Clever Title Goes Here

Security educator, researcher, and developer

Read this first

The Hardware Hacker Manifesto

Originally written and published 2010-09-21 – Creative Commons Attribution 3.0 Unported License Edited to replace deadname.

This post is a long time in coming. For years we’ve been seeing an active fight against the right to utilize hardware the way the owner wishes to use it, but it wasn’t until this week that it got personal, driving me to write this. Please, share this far and wide; hardware hacking is essential and we’re losing ground to those who would love to see it done away with.

The Hardware Hacker Manifesto

My name is Sera and I’m a hardware hacker. It started at the age of five, taking apart a toy computer to figure out how it worked. I live for that thrill of discovery and rush of power that I feel when I figure out what makes something tick, then figure out how to bend it to my will. This has led to me hacking everything from game consoles to phones.

It used to be that...

Continue reading →


A Case for Orbital Rings

Part 1: What the fuck is an orbital ring

An orbital ring is, in its simplest form, a structure encircling the Earth, at an altitude of 100-400km above the surface. This means it’s a massive structure sitting in space, but the term “orbital ring” implies that it’s in orbit; it’s not. It’s actually stationary with respect to the ground, spinning just slightly faster than the surface it’s over.

This means that if you were standing on one, you would be feeling approximately the same downward pull you feel on the surface (you could be up to 12% lighter depending on the altitude). If you jump off, you’ll fall to the ground – hope you packed a parachute! – but you’re not reentering since you’re not at orbital speed.

So… how does it stay up there? Normally anything that’s up in the air falls down, and even if the ring were perfectly balanced around the Earth with all the force vectors...

Continue reading →


Classification Challenge

I’ve been working on a game AI based around taking an input state and choosing one of 6 possible actions; in essence, a classifier with self-play. I’m having trouble achieving great accuracy, so I figured I’d open up a challenge.

This is just a personal project and I’m funding this myself, so I can’t go too crazy, but the prizes are:

  • $256 to the top model
  • $128 for second place
  • $64 for third place

Data structure:

  • Game stage as an integer (0-3)
  • State values as 7 floats
  • Correct action as an integer (0-5)

Rules:

  • Must release the source to your model, under any license you choose
  • Accuracy is measured against the testing set
  • Don’t use the testing set for training
  • Accuracy is measured by the minimum percentage of action accuracy (see example below)
  • Competition will end Monday, 5/23 at noon EST
  • Payout will occur by 5/26 via Paypal, Cash App, or Amazon gift card (participant’s choice)
...

Continue reading →


Reverse-Engineering BSA From Scratch

Foreword

I’ve been building a little tool for assisting with the reverse-engineering of compressed archive files, primarily for game hacking: Refriender

This blog post is a stream-of-consciousness look at how I actually went about reverse-engineering a file format (the BSA archives used in Skyrim Special Edition, specifically, though it’s used in lots of Bethesda titles). I make mistakes, I make bad assumptions, and I don’t complete the entire reverse-engineering process, though I do cover the majority of it! This format is well-documented (by modders), but I intentionally didn’t look at any of that until after I completed this. This is my honest, raw approach to analyzing the file I picked.

Process

Pick the smallest BSA file (‘Skyrim - Textures8.bsa’ from Skyrim Special Edition, md5sum 3ca6cbfcfca7b41f3939352d4cb27717 if you want to follow along! Also, a hexdump of the first 0xf20...

Continue reading →


The Drift

Originally published 2014-10-27

He steps into a classroom. He steps into his lab. He steps into an airport. He steps into the future, each step happening beside each step. But the question remains: who is he?

When the second ‘he’ came into the picture, morning rituals were the first to have to change; he figured that he could get away with one toothbrush, as long as all of him didn’t use it at once. Parallel lives increased productivity, but scheduling resources became more complex with each new ‘him’. After all, once you’ve had a taste of the future, it’s hard to stop.

Three bodies, three locations, all capable of independent thought and with their own working memory. This wasn’t terribly out of the ordinary – most companies had been paying for body doubles for years, to aid in productivity. What he had over the other phyclones was a simple – and yet essential – modification: a...

Continue reading →


Stateful Randomness in Shaders

I often find myself needing good random numbers in shaders, but this gets messy when you want to generate a bunch of different ones for each pixel. To get around this, I’m using a genuinely awful hack in DaeForth.

Implementation

:m rand-given-seed (| seed |)
        [ seed seed 1141 * sin ]
        [ 12.9898 78.233 ]
    dot sin 43758.5453 * fract
;
@float global =pixel-seed
real-position /rand-given-seed \+ =pixel-seed
:m seed .7 rand-given-seed ;
:m gen-seed
    seed =>cur-seed
    cur-seed rand-given-seed =>next-seed
    [ next-seed ] &seed def-macro
    cur-seed
;
:m next-random gen-seed pixel-seed * store rand-given-seed ;

Each time you call next-random it generates a new, high-quality random number for the given pixel. Importantly, it does so with low overhead at runtime!

Example

For instance, this generates two random colors and then mixes them randomly (for a total of 7...

Continue reading →


Arbitrary File Write On Client By ADB Pull

The Android Debug Bridge, ADB, contains a long-standing vulnerability. It can have a rather severe impact, but only under some pretty unusual circumstances. Tl;dr: Executing an adb pull command against a malicious Android device or ADB daemon can lead to arbitrary file writes, pretty easily escalating to code execution.

ADB Architecture

There are three notable pieces worth discussing, when it comes to ADB:

  • Device-side ADB server (this runs on your Android device and facilitates debugging, running shells, etc)
  • ADB daemon (this runs on your machine on port 5037 and talks to the device side, acting as a dumb proxy)
  • ADB client (this talks to the ADB daemon)

Pull process

We’re going to examine what happens if you run a simple pull command: adb pull /foo

  1. The ADB client (hereafter just referred to as ADB) attempts to connect to localhost:5037
    • If it fails to connect, the ADB daemon...

Continue reading →


CTF Design 101

I’m frequently asked how I go about building a successful CTF and while I’ve tried to answer this in the past (generally on Twitter), I’ve never actually gone in-depth on it. So today we’re going to talk about what makes a CTF successful.

A word of warning: I’m writing this entirely from my own experience as a CTF builder, not as much of a CTF player. While I’ve participated in a couple over the years, I’m actually quite bad at them in most cases and need significantly more practice (… and free time) to change that. Additionally, I’m only going to be talking about “jeopardy-style” CTFs (a term I absolutely despise!) wherein tasks are laid out and the players win by completing those tasks. With that warning out of the way…

So You Want To Build A CTF

Before you write a single line of code or start designing challenges, you need to ask yourself one question: when the players are done...

Continue reading →


Bounty Progress - September 2019

I have a few goals for my bug bounty work in 2019:

  • $50k in total bounties/bonuses
  • (ACHIEVED!) At least one $5k bounty (for reference, current best is $4802)
  • At least half my reports rated high/critical (CVSS 7+)
  • Blog about my progress monthly, with a continuously updated entry for each month

Update

I’ve really had a hard time with this lately. I burnt out pretty bad in May and took some time off from bug bounty and didn’t really get started again until hacker summer camp, back in August. I’ll try to update more frequently.

Goal Health

Current total earnings for the year: $48679

This is 97.358% of my goal for the year. By the end of September I should be at $37500 to be on track, putting me $11179 ahead as of 2019-09-21

Lifetime Stats

  • 29 bounties paid
  • 6 bonuses paid
  • $59641 total earned
  • $1970 average bounty

Bugs

  • CRITICAL Discovered 2019-08, Paid 2019-09 by Verizon Media –...

Continue reading →


SupercellNX #0

For the past few years, I’ve been working on an intermittent research project. My hypothesis is this: it’s possible to create a CPU description from which you can generate disassemblers, decompilers, interpreters, recompilers, and more. A single CPU description could be used for any number of independent projects, without all the bullshit that typically comes with working with machine code; you just get to write the part that makes your project different.

I started off with extremely high-level, generic code (something usable by many different architectures), and eventually decided to specialize things. The first fruits of this were a fork of the Beetle/Mednafen PSX core from Retroarch, which autogenerated an interpreter and recompiler (using libjit) from a single file description of the MIPS core. This used LLVM Tablegen with a custom language embedded within it, and a giant (very...

Continue reading →