
Internet spying, Infosec, Money, Fail, Ignorance is bliss, GAE, Cryptanalysis, Old Games and bugs

posted Dec 20, 2013, 10:49 PM by Sami Lehtinen   [ updated Mar 4, 2015, 9:24 AM ]

Yet again, a lot of stuff, in no particular order.

  • A few people claimed that Google or Facebook wouldn't be spying. But they are, and that's for sure. Anyway, nobody forces you to use Facebook either. Actually, Google's hooks are pretty extensive and pervasive: Chrome browser login, Gmail, Google+, YouTube, Android devices, etc. It actually requires quite a lot of effort to try to avoid all their spy hooks. Not to mention people who are using Gmail and therefore leaking conversational data to Google, even if you're not using Google. This same approach of course applies to Facebook; as far as I know, they're also monitoring people not using Facebook using similar methods. I'm also a techie, and if my mission were spying on people, I would naturally do all the same stuff. So I'm not surprised at all about Facebook, Google or NSA. None of them is doing anything amazing or anything that might sound impossible; all they're doing is utilizing the basic skills you need if your task is to be a professional spy.
  • The Information Security (Infosec) group on LinkedIn is quite interesting. Anyway, a lot of topics aren't on nearly a deep enough level. Most are high-level blah blah about things, without any meaningful or extensive details. Discussion about cloud security has been a long topic. But as said, cloud can be much more secure than in-house-built systems developed and maintained by incompetent staff.
  • It seems that many businesses aren't really careful with money. It can take them a long time before they notice that money is missing, if they notice it at all. I often think that in some of the worst cases it has to be that either their bookkeeping department is filled with incompetent people or, more likely, they're cooking the books. This is a bad situation, because it's hard to say if it's intentional or not. Maybe it isn't; they're just not doing their work nearly properly or don't know how to do it at all.
  • Just found out a few days ago that one database engineer didn't understand at all how databases work outside the SQL layer. He's an SQL pro and web developer, but not a system administrator. He kept complaining about having old data in the database, and corrupted databases. What did he do? He simply copied the database from one system to another, by overwriting and reading files, while the database service was running and transactions were happening. Ouch. It's interesting to see how extremely restricted an understanding of things many specialists have. I think it's an old joke that the Ford car engineer did know his job very well. It was making sure that the one screw on the assembly line was present and correctly tightened. He didn't know anything else about Ford cars. It also seems very common that the true meaning and effects of journaling, caching and transactions aren't well understood at all.
  • Ignorance is bliss. - This applies to software engineering & security stuff very well. Why? Because it's easy to make statements like: "Our software is completely bug free or secure." But when reading between the lines, what does it really mean? Even if we're completely honest, it means that we aren't aware of any bugs or security issues. How can we easily manage to reach that state? The simplest method is to avoid looking for any possible problems. It reminds me of the Max Payne game by Remedy software; it was also released as a completely bug free game. But when people started to play it, they found out that it crashed after 45 minutes or so. Well, we can totally honestly and with a straight face claim that our game is completely bug free, because we only test it for five minutes and with a very limited set of features / tests. - I think this is straight from Dilbert. But it's true.
  • Why am I reading stuff on so many different topics? Because I'm aware of the Dunning-Kruger effect. I want to know something, so I know I don't know anything. Because if I didn't know something, I might think that I know something.
  • The Google App Engine team posted best practices for App Engine memcaching; sounds just like my earlier post about Google App Engine.
  • Again an old topic: Acoustic cryptanalysis, Power Analysis, Tempest, NSA spying game worlds. Well well, there's nothing new about side channel attacks or covert channels. The first one can seriously leak information, as seen in the Acoustic cryptanalysis article, and the latter is something which can be utilized over any method which can convey information in any form imaginable. Side channel leaks were common in analog systems where black/red isolation wasn't complete, so a strong encrypted signal could still include a very weak clear text signal. As an example of a covert channel, when I come to a meeting in a multiuser game, I could relay information in many other forms than over chat: what I'm wearing, when I'm coming and leaving, etc. All kinds of traditional covert channels. I'm just carrying this basket of chicken eggs. When you take a really careful look, you'll notice that some of those eggs have the tapering end upwards and some downwards. You can use those as bits. That's one example of a covert channel in the real world which also works in games that allow placing objects in a detailed enough way. Using Huffman coding and a codebook, even modest messages can be relayed using a very small amount of data.
  • Time for a retro flashback! In a game called Wolfpack there was quite a funny bug. If your submarine or surface ship took a hit to the engine, it allowed you to reverse at incredible speed. It seemed that the code taking care of slowing down the ship due to engine damage didn't process a negative value, aka reversing, correctly. If an engine hit made your ship 50% slower, it also made it reverse 50% faster, but not only as a total. The total was something completely different, because that same rule was reapplied on every processing cycle in the game engine. So get your engine damaged, and as long as you kept the power on reverse your ship was going faster and faster. This allowed some great attacks, where you would stalk the enemy in a position which would be deadly after an attack which reveals your submarine's position. But with engine damage, you could always easily escape from every bad situation, using ultimate reverse speed.
  • Because that Wolfpack thing was so funny, here's another one. It's about a game engine, bad coding, and lack of transactions. The game is called Trade Wars and there were at least two really nice bugs. The first one was related to banking, and we abused it a lot. First we deposited money into the account sequentially and then we withdrew money in parallel; this simple trick allowed us to double our money on each deposit-withdraw cycle. Oh boy, it drove other players mad. They just saw our wealth soaring incredibly fast, but they couldn't figure out how we were doing it. The other bug was a classical example of a lacking bounds check. You just kept attacking the federation. After a lot of attacks the fines you were owing to the federation flipped over 4.2 billion. After that you just had to be sure that you didn't have anything in your game account, and then you went to pay the -4.2B fine. - Thanks devs, that's a great bug! I hope it would work in the real world too.
  • IndexedDB (tutorial), played with it a little, using different samples and modifying those.
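
The Trade Wars banking bug above is a read-then-write race caused by missing transactions. The following sketch is an added example, not code from the game: the `Bank` class, the function names and the three-step withdraw are assumptions, and a round-robin scheduler over generators replaces real threads so the interleaving is reproducible.

```python
class Bank:
    def __init__(self, balance):
        self.balance = balance   # money held in the bank account
        self.wallet = 0          # money the player carries
        self.locked = False      # used only by the transactional variant

def withdraw_racy(bank, amount):
    """Check, pay out, write back: three steps with gaps between them."""
    seen = bank.balance              # step 1: read the balance
    yield                            # another request may run here
    if seen < amount:
        return
    bank.wallet += amount            # step 2: pay out
    yield
    bank.balance = seen - amount     # step 3: write back a stale value

def withdraw_atomic(bank, amount):
    """Same operation, but check and update form one indivisible step."""
    while bank.locked:               # wait while another request holds the account
        yield
    bank.locked = True
    try:
        if bank.balance >= amount:
            bank.balance -= amount
            bank.wallet += amount
        yield                        # a context switch here can no longer hurt
    finally:
        bank.locked = False

def run_parallel(tasks):
    """Round-robin scheduler: advance every request one step at a time."""
    pending = list(tasks)
    while pending:
        for task in list(pending):
            try:
                next(task)
            except StopIteration:
                pending.remove(task)

def simulate(withdraw, deposit=1000, requests=2):
    """Deposit once, then issue several full withdrawals in parallel."""
    bank = Bank(deposit)
    run_parallel([withdraw(bank, deposit) for _ in range(requests)])
    return bank.balance, bank.wallet

if __name__ == "__main__":
    print("racy:  ", simulate(withdraw_racy))
    print("atomic:", simulate(withdraw_atomic))
```

The invariant to check in any such system is that balance plus wallet never exceeds what was deposited; the racy variant breaks it as soon as two requests read the balance before either writes it back.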
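
The Trade Wars fine bug above is a missing bounds check on a fixed-width counter. This added example (not the game's code) shows the unchecked accumulator beside a checked one. The page does not say how the game stored the fine, so the signed 32-bit width, the penalty size and all function names are assumptions, and the exact wrap point is illustrative.

```python
INT32_MAX = 2**31 - 1

def to_int32(n):
    """Reduce an integer to what a signed 32-bit variable would hold."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n > INT32_MAX else n

def add_fine_unchecked(fine, penalty):
    # Fixed-width add with no range check: silently wraps past INT32_MAX.
    return to_int32(fine + penalty)

def add_fine_checked(fine, penalty):
    # Reject nonsense input and saturate at the maximum instead of wrapping.
    if penalty < 0:
        raise ValueError("penalty must not be negative")
    return min(fine + penalty, INT32_MAX)

def pay_fine_unchecked(credits, fine):
    # Subtracting a negative fine turns the payment into a payout.
    return credits - fine

def pay_fine_checked(credits, fine):
    # Validate state before moving money.
    if fine < 0:
        raise ValueError("corrupt fine balance")
    if credits < fine:
        raise ValueError("insufficient credits")
    return credits - fine

def play(add_fine, attacks, penalty):
    """Accumulate one penalty per attack (constructed sample scenario)."""
    fine = 0
    for _ in range(attacks):
        fine = add_fine(fine, penalty)
    return fine

if __name__ == "__main__":
    wrapped = play(add_fine_unchecked, 5, 500_000_000)
    print("unchecked fine:", wrapped)
    print("credits after paying with an empty account:",
          pay_fine_unchecked(0, wrapped))
    print("checked fine:", play(add_fine_checked, 5, 500_000_000))
```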