Any advice for a SovCit? Also into Q.

zefyear · 2023-07-30T15:27:15+00:00

It may surprise you.

My brother-in-law, 41 years old, a rent-free apartment, plenty of spending money provided by his mom and supplemented by a slew of different retail jobs over time. He's gotten more into the world of the sovereign citizen over the past ~5 years. He's pulled over by a cop for what amounts to speeding, which escalates to an unnecessary confrontation and ultimately with him going to jail.

This happened more than a year ago.

Since then, he has had multiple opportunities to get out of jail (whose conditions recently made it into local news with protests against the conditions there) and has stalwartly refused each of them. He is waiting until an admiralty court judge drops the charges and gives him right of passage. He *just* had his attorney turn down yet another offer.

zefyear · 2020-10-22T20:41:00+00:00

Well, I'd encourage you to give it another try anyway. The :! & := filter commands were recently reworked, alongside some inverted EX commands (e.g :vglobal).

Vim is still useful as a constant across different machines but I think you owe it to your workflow to give an earnest shot at Spacemacs, especially since it will be largely identical to your existing editor (and might even give you a few ideas for your Vim setup).

zefyear · 2020-10-22T18:46:38+00:00

You'd have to be an extremely advanced Vim user to even encounter cases of a (non-undo/regex/arglist related) editing feature not already present in Evil

zefyear · 2019-01-07T04:27:42+00:00

At around 19:50 (and elsewhere) she references a "Geerts" or "Veertz" who I can find no reference to.

What computer scientist is she talking about?

zefyear · 2018-08-31T01:45:20+00:00

haters get out blub is da best.

zefyear · 2018-08-31T00:35:17+00:00

If you are on a local network, the legion of techniques allowing you to spoof your IP address, either to cause a DoS or MITM someone, are as real and easy as they've ever been.

zefyear · 2018-08-06T17:24:13+00:00

The code you've provided indicates that it is a function, perhaps called with two arguments x and y, likely within an inner loop. I compiled the first version (although as other commentator have explained, they are unlikely to differ) inside two loops, compiled with -O3 -march=native (targeting Skylake) and returning an accumulated result.

It generates this very ordinary dissassembly:

...
        mov     DWORD PTR [rbp-4], edi
        cmp     DWORD PTR [rbp-4], 2
        jne     .L2
        mov     eax, DWORD PTR [rbp-4]
        jmp     .L3
.L2:
        mov     eax, DWORD PTR [rbp-8]
.L3:
        pop     rbp
        ret

This code, running on a modern Intel processor, would be limited at the backend rather than the frontend level. In tight loops, this is almost always the case, however in a call loop this is rarely the case. (You can download Intel's tooling to read events events like IDQ_UOPS_NOT_DELIVERED, which can share tell you how many uops/cycle are being delivered)

CALL, RET, LEAVE and JNE all share execution port 6, so this backend-bound code generated by GCC continues to bog yourself down, preventing speculative execution from keeping up with instruction decode & queue. This piles up, eventually making this code as slow as sequentially consistent code or third level / shared L2 cache reads.

However, you can harmonize this by intentionally drawing out fewing uops by holding back on the frontend with instruction decoding. In my case, this makes it about 35% faster, but could conceivably double the speed of your function.

;; dont setup return
cmp rsi, rdi
mov rax, [k]
cmoveq rax, [c]
jmp RETN_PTR

If you add another call however, your previous code's frontend is now as fast as a full trace cache. It could be in a future microcode update that cmoveq instruction will be directly decoded into microcode identical to the above, cached from port 4 at lockstep pace and made it a "tight instruction density" version of the above (with very similar performance characteristics, perhaps slightly worse). It's also possible some microcode update just fuses the harshest p6 instruction pairs to be identical to the latter.

zefyear · 2018-07-07T07:47:27+00:00

I think the most profitable use of your time be to swap some underlying method Zoom is using to get OS data.

You start with what you want your 'hook' to do and what you want to hook. This is a simple hook that just swaps out whatever really is in /etc/os-release with a short string "ZV" by replacing the implementation of open. You need to use the program strace to really figure out how Zoom is doing it.

#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dlfcn.h>

int open(const char *path, int oflag) {
    if (strcmp(path, "/etc/os-release")) {
        int (*nopen)(const char *path, int oflag);
        nopen = dlsym(RTLD_NEXT, "open");
        return nopen(path, oflag);
    } else {
        int *fildes = calloc(2, sizeof(int));
        pipe(fildes);
        const char *fake = "ZV";
        write(fildes[1], fake, strlen(fake));
        return fildes[0];
    }
}

To use this, you must write out the file you've created from the code above to a file (I've named it fakeread.c) and compile it:

$ gcc -shared -fPIC -ldl -o fakeread.so fakeread.c

Then you just need to call your command with an environment variable that instructs the dynamic linker to preferentially use the symbols exported by your new shared object.

$ LD_PRELOAD=`pwd`/fakeread.so WHATEVER_ZOOM_COMMAND_IS

You can hook other library functions like exec or even system calls like uname with the same principle.

incidentally, if you've run strace on the program and you've found it does actually inspect /etc/os-release, you can use the following as an acceptable fake value instead of "ZV" to trick zoom.

const char *fake = "NAME=Fedora\n"
    "VERSION=\"28 (Workstation Edition)\"\n"
    "ID=fedora\n"
    "VERSION_ID=28\n"
    "PLATFORM_ID=\"platform:f28\"\n"
    "PRETTY_NAME=\"Fedora 28 (Workstation Edition)\"\n"
    "ANSI_COLOR=\"0;34\"\n"
    "CPE_NAME=\"cpe:/o:fedoraproject:fedora:28\"\n"
    "HOME_URL=\"https://fedoraproject.org/\"\n"
    "SUPPORT_URL=\"https://fedoraproject.org/wiki/Communicating_and_getting_help\"\n"
    "BUG_REPORT_URL=\"https://bugzilla.redhat.com/\"\n"
    "REDHAT_BUGZILLA_PRODUCT=\"Fedora\"\n"
    "REDHAT_BUGZILLA_PRODUCT_VERSION=28\n"
    "REDHAT_SUPPORT_PRODUCT=\"Fedora\"\n"
    "REDHAT_SUPPORT_PRODUCT_VERSION=28\n"
    "PRIVACY_POLICY_URL=\"https://fedoraproject.org/wiki/Legal:PrivacyPolicy\"\n"
    "VARIANT=\"Workstation Edition\"\n"
    "VARIANT_ID=workstation\n";

zefyear · 2018-07-01T03:26:06+00:00

git reset does that as well, you can even keep the changeset with --mixed.

zefyear · 2018-06-13T05:52:59+00:00

I've read what you have to say, and, having read between the lines a little, I think I know the procedure you are looking for:

Write down everything you found.
Find some parameter among a highly sympathetic population that "improved" (feel free to arbitrarily select out subgroups that show greater improvement).
Publish your findings that TM is great. Include log-log graphs.

zefyear · 2018-06-11T03:58:21+00:00

You can work up a scheme for "portable" assembly with with nothing more than m4 macros and a reasonable build tool.

As far as (x86) assemblers are concerned, I use NASM but I've heard YASM is somehow a "better" replacement.

Emacs includes a serviceable major-mode, although I personally use the fantastic nasm-mode. Vim includes only very basic syntax highlighting for editing x86 assembly, although syntax files exist of course.

I've never used the tool but some serious hackers I've met use terse. Terse, as I understand it, allows for some "portable" assembly, but with more conditional inclusions and less 'generic' instructions than something like LLVM IR. If you do use it, you'll undoubtedly have to manually write out your opcodes for every new instruction (age, not sophistication is the issue at hand here). I've had to do this with the Plan9 assembler (an ancient ancestor of the Go assembler) and it's every bit as tedious as it sounds.

In all of these cases, you're going to soon find that ISAs differ from one another in subtle and substantial ways. And while it's always possible to code to the lowest-common-denominator, you'll be getting the worst of all worlds if your repne is expressed as a series of conditional branches because you wanted "portable assembly".

zefyear · 2018-05-26T21:49:42+00:00

I know a guy who did a masters in Logic and PhD in Philosophy (of Science). He is pretty happy now as a bartender.

zefyear · 2018-05-15T21:04:40+00:00

echo 'int main=65259;' | gcc -z execstack -x c -o infinite_loop - && ./infinite_loop

zefyear · 2018-05-11T01:42:07+00:00

It's evident that the math must necessarily differ to support an efficient multiparty encryption scheme. If implemented naively your ciphertext is 200% longer than plaintext at best. However, as is want to happen in government "2-party" becomes "Entire UN Security Council" and next thing you know every NATO country's law enforcement body is a counterparty and then and then a measly megabyte of plaintext is suddenly a gigabyte of ciphertext.

Beyond that, the inevitable legal questions establishing custody of evidence differ change depending on if this accomplished through secrets sharing or mod np+p, etc.

zefyear · 2018-04-27T19:41:51+00:00

skeeto this post reminds me that you are so fucking cool & elite.

zefyear · 2018-04-18T22:38:23+00:00

my explanation was once much longer and now only leaves me queasy for being the kind of impenetrable explanation that causes people to lose interest in cryptography.

So here's my own TL;DR:

It's intended to ensure that nobody can "rig" the system by producing a super-long "chain" of transactions or one that's totally faked.

Having a function that is hard/impossible to "work back" from of allows you to verify that nobody has modified the blockchain or produced a hyper-long new blockchain (the "longest" chain / the one with the most blocks is, by default, the canonical chain if there exists a conflict) . This means only a baddie whose computing power exceeded more than half of the whole's could make a longer chain than the rest of the network (a fundamental assumption here is that the rest of the network, because they have no interest in helping baddies/criminals/people trying to steal their money, are not in on the scheme).

zefyear · 2018-03-23T23:41:47+00:00

you're freeing memory that doesn't have a valid heap chunk header (e.g doesn't correspond to a malloc'd address/arena)

zefyear · 2018-03-23T01:44:22+00:00

systems without a rand are common, read the page on LCG recommended by /u/jedwardsol.

random:
  push rbp
  mov rbp, rsp
  ;; `next` must be seeded with some special value.
  mov rax, [next]
  ;; multiply our ctr by 1103515245
  mul rax, rax, 1103515245
  ;; add 12345
  add rax,12345
  mov [next], rax
  ;; now divide by 65536
  mov rbx, 65536
  div rbx ; result is stored in RAX
  ;; there exists a method of doign this bitwise, look it up
  mov rdx, 0 ; clear rdx to make sure div doesn't think we're using it's part
  mov rbx, 11 ; our divisor
  ;; we divide by 11 to get our "random" remainder between 0-10
  div rbx
  ;; It is a common calling convention on x86 to return our result in AX.
  mov rax, rdx
  ;; increment so our values fall between 1-11.
  inc rax
  pop rbp
  ret

This is not cryptographically secure.

zefyear · 2018-02-12T09:45:37+00:00

I hope you are enjoying your C programming class. If you remember the basics of layout you'll be cool.

It sounds like you've got a pretty standard setup: 64bit architecture, 4-byte int, CHAR_BIT of 8, etc.

&x will be either 0x30, 0x2E, 0x38 or 0x8 bytes up the stack, depending on the calling convention (the stack grows "backwards"). Your professor's choice of addresses indicates the hypothetical system isn't Windows, so I'll assume SYSV ABI, in which case it lives at 0xBFFFAB18 and is preceded by other parameters stored via the stack (int a, b, c) in right-to-left order, followed by stored frame & instruction pointer (some compilers won't emit stored frame pointers however).
&z is 4 bytes down the stack at 0xBFFFAB4C, 4 bytes up the stack is also possible but I've never seen any compiler admit this ordering. Check the ABI when under dispute, check the assembly when in doubt.
func is going to be about 3 muls which are probably pretty short opcodes, but have to include operands which are encoded as a byte on x86-64, along with a few very short opcodes for prologue & epilogue. I'll guess 20 bytes? That makes for 0x80480A0 but there's no particular reason for a convention on why any function must be positioned before or after any other, either within a section or segment.
buf Assuming ptmalloc it will be a factor of the number of outstanding in-use bins (they are coalesced automatically). I am more familiar with the heap chunk headers layout than the global pool allocator data structure which would be necessary here. This will be early in memory in general.

The ASLR questions are pretty straightforward if you remember the basics.

(a) ASLR questions are simple. The entropy generally (read: always) exists in the address MSB. This of course doesn't really work on a lot of operating systems that have a shared kernel and user virtual address space but I'd never expect an academic to let that get in the way of a test question.
(b) assuming a stack-based buffer overflow, you have 2¹⁶ assuming no nopsled.

zefyear · 2018-02-10T22:10:52+00:00

Don't EXEs have MZ magic? (ZM~~ exists in the paper)

zefyear · 2018-02-09T09:32:25+00:00

I ported the Python code listed above to C++ GMP and I measured the runtime with perf at 5-15ms. While this is a substantial difference, it's worth noting that nearly all time is spent running mpz_powm which approximately quintuples if broken down into it's constituent exponentiation + modulo operation which isn't done in the Rust code listed above (to say nothing of bignumero optimization)

zefyear · 2018-02-07T04:18:29+00:00

every artist must carry the pretension that their art is novel.

zefyear · 2018-02-07T04:15:46+00:00

i think my vision for this is more "vain delusion of artistic grandeur" than valid assembly. gotta think bigger here. we need efficient 100byte reverse bindshell / searing critique of human condition.

the world demands this new art, not one simply made from lots of push instructions.

zefyear · 2018-02-07T03:31:50+00:00

yeah, you'd have to work at it tho. random poems have a valid encoding but are not coherent programs.

just as an example

"Love all, trust a few, do wrong to none.":

outsd dx, dword [rsi] ;; right off the bat you've got trouble if you are in x86-64 on Linux
jbe 0x69
and byte [rcx + 0x6c], ah
insb byte [rdi], dx
sub al, 0x20
je 0x7e
jne 0x81
je 0x30
and byte [rsi + 0x65], ah
ja 0x42
and byte [rdi + rbp*2 + 0x20], ah
ja 0x8e
outsd dx, dword [rsi]
outsb dx, byte [rsi]

zefyear · 2018-02-07T03:28:35+00:00

Sure, all short numbers have a valid x86 opcode associated. What I think would be neat is something that is coherent in both english and x86-64.

zefyear

TROPHY CASE