The Ready Player One Approach to Defense

The Idea

Back when the hardware wars were real and there were standing battlefronts in every playground about what platform was best there was very little in the way of hardware standardisation. This was before the consoles stole the hearts of all children and parents had stopped believing the lies about computers being used for homework or organising Dad’s vinyl collection and Mum’s recipes.

We’re talking pre-IBM supremacy, before the x86 architecture would take over the world. This is the time of the dinosaurs: the Motorola 68000, the ARM, and the Zilog. These chips are mostly mothballed now and consigned to the dustbin of history and the shelf of nostalgic enthusiasts. That is apart from the ARM of course, whose descendants still dominate the mobile and low-power markets.

Named after the book by Ernest Cline, which celebrates, nay revels in, retro-gaming culture, this thought experiment uses older operating systems to protect the user from outside agents through the sheer dint of their obsolescence. The idea is that if there’s no active support, there’s no active malware. Probably.

I was inspired by the idea behind Qubes which uses a compartmentalised approach to security. Each task that the user may want to perform is kept distinct from any other by having the user spawn a new virtual environment. I have thought a few times about using containers via Docker for something similar but the RPO (That’s Ready Player One) sounded like a lot more fun and might make my childhood relevant again, however briefly.

The Reality

My immediate concerns for RPO as a workable solution are performance and interoperability.

Performance

Yes, the hardware I am going to try and emulate is sometimes over 20 years old, but it still takes an absolutely horrendous amount of CPU power to create and run another chip entirely in memory, especially several at once. It’s entirely possible to cripple the host machine with too many emulated CPUs and environments. Another issue is that because we’re theoretically using non-x86 images we can’t use something easy such as Oracle’s VirtualBox for our emulation, instead having to roll our own via the slightly more esoteric QEMU. To get the most out of any system that’s considered there should be a hypervisor running as close to the tin as possible to handle the spinning up, spinning down, and switching between environments.

Interoperability

Theoretically if you can fool your guest OS into mounting or reading a FAT32 partition it should be possible to pass files between your environments. There are myriad devices which do this in hardware to allow people to have every single game written for their preferred machine on a single Micro SD card using this same approach, I’m just suggesting a shared folder between guests.

The Butter Zone

The sweet spot in terms of OS maturity is the point where it was last released on proprietary hardware and not turned into another short-lived and under-supported Linux distro, when it has nothing in common with the rest of the world as it exists now. Getting a hold of the ROM images, system BIOS and OS disks etc is an exercise in internet legal grey areas which I will leave for the reader.

My current list is:

  • BeOS 5 on BeBox (Dual 133MHz PowerPC 603)
  • AmigaOS 4 on Amiga 4000T (25MHz Motorola 68040)
  • TOS 4 on Atari Falcon (16MHz Motorola 68030)
  • RISC OS on Acorn A5000 (25MHz ARM3)
  • Amstrad CP/M on Amstrad (4MHz Zilog Z80A)

As a child of the 80s I wanted the Zilog CPU to be represented, but I can’t honestly see a use for it other than nostalgia. Not even good nostalgia like Spectrum or Commodore, Amstrad nostalgia. Only weirdos had Amstrads.

Letting go…

Let’s face it, there’s going to be a metaphorical ton of stuff that you’re not feasibly going to be able to achieve with your RPO device. If the file you want to open is something that was created post-1994 then you’re probably out of luck. Unless someone has come along and written a PDF parser for the Amiga OS (it’s not actually outside the realm of possibility) then you’re probably going to have to forgo that 20MB doc. Less is more as they say.

The Amstrad had a full suite of office-suitable tools even back in the 80s on 8-bit hardware, but you might not really recognise it as such today. I’m sure that by the time the Amiga and Atari STs came to the end of their respective lives there were much more fully featured office applications available. Possibly even terminals and command-line access for useful things such as SSH and IRC.

RISC OS as the only operating system in this list still under active development has a full selection of internet tools available for use and even has modern builds specifically for the Raspberry Pi if you were so inclined.

Summing Up

Used alongside a modern operating system for when you absolutely need to check Facebook or Twitter, open a PDF, work on your presentation or whatever it is that can’t be done in a 16-bit environment, I think there’s a useful charm in working with emulated obsolete machines, not only from a security but also from a media archaeology perspective.

Plus you get the added benefit of being able to play Syndicate on the Amiga which was easily the best version ever made.

Much like my previous article on Zalgo obfuscation, this is just a proof-of-concept and not meant for actually protecting one’s butt in the field unless one really likes flying by the seat of one’s pants.

Fullstack is a Fallacy

Rockstar. Ninja. Guru. All these bombastic adjectives have been used when employers and especially IT recruiters have been searching for talented new blood to join their teams. They’re also essentially meaningless: a term tacked on to job titles to make them look relevant and ‘with it’. They’re not. You can now add “Fullstack” to that list. Like “Rockstar”, it’s employers trying to get something for nothing.

Fullstack as a principle is meant to say that the developer applying for the position has a solid grasp of all the technologies from the server, through the middleware, to the front-end, and can write applications securely and safely across all of them.

Which stack are we talking about? Node, Mongo, Redis, Elasticsearch? Angular, Python, NoDB? PHP with PostgreSQL? Your stack might be incredibly different to mine. LAMP, WAMP, MAMP was a standard for a long time and of course things must change as all things do but without industry definition “Fullstack” is just another square to mark off on your BS bingo card.

This is why I think it’s a damaging precedent to set. I don’t want the guy who grinds my keys to be the guy that fixes my car, or my window cleaner to examine a sick pet. The same is true with technology. If you want a fast well-maintained server you get a sys-admin or sys-ops person to do it, you don’t get your database engineer to build you a responsive front-end and so on.

In an industry where personnel are already expected to keep up to date with the latest tech as well as do their job, and sometimes even learn old tech to fix problems from the past, it’s demoralising to see listings for Fullstack-only positions and be made to feel that one might be underqualified among one’s peers. In many cases, I would say the majority, it’s just not true; it’s the greed and ignorance of recruiters trying to seem hip.

So no, I’m not “Fullstack”, I’m a specialist. And so are you.

The Zen of Cheese Sandwiches and 90s Technology

There’s an old Tibetan koan (probably) that goes along the lines of “to make a cheese sandwich from scratch one must first invent the universe”. I’m not going to bother looking up if that’s true or not but you get the gist of what I’m saying here I think.

I’ve been making a new personal site for prospective employers and also because I’ve got a bit of spare time on my hands. The two facts are not mutually exclusive. With the zen cheese sandwich in mind I’ve been bootstrapping my way to a new website. I’m probably going to use an off-the-shelf CMS because there’s only so much my poor brain can handle at any one time and at the moment it’s all front-end technologies.

When I started I thought “I do the same thing every time I start a new project, I should build a boilerplate.” So I built a boilerplate so I can check it out of github and get on with work rather than spend precious minutes or hours or whatever on setting up.

“I really want to learn about PJAX (Pushstate with AJAX)” so I started writing a vanilla JS PJAX library.

“I can’t have an asynchronously loaded site without having some sort of YouTube/Github progress signifier” I told the cat as there’s nobody in the house for a week and my grip on reality is slipping somewhat. So I built a small CSS3 animation progress bar.

“My layout sucks, I should do it in Flex. But I hate using Flexbox.” So I built a simple flexgrid CSS tool.

I’m sure you can see what’s happening here. Cheese sandwich in hand I was building the universe.

That’s when things started getting weird. Well, weirder anyway. The base level of weird is quite high around here. Now that I could spin up a project in a matter of seconds there’s no reason not to for any and all ideas I may have at any given time. This week alone I’ve started and pushed to a dozen brand new repositories. The nadir (or pinnacle perhaps, dependent on viewpoint) of which might be my reintroduction to the web of the <blink> tag.

You’re welcome Internet (fuck you AP, I won’t do what you tell me). Next up I might have a stab at a marquee tag for the new millennium*. Once I get my website built of course.

* Marquee was never deprecated! Can you imagine my surprise when I tried to start this project and there was text dutifully marching from right to left as if the 90s had never left.

How We Sewed Our Own Straight Jacket

Google recently announced its initiative to improve the mobile browsing experience of all net users via its Accelerated Mobile Pages project, AMP.

AMP is a direct competitor to Facebook’s Instant Articles functionality but abstracted from the platform as a standard or protocol rather than within the context of Facebook’s walled garden.

I say walled garden because of the 1.5 billion active Facebook users 30% access the service through a mobile app of some sort. Unless you’ve specifically set it up not to, it uses an internal browser. I have no figures to hand about how many people have changed their default Facebook browser to be one of their own choosing. My instincts tell me that it’s very few. Why is this an issue? If you ask my mother or my youngest niece what the Internet is they would most likely respond “Facebook”. Facebook is becoming a platform in its own right. And content creators, journalists and publishers alike are treating it as such. I’ve heard figures from online media agencies that cite numbers as high as 50% to sometimes as high as 90% conversion rates on Facebook posts. That’s a lot of eyes on articles and for some publications that’s the difference between life and death. I get it.

The AMP proposition is a sub-set of the HTML standard which eschews all JS (read none at all), ads, and embeds. I’m not saying that the spirit with which this was suggested is bad per-se but that perhaps by following our knee-jerk reaction against the popularity of Facebook’s Instant Articles we’re going to accidentally create a tiered system akin to the one that net neutrality believers are still trying to fight. Why do I mention Net Neutrality? Because AMP suggests a selection of tags specifically for a small group of preferred vendors with tags such as amp-twitter and amp-youtube. This codifies the web as it exists at the moment. Fine. For now. But what if the landscape changes? What if an unknown video streaming provider becomes the de-facto media delivery service ahead of YouTube?

Oh wait, it can’t because who’s going to use it if it doesn’t work out of the box?

One of the beautiful things about the Open Web is the ability to make your own bad decisions about what technologies you use and to badly implement them however you see fit. That’s how people learn. It’s certainly how I learned. By picking apart code and stitching my own creations together from what I thought I had gleaned. Without this ability the web becomes static, inert and unchanging.

Some of us old internet dinosaurs used to have to wrangle the then-new markup language HTML 4.0, then later the better but still incredibly flawed XHTML 1.0 specification, before being presented with HTML5. HTML5 is great. A video is a video, audio is audio, and all of the old favourites such as iframes and objects and embeds still work with no muss or fuss.

Back in the days before broadband, when mobile telephones were small things that had monochrome screens and about 24 characters of space total, way before the iPhone would come along and change our lives forever, there *was* a mobile internet markup language: Wireless Markup Language. WML was a pared-down and fairly ugly web technology which used the idea of cards. It was pretty unpleasant. Then mobile networks caught up, and we have faster-than-broadband wireless speeds on our handsets. They started to access the web as our desktops did. We were given CSS3 and its media queries to allow us to make all this look presentable on our pocket machines.

So why the need for AMP or Facebook Instant Articles? Because we’ve bloated the web with so much tracking and third-party JavaScript that even with 4G access pages take 8 seconds or more to load. It’s our own broken web and impatience that’s prompted Facebook and Google to try and fix it for us. But it’s as far from the Open Web as it’s possible to get. What we have are competing standards: one a proprietary initiative by a would-be platform that seeks to become the Internet, and another by a coalition of worried parties who want a language of whitelisted third-party service providers. At least that last one is Open Source and you can roll your own support if you have to.

So how do we go about solving this issue? Well, one way would be to speed up web page delivery. Stop commodifying the user quite so much. Do websites really need to know where you’ve been and what you’ve clicked? I would say not. If you’ve not helped your friends and family block tracking and ad software as a matter of course you’re remiss in your responsibility to their security and online safety. Ads are potentially poisonous and have been the vector for a good number of high-profile malware attacks.
If you create websites, push back against injecting more tracking. Write cleaner, more efficient code. Use fewer libraries; maybe switch from jQuery to Aerogel or use vanilla JS for more things if it reduces your bloat. Optimise your images and videos. Start your design phase with a mobile-first methodology. Uglify your CSS and JS (but ship source maps with it: you still want to a) be able to use the developer tools to read your own work and b) be a good netizen who lets people read your output and be inspired).
From a user’s point of view you can install ad-blockers and tracker blockers like Adblock and Ghostery on your laptop.

There are wifi Adblockers available for mobile devices too, they will also speed your experience up. It’s up to us to keep the web free by not making the tracking of users profitable or useful.

Are there alternatives?

Yes. Sort of. A lot of this technology is in its infancy. So much so in fact that FBIA and AMP seem to have got the drop on Mozilla and other open source heavy hitters. One hopeful is the CPP.

This is an open note and I will be adding more points as I think of them.

Mac Homebrew and avr-gcc woes


checking whether clang++ accepts -g... yes
checking whether g++ accepts -static-libstdc++ -static-libgcc... no
checking for gnatbind... no
checking for gnatmake... no
Press ENTER or type command to continue
checking whether compiler driver understands Ada... no
checking how to compare bootstrapped objects... cmp --ignore-initial=16 $$f1 $$f2
Press ENTER or type command to continue
checking for objdir... .libs
checking for the correct version of gmp.h... yes
checking for the correct version of mpfr.h... yes
checking for the correct version of mpc.h... yes
checking for the correct version of the gmp/mpfr/mpc libraries... yes
checking for version 0.10 of ISL... no
checking for version 0.11 of ISL... no
checking for version 0.12 of ISL... no
configure: error: Unable to find a usable ISL. See config.log for details.

Some background here, I’ve been trying to get the toolchain for my mechanical keyboard set up but for some reason when I was using homebrew I could never get the avr-gcc installed due to a failed isl dependency. No matter what I read and tried I couldn’t get the make script to use the right isl version. I installed and uninstalled isl lord alone knows how many times. I installed and uninstalled the right version of isl012 but couldn’t link the headers correctly. Even the last resort of a symbolic link in my opt folder did nothing.

I have now fixed it.

All you need to do is:

$ brew edit avr-gcc

Change the two lines depends_on 'isl' and "--with-isl=#{Formula["isl"].opt_prefix}" so that both refer to isl012 instead of isl, and you’re good to go.

$ brew install avr-gcc

It *should* install the dependency for you and has the bonus of not making your other build chains break due to rolling back. No more failing out on an implicit repository head too far ahead of the make file. I wish there was a way of switching to a previous stable version in homebrew, as a standard one-liner, without having to tap formulas using the git switch trigger. Something like $ brew switch isl 012 would be good, but for some reason only some repos support that syntax, postgresql for example.

Seriously, fuck you computer.

Turkish Identity Theft

An ongoing story in which idiots continue to input their email addresses incorrectly or do not know about GMail’s dotname policy.

I have now gained ownership of the online job search identity of one Hüseyin Kaya on Yenibiris.com. Let’s hope he doesn’t depend on it.

Let me point out that I didn’t go looking for this, they sent me a link using my email address and all I did was click it and say I’d forgotten my password. That’s it. Now it’s mine. Also I don’t make a habit of clicking random links from emails.

Obfuscation through Non-Standard Character Selection

There’s been a lot of discussion about obfuscation, cryptography, steganography and the like over the last week or so here in the FU:Comp bunker. Various methods of encryption, obfuscation and diverse other ways of futzing with Big Brother came up, but this one floated to the surface as having some fairly interesting points.

What we’re trying to achieve here is the most basic way possible of preventing automated systems from reading your text. What we are definitely not trying to do here is show anyone how to make it impossible for outside agents to access your sensitive data.

I took the following phrase from the Hacker’s Manifesto as archived in Phrack Magazine #07 from ’96.

I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.

I then ran it through the open-sourced online text mangler at Lunicode using the “bent” method which then spat out:

į ąʍ ą հąçҟҽɾ, ąղժ էհìʂ ìʂ ʍվ ʍąղìƒҽʂէօ. Ӌօմ ʍąվ ʂէօք էհìʂ ìղժìѵìժմąӀ, ҍմէ վօմ çąղ’է ʂէօք մʂ ąӀӀ… ąƒէҽɾ ąӀӀ, աҽ’ɾҽ ąӀӀ ąӀìҟҽ.

Note that you’ll need a unicode font installed to see this.

Then I took a screenshot of the textbox and sent it through an OCR converter. I’m only displaying the best result I got because Google Docs just could not even and others just returned blank files.

[Image: obfuscated text before OCR]
[Image: deobfuscated text via OCR]

As you can see it’s not perfect but it’s broken up enough of the meaning that I think a cursory scrape wouldn’t pick up anything of note.

Key:

  1. NFI – Computer didn’t even get anywhere close so this is essentially just noise.
  2. Correct – Computer guessed this word.
  3. Incorrect – Computer guessed this word incorrectly.
  4. Incorrect – Computer guessed this word also incorrectly but was close.

1 am a mafia, aqd tcis is M4 Maqifesto. bled M214
Stop this individaal, 13;“;qu caq’l; stop as allafter
all, we’re all alike
.

This method is intended for person to person use only, it’s incredibly easy for someone to glance at the text and read it but currently impossible for a computer to grasp the context and therefore meaning of a conversation it may have intercepted.

This could be made stronger by adding nonsense words into your written vocabulary, using some sort of shorthand like 13375934k or using multiple levels of the same technique.

Using a dictionary spellchecker and matching against the most likely word probably would have netted the computer the correct matches for “Maqifesto” and “individaal” so that’s a thing to be wary of.

Pros:

  1. Mostly resistant to OCR.
  2. Definitely resistant to automated content searches as long as point 1 remains true.
  3. Easily read by humans.

Cons:

  1. Resistant to searches. You’re going to want to remember where you parked your documents, kids. And already know what’s in them.
  2. Easily read by humans, even those who you don’t know are looking. Over your shoulder, say.
  3. Lunicode is bidirectional.
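The spellchecker caveat above cuts deeper than it looks: an automated reader only needs a table of which glyph stands in for which letter. The following is an added example (mine, not the author’s and not Lunicode’s code) that maps the post’s own “bent” sample back to ASCII with a confusables table built from that sample, plus NFKD accent stripping for the plain accented letters, and flags text whose letters mix scripts, which is the simple check a content filter would apply.

```python
import unicodedata

# Constructed from the Lunicode "bent" sample quoted in the post: each substitute
# glyph (IPA, Armenian, Cyrillic) beside the ASCII letter it stands in for. Glyphs
# that are just accented Latin letters (ą, į, ç, ì) are not listed; NFKD handles them.
CONFUSABLES = {
    "ʍ": "m", "ɾ": "r", "ʂ": "s", "ƒ": "f",                      # Latin/IPA lookalikes
    "հ": "h", "ղ": "n", "ժ": "d", "է": "t", "վ": "y",             # Armenian
    "օ": "o", "մ": "u", "ք": "p", "ա": "w",
    "ҟ": "k", "ҽ": "e", "Ӌ": "Y", "ѵ": "v", "Ӏ": "l", "ҍ": "b",  # Cyrillic
}

# Both strings copied from the post: the plain sentence and its "bent" rendering.
ORIGINAL = ("I am a hacker, and this is my manifesto. You may stop this individual, "
            "but you can’t stop us all… after all, we’re all alike.")
OBFUSCATED = ("į ąʍ ą հąçҟҽɾ, ąղժ էհìʂ ìʂ ʍվ ʍąղìƒҽʂէօ. Ӌօմ ʍąվ ʂէօք էհìʂ ìղժìѵìժմąӀ, "
              "ҍմէ վօմ çąղ’է ʂէօք մʂ ąӀӀ… ąƒէҽɾ ąӀӀ, աҽ’ɾҽ ąӀӀ ąӀìҟҽ.")


def deobfuscate(text: str) -> str:
    """Undo homoglyph substitution: table lookup first, then strip diacritics
    from any letter that decomposes (ą -> a + combining ogonek -> a).
    Punctuation is left alone so … and ’ survive unchanged."""
    out = []
    for ch in text:
        ch = CONFUSABLES.get(ch, ch)
        if ch.isalpha():
            decomposed = unicodedata.normalize("NFKD", ch)
            ch = "".join(c for c in decomposed if not unicodedata.combining(c))
        out.append(ch)
    return "".join(out)


def scripts_used(text: str) -> set:
    """Scripts of the letters in text, read off the first word of each
    character's Unicode name (LATIN, ARMENIAN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def looks_obfuscated(text: str, max_scripts: int = 1) -> bool:
    """Cheap content-filter heuristic: ordinary prose draws its letters from one
    script, so a sentence that mixes three is worth a second look."""
    return len(scripts_used(text)) > max_scripts


if __name__ == "__main__":
    print(sorted(scripts_used(OBFUSCATED)))
    print(deobfuscate(OBFUSCATED))
```

The only thing the table cannot recover is case (į carries no capital), which is why the first letter comes back as a lowercase i.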


I just stole something and it wasn’t (entirely) my fault

When I was checking through my daily-use-nothing-sensitive gmail inbox I noticed that I had a dropbox invitation for 48GB free and a message from Samsung asking to verify an account. At first I thought that this was a phishing technique I hadn’t seen before, build trust by sending related emails sort of thing, until I looked at the recipient address.
Something many people don’t know about gmail is that it handles names in a particular way. Period-delimited names get parsed as if they had no periods.
For example, forename.surname@gmail.com is exactly the same as forenamesurname@gmail.com.

To make things worse, when you’re signing up for a new address it won’t tell you that and will allow you to go through the whole process with no warnings. The upshot of this is that as a new shiny email address owner you don’t actually get emails; the owner of the address without the periods gets them. That’s what happened to me today.

So I clicked the dropbox link and gained 48GB of free data due to the automated service at the dropbox end.

I’ll admit that I probably shouldn’t have also clicked the account activation link from Samsung but I was curious as to how much information I could get from these two sources. Samsung did send a password reset link but I decided not to follow it as I thought that might be a step too far even in the name of research.

I’ve decided to be a good netizen and report the issue in the hope that it can be resolved and will report back if anything happens.

#update of sorts#

Still no response from any of the players in this sorry tale. I really hope that Muhyiddin Abdul Rahim isn’t too annoyed at his lack of Dropbox space.

I had a read of an article from the gmail support forums and the official word is that any gmail address with my username and any number of periods in it is exactly the same as the one without, so I guess Google is off the hook. Your move Dropbox/Samsung.
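Both this story and the Yenibiris.com one above come down to a service treating a dotted Gmail address as a new user when Gmail will route its mail to the existing undotted owner. As an added example (mine, not the post’s and not Google’s, Dropbox’s or Samsung’s code), here is the canonicalisation a service could run before sending a verification or password-reset link; it also folds Gmail’s “+tag” suffix, which the post does not mention, and the user list is constructed.

```python
# Gmail delivers forename.surname@gmail.com and forenamesurname@gmail.com to one
# inbox (the post's point) and also ignores any "+tag" suffix (Gmail's plus
# addressing, not mentioned in the post). googlemail.com is Gmail's other domain.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address: str) -> str:
    """Collapse an address to the form that actually receives the mail.
    Only Gmail's rules are applied to the local part; for other domains the
    local part is kept verbatim because their rules are not known here."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def find_collision(new_address: str, existing_addresses):
    """Return the already-registered address whose inbox would receive the new
    signup's mail, or None. A service should treat a hit as the same person,
    not mint a fresh account and mail its links to a stranger."""
    target = canonical_address(new_address)
    for existing in existing_addresses:
        if canonical_address(existing) == target:
            return existing
    return None


# Constructed sample user table; placeholder names, not real accounts.
EXISTING_USERS = ["someone.else@example.org", "jane.doe@gmail.com", "bob@example.com"]

if __name__ == "__main__":
    print(find_collision("j.a.n.e.d.o.e+jobs@GMAIL.com", EXISTING_USERS))
```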

#update of sorts 2#

Dropbox Support got back to me via Twitter and I’ve forwarded them here and also provided them more information so hopefully they’ll be able to get this sorted.

#update 3#
Dropbox messaged me directly via Twitter and told me that they’ve managed to attribute the lost space to the correct user now and have also allowed me to keep the same amount of space for myself too. I don’t think I could have asked for a better resolution than that.

Backing up

You get one get out of jail free card. Mine was used up when I thought I’d lost two of the most important scripts in recent memory. I looked through all my emails, every SD card I could find (mostly RPi drives now), a bunch of laptops… nothing. I was beginning to get the panic sweats.
Luckily I hadn’t actually checked my main work machine.
There they were. They’re now backed up to BitBucket and my NAS whilst they get tied to a larger repository of moving parts to become something greater.
Remember kids, if it ain’t backed up it ain’t safe.