Bounded-Error Log

I was pretty torn between this and “The Future Soon” as the Year-End Song on this blog, but in the end I think I feel more threatened by the bland existence of the soulless adult than inspired by the starry-eyed-idealism-with-misogynist-undertones of the twelve-year-old, plus I get to show you the best kinetic typography video I have ever seen.

Halfway through 2018 I thought this would be the year of ephemeral phases. I felt like I went through a different phase every month — Online Dominion in April, crosswords in June, Only Connect in July, Jonathan Coulton in August, a brief stint of trying really hard to barre my guitar chords in October. Somewhere in the middle, I discovered Kittens Game (“the Dark Souls of Incremental Gaming”) and my summer internship mentor got me to pick up Pokémon Go again. A few intense periods of typographical study were interspersed, which involved watching the above music video dozens of times, teaching a Splash class on typography, and developing a new awareness of how Avenir was everywhere. During the last month, I went hard on Advent of Code and got second place, apparently the only person to make it on every single leaderboard. I also did a related golf side contest and poured a couple more hours into Paradoc, my personal golfing language, for rather unclear gain. At least I got a lot of GitHub followers?

It would turn out, though, that a lot of these phases had more staying power than I expected. Pokémon Go is a much better game than it was two years ago and has actually fostered a significant real-life community, which seems like one of the best possible outcomes of an augmented reality game, and I’ve found a steady pace to play at. I spread the Only Connect bug and people on my hall, intrigued by the format but annoyed by the overwhelmingly British trivia¹, started writing and hosting full games for each other, with our own MIT-slanted set of trivia. One of us developed a custom site and tool to host these games. It took me a while to warm up to Jonathan Coulton’s latest album, but since it happened, I cannot get Ordinary Man or Sunshine out of my head; I’m still listening to JoCo as I finish typing up this post. Although I never got back to the peak of my crossword frenzy, I still study crosswordese from time to time and compose crosswords for some special occasions, like this one (.puz file).

The academics and technical aspects of this year have all blurred together, but I think my interests are finally crystallizing:

A more accurate but less informative title for this post would be “How I wish React and Redux were explained to me”. Note that this does not imply that this method of explanation is suitable for anybody else. I suspect it won’t be for most people.

I had to learn React and Redux the past summer for my internship at MemSQL, and there were hundreds of articles that explain React and Redux in addition to the (fine) built-in documentation, but none of them scratched the itch; I wanted to know what was going on completely, including some of the technical details and the philosophy I ought to be following, as well as efficiently. I did not need another explanation about how to think functionally, in JavaScript types or with immutable data. React’s chapter on Conditional Rendering, for example, felt so inefficient — I know what if statements and conditional expressions are, and I know how to refactor complicated subexpressions into variables…

So here’s the guide I wish I had. I think. It’s been months since I started it (as usual, for posts on this blog) and it is probably incomplete. However, I haven’t written React/Redux deeply in a while, so I didn’t have much motivation to continue to investigate the incomplete bits; and the perfect is the enemy of the good, so here it is.

We’ve burrowed ourselves deep within the facility, gaining access to the programable logic controllers (PLC) that drive their nuclear enrichment centrifuges. Kinetic damage is necessary, we need you to neutralize these machines.

You can access this challenge at https://wargames.ret2.systems/csaw_2018_plc_challenge

A much belated post. This is a pwn challenge on a custom online wargaming platform. We are provided with the assembly of what’s ostensibly a programmable logic controller (PLC) for a centrifuge in a nuclear reactor. The challenge looks like it’s still up, so you can take a look and follow along.

This was the first ROP (okay, spoiler, it’s a ROP) I ever pulled off live during an actual CTF, which I was pretty excited about. The web platform meant I had to worry less about setup, and even though some of the tools it provided were a little lacking (no gdb shortcuts like until, no pwntools utilities for packing/unpacking numbers, … no one_gadget), I think they ultimately made the whole thing a lot more educational for me, so kudos to the folks behind it. I’ve included a brief description of all the exploit techniques that lead up to ROP when we get to that, so hopefully this post will be useful even if you don’t know much about pwning binaries. The prerequisites would be some knowledge with x86 assembly, how executables are loaded into memory, and how to use gdb (or fictionalized web knockoffs thereof).

The villains are communicating with their own proprietary file format. Figure out what it is.

$ nc proprietary.ctfcompetition.com 1337

We get a server that will talk to us on a port and a flag.ctf file that’s definitely not a binary. It’s a black-box reversing challenge! I was @-mentioned as the person who might want to due to solving bananaScript (CSAW CTF Quals 2017) as a black box, although that gave a binary that it was possible in theory to reverse. Here black-box reversing is the only option.

For the first few lines of input that the server wants, it responds with quite helpful error messages to help you appease it. If the first line you give it is not P6, it complains:

You discover this cat enthusiast chat app, but the annoying thing about it is that you’re always banned when you start talking about dogs. Maybe if you would somehow get to know the admin’s password, you could fix that.

This challenge is a simple chat app written in NodeJS. The home page redirects you to a chat room labeled with a random UUID. Anybody can join the same chat room with the URL.

In a chat room, you can chat and issue two commands, /name to set your name and /report to report that somebody is talking about dogs. After anybody in the chat room issues /report, the admin shows up, listens for a while, and bans anybody who mentions the word “dog”.

There are two more commands, /secret and /ban, which are in the server source code and also described in comments in the HTML source if you didn’t notice:

You stumbled upon someone’s “JS Safe” on the web. It’s a simple HTML file that can store secrets in the browser’s localStorage. This means that you won’t be able to extract any secret from it (the secrets are on the computer of the owner), but it looks like it was hand-crafted to work only with the password of the owner…

The challenge consists of a fancy HTML file with a cute but irrelevant animated cube and some embedded JavaScript.

The hardest challenge of not very many I solved in this CTF. What a struggle! I have a long way to improve. It was pretty fun though. (I solved “You Already Know”, and got the essence of “ghettohackers: Throwback”, but didn’t guess the right flag format and believe I was asleep when they released the hint about it.)

The challenge consists of a simple PHP script that opens a MySQL connection and then feeds our input into a custom PHP extension shellme.so.

$link = mysqli_connect('localhost', 'shellql', 'shellql', 'shellql');

if (isset($_POST['shell']))
{
   if (strlen($_POST['shell']) <= 1000)
   {
      echo $_POST['shell'];
      shellme($_POST['shell']);
   }
   exit();
}

The extension basically just executes $_POST['shell'] as shellcode after a strict SECCOMP call, prctl(22, 1). This means that we can only use the four syscalls read, write, and exit, and sigreturn, where the latter two aren’t particularly useful.

The goal is to read the flag from the open MySQL connection.

We are presented with a big zip file of SML code, which implements an interpreter for a small ML-like language with a form of taint analysis in its type checker, called Wolf. Concretely, every type in Wolf’s type system has an associated secrecy: it is either “private” or “public”, and in theory, the type system makes it impossible to do any computation on private data to get a public result.

Of course, this is a CTF, so the challenge is all about breaking the theoretical guarantees of the type system. When we submit code, it’s evaluated in a context with a private integer variable flag; our code is typechecked, executed, and printed, but only if its type is public. The goal is to break the type system and write code that produces a public value that depends on flag, so that we can exfiltrate flag itself.

In all, there are three progressively harder Wolf problems, named Pupper, Doggo, and Woofer. Doggo and Woofer are each encrypted with the flag of the challenge before it, so that you need to solve them in order (unless you can somehow blindly exploit servers running SML programs).

Wolf Overview

Let’s first go over the Wolf syntax and semantics. (There are small differences between the three problems, but they’re syntactically identical and only semantically differ in cases that we’ll naturally get to.) The examples folder has some examples of valid code:

let x = (5 :> private int) in
6

This challenge is a video of somebody’s messy desk, with what is apparently the audio from a Futurama clip. The desk is indeed extremely messy and full of things that aren’t particularly useful for us, but close examination reveals a QR code reflected in the globe in the middle.

The challenge is all about getting that QR code. After trying our best to clean up the image, we ended up with this:

It feels a little surreal watching #DeleteFacebook.

On one hand, despite how hard it is to keep an issue trending in today’s fast news cycle, this issue has managed to continue burning for a while. Somewhat recently (March 21), we got two high-profile Facebook account deletions from Brian Acton (WhatsApp cofounder) and Elon Musk. Other apparent examples include Playboy and Cher, or see Time or CNET for a few more. Facebook’s U.S. and Canada user base declined for the first time last quarter.

On the other hand, for me and for a lot of people, the scandal just doesn’t seem that qualitatively different from things we’ve known about Facebook for a long time — its stance on privacy, its psychological effects, its willingness to manipulate the user experience. Why is this time different? (Here’s the /r/NoStupidQuestions thread. I don’t actually know which answer I believe the most.)

Is this time really different? I’m not optimistic. The decline could simply be Facebook running out of potential users to add and space to grow. According to a recent Raymond James survey, about half of surveyed users did not plan to change how much they used Facebook, while only 8% would stop using it, and this may still be an overestimate of people who will actually leave or delete their accounts.¹ Mark Zuckerberg himself told the New York Times, “I don’t think we’ve seen a meaningful number of people act on [the #DeleteFacebook campaign]”.

I myself have to admit upfront that, even though I barely use Facebook any more and have carefully contemplated deleting my Facebook account for a long time, I still haven’t pulled the trigger.

Why? What will it take to change this?