Saturday, June 30, 2018

UK was never much of a democracy

Your Queen by garykemble from flickr (CC-NC)

The concept of "democracy" is very loaded, but let's focus on its most basic part - people vote, and whoever gets majority of votes gets to run the government for the next few years. UK fails this standard miserably.

Here's percentage of votes in Parliamentary elections received by whoever got to run the government over last hundred years. And it wasn't any better before:
  • 1918 - 38.4%
  • 1922 - 38.5%
  • 1923 - 38.0% (minority government)
  • 1924 - 46.8%
  • 1929 - 37.1% (party which "won" didn't even get plurality)
  • 1931 - 55.0%
  • 1935 - 47.8%
  • most countries continued having regular elections during wartime, but UK didn't even bother
  • 1945 - 47.7%
  • 1950 - 46.1%
  • 1951 - 48.0% (party which "won" didn't even get plurality)
  • 1955 - 49.7%
  • 1959 - 49.4%
  • 1964 - 44.1%
  • 1966 - 48.0%
  • 1970 - 46.4%
  • Feb 1974 - 37.2% (party which "won" didn't even get plurality)
  • Oct 1974 - 39.2%
  • 1979 - 43.9%
  • 1983 - 42.4%
  • 1987 - 42.2%
  • 1992 - 41.9%
  • 1997 - 43.2%
  • 2001 - 40.7%
  • 2005 - 35.2%
  • 2010 - 59.1% (coalition)
  • 2015 - 36.9%
  • 2017 - 42.4% (minority government)
So in 27 elections, there were only 2 cases where government was actually backed by majority of the votes. And usually these weren't narrow margins just a bit under 50% (like George Bush in 2000 or Donald Trump in 2016) - it's routine for parties to govern with just 35%-40% support.

In fact it's more common for a party to "win" without even getting plurality than for someone to actually get genuine democratic mandate.

There's a lot of concern about democracy fading worldwide. When you look closer, maybe there wasn't that much of it in the first place.

Wednesday, June 13, 2018

Challenges for May 2018 SecTalks London

そんな目で見ちゃダメだねぇ by amika_san from flickr (CC-ND)

Last month I ran another round of London SecTalks CTF.

There were 8 challenges as before. And again, the winner only did 7 of 8 on time, the last one (Monoalphabetic) only after the event.

Challenge files and code used to generate them available on github.

There are no answers below, but some serious hints which might make it too easy.

For previous rounds, see posts about September 2017 and November 2017 CTFs.

Invisible Flag (5 points)

It's a third iteration of the zip challenge.

There's a zip file containing 16 zip files inside. And each contains 16 more zip files. And so on for 16 levels, until you get to the flag.

For a small additional complication, the flag is completely invisible, and made out of different types of Unicode spaces. Replacing special spaces with different characters will reveal it.

Perl (10 points)

It's a very simple password validator written in very straightforward Perl.

The validator is mostly a sequence of commands like

s/^(.{7})i(.*)$/\2\1/;

Which removes character "i" from 8th position, and swaps everything before and after it. If the answer is empty, the validation is successful.

The easy way to solve it is to work backwards from an empty answer.

Almost Invisible Flag (15 points)

The challenge is an image with 1s and 0s written onto it in a very faint color. Once you figure that out, and transcribe the numbers into a binary file, it's a zip. Unpacking it reveals the flag.

React.js (20 points)

It's a react.js based validator. Validator is build of component layers, first layer checks length of the password, then each layer checks one character and passes the data to next layer with some transformations applied.

React Developer Tools for Chrome can be quite helpful for this.

This can be solved in many ways. You could brute force each layer with a simple script, or turn React code into a recursive function, and solve in an old fashioned way.

RSA (25 points)

For this challenge p and q are very close to each other. In fact they differ by just 2. There's a very simple attack for such case.

Monoalphabetic Cipher (30 points)

This challenge is a bit of text with flag embedded in it, encrypted by monoalphabetic cipher - all lower case letters, upper case letters, digits, spaces, punctuation each getting separate character.

The trick is that symbols used by the cipher are all emoji, which doesn't make the challenge any harder, just more fun.

The slight difficulty is that the text is not actually in English, so statistical methods can suffer a small detour. It's actually in German.

This was the only challenge that wasn't solved in time, but I don't think it's really that hard or time consuming.

I really like challenges about classical ciphers, but I don't want the solution to be simply copypasting it on quipquip.

PDF (35 points)

The challenge is a PDF file encrypted by a XOR key. The content is just a result of Chrome's print to PDF function. For extra challenge the flag is censored with a black bar over it, but that's very easy to workaround.

PDFs have a lot of plaintext inside, so there's a ton to work with, however it's somewhat unpredictable where that plaintext is located.

The key is three lower case English words without spaces.

A surprise extra challenge is that I accidentally left newline character at end of the key, which I only noticed during the challenge and told the contestants.

Javascript (40 points)

It's a very simple Javascript validator, obfuscated with jsfuck to only use 6 charecters.

I expected that people would need to write a simple JSFuck decoder, and that's why it's worth so many points, but most people just used Chrome debugger instead to solve this challenge really quickly.