Use em-dash everywhere Signed-off-by: Anirudh Oppiliappan <x@icyphox.sh>
Anirudh Oppiliappan x@icyphox.sh
Tue, 17 Dec 2019 19:26:54 +0530
19 files changed,
112 insertions(+),
112 deletions(-)
jump to
M
pages/blog/2019-09-17.md
→
pages/blog/2019-09-17.md
@@ -40,7 +40,7 @@ ## Other
I have been listening to my usual podcasts: Crime Junkie, True Crime Garage, Darknet Diaries & Off the Pill. To add to this list, I've begun binging Vice's CYBER. -It's pretty good -- each episode is only about 30 mins and it hits the sweet spot, +It's pretty good---each episode is only about 30 mins and it hits the sweet spot, delvering both interesting security content and news. My reading needs a ton of catching up. Hopefully I'll get around to finishing up@@ -49,7 +49,7 @@
I've begun learning Russian! I'm really liking it so far, and it's been surprisingly easy to pick up. Learning the Cyrillic script will require some relearning, especially with letters like в, н, р, с, etc. that look like English but sound entirely different. -I think I'm pretty serious about learning this language -- I've added the Russian keyboard +I think I'm pretty serious about learning this language---I've added the Russian keyboard to my Google Keyboard to aid in my familiarization of the alphabet. I've added the `RU` layout to my keyboard map too:
M
pages/blog/2019-10-17.md
→
pages/blog/2019-10-17.md
@@ -66,4 +66,4 @@ Monogatari_ (till the latest chapter) and _Another_, and I've just
started _Kakegurui_. I'll reserve my opinions for when I update the [reading log](/reading). -That's about it, and I'll see you -- definitely not next week. +That's about it, and I'll see you---definitely not next week.
M
pages/blog/2019-11-16.md
→
pages/blog/2019-11-16.md
@@ -16,7 +16,7 @@ [repo](https://github.com/icyphox/site)'s issues to track blog post ideas.
I've made a few, mostly just porting them over from my Google Keep note. This method of using issues is great, because readers can chime in with -ideas for things I could possibly discuss -- like in [this +ideas for things I could possibly discuss---like in [this issue](https://github.com/icyphox/site/issues/10). ## Contemplating a `vite` rewrite@@ -31,7 +31,7 @@ - Nim: My favourite, but I'll have to write bindings to [`lowdown(1)`](https://github.com/kristapsdz/lowdown). (`nite`?)
- Shell: Another favourite, muh "minimalsm". No downside, really. (`shite`?) -Oh, and did I mention -- I want it to be compatible with `vite`. +Oh, and did I mention---I want it to be compatible with `vite`. I don't want to have to redo my site structure or its templates. At the moment, I rely on Jinja2 for templating, so I'll need something similar.@@ -56,7 +56,7 @@ ## Other
I've been reading some more manga, I'll update the [reading log](/reading) when I, well... get around to it. Haven't had time to do -much in the past few weeks -- the time at the end of a semester tends to +much in the past few weeks---the time at the end of a semester tends to get pretty tight. Here's what I plan to get back to during this winter break: - Russian!
M
pages/blog/_index.md
→
pages/blog/_index.md
@@ -19,12 +19,12 @@ | [Hacky scripts](/blog/hacky-scripts) | `2019-10-24` |
| [Status update](/blog/2019-10-17) | `2019-10-16` | | [PyCon India 2019 wrap-up](/blog/pycon-wrap-up) | `2019-10-15` | | [Thoughts on digital minimalism](/blog/digital-minimalism) | `2019-10-05` | -| [Weekly status update, 09/17 -- 09/27](/blog/2019-09-27) |`2019-09-27`| -| [Weekly status update, 09/08 -- 09/17](/blog/2019-09-17) |`2019-09-17`| +| [Weekly status update](/blog/2019-09-27) |`2019-09-27`| +| [Weekly status update](/blog/2019-09-17) |`2019-09-17`| | [Disinformation demystified](/blog/disinfo) |`2019-09-10`| | [Setting up my personal mailserver](/blog/mailserver) |`2019-08-15`| -| [Picking the FB50 smart lock (CVE-2019-13143)](/blog/fb50) |`2019-08-06`| -| [Return Oriented Programming on ARM (32-bit)](/blog/rop-on-arm) |`2019-06-06`| +| [Picking the FB50 smart lock](/blog/fb50) |`2019-08-06`| +| [ROP on ARM32](/blog/rop-on-arm) |`2019-06-06`| | [My Setup](/blog/my-setup) |`2019-05-13`| -| [Python for Reverse Engineering #1: ELF Binaries](/blog/python-for-re-1/)|`2019-02-08`| +| [Python for Reverse Engineering](/blog/python-for-re-1/)|`2019-02-08`|
M
pages/blog/digital-minimalism.md
→
pages/blog/digital-minimalism.md
@@ -27,7 +27,7 @@ after which the phone would become usable again. Not helpful.
My solution to this is a lot more brutal. I straight up uninstalled the apps that I found myself using too often. There's a simple principle -behind it -- if the app has a desktop alternative, like Twitter, +behind it---if the app has a desktop alternative, like Twitter, Reddit, etc. use that instead. Here's a list of apps that got nuked from my phone:@@ -55,7 +55,7 @@
My setup right now is just a simple bar at the top showing the time, date, current volume and battery %, along with my workspace indicators. No fancy colors, no flashy buttons and sliders. And that's it. I don't -try to force myself to not use stuff -- after all, I've reduced it +try to force myself to not use stuff---after all, I've reduced it elsewhere. :) Now the question arises: Is this just a phase, or will I stick to it?
M
pages/blog/disinfo.md
→
pages/blog/disinfo.md
@@ -23,7 +23,7 @@
At the end, we'll also look at how you can use disinformation techniques to maintain OPSEC. In order to break monotony, I will also be using the terms "information operation", or the shortened -forms -- "info op" & "disinfo". +forms---"info op" & "disinfo". ## Creating disinformation
M
pages/blog/fb50.md
→
pages/blog/fb50.md
@@ -19,7 +19,7 @@ account before further functionality is available.
It also facilitates configuring the fingerprint, and unlocking from a range via Bluetooth. -We had two primary attack surfaces we decided to tackle — Bluetooth (BLE) +We had two primary attack surfaces we decided to tackle---Bluetooth (BLE) and the Android app. ## Via Bluetooth Low Energy (BLE)@@ -41,7 +41,7 @@ ## Via the Android app
Reversing the app using `jd-gui`, `apktool` and `dex2jar` didn't get us too far since most of it was obfuscated. Why bother when there exists an -easier approach -- BurpSuite. +easier approach---BurpSuite. We captured and played around with a bunch of requests and responses, and finally arrived at a working exploit chain.
M
pages/blog/feed.xml
→
pages/blog/feed.xml
@@ -32,7 +32,7 @@ <h3 id="april-14-2018">April 14, 2018</h3>
<ul> <li>RT published an article claiming that Spiez had identified a different -toxin – BZ, and not Novichok.</li> +toxin—BZ, and not Novichok.</li> <li>This was an attempt to shift the blame from Russia (origin of Novichok), to NATO countries, where it was apparently in use.</li> <li>Most viral piece on the matter in all of 2018.</li>@@ -108,7 +108,7 @@ <ul>
<li>OPCW facilities receive an email from Spiez inviting them to a conference.</li> <li>The conference itself is real, and has been organized before.</li> -<li>The email however, was not – attached was a Word document containing +<li>The email however, was not—attached was a Word document containing malware.</li> <li>Also seen were inconsistencies in the email formatting, from what was normal.</li>@@ -120,7 +120,7 @@ a state actor:</p>
<ol> <li>Attack targetting a specific group of individuals.</li> -<li>Relatively high level of sophistication – email formatting, +<li>Relatively high level of sophistication—email formatting, malicious Word doc, etc.</li> </ol>@@ -176,7 +176,7 @@ <p>UK made the arrests public, published a list of infractions commited by
Russia, along with the specific GRU unit that was caught.</p> <p>During this period, just one of the top 25 viral stories was from -a pro-Russian outlet, RT – that too a fairly straightforward piece.</p> +a pro-Russian outlet, RT—that too a fairly straightforward piece.</p> <h2 id="wrapping-up">Wrapping up</h2>@@ -204,20 +204,20 @@ ]]></description><link>https://icyphox.sh/blog/ru-vs-gb</link><pubDate>Thu, 12 Dec 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/ru-vs-gb</guid></item><item><title>Instagram OPSEC</title><description><![CDATA[<p>Which I am not, of course. But seeing as most of my peers are, I am
compelled to write this post. Using a social platform like Instagram automatically implies that the user understands (to some level) that their personally identifiable information is exposed publicly, and they -sign up for the service understanding this risk – or I think they do, +sign up for the service understanding this risk—or I think they do, anyway. But that’s about it, they go ham after that. Sharing every nitty gritty detail of their private lives without understanding the potential risks of doing so.</p> <p>The fundamentals of OPSEC dictacte that you develop a threat model, and -Instgrammers are <em>obviously</em> incapable of doing that – so I’ll do it +Instgrammers are <em>obviously</em> incapable of doing that—so I’ll do it for them. </p> <h2 id="your-average-instagrammers-threat-model">Your average Instagrammer’s threat model</h2> <p>I stress on the word “average”, as in this doesn’t apply to those with more than a couple thousand followers. Those type of accounts inherently -face different kinds of threats – those that come with having +face different kinds of threats—those that come with having a celebrity status, and are not in scope of this analysis.</p> <ul>@@ -231,7 +231,7 @@ of the amount of visual information shared on the platform. A lot can be
gleaned from one simple picture in a nondescript alleyway. We’ll get into this in the DOs and DON’Ts in a bit.</p></li> <li><p><strong>Facebook & LE</strong>: Instagram is the last place you want to be doing an -illegal, because well, it’s logged and more importantly – not +illegal, because well, it’s logged and more importantly—not end-to-end encrypted. Law enforcement can subpoena any and all account information. Quoting Instagram’s <a href="https://help.instagram.com/494561080557017">page on this</a>:</p></li>@@ -252,7 +252,7 @@ <h3 id="donts">DON’Ts</h3>
<ul> <li><p>Use Instagram for planning and orchestrating illegal shit! I’ve -explained why this is a terrible idea above. Use secure comms – even +explained why this is a terrible idea above. Use secure comms—even WhatsApp is a better choice, if you have nothing else. In fact, try avoiding IG DMs altogether, use alternatives that implement E2EE.</p></li> <li><p>Film live videos outside. Or try not to, if you can. You might@@ -262,9 +262,9 @@ <li><p>Film live videos in places you visit often. This compromises your
security at places you’re bound to be at.</p></li> <li><p>Share your flight ticket in your story! I can’t stress this enough!!! Summer/winter break? “Look guys, I’m going home! Here’s where I live, -and here’s my flight number – feel free to track me!”. This scenario is +and here’s my flight number—feel free to track me!”. This scenario is especially worrisome because the start and end points are known to the -threat actor, and your arrival time can be trivially looked up – thanks +threat actor, and your arrival time can be trivially looked up—thanks to the flight number on your ticket. So, just don’t.</p></li> <li><p>Post screenshots with OS specific details. This might border on pendantic, but better safe than sorry. Your phone’s statusbar and navbar@@ -317,18 +317,18 @@ <div class="footnotes">
<hr /> <ol> <li id="fn-ddepisode"> -<p><a href="https://darknetdiaries.com/episode/51/">https://darknetdiaries.com/episode/51/</a> – Jack talks about Indian hackers who operate on Instagram. <a href="#fnref-ddepisode" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p> +<p><a href="https://darknetdiaries.com/episode/51/—Jack">https://darknetdiaries.com/episode/51/—Jack</a> talks about Indian hackers who operate on Instagram. <a href="#fnref-ddepisode" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p> </li> </ol> </div> ]]></description><link>https://icyphox.sh/blog/ig-opsec</link><pubDate>Mon, 02 Dec 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/ig-opsec</guid></item><item><title>Save .ORG!</title><description><![CDATA[<p>The .ORG top-level domain introduced in 1985, has been operated by the <a href="https://en.wikipedia.org/wiki/Public_Interest_Registry">Public Interest Registry</a> since 2003. The .ORG TLD is used primarily by communities, free and open source projects, -and other non-profit organizations – although the use of the TLD isn’t +and other non-profit organizations—although the use of the TLD isn’t restricted to non-profits.</p> <p>The Internet Society or ISOC, the group that created the PIR, has -decided to sell the registry over to a private equity firm – Ethos +decided to sell the registry over to a private equity firm—Ethos Capital.</p> <h2 id="whats-the-problem">What’s the problem?</h2>@@ -343,7 +343,7 @@
<ul> <li><p>They control the registration/renewal fees of the TLD. They can hike the price if they wish to. As is stands, NGOs already earn very -little – a .ORG price hike would put them in a very icky situation.</p></li> +little—a .ORG price hike would put them in a very icky situation.</p></li> <li><p>They can introduce <a href="https://www.icann.org/resources/pages/rpm-drp-2017-10-04-en">Rights Protection Mechanisms</a> or RPMs, which are essentially legal statements that can—if not@@ -377,7 +377,7 @@
<p>The Internet that we all love and care for is slowly being subsumed by megacorps and private firms, who’s only motive is to make a profit. The Internet was meant to be free, and we’d better act now if we want that -freedom. The future looks bleak – I hope we aren’t too late.</p> +freedom. The future looks bleak—I hope we aren’t too late.</p> ]]></description><link>https://icyphox.sh/blog/save-org</link><pubDate>Sat, 23 Nov 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/save-org</guid></item><item><title>Status update</title><description><![CDATA[<p>This month is mostly just unfun stuff, lined up in a neat schedule – exams. I get all these cool ideas for things to do, and it’s always during exams. Anyway, here’s a quick update on what I’ve been up to.</p>@@ -389,7 +389,7 @@ <a href="https://github.com/icyphox/site">repo</a>’s issues to track blog post ideas.
I’ve made a few, mostly just porting them over from my Google Keep note.</p> <p>This method of using issues is great, because readers can chime in with -ideas for things I could possibly discuss – like in <a href="https://github.com/icyphox/site/issues/10">this +ideas for things I could possibly discuss—like in <a href="https://github.com/icyphox/site/issues/10">this issue</a>.</p> <h2 id="contemplating-a-vite-rewrite">Contemplating a <code>vite</code> rewrite</h2>@@ -406,7 +406,7 @@ <li>Shell: Another favourite, muh “minimalsm”. No downside, really.
(<code>shite</code>?)</li> </ul> -<p>Oh, and did I mention – I want it to be compatible with <code>vite</code>. +<p>Oh, and did I mention—I want it to be compatible with <code>vite</code>. I don’t want to have to redo my site structure or its templates. At the moment, I rely on Jinja2 for templating, so I’ll need something similar.</p>@@ -433,7 +433,7 @@ <h2 id="other">Other</h2>
<p>I’ve been reading some more manga, I’ll update the <a href="/reading">reading log</a> when I, well… get around to it. Haven’t had time to do -much in the past few weeks – the time at the end of a semester tends to +much in the past few weeks—the time at the end of a semester tends to get pretty tight. Here’s what I plan to get back to during this winter break:</p> <ul>@@ -462,7 +462,7 @@ or Telegram. This is an account of how that went.</p>
<h2 id="the-status-quo-of-instant-messaging-apps">The status quo of instant messaging apps</h2> -<p>I’ve tried a <em>ton</em> of messaging applications – Signal, WhatsApp, +<p>I’ve tried a <em>ton</em> of messaging applications—Signal, WhatsApp, Telegram, Wire, Jami (Ring), Matrix, Slack, Discord and more recently, DeltaChat.</p> <p><strong>Signal</strong>: It straight up sucks on Android. Not to mention the@@ -486,7 +486,7 @@ really sucks for one-to-one chats.</p>
<p><strong>Slack</strong> / <strong>Discord</strong>: <em>sigh</em></p> -<p><strong>DeltaChat</strong>: Pretty interesting idea – on paper. Using existing email +<p><strong>DeltaChat</strong>: Pretty interesting idea—on paper. Using existing email infrastructure for IM sounds great, but it isn’t all that cash in practice. Email isn’t instant, there’s always a delay of give or take 5 to 10 seconds, if not more. This affects the flow of conversation.@@ -505,7 +505,7 @@
<p>This was the next obvious choice, but personal message buffers don’t persist in ZNC and it’s very annoying to have to do a <code>/query nerdypepper</code> (Weechat) or to search and message a user via Revolution -IRC. The only unexplored option – using a channel.</p> +IRC. The only unexplored option—using a channel.</p> <h2 id="setting-up-a-channel-for-dms">Setting up a channel for DMs</h2>@@ -523,9 +523,9 @@ modes.</p></li>
<li><p>Notifications: Also a trivial task; a quick modification to <a href="https://weechat.org/scripts/source/lnotify.py.html/">lnotify.py</a> to send a notification for all messages in the specified buffer (<code>#crimson</code>) did the trick for Weechat. Revolution IRC, on the other -hand, has an option to setup rules for notifications – super +hand, has an option to setup rules for notifications—super convenient.</p></li> -<li><p>A bot: Lastly, a bot for a few small tasks – fetching URL titles, responding +<li><p>A bot: Lastly, a bot for a few small tasks—fetching URL titles, responding to <code>.np</code> (now playing) etc. Writing an IRC bot is dead simple, and it took me about an hour or two to get most of the basic functionality in place. The source is <a href="https://github.com/icyphox/detotated">here</a>.@@ -568,7 +568,7 @@ <li>3-letter org steps in, wants him released.</li>
</ul> <p>So here’s the thing, his presence is a threat to public but at the same time, -he can be a valuable long term asset – giving info on drug inflow, exchanges and perhaps even +he can be a valuable long term asset—giving info on drug inflow, exchanges and perhaps even actionable intel on bigger fish who exist on top of the ladder. But he also seeks security. The 3-letter org must provide him with protection, in case he’s blown. And like in our case, they’d have to step in if he gets arrested.</p>@@ -577,7 +577,7 @@ <p>Herein lies the problem. How far should an intelligence organization go to protect an asset?
Who matters more, the people they’ve sworn to protect, or the asset? Because afterall, in the bigger picture, local PD and intel orgs are on the same side.</p> -<p>Thus, the question arises – how can we measure the “usefulness” of an +<p>Thus, the question arises—how can we measure the “usefulness” of an asset to better quantify the tradeoff that is to be made? Is the intel gained worth the loss of public safety? This question remains largely unanswered, and is quite the@@ -586,11 +586,11 @@
<p>This was a fairly short post, but an interesting problem to ponder nonetheless.</p> ]]></description><link>https://icyphox.sh/blog/intel-conundrum</link><pubDate>Mon, 28 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/intel-conundrum</guid></item><item><title>Hacky scripts</title><description><![CDATA[<p>As a CS student, I see a lot of people around me doing courses online -to learn to code. Don’t get me wrong – it probably works for some. +to learn to code. Don’t get me wrong—it probably works for some. Everyone learns differently. But that’s only going to get you so far. Great you know the syntax, you can solve some competitive programming problems, but that’s not quite enough, is it? The actual learning comes -from <em>applying</em> it in solving <em>actual</em> problems – not made up ones. +from <em>applying</em> it in solving <em>actual</em> problems—not made up ones. (<em>inb4 some seething CP bro comes at me</em>)</p> <p>Now, what’s an actual problem? Some might define it as real world@@ -605,7 +605,7 @@ examples.</p>
<h2 id="now-playing-status-in-my-bar">Now playing status in my bar</h2> -<p>If you weren’t aware already – I rice my desktop. A lot. And a part of +<p>If you weren’t aware already—I rice my desktop. A lot. And a part of this cohesive experience I try to create involves a status bar up at the top of my screen, showing the time, date, volume and battery statuses etc.</p>@@ -627,7 +627,7 @@ <p>My next avenue was the Spotify Web API. One look at the <a href="https://developer.spotify.com/documentation/web-api/">docs</a> and
I realize that I’ll have to make <em>more</em> than one request to fetch the artist and track details. Nope, I need this to work fast.</p> -<p>Last resort – Last.fm’s API. Spolier alert, this worked. Also, arguably +<p>Last resort—Last.fm’s API. Spolier alert, this worked. Also, arguably the best choice, since it shows the track status regardless of where the music is being played. Here’s the script in its entirety:</p>@@ -745,7 +745,7 @@ given that there are <a href="https://staticgen.com">so many</a> of them, but
I chose to write one myself.</p> <p>And that just about sums up what I wanted to say. The best and most fun -way to learn to code – write hacky scripts. You heard it here.</p> +way to learn to code—write hacky scripts. You heard it here.</p> ]]></description><link>https://icyphox.sh/blog/hacky-scripts</link><pubDate>Thu, 24 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/hacky-scripts</guid></item><item><title>Status update</title><description><![CDATA[<p>I’ve decided to drop the “Weekly” part of the status update posts, since they were never weekly and—let’s be honest—they aren’t going to be. These posts are, henceforth, just “Status updates”. The date range can@@ -806,13 +806,13 @@ Monogatari</em> (till the latest chapter) and <em>Another</em>, and I’ve just
started <em>Kakegurui</em>. I’ll reserve my opinions for when I update the <a href="/reading">reading log</a>.</p> -<p>That’s about it, and I’ll see you – definitely not next week.</p> +<p>That’s about it, and I’ll see you—definitely not next week.</p> ]]></description><link>https://icyphox.sh/blog/2019-10-17</link><pubDate>Wed, 16 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2019-10-17</guid></item><item><title>PyCon India 2019 wrap-up</title><description><![CDATA[<p>I’m writing this article as I sit in class, back on the grind. Last weekend—Oct 12th and 13th—was PyCon India 2019, in Chennai, India. It was my first PyCon, <em>and</em> my first ever talk at a major conference! This is an account of the all the cool stuff I saw, people I met and the talks I enjoyed. -Forgive the lack of pictures – I prefer living the moment through my +Forgive the lack of pictures—I prefer living the moment through my eyes. </p> <h2 id="talks">Talks</h2>@@ -848,10 +848,10 @@
<h2 id="some-nice-people-i-met">Some nice people I met</h2> <ul> -<li><a href="https://twitter.com/abhirathb">Abhirath</a> – A 200 IQ lad. Talked to +<li><a href="https://twitter.com/abhirathb">Abhirath</a>—A 200 IQ lad. Talked to me about everything from computational biology to the physical implementation of quantum computers.</li> -<li><a href="https://twitter.com/meain_">Abin</a> – He recognized me from my +<li><a href="https://twitter.com/meain_">Abin</a>—He recognized me from my <a href="https://reddit.com/r/unixporn">r/unixporn</a> posts, which was pretty awesome.</li> <li><a href="https://twitter.com/h6165">Abhishek</a></li>@@ -865,7 +865,7 @@ <h2 id="pictures">Pictures!</h2>
<p>It’s not much, and I can’t be bothered to format them like a collage or whatever, so I’ll -just dump them here – as is.</p> +just dump them here—as is.</p> <p><img src="/static/img/silly_badge.jpg" alt="nice badge" /> <img src="/static/img/abhishek_anmol.jpg" alt="awkward smile!" />@@ -875,7 +875,7 @@
<h2 id="cest-tout">C’est tout</h2> <p>Overall, a great time and a weekend well spent. It was very different -from your typical security conference – a lot more <em>chill</em>, if you +from your typical security conference—a lot more <em>chill</em>, if you will. The organizers did a fantastic job and the entire event was put together really well. I don’t have much else to say, but I know for sure that I’ll be@@ -904,7 +904,7 @@ after which the phone would become usable again. Not helpful.</p>
<p>My solution to this is a lot more brutal. I straight up uninstalled the apps that I found myself using too often. There’s a simple principle -behind it – if the app has a desktop alternative, like Twitter, +behind it—if the app has a desktop alternative, like Twitter, Reddit, etc. use that instead. Here’s a list of apps that got nuked from my phone:</p>@@ -934,7 +934,7 @@
<p>My setup right now is just a simple bar at the top showing the time, date, current volume and battery %, along with my workspace indicators. No fancy colors, no flashy buttons and sliders. And that’s it. I don’t -try to force myself to not use stuff – after all, I’ve reduced it +try to force myself to not use stuff—after all, I’ve reduced it elsewhere. :)</p> <p>Now the question arises: Is this just a phase, or will I stick to it?@@ -1054,7 +1054,7 @@ <h2 id="other">Other</h2>
<p>I have been listening to my usual podcasts: Crime Junkie, True Crime Garage, Darknet Diaries & Off the Pill. To add to this list, I’ve begun binging Vice’s CYBER. -It’s pretty good – each episode is only about 30 mins and it hits the sweet spot, +It’s pretty good—each episode is only about 30 mins and it hits the sweet spot, delvering both interesting security content and news.</p> <p>My reading needs a ton of catching up. Hopefully I’ll get around to finishing up@@ -1063,7 +1063,7 @@
<p>I’ve begun learning Russian! I’m really liking it so far, and it’s been surprisingly easy to pick up. Learning the Cyrillic script will require some relearning, especially with letters like в, н, р, с, etc. that look like English but sound entirely different. -I think I’m pretty serious about learning this language – I’ve added the Russian keyboard +I think I’m pretty serious about learning this language—I’ve added the Russian keyboard to my Google Keyboard to aid in my familiarization of the alphabet. I’ve added the <code>RU</code> layout to my keyboard map too:</p>@@ -1093,7 +1093,7 @@
<p>At the end, we’ll also look at how you can use disinformation techniques to maintain OPSEC.</p> <p>In order to break monotony, I will also be using the terms “information operation”, or the shortened -forms – “info op” & “disinfo”.</p> +forms—"info op” & “disinfo”.</p> <h2 id="creating-disinformation">Creating disinformation</h2>@@ -1370,7 +1370,7 @@ <h2 id="why-would-you">Why would you…?</h2>
<p>There are a few good reasons for this:</p> -<h2 id="privacy">Privacy</h2> +<h3 id="privacy">Privacy</h3> <p>No really, this is <em>the</em> best choice for truly private email. Not ProtonMail, not Tutanota. Sure, they claim so and I don’t@@ -1388,7 +1388,7 @@ third-party.
This isn’t an attempt to spread FUD. In the end, it all depends on your threat model™.</p> -<h2 id="decentralization">Decentralization</h2> +<h3 id="decentralization">Decentralization</h3> <p>Email today is basically run by Google. Gmail has over 1.2 <em>billion</em> active users. That’s obscene.@@ -1398,7 +1398,7 @@ Google reads your mail. This again loops back to my previous point, privacy.
Decentralization guarantees privacy. When you control your mail, you subsequently control who reads it.</p> -<h2 id="personalization">Personalization</h2> +<h3 id="personalization">Personalization</h3> <p>Can’t ignore this one. It’s cool to have a custom email address to flex.</p>@@ -1436,7 +1436,7 @@ account before further functionality is available.
It also facilitates configuring the fingerprint, and unlocking from a range via Bluetooth.</p> -<p>We had two primary attack surfaces we decided to tackle — Bluetooth (BLE) +<p>We had two primary attack surfaces we decided to tackle—Bluetooth (BLE) and the Android app.</p> <h2 id="via-bluetooth-low-energy-ble">Via Bluetooth Low Energy (BLE)</h2>@@ -1458,7 +1458,7 @@ <h2 id="via-the-android-app">Via the Android app</h2>
<p>Reversing the app using <code>jd-gui</code>, <code>apktool</code> and <code>dex2jar</code> didn’t get us too far since most of it was obfuscated. Why bother when there exists an -easier approach – BurpSuite.</p> +easier approach—BurpSuite.</p> <p>We captured and played around with a bunch of requests and responses, and finally arrived at a working exploit chain.</p>@@ -1628,7 +1628,7 @@ ]]></description><link>https://icyphox.sh/blog/fb50</link><pubDate>Mon, 05 Aug 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/fb50</guid></item><item><title>Return Oriented Programming on ARM (32-bit)</title><description><![CDATA[<p>Before we start <em>anything</em>, you’re expected to know the basics of ARM
assembly to follow along. I highly recommend <a href="https://twitter.com/fox0x01">Azeria’s</a> series on <a href="https://azeria-labs.com/writing-arm-assembly-part-1/">ARM Assembly Basics</a>. Once you’re -comfortable with it, proceed with the next bit — environment setup.</p> +comfortable with it, proceed with the next bit—environment setup.</p> <h2 id="setup">Setup</h2>@@ -1636,7 +1636,7 @@ <p>Since we’re working with the ARM architecture, there are two options to go
forth with: </p> <ol> -<li>Emulate — head over to <a href="https://www.qemu.org/download/">qemu.org/download</a> and install QEMU. +<li>Emulate—head over to <a href="https://www.qemu.org/download/">qemu.org/download</a> and install QEMU. And then download and extract the ARMv6 Debian Stretch image from one of the links <a href="https://blahcat.github.io/qemu/">here</a>. The scripts found inside should be self-explanatory.</li> <li>Use actual ARM hardware, like an RPi.</li>@@ -1752,7 +1752,7 @@ <p>Since we know the offset at which the <code>pc</code> gets overwritten, we can now
control program execution flow. Let’s try jumping to the <code>winner</code> function.</p> <p>Disassemble <code>winner</code> again using <code>disas winner</code> and note down the offset -of the second instruction — <code>add r11, sp, #4</code>. +of the second instruction—<code>add r11, sp, #4</code>. For this, we’ll use Python to print our input string replacing <code>FFFF</code> with the address of <code>winner</code>. Note the endianness.</p>@@ -1793,7 +1793,7 @@ <p>Clean and mean.</p>
<h2 id="the-exploit">The exploit</h2> -<p>To write the exploit, we’ll use Python and the absolute godsend of a library — <code>struct</code>. +<p>To write the exploit, we’ll use Python and the absolute godsend of a library—<code>struct</code>. It allows us to pack the bytes of addresses to the endianness of our choice. It probably does a lot more, but who cares.</p>@@ -1866,7 +1866,7 @@ <p><img src="https://i.redd.it/jk574gworp331.png" alt="scrot" /></p>
<p>Most of my work is done in either the browser, or the terminal. My shell is pure <a href="http://www.zsh.org">zsh</a>, as in no plugin frameworks. It’s customized using built-in zsh functions. Yes, you don’t actually need -a framework. It’s useless bloat. The prompt itself is generated using a framework I built in <a href="https://nim-lang.org">Nim</a> — <a href="https://github.com/icyphox/nicy">nicy</a>. +a framework. It’s useless bloat. The prompt itself is generated using a framework I built in <a href="https://nim-lang.org">Nim</a>—<a href="https://github.com/icyphox/nicy">nicy</a>. My primary text editor is <a href="https://neovim.org">nvim</a>. Again, all configs in my dotfiles repo linked above. I manage all my passwords using <a href="https://passwordstore.org">pass(1)</a>, and I use <a href="https://github.com/carnager/rofi-pass">rofi-pass</a> to access them via <code>rofi</code>.</p>@@ -2157,6 +2157,6 @@ <p>Wew, that took quite some time. But we’re done. If you’re a beginner, you might find this extremely confusing, or probably didn’t even understand what was going on. And that’s okay. Building an intuition for reading and grokking disassembly comes with practice. I’m no good at it either.</p>
<p>All the code used in this post is here: <a href="https://github.com/icyphox/asdf/tree/master/reversing-elf">https://github.com/icyphox/asdf/tree/master/reversing-elf</a></p> -<p>Ciao for now, and I’ll see ya in #2 of this series — PE binaries. Whenever that is.</p> +<p>Ciao for now, and I’ll see ya in #2 of this series—PE binaries. Whenever that is.</p> ]]></description><link>https://icyphox.sh/blog/python-for-re-1</link><pubDate>Fri, 08 Feb 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/python-for-re-1</guid></item></channel> </rss>
M
pages/blog/hacky-scripts.md
→
pages/blog/hacky-scripts.md
@@ -6,11 +6,11 @@ date: 2019-10-24
--- As a CS student, I see a lot of people around me doing courses online -to learn to code. Don't get me wrong -- it probably works for some. +to learn to code. Don't get me wrong---it probably works for some. Everyone learns differently. But that's only going to get you so far. Great you know the syntax, you can solve some competitive programming problems, but that's not quite enough, is it? The actual learning comes -from _applying_ it in solving _actual_ problems -- not made up ones. +from _applying_ it in solving _actual_ problems---not made up ones. (_inb4 some seething CP bro comes at me_) Now, what's an actual problem? Some might define it as real world@@ -25,7 +25,7 @@ examples.
## Now playing status in my bar -If you weren't aware already -- I rice my desktop. A lot. And a part of +If you weren't aware already---I rice my desktop. A lot. And a part of this cohesive experience I try to create involves a status bar up at the top of my screen, showing the time, date, volume and battery statuses etc.@@ -45,7 +45,7 @@ My next avenue was the Spotify Web API. One look at the [docs](https://developer.spotify.com/documentation/web-api/) and
I realize that I'll have to make _more_ than one request to fetch the artist and track details. Nope, I need this to work fast. -Last resort -- Last.fm's API. Spolier alert, this worked. Also, arguably +Last resort---Last.fm's API. Spolier alert, this worked. Also, arguably the best choice, since it shows the track status regardless of where the music is being played. Here's the script in its entirety:@@ -165,4 +165,4 @@ given that there are [so many](https://staticgen.com) of them, but
I chose to write one myself. And that just about sums up what I wanted to say. The best and most fun -way to learn to code -- write hacky scripts. You heard it here. +way to learn to code---write hacky scripts. You heard it here.
M
pages/blog/ig-opsec.md
→
pages/blog/ig-opsec.md
@@ -9,20 +9,20 @@ Which I am not, of course. But seeing as most of my peers are, I am
compelled to write this post. Using a social platform like Instagram automatically implies that the user understands (to some level) that their personally identifiable information is exposed publicly, and they -sign up for the service understanding this risk -- or I think they do, +sign up for the service understanding this risk---or I think they do, anyway. But that's about it, they go ham after that. Sharing every nitty gritty detail of their private lives without understanding the potential risks of doing so. The fundamentals of OPSEC dictacte that you develop a threat model, and -Instgrammers are _obviously_ incapable of doing that -- so I'll do it +Instgrammers are _obviously_ incapable of doing that---so I'll do it for them. ## Your average Instagrammer's threat model I stress on the word "average", as in this doesn't apply to those with more than a couple thousand followers. Those type of accounts inherently -face different kinds of threats -- those that come with having +face different kinds of threats---those that come with having a celebrity status, and are not in scope of this analysis. - **State actors**: This doesn't _really_ fit into our threat model,@@ -31,7 +31,7 @@ there are select groups of individuals that operate on
Instagram[^ddepisode], and they can potentially be targetted by a state actor. -[^ddepisode]: https://darknetdiaries.com/episode/51/ -- Jack talks about Indian hackers who operate on Instagram. +[^ddepisode]: https://darknetdiaries.com/episode/51/---Jack talks about Indian hackers who operate on Instagram. - **OSINT**: This is probably the biggest threat vector, simply because of the amount of visual information shared on the platform. A lot can be@@ -39,7 +39,7 @@ gleaned from one simple picture in a nondescript alleyway. We'll get
into this in the DOs and DON'Ts in a bit. - **Facebook & LE**: Instagram is the last place you want to be doing an -illegal, because well, it's logged and more importantly -- not +illegal, because well, it's logged and more importantly---not end-to-end encrypted. Law enforcement can subpoena any and all account information. Quoting Instagram's [page on this](https://help.instagram.com/494561080557017):@@ -56,7 +56,7 @@
### DON'Ts - Use Instagram for planning and orchestrating illegal shit! I've -explained why this is a terrible idea above. Use secure comms -- even +explained why this is a terrible idea above. Use secure comms---even WhatsApp is a better choice, if you have nothing else. In fact, try avoiding IG DMs altogether, use alternatives that implement E2EE.@@ -69,9 +69,9 @@ security at places you're bound to be at.
- Share your flight ticket in your story! I can't stress this enough!!! Summer/winter break? "Look guys, I'm going home! Here's where I live, -and here's my flight number -- feel free to track me!". This scenario is +and here's my flight number---feel free to track me!". This scenario is especially worrisome because the start and end points are known to the -threat actor, and your arrival time can be trivially looked up -- thanks +threat actor, and your arrival time can be trivially looked up---thanks to the flight number on your ticket. So, just don't. - Post screenshots with OS specific details. This might border on
M
pages/blog/intel-conundrum.md
→
pages/blog/intel-conundrum.md
@@ -19,7 +19,7 @@ - Local PD busts his operation and proceed to arrest him.
- 3-letter org steps in, wants him released. So here's the thing, his presence is a threat to public but at the same time, -he can be a valuable long term asset -- giving info on drug inflow, exchanges and perhaps even +he can be a valuable long term asset---giving info on drug inflow, exchanges and perhaps even actionable intel on bigger fish who exist on top of the ladder. But he also seeks security. The 3-letter org must provide him with protection, in case he's blown. And like in our case, they'd have to step in if he gets arrested.@@ -28,7 +28,7 @@ Herein lies the problem. How far should an intelligence organization go to protect an asset?
Who matters more, the people they've sworn to protect, or the asset? Because afterall, in the bigger picture, local PD and intel orgs are on the same side. -Thus, the question arises -- how can we measure the "usefulness" of an +Thus, the question arises---how can we measure the "usefulness" of an asset to better quantify the tradeoff that is to be made? Is the intel gained worth the loss of public safety? This question remains largely unanswered, and is quite the
M
pages/blog/irc-for-dms.md
→
pages/blog/irc-for-dms.md
@@ -11,7 +11,7 @@ or Telegram. This is an account of how that went.
## The status quo of instant messaging apps -I've tried a _ton_ of messaging applications -- Signal, WhatsApp, +I've tried a _ton_ of messaging applications---Signal, WhatsApp, Telegram, Wire, Jami (Ring), Matrix, Slack, Discord and more recently, DeltaChat. **Signal**: It straight up sucks on Android. Not to mention the@@ -35,7 +35,7 @@ really sucks for one-to-one chats.
**Slack** / **Discord**: _sigh_ -**DeltaChat**: Pretty interesting idea -- on paper. Using existing email +**DeltaChat**: Pretty interesting idea---on paper. Using existing email infrastructure for IM sounds great, but it isn't all that cash in practice. Email isn't instant, there's always a delay of give or take 5 to 10 seconds, if not more. This affects the flow of conversation.@@ -54,7 +54,7 @@
This was the next obvious choice, but personal message buffers don't persist in ZNC and it's very annoying to have to do a `/query nerdypepper` (Weechat) or to search and message a user via Revolution -IRC. The only unexplored option -- using a channel. +IRC. The only unexplored option---using a channel. ## Setting up a channel for DMs@@ -72,10 +72,10 @@
* Notifications: Also a trivial task; a quick modification to [lnotify.py](https://weechat.org/scripts/source/lnotify.py.html/) to send a notification for all messages in the specified buffer (`#crimson`) did the trick for Weechat. Revolution IRC, on the other -hand, has an option to setup rules for notifications -- super +hand, has an option to setup rules for notifications---super convenient. -* A bot: Lastly, a bot for a few small tasks -- fetching URL titles, responding +* A bot: Lastly, a bot for a few small tasks---fetching URL titles, responding to `.np` (now playing) etc. Writing an IRC bot is dead simple, and it took me about an hour or two to get most of the basic functionality in place. The source is [here](https://github.com/icyphox/detotated).
M
pages/blog/mailserver.md
→
pages/blog/mailserver.md
@@ -116,7 +116,7 @@
## Why would you…? There are a few good reasons for this: -## Privacy +### Privacy No really, this is *the* best choice for truly private email. Not ProtonMail, not Tutanota. Sure, they claim so and I don't dispute it. Quoting Drew Devault[^3],@@ -131,7 +131,7 @@ third-party.
This isn't an attempt to spread FUD. In the end, it all depends on your threat model™. -## Decentralization +### Decentralization Email today is basically run by Google. Gmail has over 1.2 *billion* active users. That's obscene. Email was designed to be decentralized but big corps swooped in and@@ -140,7 +140,7 @@ Google reads your mail. This again loops back to my previous point, privacy.
Decentralization guarantees privacy. When you control your mail, you subsequently control who reads it. -## Personalization +### Personalization Can't ignore this one. It's cool to have a custom email address to flex. `x@icyphox.sh` vs `gabe.newell4321@gmail.com`
M
pages/blog/my-setup.md
→
pages/blog/my-setup.md
@@ -1,7 +1,7 @@
--- template: text.html title: My Setup -subtitle: My daily drivers — hardware, software and workflow +subtitle: My daily drivers---hardware, software and workflow date: 2019-05-13 ---@@ -35,7 +35,7 @@ 
Most of my work is done in either the browser, or the terminal. My shell is pure [zsh](http://www.zsh.org), as in no plugin frameworks. It’s customized using built-in zsh functions. Yes, you don’t actually need -a framework. It’s useless bloat. The prompt itself is generated using a framework I built in [Nim](https://nim-lang.org) — [nicy](https://github.com/icyphox/nicy). +a framework. It’s useless bloat. The prompt itself is generated using a framework I built in [Nim](https://nim-lang.org)---[nicy](https://github.com/icyphox/nicy). My primary text editor is [nvim](https://neovim.org). Again, all configs in my dotfiles repo linked above. I manage all my passwords using [pass(1)](https://passwordstore.org), and I use [rofi-pass](https://github.com/carnager/rofi-pass) to access them via `rofi`.
M
pages/blog/pycon-wrap-up.md
→
pages/blog/pycon-wrap-up.md
@@ -10,7 +10,7 @@ weekend---Oct 12th and 13th---was PyCon India 2019, in Chennai, India.
It was my first PyCon, _and_ my first ever talk at a major conference! This is an account of the all the cool stuff I saw, people I met and the talks I enjoyed. -Forgive the lack of pictures -- I prefer living the moment through my +Forgive the lack of pictures---I prefer living the moment through my eyes. ## Talks@@ -44,10 +44,10 @@
## Some nice people I met -- [Abhirath](https://twitter.com/abhirathb) -- A 200 IQ lad. Talked to +- [Abhirath](https://twitter.com/abhirathb)---A 200 IQ lad. Talked to me about everything from computational biology to the physical implementation of quantum computers. -- [Abin](https://twitter.com/meain_) -- He recognized me from my +- [Abin](https://twitter.com/meain_)---He recognized me from my [r/unixporn](https://reddit.com/r/unixporn) posts, which was pretty awesome. - [Abhishek](https://twitter.com/h6165)@@ -60,7 +60,7 @@ ## Pictures!
It's not much, and I can't be bothered to format them like a collage or whatever, so I'll -just dump them here -- as is. +just dump them here---as is.  @@ -70,7 +70,7 @@
## C'est tout Overall, a great time and a weekend well spent. It was very different -from your typical security conference -- a lot more _chill_, if you +from your typical security conference---a lot more _chill_, if you will. The organizers did a fantastic job and the entire event was put together really well. I don't have much else to say, but I know for sure that I'll be
M
pages/blog/python-for-re-1.md
→
pages/blog/python-for-re-1.md
@@ -308,4 +308,4 @@ Wew, that took quite some time. But we’re done. If you’re a beginner, you might find this extremely confusing, or probably didn’t even understand what was going on. And that’s okay. Building an intuition for reading and grokking disassembly comes with practice. I’m no good at it either.
All the code used in this post is here: [https://github.com/icyphox/asdf/tree/master/reversing-elf](https://github.com/icyphox/asdf/tree/master/reversing-elf) -Ciao for now, and I’ll see ya in #2 of this series — PE binaries. Whenever that is. +Ciao for now, and I’ll see ya in #2 of this series---PE binaries. Whenever that is.
M
pages/blog/rop-on-arm.md
→
pages/blog/rop-on-arm.md
@@ -9,14 +9,14 @@ Before we start _anything_, you’re expected to know the basics of ARM
assembly to follow along. I highly recommend [Azeria’s](https://twitter.com/fox0x01) series on [ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/). Once you’re -comfortable with it, proceed with the next bit — environment setup. +comfortable with it, proceed with the next bit---environment setup. ## Setup Since we’re working with the ARM architecture, there are two options to go forth with: -1. Emulate — head over to [qemu.org/download](https://www.qemu.org/download/) and install QEMU. +1. Emulate---head over to [qemu.org/download](https://www.qemu.org/download/) and install QEMU. And then download and extract the ARMv6 Debian Stretch image from one of the links [here](https://blahcat.github.io/qemu/). The scripts found inside should be self-explanatory. 2. Use actual ARM hardware, like an RPi.@@ -130,7 +130,7 @@ Since we know the offset at which the `pc` gets overwritten, we can now
control program execution flow. Let’s try jumping to the `winner` function. Disassemble `winner` again using `disas winner` and note down the offset -of the second instruction — `add r11, sp, #4`. +of the second instruction---`add r11, sp, #4`. For this, we’ll use Python to print our input string replacing `FFFF` with the address of `winner`. Note the endianness.@@ -170,7 +170,7 @@
## The exploit -To write the exploit, we’ll use Python and the absolute godsend of a library — `struct`. +To write the exploit, we’ll use Python and the absolute godsend of a library---`struct`. It allows us to pack the bytes of addresses to the endianness of our choice. It probably does a lot more, but who cares.
M
pages/blog/ru-vs-gb.md
→
pages/blog/ru-vs-gb.md
@@ -27,7 +27,7 @@
### April 14, 2018 - RT published an article claiming that Spiez had identified a different -toxin -- BZ, and not Novichok. +toxin---BZ, and not Novichok. - This was an attempt to shift the blame from Russia (origin of Novichok), to NATO countries, where it was apparently in use. - Most viral piece on the matter in all of 2018.@@ -93,7 +93,7 @@
- OPCW facilities receive an email from Spiez inviting them to a conference. - The conference itself is real, and has been organized before. -- The email however, was not -- attached was a Word document containing +- The email however, was not---attached was a Word document containing malware. - Also seen were inconsistencies in the email formatting, from what was normal.@@ -103,7 +103,7 @@ but there are a lot of tells here that point to it being the work of
a state actor: 1. Attack targetting a specific group of individuals. -2. Relatively high level of sophistication -- email formatting, +2. Relatively high level of sophistication---email formatting, malicious Word doc, etc. However, the British NCSC have deemed with "high confidence" that the@@ -152,7 +152,7 @@ UK made the arrests public, published a list of infractions commited by
Russia, along with the specific GRU unit that was caught. During this period, just one of the top 25 viral stories was from -a pro-Russian outlet, RT -- that too a fairly straightforward piece. +a pro-Russian outlet, RT---that too a fairly straightforward piece. ## Wrapping up
M
pages/blog/save-org.md
→
pages/blog/save-org.md
@@ -8,11 +8,11 @@
The .ORG top-level domain introduced in 1985, has been operated by the [Public Interest Registry](https://en.wikipedia.org/wiki/Public_Interest_Registry) since 2003. The .ORG TLD is used primarily by communities, free and open source projects, -and other non-profit organizations -- although the use of the TLD isn't +and other non-profit organizations---although the use of the TLD isn't restricted to non-profits. The Internet Society or ISOC, the group that created the PIR, has -decided to sell the registry over to a private equity firm -- Ethos +decided to sell the registry over to a private equity firm---Ethos Capital. ## What's the problem?@@ -26,7 +26,7 @@ to the .ORG community:
- They control the registration/renewal fees of the TLD. They can hike the price if they wish to. As is stands, NGOs already earn very -little -- a .ORG price hike would put them in a very icky situation. +little---a .ORG price hike would put them in a very icky situation. - They can introduce [Rights Protection Mechanisms](https://www.icann.org/resources/pages/rpm-drp-2017-10-04-en)@@ -59,4 +59,4 @@
The Internet that we all love and care for is slowly being subsumed by megacorps and private firms, who's only motive is to make a profit. The Internet was meant to be free, and we'd better act now if we want that -freedom. The future looks bleak -- I hope we aren't too late. +freedom. The future looks bleak---I hope we aren't too late.