Sunday, October 28, 2018

Challenges for October 2018 SecTalks London

She loves the computer by glennwilliamspdx from flickr (CC-BY)

Last month I ran another round of London SecTalks CTF.

There were 10 challenges, and the winner got 9/10 of them during the event (and last one on the following weekend), so difficulty level was about right.

Challenge files and code used to generate them available on github.

There are no answers below, but some serious hints which might make it too easy.

For previous rounds, see posts about September 2017, November 2017, May 2018, and July 2018 CTFs.

Archive (5 points)

A small variant of the 16-level 16-way nested archive, to test for basic Unix scripting skills. This time using RAR.

MonoRSA (10 points)

It's RSA-encrypted message, but it uses only one prime, not two. This is extremely insecure, and can be trivially broken, but you still need to do some math.

BCRYPT (15 points)

Each letter of the flag was encrypted with bcrypt. It's easy to break, as long as you know how bcrypt works, which isn't quite the same as plain hashes, so it was causing a bit of confusion.

RSA RNG (20 points)

It's Debian weak RSA key attack all over. We have target's public key and encrypted message. Also a lot of other people's public keys, all generated using same bad RNG. If two keys share a prime it's easy to break them, even if direct factoring isn't viable.

Python (25 points)

Small bit of reverse engineering - small Python password validator obfuscated with one of online tools for it.

MultiRSA (30 points)

A little known fact about RSA is that it works just fine with more than two primes. So this challenge uses 16 - which is fine, except key size was not adjusted appropriately, so each of those primes is small enough to break it.

Binary (35 points)

Binary password validator, provided in two versions (Linux and OSX) for convenience. It was compiled with -O3 which made its encrypting loops unroll, and what was very trivial code turned into hard to understand vectorized mess. Then again, actually running the program might reveal something interesting.

SVG XOR (40 points)

The flag is written in SVG flag, which was encrypted with a XOR cipherer. This turned out to be quite easy, as SVG files have a lot of structure which can be used to attack this.

FPGA (45 points)

Probably the most original challenge this time. A netlist of NAND gates which can validate the flag and tiny emulator were provided. Can you figure out the inputs necessary to get the validator to accept?

This was the only challenge without anyone solving it during the event, but there were some solutions afterwards.

Tweets (50 points)

A flag was hidden in collection of Donald Trump's tweets, encrypted with monoalphabetic cipher. Great exercise for frequency analysis.

Sunday, October 21, 2018

My current GTD system

She works hard for the money... by Tamer Akça from flickr (CC-NC)

I don't know if there's any way to do GTD properly. I've been trying so many tools, and it always feels like no setup works properly, but if I don't do some kind of GTD then my life instantly falls apart and I never achieve anything, or even stay on top of everyday responsibilities.

In all likelihood if I write this post again in a few years, it will be a fairly different list. Anyway, for other people who try to do GTD, here's my current setup.

Core of the system

The most important part is private git repository which also happens to be mirrored on Dropbox using magic of symlinks.

Inboxes

One recent complication is how often I'm with just a phone, and often offline on a train to make it even worse. The least shitty solution I found is Google Keep. In the past I carried a tiny pen and a stash of post-it notes with me, but that's a bit less practical. Most other software I tried really doesn't like working with limited connectivity.

A big downside of Google Keep is that it's hard to copy a list from the web UI and paste in somewhere, without going through the hassle of exporting to temporary Google Docs document and copy&pasting from there. Someone should seriously write a Chrome extension to improve that part, and well, that someone might end up being me.

I probably should give Google Keep alternatives another try, since Google products don't have very high half-life.

Big section of the core system is inbox folder with anything that hasn't been processed yet.

I have a physical wicker basket at home for letter and related physical stuff to check.

I think on paper a lot, so I often generate a lot of paper mindmaps and lists. Once I'm done with them, they land in the inbox.

Incoming emails which requires some further actions get a star. I never delete any emails, so those stars are the only indication that it's not done. Some people delete or archive stuff and treat their email inbox as a TODO list, and that just feels really weird, but if it works for you.

Usual GTD lists

The core system contains the usual GTD lists like Projects and Next Actions.

I don't divide Next Actions by context, since there's no meaningful context for most of them.

Reference System

I have a physical reference system consisting of a bunch of ring binders with contents inside organized alphabetically by tag. That's mostly for things like bank statements, bills, and other boring paperwork which I might refer to every now and then.

I also have a ref folder on Dropbox - not related to that git repository - which contains all the digital stuff.

Emails stay in Gmail, as they're very easily searchable there.

Calendar

This is a bit awkward, as I use a mix of Google Calendar and old text file based system.

Calendars I use are:
  • upcoming events
  • saved dates for potential upcoming events
  • any periodic actions I want to do every N weeks or months - mostly boring cleanup, backups, reviews etc.
  • birthday calendar
Possibly it would make sense to move to just purely Google Calendar system.

Planning

This might be the most interesting part, as I found I need multiple different kinds of planning to make things work:
  • the usual lists of GTD next actions
  • ad-hoc planning like at start of the day usually happens on paper - by the end of the day what's left of that list goes into inbox
  • weekly goals list to keep me focused - it's typically about 10-15 goals, and I'm aiming at 80%+ Partial Success or better rating. Those lists are not meant to be modified once created. If something fails for a good reason, it fails. Any unachieved goals (including Partial Success) go into inbox.
  • rolling goals list for next 12 months - I keep it as Google Docs document and update what's in progress, done, or definitely failed with some color coding. This documents gets updated whenever needed. Every 3 months or so I archive old document, clean up done or failed things, and create a new one.

Weekly Goals List

The biggest risk of GTD is that a lot of things will get done (as far as failure modes go, it's not the worst one), but whole areas of life where progress is most difficult get neglected.

Because the most important function of those lists is helping to balance different aspects of life, anything where I achieved meaningful progress towards stated goal counts as Partial Success, even if it's still very far from being finished.

Of course since Partial Success is still not finished, it still needs to go onto the next list.

I'm aiming at 80%+ completion rate because typically a few things will just not work around due to external circumstances.

If same thing fails multiple times, then it's a very strong indicator that it needs a lot more planning.

Rolling Annual Goals List

You know how people are best behaving in January after they make their New Year's resolution, but then usually give up by March? People completely miss the point thinking that such resolutions are ineffective - they're extremely effective, you just need to refresh it often.

The list is about 4 pages of Google Docs, and lists many highly specific goals, hopefully covering every aspect of life. This includes many more meaningful goals, but also lists movies, games, and books I'd like to enjoy over the next 12 months.

Most goals on the list are very specific and measurable, but it's not always possible, so some vague entries, and some refer to ongoing practices. If the goal itself is not specific enough, I try to have some more specific subgoals.

12 months feel like about the right perspective for this list. It's really difficult to think in longer term perspective in concrete enough terms, and for shorter perspective it would be guaranteed that many life aspects will go unaddressed.

Whenever I update this list, I try to have a chat about it with certain special people.

Cooperation

The system is private and difficult to share even if I wanted. Occasionally I want to discuss some plans with others, and for this I usually use Google Docs and Google Calendar - or talk about that in person, which also works.

Other lists

I keep Waiting For lists, mostly for things I ordered.

I keep Someday Maybe lists, for things which are not really actionable, but I might get there someday.

I keep Social lists for people I'd like to keep in my life - I check it every now and then, and if I'm at risk of losing contact because everyone is too busy, I try to arrange something.

I used to have Shopping list, but since I do overwhelming majority of my shopping in Tesco online and Amazon, I just throw whatever I need into relevant basket, and every now and then order what's in those baskets.

Logs

And they're not really part of the GTD flow, but I keep a lot of different logs, measuring and writing things every day.

And everything else

And I also have beeminder setup, but it only tracks things like exercise, so it's fairly peripheral to the system. I tried to use it more, but most interesting things might be specific, but not necessarily quantifiable in the way beeminder wants, and usually giving something long term goal with weekly commitment is not actually the best idea.

That's the rough outline of my system.

Big 5 Bonus

And that's what a person who's a few standard deviation high on Conscientiousness is like. Also about as high on Openness to Experience, extremely low on Neuroticism, and somewhere halfway on Extraversion and Agreeableness.

Music I like

Piano Cat I by Nina A. J. G. from flickr (CC-ND)

I mostly listen to music on youtube - or songs I downloaded from youtube with the glorious youtube-dl to dumb devices for listening while offline.

140%

I listen to them at 140% speed. I've been watching everything at high speed so much, 140% is my neutral speed, that's the lowest I can go without anything seeming to be artificially slow.

Nowadays my speeds are:
  • 140% - neutral speed - music, movies, some denser TV shows like Game of Thrones
  • 180% - medium fast - most TV shows like Family Guy
  • 200% - fast - podcasts, audiobooks, let's plays, conference videos, nearly everything on youtube that's not music
  • 220% - very fast - some particularly slow sources like Tolarian Community College
This means I'm really limited to youtube as my only place for music, and to "unofficial" download sites as my only source for shows and movies. I tried Spotify and Amazon Prime, but they have no speed control, and that's insane in this day and age.

I guess I can watch things at 100% in cinema or when watching it with someone, but that's an exception, and it still feels artificially slow.

By the way, if you know of any source of music or streaming that has speed control, good quality, and good selection (not just in US), I'm definitely interested.

Youtube for music

The great things about youtube is that it has basically everything, it's free, and ad blockers work perfectly on it, at least on desktop. I guess they recently added some sort of subscription service for people who feel sad about using ad blockers, and I'm not philosophically opposed to that, but I didn't have any time to investigate that. 

The worst thing about youtube is total lack of metadata. Also people thanking their Patreons for a minute after each song while I'm trying to listen on shuffle. And it's basically useless on the phone with no or limited connectivity.

The so-so thing about youtube is its recommendation algorithm. It's not completely useless, but it keeps suggesting stuff to me a one line python script would know not to (if vocalist.gender == "male": return False).

Their fancy subscription service solves none of the problems I have, just a problem ad blockers already solve.

Metadata

But seriously, what really annoys me is that I youtube never bothered to provide any metadata for its song.

There's a plugin which tries to parse song titles with regular expressions, but it's not very good. It's sort of OK for "official" songs, but it's failing for almost every independent artist who mostly do cover songs.

So mostly for my own future reference, here's a list of artists I've been recently listening to a lot, in alphabetical order, manually extracted from my youtube watch history. I tried to categorize them into mainstream and independent artists, but it was fairly futile.

The List

If by any chance you're enjoying similar music, and you have any fun recommendation, send me the links.