Tuesday, 14 November 2017

Trying to be a trapeze artist

Prior to transitioning, there was always a strange relationship between me and my clothes. Over the past few years, I’ve tried to change aspects of my style to try and at least have something for me to like and still could never find myself satisfied--case in point being my attempt to like three piece suits and an attempt to wear masculine pants that weren't black, denim, or grey. When I began to wear more feminine clothes I found myself actually looking at styles and liking them and now have a huge love for fashion.

However, the aspect of completely shedding the clothes I felt were assigned to me was not an immediate thing I attempted to accomplish. When I remarked to a friend about not being worried about my transitioning but still unable to let go of my former clothes, she stated that I was simply being a trapeze artist and all I was doing was just trying to prepare myself to fully launch to the next bar.


I’ve been finding lately that my gender cues have been throwing people off. Occasionally I’d get gendered correctly and then out of the blue I wouldn’t. These are all based on visual cues and not the verbal ones, which are a different kettle of fish. Is it simply the clothing? Is it the length of my hair? Have the changes the hormones made to my body been significant enough to make something in me appear female? Is it just my glasses?

It’s those sort of questions that I end up coming up with that lend me to think about what it is that prevents me from letting go of that bar.

I know for a fact that I do tend to speak a lot less these days simply because I am unsure of how my voice sounds to others. I’ve been fortunate enough to be able to afford a speech therapist who specialises in working with transgender persons; and because of this I know that I can speak with a feminine pitch. However, because of the way our mouths and ears work together, it’s very difficult for me to gauge how I sound without the aid of a computer program or mere opinions of those around me.


Again, another reason to think what is preventing me from leaping from the bar I am on to the next is simply that.

So what do I do? I am stuck with whatever my body gives me while I feed it these hormones. These hormones have done me wonders since I’ve been on them both physically and mentally (the latter being the most significant to me), but certain physical traits can only be dealt with by me and those I pay to help me out--a good example being the aggressive laser hair removal I’ve been engaging in for most of the year.

What I’ve decided to do at least as part of loosening my grip on the bar is to start getting rid of those clothes I opened up this entry about. There were a few suggestions from friends on what to do with them including just outright burning them, but I don’t feel like that is responsible of me. I’ve opted to give them to Qmunity, who have graciously informed me that they do have a clothes donation service in place to provide clothing to low-income transgender persons in the Metro Vancouver area.

Perhaps that is what I need to remember: I am fortunate and privileged, and as a result the idea of having to make use of such a service myself has never crossed my mind. I am lucky enough to know that as I engage in the act of trapeze, even if I slip and fall I am likely to not hurt myself too much or at least for too long, as I have a safety net waiting to catch my fall, allowing me to safely attempt to do the act once again.


So here are some boxes of clothes I’m giving to Qmunity to hopefully help someone else climb back up.

Sunday, 22 October 2017

That time when North Korea developed Wii games

A while ago, my friend Misty put out a tweet asking about a company called Nosotek, which was reported as having made video games. The part that stood out was this:
Nosotek is known for developing computer games for various platforms, such as iPhone, j2me and Wii; including Pyongyang Racer, a browser-based racing video game developed in 2012, to promote tourism to North Korea.
So what Wii game or games originated from North Korea? Down the rabbit hole we went to figure this one out.

The first thing I quipped about was a news article from 2011 that included the following statement:
North Korea is also making computer games (including Facebook games, Wii, Blackberry, iPhone and iPad games) for foreign clients such as Dutch companies.
The part that stands out is the mention of "Dutch companies" which then circles back to Nosotek.  The two foreign investors involved as per the linked Wikipedia article are Felix Abt and Volker Eloesser. Abt is a Swiss national whose background is in investment in North Korea, but Eloesser (a Dutch national) is actually directly involved in the video game industry.

Eloesser's MobyGames profile seems to indicate involvement going back into the 1980s. However, when you look at the list of games, there are no Wii games mentioned and the most recent entry was from 2007 for a J2ME game.

We know that it is very likely he was involved as Nosotek's Internet Archive page made mention of him being president of the organisation.


We also know based on the same archive that it made mention that it was involved in Wii development!


I eventually dug up another article that laid claim to a Men in Black game having been developed by the Nosotek team.
And what are the games in question? Games based on the Men in Black movies and a bowling game based on the Big Lebowski, both of which are over a decade old.
However, some re-reading of the article and Misty's digging led to the suggestion that these were mobile ports and not anything released for a home console. There was a Men in Black game released in 2012 that may fit with the whole timeline, but it was developed by another developer--Fun Labs, which is based in Romania and is a subsidiary of Activision. It's possible the subsidiary outsourced aspects of development to another party, but we do have some further evidence to say that it's not the case.

Let's keep this screenshot of the MIB Wii game in mind as we talk about a video that was released about Nosotek:


About 38 seconds into this YouTube video showing Nosotek's studios, we see a game being played on what I can assume is a Wii development kit with a completely different HUD:


The red device you see on the left is a Wii RVT-H development kit, which is rather different from your typical Wii as it has an internal hard drive! The timestamp on the photo is also important to keep in mind here.


The black box on the bottom left is a Wii NDEV kit--also strangely in a seemingly different office. One thing we overlooked in our tweet thread were two 3D models.


These models are way too detailed to be meant for a mobile game at the time. So what Wii games involved a chicken in 2009? Well, none, but one did in 2010 and its box art bears a really stark resemblance to the 3D model we've just seen.


Chicken Riot was released in 2010 by City Interactive, a Polish studio. It's basically a game where you shoot chickens--what a really strange premise. Here's a trailer:


The thing that is interesting here is that City Interactive and Nosotek have no obvious connection. However, CI claims that it developed the game, so did they contract it out to Nosotek? 

We have no concrete evidence to say that this Chicken Riot game is using the same models as the promo video, but the comparison is way too much of a coincidence. 

But then the rabbit hole gets larger. Remember Abt from earlier? Well here's a Flickr photo that he posted in 2013:


While the posted photo isn't all that interesting, the caption is:
Nosotek has quietly churned out various popular games, including one “very big” role-playing game for the Nintendo Wii.
So what is this "very big" RPG?

Unfortunately this is where the rabbit hole runs out. What I did notice is that the trailer for Chicken Riot shows a game that is seemingly different from what is being shown on that display connected to the red development kit, but because we're dealing with a low-resolution promotional video and basically an obscured HUD on the TV, it's difficult to say what it really is.

If someone can figure this out, please do let me know!

Apple A/UX on a SCSI2SD

I really, really like 680x0 Macintoshes; in particular my Quadra 800. I've had it for a few years after buying it with the intention of running Apple A/UX, an operating system long forgotten.

If you're unfamiliar with A/UX, it was a System V-based operating system that ran the Macintosh Toolbox alongside. This meant that you had a full-fledged UNIX operating system that was capable of running your typical Macintosh System software parallel to local X11 applications. It was really Apple's first foray into environments that strayed away from their traditional model.

I've long had an interest in this operating system as it is neat to think that we could have ended up in a world where System V instead of BSD ruled the roost at Apple. Apple struggled a lot in the 90s with trying to port their flagship operating system to IBM PCs (codenamed "Star Trek"), tried to reinvent the whole wheel with Copland (cancelled when Jobs took back the helm), and eventually flirted with both Be and NeXTSTEP, with the latter leading to what was initially Rhapsody, then Mac OS X, and finally macOS.

Yes. I do happen to like Apple history.

Going back to the project, I have had this Quadra 800 sitting in storage for years but knew one day I'd probably be able to get around to this project. Eventually, I got the urge to do it and ordered an SCSI2SD, a device that allows me to emulate an HDD. This was ideal to me as I can swap out the drive at will should I ever decide that I want to run a different OS on this machine.


Getting it configured is relatively easy. You need to make sure of a few things however:

  • You'll have to have a customised copy of HD SC Setup installed on a floppy disk to get the drive initialised. I'll be providing a disk image and details a bit later here.
  • Make sure that you can somehow get easy access to the USB and SD card slots. My solution works fairly well if you don't mind having something sticking out.
  • Do not bother to use anything larger than 4 GB as your SD card. I tried with a 16 GB SD card and it was painful.
Regarding getting easy access, this is my solution:



In my case, I bought a micro-USB extension cable as well as a microSD one too. I have them sitting outside of the case through a slot on the bezel (not shown). You don't really need access to the micro-USB port, but I do recommend it as there are tools available for the SCSI2SD that allow you to troubleshoot and debug what is going on.



Once you've got the device hooked into your Macintosh, you're going to need to create a new drive. This requires you to boot into an environment that allows you to run the Apple HD SC Setup tool. What I opted to do is actually buy a USB floppy drive and a bunch of floppy disks in order to boot into a System 7 environment. Normally, if you're running a standard SCSI HDD on your Mac, you can use any disk image with HD SC Setup on it; since we're dealing with an HDD that doesn't have Apple-compatible firmware, however, we're going to have to do something slightly different.

Instead of making you pull your hair out as you try to patch a 25-year-old application to recognize non-Apple drives, I'm just going to give you a disk image to boot off of instead. You can download this, image it to a diskette (it may even image to a CD-R if you try), and then boot off of it.
disktools.7z
MD5: 7c5299dae9e19ea041bc04ffd0552868
Size: 1,213,948 bytes
Once you've booted it you can then use any A/UX installation guide! I won't be covering this part but will share a few screenshots of it successfully installing!








You may run into disk errors as you've seen above, but otherwise it works!

I'll be publishing a few more entries on this as I go along. One of my goals is to get the machine to run fairly up-to-date libraries. Of course, with its meagre 33 MHz 68040 CPU and 64 MB of RAM, it will not be very fast at all. I could consider installing an upgrade board to increase the CPU speed, but I am hampered by the fact that the SCSI bus itself is fairly slow and will always be a bottleneck--just because it has solid-state storage doesn't mean it will be fast!

More to come!

Friday, 20 October 2017

Getting your hands on TransLink's SkyTrain audio files

If you look at this screenshot here, I am staring at a number of audio files that contain announcements from TransLink's SkyTrain system. This means that I have station name announcements for every stop on the Expo and Millennium Lines as well as the associated chimes and extra messages.


I do not have any of the Canada Line announcements for reasons I'll explain later.

This was inspired by Seattle's Sound Transit having released said files last year.

The annoying part in all of this is that TransLink is forbidding me from distributing these files even if I stipulate that they're not to be used for commercial purposes. This is despite the fact that I have received them under the rules of the Freedom of Information and Protection of Privacy Act (FIPPA).

Here's how the e-mail exchange went post-release:

Dear Cariad,

The recordings have been provided in response to a Freedom of
Information request. Any further dissemination or use of the
recordings requires TransLink's prior written consent. In order to
assess whether consent would be granted, TransLink will need to
receive information about the purpose and time period of the intended
use. If consent is granted, TransLink and the person requesting
consent would need to enter into an agreement regarding the use of
recordings. If you are interested in seeking consent to use the
recordings, please send your request to
commercialprograms@translink.ca.

Yours truly,

Colleen
My initial reply:
So if I were to disseminate them on my blog and make clear that 
they're not to be used for commercial recordings without TransLink's 
written consent then that would be acceptable?

Thanks,
Cariad
Okay. So let's see what they say:
Hi Cariad,
Our Commercial Programs area would have to answer your question.
I've copied them on this reply.
Colleen
Ugh...
Dear Cariad,

Further to Colleen's response below, any further dissemination 
(including on your blog) is not permitted.
Should you want to request consent, please include all of the details 
on your request for use, background and context for TransLink's 
consideration.

Best regards,
Wendy

While I am not a lawyer, this seems to be violating the spirit of the FIPPA laws. As a result of this frustrating e-mail exchange I cannot distribute these files and am not up for fighting this further. I can however make it easy for anyone to file a request for these files so you can do goofy things like have the SkyTrain door closing chime as your text messaging notification sound.

So what did I do to get them? Simple! I asked via their customer feedback form!

Fill out the form as per usual with your details, that you require a response, and that this is regarding SkyTrain (use anything for the date of occurrence) and then include the following in the details box:

This is a request to have audio files containing train announcements for SkyTrain's Expo and Millennium Lines. You may cite FOI request 2017/512 filed by Cariad Keigher as reference to the contents being requested.

The request will probably take 45 days to complete, upon which you'll get access to a "secure" portal to retrieve the files and be able to engage in any further communications.

Because Canada Line is not operated under the TransLink umbrella in the same way (thanks, Gordon Campbell), they opted to not provide the files citing that it isn't a safety or privacy issue.

I've decided to complain to the Office of the Information and Privacy Commissioner (OIPC) since it is my understanding that there should be no limitations on disseminating the information I received from TransLink--that, and ProTrans BC (operator of the Canada Line) should in my mind still be obliged to honour this request. I can understand their request to not have these audio files used for commercial purposes, but it seems really ridiculous that they cannot just attach a licence to these files.

Wednesday, 27 September 2017

Review: My Lesbian Experience with Loneliness


Years back, I used to write for a student paper and would review music and movies. I think that a healthy thing for me to do again is talk about the things I've read and watched that are notable and well I guess this graphic novel is a great way to start!

Recently, a few friends suggested I pick up Nagata Kabi's My Lesbian Experience with Loneliness. I've seen a lot of remarks on social media about how good of a story it is and had been thinking about it for some time. Looking for another book to read, it was a cheap Kindle pick up for $10 CAD on Amazon, and it was completely readable in a single evening.

This is a true story by Kabi that centres on her discovering her non-heteronormative nature and her inability to effectively socialise due to her sheltered life. While it is given from a non-Western cisgender woman's point of view, the topic of parental acceptance is front and centre and can be relatable for any sort of queer person.

Parental acceptance is a topic that has resonated with me since my adolescence and even more so since coming out as transgender. Kabi discusses in great detail how her relationship with her mother has always been complicated, and it is later in the book that she comes to realise how it relates to her sexuality.

Being that it is a graphic novel, it offers some visualisations that written words could not allow the reader to imagine. From how her first sexual encounter went, to how she behaved at work, and to how she interacts with her mother all offer something that is deep. The interactions with the lesbian escorts definitely show the confusion and awkwardness Kabi faced, but offer a bit of humour at the same time.

I definitely cannot give this book the review it deserves but I can safely say that it is worth picking up for an evening read.

Monday, 18 September 2017

My name is Cariad Keigher and I am transgender

One of the things that I've struggled with is an overall dislike for myself. I've dealt with it since my teens, resulting in anger, depression, and anxiety. Treating it as a mental illness has only either made me numb to life itself or caused others around me that I hold dear to find me frustrating or exhausting to deal with. This is not healthy; and earlier this year I opted to address it head on.

My name is Cariad Keigher and I am a transgender woman. I've been aware of this since I was 12 years old and this year I started to transition. My preferred pronouns are "she" or "her"--simple as that. If you're curious about the name, it's Welsh (meaning "sweetheart" or "dear") and I chose it because I wished to keep my first initial but was rather dismayed with the options for Irish names, so a short hop across the pond I went.

"Caoimhe" was a consideration but I already have enough problems with my last name!

Hi! I may not seem super feminine-looking but trust me, I am a girl.

I've always been jealous of other women. The experiences they have, the ability to socialise as one, the acceptance to present as one, and the "normality" to be called one have to me for as long as I can remember been a distant thought. I always thought of it as ludicrous, that this was just me being ill, and that I was a "creep" because I never fully understood what I am.

For many years, it never occurred to me that transgender women can in fact be lesbians, and it wasn't until I fully separated the concepts of gender and sexuality myself that any of that made sense. I felt caught in a trap until then, thinking that my thoughts and desires had to be something else. Experiences as a teen in terms of the women I'd date and how I felt about myself never added up, and as a result it took me decades to come to this conclusion.

There are of course lots of consequences for my choosing to transition. Men are very much dominant and hold privilege in the technology sector, something I benefited greatly from. I may lose friends, family members may object, and there are many in the general public that hold disdain for those that identify opposite to what they were assigned at birth. Transgender persons have found themselves accosted, discriminated against, assaulted, and even murdered just because there are members of society that are unable to keep their prejudices in check.

It has meant a lot of changes in my personal life that have not been easy to accept. This is not a topic I wish to dive into in this entry though.

Studies point out that at least a third of all transgender persons contemplate suicide compared to 5-15% of the youth population--and this is just for Canada, a country that has transgender rights enshrined in federal law. Suicide is a difficult subject for me to discuss however; I will refrain from discussing it further.

The point here is simply this: I didn't choose to be born this way. Nobody chooses their sexual orientation, gender identity, skin colour, or the place they're born. I don't get why I was born nor why I am the way I am, but what I will say is that I will live life as honestly as I can.

I have my foot on the accelerator pedal and so far I have no desire to take it off.

I highly recommend reading Julia Kaye's Up and Out web comic. (Source)

One anecdotal story I'll share is how during Pride Vancouver this past summer, I saw three teenage girls hanging out together. Two of them appeared to be cisgender whereas the third was seemingly "different". There was no indication whether or not she was transgender and it's irrelevant to the story why she stood out from the others, but the point was that she was accepted by the other two and they were having a good time at Pride.

While I will never get to experience what she has, I will say that I am happy to see that those younger than me have resources available to them that were otherwise unthinkable when I first became aware of myself. There are many out there who have opted to accept others for what they are and I feel that this is the best way as a species to move forward.

There are a few things you can do to help me here:

  1. Please do not refer to my former name as I will not answer to that. My former e-mail address is still valid and will remain so for the foreseeable future. If you have me in your contact list under this name, please change it. You can shorten it to "Cari" if we know each other personally.
  2. The use of pronouns is important.
  3. I am not "transgendered", "tranny", "transsexual", or whatever--these are terrible terms and you should avoid them. If you can, call me a "trans woman" or even better, a "woman".
  4. Don't feel bad if you somehow make a mistake here. I still do.
  5. I don't need any financial support so if you want to do something to benefit me, please donate to your local LGBTQ+ group. I live in a country that offers help to transgender persons in the healthcare system so I will never be asking for help there.

Many people have helped me over the past year and I want to pay it forward as that seems to be the best way considering my privilege. Much of what I am dealing with is being documented just so someone else doesn't have to be as blind as I have been in trying to sort out things.

Sarah is an excellent person and you should follow her Twitter.

Additionally, I am paying it forward by offering ten free copies of Queer Privacy, a book compiled by Sarah Jamie Lewis. I cannot recommend the book enough if you're a queer person and are interested in privacy in the digital age. These books are already prepaid for by me so do not hesitate to use the details below to get yourself a copy. I want everyone to read this book.

September 19, 2017 - 09:45 PDT
I have ten links below that'll get you free ebook copies of Queer Privacy. They're set to be first-come, first-served so when they're gone, they're gone!
https://leanpub.com/queerprivacy/c/1CTtZocZiVu9
https://leanpub.com/queerprivacy/c/B0cHjuo9PJCX
https://leanpub.com/queerprivacy/c/wLBU4sK0H2Xp
https://leanpub.com/queerprivacy/c/IG8jI4ahkCGx
https://leanpub.com/queerprivacy/c/yqFaomtyF8XH
https://leanpub.com/queerprivacy/c/Xg6DIVQbIYMM
https://leanpub.com/queerprivacy/c/8GNFpb970sDX
https://leanpub.com/queerprivacy/c/2VIInmfy7dcu
https://leanpub.com/queerprivacy/c/ZlrPDNAGyEEJ
https://leanpub.com/queerprivacy/c/ZFwRYFsXO23P
Lastly! If you're still following my old Twitter account, it has been retired. I plan to delete its tweets over the coming weeks and have migrated to a new account under the name @KateLibC. It'll still cover my antics and others' in information security, but I guess you'll be seeing more gender and sexuality-related content as well.

Last lastly! The use of "Kate" in my online handle has nothing to do with my name. It's a play on the name "Kate Libby" from Hackers. You should get the rest if you've dealt with programming or a UNIX-like operating system.

For certain lastly! You can always send me questions you may be embarrassed to ask by visiting my CuriousCat profile. I will pick and choose which questions I answer however.

Monday, 1 May 2017

Working with the McAfee Web Gateway API

If you ever find yourself in a situation where you need to work with this device via its API, be prepared to hate everything about it.

With nothing in the way of things like API keys or anything remotely close to it, you're stuck using a username and password to do any sort of remote commands. To add to this, you'll also need to make sure that you do not use an account that you want to log in with manually, because the appliance cannot discern between multiple sessions for whatever reason. Also, if you find that you've accidentally lost your session and then want to do anything further, you'll have to go make a cup of coffee, do a little yoga, and then hopefully after ten or so minutes it'll allow you to work once again.

That is the magic of the McAfee Web Gateway REST API. And because I do not wish to let anyone else experience the nauseating pain that this appliance gave me, I have been a nice person and have written an entire Python interface so you can save yourself the frustration provided by its terrible, inaccurate documentation.

Some of the features I wrote into it include the following:

  • Listing appliances
  • Listing lists
  • Viewing list entries
  • Inserting into lists
  • Saving data
  • Avoiding a stroke

I gave some thought to writing more features into it but opted not to because I was just interested in blocking content.

Also, if you do decide to make it block content, make sure that you do not have any sort of short timeouts on whatever client you are using: when you talk to the central appliance, it pushes the new XML config you just created out to all of the appliances before it gives a response, so if any of them are connected via a slow network link (less than 10 Mbit, say), you'll be waiting until they have all been updated.
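As an added illustration (not the author's Python interface and not McAfee's own code), here is how I would wrap that session model so the one permitted session is always released, a refused login is waited out rather than hammered, and the slow config push gets its own long timeout. The endpoint paths (/Konfigurator/REST/login, /logout, /commit) and port 4712 are assumptions taken from the product's REST interface, so verify them against your appliance's version; the HTTP transport is injected so the class runs offline against the constructed FakeTransport below.

```python
"""Session wrapper for the McAfee Web Gateway REST API (added example).

Two pain points drive the design: the appliance allows one session per account
and locks you out for roughly ten minutes after a lost session, and a commit
blocks until every managed appliance has received the new XML config.
Endpoint paths and the port are assumptions; check them for your version.
"""
import time


class SessionLocked(Exception):
    """Login refused because the account's previous session is still held."""


class MwgSession:
    BASE = "/Konfigurator/REST"   # assumed prefix

    def __init__(self, transport, host, user, password, *,
                 wait=60, retries=12, commit_timeout=900, sleep=time.sleep):
        self.t, self.host, self.user, self.password = transport, host, user, password
        self.wait = wait                      # seconds between login attempts
        self.retries = retries                # 12 x 60 s covers the ~10 minute lockout
        self.commit_timeout = commit_timeout  # slow links: wait for the push to finish
        self.sleep = sleep                    # injectable so tests do not really sleep
        self.token = None

    def _url(self, path):
        return f"https://{self.host}:4712{self.BASE}{path}"   # port assumed

    def login(self):
        status = None
        for attempt in range(self.retries + 1):
            status, body = self.t.post(self._url("/login"),
                                       params={"userName": self.user, "pass": self.password},
                                       timeout=30)
            if status == 200:
                self.token = body             # opaque session identifier from the appliance
                return self
            if attempt < self.retries:
                self.sleep(self.wait)
        raise SessionLocked(f"login refused {self.retries + 1} times (last HTTP {status})")

    def logout(self):
        if self.token is None:
            return
        try:
            self.t.post(self._url("/logout"), token=self.token, timeout=30)
        finally:
            self.token = None                 # never reuse a possibly dead session

    def commit(self):
        """Push pending changes to all appliances; blocks until the slowest one has them."""
        status, _ = self.t.post(self._url("/commit"), token=self.token,
                                timeout=self.commit_timeout)
        return status == 200

    def __enter__(self):
        return self.login()

    def __exit__(self, *exc):
        self.logout()                         # runs even if the body raised
        return False                          # propagate the body's exception


class FakeTransport:
    """Constructed stand-in for an HTTP client: one session at a time, plus an
    optional number of refused logins to simulate the post-lockout wait."""

    def __init__(self, refuse_logins=0):
        self.refuse_logins = refuse_logins
        self.active = False
        self.calls = []                       # (endpoint, timeout) in call order

    def post(self, url, params=None, token=None, timeout=None):
        endpoint = url.rsplit("/", 1)[-1]
        self.calls.append((endpoint, timeout))
        if endpoint == "login":
            if self.active or self.refuse_logins > 0:
                self.refuse_logins -= 1
                return 401, ""
            self.active = True
            return 200, "SESSION-TOKEN"
        if endpoint == "logout":
            self.active = False
            return 200, ""
        if endpoint == "commit":
            ok = self.active and token == "SESSION-TOKEN"
            return (200 if ok else 401), ""
        return 404, ""


if __name__ == "__main__":
    fake = FakeTransport(refuse_logins=2)
    with MwgSession(fake, "mwg.example.invalid", "apiuser", "secret",
                    sleep=lambda s: None) as s:
        print("commit ok:", s.commit())
    print("calls:", fake.calls)
```

The context manager is the important part: an exception inside the `with` body still reaches `logout()`, which is what stops a scripting mistake from costing you the ten-minute wait the post describes.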

Anyway, hopefully this saves you a few grey hairs.

Tuesday, 14 March 2017

Beating BSides Vancouver 2017 CTF using a search engine

A group separate from the BSides Vancouver organizing team put on a CTF the past two days (archive) with a prize of a four-month SANS Netwars Continuous Subscription. However, it appears that the CTF organizers (who are separate from the conference organizers) have been engaging in some shenanigans with regards to the challenges.


This came on my radar when a TinyCTF challenge from 2014 showed up and I ended up looking at the other challenges to see what was done. The ones that were not borrowed from TinyCTF were mostly documentation or forensics-related, which I assume were created by the CTF organizers.

Challenge Name                            Type    Points  Flag                            Details
Choo Choo!                                Puzzle  50      snc 52                          Link
Fore!                                     Web     250     it's_a_h0le_in_0ne              Link
Undocumented Instruction in x86           Puzzle  75      LOADALL                         Link
BFF..or P?                                Puzzle  100     esolangs_for_fun_and_profit     Link
It's OK to be a CISsy!                    Puzzle  250     3,8,7,4,9,5,6,1,2               N/A
Hail Caesar                               Crypto  50      ITSHAPPENING                    N/A
Crypto for you sir!                       Crypto  100     no_this_is_not_crypto_my_dear   Link
First time flag test                      Crypto  100     hello_world                     Link
János the Ripper                          Crypto  250     ev3n::y0u::bru7us?!             Link
Movie Time!                               RE      100     poppopret                       Link
Ooooh! What does this button do Dexter?   RE      250     w4nn4_j4r_my_d3x                Link
Gandalf!                                  RE      500     s0me7hing_S0me7hinG_t0lki3n     Link
Sound Bites!                              Misc    250     infosec_flagis_sound            Link

The annoying aspect of this is that with 'Crypto for you sir!' it ends up being wrong when you solve it. Here is the ciphertext:

XMVZGC RGC AMG RVMG HGFGMQYCD VT VWM BYNO, 
NSVWDS NSGO RAO XG UWFN AF HACDGMVWF. AIRVFN AII AMG 
JVRRVC-XVMC, FYRBIG TVIZ ESV SAH CGQGM XGGC RVMG NSAC A RYIG 
TMVR NSG SVWFG ESGMG NSGO EGMG XVMC WCNYI NSG HAO FVRG IVMH 
JARG MVWCH NV NAZG NSGR VTT NV EAM. OVWM TIAD YF "CV NSYF YF 
CVN JMOBNV RO HGAM", YC IVEGMJAFG, EYNS WCHGMFJVMGF YCFNGAH 
VT FBAJGF, FWMMVWCHGH XO NSG WFWAI "TIAD" NAD ACH JWMIO 
XMAJGF. GCUVO.

When decoded it comes out as this:

BROKEN MEN ARE MORE DESERVING OF OUR PITY, 
THOUGH THEY MAY BE JUST AS DANGEROUS. ALMOST ALL ARE 
COMMON-BORN, SIMPLE FOLK WHO HAD NEVER BEEN MORE THAN A MILE 
FROM THE HOUSE WHERE THEY WERE BORN UNTIL THE DAY SOME LORD 
CAME ROUND TO TAKE THEM OFF TO WAR. YOUR FLAG IS "NO THIS IS 
NOT CRYPTO MY DEAR", IN LOWERCASE, WITH UNDERSCORES INSTEAD 
OF SPACES, SURROUNDED BY THE USUAL "FLAG" TAG AND CURLY 
BRACES. ENJOY.

You'd assume that based on that you'd want to use flag{no_this_is_not_crypto_my_dear} as your flag, but nope, get rid of the "flag" and curly braces as well. This lack of flag formatting behaviour repeated itself across all of the other answers that were borrowed from TinyCTF.


Now in their defence, they did say in the challenge that you are to submit it without the braces, but why not just write your own Caesar cipher? Automated deciphering was used here, so why not just use a generator to create something original?


Of the 2,325 points I list above, 350 were solutions that they likely created themselves--I did not bother attempting the rest of the challenges. In the case of Choo Choo, it was literally watching a YouTube video and looking at the markings on the second train to come up with an answer. Of course, since there were inconsistencies across the flags where you either used underscores or you didn't, and since there were at least three markings on the train, you pretty much stood a good chance of getting it wrong because they only gave you four chances to get it right.


Actually, take away 50 more points because as I was writing this I decided to just look into Choo Choo further and it turns out to have been used for Ghost in the Shellcode. Really, could they have not just looked for some other railfan video? This explains the further flag inconsistencies going on here.




In fairness, there were challenges put in place to allow for all backgrounds in information security to partake, which explains why you'd get questions like the PCI-DSS ones about whether VoIP is in play in an assessment (which is asked twice) or how to order CIS controls (CISsy), but then why turn around and ask about undocumented Intel instructions to access extended memory?


Reading documentation for a CTF is not unusual but this just reeks of laziness.

At this point I would like to say that I am done covering the problems here, but then it gets worse: even the list of tools they suggest in the CTF are borrowed from AwesomeCTF without any attribution. Granted, the list is licensed in a manner where zero attribution is required, but it just goes to show the level of originality put into how things were being done by the CTF organizers. At least the rules appear to have been written by them.

But since one of the rules is to not share the flags, doesn't that mean that the CTF organizers themselves are breaking their own rules?

Also, how long did they take to put this together? The hints are baffling me.


Almost a year? Surely they could have at least changed the flags or come up with better content than whatever this was. Did they use these challenges for another event? It is my understanding that the same team ran something similar for BSides Calgary.

In full disclosure here, I was previously a conference organizer for BSides Vancouver and in 2015 I helped coordinate the first proper CTF using challenges we actually wrote ourselves, with anticipated solutions for each of them. I know for a fact that the conference organizers are again not the ones who oversaw the event (I did speak with them about the matter), so blame for the reuse of these challenges should not fall on them.

However, for the CTF organizers, why did you do this? Was this a mistake? How? If you're going to offer up a prize, put some thought and originality into your work.

Friday, 10 February 2017

Running AFL on Bash for Windows

Recently I wrote about using Virtual Machine Manager in Bash on Windows (or Windows Subsystem for Linux, aka "WSL"), and since then I have been playing around with getting other utilities I use in a native Linux environment working there too.

One utility is American Fuzzy Lop (AFL), a fuzzing tool for finding vulnerabilities within Linux ELF binaries. It has since been ported to fuzz Windows PE binaries natively, but since we're able to run ELF binaries within WSL, why not fuzz them too?

If you're running Bash on Windows and have tried to compile AFL before, you probably have run into this problem:

shmget() failed

This error results from WSL having limitations on shared memory--specifically the lack of /dev/shm. By default, AFL will outright refuse to compile because these system functions simply do not exist.

One of the most recent builds of Bash on Windows adds the shared-memory functions that AFL requires in order to compile, namely the following System V shared-memory syscalls, which are widely used by a number of Linux tools including PostgreSQL:

  • shmctl
  • shmget
  • shmdt
  • shmat
The catch here is that the mainline Windows 10 version of WSL has yet to be updated to address this problem so you must be in the Windows Insider program in order to reap the benefits of these functions. Once you've enrolled and have updated, you can confirm the version of WSL by checking the version of Linux using uname.

If you're up to date you should see this version:
Linux mycomputer 4.4.0-43-Microsoft #1-Microsoft Wed Dec 31 14:42:53 PST 2014 x86_64 x86_64 x86_64 GNU/Linux
If you're not up to date then it'll show the following:
Linux mycomputer 3.4.0+ #1 PREEMPT Thu Aug 1 17:06:05 CST 2013 x86_64 x86_64 x86_64 GNU/Linux
Assuming you're successful you should be able to follow the instructions provided by AFL and begin fuzzing.
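Before spending time on the AFL build, it is worth confirming that the four syscalls listed above actually work in your WSL build rather than relying on the uname string alone. The following preflight check is an added example (not AFL's code and not from the original post): it runs one full shmget/shmat/shmdt/shmctl round trip of the kind afl-fuzz performs for its trace bitmap and reports which step failed; the 64 KiB size is AFL's default MAP_SIZE.

```c
/* Preflight check for System V shared memory on WSL (added example, not part of AFL). */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Return 0 if a full shmget/shmat/shmdt/shmctl round trip works,
 * otherwise the 1-based number of the step that failed
 * (1 = shmget, 2 = shmat, 3 = data mismatch, 4 = shmdt, 5 = shmctl). */
int shm_roundtrip(size_t len)
{
    /* Step 1: allocate a private segment, as afl-fuzz does for its bitmap. */
    int id = shmget(IPC_PRIVATE, len, IPC_CREAT | IPC_EXCL | 0600);
    if (id < 0) return 1;

    /* Step 2: map the segment into this process. */
    unsigned char *p = shmat(id, NULL, 0);
    if (p == (void *)-1) { shmctl(id, IPC_RMID, NULL); return 2; }

    /* Step 3: write a pattern and read it back through the mapping. */
    memset(p, 0xA5, len);
    int ok = (p[0] == 0xA5 && p[len - 1] == 0xA5);

    /* Step 4: detach the mapping. */
    if (shmdt(p) < 0) { shmctl(id, IPC_RMID, NULL); return 4; }

    /* Step 5: mark the segment for removal so it does not leak. */
    if (shmctl(id, IPC_RMID, NULL) < 0) return 5;

    return ok ? 0 : 3;
}

int main(void)
{
    int rc = shm_roundtrip(65536); /* AFL's default MAP_SIZE: 64 KiB */
    if (rc == 0)
        puts("System V shared memory works; AFL's forkserver should run here.");
    else if (rc == 3)
        puts("segment mapped but data did not round-trip");
    else
        printf("shared-memory step %d failed: %s\n", rc, strerror(errno));
    return rc;
}
```

A non-zero exit status here means afl-fuzz will hit the same "shmget() failed" wall, so there is no point building yet.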


I'm still testing it out, but at least we now know that it should compile and run fine on the surface. You will notice that the way the screen is drawn looks a bit wonky while it is running.

One thing I feel the need to add is if you're using an SSD, AFL is definitely a great way to reduce the lifespan of your drive. Instead, I recommend creating a RAM disk within Windows and then accessing it normally. I have tested ImDrive and it works just fine within WSL.

Friday, 27 January 2017

Anti-virus is worthless

I get a kick out of reading reactions by the anti-virus industry, rose-coloured glasses views from academia, or anecdotes from those who work in the IT industry whenever someone writes a constructive criticism of anti-virus solutions.

Let me put it out there before I go any further, Robert O'Callahan is correct when he says that you should disable your anti-virus solution--unless it came with your operating system such as it does in Windows 10. And for disclosure here: I did briefly work for an anti-virus vendor.

Whenever an argument is made about the value that anti-virus fails to provide, you are bound to get the following reactions from any of the groups I mentioned above:

  • [Insert testing programme here] has given [AV product] the best detection rate in the industry for [year]!
  • I use [AV product] and I have never gotten malware.
  • [Software vendors] should open up their APIs to make anti-virus much easier to work with.
  • The anti-virus industry creates the malware.
  • If you went without anti-virus for [period of time] you'll eventually catch malware!
I could go on and on about these reactions, but I think this sums up nicely the absentmindedness that certain pro-anti-virus persons display:



It's obvious which light bulb a sane person would choose.

Tavis Ormandy has demonstrated extremely well through Google's Project Zero initiative (and before that with Sophail) that anti-virus applications have ticking time bombs sitting within their suites. Remote file retrieval, installation of shady remote access tools, improper sandboxing, Node.JS debuggers, and permitting possible collisions in SSL certificates are just a sampling of the nearly five dozen vulnerabilities discovered by one single human being.

That is just what is being published in the open. If you are aware of an anti-virus vulnerability, Zerodium will pay for remote code execution attacks. There have been suggestions that they go for at least $20,000 to $50,000 USD.

So let's pretend now that the problems with anti-virus being typically poorly coded just simply don't exist: are they still worth using?



No.

The commonly forgotten trait about anti-virus is that it either has to predict the malware's existence through heuristics or it has to have knowledge of its past artifacts via signatures. Both of these require teams of people to write the protections to handle either approach while at the same time being mindful of the fact that for every detection they make, they could be missing a thousand others. The dirty secret that the AV industry really hates to talk about is how their approach simply cannot scale.

The approach most of the anti-virus industry has taken to deflect this is to add more value to their product by redefining themselves as "endpoint solutions". In the past decade, we've seen features like application whitelisting, web content filtering, and physical device control added in order to make it seem like their product is more useful than if it were just simply doing AV.

Another angle to take is to come out with outlandish claims that your product can detect everything using some new, obscure method that nobody else in the industry has come up with.

This is sort of the approach that Cylance has taken, where they claim that their magic algorithm can stop malware even if they haven't seen it before. Unfortunately, there are lots of anecdotes that their product has an extremely high false positive rate, which sort of makes sense if they can predict future malware: detect anything and everything without pause.

However, testing their product and being open about your experience with it is difficult because they require an NDA to get a proof of concept demonstration going in an enterprise environment. In one instance, a friend of mine was demonstrating it, posted about it on an open forum, and apparently Cylance responded negatively, citing the agreement.

This job posting by them reveals a lot however:



I guess all of these contractual restrictions make sense seeing that the engine is likely coded in C#, as suggested in this job posting. The whole anti-virus industry relies on obfuscation of its practices, and that is done either by being closed source (which is really everyone) or by making it so nobody can actually poke around, by stipulating as much in a contract.

No vendor has a better approach than the other; they're all the same. You either have it never firing on actual malware or have it fire on everything as if it were Chicken Little.

So let's make some useful suggestions here on how to actually protect your computer:
  1. Use the anti-virus your operating system provides. If it doesn't have one, don't install one. Likely if it doesn't have one already, it's either a Mac, you run Linux, or your Compaq from 2005 needs to be replaced with something running Windows 10.
  2. Keep the operating system up to date. If Windows 10 rebooting on you is so inconvenient, you're a lost cause--the most recent update lets you defer up to a month by the way.
  3. Install ad blockers and use something other than Internet Explorer or Edge such as Chrome which sandboxes things fairly well.
  4. Don't follow random guides on the Internet to allow you to make changes to your system that somehow make things go "faster". More often than not they're done by people who don't know what they're doing.
  5. Don't use pirated software or pirate any content. Netflix is cheap, Spotify is free if you tolerate ads, and honestly there are tonnes of open source solutions for whatever you need to do.
Don't waste your money or bandwidth on an anti-virus solution that will just create more holes.

Anti-virus is worthless.