I was alerted by a commenter that it’s been more than a year, now, since this
video dropped:
COVID measures had already begun to be implemented; national borders shut, most
schools already closed. As I watched this press conference, a scene from The
Simpsons played in my mind. I’d
been getting a little comfy with a video editing program to record IIDX
plays, so I gave it a crack.
I don’t really have networks to tap, but Niki liked it so much she diligently
dropped it into comments on Facebook and Twitter replies wherever it seemed
appropriate. Before I knew it, I had a moderately popular YouTube video. It
entered the popular discourse when it was further
remixed, but if you ask me, the
Trump oversamples are just kinda gross.
One thing that’s been interesting to see has been how the popularity of the
video corresponded with (literally) viral events:
The three major events were:
Late March, video released, Dan Andrews said “get on the beers”.
Mid-May, first lockdown restrictions eased.
October 26, Victoria recorded zero new cases/deaths for the
first time since June. Dan reported that he “might go a little higher up the
shelf” than beers.
There’s a weird tension in programming — on the one hand, as you learn the
ropes, you (hopefully) learn very quickly that the problem is almost always
in your code, and not, say, the compiler, stdlib, kernel, etc. This is usually
very correct; the people who’ve worked on those things have many times the
experience you had when you decided that there must be a bug in printf or
something.
You’ll later realise you tried to print something through a pointer to a
stack-allocated variable that’s long since gone. These accusations tend to
wane as you gain familiarity with your subject matter, and wax as you step out
into lands populated with ever more footguns, exposing more of the architecture
than you ever suspected was there. (See also: the emails from me to the libev
mailing list in 2011.)
At some point, though, your journeys will take you to places where things
aren’t so clear cut, and you’ll start to gain a sixth sense: a kind of visceral
experience that things are not as they have been promised to be.
A few weeks ago, that sixth sense whispered in my ear: “what
if, instead of your cruddy bootloader written in a pre-1.0 systems language for
a platform you don’t fully understand, it’s the 20 year-old project with 80,000
commits that’s wrong?” And it was right.
I recently received an Inkplate, and while I’m in the
middle of a few interesting projects already, I couldn’t let it sit there
unused. Until I get a longer chunk of time to turn it into something really
nifty — maybe an embedded debugging helper of some kind — it can at least
mean I no longer need to have Mail.app open.
Ever find yourself needing to implement a device tree
blob
(aka FDT, flattened device tree) parser and want to save yourself some time?
Learn from my mistakes!
If you try to do it in one pass, you will hurt yourself
I charged headlong into writing
dtb.zig
by starting at the top of the Devicetree Specification page on the “Flattened
Devicetree (DTB) Format” and reading down. It looked delightfully simple. Keep
in mind, I still didn’t know what I yet needed out of it, just that I probably
needed to reference the DTB to get it. (I kind of know better now.)
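To make the "don't do it in one pass" lesson concrete, here is an added example in Python; it is not the author's dtb.zig and not code from the Devicetree Specification. It splits the work into two stages: a first pass that only decodes the framing of the structure block (tokens, node names, property bytes, with bounds checks against the header's offsets and sizes) into a plain tree, and a second stage that interprets properties once the whole tree exists. Two interpretations are shown that cannot be finished from the token stream alone: a `phandle` reference whose target node appears later in the blob, and a `reg` value whose layout depends on the parent node's `#address-cells` and `#size-cells`. The dict-of-dicts node layout, the function names, and the sample tree (a serial node and an interrupt controller with made-up addresses) are my own constructions for this example; a small encoder is included so the parser has a blob to run on offline.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9

_pad = lambda raw: raw.ljust((len(raw) + 3) & ~3, b"\0")  # structure-block items are 4-byte padded

def _encode_node(node, strings, offsets):
    """Serialize one node and its subtree; property names are interned in the strings block."""
    out = struct.pack(">I", FDT_BEGIN_NODE) + _pad(node["name"].encode() + b"\0")
    for pname, value in node["props"].items():
        if pname not in offsets:
            offsets[pname] = len(strings)
            strings += pname.encode() + b"\0"
        out += struct.pack(">III", FDT_PROP, len(value), offsets[pname]) + _pad(value)
    for child in node["children"]:
        out += _encode_node(child, strings, offsets)
    return out + struct.pack(">I", FDT_END_NODE)

def build_dtb(root):
    """Header (10 big-endian u32), empty 16-byte reservation map, structure block, strings block."""
    strings = bytearray()
    sblock = _encode_node(root, strings, {}) + struct.pack(">I", FDT_END)
    off_strings = 56 + len(sblock)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), 56, off_strings, 40,
                         17, 16, 0, len(strings), len(sblock))
    return header + bytes(16) + sblock + bytes(strings)

def parse_fdt(blob):
    """Pass 1: walk the structure block into a tree, interpreting nothing but the framing."""
    hdr = struct.unpack_from(">10I", blob, 0)
    off_struct, off_strings, size_strings, size_struct = hdr[2], hdr[3], hdr[8], hdr[9]
    if hdr[0] != FDT_MAGIC or hdr[1] > len(blob) or \
            max(off_struct + size_struct, off_strings + size_strings) > hdr[1]:
        raise ValueError("bad magic, truncated blob, or a block past totalsize")
    strings = blob[off_strings:off_strings + size_strings]
    pos, end, roots, stack = off_struct, off_struct + size_struct, [], []
    while pos + 4 <= end:
        token, pos = struct.unpack_from(">I", blob, pos)[0], pos + 4
        if token == FDT_BEGIN_NODE:
            nul = blob.index(b"\0", pos, end)  # ValueError if the name runs off the block
            node = {"name": blob[pos:nul].decode(), "props": {}, "children": []}
            (stack[-1]["children"] if stack else roots).append(node)
            stack.append(node)
            pos = (nul + 4) & ~3  # skip the NUL and realign
        elif token == FDT_END_NODE and stack:
            stack.pop()
        elif token == FDT_PROP and stack and pos + 8 <= end:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            if pos + length > end or nameoff >= len(strings):
                raise ValueError("property value or name offset out of range")
            pname = strings[nameoff:strings.index(b"\0", nameoff)].decode()
            stack[-1]["props"][pname] = bytes(blob[pos:pos + length])
            pos = (pos + length + 3) & ~3
        elif token == FDT_END:
            break
        elif token != FDT_NOP:  # also catches END_NODE/PROP outside any node
            raise ValueError("unexpected token %#x at offset %#x" % (token, pos - 4))
    if stack or len(roots) != 1:
        raise ValueError("unbalanced nodes, or not exactly one root node")
    return roots[0]

def index_phandles(root):
    """Needs the whole tree: a phandle may be defined by a node that appears later in the blob."""
    table, todo = {}, [root]
    while todo:
        node = todo.pop()
        todo.extend(node["children"])
        if len(node["props"].get("phandle", b"")) == 4:
            table[struct.unpack(">I", node["props"]["phandle"])[0]] = node
    return table

def decode_reg(parent, node):
    """`reg` only means something with the parent's #address-cells/#size-cells (defaults 2 and 1)."""
    def cells(name, default):
        raw = parent["props"].get(name)
        return struct.unpack(">I", raw)[0] if raw is not None and len(raw) == 4 else default
    ac, sc = cells("#address-cells", 2), cells("#size-cells", 1)
    raw, step = node["props"]["reg"], 4 * (ac + sc)
    if not raw or len(raw) % step:
        raise ValueError("reg length does not match the parent's cell counts")
    return [(int.from_bytes(raw[i:i + 4 * ac], "big"), int.from_bytes(raw[i + 4 * ac:i + step], "big"))
            for i in range(0, len(raw), step)]

SAMPLE_TREE = {  # constructed for this example, not any real board's tree
    "name": "", "props": {"#address-cells": struct.pack(">I", 1), "#size-cells": struct.pack(">I", 1)},
    "children": [
        {"name": "serial@10000000", "children": [], "props": {"reg": struct.pack(">II", 0x10000000, 0x100),
         "interrupt-parent": struct.pack(">I", 7)}},  # phandle 7 is only defined by the *next* node
        {"name": "intc@c000000", "children": [], "props": {"phandle": struct.pack(">I", 7),
         "reg": struct.pack(">II", 0x0C000000, 0x4000000)}}]}

def describe_serial(blob):
    """Pass 2: with the full tree in hand, resolve what a single pass could not."""
    root = parse_fdt(blob)
    serial = root["children"][0]
    target = index_phandles(root)[struct.unpack(">I", serial["props"]["interrupt-parent"])[0]]
    return {"reg": decode_reg(root, serial), "interrupt_parent": target["name"]}
```

Running `describe_serial(build_dtb(SAMPLE_TREE))` gives the serial node's decoded `reg` and the name of its interrupt parent. The first pass deliberately stores property values as raw bytes: every bounds check it performs is against the header's own offsets and sizes, so a blob that lies about `totalsize`, points `nameoff` outside the strings block, or ends inside a node is rejected before anything downstream gets to trust it.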
Note: this is a pretty long article which does a deep dive into breaking some amateur crypto. I go on for quite a bit. Make a cup of tea before reading, and get ready to read some code!
This, then, is a post about a broken homegrown cryptosystem; namely, that used in CodeIgniter, pre-2.2. This version was current until the release of CodeIgniter 2.2, on the 5th of June, 2014, and you can still find sites on it today.
The attack described in the post depends on a lot of things to go right (or wrong, if you will); it’s not just that they used a bad cipher, but also the fact that they rolled their own session storage, and implemented a fallback, and a dozen other things. This is probably typical for most bugs of this class; a bunch of bad decisions which aren’t thought through find their logical conclusion in complete insecurity.