0xabad1dea

O tumblr, my tumblr, the delightful romp is done The board approved e’ry point, your future has been...

Sun, 19 May 2013 12:57:07 -0400

O tumblr, my tumblr, the delightful romp is done
The board approved e’ry point, your future has been won
Gods dammit
#poem

I chipped again https://soundcloud.com/0xabad1dea/

Thu, 16 May 2013 23:57:41 -0400

I chipped again

https://soundcloud.com/0xabad1dea/

Hey, people who camp tags to send inflammatory trolls to women and allies: Go screw your 3D...

Sat, 27 Apr 2013 01:03:57 -0400

Hey, people who camp tags to send inflammatory trolls to women and allies:

Go screw your 3D simulated sex partner, I’m fabulous

Mansplained

Sat, 27 Apr 2013 00:22:30 -0400

I was informed by the Mansplaining Brigade tonight that “man” is not a gendered word in the English language.

Great, so your mother is a man then? Lesbianism is man-on-man love? Don’t you dare say “well obviously I only meant sometimes”. I’m not psychic; your use of “man” doesn’t come with a little tag that says “oh, obviously I mean women too, I just couldn’t be bothered to say so.”

These people (certain people, not everyone) just can’t get over the idea that a woman might want to be referred to as a “craftswoman” or a “craftsperson” or an “artisan” or pretty much anything but “craftsman”; they think that’s really weird and unreasonable that she doesn’t want to be systematically misgendered and her identity covered up with a tarp because it doesn’t fit the stereotype.

One person even told me unironically that the -man suffix denotes species in such words. So we don’t get confused with craftsoctopi I guess. They want me to “disassociate” the word “man” from, uh, men.

The idea that the word “craftsman” was chosen by a sexist culture to describe a field of employment women were usually barred from, and this has changed because we’re no longer blatantly sexist to the core, seems to elude these people… or the idea that academic centers with the power to influence language standards are historically all-male and many to this day remain predominantly male. Our culture historically categorizes “men” as “us” and “women” as “them”, the other. As a result, we have a language that is systematically male-biased (despite no longer being a grammatically gendered language like Spanish) and people are often not even consciously aware of it.

Best excuse: it’s too cumbersome to acknowledge other genders! Ah, the good old days, when men were men and women were men because that’s shorter to write.

Believe it or not, this started when I linked http://techcompaniesthatonlyhiremen.tumblr.com/ which points out that job listings frequently use gendered language, because people assume the applicants will be male, because of the self-perpetuating culture of sexism which is only slowly eroding. Imagine flipping all of those gendered pronouns to she, her, lady, etc. People would flip out or find it incredibly weird and uncomfortable.

Thanks to everyone who “gets it” - whether or not they totally agree with me, as I certainly don’t expect everyone to. Gender deletion is the very face of sexism whether it’s intentional or not. Referring to me with words that have a male connotation sends the message that my gender is so abnormal that words fail you. It paints the picture that you’re just going to pretend I’m a guy and hope my weird, strange gender goes away. Is that what you’re consciously thinking? Probably not - but that’s the underlying process that causes such things.

I’m so freaking sick of people who tell me to gender-neutralize my online identity because the pink and sparkles are “weird” or because I’d “have an easier time fitting in.” (Pink isn’t even my favorite color. I just resort to using it in an attempt to not be assumed male.) Hey, genius, I’m objectively a girl. If that freaks you out, it’s your failure to deal with observed reality that there are women who do things you associate with men.

See also http://www.cs.virginia.edu/~evans/cs655/readings/purity.html for another, more clever, take on this.

Mansplainers who want me to know that everything I just wrote is stupid and I’m a whiny bitch, please take a ticket for the next train to hell.

Thoughts on the Boston Lockdown from the edge

Sat, 20 Apr 2013 22:13:00 -0400

A lot of people are angry, upset, or worried about the “Boston Lockdown” as a sign that Freedom Is Over. One thing almost all of these people have in common is not having been in Boston at the time. I work in information security and I’m involved with the privacy scene; I understand there’s a lot going on in America to be worried about. I’m writing this to try and explain that the police acted in good faith, they did the best job they could, and this was not, as it may have appeared from the outside, some sort of martial law terrorizing the citizenry.

I’m a resident of the Boston suburbs, who also works in the suburbs, and I occasionally make forays into the city proper. My family is from the greater Boston area, going back to the Irish immigration wave and to the Pilgrims. On Monday, when the bombs went off, I was working from home and happened to have Twitter open - I found out within seconds. After watching long enough to get confirmation from multiple sources, I sent a company-wide email to plan on not taking the trains home. I was listening to the police radio and knew they believed there to be more bombs. The fact that they turned out to not be explosive was itself immaterial; when a terror attack has been initiated, you hope your adversaries are incompetent amateurs, but act under the assumption they’re sick, twisted, and prepared to do the unthinkable.

During this time, it was clear from the police scanner that their #1 concern was getting everyone to safety and reuniting families. They remained quite calm and professional. I cheered when they broadcasted that every single one of roughly a hundred and eighty victims had arrived at a medical treatment center, about an hour into the incident.

Later that night, I hitched a ride with my boss to the heart of the city to set up for a conference called Source Boston which was to begin Tuesday at noon. The only remarkable thing about this trip was that hotel staff asked our names and checked our bags before allowing us past the lobby. Let me emphasize: this was not the police, this was private security inside a private building, and we could have refused and simply not entered the hotel. So far as I know, only the crime scene itself and portions of the subway system were under any special protection at this time.

Tuesday was an uneventful span of speculation. There were more police out and about than typical, particularly on the transit system, but no-one I met seemed to feel afraid or threatened. Someone who was speaking at the conference had their flight cancelled and couldn’t make it in time… but that was the only effect it had on us. Wednesday dragged on with rumors, only rumors. On Thursday morning there was a very strong presence of police and military with assault rifles, because the President was coming. I suspected, just as they did, that if the terrorists were planning on striking again, now was the time. We are very predictable in holding these sorts of high-profile ceremonies, so it was possible that bombing the memorial to break our national heart was the goal all along.

The President came and went without any disaster striking. Thursday night, the FBI published their official photos of the suspects, two quite ordinary-looking young men who would never be worth a second glance anywhere in Boston. This area is very international, you know - it teems with exchange students and well-educated immigrants and people who came here for a new chance at life. Every time I go to the grocery store I see families from all over the world, many apparently Muslim. The idea of being threatened by Muslims in general is absurd and I condemn anyone who assaulted or harassed someone because they appeared to be Muslim. (In a twist that upset everyone’s pet theory, the suspects turned out to be both white Americans and Muslims, though as I write this, no stated motive is available.)

The convention formally ended Thursday evening and most attendees dispersed to the winds, but a few of us were planning on staying late. Our car was parked out by Alewife Station somewhere and our friend was going to give us a ride from the hotel to the station when we were ready to go. Once again, I happened to be checking Twitter (I do that a lot) when the first reports of a shooting at MIT surfaced. No-one assumed it was the bombers: it’s a city, random shootings will happen. What people did express was frustration with stupid freaking criminals having the disrespect to cause a scene in the middle of an investigation. At this point, some of my local MIT friends ragequit Twitter and went to bed. They didn’t want to deal with the stress of murder on their campus on top of the stress of the terror investigation.

It was the point at which news of grenades hit Twitter that suddenly everything came into focus. A frenzy of attempts to confirm that it was in fact a detonation and not some random city noise was settled when people I knew and trusted said they heard several small explosions from their house. I went around and told everyone still chilling at the conference not to leave the hotel, because some nutjob who may or not be a marathon bomber was armed and dangerous and running around with nothing to lose. Mainstream media was in bed; we only had the radio and eyewitnesses over social media. We (the waking Twitter population) by and large understood that this was not 100% reliable. Boston is not much of an after-midnight city to begin with, so there was hardly anyone on the streets to worry about. I remember seeing a pizza delivery truck rolling by well after the violence in progress had been declared to be the bombers making their getaway. I hope they got a nice tip.

Several of us ended up getting a few rooms at two in the morning and crashing instead of going home, since it was abundantly clear that the remaining bomber was armed and dangerous. Boston is a surprisingly small area, incredibly dense and mazelike, and much more easily navigated by bike or on foot than with cars. Staying inside if you have the option is not cowardice or foolishness in such a situation, it’s practical. The bombers had already murdered one person, shot up another, and kidnapped someone before kicking them out of their own car. The younger one was so panicked that he had run over his own brother’s body trying to get away from the cops. It’s completely irresponsible to be outside and make yourself a target for hostage-taking by a desperate terrorist unless you have a truly compelling reason.

I took a sleeping pill because there were sirens everywhere; I have a good ear for them. The last thing I remember is that my manager, who lives in Watertown, was barricaded inside his house by the police to keep him from being taken hostage. To my understanding the police communicated with him and this was by consent. A widespread misconception I saw on Twitter is that SWAT teams were running around and breaking into people’s houses and ransacking them. I haven’t seen a single report of this from a local! The worst I heard is that they opened exterior basement doors and sheds. They knocked on doors and asked if people would like their houses checked. It’s not like the police assumed anyone was deliberately sheltering the terrorist. Now, I am not going to make a blanket statement that not one single breach of respect happened. Thousands of people were involved, there was probably at least one. Just let me emphasize: the police made every effort to not screw this up and not terrorize people. The documented incidents make sense in context: there was unambiguously an armed and dangerous maniac somewhere in Watertown. Some police forces we shall not name would probably have racked up seven or eight civilian shootings and burned down a couple houses. While it’s really quite pathetic that we’re pleasantly surprised when this doesn’t happen, well, it didn’t happen. Hooray.

I woke up at 11am on Friday and my first action was to post on Twitter asking what I needed to know before I got out of bed. The answer?: “Don’t bother, go back to sleep. They’re still looking for him and everything’s closed.” It became clear that something called “shelter in place” was going on. This is the “lockdown” everyone heard about. Let me emphasize this very clearly: this was NOT a lockdown in the classical sense. People were on the sidewalks. Cars were on the streets. Just not very many. No cops or soldiers were running around bothering people outside of the immediate vicinity of Watertown. The idea that the entire city shut down simply isn’t true. Restaurants and shops and other assorted businesses were mostly closed, but this was by choice of the operators to heed the call to do so. It was, by and large, a surprise holiday; the park near the hotel was actually quite crowded.

The hotel kindly allowed us to delay checkout, and mid-afternoon we were able to find a taxi driver willing to take us all the way to Alewife Station, which itself was completely closed. Our car was severely overdue on the parking time limit, and this will probably be the only time in our lives we escape the watchful eye of the meter police. We actually passed through a corner of Watertown on the way home, which was alive and well.

A lot of people are concerned about the cost to the city of Boston that the lockdown incurred. Two points: first, we have severe weather incidents every year with similar effects on business, and our economy doesn’t collapse; second, pretty much every single last person in the greater Boston area would personally sign the check paid out of our taxes to see the marathon bombers taken off the streets. We wanted this. We wanted to facilitate the investigation and we wanted those prepared to deal with an armed terrorist checking the hidey-holes in our neighborhoods, which was exactly where Suspect #2 was found. It is better that the trained negotiators handled it than the private citizens, because let me tell you, the city is filled with people who wouldn’t have hesitated to beat him to death with their bare tattooed hands, and it is important for both human rights and for the investigation that he was taken alive. I regret that the older brother has died but, fittingly, it seems to have been the younger brother’s fault anyway.

Some people feel that Boston has failed to “refuse to be terrorized.” Let me make something clear: being cautious during an ongoing terror attack (even a relatively small one such as this) is not a shameful thing, it’s common sense. “Being terrorized” would be if we cancelled next year’s marathon. There’s not a snowball’s chance in hell of that happening. “Being terrorized” would be if we ceased to be a welcoming home for people from all over the world. That had better not happen, and I don’t think it will.

Incidents where a few people die and many are injured happen all the time even in America - the Texas explosion seems timed by fate to remind us of this. It’s true, we don’t make it an issue for every single person in a city every time three or four people are murdered. In this case, the people of Boston chose to make it their issue. This attack was extremely personal. We responded in kind. This was not a city driven by fear. This was a city driven by a keen and righteous fury. We absolutely will not tolerate anyone attacking the heart of our culture. We’re not worried about the monetary cost of bringing everything to a screeching halt to make sure there is no possibility of escape. There are a lot of Bostonians, we can keep this up longer than our handful of cowardly enemies can.

Finally, those of you who watched from a distance: thank you for your attention, your concern, and your outpouring of support. However, if you are worried that this was “normalization of the police state,” let me assure you there was nothing “normal” about this. Our governor is not signing some sort of order to turn Boston into a rights-free zone on account of two kids with a pressure cooker. I know it’s freaky to see photos of armed troops in an American neighborhood, but that’s just it - it’s freaky. It’s unusual. There was a very specific reason for it and the locals wanted them there and they’ve packed up because the mission is over. I know we in infosec are paid to be paranoid but thinking that this was a “dry run” for some sort of coup is a little over the top even for us.

Now is a good time to reflect on the fact that in some parts of the world, none of this would have seemed remarkable. There are entire countries worn down by constant petty terrorism. Dozens of innocent people have died in bombings abroad during this investigation.

I think Boston’s reaction is a key component of keeping it unusual in our country. Zero tolerance for terrorism.

This is the city which would not be cowed by the wrath of an empire. We won that war. We will not be cowed by you, Tamerlan and Dzhokhar Tsarnaev, and we will be victorious over hatred, fear, and senseless violence.

Boston is my ancestral home. I came back after living far away for half of my life. I’m so glad I did.

Ported one of my orchestra songs to chiptune

Sat, 20 Apr 2013 17:47:14 -0400

Ported one of my orchestra songs to chiptune

I woke up and wrote another chiptune - this is the themesong of...

Sat, 13 Apr 2013 14:38:49 -0400

I woke up and wrote another chiptune - this is the themesong of a bookish teenage boy, he needs another themesong for hero mode though.

https://soundcloud.com/0xabad1dea/

Abadidea's Guide To Internet Arguing

Thu, 11 Apr 2013 09:19:52 -0400

Not everyone on the internet is an adult. This cannot be emphasized enough. Someone who seems incredibly dumb or ignorant may actually just be thirteen years old.
Not everyone on the internet speaks English as their native language. Misunderstandings happen. Grammatical mistakes happen. Difficulty expressing themselves does not automatically make someone dumb.
People come from many countries with many political systems and a different idea of what “normal” is. Don’t project your beliefs as “normal” even if you strongly believe they are “right.”
Before you get upset with someone, consider how much you have in common vs. the size of what you disagree over. Don’t create internal disorder in your cause over minor things.
Lead with a compliment. If you really can’t think of one, there’s a good chance you need to back off.
Do not accuse the other person of being “completely horrible” based on one stance which is a hot issue with you. From their point of view, you’re ignoring the vast number of ways they’re indisputably not horrible and they’ll dismiss you as too extreme. Most people are trying to be good people; give them the benefit of the doubt.
Take other people’s complaints about you into consideration. Some are wrong. Some are dead on.
Be rigorous in avoiding the clear-cut logical fallacies. Annotate your intent if you play around with them. Call out people who fall into them. If you’re relying on one, recheck your beliefs.
While we’re on that subject, stop getting the definitions of “ad hominem” and “straw man” wrong. Sometimes an insult is just an insult. Sometimes speculation is just speculation.
Don’t confuse people who deliberately spread misinformation with those who fall for it.
No-one has the time to be an expert in every subject. Don’t be condescending to the innocently ignorant and don’t tell a genuine expert their business just because you have a Strong Opinion on something you’re only casually familiar with.
Graciously accept being corrected. Better ex-wrong than wrong.
The other person is probably not as angry or rude as they sound in your head.
Intent matters.
Behavior matters.
Context matters.
It’s not “just the internet.” This is the excuse of the dishonest troll.
No matter what you do, some people really are just willfully ignorant, hateful, prejudiced, and awful. Your #1 most important job is to not be one of them.

Did you know I make classic RPG-style chiptunes? I do, or try at...

Fri, 05 Apr 2013 23:37:00 -0400

Did you know I make classic RPG-style chiptunes? I do, or try at least; I’m still learning. Unfortunately this one compressed a little weirdly. https://soundcloud.com/0xabad1dea

Concerning the nature of a woman of computer science

Thu, 04 Apr 2013 10:40:12 -0400

A long-form response to Ionic, who, in essence, has found woman’s dedication lacking, if she submits so few papers in comparison to her fellows of the masculine gender.

Mr. Ionic (or Mr. Esser, if you prefer) I am writing this because we have exceeded the capabilities of Twitter to contain our disagreement, opening the dam a hundred and forty little symbols of mutual anger at a time, never enough to wash each other off our piers of certainty. You are welcome to reply in kind, and so we may have a war, a true and proper war, where the best weapons are brought out and carefully aimed. I hope you will forgive me in having an advantage I did not ask for: English is the language of my infancy, whereas you had to earn its secrets the long and toilsome way. My ability to make the most deft use of this language shall probably always exceed yours, no matter the effort – and while the same is true concerning you and your mastery of German, political reality suggests my luck was better. I do not need another language to pursue my passions. You do.

I bring this up not to make a mockery of nationality, but to suggest that just as I may, in the arrogance of innocent advantage, forget that not everyone is an English bard, so too might anyone not know the full measure of what circumstance has given them. I do not know what it is like to be a German-speaker or a Mandarin-speaker or a Hindi-speaker plying the sciences dominated by English, having to first overcome the barrier of language to participate as an equal. You do not know what it is like to be a woman in the very same circumstance: that the intellectual industries present a man with some barriers, and a woman all these and a few more, and some higher. Surely you and I can both point to this or that little detail, in which woman has the advantage over man, but when one backs up and weighs them fairly they are not equal compensation. I doubt you would wish to forget German in exchange for a perfect English, however, and I would not wish to depart from womanhood. Both of these are matters of who we truly are, desirable in and of themselves, not because of the luck of advantage.

I do not know in detail the chapters of your life, the circumstances peculiar to you rising to a certain renown in our field, but I do know that your intellectual prowess is quite real and readily evident. No-one now contests this, though surely there was a time when you were yet unknown. However, I would venture that while you were proving yourself to the public, no-one ever accused you of presenting the work of your hypothetical wife, nor discussed whether you were truly a man as you claimed, or in actuality a woman in disguise. Does that not sound absurd? This, however, is woman’s task: first to leap the barrier of competence, the same as you, then to leap the barrier of proving that she is, in fact, the same person who is found competent. For years I toiled to learn the craft under accusations of not being a woman, because there are no women in our field, because anyone who claims to be is not a woman…, or else I was a harlot, preying on the hearts of innocent boys and falsifying my abilities (perhaps having a boy write my exploits for me) to string along their affection. To what end? I cannot imagine.

So far as I have known their motivations, strangers said these things to me because they were unable to separate their sexual orientation towards women from perceiving women as fellow sojourners seeking knowledge. Our field is noted for being the bay in which the socially different come to drop anchor, and I believe much of it was spoken not on account of deliberate vitriol, but out of fear and anxiety. I am also anxious – I am a shipwreck upon the shoals of social competence. I also experience sexual attraction towards men in this industry, certain ones at least. Hence it is not attraction itself that I find troublesome, nor the social blunders which we all commit; rather, it is a willingness to take refuge in their excess, and let womankind, measuring half the blood of our existence, be the casualty of the community’s peace. This is the very folly that you promote, complaining that our kind brings trouble on our wings, swooping in to crow and blather and retreating to brood in our nests of contempt for your gender. Consider rather that we are scratched by ten thousand thorns, none lethal but each painful, and at some point there are too many little cuts bleeding out our dignity. We protest, and are told that we complain of one thorn, whichever pricked us last. No-one’s path is free of thorns, but some begin within the briars of presumption and must fight their way out. They reach the road bleeding; others, more fortunate, suppose them to have foolishly done this to themselves.

This is the root of what I have been trying to express to you: in any time, in any place, there are those who must struggle more than others to claim their honor. Each of us must be vigilant against supposing that our good fortune is so readily seized by all who would have use of it.

If two percent of your submitted papers are written by women, Mr. Esser, there may be a larger force at work than a simple lack of desire of half of humankind to pursue research and burn away long hours of their life in study. This I have done, and shall continue to do, but for years I was faced at every turn by those who would have me surrender. Few people of any gender, any nationality or religion or whatever division you prefer, could pursue a career that did not want them for so long. I say this not to praise myself, for I am so useless at other endeavors that I would not know what else to do. Rather, I say this to cast light on the host of minds whose curiosity and desire were stamped out by the boot of callousness before their passion could be truly ignited. This is the systematic bias of which women try to tell you: we are chipped away from the moment our eyes open with tools of degradation and condescension. A hundred years ago, to be a girl was to be told “no.” Now, I admit, things are a little better: to be a girl is to be told “it is possible, but you will suffer.”

This very day, I was told by a man that I should be glad to suffer, that my suffering is my glory.

No, my work is my glory. I am not here to suffer on your account. I intend to tell tomorrow’s daughters “yes,” as do many men who have given pause to consider whether they are perpetuating the problem or fighting back against it. I would advise you either help or get out of our way.

Some (self-righteous?) stuff I thought of while playing video games

Thu, 21 Mar 2013 20:31:00 -0400

Men fear women will reject them, women fear they won’t be allowed to say no

Straight people fear being made uncomfortable by gays, gay people fear they won’t be allowed to love

Cisgendered people fear being fooled, transgendered people fear they won’t be allowed to be honest

The rich fear the poor won’t work hard enough, the poor fear they won’t be allowed to work at all

The ethnic majority fears the minority will cause trouble, the minority fears they won’t be allowed to live

Everyone has something to be afraid of

But some people fear

Others becoming less afraid

Ethics of One Girl In-Particular

Mon, 18 Mar 2013 10:36:38 -0400

A philosopher is one who takes many words to state what all people know, or even better, to state what sounds profound but no-one actually understands. I am not a philosopher. I value a terseness of style, and a blunt attitude towards those who mark papers, which has never been valued in their halls. Philosophers also have an interest in systems which they purport to solve everything, to leave no more questions, to lay out absolute rules which create a closed system for the problems of life they will consider. This is no different from the physicist who considers all objects to be spherical and without friction. This is the reality only found in notebooks and classrooms. It functions only in the broadest of terms. It does not describe the reality in which we operate as conscious minds, but only a simplified imitation of it, made finite in its complications so that we may grapple with it, and suppose we have conquered.

I am so foolish, so prideful, as to add to ten thousand years of written philosophies my own little ideas, born of youthfulness and a life complicated not by war or famine but by intellectual matters. I am using the following definitions in this undertaking: first, that a “rational mind” is the remarkable but imperfect organ of sensory gathering and decision-making which forms the core of an acting entity, a “person”; that “emotion” and “pain” are the experience of the rational mind mapping its desires to physical sensations, with the latter being inherently negative; that “good” and “evil” are the judgements of the person by which we reflect on whether a desire should actually be carried out; and last, that “ethics” or “morality” is the practice of extending good and evil outside one’s own mind and taking into account what is good or evil for others. I shall take it for granted that the typical person desires to continue existing, to experience positive emotions, to interact with other people, and to avoid pain. These are the founding principles of “good.”

I reject the idea that there is any one system of ethics which can guarantee the morally superior outcome in all possible situations. The universe does not conform to our wishes to live in a just-so story. I also reject the notion that morality does not matter and does not profit a person to pursue. We must try to be good to one another, even if we are sometimes unsure of the very definition of goodness. We must struggle in the face of a universe which was not structured around our wants and needs. We cannot achieve perfection but we may approach it, even as the pole of perfection itself may drift. Without trying, however, we will suffer, individually and collectively, because the universe does not care if it causes us pain or sorrow or loneliness. The universe is a slow dance of obliteration. We can fight the universe. We can hold back the tide of nothingness with walls built from the strength of our reason and our desire to exist. We can band together and say, “we are greater than you, stones and seas and suns and vast empty spaces, for no matter how small we are, we are alive, and we defy you.”

Morality is the means by which we cease to be merely an odd lump of material and become something that not only wants to exist but deserves to. Everything, truly everything that shall ever matter, relies on our ability to pursue goodness effectively, to secure our collective future before we destroy one another with selfish actions. With imperfect minds in an imperfect world, how are we to achieve this? How can we decide what is good?

The key to moral judgement, I believe, is not intuition or rules but rather the pursuit of knowledge; both of the general nature of the world, and of the circumstances specific to a person’s life. It is the responsibility of every person to be as well-informed as is possible in their time and place. If they work harm out of willful ignorance, they have worked evil. Of course, some people are deprived of education by circumstance; sometimes decisions must be made immediately; or information may even be maliciously withheld. Though unfortunate, it is not a fault to have made the “wrong” choice because of an inability to have complete knowledge of the situation. The fault may lie with persons who, through action or inaction, prevented relevant knowledge from being available, or there may not be anyone at all who could have improved the outcome. Who can argue with the tectonic plates, that they should not destroy our cities? Who can command the geologists to discover the inner workings of the earth before the next quake, that we might avert it? They are trying. Their minds are finite. They may one day succeed, and much good will come of it, but it is no fault of our great thinkers that they have not yet cured nature’s temper.

The means of measuring the morality of actions is, I believe, by correlation to dignity: a property which all people, and to a lesser extent the animals and even some inanimate objects, possess. It is, of course, difficult to define, changing with context and circumstance. Dignity, so far as it concerns people, is the state of being in which a person feels that their future is safe, that they have membership in their community, and that they have the ability to practice their beliefs of what makes a good life. It is the enabler of a person’s goodness, and people need some semblance of it to maintain harmony with one another. Deprived of it, a person will most likely do whatever is necessary to restore it, even resorting to actions they would typically consider evil. The loss of dignity engenders fear, anger, jealousy and resentment. Hence, much evil can be averted by an effort to value the dignity of every person. It is better to forgive and assist those who work harm out of desperation than to condemn and humiliate them, which only worsens the very condition which caused them to first work harm.

Dignity is not quite the same as happiness; we cannot change that unhappy things will happen even if every human being were to behave in an ethical manner at all times. Happiness is awakening to your smiling child. Dignity is performing funeral rites for your child according to your custom. Happiness is financial success; dignity is being assured that society will be willing to help you when times are hard. Happiness is good health; dignity is recognizing when it is time to let someone you love end their suffering. Happiness is the greatest good, but it often is not within our control. Dignity, however, is the product of how people treat other people.

Animals, to various extents, approach the human level of intelligence, and so too do they have variable rights to dignity accordingly; to torture or frighten them in caprice, to starve them or leave them to die when they are easily mended, is evil in proportion to their ability to reason and to act emotively, and to their instinct for self-preservation. It is not evil, I believe, to meet with violence an animal that would harm a human, nor to startle a wolf that a hare may escape; but here truly you see what I mean that there sometimes is no perfectly good and moral answer. I value the predator and I value the prey. The carnivore is not evil for doing what it must to live, but a perfect world would not contain carnivores. Various religions have constructed elaborate fantasies about the cause of predation, and promises that in the coming end of suffering, the lions shall graze in the meadows. The cold truth is that unthinking, unemotional happenstance constructed a horrible system in which thinking, feeling minds must exist. It is possible that we may be able to engineer a means to alleviate this, to sate ourselves and our animal cohabitants with false flesh, so that the moral mind trumps over the ever-craving body. What then of overpopulation? What then of this and that? The imperfect world howls and threatens. There is no right answer.

Even a mere object, I believe, can possess a certain sort of dignity, for objects can be valued by minds for more than the mere sum of their materials. That which expresses or signifies the experience of the rational mind – a diary, a statue, an ancient tree in the town square – carries a portion of the dignity of every person who put thought or emotion into it, and should be treated with proportional respect. To burn a book is to set fire to a rational mind’s projection onto material reality, which was created specifically so that the thoughts would outlast the mind itself. Attempting to deliberately destroy the record of a mind is, I think, evil, a sort of intellectual murder. We should value every mind’s marks on the world, no matter how insignificant that person seems to have been. We have in our collective care the art of the earliest peoples, inscribed thousands upon thousands of years ago in their places of refuge, their places of triumph. This art is nothing except a discoloration upon a rock face depicting the simplest of shapes, but the preservation of this art is the preservation of human dignity itself.

The building blocks of morality, then, are to avoid depriving others of dignity, to pursue preserving or enhancing it, and to recognize one’s own right to a dignified existence. The means of discernment is to use our rational minds to make informed decisions which take into account circumstances outside of ourselves, to be eager to share knowledge and to debate and reason with one another. Disagreement is inevitable. Conflict between cultures and philosophies is inevitable. We human beings are not so many billions of identical machines, which reach the same conclusions from the same observations. We are people, who love and hate each other and work and play and spend years caught up in mundane concerns and suddenly we look up at the boundless night swollen with burning, dying stars and think –

– We are alive. We are rational minds. What we do matters. We don’t always do what’s right, but we are trying, we are improving, we are discovering our own potential. We are flawed, we are finite, we are magnificent.

This is my morality, to treasure and respect the intellect and its creations, to treat myself and others with dignity, and to accept that I may not always be happy. I do not believe in theism, beholden to the arbitrary demands of an arbitrary authority. I do not believe in nihilism, that our miraculously improbable existence is ultimately meaningless. I believe that we, the rational minds, have awoken on this little world around a modest star, and we have this chance, this amazing, fantastically lucky chance, to take everything we see in this beautiful universe and make it better, including ourselves. We are hungry, violent, frightened little creatures. Morality is the means of being better than that. It’s not perfect, but it is good.

How to destroy tumblr

Sat, 16 Mar 2013 14:54:30 -0400

I have devised a means by which the tumblr community can be utterly imploded in recursive, fractal confusion

Write a novel or comic book which features quirky, angst-ridden teens who are highly shippable in many combinations

Title the work “Trigger Warning: Spoiler Alert”

Inquiry into the cause of my own insanity

Sun, 03 Mar 2013 17:28:36 -0500

I have often been described as confusing, but in one sense, I can explain myself very easily: I am a child. In my mind and my heart, I am still small and wide-eyed, vexed by a world that is absurd in its pretensions, and all I want is to be left to the works of my whimsy. I am brilliant, possessed of a startling genius that expresses itself in fits and tempests, and always, for so long as my memory reaches, infuriated by a failure to impress my mind upon the pale reality that surrounds it. My mind composes the symphony, but my ears cannot find the chords. My mind knows well the shape, but my hands cannot render the pen strokes. I know every pebble and fern of ten thousand imagined vistas, but the words, the letters and symbols which pile up on page after page of an increasingly frustrated attempt to create a record of my fleeting thoughts, inevitably drive me to destroy the whole effort out of disappointment in myself. All in one moment, I hate that I am four-and-twenty and have not completed any enduring work of art, and still dread that I am expected to occupy myself with trite endeavors for another fifty years yet.

At some point, my young mind was turned towards the inner workings of computers, and while I dearly wish it had been several years sooner, I cannot change the circumstances of the past. I was told that I would never find success here as I had failed or nearly failed every mathematics course I was subjected to. Nevertheless, I discovered for myself the peculiar talent of reasoning about computation: I possess the ability to construct the model of a program in my mind, as it relates to the machine rather than as to human language, and discover what the original programmer did not realize they had written. People, it turns out, are very bad at expressing precisely what they mean, as they trust to the common sense of other people, and to the fact that the analogue nature of the world around us does not demand much precision. Every computer program ever executed which expresses any real complexity has been burdened with errors, oversights, and simple failures of the human to think in accord with the machine. My talent is not that of the programmer – there are many good programmers in the world, and I do not count myself highly among them – but that of the machine’s advocate. I find errors. I find what kills the machine or enslaves it to the wrong path of execution. I pursue endlessly the cause of how these errors happen and why they must be remedied and prevented. As always, I cannot articulate as well as I would like. Having thought a great deal about the matter, I suppose that I “see” the labyrinthian structure of code much as a person who has never known sight is aware of the geometry and texture of a familiar room. I can connect the constraints of one function to another and see where they are not congruent, compromising the integrity of the entire program and the data it operates upon.

I am, then, a hacker.

This makes me a valuable person in a computerized world, and there are several means of making a career of this, not all of which are ethical. Some are unambiguously wicked. I resent society, however, for laying these pressures of money on me, and this is where my childish nature shines clearly. Someone, please, take care of me, and keep the howling wind of adulthood from disturbing my dreams. I shall craft such gems of knowledge for you! Left to my craft, I shall eventually be without peer.

I suffer endlessly from anxiety, fear, and from my thoughts simply blanking under pressure, so that I forcibly forget my own reality to pursue my intellectual delights. I realize this is no way for an adult to behave. I am not depressed, as so many readily assume. I was once, several years ago, when I felt ugly and unlovable and unsuccessful. That passed; I am happy, at least when the demons of responsibility are not pounding at the door, demanding I cede to their demands, and the tide of panic rises in me until I can no longer breathe and I close my eyes and think of an interesting problem I wish to solve and suddenly it is five hours later and solved. The demons pound on the door again, having waited patiently for the fit to pass.

I will abridge the root causes: a religion that forbade my mind to inquire beyond the veil in the temple, and which shamed my body for being of the wrong half of humankind, the so-called weaker and more foolish half, the half which was a mistake of God if we were only allowed to ascribe to God mistakes. Contradictions between what I was told by those I trusted and what I observed in the uncensored world drove me nearly to madness. It is a simple matter of literal fact, of course, that not even ten thousand years ago, the one true god created a new world and fashioned statues of clay and breathed life into them; a talking snake dissuaded these golems from obedience, and the very soil of the earth was poisoned in retaliation; and eventually this god destroyed the entire face of the world out of anger, save for one family of refugees in a wooden boat, so on and so forth. But he is the god of love, and – oh never you mind. It hardly matters.

It is easy for some people to accept these tales as literal and it will neither bother them nor particularly inform how they live. I have known many people who are intelligent but passively accepting of whatever the culture of happenstance has told them. My own mind, however, was nearly torn asunder. I found no comfort in the tales of Heaven. I wept, alone in the dark, for the billions of souls in eternal torment, convicted of the crime of not pleading to the right god to absolve them of inherited evil. I was made to believe by smiling and well-meaning teachers that God was so unspeakably sadistic that he would not intervene in this, the cause of justice as large as existence itself, and if a person I had ever known perished without salvation, it was my fault personally that they were now in Hell. I several times nearly had breakdowns when I would go out in public and consider how many of the men, women, and children I saw were doomed to eternal torment. I believe this is why my mind blanks out when I am anxious. The only way I could cope with the cruel and twisted theology I believed to be true was to suppress all thoughts of it and act as though it weren’t true.

I now understand that this was never true, and find great comfort in the sciences of biology, geology, and astronomy, which answer honestly the questions my teachers dismissed as Satan’s trickery. That does not, however, mean that I am free from the shackles of extremist religion. I was young – very young. I can no more purge this theology from myself than I can forget how to read. I will live with this forever, this anxious fear of injustice, this aching sense of being separate from those around me, and most of all, the unspoken horror of something bad happening to someone else and it’s my fault. This is the undercurrent of my dreams. I do not sleep in peace.

These obsessions manifest through all the most trivial and mundane matters. I barely, just barely, made it through university. I would find myself unable to finish, or even start, assignments for reasons I could not name. I was mechanically capable of them, but I was paralyzed with dread drawn up from the well of my fear. That well has not run dry. I now seriously doubt my own ability to maintain employment. But I must! How will I eat! And thus the dread blooms, its tendrils choking me. It affects every aspect of my existence that is not a purely intellectual pursuit.

I am a hacker. I want to break things. I want to fix things. Like many other hackers, I am insane, each of us for our own reasons. I want to live well. I want to pursue justice. I want to rejoice in knowledge. I want to be at peace.

What am I to do?

Kuaiyong: the short version

Thu, 03 Jan 2013 04:40:17 -0500

It’s 4am, hi! Scratch that, 4:30.

I promised I would put something on tumblr. I won’t share my speculations on the exact cause until Apple has taken a whack at it, but @chpwn @tapbot_paul and I have sent them a report on our attempt to reverse engineer kuaiyong’s DRM circumvention for iOS. It appears they own a few dozen iTunes user accounts and buy the apps for these accounts. They then write something over USB which fools the iDevice into passively accepting signed apps which belong to these accounts as if they belong to the account which owns that iDevice. Apple engineers certainly know a lot more about their own USB protocol and DRM system than I do, so hopefully the details we sent them will help them quickly narrow down the exact problem.

As for the question of whether kuiayong is “safe”: I have not seen any deliberately user-hostile code in what it installed; it’s just mildly allergic to debuggers. However, it has an open-ended update system and a EULA that clearly states they can do anything they want at any time. If you go on their site they have another EULA that says they reserve the right to force ads and charge money in the future. (I autotranslated all of this but the intent is clear.) Additionally, the User ID forging technique seems to be a bit glitchy, as many pirates have reported strange problems with the App Store after using kuaiyong. On top of that, you can be sure that someone will come out with unambiguously user-hostile imitationware, so don’t just go around installing whatever. Same advice as always.

And just to crush your hopes, no, I don’t think this is a jailbreak vector. It only works with things that are properly signed. This means no random malware and no cydia. Sorry! :)

0xabad1dea

New blog about the wonderment that is PHP

Sat, 06 Oct 2012 00:31:08 -0400

After spending some time wading through the comment section of the PHP manual, this was born.

http://phpmanualmasterpieces.tumblr.com/

Follow for all the bitter black-hearted programmer rage you can handle

Our Enemy the Optimizer

Mon, 06 Aug 2012 00:27:00 -0400

(If you are viewing this post in dashboard mode, please direct view so that the syntax highlighting loads correctly. Darn tumblrisms.)

The optimizer is the root of all compiler evil. It complicates binary analysis of every kind. It throws out context and sensibility to save an opcode here, a cycle there, and seems to gleefully cackle at the idea of the poor, confused reverse engineer trying to track the sixteen different things stored in rax in one function. This is just a little case study on what assembled code looks like with and without optimization so you can see how it relates back to the source code and how it is functionally equivalent.

Here is a short but not-quite-trivial C program that calculates how many hit points a game character loses from an attack. I deliberately left in some inefficiencies to see what the optimizer would do with them.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>

int main(int argc, char** argv) {

    char* name;

    int hits;

    double damage;

    double hitpoints = 100.0;

    if(argc != 4) {

        printf(“usage: string:name int:hits float:damage\n”);

        return -1; }

    /* yes. the inefficiency is deliberate. */

    name = malloc(strlen(argv[1])+1);

    if(name == 0) {

        printf(“Geez, you really need more ram.\n”);

        return -1; }

    strncpy(name,argv[1],strlen(argv[1]));

    name[strlen(argv[1])] = 0;

    hits = atoi(argv[2]);

    if(hits <= 0) {

        printf(“hits must be a positive integer\n”);

        return -1; }

    damage = atof(argv[3]);

    if(damage <= 0.0f) {

        printf(“damage must be a positive float\n”);

        return -1; }

    printf(“%f * %d == %f\n”,damage,hits,(damage * hits));

    hitpoints -= (damage * hits);

    if(hitpoints > 0.0f) {

        printf(“%s lives with %f health\n”,name,hitpoints); }

    else {

        printf(“%s is dead with %f health!\n”,name,hitpoints); }

    return 0;
}

I compiled this on OSX with llvm-gcc with -O0 (capital o, digit zero) option to disable the backend optimizer (as opposed to some things done in the parsing stage) entirely. You will of course get slightly different results with different compilers, but for such a short program the differences shouldn’t be notable. The full disassembly is pretty long: here it is on pastebin. Let’s ask Hopper’s decompiler mode to take a crack at it. The decomp is not perfect, largely because I deliberately chose to throw in some floating-point math just to complicate things, but compare the control flow structure to the original.

function _main {

    var_92 = rdi;

    var_80 = rsi;

    asm{ cvtsi2sd   xmm0, rax };

    var_24 = xmm0;

    if (var_92 != 0x4) {

            puts(“usage: string:name int:hits float:damage”);

            var_60 = 0xffffffff;

    }

    else {

            rax = strlen(*(var_80 + 0x8));

            rax = malloc(rax + 0x1);

            var_48 = rax;

            if (var_48 == 0x0) {

                    puts(“Geez, you really need more ram.”);

                    var_60 = 0xffffffff;

            }

            else {

                    if (0xffffffffffffffff != 0xff) {

                            var_16 = 0xffffffffffffffff;

                            rax = strlen(*(var_80 + 0x8));

                            rax = __strncpy_chk(var_48, *(var_80 + 0x8), rax, var_16);

                            var_64 = rax;

                    }

                    else {

                            rax = strlen(*(var_80 + 0x8));

                            rax = ___inline_strncpy_chk(var_48, *(var_80 + 0x8), rax, *(var_80 + 0x8));

                            var_64 = rax;

                    }

                    rax = strlen(*(var_80 + 0x8));

                    *(int8_t *)*(rcx + rax) = 0x0;

                    rax = atoi(*(var_80 + 0x10));

                    var_44 = rax;

                    if (var_44 <= 0x0) {

                            puts(“hits must be a positive integer”);

                            var_60 = 0xffffffff;

                    }

                    else {

                            atof(*(var_80 + 0x18));

                            var_32 = xmm0;

                            xmm0 = var_32;

                            asm{ cvtsi2sd   xmm1, rax };

                            if (xmm1 >= var_32) {

                                    puts(“damage must be a positive float”);

                                    var_60 = 0xffffffff;

                            }

                            else {

                                    asm{ cvtsi2sd   xmm0, eax };

                                    var_8 = xmm0 * var_32;

                                    printf(“%f * %d == %f\n”);

                                    asm{ cvtsi2sd   xmm0, eax };

                                    var_24 = var_24 - var_32 * var_32;

                                    asm{ cvtsi2sd   xmm1, rax };

                                    if (var_24 > var_24 - var_32 * var_32) {

                                            printf(“%s lives with %f health\n”);

                                    }

                                    else {

                                            printf(“%s is dead with %f health!\n”);

                                    }

                                    var_60 = 0x0;

                            }

                    }

            }

    }

    var_76 = var_60;

    rax = var_76;

    return rax;
}

In my original code, I have multiple returns, and I rely on the knowledge that a return statement will terminate execution to not have any else statements after my if statements that return an error. The compiler, as a general rule, does not like multiple returns, and even with the optimizer disabled, it has rearranged my code so that there is a single return point. This causes the control flow to change from a shallow series of if statement to nested if-elses. The compiler has invented a new variable, here named var_60, to hold the return value at each possible error condition check and at the end of the function.

Oh, and the compiler changed the places where I called printf with a static string to puts, probably because it has a much lower overhead. That was thoughtful of it, but I feel cheated somehow - I wanted no optimization! (This was probably done at an early stage not affected by the -O flags.) You can see a few other spots where compiler-generated cruft is added: for example, check out how the strncpy of the player name to its malloc region is bracketed by nonsensical comparisons. Don’t worry, this weirdness will disappear in an optimized build (to be replaced by other weirdness).

Click here to see the control flow graph of the disassembly of this version in a new tab. You can clearly see several distinct chains leading to the common block at the end of loading the variable where the exit code is stored and returning it.

Now, what about the fully optimized version? (Many compilers support multiple levels of optimization, but often there is little difference between them and most deployed binaries will just use the maximum setting regardless. This is with -O3.) Check out the full disassembly here and notice that it is dramatically shorter - 70 opcodes vs. 152. Whence the savings? Let’s find out.

function _main {

    if (rdi == 0x4) goto loc_0x100000cfe;

    goto loc_100000ce2;

loc_100000cfe:

    rbx = rsi;

    r14 = *(rsi + 0x8);

    rax = strlen(*(rsi + 0x8));

    rax = malloc(rax + 0x1);

    if (rax != 0x0) goto loc_0x100000d24;

    goto loc_100000d1b;

loc_100000d24:

    r15 = rax;

    rax = strlen(r14);

    strncpy(r15, r14, rax);

    rax = strlen(*(rbx + 0x8));

    *(int8_t *)*(r15 + rax) = 0x0;

    rax = atoi(*(rbx + 0x10));

    r14 = rax;

    if (rax > 0x0) goto loc_0x100000d65;

    goto loc_100000d5c;

loc_100000d65:

    atof(*(rbx + 0x18));

    if (0x0 < xmm0) goto loc_0x100000d84;

    goto loc_100000d78;

loc_100000d84:

    asm{ cvtsi2sd   xmm1, esi };

    var_0 = xmm1 * xmm0;

    printf(“%f * %d == %f\n”);

    if (*0x100000e70 - var_0 > *(int32_t *)*0x100000e78) {

            rdi = “%s lives with %f health\n”;

    }

    else {

            rdi = “%s is dead with %f health!\n”;

    }

    printf(rdi);

    rax = 0x0;

loc_100000cf3:

    return rax;

loc_100000d78:

    rdi = “damage must be a positive float”;

loc_100000ce9:

    puts(rdi);

    rax = 0xffffffff;

    goto loc_100000cf3;

loc_100000d5c:

    rdi = “hits must be a positive integer”;

    goto loc_100000ce9;

loc_100000d1b:

    rdi = “Geez, you really need more ram.”;

    goto loc_100000ce9;

loc_100000ce2:

    rdi = “usage: string:name int:hits float:damage”;

    goto loc_100000ce9;
}

Uh-oh!!! It’s that thing your professor threatened to beat you over the head with a copy of K&R for if you ever used it in your code!!! GOTO! The dark secret of goto is that the compiler uses it like sprinkles on ice cream. It’s just a jmp instruction. Of course, all compiled code uses the jmp family of instructions (jump-if-greater-than, jump-if-not-equal, etc) to implement control flow, but unconditional jumps - of which I count five in the disasm - are typical of code that has been ruthlessly rearranged by the optimizer to bear little superficial resemblance to the original line order.

The trick here is that the optimizer is looking for repeated sections in the code. For example, it notices that puts is called several times. In the unoptimized version, there was a different puts call in-line each time. In the optimized version, there is only one puts call, and each former callsite now jumps to it. The puts is immediately followed by loading -1 into eax and jumping to the return block, because every time I’m writing a static string, it’s because I’m writing an error message and returning -1. It’s also rewritten the part where I printf whether the player lives or dies to only use one printf call instead of two.

In the original, I calculated (damage * hits) twice. The compiler was able to prove that I don’t change the values of either side of the equation between the two calculations and has rewritten it to be calculated only once and stored in a new variable. Note, however, that the optimizer was not able to fix my rookie mistake of calculating the strlen of argv[1] three times. Arrays Are Hard, and even though C programmers like you and I can look at that and say “yeah, don’t see how that could possibly change between these call sites,” there is not much the compiler can do about fixing it as written because I didn’t throw in hints like const.

Take a look at how strlen is called each of those three times, however. First it takes an argument of rsi + 0x8, then of r14, and then of rbx + 8. All of these places point to the same location in memory - argv[1]! (Recall that this being a 64-bit disassembly, incrementing a pointer to a pointer by 1 in C actually increments it by 8, as opposed to by 4 in a 32-bit program. Pointer math is on drugs, kids.) A key job of the optimizer is to get data to spend as much time in the registers as possible, since register accesses are vastly faster than a memory fetch. To this end, it makes multiple copies of the pointer to argv (which, according to the x86_64 calling convention in use, comes into main in rsi) to work with as it loads the several arguments. You may find it easiest to track these variable copies in the control flow graph image of this disassembly. Spotting when two different registers or stack variables are really the same thing is a critical skill for understanding disassemblies (and a major reason Decompiling Is Hard.)

There are some other minor things that one often sees in optimized code that can be puzzling the first time they are encountered. Perhaps the most famous example is using xor with the same register twice to set it to 0 instead of loading a 0 value. The optimized disasm contains a xor and a pxor while the unoptimized contains neither. In a similar vein, cmp value, 0 is swapped out for test value, value. While it doesn’t show up in this disassembly, a classic optimization trick is to replace multiplication or division by powers of two (2, 4, 8, 16…) with bitshifts to the left or right respectively. Do the math on paper if you’re not sure why; it works out the same.

Another trick is abusing the powerful lea (“load effective address”) opcode to do normal integer math instead of pointer math. lea is intended for working with pointer offsets and allows directly encoding values to add to or multiply by the base pointer value. In the unoptimized disasm, you see lea only used for literal pointers, to load the addresses of the strings we’re passing off to printf and puts. In the optimized verison, however, you will see the line lea rdi, qword [ds:rax+0x1] in between a strlen and a malloc. It is deliberately misusing the return value of strlen as though it were a pointer to add one to it and copy it to rdi in one step.

You may also notice that in the unoptimized version, the stack contains 96 (0x60) bytes of temporary storage, but the optimized version contains 8. This is the agressive register usage at work, squashing intermediate results the instant they are no longer needed. Of course these dramatic memory savings complicate your life trying to understand the disassembly - personally I recommend using paper and pencil to track when registers are dirtied with new values.

Bonus question: the original source code shows hitpoints being set to 100.0. Look up and down the disassembly all you want and you will never see anything that even remotely resembles that number, so where does it go? Don’t bother trying to look for 100 in hex (0x64) either, if that’s what you’re thinking. The number is floating point, and hence evil. This is actually a trick question, as the number is not passed as an immediate value as you might expect, but is stored in the __const section. This line in the optimized version - movsd xmm0, qword [ds:0x100000e70] - is where 100.0 is loaded. If you load the binary in your favorite disassembler-which-supports-macho (or compile it yourself and find the equivalent line) and follow that pointer, you will see a stored value; the disassembler will probably display it as a hexadecimal value of 0x4059000000000000 which is totally opaque to us mere mortals. Toggling the display method of the variable, or plugging it into an online IEEE floating point converter will give you a nice, understandable 100.0. As the reverse engineer, your clue that it is a floating point value is that it is loaded into the xmm0 register and otherwise operated on with float-specific opcodes instead of normal integer ones, and you know it is a double type instead of a float because it is 64-bit instead of 32-bit.

Personally, I hate floats.

As usual, the disassembler (and decompiler) I use is Hopper for OSX, and here is your mandatory sickeningly cute picture.

Is the Vibe messaging app safe for protestors?

Wed, 04 Jul 2012 12:14:00 -0400

I saw someone claiming that they believed a social messaging app for iPhone and Android called “Vibe” was actually a trap to solicit data from members of the Occupy movement, who were using the app for its advertised feature of location-specific anonymous messages. For example, you could set it so that the message is visible to people within 3 miles of your current GPS location. Since the app became popular with the Occupy movement, its threat model is bumped up a few notches from “people posting about local band performances - nobody cares” to “people posting about potentially sensitive political activities - they may be monitored.”

I was bored and wanted a distraction so I decided to check it out. I only checked the Android version because that is a lot easier to work with. I did not at any time install the app or run a single line of its code. (I am a security researcher at Veracode if you are wondering. This is my idea of a great evening.)

The modest download page of Vibe: http://zami.com/v.html

The FAQ: http://www.zami.com/vibe/faq.html

Alright, here’s the skinny. You may mistakenly believe that if you dial the distance on your message down really low, that only people who are actually physically close to you could ever see it. This is not true. It is very, very easy to write a script which impersonates being at any location you want and can get the vibes for that location. It is simply a REST client request to a specific URL recoverable from the app with the latitude, longitude and range set to anything. Tested and confirmed, I was reading short-range New York vibes from my home a few states away.

This is not hacking. The remote web server simply works with whatever geo-coordinates the client provides. It could be improved, if the server hosts wanted, by comparing the client’s IP address and seeing if it’s roughly colocated with the submitted coordinates, but of course there are ways around that such as simply running the script from a rented server in the target’s general region. The simple fact of the matter is that there is no way for a server on the internet to determine for sure you are, in fact, standing in a particular location with your phone. Hence, do not post anything that should not read by someone outside of your range. It’s not actually private! I have not tried it, but it appears someone could also remotely post messages pretending to be near you, so treat the messages you see with a healthy skepticism. (This is actually an advertised feature of the underlying AskLocal platform, which lets you place a message anywhere on the world map but claims that only people near to it can see it. We have already seen that is not really true.)

The second problem is that the app (at least on Android, but probably on iOS too) deliberately overrides SSL security validation (specifically javax.net.ssl.x509trustmanager) to accept any certificate. What this means is that someone who set up malicious “free wifi” could install a MITM (man-in-the-middle) proxy to intercept your Vibe messages and log everything before posting it so that you never noticed anything was wrong. I am guessing the programmers did this not to facilitate evil but because SSL errors are difficult and annoying and they did not want to complicate their user interface with messages like “Server presented expired certificate, can’t connect.” Now, if this app were only used to post about local art shows and the like, this would not be particularly worth worrying about, but again our threat model is members of a protest movement. Hence, this is not a good app to use if you are attending an event where someone may wish to log the information of who is present and use it against them. (Technically a MITM attack could still happen on your 3G, but the “open a free wifi point and wait” technique is both a very easy and very successful avenue of attack.) This bug could be fixed by the app programmers with a bit of effort so that the Vibe client would not post messages without being certain it was talking directly to the Vibe server.

As for whether or not the real Vibe server logs the IP address when you submit a message, it is impossible to tell for sure but they claim they do not. The IP address alone is only semi-useful but you will still have to answer for yourself how comfortable you are with the situation.

I did not see any deliberately malicious activity (such as siphoning off contact data) and every interface functionality appears to work as advertised. Hence, my recommendation is to treat it as a convenient filter for local messages rather than believing that only local people can see what you say, and to be mindful that your connection info may be logged by an interceptor. Use common sense in what you say and what you believe like on any other social networking service.

Also, this is supposed to be a girly pictures blog, so here’s a pic of Marisa the witch.

Why I posted the Asus screenshot

Mon, 04 Jun 2012 23:01:09 -0400

So the big problem with Twitter is that only a tiny fraction of people who saw “the screenshot” will see this comment on it, because it already ricocheted off and I can’t attach this now. Nonetheless I hope this clears it up for at least somebody.

Why I posted the Asus screenshot even though a lot of people think it’s not worth ruffling feathers about:

Short version: I’m not accusing Asus of deserving the ninth circle of fiery sexist hell for being the worst people in the universe. I am asserting whoever specifically thought posting that would be a good idea of being creepy in a way totally inappropriate to a corporate account, and suggesting that people who don’t see the creepy factor may need to take a step back and reconsider their attitudes towards how women are portrayed to men in technology and how not-a-professional-model-who-hopefully-consented-to-this-picture women feel about how much the technology industry values them when they can’t read about a new laptop without being visually assaulted with “HAHA LADY-ARSE AMIRITE GUYS.” I’ve already been told by several people that it’s okay because laptops are for men. Think about that. I guess I need to surrender the several laptops I own to my husband, then?

~ ~ ~ ~ ~

Maybe today you saw the screenshot of the Asus computer company’s official twitter feed posting a picture of a woman’s rear end in lieu of a clear picture of one of their products, with a caption actually emphasizing that her rear end is the most obvious thing in the pic. She’s presumably in their employ but it does not look like she’s posing for the shot so much as someone just walked up while she was leaning forward and snapped a pic. Maybe she did pose, I don’t know. She’s next to a laptop. Or a tablet. Or a large phone? I really can’t tell, because again, the picture is of a woman’s posterior, NOT of the PRODUCT they are allegedly pitching. I saw the tweet when it was still fairly new and my spider sense told me to take a screenshot. A few minutes later it was deleted when someone at Asus caught on to all the negative comments, and I posted the screenshot with minimal comment so there would be a record of the event to back up what people were saying. It ended up on Gizmodo among other places, where the debate raged thick on whether or not this was “sexist” or indeed something even worth remarking on.

A provocative photograph is not inherently wrong, assuming the person in the picture consented to it. Hiring a lady to stand next to your unspecified product of productyness to smile and hand out brochures is not inherently wrong and she is not inherently in the wrong. Someone who happened to be wandering around the salesfloor and cracked a joke like “nice curves, on the phone too” would be pretty crass and I would not want to hang around with a person like that but it’s a personal-level thing, not an official one. A corporate twitter account - that’s official, and a lot more Serious Business than someone just making a comment on their personal account. Now, I understand that these things are often staffed by interns or whoever wasn’t too busy and may not have publicity training or whatever. So again, this is more against whichever Asus employee(s) specifically decided to snap the pic and post it that than against the corporation as a whole. While theoretically it may have been a woman, I’m going to use the male gender on a hunch. Dude: what were you thinking?

When I saw the picture and its caption, my only thought was “Ewwwwww, gross - so I guess Asus isn’t planning on selling any laptops to any women ever.” Remarks about the female body like that made in public are a major clue-in that the speaker is not respectful towards the female gender. It’s a total turn-off both in the literal sense and the broader, social one. “Right, this person isn’t courting my respect so no need to court theirs.”

There is a time and place for “sexy” marketing. Like, you know, when you’re selling something related to sex. Trying to show off a laptop (or a tablet or whatEVER it is, since may I remind you, I can’t clearly see it in the picture) by hiding it behind a woman bending over sends the message “we don’t have anything positive to say about our product so we’ll count on the trick of being sleazy to at least get SOMEBODY to look at it.” That’s not a conscious act of sexism against women, but it is a subconscious act of using women as a means to an end and apparently not even remembering that they buy laptops too and tend to find this sales tactic really off-putting. The sexism here is assuming that the female half of the potential customer population can be insulted and dismissed without consequence. Again, that’s not overt, deliberate sexism. That’s a manifestation of the male-by-default technology culture that doesn’t take women into account and then wonders why there’s so few women in technology.

I just know that someone’s going to say that if I were a man I’d totally get the joke and women need to stop overreacting. Now that is overt sexism, because it excuses the grating behavior of one gender and ignores the complaints of the other (and yes, this cuts both ways), but you probably didn’t know that I am bisexual and I find female posterior just as attractive as I presume men do. And yet, my reaction to that picture was “ewww,” because of the context of a corporation saying “lol arse” in an official corporate context while promoting their non-gender-specific, non-sexual products.

So the reason I posted the screenshot was not to call everyone to set their Asus electronics on fire and vow to see the corporation destroyed for their sins. It was to just show that yes, the technology industry has an attitude-towards-women problem and it’s sad and pretty creepy.

PS. People actually sent hate tweets to a young lady I know on Twitter because she commented on all this, calling her a whore and whatnot. I assume I was shielded because my account isn’t too obviously female (well, at the time I thought that a pink cartoon girl avatar was pretty feminine, but it turns out the internet assumes you’re a guy unless you have a photographic female avatar). Isn’t that just pathetic?

(Please direct all gender-shaming hatemail to my carefully read account at whoops I already deleted it dot com. Yeah, there isn’t anything you can say I haven’t already heard a thousand times for being a girl on the internet for over a decade.)

Analyzing Binaries with Hopper's Decompiler

Mon, 21 May 2012 13:35:00 -0400

by abadidea - @0xabad1dea

(this is now also on the corporate blog with an expanded introduction: clickie )

No source code? No problem!

This is aimed at beginners in static analysis. The binary we examine is non-malicious and non-obfuscated, and is not run through the highest optimization settings of the compiler. We will start at line one and proceed linearly, just to get a feel for how to read decompiled code.

For this tutorial you will need a strong knowledge of C, only the slightest familiarity with assembly, the ability to understand Unix man pages, and Hopper Disassembler/Decompiler, which is $29. It is only for OSX, but it is literally cheaper to buy a Mac Mini and Hopper than the (naturally more mature and well-featured) x86 Hex-Rays decompiler. Heck, you could get an iMac and still have change for a coffee.

Hopper is a disassembler with a very-close-to-C “pseudocode” decompiler that does not roundtrip with your C compiler but is quite good for examining other people’s binaries. It supports both 32-bit and 64-bit executables for Windows and OSX (no Linux or iOS/ARM support yet). At the time of writing, the newest version is 2.2.0; the App Store is still holding it hostage for review, but you can also buy the app directly from the creator. It is still under active development, and (like every other decompiler) is not perfect, so learning how to spot when it goes awry is an important facet of making use of it.

(I am not affiliated with Hopper or its creator nor am I receiving a handsome sum to promote it. Honest.)

We will be looking at an ancient piece of C code for Unix called metamail, which was a mimetype helper that received base64-encoded attachments from email clients and opened the appropriate viewing program. Having reviewed it before, I strongly recommend that you do not use it on a production system (not that there is any use for it in this millennium). The source code is yonder, but it is so old that I had to change a few functions to return 0 instead of void to get llvm to compile it for OSX. I also ran the strip utility to remove any debug symbol names of internal functions that may be there, which would make it too easy (you will almost never see these in distributed closed-source programs). Download my metamail binary here.

When you open metamail with the “Read Executable” button in the upper left, you will be dumped here:

This is the prologue before we reach C’s main. Skip down to the first call instruction. Place your cursor over the sub_1000018b0 symbol - the address of the first function called, which presumably is main - and press enter to jump to it.

We are now faced with a wall of inscrutable assembly, but there is no need to panic. In the upper right hand corner of Hopper is the magical Pseudo Code button. It will pop up a C-like reconstruction of the function.

External library functions will show their names just like in source code, and are your waypoints that will make it much easier to understand what’s going on. Internal functions will be named “sub” for “subroutine” followed by their address. Variables are “var” followed by a number. Hopper does not attempt to do much type guessing, nor does it completely write out the use of registers, although it collapses as much as it can manage. In a 32-bit program you will see eax, ebx, ecx, edx, esi, edi, ebp, esp, and in a 64-bit one you will also see rax, rbx, rcx, rdx, rsi, rdi, rbp, rsp and some unnamed registers that look like r<num>. In optimized code, you may also see partial registers ax, bx, cx, dx (16 bits) and ah/al, bh/bl, ch/cl, dh/dl (8 bits).

If you have never looked at assembly before, just know that the registers are named storage locations inside the processor itself, and compilers try to place variables into registers as much as possible because it is much faster than reading and writing RAM. esp/rsp refer to the top of the stack, ebp/rbp to the base of the current stack frame, and eax/rax is normally where a function’s return value is received. In the disassembly view of a function, you will normally see it move the stack pointer. This creates the storage area for the local variables. Rewriting these from relative offsets to the stack base to a name like var_40 is a nice thing that the decompiler view does for us.

The decompiler view does not support in-place text editing, and disassembly-view comments do not carry over to decompiliation view, so in the following screenshots I have copied the decompiled C to a code editor for annotating with explanatory comments. (You can also directly rename symbols in the disassembler view with ‘n’ when you have an idea what they’re for, but we won’t be doing that to keep the symbol name consistent across screenshots.) Let’s focus on this block for now (first screenshot is of the disassembly, second is of the decompilation):

Note that var_144 is set to a function pointer. Switching back to disassembly view, we see that the sub_100001620 pointer is first loaded into rcx and then copied from there to var_144 and then from there to rsi. See how the decompiler abstracted that for us? It’s then passed as the second argument to signal so that it will be set up as the handler for signal 0x2 (stored in var_156), which according to the documentation is SIGINT. Place your cursor on the sub_100001620 reference and press enter to see what function this is. Go ahead and annotate that it’s a signal handler.

Before worrying about anything else, we see several standard functions; another call to signal, followed by getpid and kill on the result of getpid, so we know already that the process is attempting to send itself a signal in its own signal handler.

Hopper does not yet support decoding function arguments (it currently shows “void” as a placeholder), but you can see by inspecting the function body that it assumes there is a value in rdi (on the x86-64 calling convention we are using, arguments in order are rdi, rsi, rdx, rcx, r8, r9) .We know from signaling documentation that handlers receive the integer value of the signal they are handling. We already know that it at the very least will be processing SIGINT, but there’s no reason this handler can’t be attached to other signals as well (spoiler alert: this will happen). Work through the rest of the function assuming var_24 has the value of 0x2.

We see that the handler calls another subroutine. Follow through in disassembler view to sub_100009c50 with enter (backspace will take you to your previous function).

Uh-oh. Things are getting uglier.

What on earth is 0x10000F988? It is a value with a fixed address, i.e. a global variable. If you hover over it in disassembly view, you will see that it has a default value of zero. With it highlighted, press ‘x’ to bring up the cross-reference window. Aside from the current spot, where it is being checked for zero, it is set to 1 in sub_100009bd0, which is… well, let us not worry about it for now, as we will quickly get into a mess of function calls. We now know that 0x10000F988 is a boolean flag. If it’s set, we are doing an ioctl with standard output and standard input. Don’t worry too much about what exactly it’s doing, as ioctl takes arbitrary values and does arbitrary things pretty much by definition (one would have to dig into the macros for the platform it was compiled against and do some bitwise math- which isn’t a productive use of our time until we’re sure that it’s important to the application logic and not just boilerplate, which, spoilers, it is). What we should note, though, is that ioctl is a variadic function, and as such will confuse the decompiler and create orphan variables in the disassembly view that may not even show up in the decompiler view. In this case, it loses sight of the fact that 0x10000F83E and 0x10000F838 are global variables (each moved into rdx before the call) being passed as the third arguments to ioctl. If we cross-reference them, we see that they are set in another small function almost identical to this one except it passes a different ioctl value… and sets the boolean flag we found earlier. It is reasonable at this point to assume it is obtaining and later pushing back at exit time the properties of standard input and output to reset the terminal. (If we cheat and check the source code, this is exactly what it is doing, in function RestoreTtyState.)

After annotating the function with what we’ve learned, it is much easier to understand.

Press backspace until we’re back in the signal handler at sub_100001620. We went on quite the little excursion just to determine that it’s pushing a stored terminal state. Picking up where we left off, we see that the handler takes the received signal number and reassigns it to a null handler pointer with signal(var_24, 0x0). This will cause the next raising of that signal to go to the default handler instead of a custom one. We can see it store the return value in var_8 and proceed to do exactly nothing with it. (This would probably disappear altogether on a high optimization setting.) Having changed the signal handler after calling the terminal reset function, it then resends the same signal to itself by calling kill on the value of getpid. The default handler will be raised with the propagated signal, which generally will result in process termination.

Isn’t that quite easy to understand? And we haven’t taken a single peak at any source code!

Alright, we will back up one more level back into main(). The next several lines are quite obvious: it’s just repeatedly setting up our signal handler for several different signals. Bla bla bla, skip down to the next chunk, which is more interesting:

getenv! The program checks for the METAMAIL_TMPDIR variable and, if found, points the global variable 0x10000f278 to the returned buffer. Otherwise, it points it to the constant string "/tmp". Next it checks MM_HEADERS. It gets the strlen of the buffer if it exists; note that in high optimization settings, strlen or strcpy is often inlined and you will not see an explicit function call to it, just a few lines of byte-copying right in the middle of the surrounding code. It mallocs a new buffer into var_160 that is the length of the MM_HEADERS string plus fifteen (0xf) extra bytes. Why? We don’t know yet.

If the malloc fails and returns zero, the program goes to sub_100006130 passing the global pointer variable 0x10000f270. Follow the global pointer and it dumps you to another pointer; follow it again and you get the string "Out of memory!". It is not hard to guess what this function will do.

It flips out and quits.

Backing up one - assuming the malloc was successful, we are going to sprintf something, and hence it becomes obvious that the extra fifteen bytes were to make room for the static string "MM_HEADERS=" and the trailing null. You may have noticed we are actually calling a wrapper that will land you in dynamic library purgatory if you try to follow it. We are not calling the real true sprintf; a theoretically more secure variation (int __sprintf_chk(char * str, int flag, size_t strlen, const char * format);) has automatically been substituted by the compiler. The seemingly mangled call is actually intentional. However… it specifies a security flag of zero and a max string length of MAXINT, so I am not sure how that is supposed to help anyone. Just ignore these flags as noise. That being said, since sprintf is a variadic function, the variadic part (in this case, the buffer stored at 0x10000f930) fell off the end. If you are not intimately familiar with printf format strings, it’s time to brush up- you need to understand them to correctly reconstruct calls and/or spot vulnerabilities in incorrect printf usage.

We haven’t gotten very far into the program at all, but we’ve covered quite a few different C paradigms and how they appear in a disassembly. Hopefully binaries now appear less inscrutable and less magical, and you understand why reverse engineers laugh in the face of programmers who think no-one will never understand their awesome secret keygen without the source code.

I may do some followup articles examining particularly interesting pieces of this moderately large program. With some practice, you can learn to read decompiled code very quickly and learn to spot boilerplate that can be skipped over. Thanks for reading :)