to have as few instructions as possible. The big arrow indicates that there is a left-to-right flow, and presumably the answers go in the boxes on the right. </div><div><br /></div><div>As a puzzle creator, one good starting point is to provide clues to how to find the answer, and to make the clues obvious, but not too obvious. 
So rather than just give you the solution up front, here are a few hints, and if you keep scrolling, then you will find the solution...</div><div><br /></div><h3 style="text-align: left;">Hints</h3><div><br /></div><div>The second box on the lower row looks like 'NL' and so is presumably a clue to the conference being in the Netherlands - which attendees will already know, of course! But what it actually is doing is showing that there is something significant in the strokes used to make the N and the L shapes. </div><div><br /></div><div>The box directly above it on the top row is also a clue, but for a different reason. There are 23 question marks, plus an 'A' and a '1'. At first glance, the A and the 1 are almost invisible because of the visual clutter. </div><div><br /></div><div>The first boxes on the left contain two very different contents - deliberately. The top box has a 5x5 grid of two digit numbers, and the next box along to the right also has a 5x5 grid... The lower box has 6 rows, and the length varies from 3 to 6 characters. </div><div><br /></div><div>And there's that big arrow pointing from left to right... but also pointing to some smaller arrows connecting the two final boxes on the right. Maybe the contents of those boxes are similar in some way?</div><div><br /></div><div>The top row has a box with just arrows inside it, which could indicate a path of some sort... There are 5 rows again in this box.</div><div><br /></div><div>The lower row has a 6x11 box with just 1s and 0s. 11 digits is unusual for binary numbers, so interpreting the first one as 0x00010000101000 (and so on) might not be the right approach. Is there another use that an array of 1s and 0s might be used for? Could it be an image mask of some sort? My puzzles tend to be based on hardware (sometimes with software) and so there's often a 70s or 80s bias to my metaphors. 
</div><div><br /></div><div>The top row does have a box that looks like a raster scan - and it is directly above the 6x11 masking box. Could this be a clue as well? </div><div><br /></div><div>The left-most box on the top row contains two digit numbers. Many of my puzzles contain ASCII and other codings for numbers. So what sort of tests could you apply to numbers to see if they are ASCII encoded versions of text? If you were investigating a piece of real hardware, looking for how it stored data, especially if it wanted to have some security for the data, would it always be in an ASCII encoded form? </div><div><br /></div><div>My puzzles are intended to be educational, particularly for people who want to find out how hardware and security are intermingled in the real world. Knowing how to spot ASCII-encoded characters can often be a good starting point to working out where strings are stored in memory. Knowing that blocks of high entropy data might well be encryption keys is another useful piece of information to have in your mind. And how could high entropy data be hidden? How do you remove entropy so that it isn't as obvious? Could the 6x11 grid of 1s and 0s be doing something with entropy? </div><div><br /></div><div>Cryptographers tend to break text into blocks of 5 characters, and the left hand box on the lower row deliberately has between 3 and 6 characters in the rows - and none of the rows has 5 characters! This is not accidental...</div><div><br /></div><div>The first thing that you tend to see in the puzzle is the big arrow from left to right. There's a circle at the start, so is this meant to be a vector? A pointer? A direction indicator? </div><div><br /></div><div>Finally, there are two small dots in the right hand 'empty' boxes. In the diagram above, these are shown in black. This might be an additional clue... Almost nothing in my puzzles is there by accident. 
</div><div><br /></div><h3 style="text-align: left;">The Solutions</h3><div><br /></div><div>If you are still reading, then you might well be</div><div><br /></div><div>looking</div><div><br /></div><div>for</div><div><br /></div><div>the </div><div><br /></div><div>solution.</div><div><br /></div><div>So,</div><div><br /></div><div>I</div><div><br /></div><div>will</div><div><br /></div><div>try </div><div><br /></div><div>to </div><div><br /></div><div>make</div><div><br /></div><div>sure</div><div><br /></div><div>that</div><div><br /></div><div>you </div><div><br /></div><div>don't</div><div><br /></div><div>see</div><div><br /></div><div>the</div><div><br /></div><div>answer</div><div><br /></div><div>by</div><div><br /></div><div>accident.</div><div><br /></div><h3 style="text-align: left;">Top Row</h3><div><br /></div><div>The left hand box on the top row contains two digit numbers. They aren't ASCII-encoded numbers because the letters and numbers in ASCII are from 30 to 122 (decimal). Values below 30 are control characters from the days of teletypes, typewriters, and very slow asynchronous serial communications. Numbers above 97 are lower case letters (a-z) and cryptographers always tend to use capital letters (in blocks of 5, remember?). SOTHE YPROB ABLYA RENOT ENCOD EDINA SCII! </div><div><br /></div><div>Did you notice that all of the spaces were removed from the blocks of 5 characters? Old-school 'Enigma'-style cryptographers left out the spaces between words as well. You know how people always say that 'E' is the most used letter in the English language? Well, if you look at ASCII-encoded text, then usually the most commonly occurring number is not 69 (E) or 101 (e), but 32 - which is the 'space' character. Some of my puzzles deliberately leave the spaces in - as a clue that the text is ASCII encoded! </div><div><br /></div><div>If not ASCII, then what? The second box on the left on the top row might be a clue. 
In amongst the question marks, there are two characters: an A and a 1. The 'A' seems to correspond with the 01 in the 5x5 grid in the first left, top row box, whilst the '1' seems to be associated with the 28. In ASCII, the numbers start with Zero (coding-style) at 48, and go to '9' at 57. So what might the simplest way of arranging the capital letters of the alphabet (A to Z), plus the number digits from 0-9? Well it might start at 0, go to 9, then A, then to Z. But an index where 01 means zero seems like it is making things a bit obvious, especially when 02 means 1, 03 means 2 and so on. This would mean that dates would be in the form <02-32>/<02-13>/<...and 3132 for the current year>, which might be a give-away after a while... </div><div><br /></div><div>So, to be contrary to the way that ASCII works, how about putting the numbers after the letters? So 01 is A, through to 26 for Z, and then 27 for Zero, and 28 for 1. And there you have it - one of several ways of arranging the letters and numbers so that they can be indexed with a two-digit number! </div><div><br /></div><div>If you substitute the indexed letters and numbers using this mapping, then how do you put them into the final box on the right? Many of my puzzles try to get away from the left to right, top to bottom convention that native English handwriting and typing normally follows (But note that the value of the digits in numbers increases from RIGHT to LEFT!) and use other conventions instead. Japanese and Chinese are particularly interesting here, because although they can be written from left to right, top to bottom, they can also be written top to bottom, right to left... I have often used spirals to try and hide the sequence of letters from a casual inspection, of which more later...</div><div><br /></div><div>So the 'raster' 'third from the left' top box might be interpreted as a set of vectors, showing how the decoded characters are arranged. 
If you do this, then the purpose of the black dot will become apparent - it is the 'dot' in Hardwear.IO...</div><div><br /></div><h3 style="text-align: left;">Lower Row</h3><div><br /></div><div>The lower row starts on the left hand side with the 6 rows of 3 to 6 characters, and NO 5 character rows at all. The characters are a mixture of letters and numbers, and so it might be that the plaintext is 'hidden in plain sight', which would be a terrible pun, but exactly the sort of cheeky misdirection that I often include in my puzzles. The box on the second left in the lower row contains another 'raster' diagram, which actually looks like 'NL' spelt out in vectors. But it isn't immediately obvious what the vectors mean...</div><div><br /></div><div>The third box from the left on the lower row is the 6x11 set of what look like binary numbers, except that they are 11 digits long, which is unusual for binary. If you are thinking 'misdirection' at this point, then you would be completely correct. Thinking of old raster based visual displays, then one of the common techniques used to process images on the screen was to use 'masks' that determined if a pixel in the image would be displayed in the raster, and thus on the screen. So the first, second and third boxes from the left on the top row are actually clues to this being a 'raster'-influenced puzzle...</div><div><br /></div><div>The third box from the left on the lower row is indeed a mask. It is actually just the second box from the left on the lower row, but mapped onto a 6x11 'raster' or grid. The ones and zeroes do not mean 1 and zero - the 1s are place-holders for the characters that will be displayed, and show where they will be placed on the screen. So the three boxes from the left on the lower row are all indicating the same thing - how the characters in the first box are placed in the final box on the right. 
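</div><div>The three techniques covered so far (the 'is this ASCII?' test from the Top Row section, the 01 = A to 28 = 1 index, and a 0/1 mask whose 1s are place-holders) fit together in one short script. This is an added example, not the post's code and not the badge's actual grid: the phrase, the index stream built from it and the small 6x6 mask are all constructed for the example, and the mask is filled row by row, left to right, rather than along the badge's 'NL' vector path. Function names are my own.</div>

```python
# Added example (not the badge's actual grid): the three steps the post
# describes, on constructed data. (1) a quick test for whether a list of
# numbers looks like ASCII text, (2) decoding the two-digit index where
# 01..26 are A..Z and 27..36 are 0..9, (3) dropping decoded characters into
# a 0/1 mask, where each 1 is a place-holder for the next character.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def looks_like_ascii_text(values):
    """Heuristic from the post: printable ASCII is 32..126, and in real text
    the most common byte is usually 32 (space)."""
    if not values:
        return False
    printable = sum(32 <= v <= 126 for v in values) / len(values)
    counts = Counter(values)
    return printable > 0.95 and counts[32] == max(counts.values())

def decode_index(numbers):
    """Two-digit index -> text. Raises on anything outside 01..36."""
    out = []
    for n in numbers:
        if not 1 <= n <= len(ALPHABET):
            raise ValueError(f"index {n:02d} is outside 01..{len(ALPHABET)}")
        out.append(ALPHABET[n - 1])
    return "".join(out)

def encode_index(text):
    """The reverse mapping, used here only to build the sample grid.
    Characters outside A-Z and 0-9 (spaces included) are dropped."""
    return [ALPHABET.index(ch.upper()) + 1 for ch in text if ch.upper() in ALPHABET]

def place_through_mask(chars, mask, blank="."):
    """Fill a 0/1 mask row by row: every 1 takes the next character."""
    it = iter(chars)
    return ["".join(next(it, blank) if bit else blank for bit in row) for row in mask]

# Constructed sample: the same phrase as a byte string and as an index stream.
SAMPLE_TEXT = "HARDWEAR IO 2021"
SAMPLE_ASCII = list(SAMPLE_TEXT.encode())
SAMPLE_INDEX = encode_index(SAMPLE_TEXT)      # spaces are dropped, as in blocks of 5
SAMPLE_MASK = [                               # an 'N'-like shape with 14 ones
    [1, 0, 0, 0, 0, 1],
    [1, 1, 0, 0, 1, 1],
    [1, 0, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 1],
    [1, 0, 0, 0, 0, 1],
    [0, 0, 0, 0, 0, 0],
]

if __name__ == "__main__":
    print("ascii bytes look like text:", looks_like_ascii_text(SAMPLE_ASCII))
    print("index stream looks like text:", looks_like_ascii_text(SAMPLE_INDEX))
    print("index stream:", " ".join(f"{n:02d}" for n in SAMPLE_INDEX))
    decoded = decode_index(SAMPLE_INDEX)
    print("decoded:", decoded)
    print("\n".join(place_through_mask(decoded, SAMPLE_MASK)))
```

<div>The ASCII test fails on the index stream for the reason the post gives: every value is below 32, so none of it is printable and there is no 'space' to dominate the frequency count. That same two-line heuristic is a reasonable first pass over a memory dump when looking for where strings live.</div><div>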
</div><div><br /></div><div>If you take the NL vector diagram from the second box on the left on the lower row, and use it to 'parse' the characters in the first box from the left on the lower row, and place them in the right hand box according to the mask (using just the 1s), then you get: 'HARDWE' reading upwards from top to bottom as you follow the upwards vector on the first stroke of the 'N'. As you continue, it spells out a slightly different order of the parts that made up the contents of the top, right hand box - and this is what those twisty arrows connecting the two right hand boxes indicate - the contents are not exactly the same in their layout.</div><div><br /></div><h3 style="text-align: left;">The Solution</h3><div><br /></div><div>Which brings us to the solution:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhhPhP34SepvLboJJFSJdpawEZCbpyxc4kbpOtBt4VUqoCFgbufoFzx1tuVWwSWa13U5OuL40At02TICff2pDpYh872EiEVGMWUdyap31Fv7iQhGyv32KDP0jK1ZpP2rLfqOXsTuFy7lM5oD-kseAbaSvcrXxIei-N5Dxaj6mexcg0VvZaqLgDcymnnMg=s2048" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1108" data-original-width="2048" height="346" src="https://blogger.googleusercontent.com/img/a/AVvXsEhhPhP34SepvLboJJFSJdpawEZCbpyxc4kbpOtBt4VUqoCFgbufoFzx1tuVWwSWa13U5OuL40At02TICff2pDpYh872EiEVGMWUdyap31Fv7iQhGyv32KDP0jK1ZpP2rLfqOXsTuFy7lM5oD-kseAbaSvcrXxIei-N5Dxaj6mexcg0VvZaqLgDcymnnMg=w640-h346" width="640" /></a></div><br /><div>The solution is thus either:</div><div><br /></div><div>Hardwear.IO Netherlands 2021 (in all Capitals)</div><div><br /></div><div>or</div><div><br /></div><div>Hardwear.IO2021 Netherlands (again in all Capitals)</div><div><br /></div><div>But, why are they different? To see why, take the top row solution and apply it to the reverse of the process used for the lower row. 
The bottom row of the contents of the left hand box will end up like this:</div><div><br /></div><div>HN2021</div><div><br /></div><div>Which kind of gives away too much...</div><div><br /></div><div>For the reason behind that, think about how the puzzle was designed. The top row was done first, then the lower row. When the problem was noticed, the top row could have been reworked, but it was already done, and so I took the easy way out - I used the twisty arrows to indicate that the contents of the two right hand boxes were similar, not the same. And this is exactly what happens in real-world hardware and software - unexpected problems can arise after a lot of work has been done, and the quickest fix is often not ideal. </div><div><br /></div><div>So one of the 'tools' that should be in the hardware (or software) reverse engineer's toolbox is the 'unexpected consequences often get fixed very badly' thought. Do you really change the whole design because of a minor mistake and do a total rework, or do you find a smart, quick fix that might compromise some of the security - but who is ever going to find it? Just about every project that I have ever seen will go for the easy fix, not the total rework. And that's one way that vulnerabilities get into hardware - or software. </div><div><br /></div><div>In a single puzzle, you have learnt about non-ASCII encoding, how to find ASCII encoding, how to vectorise and mask matrices, and the consequences of not going back and properly fixing mistakes that were unforeseen. 
This wasn't puzzle solving - it was actually training!</div><div><br /></div><div>Thanks to <a href="https://hardwear.io/" target="_blank">Hardwear.IO</a> for their support, and for using my puzzles!</div><div><br /></div><div>To save you time searching for more of my puzzles, there's a list <a href="https://securitytiruces.blogspot.com/2020/10/hardweario-wall-challenges-q-and-extras.html" target="_blank">here</a> and another puzzle <a href="https://securitytiruces.blogspot.com/2021/07/hardweario-usa-2021-wall-challenge.html" target="_blank">here</a>. </div><div><p>---</p><p>If you find my writing helpful, informative or entertaining, then please consider visiting the following link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):<br /><br /></p><div><div style="margin: 0px;"><a class="bmc-button" href="https://www.buymeacoffee.com/synthwriter" target="_blank"><img alt="Buy me a coffee" src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg" /><span style="margin-left: 5px;">Buy me a coffee</span></a></div></div></div>Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.com0tag:blogger.com,1999:blog-1819506037441529726.post-34876638215427090792021-07-11T04:11:00.003-07:002021-11-03T10:17:22.556-07:00Hardwear.IO USA 2021 Wall Challenge Extras<p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHIys9H_5lu7xu4QA9zYvVDEHzViL3a6wglGCkswzLAM43Xw8WK3aOkwcEgmoToBiz9nbLOAD6ZQRe3vGn-Y3h71RuOTp4TDqqvxdJBp7Jks7M8GZcyltHQcrMHbKqEbEhfk54tV6zLlwY/s2048/yogendra-singh-BxHnbYyNfTg-unsplash.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1365" data-original-width="2048" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHIys9H_5lu7xu4QA9zYvVDEHzViL3a6wglGCkswzLAM43Xw8WK3aOkwcEgmoToBiz9nbLOAD6ZQRe3vGn-Y3h71RuOTp4TDqqvxdJBp7Jks7M8GZcyltHQcrMHbKqEbEhfk54tV6zLlwY/w400-h266/yogendra-singh-BxHnbYyNfTg-unsplash.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span face="-apple-system, system-ui, "San Francisco", "Helvetica Neue", Helvetica, Ubuntu, Roboto, Noto, "Segoe UI", Arial, sans-serif" style="background-color: whitesmoke; color: #111111; font-size: 13px; text-align: left; white-space: nowrap;">Photo by </span><a href="https://unsplash.com/@yogendras31?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="background-color: whitesmoke; box-sizing: border-box; color: #767676; font-family: -apple-system, system-ui, "San Francisco", "Helvetica Neue", Helvetica, Ubuntu, Roboto, Noto, "Segoe UI", Arial, sans-serif; font-size: 13px; text-align: left; text-decoration-skip-ink: auto; transition: color 0.1s ease-in-out 0s, opacity 0.1s ease-in-out 0s; white-space: nowrap;">Yogendra Singh</a><span face="-apple-system, system-ui, "San Francisco", "Helvetica Neue", Helvetica, Ubuntu, Roboto, Noto, "Segoe UI", Arial, sans-serif" style="background-color: whitesmoke; color: #111111; font-size: 13px; text-align: left; white-space: nowrap;"> on </span><a href="https://unsplash.com/s/photos/problem-solving?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="background-color: whitesmoke; box-sizing: border-box; color: #767676; font-family: -apple-system, system-ui, "San 
Francisco", "Helvetica Neue", Helvetica, Ubuntu, Roboto, Noto, "Segoe UI", Arial, sans-serif; font-size: 13px; text-align: left; text-decoration-skip-ink: auto; transition: color 0.1s ease-in-out 0s, opacity 0.1s ease-in-out 0s; white-space: nowrap;">Unsplash</a></td></tr></tbody></table><p></p><h1 style="text-align: left;"><b>OK, so it may have been a bit difficult to solve this time...</b></h1><p>The Wall Challenge that I produced for the Hardwear.IO USA 2021 hardware security conference was a little different to previous puzzles. I've always been a fan of the 'metapuzzle', where everything is interlinked. <a href="https://en.wikipedia.org/wiki/Cliff_Johnson_(game_designer)" target="_blank">Cliff Johnson</a>'s '<a href="https://fools-errand.com/" target="_blank">Fool's Errand</a>' is a very refined version of a metapuzzle...</p><p>So the Wall Challenge was all about a defective printer, and why it was incorrectly printing the virtual badges for an online conference. As always, the premise is just window-dressing. The intended purpose of a Wall Challenge, as I have said many times before, is training people in security hacking: </p><p style="text-align: center;"><i><b>How to solve unfamiliar puzzles</b></i></p><p>Which is why the instructions are often sparse, and the setting is unusual. One way of thinking about it is to imagine the total opposite of a 'Capture The Flag' (CTF) contest, where the setting, purpose, methodology, approach to solving (and more) are all known beforehand, are well understood, and are familiar. In contrast, the best indicator of a high quality Wall Challenge is when people say: 'I haven't seen a puzzle like this before - how do I solve it?' </p><p>Which is why previous Wall Challenges have used underlying mechanisms like resistor colour codes, flags, a CNC machine-engraved plastic conference badge, and more.
So what could the theme be for a conference held in the United STATES of America?</p><h3 style="text-align: left;">Resources</h3><p>Just as in security, doing the background research is important. In this case, two main resources were used:</p><p><a href="https://www.ssa.gov/international/coc-docs/states.html">https://www.ssa.gov/international/coc-docs/states.html</a></p><p><a href="https://en.wikipedia.org/wiki/United_States">https://en.wikipedia.org/wiki/United_States</a> (and the pages for individual states...)</p><p>Two other implied resources were used, although it was assumed that most conference attendees would be familiar enough with them:</p><p>Printers</p><p>Conference Badges</p><p>This assumption is important, because it means that explanations of how they work, what they do, etc. are not required. </p><p>Finally, two essential online resources for readers of this blog - two YouTube videos:</p><p><a href="https://youtu.be/ZR_DF7FY_zQ" target="_blank">Questions Only</a> (recommended starting place)</p><p><a href="https://youtu.be/UBi7Pex7nuE" target="_blank">Questions and the Answers</a> (for later...)</p><h3 style="text-align: left;">Discord</h3><p>In a real conference, Wall Challenges are sheets of A4 paper, blu-tacked to the wall around the venue. People can see them, they can talk to others about them, and the physical act of standing in front of one, brow furrowed trying to figure it out, is one of the most effective pieces of advertising known to human beings. Especially motivated problem-solvers like the people at a hardware security hacking conference!</p><p>At a virtual conference, an online equivalent is required. The one that is used at Hardwear.IO conferences is Discord - there are other software applications with a similar feature set, but Discord is particularly well-evolved, and is my personal favourite of this type of team messaging application.</p><p>In a virtual/online conference, Discord is where the challenges are posted/published.
It is also where people chat, discuss, and generally engage in discourse about the challenges - a total analogue of people standing around in front of sheets of paper stuck on the wall... It is also where hints and clues can appear. Here are some from the USA 2021 conference (and others):</p><p><b>(For newbies:)</b></p><p><i>How to start? Read everything - there are clues everywhere. Try looking for the differences between the cards.</i></p><p><i>The whole experience is meant to be an analogue of the real hardware hacking experience: You have no idea what is going on inside the hardware, but you can see some external effects...</i></p><p><b>(Hints for those struggling:)</b></p><p><i>Is any information missing on the cards?</i></p><p><i>Everything is a clue... Read the introduction, and everything in the challenge pictures...</i></p><p><i>Don't know where to start? Look for what should be on the cards. Are there any clues in any of the pictures?</i></p><p><i>suppose the printer can't fit any more than two red characters into the space... what does it do?</i></p><p><i>what if the red characters in challenge 1 were the beginning and ending of two words?</i></p><p><i>the red characters on the left are important!</i></p><p><b>(Sometimes the hints are themselves clues:)</b></p><p><i>so what makes the cards in the 2nd challenge different to the 1st challenge?</i></p><p><i>why is all the printing on the badges in capital letters? could this be important?</i></p><p><i>is there a typo in challenge 1? shouldn't it be 'HardWear.IO'? what is the abbreviation?</i></p><p><i>what is going on in the set of red characters in challenge 1?</i></p><p><b>(Sometimes the hints just repeat what is in the picture, to make it more obvious:)</b></p><p><i>Ha! - no, I know there isn't a web-site for American Wave Ascenders, Inc.</i></p><p><i>"...a total state of confusion..."
</i><i>(it's a clue!)</i></p><p><b>(Associated concepts:)</b></p><p><i>Georg Cantor</i></p><p><b>(Responses and clarifications to email queries:)</b></p><p><i>none of the hardwear.io staff were from spokane! (the printer is confused!)</i></p><p><b>(Additional clues when people are really struggling:)</b></p><p><i>the answer to challenge 1 is two US states. the answers to challenges 2 to 6 are one US state in each case...</i></p><p><i>to solve challenge 7 it helps if you have some of the answers to 1 to 6...</i></p><p><i>---</i></p><p>Thanks to everyone who participated in the Wall Challenge. It seems that this one was more difficult to solve than I thought. Sometimes the pre-testing doesn't give a good indication of reality...</p><p>Oh, and grateful and sincere thanks to <a href="https://unsplash.com/" target="_blank">Unsplash</a>, who provide me with excellent, nicely-themed photos for several blogs! And they can do the same for you...</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz7G86hI7qsiOq9Lxz7JfQPYksNKzvfTV2XsUUm_RjMQfEZMxaCPNW7quHCwExvsWTCys8VnEjD_j0C5oEs5Luddl3SpWoypsLTXdJwU0OH8D3IcebQNJeLg_QrWGgXH3o25bcYrjytCze/s2048/james-HKYbIgpoJmw-unsplash.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1364" data-original-width="2048" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz7G86hI7qsiOq9Lxz7JfQPYksNKzvfTV2XsUUm_RjMQfEZMxaCPNW7quHCwExvsWTCys8VnEjD_j0C5oEs5Luddl3SpWoypsLTXdJwU0OH8D3IcebQNJeLg_QrWGgXH3o25bcYrjytCze/w400-h266/james-HKYbIgpoJmw-unsplash.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span face="-apple-system, system-ui, "San Francisco", "Helvetica Neue", Helvetica, Ubuntu, Roboto, Noto, "Segoe UI", Arial, sans-serif"
style="background-color: whitesmoke; color: #111111; font-size: 13px; text-align: start; white-space: nowrap;">Photo by </span><a href="https://unsplash.com/@fragilejames?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="background-color: whitesmoke; box-sizing: border-box; color: #767676; font-family: -apple-system, system-ui, "San Francisco", "Helvetica Neue", Helvetica, Ubuntu, Roboto, Noto, "Segoe UI", Arial, sans-serif; font-size: 13px; text-align: start; text-decoration-skip-ink: auto; transition: color 0.1s ease-in-out 0s, opacity 0.1s ease-in-out 0s; white-space: nowrap;">James</a><span face="-apple-system, system-ui, "San Francisco", "Helvetica Neue", Helvetica, Ubuntu, Roboto, Noto, "Segoe UI", Arial, sans-serif" style="background-color: whitesmoke; color: #111111; font-size: 13px; text-align: start; white-space: nowrap;"> on </span><a href="https://unsplash.com/s/photos/unsplash?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="background-color: whitesmoke; box-sizing: border-box; color: #767676; font-family: -apple-system, system-ui, "San Francisco", "Helvetica Neue", Helvetica, Ubuntu, Roboto, Noto, "Segoe UI", Arial, sans-serif; font-size: 13px; text-align: start; text-decoration-skip-ink: auto; transition: color 0.1s ease-in-out 0s, opacity 0.1s ease-in-out 0s; white-space: nowrap;">Unsplash</a><br /></td></tr></tbody></table><br /><p>---</p>Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.com0tag:blogger.com,1999:blog-1819506037441529726.post-8179863214581777882021-03-22T04:34:00.000-07:002021-03-22T04:34:05.873-07:00A Strange Way To Advertise...<p>Apart from security, I also dabble in electronic music, and I write a <a href="http://blog.synthesizerwriter.com/" target="_blank">blog</a> on that topic... </p><p>Today, I got an email from a company, asking me if I could 'collaborate' with them by posting something containing a link to an account on a well-known music software company's forum, asking if I was willing to 'work with them' to promote their client, and asking me to make them an 'offer' for this activity. </p><p>So they were asking me to post something like:</p><p>"Hey, I know this has nothing to do with electronic music, but this web-site <URL> is wonderful!"</p><p>Needless to say, the client is nothing to do with music, and I simply don't do this type of thing, ever.
This is SEO/Advertising gone wrong, in my opinion, and I will have nothing whatsoever to do with any company that does this type of promotional activity.</p><p>- - - </p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP4xsMrYtMkt86VRwwNktqCB9jUa3svCtO-j2pBwTXYJaDALF1f3H-WPPEtYusFolf9HV49OiIa_gLRcEZefkxVlL-wcQElZCIKXzNqJdVviEkYQNrl3KO1iLCly2rpYSr71vcTo_CcQRU/s2048/jeremy-straub-0dLM-vKLmUQ-unsplash.jpg" style="margin-left: auto; margin-right: auto;"><img alt="Photo by Jeremy Straub on Unsplash" border="0" data-original-height="1356" data-original-width="2048" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP4xsMrYtMkt86VRwwNktqCB9jUa3svCtO-j2pBwTXYJaDALF1f3H-WPPEtYusFolf9HV49OiIa_gLRcEZefkxVlL-wcQElZCIKXzNqJdVviEkYQNrl3KO1iLCly2rpYSr71vcTo_CcQRU/w640-h424/jeremy-straub-0dLM-vKLmUQ-unsplash.jpg" title="Photo by Jeremy Straub on Unsplash" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Photo of a decommissioned nuclear missile launch control panel from <a href="https://unsplash.com/@jeremystraub?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Jeremy Straub</a> on <a href="/s/photos/launch-button?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></td></tr></tbody></table><p>I have always been intrigued by one of the common
'security' themes that happen in blockbuster movies all the time - the evil bad-person is trying to destroy the planet, and the 'security' people who work for the bad-person are quite willing to assist in making this happen, often going above and beyond what could reasonably be expected, even though this will kill the bad-person, them, their families, the people they know, and absolutely everyone else. </p><p>I have always wondered what possible reward could be motivating these people. It can't be money, because they will be dead. It can't be fame, because everyone will be dead. It can't be loyalty, because the bad-person is going to die as well. It can't be immortality, because they and everyone else will be dead. It can't be notoriety, because apart from some debris (and everyone being dead), there's no way that any visitor from outside the solar system will have any interest in the remains of a planet. </p><p>When I say 'willing to help' the bad person, this usually involves defending them robustly, with weapons, technology, computers, etc. Often this requires dedication, persistence, intelligence, determination, loyalty, and more... And these security people are only rewarded with their own deaths, often by their own hands... </p><p>In some scenarios, the script-writers increase the seriousness by having the bad-person wanting to destroy the whole universe - that's everything! I find it even harder to envisage any possible way to motivate people to help with that.
</p><p><b><i>I'm obviously not meant to be a security person in a blockbuster movie...</i></b></p><p>- - - </p><p>If you find my writing helpful, informative or entertaining, then please consider visiting the following links for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):<br /><br /></p><div><div style="margin: 0px;"><a class="bmc-button" href="https://www.buymeacoffee.com/synthwriter" target="_blank"><img alt="Buy me a coffee" src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg" /><span style="margin-left: 5px;">Buy me a coffee</span></a></div></div><p><a class="bmc-button" href="https://teespring.com/en-GB/stores/synthesizerwriters-store" target="_blank"><br class="Apple-interchange-newline" /><span style="margin-left: 5px;">Synthesizerwriter's Store</span></a> (New 'Modular thinking' designs now available!)<br /><br /></p>Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.com0tag:blogger.com,1999:blog-1819506037441529726.post-24077774309271415402021-03-15T05:04:00.002-07:002021-03-22T04:31:18.324-07:00<h3 style="text-align: left;">A Circular Reference:</h3><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;">A friend of a friend told me that they know someone who created a QR code that logged into the QR code generator web-site that they had an account on, so they could save time creating the specially formatted QR codes with the corporate logo, that they placed in all the company publicity and marketing material... 
</p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI5LiCp2s1qwGAxQaNPmLcvq7iCou-wAzKkcm_C5GCRRoDfc_ZGwP4TRnGnAlHiGQhxadJWox7d1GRo8yMop8IhtX5Sb_0743WLBQnvHHFAxZVv4h_V7MTLnbAjBgltWS26_D4A0YVzR4/s300/frame-inv.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="QR Code for this page" border="0" data-original-height="300" data-original-width="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI5LiCp2s1qwGAxQaNPmLcvq7iCou-wAzKkcm_C5GCRRoDfc_ZGwP4TRnGnAlHiGQhxadJWox7d1GRo8yMop8IhtX5Sb_0743WLBQnvHHFAxZVv4h_V7MTLnbAjBgltWS26_D4A0YVzR4/s16000/frame-inv.png" /></a></div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqSX29JbUJ95We8QHbT8lxjPZk7b4Kt4dHRGnF2In352E5elJqcA5Ur0Dkpgy3VhtpRHYEpYZBvUiJ-c3V3Eow8_dbe9X0-4wLSyHen38w5LQN-LvQSkTZ2gFF6x6woxJObJaghdbmV-w/s300/frame.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="QR Code for this page" border="0" data-original-height="300" data-original-width="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqSX29JbUJ95We8QHbT8lxjPZk7b4Kt4dHRGnF2In352E5elJqcA5Ur0Dkpgy3VhtpRHYEpYZBvUiJ-c3V3Eow8_dbe9X0-4wLSyHen38w5LQN-LvQSkTZ2gFF6x6woxJObJaghdbmV-w/s16000/frame.png" /></a><br /></div><p></p><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;"><span>(QR codes are
just URLs. But as a general rule, anything that stores a 'login' (User ID, Password) is not a good idea, and is a Security Risk. If it gets into the wild (and QR codes are easy to send...) then it would become a Security Threat...</span></p><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;"><span>And if you ever wondered what happens if you invert the colours on a QR code... </span></p><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;"><span>(Does this tell you something about how the QR code is encoded / decoded?)</span></p><h3 style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px; text-align: left;"><span>A Poor Reference:</span></h3><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;"><span style="color: #cccccc;"><span style="color: black;">'<i><b>A friend of a friend told me that they know someone...</b></i>' is an example of an unreliable InterWeb 'reference' that is either intended as obfuscation (as in this case), humour (perhaps in this case), indirection (maybe the source doesn't want to be revealed), or even seriously (seriously?) as a reference. In almost all cases, this type of phrase contains so many levels of indirection that it isn't really a reference at all.
</span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;"><span style="color: #cccccc;"><span style="color: black;">But not all poor references are as easy to spot as this one. If you see a reference with a URL, do you check the URL? Would you even pause to check the URL itself before clicking on it? Is this a way of getting normally savvy people who never click on links in e-mails to break their own rules? Is indirection or obfuscation a potential problem because the actual link content is hidden? Surely a shortcut just makes things easier... And of course, QR codes can sometimes be regarded as more than what they appear because they do have a hidden feature - they are innocuous-looking shortcuts that might bypass safeguards... Luckily, they won't ever be used by phishers, friends of phishers, and friends of friends of phishers*. Never. Ever.</span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;"><span style="color: #cccccc;"><span style="color: black;">In the wild, have you ever noticed how posters with QR codes often have stickers over the QR code - with another QR code on them?
Presumably this is to fix an error in the printing, or an update, or can you think of another reason?</span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;"><span style="color: #cccccc;"><span style="color: black;">* This statement may not be true.</span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(0, 0, 0); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 12px;"><span style="color: #cccccc;"><span style="color: black;">- - - </span></span></p>Synthesizerwriterhttp://www.blogger.com/profile/13668943829180629830noreply@blogger.com0tag:blogger.com,1999:blog-1819506037441529726.post-15584869556893550092021-02-02T10:25:00.005-08:002021-02-02T10:25:53.766-08:00Visual metaphors
for IT security...<p>In a world where photos on mobile phones are a way of getting people's attention, what are the visual metaphors for IT/cyber security? </p><p>Locks, safes, Matrix-style 'dropping' green characters, and various cyber-punk staples are all very well-worn clichés. One way of surveying what is 'out there' is to look at an online photo resource. Here's an example of what Unsplash.com came up with from a search for 'computer security':</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn_hJs92Bh9oJacFc_znMROmK0W1Mavmx4Me_7KVjhpDEkIqcIhHizpiu1sXo3kS02K7mAsxGlyGrnzGbtRU9bsvBr5EjIrViGCeBa2iOOY5YPI8aef6eCo6CdtT9l4xqlfY1wMFQSdWR-/" style="margin-left: auto; margin-right: auto;"><img alt="" data-original-height="1365" data-original-width="2048" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn_hJs92Bh9oJacFc_znMROmK0W1Mavmx4Me_7KVjhpDEkIqcIhHizpiu1sXo3kS02K7mAsxGlyGrnzGbtRU9bsvBr5EjIrViGCeBa2iOOY5YPI8aef6eCo6CdtT9l4xqlfY1wMFQSdWR-/w640-h426/cookie-the-pom-siNDDi9RpVY-unsplash.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Photo by <a href="https://unsplash.com/@cookiethepom?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Cookie the Pom</a> on <a href="https://unsplash.com/s/photos/computer-security?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></td></tr></tbody></table><br />Well, it got my attention!<div><br /></div><div>All of which got me thinking, and I'm now thinking about gathering some photos that shout 'IT security' or 'Cyber security' more to me! Watch this space...<br /><p></p><p>---<br /><br />If you find my writing helpful, informative or entertaining, then please consider visiting the following links for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):<br /><br /></p><div><div style="margin: 0px;"><a class="bmc-button" href="https://www.buymeacoffee.com/synthwriter" target="_blank"><img alt="Buy me a coffee" src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg" /><span style="margin-left: 5px;">Buy me a coffee</span></a></div></div><p><a class="bmc-button" href="https://teespring.com/en-GB/stores/synthesizerwriters-store" target="_blank"><span style="margin-left: 5px;">Synthesizerwriter's Store</span></a> (New 'Modular thinking' designs now available!)<br /><br /><br /></p></div>
<h2>Hardwear.IO Wall Challenges - Q&As and Extras!</h2><div>Synthesizerwriter, published 2020-10-10, updated 2022-02-27</div><p>Some post-conference extras for the Wall Challenges...</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzzOCgI83i6zfpl2SXU6NCfmOuTibtstbLM5H5PX1q7Gs7lwiuCtNGRNZfUFZhVxAloI0mRqg-xhQP3HwOwVCs6ifNDCfUqNXyb0HiOyPOG4yQnqAjb3EY6S8s61sWeniZg5kWPsWJKFax/s1920/HWIONETHERLANDS2020SIXQA-AD.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1920" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzzOCgI83i6zfpl2SXU6NCfmOuTibtstbLM5H5PX1q7Gs7lwiuCtNGRNZfUFZhVxAloI0mRqg-xhQP3HwOwVCs6ifNDCfUqNXyb0HiOyPOG4yQnqAjb3EY6S8s61sWeniZg5kWPsWJKFax/w640-h360/HWIONETHERLANDS2020SIXQA-AD.png" width="640" /></a></div><div><br /></div>Thanks to everyone who entered the Wall Challenges!<div><br /></div><div>The 
concept of giving the answer away right at the start, and then making the challenge explaining 'why' each question led to that answer, seemed to be very popular! We got more than twice the number of entries compared to the previous Wall Challenge. The email inbox was very busy - there were 65 emails from entrants. And the Discord channel was melodious and mellifluous (and not discordant!).</div><div><br /><h3 style="text-align: left;">Questions</h3><div><br /></div><div>If you didn't enter, and want to get the same experience, here are just the 'questions':</div><div><br /></div><div style="text-align: center;"><b><a href="https://youtu.be/cYKE2tgw-eY">https://youtu.be/cYKE2tgw-eY</a></b></div><div><br /></div><div>Just pause the video whilst you think...</div><div><br /></div><h3 style="text-align: left;">Answers</h3><div><br /></div><div>And if you want to know the 'whys', then here are the 'answers':</div><div><br /></div><div><div style="text-align: center;"><b><a href="https://youtu.be/RepW5VTb09c">https://youtu.be/RepW5VTb09c</a></b></div><div style="text-align: center;"><br /></div><div style="text-align: left;">One final thought about the entries: If there had been a prize for 'Most beautifully and clearly laid-out entry', then <b>Loïse</b> from <b><a href="https://www.brightsight.com/">Brightsight</a></b> would have won... Unfortunately there was only one prize (for the winner), but my congratulations for a very organised answer!
</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Resources</h3><div><br /></div><div>Some entrants did more than just explain why the answer is connected to the question; they also provided links to the online resources that they used. Here are a couple of links to explore:</div><p style="text-align: left;"><b><a href="https://gchq.github.io/CyberChef/">https://gchq.github.io/CyberChef/</a></b></p><p>CyberChef is a brilliant toolkit for transforming text (and data) in many ways. It makes all sorts of interesting processing quick and easy to carry out, and can save lots of paper and pencil sharpening. The source is a very good indicator of just why Wall Challenges are 'Security Training in Disguise'. </p><p>👍👍👍👍👍 (5 thumbs-up!)</p><p><b><a href="https://www.dcode.fr/en">https://www.dcode.fr/en</a></b></p><p>dCode is another set of excellent tools that can be very useful in manipulating text and data - plus a lot of other miscellaneous operations and functions. </p><p>👍👍👍👍👍 (5 thumbs-up!)</p><p>Both of these should definitely be in your toolkit!</p><p>Oh, yes, and I can neither confirm nor deny that I may have used some of these online resources (as well as paper, pencil and pen) to create the challenges... 
</p><p><b><a href="https://www.rapidtables.com/convert/number/decimal-to-binary.html">https://www.rapidtables.com/convert/number/decimal-to-binary.html</a></b></p><div style="text-align: left;">Not quite in the same league as the above two examples, but still useful...</div><div style="text-align: left;"><br /></div><div style="text-align: left;">👍👍👍 (3 thumbs-up!)</div><h3 style="text-align: left;">Previously on Wall Challenges...</h3><div><br /></div><div>There are more wall challenges, door quizzes and wall games that I have produced over the years. Caution: many of these are considerably more difficult than the ones above.</div><div><br /></div><div>2020 HWIO Virtual Conference: Q <a href="https://youtu.be/M7MWse68EJo">https://youtu.be/M7MWse68EJo</a></div><div>2020 HWIO Virtual Conference: Q&A <a href="https://youtu.be/_chBxq4P_5Y">https://youtu.be/_chBxq4P_5Y</a></div><div><br /></div><div>2018 Hardwear.io Conference: Q <a href="https://youtu.be/O34eoI9H3bM">https://youtu.be/O34eoI9H3bM</a></div><div>2018 Hardwear.io Conference: Q&A <a href="https://youtu.be/n_TAkt6uziw">https://youtu.be/n_TAkt6uziw</a></div><div><br /></div><div>MinamiCon 22: Q <a href="https://youtu.be/civb19tgF2k">https://youtu.be/civb19tgF2k</a></div><div>MinamiCon 22: Q&A <a href="https://youtu.be/foF3jxud3oE">https://youtu.be/foF3jxud3oE</a></div><div><br /></div><div>If you browse through my YouTube channel, then you will find even more challenges... (No prizes!)</div><div><br /></div><h3 style="text-align: left;">Ah!</h3><div><br /></div><div>Yep. There's a deliberate error in the example question shown at the start of this blog post. Can you figure out what it is? There's a clue in the picture...</div><p><br /></p></div></div>
<h2>Hardwear.IO 2020 Wall Challenges</h2><div>Synthesizerwriter, published 2020-09-30, updated 2020-10-10</div><p>The <a href="http://Hardwear.IO">Hardwear.IO</a> conference is online on the 1st and 2nd of October 2020, and they used me for some of the pre-publicity! As usual, I've submitted some Wall Challenges for people to try and solve, and here's a visual clue that may or may not help...</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNk6pVO7ZrQxle4xFXAq5IOvQZGi_dkaTGbN6WB7UMRpWg7OKYx_ou2i4Bx5n4IfbM6Npx1y8prk7CWb9bI_j0jZY20pMqY_qndiH-kAbqCHwrVh7t7z2bCs3i2I7t6aEUHpvCtAL8anP8/s1083/hwionl2020.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="737" data-original-width="1083" height="435" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNk6pVO7ZrQxle4xFXAq5IOvQZGi_dkaTGbN6WB7UMRpWg7OKYx_ou2i4Bx5n4IfbM6Npx1y8prk7CWb9bI_j0jZY20pMqY_qndiH-kAbqCHwrVh7t7z2bCs3i2I7t6aEUHpvCtAL8anP8/w640-h435/hwionl2020.png" width="640" /></a></div>My Wall Challenges are a way to get you to look at the world differently. Hardware is an interesting mix of the old, the new, the obscure and the arcane, and often requires you to think in two or more directions at once. <div><br /></div><div>Here's an example of multi-directional thinking: </div><div><br /></div><div>You have hired a pen-tester company to check your latest piece of hardware. The tester starts their analysis by trying to brute-force the hidden RS232 terminal via the pins that you tried to obfuscate by spreading them across the board, not silk-screening them, and making them look like ATE test-points and unpopulated thru-holes. Of course, the tester finds them disarmingly quickly. The User ID is totally obvious, and the password is just 8 numbers, so you are expecting that to be cracked pretty quickly as well. But after a day or so, the tester is not looking happy, and has not gleefully told you the UID and password. What might be happening?</div><div><br /></div><div>1. One of the developers lied to you and deliberately set a very long password.</div><div>2. There's a bug in the terminal login code and it won't actually accept any password!</div><div>3. The tester thinks the obvious User ID must be a honey trap, and is trying other routes into your micro-controller.</div><div>4. The tester's USB-to-Serial adapter is broken.</div><div>5. The tester hacked your hardware in a few minutes, has all of your micro-controller code, and has IDA'd it so he knows just about everything about how it works - but is worrying that it was too easy and doesn't dare tell you!</div><div><br /></div><div>Actually, the tester's brute force programme was broken and wasn't brute forcing at all... </div><div><b><br /></b></div><div><b>Post-conference Wall Challenge Extras: </b></div><div><br /></div><div><a href="https://securitytiruces.blogspot.com/2020/10/hardweario-wall-challenges-q-and-extras.html">https://securitytiruces.blogspot.com/2020/10/hardweario-wall-challenges-q-and-extras.html</a></div><div><br /></div>
<h2>How to edit an old blog post so that it looks like a prediction...</h2><div>Synthesizerwriter, published 2020-05-27, updated 2020-05-27</div>In a world where fake news seems to be a major part of the news, it is interesting to see just how easy it is to break the trust that people put into 'systems' and their senses.<br />
<br />
For the senses, 'I only trust what I can touch with my own hands, or see with my own eyes' is one example, and counterfeit goods, photoshopped images and 'deep fake' videos show that this isn't a very reliable way to assess whether something is genuine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg57kpdlw4jGkibu9RT5UZnzgovL5VSEQhGD022W31-ch3-8YXi64vpjRCA-7UXrZyoFwMt5stxCviLC6bJ4CDoyGPjZ-k5zR0nT0qMwcUD15Q5BZnRJhBa76szbcuiwDVYJOUjC_e4sKQA/s1600/TheNews-final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="93" data-original-width="344" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg57kpdlw4jGkibu9RT5UZnzgovL5VSEQhGD022W31-ch3-8YXi64vpjRCA-7UXrZyoFwMt5stxCviLC6bJ4CDoyGPjZ-k5zR0nT0qMwcUD15Q5BZnRJhBa76szbcuiwDVYJOUjC_e4sKQA/s640/TheNews-final.png" width="640" /></a></div>
<br />
For systems, a time-stamped published blog post seems like it might be a modern digital equivalent of the classic 'Photo of a newspaper fixes the earliest possible date when the photo could have been taken...' scenario. So a blog post, which is stamped with the time and date that it was published, might seem to be a good way of showing when you first published a thought, idea or comment.<br />
<br />
Unfortunately, the design of many systems is not perfect, and sometimes a system doesn't do what it appears to do. Blog posts, for instance. The time and date that are shown in Google Blogger (which is what I use to publish this blog) are when the post was first published. Any changes after that do not change the time or date, because a blog (from 'web log') is meant to be a series of 'diary'-like entries, and you don't generally edit your diary... So the design of a blogging application (or program, as they used to be called!) has a time-stamp for the publishing date as a key requirement, but there's no requirement at all for time-stamping any edits, and in fact, if you did change the time-stamp for each edit, then it would stop being a log. Even worse, suppose that a picture, photo, graphic, web-site, web-page, or an article in the published blog post was replaced or updated (the original disappeared, for instance): changing the publishing date to reflect that would change the time and date of the blog post even though none of the main text has changed. What happens when a different advert is placed in the blog post?<br />
<br />
So, by design, the time-stamping in Google Blogger (and many other blogs) is a useful way to find out when a blog post was first published. But that is all. Any subsequent edits are probably not reflected in the 'published on' time and date stamp.<br />
<br />
A security-minded person looks at this design and sees a flaw. Most people will look at the 'published on' time and date stamp and assume that it tells them when the content they are reading was published. The analogy with the time and date printed at the top of a newspaper is firmly locked in many people's minds. Even if edits were time-stamped, how do you know you can trust the time-stamping process? Winding back the date on a computer so that '30-day' trials of software continue to work is a very old approach - and triggers an interesting 'vulnerability/mitigation' escalation 'ladder' if you try to stop it happening. These things boil down to: 'How much time and effort is it worth to you, trying to make this perfect?', because whatever you do to try and secure your time-stamp will probably introduce one or more new possibilities for subverting it, albeit with more required effort. And nothing is perfect!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Edea_keSwBxMIfvi7LhoMmkfurVK-7fjTEiMAkBW_h4PxZKO-bYlihF8gZkAkLZGdNoeGPjsztCAyHBfTcbswaTjnTa9wzcA8SXJLYPFBH_dGcIVkxzRfc_r0-70UUtgvo58pjNC5JOR/s1600/screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1011" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Edea_keSwBxMIfvi7LhoMmkfurVK-7fjTEiMAkBW_h4PxZKO-bYlihF8gZkAkLZGdNoeGPjsztCAyHBfTcbswaTjnTa9wzcA8SXJLYPFBH_dGcIVkxzRfc_r0-70UUtgvo58pjNC5JOR/s640/screenshot.png" width="640" /></a></div>
<br />
So, if you look at <a href="https://securitytiruces.blogspot.com/2018/10/the-september-2018-azure-south-central.html">this blog post</a>, from the 2nd of October 2018, you will see an edit that I made today to a blog post from more than 2 years ago... but the published date and time were not affected. As you can see, it looks like I had a bad feeling about 2020 way back in 2018 - or maybe I didn't and I just edited the blog post. Does this prove anything? Well, it proves this:<br />
<br />
<div style="text-align: center;">
<i>Don't trust blog posts - except blog posts that tell you not to trust blog posts! </i> </div>
<br />
So editing is easy! And a little bit of 'thinking ahead' provides an interesting principle: if you publish a blog post a few times every month for a few years, then you can go back at any time in the future and edit it to say anything at all! I'm now wondering what I should predict next...<br />
<br />
<h3>The Catch!</h3>
<br />
This wouldn't be a security blog post if there wasn't a 'gotcha'! Yep, whilst Google Blogger (or other blog apps) display the time-stamp for when the post is published, there are ways to find out when it was altered as well. The <a href="https://archive.org/web/">Internet 'Wayback Machine'</a> grabs web-pages (Only 439 billion or so - not all of them!) and so can be used as a 'view into the past' - but it also allows pretty detailed investigations of when something has been changed. Now hacking the Wayback Machine is a possibility to cover tracks, but...<br />
<br />
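<p>The check described above, as an added example that is not part of the original post: given two or more independent captures of a page (Wayback Machine snapshots, say), it extracts the page's own 'published' stamp and a fingerprint of the body text, and reports every interval in which the body changed while the stamp did not. The <code>&lt;time class="published"&gt;</code> and <code>&lt;article&gt;</code> markup, the capture dates and the page text are constructed for the example, not Blogger's real markup or real archive data.</p>

```python
"""Detect post-publication edits by comparing independent captures of a page.

Added example, not code from the original post. The markup pattern, capture
dates and page text below are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    """One capture of a page by an archive crawler (e.g. the Wayback Machine)."""
    captured_at: datetime  # when the crawler fetched the page
    html: str              # the page as captured


@dataclass(frozen=True)
class SilentEdit:
    """The body changed between two captures while the 'published' stamp did not."""
    published: Optional[str]
    before: datetime  # last capture that still showed the old body
    after: datetime   # first capture that showed the new body


def published_stamp(html: str) -> Optional[str]:
    """Return the page's own 'published on' stamp.

    Assumes a <time class="published" datetime="..."> element (constructed
    markup for this example; a real page needs its own selector).
    """
    m = re.search(r'<time[^>]*class="published"[^>]*datetime="([^"]+)"', html, re.I)
    return m.group(1) if m else None


def body_fingerprint(html: str) -> str:
    """SHA-256 of the visible body text, with tags and whitespace runs removed.

    Normalising whitespace means a re-render that only changes spacing or
    markup is not reported as an edit; only a change in the words is.
    """
    m = re.search(r"<article>(.*?)</article>", html, re.S | re.I)
    body = m.group(1) if m else ""
    text = " ".join(re.sub(r"<[^>]+>", " ", body).split())
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_silent_edits(snapshots: List[Snapshot]) -> List[SilentEdit]:
    """Walk the captures in time order and flag every interval in which the
    body text changed but the displayed 'published' stamp stayed the same."""
    ordered = sorted(snapshots, key=lambda s: s.captured_at)
    findings: List[SilentEdit] = []
    for prev, cur in zip(ordered, ordered[1:]):
        same_stamp = published_stamp(prev.html) == published_stamp(cur.html)
        if same_stamp and body_fingerprint(prev.html) != body_fingerprint(cur.html):
            findings.append(SilentEdit(published_stamp(cur.html),
                                       prev.captured_at, cur.captured_at))
    return findings


def build_page(published: str, body: str) -> str:
    """Build a minimal page in the constructed markup above."""
    return (f'<html><body><time class="published" datetime="{published}">'
            f'{published}</time><article>{body}</article></body></html>')


# Constructed captures of one post: the 'published' stamp never changes, the
# second capture differs only in whitespace, the third has an added paragraph.
PUBLISHED = "2018-10-02T09:00:00Z"
CAPTURES = [
    Snapshot(datetime(2018, 11, 5, tzinfo=timezone.utc),
             build_page(PUBLISHED, "<p>Notes on the Azure South Central outage.</p>")),
    Snapshot(datetime(2019, 6, 20, tzinfo=timezone.utc),
             build_page(PUBLISHED, "<p>Notes  on the Azure South Central\noutage.</p>")),
    Snapshot(datetime(2020, 5, 27, tzinfo=timezone.utc),
             build_page(PUBLISHED, "<p>Notes on the Azure South Central outage.</p>"
                                   "<p>I have a bad feeling about 2020.</p>")),
]

if __name__ == "__main__":
    for edit in find_silent_edits(CAPTURES):
        print(f"still says published {edit.published}, but the body changed "
              f"between {edit.before:%Y-%m-%d} and {edit.after:%Y-%m-%d}")
```

<p>Blogger's own Atom feed also records a separate 'updated' timestamp for each post (the feed this page is taken from carries one next to each 'published' stamp), so it is another independent signal worth comparing against the displayed date.</p>
<br />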
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfOcRP8jnXZm4774qKzvRvtbQQn3IR-zRZQVoOoRTItZI5Dz1ZkpbD7r38fWgeoyGguk9Bz95Mlf7hIeZMGVIR8GmnRUs_GRe58hh5yvht8gWoFahurp2BGIQ8SVlemkieHhviDLZDHbx-/s1600/wayback.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="153" data-original-width="801" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfOcRP8jnXZm4774qKzvRvtbQQn3IR-zRZQVoOoRTItZI5Dz1ZkpbD7r38fWgeoyGguk9Bz95Mlf7hIeZMGVIR8GmnRUs_GRe58hh5yvht8gWoFahurp2BGIQ8SVlemkieHhviDLZDHbx-/s640/wayback.png" width="640" /></a></div>
<br />
This is probably a good moment to remind you that useful resources like the Wayback Machine need money, so I encourage you to go to the web-page and donate! I have donated!<br />
<br />
<h2>The considered view is better than the initial reaction...</h2><div>Synthesizerwriter, published 2020-05-15, updated 2020-05-15</div>Some time ago, when lockdown first started, there was a lot of mainstream media coverage about how insecure some videoconferencing apps were. As always happens these days, some security companies may have been tempted to use this as a way to get publicity by releasing reports detailing their investigations into the risks of using those videoconferencing apps; some videoconferencing marketing people might have considered using this as an opportunity to promote their product; and all of this was then reported by mainstream media with a variety of biases and hidden agendas, plus the ongoing desire to capture eyeballs and clicks. I've been intrigued for a while by the view that says that 'Fake News' is a new phenomenon, because I have always thought of all news 'information' as being potentially flawed and requiring a critical appraisal. More broadly, the:<br />
<br />
<div style="text-align: center;">
<i>'Trust no source, check everything'</i></div>
<div style="text-align: center;">
<i><br /></i></div>
<div style="text-align: left;">
approach has always been very useful insurance. One example that I'm familiar with is that some editions of some of the standard text-books on analogue filter design have contained errors in some of the formulas (or formulae). The tricky bit here is 'some', because this means that the usual </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<i>'check in a couple of reference works' </i></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
approach can fail, because they might both contain the same error! Also, in an online world, what counts as a 'reference work' these days? I have always been intrigued by the way that YouTube and other online social media platforms use words like 'authoritative' when describing sources of information - they don't use words like 'legal' or 'experts' or 'scientists' or 'legislators'. Now appearing to be 'authoritative' would seem to be rather subjective to me, whereas acquiring 'expert' status can be objectively assessed, albeit with caveats because the assessment can be flawed. 'Edition n contains errors, whilst edition n+1 fixes previous errors, but may still contain a different set of errors' is one way of looking at it.</div>
<br />
When the mainstream media report on security, then there is a spectrum of opinions from security practitioners about how well they do it, ranging from 'They don't understand', through 'Most of this is kind of true, but...' to 'They understand'. My usual reaction is something like: 'They are describing some of the basic levels of this, but many of the important nuances and fine detail are missing, because to simplify a complex subject for a general audience is obviously a challenge.'<br />
<br />
On Twitter I said that my first source of news was from inside the security community, and that Bruce Schneier or Brian Krebs (or Matthew Green, but I kept the Tweet short) would be my preferred way to get an initial informed view on any security issue that the mainstream media were talking about. And yes, I'm well aware that it is rare for the mainstream media to talk about security, and that the time delays in publishing specialised blogs and mainstream news are different. And no, the order wasn't meant to be significant!<br />
<br />
So here we are some time after lockdown started, and this is probably a good time to look and see what the 'considered' opinions are.<br />
<br />
Here's <a href="https://www.schneier.com/blog/archives/2020/04/secure_internet.html">Bruce Schneier</a> giving some thoughts, which refer to an <a href="https://media.defense.gov/2020/Apr/24/2002288653/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-SHORT-FINAL.PDF">NSA survey</a> and another one from <a href="https://blog.mozilla.org/blog/2020/04/28/which-video-call-apps-can-you-trust/">Mozilla</a>, plus another from <a href="https://blog.cryptographyengineering.com/2020/04/03/does-zoom-use-end-to-end-encryption/">Matthew Green</a>, and some on a specific app from <a href="https://krebsonsecurity.com/tag/zoom/">Brian Krebs</a>... Many security companies and organisations have published guides on 'Things to Consider' when using a videoconferencing app or 'working at home' - here are some examples from <a href="https://www.kaspersky.com/blog/zoom-security-ten-tips/34729/">Kaspersky</a>, <a href="https://www.itgovernance.co.uk/blog/is-zoom-safe-to-use">ITGovernance</a>, the <a href="https://www.ncsc.govt.nz/newsroom/zoom-security-advice-for-public-servants/">New Zealand NCSC</a>, and the <a href="https://www.ncsc.gov.uk/guidance/home-working">UK NCSC</a>...<br />
<br />
It is very interesting to take the surveys and to compare them to a lot of the mainstream media headlines, articles and some social media 'statements' that appeared in the first days of the lockdown. What you find is, and I'm repeating this deliberately: 'They are describing some of the basic levels of this, but many of the important nuances and fine detail are missing, because to simplify a complex subject for a general audience is obviously a challenge.' For me, it is interesting to see how many of the statements like 'X does end-to-end encryption (or choose your own feature of interest), Y does not.' are not backed up by the surveys - either as 'X and Y do not', or more interestingly and relevantly: 'it isn't as simple as that...'.<br />
<br />
So is the considered view better than the initial reaction? I would guardedly say: 'Yes', but that's not a complete and definitive 'yes'. It depends... and that opens up a whole series of <a href="https://en.wikipedia.org/wiki/Principle_of_explosion">interesting things to explore</a> about truth...<br />
<br />
<h2>One day there's going to be an automated security disclosure...</h2><div>Synthesizerwriter, published 2020-05-06, updated 2020-05-15</div>I was just a little surprised when Instagram sent me a message that appeared to 'express an opinion'...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfJ84CSLvyk_-AZl5pfRauTanqZO54D8NLQegXrSLg5PLID2J9li7-ZzHhORsm09yGm3YYtdQgEBUFBWj0VJfbE-fMacy7DofoV8Xc0JQ7tjik2vwJquV8w7S9gN4_4TFRmHamvo9rxcXy/s1600/Goldfrapp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="283" data-original-width="1161" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfJ84CSLvyk_-AZl5pfRauTanqZO54D8NLQegXrSLg5PLID2J9li7-ZzHhORsm09yGm3YYtdQgEBUFBWj0VJfbE-fMacy7DofoV8Xc0JQ7tjik2vwJquV8w7S9gN4_4TFRmHamvo9rxcXy/s640/Goldfrapp.png" width="640" /></a></div>
<br />
But it set me thinking about how easy it would be for a developer to write an automated message template that leaks confidential information via an unexpected side-channel... Risk assessment of tiny scripts that do apparently innocuous things, anyone?<br />
<br />
Names are interesting things. I once tried to get a hi-tech music themed sticker printed by one of the on-line drop-shipping companies and the artwork was rejected because of a copyright strike. I had used the word: 'Device', as in an electronic music device, but this was flagged up because 'Device' was the name of an American industrial metal band in 2012, and so was trademarked...<br />
<br />
<h2>Hardwear.IO - my tiny bit of a major Virtual Conference! aka 'What are Wall Challenges'?</h2><div>Synthesizerwriter, published 2020-05-04, updated 2020-05-07</div>I was busy during April 2020. Several deadlines all conspired to converge on the same 'month end' delivery date. But one of them was the sort of project that I really like: puzzles!<br />
<br />
Antriksh at <a href="https://hardwear.io/">Hardwear.io</a> asked me if I could reprise the 'Wall Challenges' that I did for the 2017 and 2018 Hardwear.IO conferences in Den Haag (The Hague) in The Netherlands. '<i>21 mysterious A4 pages blu-tacked to the walls with only a brief explanation'</i> is something I've been doing for various events for some time, and it is a low-key, often mostly overlooked facet of the whole event - except for the people who get into it. If you go to one of the big, serious, 'suits' events, then you find teams of people who turn up just for the 'Capture the Flag' penetration or 'Capture the Signal' radio competitions etc., and they are usually pretty totally focussed on that for the whole event.<br />
<br />
My 'Wall Challenges' are several opposites at the same time: they are carefully crafted training exercises, just like a 'Capture the Flag' contest; but they are also deliberately abstracted, which isn't a CTF or CTS feature. They are also fun challenges! So I thought that this might be a good time to look at what they are for, and why you might like to consider immersing yourself in one next time you see a sheet of paper stuck on the wall...(physical or virtual!).<br />
<h3>
Wall Challenges - what are they?</h3>
If you've ever wondered how people acquire an assured, casual ease with some technical subjects ('facility' is one of the words that sometimes gets used), then one way to do it is not to read lots, watch videos or attend lectures and seminars. Instead, actually doing something is often a good way to build familiarity, explore the limits of what you know (or don't know), and maybe extend your boundaries a bit. This is your cue: keep reading and do some Wall Challenges!<br />
<br />
Wall Challenges are apparently simple problems that are often harder than they appear, and doing them is good for you! If you ever wanted a Sudoku that was more than just a few numbers in squares, or that required programming to solve, or that went into the mathematics or theory a bit more, then you might find that Wall Challenges are exactly what you are looking for.<br />
<br />
What sort of topics are covered? Things like <b>Binary, Hex, Number bases, ASCII, ROT-13, Hashes, Look-up tables, Modulo arithmetic, Pointers, Pictograms, Anagrams, Cryptic clues, Codes, the Periodic Table, Lateral thinking, Critical thinking</b>, and more. Solving them can often be done with just pen and paper, although some require a spreadsheet, and the harder ones can require some programming (Python is what I've used...). In the course of finding solutions, you will also acquire a collection of interesting look-up tables (ASCII, Periodic Table...) that often have interesting histories and are very good things to know for Pub Quizzes or <a href="https://www.bbc.co.uk/programmes/b00lskhg">Only Connect</a> (My Team didn't get onto TV, by the way...).<br />
<br />
There's a school of thought that making things simple is both a work of genius and a genius-level way of making it look trivial. When Einstein wrote 'E=mc squared' then it looked simple enough, but the ramifications were universe-altering. Now, Wall Challenges aren't quite at that level, but they can change the way that you think...and that's the whole point. These aren't trivial ways to pass time, they are intended to make you think about things that might well be useful in Penetration Testing, Risk Assessments, Threat Modelling, Security Analysis, White and Black-hat Hacking, and so on and so on.<br />
<br />
I'm going to show examples, and in each and every case, the answer will be 'Cryptography', and it will be in capitals, which is supposedly how 'real' cryptographers do writing (sometimes). Not the crypto of block-chain currencies, but the 'hidden writing' of encryption, AES, CIA and several other three-letter acronyms (that's Confidentiality, Integrity and Availability, of course...). The Wall Challenges shown here are deliberately simple and easy to solve, plus you already know the answer! Real Wall Challenges are a bit harder, and some, like the ones you find at hardware security conferences like <a href="https://hardwear.io/">Hardwear.io</a>, are very hard indeed.<br />
<br />
Anyway, here's the first Wall Challenge, which is called 'Bounce':<br />
<br />
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b>YCHRPYAPRTGO</b></span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Okay, so even though I've given you the answer, you are probably struggling to see how we went from cryptography to that! What you need are some strategies to get you started, and the first of these is:</span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: center;">
<span style="font-family: inherit;"><b>Strategy 1: Start at the ends and scan across, skipping to see if anything looks interesting.</b></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Well, the first letter is 'Y', reading from left-to-right, and 'Y' is the last letter of </span>CRYPTOGRAPHY, but continuing gives 'YCHRPY' which isn't CRYPTOGRAPHY backwards (which is YHPARGOTPYRC, of course). The other end is 'O', and going right-to-left across gives 'OGTRPA' which isn't helping much either. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
So let's repeat that, but skipping every other letter, and we get 'YHPARG' and 'OTPYRC'. Woah! That's CRYPTOGRAPHY backwards, isn't it? So if we start at the C, second letter in from the left, and miss out every other letter, then we get 'CRYPTO' as we go across from left-to-right, and then we need to reverse direction and go right-to-left to get 'GRAPHY'. So at the end of the word, we 'bounce' and reverse direction. Maybe there should be a brick wall graphic on the piece of paper on the right-hand side? </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
So, we now know that doing a bit of adjusting of the order of letters can hide a word, but what use is that? Well, one of the basic transformations that encryption algorithms like AES use is shuffling the order of the data bytes...</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Here's the second Wall Challenge, which is called 'Inside out':</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b>PARG</b></span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b>HRCO</b></span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b>YYPT</b></span></div>
<div style="text-align: center;">
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">Starting at the 'P' on the left and going across to the right doesn't give anything useful (PARG might be the start of PARGETER, but it is an unusual word, and there aren't any 'E's!), so try right-to-left from the 'G' - which gives 'GRAP' and we know that is in the middle of the word we are looking for... But in a real challenge then we would not know what the hidden word is, and so this wouldn't be that useful. </span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">What we probably need is a revised strategy:</span></div>
<div style="text-align: left;">
<div style="text-align: center;">
<span style="font-family: inherit;"><br /></span></div>
</div>
<div style="text-align: left;">
<div style="text-align: center;">
<span style="font-family: inherit;"><b>Strategy 1 (revised): Start at the ends and scan across, vertically and diagonally, skipping to see if anything looks interesting.</b></span></div>
</div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">If we do this from the lower left hand 'Y', then we get 'YHP', and if we turn the corner at the 'P' to go across to the right, then we get 'YHPARG', which is the end half of CRYPTOGRAPHY, but reversed. If we carry on going round then we eventually hit the 'Y' where we started, so let's turn and carry on in a spiral, which takes us all the way to the 'C', giving 'YHPARGOTPYRC', which is CRYPTOGRAPHY backwards again. So this time, the word was </span>written 'inside out', as a spiral from the initial letter 'C'. Here's me trying to make it more obvious by using coloured letters for the first three letters in the spiral:<br />
<br />
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b>PARG</b></span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b>H<span style="color: red;">RC</span>O</b></span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b>Y<span style="color: red;">Y</span>PT</b></span><br />
<div style="text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b><br /></b></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">...and then the last letters...</span></div>
<div style="text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b><br /></b></span></div>
<div style="text-align: center;">
<span style="color: red; font-family: "courier new" , "courier" , monospace; font-size: large;"><b>PARG</b></span></div>
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b><span style="color: red;">H</span>RC<span style="color: red;">O</span></b></span></div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"></span><br />
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b><span style="color: red;">Y</span>Y<span style="color: red;">PT</span></b></span></div>
</div>
</div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: left;">
What have we learned this time? Well, it seems that people who are used to reading from left-to-right can find it difficult to go from right-to-left, and that turning things into a 4x3 grid and using a spiral is hard to read. So the shuffling that encryption algorithms carry out looks like it can be effective at obfuscating (a fancy way of saying 'concealing') the sequence of letters in a word. Now, I'm not aware of any cryptographic algorithms that use spirals - they tend to just shuffle or rotate rows or columns. But spirals occur all over the place in nature, and people like them, so there may well be a bias in my usage of them.<br />
<br />
The third challenge changes tack, and goes for numbers instead of letters, and is called 'Index':<br />
<br />
<div style="text-align: center;">
<b><span style="font-family: "courier new" , "courier" , monospace; font-size: large;">3 18 25 16 20 15 7 18 1 16 8 25</span></b></div>
<br />
Whenever numbers appear in a Wall Challenge, then you use another strategy:<br />
<br />
<div style="text-align: center;">
<b>Strategy 2: Are the numbers in decimal, hex or another base?</b></div>
<b><br /></b>
In this case, the numbers appear to be decimal. Often the '3' will be shown as '03' to make you think that it might be in hexadecimal or some other base. Notations like 0x8E for indicating hexadecimal numbers are quite rightly used in programming to make it unambiguously clear that the '8E' is in hex, but in Wall Challenges there are no rules, and so clues like '0x' are rare. In fact, if I did use that notation, then it would probably be misdirection!<br />
<br />
Oh, nearly forgot:<br />
<br />
<div style="text-align: center;">
<b>Strategy 0: There are no rules, standard practices or conventions. (The bad guys break them all the time anyway.)</b></div>
<br />
So we have a list of numbers which might be decimal, so what do we do next? A variation of Strategy 1 is a good starting point: look at the ends, and then scan across and find the largest and smallest numbers. In this case, 3 and 25 are the ends, 1 is the smallest value, and 25 is the largest value. This information is full of clues - can you think of something that comes in a set with about 25 different members?<br />
<br />
How about the alphabet? 26 letters... So starting on the left, what is the 3rd letter of the alphabet? 'C'. The 18th? Er, and here you get to the first lookup table. Open your favourite spreadsheet of choice and create a table that has the numbers from 1 to 26 in the first column, and then the letters from A-Z in the second column. Voila - you now have a useful Wall Challenge solving aid, and the beginnings of a collection of tables about symbols and numbers that you will be using a lot. Here's what I produced:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuoCZnONwRaE2rLNZVq7b-atWyCpz6VkRv9JbKYrat7SAn5jWDzhaW7RMPDeIGyhQZ60kSE18AcjtXclBhCccthxKL7jSBmP7nZ5Yt-wyqUpXNEX1FG9A-nvfTtiNE7eJX1u8wLGyF_Pq9/s1600/alphabet-table.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1196" data-original-width="459" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuoCZnONwRaE2rLNZVq7b-atWyCpz6VkRv9JbKYrat7SAn5jWDzhaW7RMPDeIGyhQZ60kSE18AcjtXclBhCccthxKL7jSBmP7nZ5Yt-wyqUpXNEX1FG9A-nvfTtiNE7eJX1u8wLGyF_Pq9/s400/alphabet-table.png" width="152" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Producing lookup tables like this also has a strategy:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<b>Strategy 3: Whenever you need a look-up table, make one, save it, and add a few extra columns so you are better prepared for next time...</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
For this table, I added the third column, which is a reversed index to the alphabet. This is good preparation for what I and lots of other security analysts call 'The T-Shirt Effect'. We all wish that we had a T-Shirt that says on it: 'There's no way that would ever happen!', because this occurs every time in a Risk Assessment or Threat Modelling session - there's always someone who says these words. In fact, governments around the world probably heard the same or similar words when they looked at the risk of a problem with a new virus epidemic at any time in the last decade...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Anyway, the table makes looking up the 18th letter of the alphabet much easier: 'R'. Going across from left to right, converting from the index number to the corresponding letter of the alphabet, we get: 'CRYPTOGRAPHY' just like you knew we would.</div>
<br />
The fourth introductory Wall Challenge is a bit different, and is called 'Standard Interchange':<br />
<br />
<div style="text-align: center;">
<b><span style="font-family: "courier new" , "courier" , monospace; font-size: large;">67 82 89 80 84 79</span></b></div>
<div style="text-align: center;">
<b><span style="font-family: "courier new" , "courier" , monospace; font-size: large;">71 82 65 80 72 89</span></b></div>
<br />
This time, the ends are bigger than the previous example, at which point experienced Wall Challenge solvers use another strategy:<br />
<br />
<div style="text-align: center;">
<b>Strategy 4: Is the range of numbers 26, 36, or some other small number that might contain an alphabet and numbers?</b></div>
<br />
The lowest is 65, and the highest is 89 which is a range of 24, so immediately you should be suspecting something based on the alphabet. Now 65 is one of those 'magic' numbers that shouts out for attention, because the capital letter A is 65 in ASCII, the 'American Standard Code for Information Interchange'. 89 is Y, and so it looks like this is the time to get or make an ASCII lookup table for your collection.<br />
<br />
If you replace 67 with the ASCII letter equivalent, you get 'C'. 82 is R, 89 is Y, and before you know it, you have: 'CRYPTOGRAPHY'.<br />
<br />
There's an interesting thing to note here. The index table for the alphabet is actually a subset of the ASCII table - if you add 64 to the first column then it decodes CRYPTOGRAPHY perfectly fine, and this could be added as a fourth 'Shifted ASCII' column... But the ASCII table has lots of other characters in it - numbers, lowercase letters and all sorts of symbols, plus characters that control what a printer does (line feed, carriage return and those curious references back to mechanical printers that borrowed terminology and actions from mechanical typewriters...), as well as characters that don't actually print anything. If you go beyond the 127th character, then ASCII changes from something which is pretty consistent everywhere, to something with lots of alternatives. This 'Extended ASCII' is still standard, it's just that there are lots of standards covering all the variations.<br />
<br />
So a nefarious puzzle-setter who wanted to hide some text might well make the capital A have the value 65, but that doesn't mean that it is automatically ASCII. Suppose B was 64, and C was 63? The correct reaction at this point is to already have your spreadsheet open and be adding a column, by the way...<br />
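The four strategies above, turned into code. This is an added example and not part of the original post or of any Hardwear.io material: the puzzle strings are the ones shown above, and the function names (<span style="font-family: "courier new" , "courier" , monospace;">decode_bounce</span>, <span style="font-family: "courier new" , "courier" , monospace;">decode_spiral</span>, <span style="font-family: "courier new" , "courier" , monospace;">decode_by_column</span>) are my own. The look-up table is built once with the extra columns Strategy 3 asks for (index, reversed index, ASCII code), so the same decoder solves 'Index', 'Standard Interchange', and a puzzle that counts down from Z.<br />

```python
"""Solvers for the four introductory Wall Challenges ('Bounce', 'Inside out',
'Index' and 'Standard Interchange'), built around the look-up table that
Strategy 3 tells you to keep. Added example: the puzzle texts are the ones
on the page, the function names are my own."""
import string

ALPHABET = string.ascii_uppercase


def alphabet_table():
    """Strategy 3: one table with the extra columns the post suggests:
    1-based index, reversed index (Z=1 .. A=26) and the ASCII code."""
    return [{"index": i, "letter": letter, "reversed": 27 - i, "ascii": ord(letter)}
            for i, letter in enumerate(ALPHABET, start=1)]


def decode_by_column(numbers, column):
    """Map each number to the letter whose `column` value equals it, so the
    same table solves 'Index' (column='index'), 'Standard Interchange'
    (column='ascii') and a puzzle counting down from Z (column='reversed')."""
    lookup = {row[column]: row["letter"] for row in alphabet_table()}
    return "".join(lookup[n] for n in numbers)


def decode_bounce(text, start):
    """'Bounce': every other letter rightwards from position `start`, then
    bounce off the right-hand end and read the skipped letters leftwards."""
    forward = text[start::2]
    backward = "".join(text[i] for i in range(len(text) - 1, -1, -1)
                       if (i - start) % 2 != 0)
    return forward + backward


def bounce_candidates(text):
    """Strategy 1 in code: the start is unknown, so try both parities and
    look at what comes out (one of them is usually the word reversed)."""
    return [decode_bounce(text, start) for start in (0, 1)]


def decode_spiral(grid, start_row, start_col):
    """'Inside out': read outwards from the start cell in a spiral going
    left, down, right, up with leg lengths 1, 1, 2, 2, 3, 3, ...
    Cells that fall outside the grid are skipped, which is what happens
    when the spiral reaches the edge of the 3x4 grid."""
    rows, cols = len(grid), len(grid[0])
    directions = [(0, -1), (1, 0), (0, 1), (-1, 0)]
    r, c = start_row, start_col
    out = [grid[r][c]]
    leg = 0
    while len(out) < rows * cols and leg < 4 * (rows + cols):
        dr, dc = directions[leg % 4]
        for _ in range(leg // 2 + 1):
            r, c = r + dr, c + dc
            if 0 <= r < rows and 0 <= c < cols:
                out.append(grid[r][c])
        leg += 1
    return "".join(out)


if __name__ == "__main__":
    print(bounce_candidates("YCHRPYAPRTGO"))
    print(decode_spiral(["PARG", "HRCO", "YYPT"], 1, 2))
    print(decode_by_column([3, 18, 25, 16, 20, 15, 7, 18, 1, 16, 8, 25], "index"))
    print(decode_by_column([67, 82, 89, 80, 84, 79, 71, 82, 65, 80, 72, 89], "ascii"))
```

Running it prints both bounce readings (the parity-0 one is the word reversed, exactly as Strategy 1 noticed), the spiral read from the 'C' at row 1, column 2, and the two number puzzles decoded through the same table. Adding a column to the table is all it takes to cover a setter who makes A=65, B=64, C=63 and so on.<br />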
<br />
That completes this first introduction to Wall Challenges. If you want more examples, then there are a few posts in this blog that contain them, and attending a Hardwear.io or Nullcon conference might get you a view before anyone else...<br />
<h3>
Resources</h3>
<a href="https://www.youtube.com/watch?v=M7MWse68EJo">My YouTube channel</a>. Go to the 'Playlists' and look for 'Wall Games'. There are quite a few other videos here to look at, covering topics like security, anime and music...<br />
<br />
<a href="https://www.youtube.com/watch?v=M7MWse68EJo">Hardwear.IO Virtual Con 2020 Questions Only</a> - this is the 'Questions Only' version of the Wall Challenges from the Hardwear.IO Virtual Conference 2020 held online on the 30th of April and 1st of May 2020.<br />
<br />
<a href="https://youtu.be/_chBxq4P_5Y">Hardwear.IO Virtual Con 2020 Questions and Answers</a><br />
<br />
<a href="https://youtu.be/O34eoI9H3bM">Hardwear.IO 2018 Questions</a><br />
<br />
<a href="https://youtu.be/n_TAkt6uziw">Hardwear.IO 2018 Questions and Answers</a><br />
<br />
<a href="https://youtu.be/D1ld88Ibwxw">Hardwear.IO 2017 Questions</a><br />
<br />
<a href="https://youtu.be/vsrS8W1mzc0">Hardwear.IO 2017 Questions and Answers</a><br />
<br />
<a href="https://hardwear.io/">Hardwear.IO are excellent hardware security conferences! </a><br />
<br />
<a href="https://nullcon.net/website/about-nullcon.php">Nullcon is a recommended security conference...</a><br />
<br />
<a href="https://securitytiruces.blogspot.com/2020/03/nullcon-2020-conference-badge.html">The Nullcon 2020 Badge meta-puzzle...</a><br />
<br />
---<br />
<br />
If you find my writing helpful, informative or entertaining, then please consider visiting the following link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):<br />
<br />
<div>
<div style="margin: 0px;">
<a class="bmc-button" href="https://www.buymeacoffee.com/synthwriter" target="_blank"><img alt="Buy me a coffee" src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg" style="cursor: move;" /><span style="margin-left: 5px;">Buy me a coffee</span></a></div>
</div>
</div>
<h3>Entropy - what is it, what does it mean and why is it useful?</h3>
By Synthesizerwriter. Published 2020-05-02T09:23:00.002-07:00, updated 2020-05-02T09:25:08.212-07:00.<br />
<br />
Entropy is fascinating. It is a measure of the disorderliness of a system - and so, unsurprisingly, it has a tendency to increase. You can't un-bake a cake, as they say. Organising, sorting and tidying are all counter-measures, but like recycling, it turns out that the real universe is more complex and tricky to work with than you might hope, and so trying to do 'the right thing' often has the opposite effect.<br />
<br />
Measuring entropy is one of the activities that cryptographers use when designing random number generators. I always like the irony of a universe where there is an increasing amount of disorder, but when you want to make a source of randomness, then it always seems to be infected with hidden layers of predictability. Random noise seems to be one of those nice ideas that is very difficult to obtain in practice, because there are a huge number of repetitive, predictable sources of information that drown out the randomness. So random noise generation becomes a search for how to remove bias, or interference from non-random sources, followed by the refinement of statistical techniques to show how successful the removal has been.<br />
<br />
As I have noted before, the better the encoding and encryption technique used, the more the resulting output looks like random noise. My 'think about things from a different viewpoint' brain takes that and inverts it, arriving at the conclusion that truly random noise must contain hidden information - but we just don't know the key (or the coding scheme!) and so can't decode it. I'm sure there is lots of money to be made from this type of thing, and, of course, <a href="https://en.wikipedia.org/wiki/The_Bible_Code_(book)">there is</a>!<br />
<br />
Hackers also use entropy, but often for different reasons. If cryptographers have put lots of effort into making encryption produce noise-like data, then one way to look for encrypted data is to look for randomness. Firmware is a good place to look, because it is usually an intrinsic part of the underlying platform that services are built on, and so is an appealing target. So hackers look at firmware in a number of ways, which I always think of as different 'filters'...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyU5_mFj0USXRvEOfMaNapfXnnpar_MyTjyUF7OVeKqvK4jn0C9PPslgyaD4DjFtKuisAQaGYZeCN8fx6QCrljB9P0Oo8G-MmZXxIzfCUjj_aLNAR-n1UzhKRsOp-sdZPMrcP95csmhaSg/s1600/HexFiend.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="554" data-original-width="1024" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyU5_mFj0USXRvEOfMaNapfXnnpar_MyTjyUF7OVeKqvK4jn0C9PPslgyaD4DjFtKuisAQaGYZeCN8fx6QCrljB9P0Oo8G-MmZXxIzfCUjj_aLNAR-n1UzhKRsOp-sdZPMrcP95csmhaSg/s640/HexFiend.png" width="640" /></a></div>
<br />
The first filter that most people use is my old favourite: ASCII characters and strings. Open the extracted firmware (or data file containing it!) in a hex editor, and look for readable characters - for some reason, hex editors always seem to have a strict ordering of columns: index on the left, then the data in hex, and then the same data in ASCII printable characters. In the old 8-bit days, then you could expect to see lots of strings containing everything that appeared on the screen as text, plus lots of things that the programmer probably didn't want you to ever see: debug messages, passwords or cheat codes for reviewers/managers, initialisation settings, and more. As time has gone on, there is less and less useful information to be found, but sometimes... Wherever valuables are hidden, then there are people who will make tools to help the search. So truffleHog is just one example of a utility that searches for interesting strings on GitHub, and there are lots of other 'Information Gathering' and 'Reconnaissance' tools that will attempt to locate strings. The example screenshot above shows HexFiend, a hex editor for MacOS, looking at itself...<br />
<br />
What I look for in a hex editor, of course, is the ability to add offsets, to rotate, to invert and to do other 'ASCII-obscuring'-related processes in order to try and locate obfuscated strings...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGE79-MM_naqRfoe6hxPyk0B5nqTd2fFViWIVRklixQKHrI3dd1IDL5Xw7DvyM25qn-9Okr2z71CgX_FFXDt9CPsh6Ere9K6oQqDq_GwWJ0f7vzOGdpomwnkHurEjq5kKbDnFPWluhLDF7/s1600/entropy2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="933" data-original-width="1253" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGE79-MM_naqRfoe6hxPyk0B5nqTd2fFViWIVRklixQKHrI3dd1IDL5Xw7DvyM25qn-9Okr2z71CgX_FFXDt9CPsh6Ere9K6oQqDq_GwWJ0f7vzOGdpomwnkHurEjq5kKbDnFPWluhLDF7/s640/entropy2.png" width="640" /></a></div>
<br />
Another filter that is used relates to randomness. Utilities like binwalk provide a graph that shows Entropy on the vertical axis, and index (position within the file) on the horizontal axis (binwalk does lots of other things too!). The binwalk example file shows exactly the sort of graph that the hacker probably isn't looking for: on the left, a short block with low entropy, followed by a big block with an entropy of about 0.6, followed by another short block with low entropy, then a block of about 0.5... and finally, a long block with low entropy. Nowhere in this graph is a flat block up at the 1.0 level, which would usually be inferred to mean either encrypted data, or better, keys!<br />
<br />
(As often happens, one thing leads to another, so this thinking about binwalk took me in a very different direction, which will feature in a future blog post...)<br />
<br />
The problem with just typing <span style="font-family: "courier new" , "courier" , monospace;">>binwalk -E filename.bin</span> and then looking at the graph is that people get told that a flat line at 1.0 means encrypted or key data (with a short flat spike probably indicating keys!), a rough line peaking at 1.0 but with little spikes down to 0.9 or so means compressed, flat areas with zero entropy are just fixed data, and anything else is code. There's a problem here, and it relates to knowing what entropy is.<br />
<br />
Remember that entropy is a measure of disorder. So when it is up at 1.0, it means that each successive value is very different to the previous one, and so on: random values! Conversely, down at 0, it means that each successive value is no different to the previous one, etc. Note that 'no different' does not mean: '00 00 00 00 00...', it means lots of repeated values. So the graph doesn't show the values, it shows the variability instead.<br />
<br />
With all of this in mind, we can now think about hiding data. If I was trying to hide keys or encrypted code inside firmware, knowing that people would use binwalk to find those keys, then all I need to do is to change the variability of the keys or encrypted code. One simple way to do this is to just add zero bytes (or any other value) every n bytes. If we add 00 every other byte then we have an entropy of zero for the 00 bytes, and 1 for the keys or code, giving an overall entropy of 0.5. We have doubled the size of the data, but for keys this does not matter, and extracting the keys is trivial! However, if you look at the obscured key data in a hex editor, then all of those 00 bytes will be obvious...<br />
<br />
Alternatively, you could split the keys or code into nibbles: half bytes. So 7E would become 70 and 0E. If I do this to lots of data, then there are only 32 different values: 0-F followed by 0, or 0 followed by 0-F. The entropy is now not anywhere near 1.0 any longer, because all those zeroes reduce the variability - you can predict that there will be a zero either at the start or the end of each two-character hex byte. But the data isn't fixed either (it isn't just 7E 7E 7E 7E 7E...), and so the entropy is about 0.5. Not only that, but looking at the data in a hex editor, it is going to be much harder to spot the zeroes. The cost of this better obfuscation is that the extraction of the keys is slightly harder... So now the key data isn't going to be obvious in either binwalk or a hex editor. In other words, you can 'design' the entropy of your data if you know what is being measured.<br />
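Here is what is actually being measured, and why the two disguises work against a scanner that only looks at the raw bytes. This is an added example, not code from the post and not binwalk's own code: <span style="font-family: "courier new" , "courier" , monospace;">binwalk -E</span> plots Shannon entropy of the byte-value frequencies in each block, scaled to 0.0 - 1.0 by dividing by 8 bits, and that is what <span style="font-family: "courier new" , "courier" , monospace;">normalised_entropy</span> below computes. The 'firmware' image, the block size of 256 bytes and the 0.9 threshold are constructed for the example. The point for the analyst is the last function: measure the entropy of a couple of cheap derived views (every other byte; adjacent bytes OR'd back together) as well as the raw image, and the padded key region shows up again.<br />

```python
"""Block-by-block Shannon entropy (the quantity that 'binwalk -E' plots), the
two low-entropy disguises from the post, and the derived 'views' an analyst
can measure so that the disguised key region shows up again.
Added example; binwalk itself is not used and the image below is constructed,
not a real firmware dump."""
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte (0.0 .. 8.0) from the frequency of each byte value.
    Note what is measured: how evenly the 256 byte values are used within the
    block, not how different each byte is from its neighbour."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def normalised_entropy(data):
    """The 0.0 .. 1.0 scale used on the binwalk graph: bits per byte / 8."""
    return shannon_entropy(data) / 8.0


def entropy_profile(data, block_size=256):
    """The graph as (offset, normalised entropy) pairs, one per block."""
    return [(off, normalised_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def high_entropy_blocks(data, block_size=256, threshold=0.9):
    """Offsets of the blocks that the 'flat line at 1.0' rule would flag."""
    return [off for off, e in entropy_profile(data, block_size) if e >= threshold]


# The two disguises from the post: both keep the key bytes intact but spread
# them over twice as many bytes, so each block's value distribution is skewed.

def interleave_zeros(data):
    """Insert 0x00 after every byte."""
    return b"".join(bytes([b, 0]) for b in data)


def split_nibbles(data):
    """0x7E becomes 0x70 0x0E: only 31 distinct byte values can occur."""
    return b"".join(bytes([b & 0xF0, b & 0x0F]) for b in data)


# Cheap views to measure as well as the raw bytes: each undoes one disguise.

def deinterleave(data, stride=2, phase=0):
    """Every stride-th byte, starting at phase; undoes interleave_zeros."""
    return data[phase::stride]


def join_nibbles(data):
    """OR each pair of bytes back together; undoes split_nibbles."""
    return bytes(data[i] | data[i + 1] for i in range(0, len(data) - 1, 2))


def scan_views(data, block_size=256, threshold=0.9):
    """Flagged block offsets for the raw image and for each derived view.
    Offsets in the derived views refer to the derived byte streams, which
    are half the length of the raw image."""
    return {
        "raw": high_entropy_blocks(data, block_size, threshold),
        "deinterleaved": high_entropy_blocks(deinterleave(data), block_size, threshold),
        "nibbles_joined": high_entropy_blocks(join_nibbles(data), block_size, threshold),
    }


# Constructed sample image (not a real dump): 512 bytes of 'A' padding, a
# 512-byte key region that uses every byte value equally (a stand-in for
# random key material), then 512 zero bytes.
PADDING = b"\x41" * 512
KEY_REGION = bytes(range(256)) * 2
TRAILER = b"\x00" * 512
FIRMWARE = PADDING + KEY_REGION + TRAILER
DISGUISED_NIBBLES = PADDING + split_nibbles(KEY_REGION) + TRAILER
DISGUISED_ZEROS = PADDING + interleave_zeros(KEY_REGION) + TRAILER

if __name__ == "__main__":
    for name, image in (("plain", FIRMWARE), ("nibble-split", DISGUISED_NIBBLES),
                        ("zero-interleaved", DISGUISED_ZEROS)):
        print(name, scan_views(image))
```

On the plain image the raw scan flags the two key blocks; on either disguised image the raw scan flags nothing (the nibble-split and zero-interleaved regions sit at roughly 0.55 - 0.62, which is the 'about 0.5' described above), and the matching derived view flags them again. Measuring a few such views costs almost nothing compared with the scan itself.<br />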
<br />
When I wrote this, it didn't seem that special. But now, when I go back to it, the idea that you can edit your data so that you control the entropy is very interesting indeed! It kind of takes back some of the power that randomness takes away from you...<br />
<br />
---<br />
<br />
Many articles these days use clickbait techniques to get your click, and then break that trust by never actually answering any of the questions they pose. So, let's prevent this right here and now:<br />
<br />
Entropy - what is it?<br />
<br />
The second sentence (I've never recovered fully from the Amazon review of my book where someone counted the number of pages before I actually said what something did...) tries to describe entropy without being a definition: 'a measure of the disorderliness...'. But two sentences later, my favourite is the 'un-bake a cake' metaphor. Maybe I should have said: 'You can't un-write a blog post...'!<br />
<br />
Entropy - what does it mean?<br />
<br />
This is the really fascinating thing about entropy: the more efficiently you encode or encrypt something, the higher the entropy, and the more it stands out and waves a flag saying: 'Here I am!'. And the mitigation that I suggest is to reduce that efficiency by making it bigger! I suppose that having it secure and hard to find is a good compromise, but I'm now wondering if there is a way of reducing the entropy algorithmically that is hard to detect - and ultimately, the optimum way of doing that would probably also look something like noise - but special noise that has the effect of reducing the entropy of the actual data that looks like noise because it is efficiently encrypted or encoded. Unfortunately, I'm not a good enough cryptographer to be able to figure out if this can be done, but I'm always open to feedback!<br />
<br />
Entropy - why is it useful?<br />
<br />
The third paragraph is my 'reverse way of looking at the way the world works' moment: You can use entropy as a measure of how good your encoding or encryption is. I've always loved the way that this is the opposite of sayings like 'the perfect shape is a circle...'. Playing double jeopardy then, it follows that the more ordered a system is, the worse the encoding or encryption. In this case, the universe contains a lot of very badly encoded and encrypted information, and I am very, so very glad that we don't have the keys or the algorithms!<br />
<br />
<h3>
Puzzles and security - a synergistic relationship? (published 2020-03-19)</h3>
Apparently, human beings are hard-wired to detect patterns. Sometimes this is <a href="https://en.wikipedia.org/wiki/How_to_Create_a_Mind">good</a>, but sometimes it can be <a href="https://en.wikipedia.org/wiki/Apophenia">too effective</a>, or <a href="https://en.wikipedia.org/wiki/Pareidolia">misleading</a>, or <a href="https://en.wikipedia.org/wiki/Electronic_voice_phenomenon">subject-to-multiple-interpretations</a>... A cynic might rewrite it as:<br />
<br />
<div style="text-align: center;">
Humans are hard-wired to detect patterns, even when the patterns aren't there...</div>
<br />
Patterns are very important in security, or, to put it another way: the hiding of patterns is often very important in security. Encryption is a good example of a way of hiding the patterns of ASCII-encoded text data and making them look slightly more noise-like. 'Obfuscation' is that wonderful word for hiding something in plain sight. I always remember something that was drilled into me when I worked on audio encoding:<br />
<br />
<div style="text-align: center;">
The better the coding scheme, the more the output looks like noise.</div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
And this hooks very nicely into the way that people use entropy as a way to find encoded data - plain program code has low entropy, but encrypted passwords (or other important/valuable data) have high entropy. So scanning code for high entropy sections would seem to be a good way of finding interesting encrypted data...</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Unfortunately, one of the obvious things to do when you start to protect data with encryption is to hide it in similar data. Encryption is not the only way to increase the entropy of program code, of course, just applying a simple compression scheme would also work. This 'one action leads to a corresponding follow-up action, which then leads to another action...' is the 'climbing a ladder' escalation analogy that can be used to model all sorts of interchanges. </div>
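The entropy scan described in the paragraph above, and the 'make it bigger' mitigation from the closing paragraph of the entropy post earlier on this page, as an added example that is not the author's code: a fixed-window Shannon entropy scan over a constructed byte string, a deterministic stand-in for ciphertext built from chained SHA-256 output, and the mitigation implemented as interleaving each payload byte with low-entropy filler. The 256-byte window, the 6.5 bits/byte threshold, the filler byte and the sample 'program text' are all assumptions chosen for the demonstration, not values from the post.

```python
"""Entropy scan for embedded high-entropy blobs, and why padding defeats it.

Constructed demonstration; window size, threshold and sample data are assumptions.
"""
import hashlib
import math
from collections import Counter

WINDOW = 256      # bytes per scan window; 256 lets a uniform byte stream approach 8 bits/byte
THRESHOLD = 6.5   # bits/byte; hypothetical cut-off, tune it per corpus


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty/constant, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> list:
    """Step a fixed window over `data` and return (offset, entropy) for every
    full window whose entropy is at or above `threshold`: the 'waving flag'."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def dilute(payload: bytes, ratio: int = 4, filler: bytes = b" ") -> bytes:
    """The post's mitigation made concrete: interleave every payload byte with
    ratio-1 filler bytes. The payload becomes `ratio` times bigger and each window
    is now mostly filler, so its measured entropy drops below the threshold."""
    return b"".join(bytes([b]) + filler * (ratio - 1) for b in payload)


def undilute(blob: bytes, ratio: int = 4) -> bytes:
    """Inverse of dilute(): keep every ratio-th byte, starting at offset 0."""
    return blob[::ratio]


def pseudo_random(n: int, seed: bytes = b"constructed seed") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 digests (constructed data)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed 'program text': repetitive C-like source, so low entropy (two windows' worth).
PROSE = (b"static int check_login(const char *user, const char *pw) "
         b"{ return strcmp(pw, SECRET) == 0; }\n" * 8)[:2 * WINDOW]

# Constructed 'embedded secret': exactly one window of high-entropy bytes.
SECRET_BLOB = pseudo_random(WINDOW)


def demo() -> tuple:
    """Return the scan hits for the naive layout and for the diluted layout."""
    naive = PROSE + SECRET_BLOB + PROSE           # blob sits at offset 512, window-aligned
    hidden = PROSE + dilute(SECRET_BLOB) + PROSE  # same blob, 4x bigger, filler-interleaved
    return scan(naive), scan(hidden)


if __name__ == "__main__":
    naive_hits, hidden_hits = demo()
    print("naive layout   ->", naive_hits)    # one hit, at offset 512
    print("diluted layout ->", hidden_hits)   # no hits
    print("round trip ok  ->", undilute(dilute(SECRET_BLOB)) == SECRET_BLOB)
```

The scan is stepped rather than slid byte-by-byte to keep the demonstration short; a real scanner would overlap windows, and the dilution ratio trades file size for how far below the threshold each window lands.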
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Puzzles are interesting because they can train you to look at problems in many different ways and to break assumptions - one of the other things that humans are very good at is making assumptions, of course. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
So, let's look at one of the puzzles on the <a href="https://securitytiruces.blogspot.com/2020/03/nullcon-2020-conference-badge.html">Nullcon 2020 badge</a> (and the <a href="https://securitytiruces.blogspot.com/2020/03/nullcon-2020-conference-badge-answers.html">answers</a>), and see how it encourages potential puzzle solvers (like security analysts and cryptographers) to think laterally.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Here's what part of the top of the badge looks like:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif-XJABJZFM5rqqaAKLexo1LFAZT0g0E4ibGHDaxAC8-ka9-DsLkea-iB0KfYElsdpm46RUtg1ktm5EZO_taWxcMqWm-we1KPCzR6XgB5BqaOTUy82rGFWLkalmrXGYr_sjWYKfxh41Wqi/s1600/actual+final+badge+-+ascii+extract.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="115" data-original-width="977" height="45" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif-XJABJZFM5rqqaAKLexo1LFAZT0g0E4ibGHDaxAC8-ka9-DsLkea-iB0KfYElsdpm46RUtg1ktm5EZO_taWxcMqWm-we1KPCzR6XgB5BqaOTUy82rGFWLkalmrXGYr_sjWYKfxh41Wqi/s400/actual+final+badge+-+ascii+extract.png" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
(There's something about the look of 'fluorescent green plastic' that makes it appear super-cool!)<br />
<br />
Puzzle setters like myself know that there are clues that give away typical encodings that are used for text, so any numbers between 46 and 122 (decimal) would tend to suggest an ASCII encoding (A-z, plus 0-9 plus '.' and '/'), which would be confirmed by having lots of '32's indicating spaces. In this case, the initial number is '00', which is deliberate misdirection, and is based on people initially looking at the beginning and ending of sequences - putting the 32 mid-sequence kind of hides it amongst the other numbers.<br />
<br />
So the '00' is hopefully going to cause some people to immediately reject this as being ASCII-encoded text, but then if they look closer, they will see the '32' and note that all the other numbers are between 48 and 122... Which means that it probably is ASCII-encoded text, but that the first character is different or special in some way. One thought at this point might be that this is an index: the first piece of encoded text might be preceded by a zero, and so other encoded text would then be examined to see if the initial numbers were 01, 02, 03, etc. But the other number puzzles on the badge do not follow this sequence (so one obfuscation method that a puzzle setter could potentially use would be to deliberately offset ASCII-encoded text so that the first number is an ascending index or offset...) and so there must be something else about the number '00'. Looking it up on an ASCII table quickly reveals the secret: 00 is the decimal number that represents the archaic non-printing 'NULL' character, and given the name of the conference for this badge (Nullcon!), it is obvious that the Null character is being used to replace four ASCII numbers with a single shortcut number!<br />
<br />
One can imagine a puzzle setter who exploits this to encode other words with appropriately similar extensions using the ASCII characters outside of the ./A-z, 0-9 (46-122) range. If the fictional conference called 'DevCan' wanted a badge, then this could be encoded with 127 (the character for 'DEL' (delete)), then 08 ('backspace'), then 11 ('VT', vertical tab), then 08 ('backspace') again, then 24 (the character for 'CAN' (cancel)), with each backspace erasing the unwanted trailing letter of the name before it. Thus giving 127 08 11 08 24 for encoding DevCan. That 127 is a dead giveaway, so I suspect that the hex versions would be used instead: 7F 08 0B 08 18.<br />
<br />
For Hex-encoded ASCII, then the numbers that people look for are 2E to 7B (./0-9A-z), so those two 08s and the 18 are good misdirection!<br />
<br />
If the puzzle solver approaches things from the opposite end of the sequence (often a good technique to try), then the last four numbers are all inside the 0-9 range of 48-57 (decimal), and so are obviously numbers. Decoding them to '2020' is another strong clue that this is ASCII-encoded text.<br />
<br />
Finally, there's the 32, which is like a waving red flag to anyone who is looking for ASCII-encoded text! One approach that a puzzler might take would be to replace this with another character: 00 (Null) being one candidate. But in this case, 00 is already used, so another character would be used. Using 00 (Null) as a replacement character for 'Space' might be something that a specific puzzle setter has used previously, of course, and so knowing who set the puzzle might be useful. Conversely, puzzle setters might strive to avoid using the same obfuscation methods more than once. <br />
<br />
One difference between a puzzle and real world decoding is that puzzle setters like to give clues. The 32 in the middle of this sequence is one example, but for a conference called Nullcon, with a badge that has the word 'Nullconium' as well as 'Nullcon' written in a weird 'falling-over' books font, then there are lots of pointers to 'Nullcon' being a likely candidate for some encoded text on the badge - especially given the 'Periodic Table tile' / 'Top Trumps card' metaphor of the badge design.<br />
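The range-and-space heuristic and the control-character shortcuts discussed in the paragraphs above, as an added example that is not the author's own tooling: a parser for a row of decimal or hex numbers, the post's 'mostly between 46 and 122, with a 32 somewhere' signal, and a decoder that applies the puzzle-setter's conventions (named control codes expand to their names, backspace erases the previous character). The 'Nullcon 2020' row is reconstructed from the description (00 for NULL, 32 for the space, 50 48 50 48 for '2020'); the 99 111 110 for 'con' are my assumption, and the DevCan sequences are the post's hypothetical ones.

```python
"""Decode badge-style 'almost ASCII' number rows. Constructed example; the
Nullcon row is reconstructed from the post's description, not copied from the badge."""

# Constructed sequences (see lead-in for which values are assumptions).
NULLCON_ROW = "00 99 111 110 32 50 48 50 48"
DEVCAN_DEC = "127 08 11 08 24"
DEVCAN_HEX = "7F 08 0B 08 18"

# Control characters the post uses, spelled out by name. The post writes 00 as
# 'NULL' (four letters); the standard ASCII table abbreviates it as NUL.
CONTROL_NAMES = {
    0: "NULL", 7: "BEL", 9: "HT", 10: "LF", 11: "VT", 12: "FF", 13: "CR",
    24: "CAN", 27: "ESC", 127: "DEL",
}
BACKSPACE = 8


def parse_codes(text: str, base: int = 10) -> list:
    """Turn a whitespace-separated row of numbers (decimal or hex) into integer codes."""
    return [int(tok, base) for tok in text.split()]


def ascii_signals(codes: list, lo: int = 46, hi: int = 122) -> dict:
    """The post's heuristic: fraction of codes in the printable range 46..122,
    whether a 32 (space) is present, and which codes fall outside both."""
    n = len(codes)
    return {
        "printable_fraction": round(sum(lo <= c <= hi for c in codes) / n, 3) if n else 0.0,
        "has_space": 32 in codes,
        "outliers": [c for c in codes if not lo <= c <= hi and c != 32],
    }


def decode_badge_ascii(codes: list) -> str:
    """Decode with the puzzle-setter's conventions: printable codes are themselves,
    named control codes expand to their names, and backspace erases the previous
    character (which is what turns DEL,BS,VT,BS,CAN into DEVCAN)."""
    out = []
    for c in codes:
        if c == BACKSPACE:
            if out:
                out.pop()
        elif c in CONTROL_NAMES:
            out.extend(CONTROL_NAMES[c])
        elif 32 <= c <= 126:
            out.append(chr(c))
        else:
            out.append(f"<{c}>")  # unknown control code: leave it visible rather than guess
    return "".join(out)


if __name__ == "__main__":
    for label, row, base in (("badge row", NULLCON_ROW, 10),
                             ("DevCan dec", DEVCAN_DEC, 10),
                             ("DevCan hex", DEVCAN_HEX, 16)):
        codes = parse_codes(row, base)
        print(f"{label:11}: {ascii_signals(codes)} -> {decode_badge_ascii(codes)!r}")
```

Run on the DevCan row, the signals come back with no space and a printable fraction of zero, which is exactly why the post calls it good misdirection: the heuristic that finds the Nullcon row says nothing at all about this one, and only the control-name expansion recovers the word.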
<br />
If you have read this far, then you should now have had a glimpse of how puzzles like the Nullcon badge can encourage you to take an <a href="http://stoney.sb.org/eno/oblique.html">oblique</a> look at problems, and thus may help you to solve your next challenge in an inventive and unusual way. And the world definitely needs <a href="https://www.enoshop.co.uk/product/oblique-strategies.html">novel solutions</a>!<br />
<br />
<h3>
Nullcon 2020 Conference Badge Answers (published 2020-03-13)</h3>
The Nullcon Goa 2020 Conference Badge is a meta-puzzle. There is lots of data all over it, and it obviously has some meaning, but it isn't the usual 'little bit of manufacturer metadata in the corner' stuff, or even a <a href="https://en.wikipedia.org/wiki/Verhoeff_algorithm">Verhoeff</a> checksum. At a security conference, there is almost no need to have any further instructions - the badge is intrinsically a challenge to people whose modus operandi is to question everything.<br />
<br />
Of course, it might all mean nothing. Unless someone published the answers. If you don't want to know what all that data means, then stop reading now and click away (<a href="https://itsallgreektoanna.wordpress.com/2019/01/29/a-very-short-introduction-to-the-undeciphered-aegean-writing-systems/"> Try this as a distraction!</a> ). If you carry on reading, then welcome down the rabbit hole!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio8VjRmTIpUOxemI4OOQSdoLlqe3j0RpuNDBT_4uEW219chLsIt7Jt84fOTEcc4X7hRdixb2PNSzgEMAac1bblKh28966fB0_yShv9Q4JLfkTfgWu2dPgEc8NVMiiulztLjksTzOIANeep/s1600/Slide6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="640" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio8VjRmTIpUOxemI4OOQSdoLlqe3j0RpuNDBT_4uEW219chLsIt7Jt84fOTEcc4X7hRdixb2PNSzgEMAac1bblKh28966fB0_yShv9Q4JLfkTfgWu2dPgEc8NVMiiulztLjksTzOIANeep/s400/Slide6.png" width="267" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The badge was laser etched onto clear plastic (Now this is tricky - I'm not sure if that gorgeous green/orange plastic is 'clear' or 'transparent' - language is an impressively imprecise communication medium!) The design was produced as a DXF file, and has two slots for the lanyard, plus three other holes/circles (manufacturing detail!) There are more than twenty interconnected puzzles (hence the word: meta-puzzle) on the badge, and it looks very cool! </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
(In the graphics that follow, I have deliberately left room around the central area so that when you print out this blog, there is plenty of room for notes and calculations...)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The first thing that you probably notice is the central 'tile', which looks like an entry in an alternative <a href="https://en.wikipedia.org/wiki/Alternative_periodic_tables">Periodic Table</a> - or maybe one from a <a href="https://www.scientificamerican.com/article/does-the-multiverse-really-exist/">different universe (paywall)</a> in the <a href="https://www.scientificamerican.com/article/multiverse-the-case-for-parallel-universe/">multiverse (not paywalled)</a>, where the elements are slightly different... A Google search for Nullconium doesn't reveal much, and assuming that it is a Latin word is satisfyingly self-referential. 'Nu' isn't an abbreviation for any element, either. ( <a href="https://www.lenntech.com/periodic/name/alphabetic.htm">Link to useful list for puzzle designers</a> ) Atomic numbers as high as 2000 are way beyond current physics, and 2000+ fails as an atomic number because it isn't unique. The mass number of 20.167 is all wrong as well - it should be larger than the atomic number! At this point, it should be clear that this isn't a tile for an element - but an eye-catching device to grab your attention. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Warning: if you don't want to know, stop reading now!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h3>
The Answers!</h3>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZdDYyP-yBpvtisYZo5JSo0wAMhOg6Qzg-np0ZCAoOmAfTArWQXu8wC6rwc704eaItMGV1L4kXeNrlt6HOAgK6QbLzIni846yYPiLNb5-cQMF7qu8gW9L7CHf_lo_OUIbWlOhk7oLAPo69/s1600/Slide7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="640" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZdDYyP-yBpvtisYZo5JSo0wAMhOg6Qzg-np0ZCAoOmAfTArWQXu8wC6rwc704eaItMGV1L4kXeNrlt6HOAgK6QbLzIni846yYPiLNb5-cQMF7qu8gW9L7CHf_lo_OUIbWlOhk7oLAPo69/s640/Slide7.png" width="427" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: left;">The 2000+ is a reference to one of the many year numbering systems that are in use around the world. In the Gregorian Calendar, the current year is 2020, the 20th year of the 21st century. So the 2000 is a hint, and the 20.167 is 20 years, plus .167 of a year, which is meant to be the elapsed part of the year to the beginning of March when Nullcon Goa 2020 started. The 1st of March is day 54 out of 365, which is 0.147, so Nullcon obviously started after that... Day 61 is the 8th of March, which is the day after the last day of the conference. Nullconium thus appears to have the unusual property that the mass number of its most stable isotope increases over the course of a year, then resets, increments and continues to rise: two concatenated sawtooth waveforms...</span></div>
<br />
The green holes/circles allow a 20-sided regular icosagon to be drawn, which is unlikely to be very useful in most security-related areas, but it is interesting that it is another occurrence of '20'... This also highlights an interesting security consideration: the green layer was interpreted by the badge manufacturer as the 'holes/drill layer', and so they cut or drilled holes at those points (and probably wondered why I didn't put targets instead of circles!). But I forgot this, and so added the green '+' sign to the middle hole as an extra clue (as it says in the diagram above). I should have moved the green cross to another layer so that it got laser-etched and would be visible...<br />
<br />
Of course, a security-minded person quickly realises that this is a classic potential vulnerability - the designer made a mistake that is subtle and hard to spot, but which may have consequences that the designer wasn't anticipating. In my case, a clue was missing, and the diagram above highlights this! This type of vulnerability is not restricted to DXF files, of course: any place where two things are affected when only one was supposed to be, or where the coder assumes that two things are related when they shouldn't be, crops up in all sorts of coding situations. A bug like this is very hard to spot because people are very good at seeing patterns and associating things as groups - and in this case, this is exactly wrong - the hole and the '+' symbol should definitely be on two different layers. For a security analyst, this gives a clue to how to find this type of potential vulnerability: look for things that are out of context, exceptions or variations, or where multiple similar things happen at once - you can almost guarantee that a copy/paste/modify will have been done wrong, or that one or more references or paths or pointers will be wrong. People are very good at making this type of mistake, and very bad at spotting their mistakes. Hiding in plain sight!<br />
<br />
On the lowest edge of the badge are what look like books on a book-shelf, with some of them falling over. You either see it immediately, or else you suddenly can see it when it is pointed out to you - a binary visual interpretation. Once seen, you can't un-see it! These spell 'Nullcon' in a rather arcane way, but serve as a clue to some of the other numbers around the edge... I always try to include hints and pointers to things to get people started...<br />
<br />
Having said this about leaving clues: the two holes for the lanyard do not have any significance (and 'lanyard-puzzles' are another related class of meta-puzzle!). This is probably the most difficult challenge on the badge. As in many security-related investigations, the hardest problem to solve is one that is not a problem with an answer!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE88gTCYdUFpLu8aHDFKQVDC-iH69RdKresCNmYPOdfvwnsQvZgR24Tbn1z4V0BBABslL5gY9-lT5z2AGsFOLWIU9cycwkCWkf0B0EEFyQ9BtsBB6A6suYNiMVDqQzKVY4A_a1U4tl9EL4/s1600/Slide8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="640" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE88gTCYdUFpLu8aHDFKQVDC-iH69RdKresCNmYPOdfvwnsQvZgR24Tbn1z4V0BBABslL5gY9-lT5z2AGsFOLWIU9cycwkCWkf0B0EEFyQ9BtsBB6A6suYNiMVDqQzKVY4A_a1U4tl9EL4/s640/Slide8.png" width="428" /></a></div>
<div class="" style="clear: both; text-align: left;">
The 'book-shelf' clue leads nicely into the data around the top edges. From the left, clockwise, these get gradually more difficult. CLLNNOU is just the letters in 'Nullcon' sorted alphabetically, which leads to 3522143, which is just the alphabetical positions in CLLNNOU (1223345) undone by forming NULLCON (3522143) and then reversing the order. Over on the right hand side, the 1876^2 + 2767 gives a result of 3,522,143, which is the non-reversed order of the letters of a sorted Nullcon. </div>
<div class="separator" style="clear: both; text-align: left;">
The long row of two digit numbers at the top of the badge is just Nullcon 2020 in 'ASCII', but using character 00 with its meaning of 'Null' instead of spelling out 'NULL' as 78, 85, 76, 76. So not quite normal ASCII... But the inclusion of 2020 is also a clue for the other two sets of numbers. 04 08 04 00 is meant to look like ASCII, but is actually a number: 4,080,400, which is 2020^2, and 4080400 is the same 2020^2 again, but this time shown without commas. At this point, you are probably thinking that 'Nullcon' and '2020' seem to be the answers to the challenges, but this is not true for all of the challenges... </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZkm5L2W6R6X3rLVDfZrFK1TKUX5eWgHhv9c2pa9ZdiqaV-SPVIigGt1Vll6BgSfFrjYfeqoF7iWo1NhNsRQPpRUk-u28tmC9t2sfcm5VYGAeXES3rXE5l11UKW-4ziFneWx-IsyEW1_JB/s1600/Slide9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="640" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZkm5L2W6R6X3rLVDfZrFK1TKUX5eWgHhv9c2pa9ZdiqaV-SPVIigGt1Vll6BgSfFrjYfeqoF7iWo1NhNsRQPpRUk-u28tmC9t2sfcm5VYGAeXES3rXE5l11UKW-4ziFneWx-IsyEW1_JB/s640/Slide9.png" width="428" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Underneath the 'tile', there are four rows of numbers and symbols. In general, the numbers are numbers, whilst the symbols are used to indicate the number base that has been used to express the number. So the top left number of 3744 is to the left of an octagon, and turns out to be 2020 in octal (base 8), even with a typo in the diagram! (The missing '4' - which is not missing for any reason other than a typo!) The 011 111 100 100 to the right is also in octal, but binary octal (which is octal expressed in binary form!): '011' is 3, '111' is 7, etc. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The next row has what looks like binary again, because it is! The '\' symbol indicates binary just as the octagon indicates base 8. I did consider using Unary (base 1), where no symbol at all indicates zero, a single 1 represents 1, 11 is 2, 111 is 3, 1111 is 4, and so on, but decided that having 2020 1's in a row was going to be difficult to count! By using the '\' symbol as a clue that the base changes, the four pentagons indicate base 20, which is slightly outside most people's experience. Anyway, 510 is 2020 in base 20, which looks like there's some interesting patterning going on, and I'm sure that <a href="https://www.youtube.com/channel/UCoxcjq-8xIDTYp3uz647V5A">Numberphile</a> et al on YouTube have covered this... (I'm reasonably sure, but didn't search too hard for it...) </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The next row down has base 5, base 18 (well outside my usual path!) and what looks like it might be an ethernet address... <span style="font-family: 'times', 'times new roman', serif;">Well, it is, for the <span style="background-color: white;">Tsinghua University in Beijing, China, but this is base 10: decimal, and those dots are shorthand for 'multiply'. So it means 101 x 5 x 2 x 2 = 2020. I'm very fond of giving you a repeated pattern and then suddenly jumping to something entirely different. Lulling you into a false sense of security, as they say!</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'times', 'times new roman', serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'times', 'times new roman', serif;"><span style="background-color: white;">Now that the context switch has happened, the final row is in base 10 (decimal), then hex (base 16) and then hex again. 45^2 - 5 = 2020, which is interesting, and 7E4 does look like hex, but it's just a straight conversion from 2020. D^2 - B1 is just hex arithmetic to try and test your agility. </span></span></div>
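The number rows under the tile, and the CLLNNOU letter trick from the previous figure, regenerated as an added example that is not part of the badge design or the post's own workings: a general base converter, the 'binary octal' grouping, the letter-ranking step that produces 1223345 and 3522143, and a small solver-side helper that asks which bases make a given string read as 2020. Function names are mine; the expected values in the comments are the ones the post states.

```python
"""Regenerate the badge's base-N rows and the sorted-letter ranks. Added example;
function names are assumptions, expected values are those stated in the post."""

DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_base(n: int, base: int) -> str:
    """Write non-negative integer n in the given base (2..36), most significant digit first."""
    if not 2 <= base <= 36:
        raise ValueError("base must be between 2 and 36")
    if n < 0:
        raise ValueError("n must be non-negative")
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, base)
        digits.append(DIGITS[r])
    return "".join(reversed(digits))


def binary_coded(n: int, base: int, width: int) -> str:
    """'Binary octal' and friends: each base-`base` digit written as a `width`-bit group."""
    return " ".join(format(int(d, 36), f"0{width}b") for d in to_base(n, base))


def badge_rows(year: int = 2020) -> dict:
    """The number rows under the tile, regenerated from the bases the post names."""
    return {
        "octal": to_base(year, 8),                 # 3744 (the post notes the badge dropped a 4)
        "binary octal": binary_coded(year, 8, 3),  # 011 111 100 100
        "binary": to_base(year, 2),
        "base 20": to_base(year, 20),              # 510
        "base 5": to_base(year, 5),
        "base 18": to_base(year, 18),
        "hex": to_base(year, 16),                  # 7E4
    }


def rank_letters(word: str) -> str:
    """Replace each letter by the rank of that letter among the word's distinct letters,
    sorted alphabetically: CLLNNOU -> 1223345, NULLCON -> 3522143."""
    ranks = {ch: i + 1 for i, ch in enumerate(sorted(set(word)))}
    return "".join(str(ranks[ch]) for ch in word)


def find_base(text: str, target: int, bases=range(2, 37)) -> list:
    """Solver's direction: which bases make `text` read as `target`? Bases in which
    `text` is not even a valid numeral are skipped."""
    hits = []
    for b in bases:
        try:
            if int(text, b) == target:
                hits.append(b)
        except ValueError:
            pass
    return hits


if __name__ == "__main__":
    for name, value in badge_rows().items():
        print(f"{name:13}: {value}")
    print("CLLNNOU ->", rank_letters("CLLNNOU"), " NULLCON ->", rank_letters("NULLCON"))
    print("1876^2 + 2767 =", 1876 ** 2 + 2767)
    for row in ("3744", "510", "7E4"):
        print(f"{row} reads as 2020 in base(s) {find_base(row, 2020)}")
```

find_base() is the part a solver actually wants: given a row and the suspicion that every row is 2020, it returns the bases that fit, so the octagon, pentagon and '\' symbols become confirmations rather than the only way in.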
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'times', 'times new roman', serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'times', 'times new roman', serif;"><span style="background-color: white;">At this point, you might think you were finished. But there is one final puzzle - the numbers on the right hand side...</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'times', 'times new roman', serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTfDeSAUISGzdLtl8yXm_SHrlRVrm_jMSU0SJxTeQRKO1NzmmEkytdi9P3YLRqSv9GfSFT3QViKLrL1MWe-IqqEJnICGCY9Dnm-kgQhoBbs7HgkWweYDqlHbqpZxqK1qwIuqZ2FhR3hyphenhyphenlq/s1600/Slide10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="640" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTfDeSAUISGzdLtl8yXm_SHrlRVrm_jMSU0SJxTeQRKO1NzmmEkytdi9P3YLRqSv9GfSFT3QViKLrL1MWe-IqqEJnICGCY9Dnm-kgQhoBbs7HgkWweYDqlHbqpZxqK1qwIuqZ2FhR3hyphenhyphenlq/s640/Slide10.png" width="428" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
26, 20, 9 and 0 aren't ASCII, and they don't seem to be 2020 in any base. So what are they? If you replace the values in the rows with the number bases that are used, then you just get a grid of numbers. But if you add them up (clue is the + in front of the numbers on the right) then you get a very special number: <a href="https://en.wikipedia.org/wiki/42_(number)">42</a>. (42 is special in <a href="https://en.wikipedia.org/wiki/The_Hitchhiker%27s_Guide_to_the_Galaxy_(novel)">lots of ways</a> !) I didn't use the Catalan 5-significance of 42 in this meta-puzzle - that would be for a maths conference, not a security conference...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Finally, after all of those 'Nullcon's and '2020's, we get to a different special number: '42'. Yay!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
(It would have been boring if that was a 2020 as well, wouldn't it? Of course, 48.0952381..... x 42 is 2020, but that's another story.)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I hope you found the 42. If not, you now know how to find it!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
And a summary!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOn2ZSxhuuKHWk_1SC_KCYkb7ejhiuQVCTxi1i8Wqda4Nn_puNXaSo6QdjpyhiitnYc9RyLqrDT_eGqXsp-e-LjdhQ0clTJKovTl95nwGVZRkKsRROCAWDvNrGArSXDENiVKJwGgVs7N5f/s1600/Slide11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="640" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOn2ZSxhuuKHWk_1SC_KCYkb7ejhiuQVCTxi1i8Wqda4Nn_puNXaSo6QdjpyhiitnYc9RyLqrDT_eGqXsp-e-LjdhQ0clTJKovTl95nwGVZRkKsRROCAWDvNrGArSXDENiVKJwGgVs7N5f/s640/Slide11.png" width="428" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
---</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h3>
More...</h3>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To find the first part of this post on the Nullcon badge, visit <a href="https://securitytiruces.blogspot.com/2020/03/nullcon-2020-conference-badge.html">this page...</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you want more depth about one of the challenges above, then please visit <a href="https://securitytiruces.blogspot.com/2020/03/puzzles-and-security-synergistic.html">this page...</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
---</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I would like to thank the wonderful people at Payatu Technologies, who organise Nullcon, for great conferences (hardware.io, for example), and for asking me to do this badge design for Nullcon Goa 2020. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h3>
Nullcon 2020 Conference Badge (published 2020-03-01)</h3>
One of my many sidelines is creating meta-puzzles, as popularised by <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjV7rn2t_nnAhVNiFwKHZm2BgkQFjAAegQIAhAB&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCliff_Johnson_(game_designer)&usg=AOvVaw3fVKfqgMPxfxe_hPkE-ng-">Cliff Johnson</a> back in the 1980s. If you have never immersed yourself in an experience like <a href="https://fools-errand.com/">The Fool's Errand</a>, then meta puzzles are hard to describe. Suffice it to say that a colleague and I spent far too much time trying to solve the inter-related puzzles contained inside.<br />
<div>
<br /></div>
<div>
Since then, I've done my own homages to Cliff in the form of 'Wall Games'. These are puzzles on pieces of A4 paper: blu-tacked to the wall at Christmas parties, conferences like hardwear.io, the waiting areas for escape rooms, and various other places. Sometimes the puzzles are hard (some of the <a href="https://hardwear.io/">hardwear.io</a> wall game puzzles required writing code to solve them!) and sometimes they are easy, and I try not to repeat the same idea twice. But the key concept is that everything is interlinked.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikmllrUTIWprM_bQUsi58wcnvVZKSpL6zCO9RU4f4v8c-ruhECjy4gpWuNhlrqwdTFYpJudqoE9E8BVpZXDcnV6W-sYl_l14YqyeRQ-aWlTQhvuhw2DXE781ri-NXzuuQmM8-jUMWtcxk-/s1600/IMG_6531.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikmllrUTIWprM_bQUsi58wcnvVZKSpL6zCO9RU4f4v8c-ruhECjy4gpWuNhlrqwdTFYpJudqoE9E8BVpZXDcnV6W-sYl_l14YqyeRQ-aWlTQhvuhw2DXE781ri-NXzuuQmM8-jUMWtcxk-/s320/IMG_6531.JPG" width="240" /></a></div>
<div>
<br /></div>
<div>
The Nullcon 2020 conference badge is another variation on the same idea. There are a number of hidden references on the badge, and your task is to decode them. Nothing on the badge is there by accident - everything has a meaning. Some of the puzzles are numerical, some are word-related, some are conceptual, and some are graphical. The only clues that you get are the badge, and the conference title.<br />
<br />
Oh yes, and I have always loved the way that transparent green and orange plastic looks when laser-printed! For an even more amazing 'spirit level' experience, try putting <a href="https://en.wikipedia.org/wiki/Fluorescein">fluorescein</a> in water...</div>
<div>
<br /></div>
<div>
After the conference has finished, I will post the <a href="https://securitytiruces.blogspot.com/2020/03/nullcon-2020-conference-badge-answers.html">answers here on this blog</a>, in case you missed the reveal at the conference...<br />
<br />
---<br />
<br />
I also publish a couple of other blogs. One of them is devoted to detailed technical explorations of <a href="http://blog.synthesizerwriter.com/">hi-tech electronic music</a>. Sometimes it does stray onto other topics - like a very popular post that reveals how to <a href="http://blog.synthesizerwriter.com/2019/06/storing-text-on-dropbox.html">store text on Dropbox</a> using zero bytes from your storage allocation...<br />
<br />
---<br />
<br />
The title of this blog is a kind of meta puzzle as well. There's a very easy way to remember how to spell it...<br />
<br />
---<br />
<br />
And the answers to the badge challenges? They are <a href="https://securitytiruces.blogspot.com/2020/03/nullcon-2020-conference-badge-answers.html">here...</a><br />
<br />
---<br />
<br />
<br />
</div>
<h3>Phishing...and a little bit of analysis... (2020-01-20)</h3>
It was a strange email. Not from a name that I recognised. But it praised a post in my music technology blog <a href="http://blog.synthesizerwriter.com/">http://blog.synthesizerwriter.com</a>, mentioned an obscure link from a two year old blog post, and then used this as the hook to entice me into clicking on a link.<br />
<br />
The choice of link was interesting. From a blog where just about ALL of the links are about music, technology or music technology, the choice was one about creative writing (OK, so I do slip the occasional left-field link into blog posts...). Having a link to the original blog post itself was interesting and tempting to click on to save time, but I didn't click on it, and instead I went directly to the actual blog post source. &lt;Sound of lots of clicking...&gt; Having reminded myself that I did indeed include an 'off the beaten track' link at the end of the blog post, I then looked at the increasingly suspicious email.<br />
<br />
So I checked the actual email address, and yep, the name wasn't the same (close, but not the same), plus it was a gmail address, so it was already starting to score quite highly on my 'possible phishing' suspicion counter. The link it so desperately wanted me to click on wasn't quite as ordinary as it appeared, and, like the name at the end of the email, was in a different font size. At this point the suspicion counter was too high and I deleted the email.<div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjGLw-dTm_iZB6LmFJKb21PDy7eHef8DA2zwqgsAWw7bl0e3Y23dG8Dq7XOhNIFT-FbGzZU5rhWxYQiLXVaHLa2TYjR7ok-dcXQLfhEwtpDV02gn4M6wPq-pEdQrdfvJK978Q05S98yZiJt8HX4OWh4BhJI1DbJ1E1ZPOjGW93iEANTVEAucFMDAP0nQA=s1080" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="649" data-original-width="1080" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEjGLw-dTm_iZB6LmFJKb21PDy7eHef8DA2zwqgsAWw7bl0e3Y23dG8Dq7XOhNIFT-FbGzZU5rhWxYQiLXVaHLa2TYjR7ok-dcXQLfhEwtpDV02gn4M6wPq-pEdQrdfvJK978Q05S98yZiJt8HX4OWh4BhJI1DbJ1E1ZPOjGW93iEANTVEAucFMDAP0nQA=w400-h240" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">Photo by </span><a href="https://unsplash.com/@ujesh?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="text-align: left;">Ujesh Krishnan</a><span style="text-align: left;"> on </span><a href="https://unsplash.com/s/photos/delete?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText" style="text-align: left;">Unsplash</a></td></tr></tbody></table><div><div>
<br />
Not that long ago, phishing emails tended to routinely use urgency (only 24 hours left, do this now, urgent...) as one of the main ways that they tried to get you to click on the link payload. This email was different, because it was attempting to appeal to my vanity by praising this blog, in the hope that I would then click on the poisoned link payload. Normally this would probably raise it closer in my mind to what is called 'spear-phishing', which is where the email is targeted to an individual, but it didn't seem to be that specific. So my suspicion is that this was just what passes for ordinary routine phishing nowadays, and is consigned to the same virtual waste bin as all of those emails with names of people I know that say that I must open this link because I will love it, or I must see it, etc., and where again the name and the email address don't match... Or reminders about TV licence renewal, or refunds for Tax, or...<br />
<br />
I apologise for stating the obvious, but the occasional reminder about<br />
<br />
<div style="text-align: center;">
<b><i>not clicking on links in emails that are even slightly suspicious</i></b></div>
<br />
is always good, imho. It could save you from all sorts of bad stuff. Just delete suspicious emails.<br />
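The signals used above (a name that does not match the address, a free webmail sender, and a link that does not point where its text says) as a small 'suspicion counter', written in Python as an added example that is not the author's code. The two messages are constructed; the free-webmail list and the 'delete' threshold are assumptions.

```python
"""Added example, not from the original post: a small 'suspicion counter' that
scores an e-mail on the signals described above. The messages below are
constructed; the free-webmail list and the delete threshold are assumptions."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains treated as free webmail for the scoring rule.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
DELETE_THRESHOLD = 2  # assumption: two or more signals and it goes in the bin


class _BodyParser(HTMLParser):
    """Collects the visible text chunks and every (anchor text, href) pair."""

    def __init__(self):
        super().__init__()
        self.lines = []      # visible text, one entry per run of text
        self.links = []      # (visible text, href)
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        if data.strip():
            self.lines.append(data.strip())
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def _host(text):
    """Hostname of a URL, or of bare text that looks like one."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _norm(name):
    return " ".join(name.lower().split())


def score_message(raw):
    """Return (score, reasons) for an RFC 822 message with an HTML body."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    payload = msg.get_payload(decode=True) or b""
    parser = _BodyParser()
    parser.feed(payload.decode(msg.get_content_charset() or "utf-8"))
    reasons = []
    # Signal 1: the name signing off the message is not the sender's display name.
    signature = parser.lines[-1] if parser.lines else ""
    if display and signature and _norm(display) != _norm(signature):
        reasons.append(f"display name {display!r} != signature {signature!r}")
    # Signal 2: the sender uses a free webmail address.
    if domain in FREE_MAIL_DOMAINS:
        reasons.append(f"free webmail sender ({domain})")
    # Signal 3: link text names one host but the href points somewhere else.
    for text, href in parser.links:
        if "." in text and " " not in text and _host(text) != _host(href):
            reasons.append(f"link text {_host(text)} points at {_host(href)}")
    return len(reasons), reasons


def verdict(raw):
    score, _ = score_message(raw)
    return "delete" if score >= DELETE_THRESHOLD else "read with care"


# Constructed sample, modelled on the message described in the post.
SAMPLE = """\
From: "A. Reader" <a.reader.1234@gmail.com>
To: me@example.invalid
Subject: Loved your post
Content-Type: text/html; charset=utf-8

<p>I really enjoyed your post, especially the link at the end about creative writing.</p>
<p>You might also like <a href="http://click.example.invalid/t?id=1234">http://blog.synthesizerwriter.com/2019/06/storing-text-on-dropbox.html</a></p>
<p>Best,<br>Alex Reader</p>
"""

# Constructed benign message for comparison: name, address and link all agree.
BENIGN = """\
From: "Alex Reader" <alex@example.invalid>
To: me@example.invalid
Subject: Loved your post
Content-Type: text/html; charset=utf-8

<p>Enjoyed the Dropbox post. The follow-up I mentioned is <a href="http://example.invalid/followup">here</a>.</p>
<p>Best,<br>Alex Reader</p>
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, verdict(raw), score_message(raw))
```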
<h3>
Security analysis</h3>
There is a school of thought that says that anything that analyses phishing emails, even to remind people to be vigilant, is dangerous because it helps the creators of the emails to improve their emails and make them more dangerous. My counter-argument would be that there is a lot of analysis already available on the Interweb (and elsewhere (French for 'She Swears', btw)), and nothing that I have mentioned is new or notable - plus there is always the chance that someone will read this who hadn't ever thought about the dangers of malicious emails!<br />
<br />
More broadly, there is an opinion that says that just about everyone has already had most of their details leaked in one data breach or another anyway, and so phishing gradually becomes counter-productive, since it is trying to find the access details for an increasingly rare resource: people whose details haven't been leaked in a breach. It's a bit like the instruction that you get in corporates not to go into work when you have a cold. When no-one in the office has a cold then this makes sense, but when everyone has a particularly virulent cold (or flu, for example) then it becomes a 'lock-out' instruction and can create major problems. If everyone is out with a cold, then who is there to tell people when it is safe to return? Even if there is someone around who might be able to tell people when it is okay to return, that person might get a cold too! Game theory is interesting like that, and phishing emails seem to be following some of the classic paths of 'how processes work'. <br />
<br />
Trigger words like 'everyone' are useful clues in analysis. One hears about high school pupils where allegedly 'everyone' in their class has a pony. Deeper analysis by cautious and/or cash/credit-challenged parents seems to indicate that 'everyone' has an actual numerical value of slightly greater than 1 person...<br />
<br />
Another trigger word is 'unique'. Here the numerical value is strictly 1, and no adjectives are allowed, so 'totally unique' has no meaning, and neither does 'completely unique' or any other combination. (Although 'uniquely unique' does appeal to my sense of the ridiculous!) Unique is inherently, intrinsically 'total', 'complete', and any other adjective that advertisers and copy-writers try to insert before it. Of course, every security solution, every cryptographic algorithm, (etc.), and every method of phishing detection has to be unique as well, otherwise it wouldn't be worth advertising, would it?<br />
<br />
Using multiple trigger words in a single sentence is usually not a good idea for examination by a security analyst. 'Everyone is unique' now has a minimum numerical value of 1, which implies that everyone else does not need to take a course on philosophy as soon as possible. (Oh, and 'as soon as possible' is another trigger phrase: does it mean 'now, regardless of other tasks'; or does it mean 'later, when time is available and no more urgent tasks are left to do'?)<br />
<br />
The end-point of analysis is supposed to be good advice. Does this mean that trigger words should be avoided? (Oh, and recursion in analysis can cause problems too...)<br />
<br />
<br />
</div></div>
<h3>Threat Analysis Template Spreadsheet - Free (2019-11-03)</h3>
The world out there is complex. All too often, things are made very complicated - sometimes for very good reasons, but sometimes it feels like the twisty little passages are there because some people just like having lots of twisty little passages...<br />
<br />
In a probably vain attempt to try to reduce the entropy of the universe, here's a quick and simple attempt to produce something which I have searched for and failed to find on the Interweb: a simple Threat Analysis Template spreadsheet that isn't tied to a vast workflow and methodology where you need ample supplies of commitment, time and resources. Instead, there's a single page with 8 steps, a cut-down ranking system (1-4, where you can usually ignore 1 and 2), and some built-in guidance as to what you need to do at each of the steps, with examples.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ00Ym0jT0RrEKBjZAFic5Oa3iGEXdD1TerDp4HBQChO5NsmMinLCf668kkdakfKi_BQZD5q_fEG5DcgqUpixEaYo-UTobuCUmPkE3bOQJpoiCfry38Zig03uNH56lcaO1JDwYZxBbtA5W/s1600/Threat+Analysis+Template+screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="807" data-original-width="964" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ00Ym0jT0RrEKBjZAFic5Oa3iGEXdD1TerDp4HBQChO5NsmMinLCf668kkdakfKi_BQZD5q_fEG5DcgqUpixEaYo-UTobuCUmPkE3bOQJpoiCfry38Zig03uNH56lcaO1JDwYZxBbtA5W/s320/Threat+Analysis+Template+screenshot.png" width="320" /></a></div>
<br />
This isn't intended as a replacement for Microsoft's excellent SDLC, or ETSI's amazingly detailed TVRA, or the &lt;insert appropriate adjective here&gt; OWASP Application Threat Modelling (ATM) (or any other approach!) - it's a quick and dirty, simple and easy-to-use, 'get you started' starter example intended to at least get you walking along the yellow brick road, with no Toto or other companion required (and stumbling, crawling, or indeed, most other methods of progress-making along a path are all okay as well!). Moving to any more sophisticated methodology ought to be reasonably straightforward from this initial point, when and if you want to move onwards and upwards.<br />
<br />
To use it, you will need to gather relevant experts, make sure that their bosses are not in the room, and display the spreadsheet on a projector or a shared piece of paper (A3 is good!). Then just work from left to right, thinking about the topic. First identify the 'Asset' that you are protecting, and assign a ranking number (1-4) as appropriate - in this case you are answering the question: how important is the Asset? Then take the highest ranked Assets, and get the experts to think about how someone might steal them, stop them working, break them, get them to do something they weren't meant to do, etc. When the experts come up with a way (and they may well do so!) for something bad to happen to that precious Asset, then assign that a ranking number as well, and look at the ranking numbers: if the Asset is ranked 1 or 2, and the Threat is 1 or 2 (that's a 'low value' Asset and a 'not very worrying' Threat) then you probably don't need to do anything else, but if you get 3s or 4s then you need to move across to the right and start describing what the vulnerability is that makes the Threat viable... And so on across the spreadsheet columns.<br />
<br />
Probably the most important column is the last one, where you assign Actions to people to do something about the Threat(s) that have been identified. The best way to get things to happen is to make sure that people know what they have to do, when they have to have finished, and to know that someone will chase them up about it if they haven't bothered to do anything about it. You may be able to figure out a number of motivational techniques to encourage completion.<br />
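The left-to-right procedure above, from ranking through to chasing the last column, as a small Python helper. This is an added example, not the spreadsheet itself: the column names, the CSV layout and the sample rows are assumptions, and the real template may be laid out differently.

```python
"""Added example, not the spreadsheet from the post: applies the post's 1-4
ranking rule to rows of a threat register and lists the actions from the last
column that someone should be chasing. Column names, CSV layout and the sample
rows are assumptions."""
import csv
import io
from datetime import date

VALID_RANKS = (1, 2, 3, 4)


def needs_work(asset_rank, threat_rank):
    """The rule from the post: a 1 or 2 Asset facing a 1 or 2 Threat can usually
    be left alone; any 3 or 4 means you move right and fill in the rest."""
    for rank in (asset_rank, threat_rank):
        if rank not in VALID_RANKS:
            raise ValueError(f"rank must be 1-4, got {rank!r}")
    return asset_rank >= 3 or threat_rank >= 3


def load_register(text):
    """Parse the register from CSV text (assumed column layout, see REGISTER)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["asset_rank"] = int(rec["asset_rank"])
        rec["threat_rank"] = int(rec["threat_rank"])
        rec["due"] = date.fromisoformat(rec["due"]) if rec["due"] else None
        rows.append(rec)
    return rows


def triage(rows):
    """Split rows into those that need the right-hand columns and those parked."""
    work, parked = [], []
    for row in rows:
        target = work if needs_work(row["asset_rank"], row["threat_rank"]) else parked
        target.append(row)
    return work, parked


def missing_owner(rows):
    """Rows that need work but still have nobody named, no action or no date."""
    work, _ = triage(rows)
    return [r for r in work if not (r["action"] and r["owner"] and r["due"])]


def chase_list(rows, today):
    """Actions past their finish date: the ones someone will chase up."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    work, _ = triage(rows)
    return [f'{r["owner"]}: {r["action"]} (due {r["due"].isoformat()})'
            for r in work if r["due"] and r["due"] < today]


# Constructed sample register (not taken from the post's spreadsheet).
REGISTER = """\
asset,asset_rank,threat,threat_rank,vulnerability,action,owner,due
Customer database,4,Exfiltration via stolen admin credentials,3,Shared admin account with no MFA,Enforce MFA and per-person admin accounts,DBA lead,2019-10-15
Office printer,1,Someone prints a lot of pages,2,,,,
Build server,3,Unsigned build artefacts pushed to production,1,No signing step in pipeline,,,
Public website,2,Defacement through outdated CMS plug-in,3,Plug-in two major versions behind,Schedule plug-in update and retest,Web team,2019-12-01
"""

if __name__ == "__main__":
    rows = load_register(REGISTER)
    work, parked = triage(rows)
    print(len(work), "rows need work;", len(parked), "parked")
    print("no owner yet:", [r["asset"] for r in missing_owner(rows)])
    print("chase:", chase_list(rows, "2019-11-03"))
```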
<br />
<h3>
Getting the spreadsheet template.</h3>
<br />
<b><span style="color: blue;"><a href="https://drive.google.com/open?id=1SGQ6n2BlAN_2kurBUTCf0K0tWJqRISuh">You can get the spreadsheet here.</a> </span></b>There's a 'download' icon disguised as a tray with an arrow pointing down into it (at the top right hand side of the screen), that you need to click on, and then things will happen with your electronic digital calculating thingy box.<br />
<br />
<a href="https://drive.google.com/open?id=1SGQ6n2BlAN_2kurBUTCf0K0tWJqRISuh"><b>Download the Spreadsheet</b></a><br />
<br />
Did I mention that the <a href="https://drive.google.com/open?id=1SGQ6n2BlAN_2kurBUTCf0K0tWJqRISuh"><b>spreadsheet</b></a> is free?<br />
<br />
---<br />
<br />
<br />
<br />
<br />
<br />
<br />
<h3>Storing text on Dropbox... (2019-06-27)</h3>
Sometimes amazing stuff crops up by accident. I use Dropbox, the cloud-based online storage service, to store files that I want to share between my computers, mobile, etc. Dropbox has served me well for many years, and I have rarely needed to contact their customer support.<br />
<br />
However, a chance happening alerted me to something interesting that I hadn't considered before. Someone sent me a 'download-only' link to their Dropbox so that I could get some files, but one of those files was just a placeholder for a file that they would upload later to complete the set. All perfectly ordinary stuff that people use to do business every day.<br />
<br />
But that placeholder was interesting. I accidentally tried to download it along with all of the other files. But it wouldn't download and I got an alert warning me that it was 'zero bytes' long. It was at this point that I got interested, and I generated some test files to learn exactly how Dropbox stored them. It seems that if you store a zero length file, you can give it a short title (a few words), and it will occupy zero bytes of your Dropbox storage quota. Now zero length files are easy to produce - I just used an ASCII editor (<a href="http://blog.synthesizerwriter.com/2019/04/plain-text-in-macos-for-nyquist-plug.html">I did a whole blog post on the topic from a couple of months ago...</a>) and named and saved the empty file direct to Dropbox. After a bit more experimentation, here's the resulting directory listing from my Dropbox 'Files' page (slightly edited):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJZbQ-ROjoVnHKWtzGvK5Z6f4EDs1mgf3uBx45AwzLKm8MSEFR2SGfVVWPfGcvvFrYJ797JJ_LLJfIh0k_s99vUS5KabWBiqjSp36F7Ly_JMfGVFDDnSFP4urggCINerikaq9c-xr6UIit/s1600/Dropbox+zero+byte+files+with+titles+-+blue.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="646" data-original-width="910" height="454" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJZbQ-ROjoVnHKWtzGvK5Z6f4EDs1mgf3uBx45AwzLKm8MSEFR2SGfVVWPfGcvvFrYJ797JJ_LLJfIh0k_s99vUS5KabWBiqjSp36F7Ly_JMfGVFDDnSFP4urggCINerikaq9c-xr6UIit/s640/Dropbox+zero+byte+files+with+titles+-+blue.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As you can see, I wasn't particularly inventive in my choice of words, but just in case, I contacted Dropbox customer support to let them know that it is possible to store text on Dropbox without affecting your storage quota, and they agreed with my analysis. They also pointed out that you could also use folder names...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now I tend not to use the browser interface to Dropbox very much, but the directory page is interesting. It gives you a timed list of your activity on Dropbox, so for my recent activity, it showed the lines from Shakespeare in order, scrolling vertically as each new line was added... </div>
<div class="separator" style="clear: both; text-align: left;">
Now, this was very cool! Dropbox effectively gives you, for free, a performance tool that lets you publish short lines of text on Dropbox, where those lines of text from the file titles are displayed on a web page, in order, and timestamped. So as each empty file is added to Dropbox from a browser or just dropped into the local Dropbox folder on your computer, the Shakespearean soliloquy gets displayed one line at a time, using the text from the title of the file, with previous lines scrolling upwards or downwards (you can control this from the directory page)... No need to refresh the page - it just works.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The only catches are: </div>
<div class="separator" style="clear: both; text-align: left;">
- the title has to be short enough (you can see that some of those lines are getting close to being truncated), and </div>
<div class="separator" style="clear: both; text-align: left;">
- you can't put any punctuation in the text, except for symbols that would be allowed in file names anyway...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Well, I didn't think just virtual thespians at this point, I also thought about song lyrics. It seems that you could store song lyrics (assuming you have the rights to do so, of course), one line at a time, on Dropbox, with the right timing, and Dropbox will scroll them on the display as they are received. And this costs you nothing extra on top of whatever you normally pay for Dropbox. The files are empty, so they don't add to your storage quota! Making an app that does timed saves of empty files with titles from the individual lines in a text file is not that difficult, and Dropbox does everything else... </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'm now wondering if there is anything else that can be done with free text storage... Subtitles, commentaries, live comments, etc. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I asked Dropbox Customer Support if it was okay to publish this, and they said it was fine. So now you know too! I know it's only minor and trivial really, but for me, it is fascinating to discover that something like this is possible. My analysis follows below for those who are interested in system design...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
(I'm just wondering what Charlie Brooker of 'Black Mirror'-fame would make of this...)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://communities.theiet.org/groups/blogpost/view/60/277/6562">Here's another media-oriented blog post that I did recently...</a></div>
<h3>
Analysis</h3>
<div class="separator" style="clear: both; text-align: left;">
Here's some serious analysis of this as a system design problem. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Whenever you design a system, there are the things you want it to do, and a security analysis will give you pointers towards things that you don't want it to do. You can do risk analysis on those unwanted features, and decide on appropriate mitigations to reduce the residual risk to acceptable levels. But there's a hole in this very conventional process, and that is the things that you didn't specify that also are not security risks. These are the unexpected features, and they can be very interesting.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Risk analysis for security has evolved over a long time, and it has a sophisticated set of processes, approaches, tools and practitioners that are all based on lots of experience of looking at systems from a very specific viewpoint - security. These days, an additional and allied parallel activity has become important because of legislation like GDPR, and that is Privacy. Once again, there are processes, etc., and practitioners who are skilled at looking at systems from that viewpoint, and again the analysis leads to risks which result in mitigations to minimise the residual risk, etc. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But there's that interesting hole where the 'things that you didn't specify the system to do, but it does them anyway, and they don't have any security or privacy implications'. These things fly 'under the</div>
<div class="separator" style="clear: both; text-align: left;">
radar' and I've never seen very much in the way of any formalisation of process or approach to identifying them, assessing them, and deciding if mitigations are appropriate. Unintended consequences are probably acceptable to some level with simple, non-networked systems that aren't critical in an way - for life-support, emergency cover, critical infrastructure, etc. But as systems become more interconnected, more networked, more 'Cloud'-based, then that little word 'unintended' starts to become more significant. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In the case outlined above, a design would look at what can happen, and would assess it based on the consequences. Having folder names and file titles outside of the storage quota may seem like a pragmatic solution to a user wanting to know how much storage they are using, but actually, the user's viewpoint of the storage differs from the actual storage that a provider like Dropbox has to provide, because the filing system itself uses storage, and users would probably not want to pay for that storage, even when it turns out that they could actually be using it themselves to store information for free.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
What is more concerning are the repercussions of the unintended (or maybe, 'assessed as insignificant') features of a system when that system becomes stressed in some way. My completely uninformed suspicion is that the designers of the Dropbox system probably assumed that users would store files in folders, and that the titles of the files and folders would be insignificant in size in comparison to the actual content of the files themselves. But all it takes is someone to make an app that uses Dropbox as a filing system for song lyrics, subtitles, commentaries, etc., and things might start to escalate. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The first protection mechanism that would probably be hit would be a limit on the number of folders or files within folders. But if I had designed this, then I would be expecting that this would be linked to a lot of storage as well. The 'user story' for lots of files of zero length isn't something that I would have thought of, and so is an 'unexpected' feature that I would have probably missed in my design. And if a designer misses a feature, then is it tested thoroughly? I'm pretty sure that the consumed storage is a key parameter used to monitor a user's account - I know this because Dropbox is very good at telling me how much storage I use, and especially when I'm getting close to using it all up. Selling me additional storage is good for me and good for Dropbox. But if lots of users were to start using a filing system that exploited the folder and file name 'free' storage feature, then the number of files and folders being used might start to become an important parameter for Dropbox, because suddenly the design rules that said that the storage required for that purpose was insignificant in comparison to the actual chargeable storage space consumed by files uploaded by users, would be wrong...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Changes in design rules when you have a system launched and operational can be awkward, and they can even be potentially expensive, or maybe catastrophic. One of the reasons that I contacted Dropbox when I found out about the zero length file storage was because I was curious about their response. Dropbox were very open about the storage, and agreed that I could publish this blog on what I had found. It will be very interesting to see what happens next... </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now if I was Dropbox, then I would be assessing exactly what the consequences might be if a lot of apps started loading the Dropbox system with file and folder title metadata, and those design rules would probably be revisited. Additional checks and catches might be put in place to check for lots of zero length files, and limits for the number of zero length files could be announced and policed. Processes for designing solutions might be revisited, and new checks and balances added to try and catch unintended consequences in future designs.</div>
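The kind of check described above, run over a constructed directory listing: it measures how much of an account is names attached to empty files or folders rather than chargeable content. This is an added Python example, neither the post's code nor anything from Dropbox, and the entry format, thresholds and sample listings are assumptions.

```python
"""Added example, not from the post and not Dropbox's code: a 'text in names'
check over a constructed directory listing. Entry format, thresholds and the
sample listings are assumptions."""
from collections import namedtuple

# Constructed entry type: path within the account, size in bytes, folder flag.
Entry = namedtuple("Entry", "path size is_dir")

# Assumptions: what an operator might pick before looking twice at an account.
MIN_NAME_ONLY_ENTRIES = 10            # ignore the odd placeholder file
MAX_NAME_ONLY_FRACTION = 0.5          # more than half the entries carry no content
MAX_NAME_BYTES_PER_CONTENT_BYTE = 0.01  # names are 'insignificant' below this


def leaf_name(path):
    return path.rstrip("/").rsplit("/", 1)[-1]


def summarise(entries):
    """Count entries that store nothing but a name, and the bytes those names use."""
    name_only = [e for e in entries if e.is_dir or e.size == 0]
    return {
        "entries": len(entries),
        "name_only": len(name_only),
        "content_bytes": sum(e.size for e in entries if not e.is_dir),
        "name_only_bytes": sum(len(leaf_name(e.path).encode("utf-8"))
                               for e in name_only),
    }


def looks_like_text_in_names(summary):
    """True when the 'names are insignificant next to content' rule no longer holds."""
    if summary["name_only"] < MIN_NAME_ONLY_ENTRIES:
        return False
    fraction = summary["name_only"] / max(summary["entries"], 1)
    per_byte = summary["name_only_bytes"] / max(summary["content_bytes"], 1)
    return fraction > MAX_NAME_ONLY_FRACTION or per_byte > MAX_NAME_BYTES_PER_CONTENT_BYTE


# Constructed listing: a folder of empty files named with lines of Sonnet 18
# (punctuation dropped, as file names require) next to two real files.
SONNET = [
    "Shall I compare thee to a summers day",
    "Thou art more lovely and more temperate",
    "Rough winds do shake the darling buds of May",
    "And summers lease hath all too short a date",
    "Sometime too hot the eye of heaven shines",
    "And often is his gold complexion dimmd",
    "And every fair from fair sometime declines",
    "By chance or natures changing course untrimmd",
    "But thy eternal summer shall not fade",
    "Nor lose possession of that fair thou owst",
    "Nor shall Death brag thou wanderst in his shade",
    "When in eternal lines to time thou growst",
]
PERFORMANCE = (
    [Entry("Sonnet 18/", 0, True)]
    + [Entry(f"Sonnet 18/{line}", 0, False) for line in SONNET]
    + [Entry("photo.jpg", 2_400_000, False), Entry("notes.txt", 1_200, False)]
)

# Constructed ordinary account: real files plus a single zero-length placeholder.
ORDINARY = (
    [Entry("Work/", 0, True), Entry("Work/report.pdf", 850_000, False),
     Entry("Work/placeholder.txt", 0, False), Entry("Photos/", 0, True)]
    + [Entry(f"Photos/IMG_{i}.JPG", 3_000_000, False) for i in range(20)]
)

if __name__ == "__main__":
    for label, listing in (("performance", PERFORMANCE), ("ordinary", ORDINARY)):
        s = summarise(listing)
        print(label, s, looks_like_text_in_names(s))
```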
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But actually, there's something much more interesting that Dropbox could do, in parallel to this. They now have a lead in the 'analysis of unintended consequences of plain ordinary features in large systems', and by the time they have done all of the analysis and fixes, they will be world experts in what you need to do to mitigate against this type of potentially lurking problem. This sort of 'hard-earned' practical and theoretical expertise from actually solving a real-world problem is worth a LOT of money, and the next unintended consequence in someone else's system might be something much more damaging and dangerous, particularly if it isn't something that security or privacy risk analysis would have caught (and by its nature, it very probably will be!). At this point, that Dropbox expertise could well be one of their most precious commodities...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have to thank Dropbox customer support for their help in this. They were wonderful.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<b>All free!</b><br />
<br />All of the analysis here on this blog is free, of course (I am a CISSP in the real world until October 2019, but this is pro bono because it is fascinating...), but donations are always welcome!<br />
<br />
<div>
<div style="margin: 0px;">
<a class="bmc-button" href="https://www.buymeacoffee.com/synthwriter" target="_blank"><img alt="Buy me a coffee" src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg" style="cursor: move;" /><span style="margin-left: 5px;">Buy me a coffee</span></a></div>
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br /><b>Blog recommendation</b> (2018-10-02)<br />
Another blog that you might like to follow: <a class="linkified" href="https://blog.cryptographyengineering.com/" rel="nofollow noreferrer" target="_blank" title="https://blog.cryptographyengineering.com/">https://blog.cryptographyengineering.com/</a><br />
<br /><b>The September 2018 Azure South Central US Incident</b> (2018-10-02)<br />
The Microsoft analysis and post-mortems, followed by some press coverage of the Azure South Central US 'incident':<br />
<ul>
<li><a class="linkified" href="https://azure.microsoft.com/en-us/status/history/" rel="nofollow noreferrer" target="_blank" title="https://azure.microsoft.com/en-us/status/history/">https://azure.microsoft.com/en-us/status/history/</a></li>
<li><a class="linkified" href="https://blogs.msdn.microsoft.com/vsoservice/?p=17405" rel="nofollow noreferrer" target="_blank" title="https://blogs.msdn.microsoft.com/vsoservice/?p=17405">https://blogs.msdn.microsoft.com/vsoservice/?p=17405</a></li>
<li><a class="linkified" href="https://www.datacenterdynamics.com/opinions/hit-azure-outage-watch-out-hurricane-florence/" rel="nofollow noreferrer" target="_blank" title="https://www.datacenterdynamics.com/opinions/hit-azure-outage-watch-out-hurricane-florence/">https://www.datacenterdynamics.com/opinions/hit-azure-outage-watch-out-hurricane-florence/</a></li>
<li><a class="linkified" href="https://rcpmag.com/articles/2018/09/11/microsoft-cloud-outage-postmortem.aspx" rel="nofollow noreferrer" target="_blank" title="https://rcpmag.com/articles/2018/09/11/microsoft-cloud-outage-postmortem.aspx">https://rcpmag.com/articles/2018/09/11/microsoft-cloud-outage-postmortem.aspx</a></li>
<li>---</li>
<li><a class="linkified" href="https://www.theregister.co.uk/2018/09/17/azure_outage_report/" rel="nofollow noreferrer" target="_blank" title="https://www.theregister.co.uk/2018/09/17/azure_outage_report/">https://www.theregister.co.uk/2018/09/17/azure_outage_report/</a></li>
<li><a class="linkified" href="https://www.zdnet.com/article/microsoft-south-central-u-s-datacenter-outage-takes-down-a-number-of-cloud-services/" rel="nofollow noreferrer" target="_blank" title="https://www.zdnet.com/article/microsoft-south-central-u-s-datacenter-outage-takes-down-a-number-of-cloud-services/">https://www.zdnet.com/article/microsoft-south-central-u-s-datacenter-outage-takes-down-a-number-of-cloud-services/</a></li>
<li><a class="linkified" href="https://www.techrepublic.com/article/five-lessons-from-microsofts-azure-cloud-outage/" rel="nofollow noreferrer" target="_blank" title="https://www.techrepublic.com/article/five-lessons-from-microsofts-azure-cloud-outage/">https://www.techrepublic.com/article/five-lessons-from-microsofts-azure-cloud-outage/</a></li>
<li><a class="linkified" href="https://hub.packtpub.com/why-did-last-weeks-azure-cloud-outage-happen-heres-microsofts-root-cause-analysis-summary/" rel="nofollow noreferrer" target="_blank" title="https://hub.packtpub.com/why-did-last-weeks-azure-cloud-outage-happen-heres-microsofts-root-cause-analysis-summary/">https://hub.packtpub.com/why-did-last-weeks-azure-cloud-outage-happen-heres-microsofts-root-cause-analysis-summary/</a></li>
</ul>
<div>
As an experiment, here's a prediction: 2020 is going to be a difficult year.</div>
<br /><b>Bad Security is getting harder and harder to deny</b> (2018-10-02)<br />
Bad security is getting harder and harder to deny:<div>
<br /><a class="linkified" href="https://www.troyhunt.com/the-effectiveness-of-publicly-shaming-bad-security/" rel="nofollow noreferrer" target="_blank" title="https://www.troyhunt.com/the-effectiveness-of-publicly-shaming-bad-security/">https://www.troyhunt.com/the-effectiveness-of-publicly-shaming-bad-security/</a></div>