Monday, July 29, 2019

Challenges for July 2019 SecTalks London

Dewey by angela n. from flickr (CC-BY)

Another CTF, another victory. I won the June 2019 London SecTalks CTF and it was up to me to write challenges for July.

There were 12 challenges, with Hacker-Archeology as the theme. It turned out to be too much: only 10 of the 12 challenges got even one solve, and nobody got more than 4, even with very generous hint drops during the event.

Challenge files and the code used to generate them are available on GitHub.

There are no answers below, but some serious hints which might make it too easy.

For previous rounds, see posts about the September 2017, November 2017, May 2018, July 2018, October 2018, February 2019, and April 2019 CTFs.

SHAR (5 points)

A self-extracting shell archive nested 8 levels deep. It only works on Linux; the OSX shell can't extract Linux-created SHAR files, which shows what a dumb format this is.

XBM (10 points)

A weird way to encode an image into C headers. While totally obsolete, a lot of tools still support it.

Maya (15 points)

An image with a sequence of Maya numerals, each encoding ASCII symbols. It seems people were confused by the fact that multi-digit Maya numerals are stacked vertically.

PCX (20 points)

A PCX file with the flag on it, but with the foreground and background set to the same RGB color, so the palette would need to be adjusted to actually see it.

ECB (25 points)

A signed cookie server which would only sign cookies without admin=yes, and would only give you the flag if you sent it a signed cookie with admin=yes.

It's a classic attack on ECB mode: rearranging blocks within or between cookies.

SED (30 points)

SED is an obsolete programming language for text stream processing, and the challenge was a simple flag validation script consisting of just a sequence of regexp replace rules.

Nobody noticed, but that SED script was also a totally valid Perl 5 script.

CBC (35 points)

A signed cookie server which would only sign cookies without admin=yes, and would only give you the flag if you sent it a signed cookie with admin=yes.

It's a classic bit flipping attack on CBC.
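To show the ECB and CBC cookie weaknesses side by side, here is an added example (not code from the challenges or their server) using a toy 4-round Feistel cipher in place of AES: ECB lets ciphertext blocks be reordered without the server noticing, CBC lets a bit flip in one ciphertext block land on the same bit of the next plaintext block, and an encrypt-then-MAC wrapper rejects both. The cookie, keys and fixed IV are constructed for the demo.

```python
import hashlib, hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    # Keyed round function of a toy Feistel cipher standing in for AES (assumption, not a real cipher).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, r, rnd))
    return r + l

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = r, xor(l, _round(key, r, rnd))
    return r + l

def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))
def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)
def cbc_decrypt(key, ct):
    out, prev = [], ct[:BLOCK]
    for i in range(BLOCK, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

# Constructed cookie with two 16-byte fields, so each field occupies exactly one block.
COOKIE = b"user=guest;;;;;;" + b"admin=no;;;;;;;;"
KEY, MAC_KEY = b"constructed-encryption-key", b"constructed-mac-key"
IV = bytes(BLOCK)  # fixed IV only to keep the demo deterministic

def ecb_blocks_swap_cleanly(key=KEY):
    # ECB encrypts every block independently: swapped ciphertext blocks decrypt to swapped
    # fields, and nothing in the ciphertext reveals the change.
    ct = ecb_encrypt(key, COOKIE)
    return ecb_decrypt(key, ct[BLOCK:] + ct[:BLOCK]) == COOKIE[BLOCK:] + COOKIE[:BLOCK]

def cbc_flip_propagates(key=KEY):
    # In CBC, flipping bit k of ciphertext block i flips bit k of plaintext block i+1
    # (block i itself turns to garbage). Here: low bit of byte 0 of the first data block.
    ct = bytearray(cbc_encrypt(key, IV, COOKIE))
    ct[BLOCK] ^= 0x01
    pt = cbc_decrypt(key, bytes(ct))
    return pt[BLOCK] == (COOKIE[BLOCK] ^ 0x01) and pt[BLOCK + 1:] == COOKIE[BLOCK + 1:]

def seal(ct):
    # Encrypt-then-MAC: the tag covers the whole ciphertext, so a block swap or a bit flip
    # is rejected before anything is decrypted. This closes both weaknesses above.
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
def open_sealed(token):
    ct, tag = token[:-32], token[-32:]
    return ct if hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()) else None

def sealed_rejects_flip():
    token = bytearray(seal(cbc_encrypt(KEY, IV, COOKIE)))
    token[BLOCK] ^= 0x01
    return open_sealed(bytes(token)) is None
```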

MD4 (40 points)

A signed cookie server which would only sign cookies without admin=yes, and would only give you the flag if you sent it a signed cookie with admin=yes.

It's a classic length extension attack.

Midi (45 points)

A MIDI file with the flag encoded in Morse code, played on an Ocarina instrument suggestively named "Morse Ocarina".

It could be done either by hand, or by converting the note lengths in the MIDI file to dots and dashes. I think everybody ended up doing it by hand.

DOS (50 points)

A very small COM file flag validator. It was extremely simple, but a lot of tooling like Ghidra has trouble with COM files, as they're too old to be relevant.

It got zero solves, which was fairly surprising, as the flag validator is really simple:

; Initialize counter in BX
  mov bx, 0xd7ab

; Get ASCII code of next character into AL (DOS int 21h / AH=1; AH stays 1, so AX = 0x100 + char)
  mov ah, 0x1
  int 0x21

; Add AX to the counter, check if correct
  add bx, ax
  cmp bx, 0xd911
  jnz near 0x19d

; Repeat for next character

The differences between consecutive compare constants are 256 + the ASCII code of each letter (the first being 0x166, i.e. 256 + "f").
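The decoding described above, as an added example (not the challenge's own solver): it walks the chain of compare constants and recovers each character from the difference, and re-implements the validator loop so a candidate can be checked the same way the COM file does. Only the initial value 0xd7ab and the first constant 0xd911 come from the page; the remaining constants are constructed so the chain spells "flag".

```python
# Initial counter from the page (mov bx, 0xd7ab).
INITIAL_BX = 0xD7AB

# Compare constants: the first (0xd911) is from the page; the rest are CONSTRUCTED
# so that the chain spells "flag" (each step adds 0x100 + ord(char)).
CMP_CONSTANTS = [0xD911, 0xDA7D, 0xDBDE, 0xDD45]


def recover_flag(initial, constants):
    """Recover the accepted input from the chain of compare constants.

    int 21h with AH=01h returns the typed character in AL and leaves AH=01h,
    so ADD BX, AX adds 0x100 + ord(char). The difference between neighbouring
    constants, taken modulo 2**16 because BX is 16-bit, minus 0x100 is the char.
    """
    chars, prev = [], initial
    for c in constants:
        delta = (c - prev) & 0xFFFF
        chars.append(chr(delta - 0x100))
        prev = c
    return "".join(chars)


def validator_accepts(initial, constants, candidate):
    """Re-run the validator loop: True only if every compare along the way passes."""
    bx = initial
    for c, ch in zip(constants, candidate):
        bx = (bx + 0x100 + ord(ch)) & 0xFFFF  # 16-bit ADD BX, AX
        if bx != c:                            # CMP BX, imm16 / JNZ fail
            return False
    return len(candidate) == len(constants)
```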

Hieroglyphs (55 points)

A monoalphabetic cipher encoded as Egyptian hieroglyphs. The text was a very long English text with spaces removed.

It's really simple for anyone who has ever broken a monoalphabetic cipher through statistical analysis; that many points were mostly for it potentially being quite time consuming, but it didn't even take people that much time.

Perl 6 (60 points)

In the remote past Perl 6 used to be the language of the future. That future never came.

The challenge is a flag validator in Perl 6 that aggressively uses many unusual Perl 6 operations. I'm not really surprised that nobody succeeded at solving it.

Friday, July 19, 2019

Some Thoughts on Stepmania

The Dancing XiaoChou 3 by qchen from flickr (CC-NC-ND)

Back in 2009 I even wrote a rant about Stepmania, and here's another one.

In my younger days I did a lot of Dance Dance Revolution, and every now and then I come back to it.

I'd like to play with some modern songs. Supposedly official games exist, but they have like 50 songs per game, plus a few "$5 for 3 songs" DLCs, and mostly only work on some weird-ass consoles.

Basically the only option for it is using Stepmania, and downloading some user-made songpacks.

So what's wrong with all this

The first problem is that music is totally free online on youtube and such, but Big Copyright would never allow a healthy ecosystem of dance games, because they just love the whale exploitation model of "$5 for 3 songs", and the market is too small for someone to force them to be reasonable.

Stepmania tries to avoid any direct entanglements with all those copyright issues, and unfortunately that means it avoids actually trying to solve the problems.

User-made song packs have mixed quality

So I got a bunch of random songpacks, basically keyword matching artists I might like.

The songpacks are basically whatever the author decided to throw there, so I'm generally only interested in a very small portion of each, but let's say I keep them all, as at this stage I don't know if those songs are any good or not.

Most user-made content is decent enough, but it's far too common that there are bullshit songs with ratings like 12-20, which are presumably meant for the keyboard, or maybe arcade machines with a safety rail, since it would be unsafe to even try on a soft dance mat, regardless of one's skill level.

There are plenty of songs which are poorly synced. There are plenty of songs which have very questionable ratings, and are actually a lot harder than other songs at the same rating.

This wouldn't be a huge deal if there was a way to filter that out easily, but there isn't.

Stepmania UI is atrocious, especially when you have a lot of songs

All right, let's say I have a few thousand songs now. Stepmania will take forever to actually start, like literally over 15 minutes. It seems the latest version and an SSD finally made it tolerable, but seriously, just checking that a few thousand tiny files didn't change shouldn't take this kind of crazy time.

The next problem is how to actually choose those songs. Stepmania decided to copy the dance-mat-only UI from arcade machines, without any keyboard backup. So instead of taking 1 second to type a song title or artist name, it takes literal minutes to scroll through thousands of songs to get there, even at the highest speed.

The UI has other issues - like it seems that I end up triggering song options about 1 in 10 times when trying to just start a song, and it registers it as the Start button being pressed twice for whichever reason.

There are a lot of weird combos to control the UI, but other than "difficulty up", "difficulty down", and "change sort order" I have no idea what they are, and there's nothing intuitive about it. There should just be goddamn menus and keyboard controls for that rarely used functionality.

Once a song starts playing it's pretty much fine.

Ideas for solutions

So it seems I have the same complaints today I had a decade ago.

Anyway, let's talk possible solutions.

These days it's just easier to write cross-platform games in something civilized, with Electron or whatever. Stepmania isn't really a terribly complicated program, so if anyone felt like it, they'd probably have something kinda working in a few days, and it would probably have better performance and usability even at such early point.

Much more interesting is automated step file filtering and analysis. Step files are literally asking for neural network analysis to flag broken ones, figure out the correct difficulty, and so on. Prototypes to just generate step files outright exist, and filtering/analysis should be a lot easier. It just needs to be taken out of research papers and given to users.

A far more interesting idea is just taking songs from youtube or wherever, and doing everything automatically from that point, but that's quite questionable. Stepmania songs are generally ~100s remixes of ~200s songs, so that would already be a major difference. The whole step file process might be too computationally expensive.

How would it work in practice

I feel the first step would be writing some parsers to take step files in a variety of kinda documented custom formats and export them as some JSON. It's probably going to be quite tedious, but nothing difficult.

Then figuring out how to interact with dance mats. Most of them are just USB HID devices, so it shouldn't be too hard. In principle Electron supports WebUSB, so dance mat support should be quite straightforward, at least when everything goes right.

With these two, getting a simple Stepmania-like program in Electron shouldn't be hard, and that could be a platform for all those crazy ideas.

I'm not hating here

Stepmania is still one of the most successful Open Source games ever. I just think something much better is possible.

EDIT - USB APIs in browser

Well, I tried to use WebUSB API and Gamepad API in Chrome, both supposedly supported, and they don't see my dance mat on Windows or on OSX.

It's possible I'd have more luck with Electron.

EDIT - Stepmania keyboard shortcuts

And it turns out Stepmania actually added some keyboard navigation recently. So if I have songs sorted by artist I can press Control-M to go to M etc. That's fine to reach Katy Perry, maybe less so for Avril Lavigne. Still, even that little change cuts scrolling time by more than half.

Saturday, July 13, 2019

Eric Swalwell is wrong and Nancy Pelosi is right

donkey tuft by Tarnie from flickr (CC-NC-ND)

I bet you did not see this one coming.

Eric Swalwell was one of 20 candidates for Democratic presidential nomination. The only notable moment of his whole candidacy was the "pass the torch" moment during debates, where he used Joe Biden's own words to basically attack Joe Biden for being too old. I strongly believe that there should be mandatory retirement age for politicians, so he had a point there.

Anyway, Eric Swalwell's campaign was going nowhere, he gave up before even second round of debates, and after giving up he gave exit interview to 538 politics podcast, and that's what this is about.

Extremist Drift

Debates were notorious for how far left most candidates went compared with mainstream Democrats of just a few years ago, like Barack Obama, Hillary Clinton, or Nancy Pelosi. Positions like abolition of borders, free healthcare for illegal immigrants, abolition of private health insurance, forced busing, racial reparations and other extremist positions had far more support than one would have guessed.

In a way the winner of the debates was Donald Trump. His approval rate improved after the Democratic debates, and is currently at -7.5%. It's still negative, but it's far better than his usual -10% to -20% range, and if this extremist drift continues, Democrats might manage to scare off all potential moderate voters.

Swalwell's Argument

During the exit interview, Eric Swalwell was asked about that.

His response was that the most important feature of a candidate is "authenticity", and that going "far to the left" is absolutely fine, and no risk whatsoever in general election.
Democrats tiptoe around the issues that are perceived as unpopular, whereas Republicans have no problem leading with very unpopular issues [...] and they don't pay a price at the ballot box.
He believes that Trump's victory proves it.

He also openly advocates violating the Constitution in the same statement, but let's not get there.

It's bullshit

US economy is doing better than it did in living memory. Unemployment rate is as low as it last was in the 1960s.
Inflation has been low and stable. Stock market is at unprecedented heights.
Tax cuts mean most working people have a lot of extra money personally (except for rich people in high tax states). All the secondary metrics like wages growth, gas prices, healthcare access, and so on are doing just fine.

In foreign policy, no new wars were started, for the first time in it's hard to tell how many presidencies. ISIS which spread during Obama's term and overran multiple countries was swiftly crushed. There weren't any major terrorist attacks, or other foreign disasters.

Fundamentals models don't have an amazing track record at predicting elections, but it's a pretty safe prediction that with everything an average person cares about going so much better than basically ever, whoever presides over that should be super popular and crush any challenges 1984 style, right?

Well, that's what would have happened if president Marco Rubio or Mitt Romney was presiding over it.

It's Trump specifically being such a turd that makes these elections a 50:50 thing.

How Trump won

Trump was the most unpopular presidential candidate in recorded history. Fortunately for him, it just so happened that his opponent Hillary Clinton was the second most unpopular presidential candidate in recorded history. She was so unpopular she lost to a totally unknown black half-Kenyan guy with the name "Barack Hussein Obama", in spite of the DNC establishment doing all they could to force her through. She was so unpopular she nearly lost to a senile openly socialist Jew who wasn't even in the party, and only managed to somehow get through thanks to the DNC establishment forcing her candidacy even harder. She was so unpopular she lost to Donald Trump.

In such Giant Douche vs Turd Sandwich elections Trump just so happened to have the better-run campaign, and barely squeezed out the victory.

He did not become any more popular since then. As an aside, Hillary Clinton is now even more unpopular than Trump, but fortunately for Democrats she's not running for the third time.

Trump only managed to win in 2016 because his opponent was so unpopular, and the economy was still only slowly recovering.

In 2020 he has far easier job - no sitting president could ever lose with fundamentals doing so well, unless he's literally a Turd Sandwich.

Why bother with Eric Swalwell?

Eric Swalwell might be out, but other candidates for Democratic nomination seem to think the same way as him. They're trying to score points with extremists in party base, and hope that somehow it will work out.

It could work against Turd Sandwich, but not if they end up picking a Giant Douche again.

The idea that extremism will somehow increase turnout among the base is total nonsense - highly politicized people will vote anyway, and you're far more likely to increase turnout of the opponent's base this way - as Trump did during the 2018 midterms, with his shittiness really motivating Democrats to go vote, regardless of who their local candidate was.

It's not like this is a novel strategy. Nancy Pelosi, the most successful Democratic politician, has been successfully doing just that - marginalizing the extremists in her party while pushing hard for what's realistically achievable. Especially in a country whose political system is designed for gridlock, focusing on the popular parts of your party's agenda in alliance with moderates is the only way you can actually achieve anything.

The successful strategy is attacking your opponents where they're weak, not responding to Trump's Wall with abolishing ICE, abolishing borders, and free citizenship to anyone who jumps where the border used to be.

It is still 50:50

Many things can happen before the elections. The economy could crash. Trump could start WW3. One of many Trump scandals might end up discovering some real evidence of crimes resulting in impeachment, not decades old hearsay that convince only partisans. Any of those would shift elections far more than Democratic debates.

If none of that happens, and the election is still 50:50, it will really matter if the Democratic Party follows Nancy Pelosi, and picks a successful moderate, or follows Eric Swalwell and tries to outdo itself in extremist appeals and chooses a Giant Douche while handing over a second term to the Turd Sandwich.

Far Left is losing everywhere

It's not a US-specific issue. Traditional center-left parties (more or less analogous to the US Democratic Party) got weakened by the Great Recession, resulting in a brief resurgence of the far left.

This resurgence is crashing now. UK Labour has lost every election since it went extremist, and in some polls is now 4th with 18% support. In the two countries worst affected by the crisis where the far left actually got power, it has already lost it: Podemos completely crashed in Spain, and Syriza more narrowly lost in Greece.

In most other Western countries, all this bickering on the left just weakened it, and let either center right or populist right take over. Many Western countries like Poland and Israel nowadays have 50 Shades of Right elections.

Seriously guys, just listen to Nancy, she knows what's best for you.

Monday, July 01, 2019

What's wrong with all music streaming services

DSCN3865 by wiccahwang from flickr (CC-BY)

Music streaming service has three jobs:
  • be available
  • play music
  • discover new music

Be available

The first music streaming service that offered decent recommendations was Audiogalaxy. It was shut down by Big Copyright.

A while later, Pandora came out, and it had mindblowingly good music discovery, but Big Copyright forced them to lock out everyone outside US. There's probably some way to access it with VPNs, but the hassle is just too great.

Play music

You'd think this would be trivial, but it's not. As a consequence of watching videos and listening to podcasts at high speed, my baseline speed changed, and I just don't enjoy any media below 140% speed.

That shouldn't be a problem, as browsers can inherently play audio and video at any speed, and there are browser extensions to add speed controls to sites without them.

Unfortunately services like Spotify and Deezer go out of their way to disable that, so I'd be locked to 100% speed at which all the music feels slowed down.

Sure I'm in tiny minority here, but who isn't in tiny minority one way or another when it comes to music?

As far as I know, this leaves me with just two options:
  • Download the songs and play them locally
  • Youtube

Downloading songs with tcpflow

Downloading songs lets me play whichever way I want, but there's not one shred of discovery there. The easiest way to download songs these days is youtube-dl, but you can use basically any source.

So funny story time! Once upon a time I wrote a music downloader that tapped into network traffic to get music from Pandora via tcpflow network intercepts. The music was just in MP3 files. Some minor complications were the metadata being in separate XML HTTP requests, and songs being out of order for buffering purposes.

The whole thing was about 300 lines of Ruby; it figured out which song and which metadata matched, and then saved and organized all that.

It didn't mass download songs, and it didn't even interact with the website in any way, it was 100% passive and undetectable, it just saved everything I listened to in regular browser.

I needed those files to put them on a hardware MP3 player, as there was no way to listen to internet radio without the internet obviously.

I never mentioned it back then, as it would be way too much hassle for most people to set up, and if it got public they might change the API to make it more difficult somehow.

So I might have been the only person who got their music with tcpflow ever.

I have no idea if that still works. It's unlikely, as everything is routinely encrypted these days, so you'd need either a MITM proxy to strip the SSL, or capture music from a browser plugin, or something like chromedriver.

Youtube

As far as I know, all that leaves Youtube as the only option for me. It is available. It has more music than anything else thanks to all the covers. It plays music at any speed. It even has convenient downloads.

The problem is music discovery. It's not great. For ages it kept suggesting absolute garbage all the time. For example one thing I absolutely can't stand is male vocalists, but it kept doing this to me.

Now it seems it has given up and just plays same songs I already know, and occasionally some new mainstream hit.

Then again, what did I expect? It can't even consistently figure that after Part 4 of some let's play comes Part 5, and not Part 17.

For all the claims about imminent AI takeover, this is miserable. Maybe all those drivers who will lose their jobs to self-driving cars can get new jobs as music recommenders.

Discovering new music

So the last option is separating music discovery from music play.

There's plenty of sites where you put your favorite artists and they recommend some other artists. I don't think recommending based on artists is even a sensible thing, most artists create a range of different music, and good recommendations for someone who really likes this song would be really different from good recommendations for someone who really likes this one.

Of the services I tried, most are overwhelmingly awful. Sage is actually kinda OKish. Like 10% of what it recommends is actually good, and the UI of "click here to go to youtube search for the artist" is not the worst.

So overall I'm not too happy with all this, but it's not like it's possible to just fix it with some code, as Big Copyright would probably ban anything that improved the situation.