Banksy and Authenticity

A great writeup on how Bansky handles authentication of his artworks. So Banksy created a not-for-profit company, Pest Control, to sell and authenticate his works. The process is fiendishly clever, as Will Ellsworth-Jones writes in his book ‘Banksy: The Man Behind the Wall’: Now, for £65 you can get your Banksy print authenticated. And just to keep the whole thing as jokey as possible, the authentication certificate has stapled to it half a ‘Di faced tenner’, a £10 note faked by Banksy with Lady Diana’s face on it. [Read More]

PlaidCTF - Can You Guess Me

A friend asked me for help with this one. I hadn’t planned on doing the Plaid CTF but I’m easily dragged into a neat programming challenge. can you guess me Misc (100 pts) Here’s the source to a guessing game: here You can access the server at nc canyouguessme.pwni.ng 12349 Nothing ridiculously simple here, the solution’s obviously in the code… here’s the code that was provided: #! /usr/bin/env python3 from sys import exit from secret import secret_value_for_password, flag, exec print(r"") print(r"") print(r" ____ __ __ ____ __ __ ") print(r" / ___|__ _ _ _\ \ / /__ _ _ / ___|_ _ ___ ___ ___| \/ | ___ ") print(r"| | / _` | '_ \ V / _ \| | | | | _| | | |/ _ \/ __/ __| |\/| |/ _ \ ") print(r"| |__| (_| | | | | | (_) | |_| | |_| | |_| | __/\__ \__ \ | | | __/ ") print(r" \____\__,_|_| |_|_|\___/ \__,_|\____|\__,_|\___||___/___/_| |_|\___| ") print(r" ") print(r"") print(r"") try: val = 0 inp = input("Input value: ") count_digits = len(set(inp)) if count_digits <= 10: # Make sure it is a number val = eval(inp) else: raise if val == secret_value_for_password: print(flag) else: print("Nope. [Read More]

Crikeycon 2019 CTF - 1000 Qways to DieR

This was the challenge: The flag is contained in the following attached file. You know how QR codes work right? Flag is in format “word”. (So no flag bit on this one) Challenge by Garry. Attached was a 1.2MB, 20,000 line file which looked like this: I’ve been around a while and the =’s at the end of the lines made me think of base64, so I copied it out into CyberChef and got my first indication I was on the right path: [Read More]

Virtualbox Host Key Commands

I couldn’t find an easy list when I went looking for these, so I made a list. Key Combination Command Host + R Reset Host + Q Close VM Host + S Settings Host + T Snapshot Host + N Session Information Host + P Pause Host + H ACPI Shutdown View Window Key Combination Command Host + F Fullscreen Host + L Seamless mode Host + C Scaled mode Host + A Adjust Window Size Host + E Take Screenshot Keyboard Key Combination Command Host + End Send Ctrl-Alt-Delete Host + Backspace Send Ctrl-Alt-Backspace [Read More]

Whois for Stackstorm

I’ve been playing around with stackstorm for a little while now, and wanted to get back into it after a bit of distraction on other things. The idea of automating a lot of my daily repetetive tasks really appeals to me, so I started work on another module today. The end result of today’s head-desking was st2-whois, a pack that does basic whois calls and saves me from having to find the website that works just right for it, or open a shell from a box with the right access. [Read More]

Facebook and Security

This article on Naked Security is a little bit calmer than some of the other coverage I’ve seen. If I was doing physical/staff security for a large organisation with a global platform I’d totally be using any intel sources I could find to help improve my results. This has to be the least creepy thing they do with thier data. What’s unique about Facebook’s approach to BOLOs is that it doesn’t just disseminate a list of names to security staff. [Read More]

On Blogging

I really like this idea from a longer post about the ethics of blogging by Brett Terpstra I sometimes wish that job résumés and Tinder profiles required an appendix of all of the comments a person has left on other’s work in the last year. You can learn a lot about a person from how they approach offering criticism when it’s not face to face. Anonymity’s a mess, I’m thankful I seem to live on a nicer part of the internet most of the time, more through lack of exposure. [Read More]

TheHive and Elasticsearch Initial Errors

I was trying to install TheHive and ran into some issues with configuration. When trying to log in for the first time, I was getting “Elasticsearch cluster is not available” as a little red popup on the login screen. When checking the log /opt/thehive/logs/application.log I found the following line: 2019-01-28 21:22:34,494 [WARN] from org.elasticsearch.client.transport.TransportClientNodesService in main - node {#transport#-1}{1eyCBCV1Rs-oVwFIHuQ7cw}{127.0.0.1}{127.0.0.1:9300} not part of the cluster Cluster [Cluster], ignoring... This means the cluster name doesn’t match between TheHive and elasticsearch - mainly it is probably not set in elasticsearch - because that’s the default on install. [Read More]

Robert A. Caro and Lyndon Johnson's Story

This fascinating story of a life-long journey to explore the story of President Lyndon Johnson’s life was amazing read. I don’t have any real interest in American politics, but I do love great writers, and Robert A. Caro is definitely one of them. He didn’t look up. After a while, I said tentatively, “Mr. Hathway.” I couldn’t get the “Alan” out. He motioned for me to sit down, and went on reading. [Read More]

Bug-O Notation

This article by Dan Abramov about Bug-O Notation is a great one. The Big-O describes how much an algorithm slows down as the inputs grow. The Bug-O describes how much an API slows you down as your codebase grows. Without explicitly calling it out, he describes using simple Finite State Machine concepts that allow for explicit, identifiable state positions rather than nested calls and race conditions. It’s a great way of thinking about things - if you know where you are, you can explicitly reset the UI and rebuild it with much less effort. [Read More]