In Pursuit Of Laziness<br />
A blog about books, science, math, computers, and other random stuff!<br />
Manish Goregaokar<br />
<br />
Moving to a new blog (published 2015-05-02)<div dir="ltr" style="text-align: left;" trbidi="on">
I'm moving to an Octopress-based blog located <a href="http://manishearth.github.io/">here</a>.<br />
<br />
Blogger is nice, but a WYSIWYG interface isn't really my cup of tea -- I end up jumping between formatted and HTML view and still having skewed spacing and sizes (code formatting is also a pain). Markdown is easy to use and I don't need to bother with formatting.<br />
<br />
So long, and thanks for all the fish!</div>
Thoughts of a Rustacean learning Go (published 2015-02-20, updated 2015-03-09)<div dir="ltr" style="text-align: left;" trbidi="on">
So as many of you may know, I really like Rust and have been programming in it for nearly a year now.<br />
<br />
Recently, for a course I had to use Go. This was an interesting opportunity; Rust and Go have been compared a lot as the "hot new languages", and finally I'd get to see the other side of the argument.<br />
<br />
Before I get into the experience, let me preface this by mentioning that Rust and Go don't exactly target the same audiences. Go is garbage collected and is okay with losing out on some performance for ergonomics; whereas Rust tries to keep everything as a compile time check as much as possible. This makes Rust much more useful for lower level applications.<br />
<br />
In my specific situation, however, I was playing around with distributed systems via threads (or goroutines), so this fit perfectly into the area of applicability of both languages.<br />
<br />
<br />
This post isn't exactly intended to be a comparison between the two. I understand that as a newbie at Go, I'll be trying to do things the wrong way and make bad conclusions off of this. My way of coding may not be the "Go way" (I'm mostly carrying over my Rust style to my Go code since I don't know better); so everything may seem like a hack to me. Please keep this in mind whilst reading the post, and feel free to let me know the "Go way" of doing the things I was stumbling with.<br />
<br />
This is more of a sketch of my experiences with the language, specifically from the point of view of someone coming from Rust; used to the Rusty way of doing things. It might be useful as an advisory to Rustaceans thinking about trying the language out, and what to expect. Please don't take this as an attack on the language.<br />
<br />
<br />
<h2 style="text-align: left;">
<b>What I liked</b></h2>
Despite the performance costs, having a GC at your disposal after using Rust for very long is quite liberating. For a while my internalized borrow checker would throw red flags on me tossing around data indiscriminately, but I learned to ignore it as far as Go code goes. I was able to quickly share state via pointers without worrying about safety, which was quite useful.<br />
<br />
Having channels as part of the language itself was also quite ergonomic. <span style="font-family: "Courier New", Courier, monospace;">data <- chan</span> and <span style="font-family: "Courier New", Courier, monospace;">chan <- data</span> syntax is fun to use, and whilst it's not very different from <span style="font-family: "Courier New",Courier,monospace;">.send()</span> and <span style="font-family: "Courier New",Courier,monospace;">.recv()</span> in Rust, I found it surprisingly easy to read. Initially I got confused often by which side the channel was, but after a while I got used to it. It also has a built-in <span style="font-family: "Courier New", Courier, monospace;">select</span> block for selecting over channels (Rust has a macro).<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">gofmt</span>. The Go style of coding is different from the Rust one (tabs vs spaces, how declarations look), but I continued to use the Rust style because of the muscle memory (also too lazy to change the settings in my editor). <span style="font-family: "Courier New",Courier,monospace;">gofmt</span> made life easy since I could just run it in a directory and it would fix everything. Eventually I was able to learn the proper style by watching my code get corrected. I'd love to see a <span style="font-family: "Courier New",Courier,monospace;">rustfmt</span>, in fact, this is one of the <a href="https://wiki.mozilla.org/Community:SummerOfCode15#Rust">proposed Summer of Code projects under Rust</a>!<br />
<br />
<br />
Go is great for debugging programs with multiple threads, too. It can detect deadlocks and post traces for the threads (with metadata including what code the thread was spawned from, as well as its current state). It also posts such traces when the program crashes. These are great and saved me tons of time whilst debugging my code (which at times had all sorts of cross interactions between more than ten goroutines in the tests). Without a green threading framework, I'm not sure how easy it will be to integrate this into Rust (for debug builds, obviously), but I'd certainly like it to be.<br />
<br />
Go has really great <strike>green threads</strike> goroutines. They're rather efficient (I can spawn a thousand and it schedules them nicely), and easy to use.<br />
<br />
<i>Edit: Andrew Gallant reminded me about Go's testing support, which I'd intended to write about but forgot.</i><br />
<br />
Go has really good built-in support and tooling for tests (Rust does too). I enjoyed writing tests in Go quite a bit due to this.<br />
<br />
<br />
<h2 style="text-align: left;">
<b>What I didn't like</b></h2>
<br />
Sadly, there are a lot of things here, but bear in mind what I mentioned above about me being new to Go and not yet familiar with the "Go way" of doing things.<br />
<br />
<h4 style="text-align: left;">
No enums</h4>
<div style="text-align: left;">
Rust has enums, which are basically tagged unions. Different variants can contain different types of data, so we can have, for example:<br />
</div>
<pre class="prettyprint lang-rust">enum Shape {
Rectangle(Point, Point),
Circle(Point, u8),
Triangle(Point, Point, Point)
}
</pre>
<div style="text-align: left;">
<br />
and when matching/destructuring, you get type-safe access to the contents of the variant.<br />
<br />
This is extremely useful for sending typed messages across channels. For example, in Servo we use such an enum for sending <a href="https://github.com/servo/servo/blob/d5dd1d658e5d79701fb9d028479a0fcb26a033fa/components/script/dom/xmlhttprequest.rs#L100">details about the progress of a fetch to the corresponding XHR object</a>. <a href="https://github.com/servo/servo/blob/d5dd1d658e5d79701fb9d028479a0fcb26a033fa/components/msg/constellation_msg.rs#L198">Another such enum</a> is used for communication between the constellation and the compositor/script.<br />
<br />
This gives us a great degree of type safety; I can send messages with different data within them, however I can only send messages that the other end will know how to handle since they must all be of the type of the message enum.<br />
<br />
In Go there's no obvious way to get this. On the other hand, Go has the type called <span style="font-family: "Courier New",Courier,monospace;">interface {}</span> which is similar to <span style="font-family: "Courier New",Courier,monospace;">Box<Any> </span>in Rust or <span style="font-family: "Courier New",Courier,monospace;">Object</span> in Java. This is a pointer to any type, with the ability to match on its type. As a Rustacean I felt incredibly dirty using this, since I expected that there would be an additional vtable overhead. Besides, this works for any type, so I can always accidentally send a message of the wrong type through a channel and it'll end up crashing the other end at runtime since it hit a <span style="font-family: "Courier New",Courier,monospace;">default:</span> case.<span style="font-family: Arial, Helvetica, sans-serif;"> </span><br />
<br />
Of course, I could implement a custom interface <span style="font-family: "Courier New", Courier, monospace;">MyMessage</span> on the various types, but this will behave exactly like <span style="font-family: "Courier New", Courier, monospace;">interface{}</span> (implemented on all types) unless I add a dummy method to it, which seems hackish. This brings me to my next point:<br />
<br />
<h4>
Smart interfaces</h4>
<div style="text-align: left;">
This is something many would consider a feature in Go, but from the point of view of a Rustacean, I'm rather annoyed by this.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
In Go, interfaces get implemented automatically if a type has methods of a matching signature. So an interface with no methods is equivalent to <span style="font-family: "Courier New", Courier, monospace;"><span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">interface{}</span></span></span>; and will be implemented on all types automatically. This means that we can't define "marker traits" like in Rust that add a simple layer of type safety over methods. It also means that interfaces can only be used to talk of code level behavior, not higher level abstractions. For example, in Rust we have the <span style="font-family: "Courier New",Courier,monospace;"><a href="http://doc.rust-lang.org/std/cmp/trait.Eq.html">Eq</a></span> trait, which uses the same method as <span style="font-family: "Courier New",Courier,monospace;"><a href="http://doc.rust-lang.org/std/cmp/trait.PartialEq.html">PartialEq</a></span> for equality (<span style="font-family: "Courier New", Courier, monospace;">eq(&self, &other)</span>), and the behavior of that method is exactly the same, however the two traits mean fundamentally different things: A type implementing <span style="font-family: "Courier New",Courier,monospace;">PartialEq</span> has a normal equivalence relation, whilst one that also implements <span style="font-family: "Courier New",Courier,monospace;">Eq</span> has a full equivalence relation. From the point of view of the code, there's no difference between their behavior. But as a programmer, I can now write code that only accepts types with a full equivalence relation, and exploit that guarantee to optimize my code.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Again, having interfaces be autoimplemented on the basis of the method signature is a rather ergonomic feature in my opinion and it reduces boilerplate. It's just not what I'm used to and it restricts me from writing certain types of code.<br />
<br />
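The typed-message problem from the two sections above, as an added example that is not code from the original post: a Go message interface with an unexported marker method (the "dummy method" workaround) next to the `interface{}` receiver. `ShapeMsg`, `Describe`, `DescribeAny` and `Collect` are hypothetical names, and the variants mirror the Rust `Shape` enum shown earlier.

```go
package main

import (
	"errors"
	"fmt"
)

// Point and the three variants mirror the Rust Shape enum from the post.
type Point struct{ X, Y int }

// ShapeMsg is a hypothetical message interface. Its unexported marker method
// is the "dummy method": only types in this package that declare it satisfy
// ShapeMsg, so a chan ShapeMsg rejects strings, ints and other unrelated
// values at compile time, which a chan interface{} does not.
type ShapeMsg interface{ isShapeMsg() }

type Rectangle struct{ A, B Point }
type Circle struct {
	Center Point
	Radius uint8
}
type Triangle struct{ A, B, C Point }

func (Rectangle) isShapeMsg() {}
func (Circle) isShapeMsg()    {}
func (Triangle) isShapeMsg()  {}

// Describe destructures a message with a type switch. Go does not check the
// switch for exhaustiveness, so the default arm turns a forgotten variant
// into an error value instead of a crash.
func Describe(m ShapeMsg) (string, error) {
	switch s := m.(type) {
	case Rectangle:
		return fmt.Sprintf("rectangle %v-%v", s.A, s.B), nil
	case Circle:
		return fmt.Sprintf("circle at %v r=%d", s.Center, s.Radius), nil
	case Triangle:
		return fmt.Sprintf("triangle %v %v %v", s.A, s.B, s.C), nil
	default:
		return "", errors.New("unhandled ShapeMsg variant")
	}
}

// DescribeAny is the interface{} receiver: any value can arrive, so the
// type check moves to run time.
func DescribeAny(v interface{}) (string, error) {
	m, ok := v.(ShapeMsg)
	if !ok {
		return "", fmt.Errorf("not a shape message: %T", v)
	}
	return Describe(m)
}

// Collect sends msgs through a typed channel from a goroutine and describes
// each one on the receiving side.
func Collect(msgs []ShapeMsg) []string {
	ch := make(chan ShapeMsg)
	go func() {
		defer close(ch)
		for _, m := range msgs {
			ch <- m
		}
		// ch <- "oops" // would not compile: string does not implement ShapeMsg
	}()
	var out []string
	for m := range ch {
		d, err := Describe(m)
		if err != nil {
			d = err.Error()
		}
		out = append(out, d)
	}
	return out
}

func main() {
	fmt.Println(Collect([]ShapeMsg{Rectangle{Point{0, 0}, Point{2, 3}}, Circle{Point{1, 1}, 5}}))
}
```

The marker method restores the compile-time check on what can be sent, but unlike a Rust `match` the type switch is still not checked for missing variants.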
<h4 style="text-align: left;">
Packages and imports</h4>
<div style="text-align: left;">
Go puts severe restrictions on where I can put my files. All files in a folder are namespaced into the same package (if you define multiple packages in one folder it errors out). There's no way to specify portable relative paths for importing packages either. To use a package defined in an adjacent folder, I had to do <a href="https://github.com/Manishearth/cs733/blob/master/assignment2/kvstore/server.go#L5">this</a>, whereas in Rust (well, Cargo), it is easy to specify relative paths to packages (crates) <a href="https://github.com/servo/servo/blob/master/components/script/Cargo.toml#L19">like so</a>. The import also only worked if I was developing from within my <span style="font-family: "Courier New", Courier, monospace;">$GOPATH</span>, so my code now resides within <span style="font-family: "Courier New", Courier, monospace;">$GOPATH/src/github.com/Manishearth/cs733/</span>; and I can't easily work on it elsewhere without pushing and running <span style="font-family: "Courier New", Courier, monospace;">go get</span> every time.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Rust's module system <a href="http://doc.rust-lang.org/book/crates-and-modules.html">does take hints from the file structure</a>, and it can get confusing, however the behavior can be nearly arbitrarily overridden if necessary (you can even do <a href="https://twitter.com/horse_rust/status/517408273750704128">scary things like this</a>).<br />
</div>
<h4 style="text-align: left;">
Documentation</h4>
<div style="text-align: left;">
Rust's libraries aren't yet well documented, agreed. But this is mostly because the libraries are still in flux and will be documented once they settle. We even have the awesome <a href="https://github.com/steveklabnik">Steve Klabnik</a> working on improving our documentation everywhere. And in general caveats are mentioned where important, even in unstable libraries.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Go, on the other hand, has stable libraries, yet the documentation seems skimpy at places. For example, for the methods which read till a delimiter in <a href="http://golang.org/pkg/bufio/">bufio</a>, it was rather confusing if they only return what has been buffered till the call, or block until the delimiter is found. Similarly, when it comes to I/O, the blocking/non-blocking behavior really should be explicit; similar to what <span style="font-family: "Courier New",Courier,monospace;"><a href="http://doc.rust-lang.org/std/sync/mpsc/struct.Sender.html">Sender</a> </span>and <span style="font-family: "Courier New",Courier,monospace;"><a href="http://doc.rust-lang.org/std/sync/mpsc/struct.Receiver.html">Receiver</a></span> do in their documentation.</div>
<div style="text-align: left;">
<br /></div>
<h4 style="text-align: left;">
Generics</h4>
<div style="text-align: left;">
This is a rather common gripe -- Go doesn't have any generics aside from its builtins (<span style="font-family: "Courier New",Courier,monospace;">chan</span>s, arrays, slices, and maps can be strongly typed). Like my other points about enums and interfaces, we lose out on the ability for advanced type safety here.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Overall it seems like Go doesn't really aim for type safe abstractions, preferring runtime matching of types. That's a valid choice to make, though from a Rust background I'm not so fond of it.</div>
<div style="text-align: left;">
<br /></div>
<h4 style="text-align: left;">
Visibility</h4>
</div>
</div>
<div style="text-align: left;">
Visibility (public/private) is done via the capitalization of the field, method, or type name. This sort of restriction doesn't hinder usability, but it's quite annoying.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
On the other hand, Rust has a keyword for exporting things, and whilst it has style recommendations for the capitalization of variable names (for good reason -- you don't want to accidentally replace an enum variant with a wildcard-esque binding in a <span style="font-family: "Courier New", Courier, monospace;">match<span style="font-family: Arial, Helvetica, sans-serif;">, for example)</span></span>, it doesn't error on them or change the semantics in any way, just emits a warning. On the other hand, in Go the item suddenly becomes private.</div>
<div style="text-align: left;">
<br />
<br />
<h3>
Conclusion</h3>
<div style="text-align: left;">
A major recurring point is that Go seems to advocate runtime over compile time checking, something which is totally opposite to what Rust does. This is not just visible in library/language features (like the GC), but also in the tools that are provided — as mentioned above, Go does not give good tools for creating type safe abstractions, and the programmer must add dynamic matching over types to overcome this. This is similar to (though not the same as) what languages like Python and Javascript advocate, however these are generally interpreted, not compiled (and come with the benefits of being interpreted), so there's a good tradeoff.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Go isn't a language I intend to use for personal projects in the near future. I liked it, but there is an overhead (time) to learning the "Go way" of doing things, and I'd prefer to use languages I already am familiar with for this. This isn't a fault of the language, it's just that I'm coming from a different paradigm and would rather not spend the time adjusting, especially since I already know languages which work equally well (or better) to its various fields of application.<br />
<br />
I highly suggest you at least try it once, though! </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
</div>
<div style="text-align: left;">
<br /></div>
</div>
Superfish, and why you should be worried (published 2015-02-18, updated 2015-02-20)<div dir="ltr" style="text-align: left;" trbidi="on">
<i>I'll be updating this post as I get more information.</i><br />
<br />
<i>For non-techies, skip to the last paragraph of the post for instructions on how to get rid of this adware.</i><br />
<br />
Today a rather severe vulnerability on certain Lenovo laptops was discovered.<br />
<br />
<br />
Software (well, adware) called "Superfish" came preinstalled on some of their machines (it seems like it's the Yoga series).<br />
<br />
<br />
The software ostensibly <a href="https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/m-p/1863174#M79882">scans images of products on the web to provide the user with alternative (perhaps cheaper) offers</a>. Sounds like a mix of annoying and slightly useful, right?<br />
<br />
<br />
Except to achieve this, they do something extremely unsafe. <a href="https://twitter.com/shaver/status/568216937181749248">They install a new root CA certificate into the Windows certificate store</a>. The software works via a local proxy server which does a man in the middle attack on your web requests. Of course, most websites of importance these days use HTTPS, so to be able to successfully decrypt and inject content on these, the proxy needs to have the ability to issue arbitrary certificates. <a href="https://twitter.com/fugueish/status/568258997578371072">It's a single certificate as far as we can tell</a> (you can find it <a href="https://bug1134506.bugzilla.mozilla.org/attachment.cgi?id=8566372">here</a> in plaintext form).<br />
<br />
<a href="https://twitter.com/kennwhite/status/568299064929832960">It also leaves the certificate in the system even if the user does not accept the terms of use</a>. <br />
<br />
This means that a nontrivial portion of the population has an untrusted certificate on their machines. <br />
<br />
It's actually worse than that, because to execute the MITM attack, the proxy server should have the private key for that certificate.<br />
<br />
So a nontrivial portion of the population has the private key to said untrusted certificate. <i>Anyone</i> owning one of these laptops who has some reverse engineering skills has the ability to intercept, modify, and duplicate the connections of anyone else owning one of these laptops. Bank logins, email, credit card numbers, <i>everything</i>. One usually needs physical proximity or control of a network to do this right, but it's quite feasible that this key could be sold to someone who has this level of access (e.g. a secretly evil ISP). Update: The key is now <a href="https://twitter.com/ydklijnsma/status/568390533749604352">publicly known</a>.<br />
<br />
This is really bad.<br />
<br />
Installing random crapware on laptops is pretty much the norm now; and that's not the issue. Installing crapware which causes a huge security vulnerability? No thanks. What's especially annoying is their <a href="https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/m-p/1863174#M79882">attitude towards it</a>; they haven't even acknowledged the security hole they've caused.<br />
<br />
The EFF has a rather nice article on this <a href="https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops">here</a>.<br />
<br />
<strike>As far as we can tell, Firefox isn't affected by this since it maintains its own root CA store, however we are still <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1134506">trying to verify this</a>, and will see if we can block it in case Firefox <i>is</i> affected, for example, if Superfish installs the cert in Firefox as well. If you have an affected system and can provide information about this, feel free to comment on that bug or tweet at <a href="https://twitter.com/ManishEarth">@ManishEarth</a>.</strike><br />
<strike><br /></strike>
<strike>The application seems to <a href="https://twitter.com/supersat/status/568343079268327424">detect Firefox</a> and <a href="https://twitter.com/ETFovac/status/568361253002977281">install some add ons as well as the certificate</a>. We're <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1134506">looking into this</a>, further insights would be valuable.</strike><br />
<br />
Superfish does <a href="https://bug1134506.bugzilla.mozilla.org/attachment.cgi?id=8566794">NOT infect Firefox.</a><br />
<br />
Chrome <a href="http://www.chromium.org/Home/chromium-security/root-ca-policy">uses the OS's root CA store</a>, so it is affected. So is IE.<br />
<br />
It turns out that internally they're using something called <a href="http://marcrogers.org/2015/02/19/will-the-madness-never-end-komodia-ssl-certificates-are-everywhere/">Komodia</a> to generate the MITM; and Komodia uses a similar (broken) framework everywhere -- the private key is bundled with it; and the password is "komodia". <br />
<br />
<strike>If you have friends at Microsoft who can look into this, please see if a hotfix can be pushed, blacklisting the certificate. Whilst it is possible for an "arms race" to happen between Superfish and Windows, it's unlikely since there's more scrutiny now and it would just end up creating more trouble for Superfish. The main concern right now is that rogue root CA cert is installed on many laptops, and the privkey is out there too. </strike><br />
<br />
<br />
Update: <a href="http://www.theverge.com/2015/2/20/8077033/superfish-fix-microsoft-windows-defender">Microsoft has pulled the program and certificates via Windows Defender</a>! Yay! Firefox is probably going to follow suit -- now that the program itself should be gone, blacklisting the certificate won't make infected users have unusable browsers. <br />
<br />
If you own a Lenovo laptop that came preinstalled with Windows (especially one of <a href="https://twitter.com/kennwhite/status/568492133663027202">these models</a>), please check in your task manager for an app called "VisualDiscovery" or "Superfish". <a href="http://malwaretips.com/blogs/superfish-window-shopper-adware/#uninstall">Here's a small guide on how to do this.</a> It's slightly outdated, but the section on uninstalling the program itself should work. Then, follow the steps <a href="http://support.microsoft.com/KB/293819">here</a> to remove all certificates with the name "Superfish" from the root store. Then go and change all your passwords; and check your bank history amongst other things (/email/paypal/etc) for any suspicious transactions. Chances are that you haven't been targeted, but it's good to be sure.<br />
<br />
Alternatively, open Windows Defender, update and scan. There are more methods <a href="http://security.stackexchange.com/q/82056/7497">here</a></div>
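The root-store check from the removal steps above, as an added example that is not part of the original post: this Go sketch audits a PEM export of a trust store for certificates named "Superfish" and shows that a server certificate issued by the flagged root stops verifying once that root is dropped. The two roots and the `shop.example.test` certificate are constructed in memory for the demo, and `AuditRoots`, `Finding`, `issue` and `Demo` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one trusted root whose subject or issuer matched the search term.
type Finding struct{ Subject, SHA256 string }

// AuditRoots parses a PEM bundle of trusted roots, reports each certificate whose
// subject or issuer contains needle, and returns a pool of the roots that did not.
func AuditRoots(bundle []byte, needle string) ([]Finding, *x509.CertPool, error) {
	var found []Finding
	clean := x509.NewCertPool()
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return found, clean, nil // no more PEM blocks
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, fmt.Errorf("bad certificate in bundle: %w", err)
		}
		names := strings.ToLower(cert.Subject.String() + "|" + cert.Issuer.String())
		if strings.Contains(names, strings.ToLower(needle)) {
			sum := sha256.Sum256(cert.Raw)
			found = append(found, Finding{cert.Subject.String(), hex.EncodeToString(sum[:])})
			continue
		}
		clean.AddCert(cert)
	}
}

// issue makes a constructed test cert: a self-signed CA if parent is nil, else a server cert.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Demo audits a constructed two-root store and verifies a leaf before and after cleaning.
func Demo() (flagged int, trustedBefore, trustedAfter bool, err error) {
	goodCA, _ := issue("Constructed Example Root CA", nil, nil)
	badCA, badKey := issue("Constructed Superfish-like Root", nil, nil)
	leaf, _ := issue("shop.example.test", badCA, badKey)
	var bundle []byte
	full := x509.NewCertPool()
	for _, c := range []*x509.Certificate{goodCA, badCA} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
		full.AddCert(c)
	}
	found, clean, err := AuditRoots(bundle, "superfish")
	if err != nil {
		return 0, false, false, err
	}
	verify := func(roots *x509.CertPool) bool {
		_, e := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "shop.example.test"})
		return e == nil
	}
	return len(found), verify(full), verify(clean), nil
}

func main() { fmt.Println(Demo()) }
```

A name match is only a lead: record the SHA-256 fingerprint of each finding and compare it against the certificate published in the linked bug before removing anything.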
Mozlandia! (published 2015-01-01)<div dir="ltr" style="text-align: left;" trbidi="on">
Three weeks ago I was in Portland for Mozilla's <a href="https://wiki.mozilla.org/Portland_coincidental_work_week">Portland coincidental work week</a>, dubbed "Mozlandia".<br />
<br />
In Mozilla, a lot of the teams have members scattered across the globe. Work weeks are a way for team members to discuss/hack together and get to know each other better. This one was a bit special; it was all Mozilla teams having a simultaneous work week in Portland, so that the teams get a chance to work with each other.<br />
<br />
This was my first large Mozilla event outside of the country. I was there as a member (volunteer) of the <a href="https://github.com/servo/servo/">Servo</a> team, and it was my first time meeting almost everyone there. This meant that I got to enjoy the experience of seeing my perception of various people move from an amorphous blob of username (in some cases, a face too) to an actual human being :P<br />
<br />
I've always thought that I'm able to interact well with people online — perhaps even better than I do in person! I've spent a lot of time with various online communities (Wikipedia, Stack Exchange, Mozilla), and I've never had trouble communicating there. However, meeting everyone in person was a really awesome experience and I was pleasantly surprised to realize that this makes it easier for me to interact with them online; something I didn't think was possible.<br />
<div>
<br /></div>
<div>
<br /></div>
Initially, I'd felt a bit skeptical about the "coincidental" bit of the work week; while I wanted to meet Mozillians outside of my team, I was worried that with all the cross team discussions (and other activities) we wouldn't really get any time to focus on Servo. However, it turned out great — the cross team discussions were <i>very</i> productive and we got lots of time to ourselves as well.<br />
<br />
<br />
On the first two days there were all-hands sessions (talks) in the morning. These were quite insightful, clearing up many questions on the future goals of Mozilla, and being inspiring in general. <a href="http://www.jpl.nasa.gov/about/bio_muirhead.php">Brian Muirhead</a>'s guest talk about landing a rover on Mars was particularly enjoyable. A rather interesting thing was brought up in <a href="https://twitter.com/dherman76">Darren Herman</a>'s talk — Mozilla is going to start trying to make advertising on the Internet more enjoyable for consumers, rather than trying to just fight it outright. I'm not entirely sure what I feel about this, but they seem to be on the right track with the sponsored tiles on the new tab page; these tiles can be hidden/changed/pinned and aren't obtrusive at all (nor do they detract from the experience of surfing since they're on a page which used to be blank).<br />
<br />
I personally did a variety of things at the workweek:<br />
<br />
<br />
<ul style="text-align: left;">
<li>I worked with <a href="https://github.com/seanmonstar">Sean McArthur</a> on getting his <a href="https://github.com/servo/servo/pull/4065">Hyper</a> integration to work on Android (We finally <a href="https://github.com/servo/servo/pull/4198">got it to work!)</a>. I started out knowing nothing about the Android environment/NDK; now I'm much more comfortable.</li>
<li>There was <a href="https://gist.github.com/Manishearth/2ba0099663717b71d273">an awesome session</a> organized by <a href="https://twitter.com/mhoye">Mike Hoye</a> on helping new volunteer contributors get involved in your project. One of the major reasons I contribute to Mozilla is that they have by far the most welcoming and helpful system for newbies I've seen in any open source project. Mike gave a great introduction to the topic; covering a lot of ground on what we do well, and more importantly what we don't. <a href="http://twitter.com/lastonetheboat">Josh Matthews</a> and <a href="http://twitter.com/mike_conley">Mike Conley</a> outlined what makes a good mentored bug; and what makes a good mentor. There were various other talks outlining experiences with new contributors and lessons learned (including mine). The success stories by Joel Maher and Margaret Leibovic were particularly inspiring; both of their teams have managed to get a lot of effective community involvement. After the session a couple of us had a fun discussion over lunch on how we should move forward with this and make the newbie experience better. Mozilla may be the best at onboarding new contributors, but there still is a lot of room for improvement.</li>
<li>I was also part of a discussion on <a href="http://doc.rust-lang.org/guide-plugin.html">Rust's compiler plugins</a>. Rust provides hooks for writing custom syntax extensions and lints that can run arbitrary expansion/analysis on the <a href="http://en.wikipedia.org/wiki/Abstract_syntax_tree">AST</a> at compile time. However, the API is unstable since it deals with compiler internals. We discussed if it would be possible to somehow get a subset of this working for 1.0 (Rust 1.0 has <a href="http://blog.rust-lang.org/2014/10/30/Stability.html">strict backwards-compatibility requirements</a>). We also discussed the future of Rust's serialization support (currently based on builtin syntax extensions and rather broken). Hopefully future Rust (though not 1.0) will have support for an evolved form of <a href="https://github.com/erickt/rust-serde">Erick's serde library</a>.</li>
<li>We had a <a href="https://github.com/servo/servo/wiki/Mozlandia-WPT">couple</a> <a href="https://github.com/servo/servo/wiki/Mozlandia-Automation">of</a> discussions with the Automation team on testing, including performance/power tests. These were quite productive. I also had some interesting side discussions with Joel on performance testing; I'm now planning to see if I can improve performance in Servo by statically checking for things like unnecessary copies via the lint system.</li>
<li>I was part of the discussion in <a href="https://github.com/servo/servo/wiki/Mozlandia-Rust-In-Gecko">replacing some component of Firefox with one written in Rust</a>. We were quite apprehensive about this discussion; expecting all sorts of crazy requirements — apparently the build team <a href="http://gregoryszorc.com/blog/2014/12/04/a-crazy-day/">was tempted</a> to tell some horror stories but fortunately held back :P. In the end, it turned out okay — the requirements were quite reasonable and we're rather optimistic about this project.</li>
<li>I also helped <a href="https://github.com/eddyb">Eddy</a> on his crazy project to polyfill the polyfill for <a href="https://www.polymer-project.org/">web components/Polymer</a> so that it works in Servo.</li>
</ul>
<div>
Besides the major things listed above; there were tons of side discussions that I had on various topics which were rather helpful.</div>
<div>
<br /></div>
<div>
<br />
The week ended with a great party (which had a performance by Macklemore & Ryan Lewis!).<br />
<br />
Overall, this was quite a fun and enriching experience. I hope I'll be able to participate in such events in the future!</div>
<br />
<br /></div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-67888115407119397182014-07-22T20:55:00.001-07:002014-07-22T20:55:10.142-07:00200, and more!<div dir="ltr" style="text-align: left;" trbidi="on">
After my <a href="http://inpursuitoflaziness.blogspot.in/2014/04/50-more-shades-of-green.html">last post on my running GitHub streak</a>, I've pretty much continued to contribute to the same projects, so I didn't see much of a point of posting about it again — the fun part about these posts is talking about all the new projects I've started or joined. However, this time an arbitrary base-ten milestone comes rather close to another development on the GitHub side which is way more awesome than a streak; hence the post.<br />
<div>
<br /></div>
<div>
Firstly, a screenshot:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcKsga_WNuOxlpkJI9z8f9dTRKOnMGlK4uoLyC8LWGpuVvtMb-VYU-Y5kPRuWkP1wwEODEWjs8-k92vSYey5NXRDsl2RxdFLBSqiZTqmMADNemxl1UaKCjZ7Ry-YrS2CfwRI43ORZu4Ec/s1600/Screenshot+from+2014-07-23+07:11:22.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcKsga_WNuOxlpkJI9z8f9dTRKOnMGlK4uoLyC8LWGpuVvtMb-VYU-Y5kPRuWkP1wwEODEWjs8-k92vSYey5NXRDsl2RxdFLBSqiZTqmMADNemxl1UaKCjZ7Ry-YrS2CfwRI43ORZu4Ec/s1600/Screenshot+from+2014-07-23+07:11:22.png" height="170" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">I wish there was more dark green</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
Now, let's have a look at <a href="https://github.com/servo/servo/commit/ae5093ed4fafcce7b515454a0e53f9ccd40d5735">the commit that made the streak reach 200</a>. That's right, it's a <i>merge </i>commit to Servo — something which is created for the collaborator who merges the pull request<sup>1</sup>. Which is a great segue into the second half of this post:<br />
<br />
I now have commit/collaborator access to <a href="https://github.com/servo/servo">Servo</a>. :D<br />
<br />
It happened around a week back. Ms2ger needed a reviewer, Lars mentioned he wanted to get me more involved, I said I didn't mind reviewing, and in a few minutes I was reviewing a pull request for the first time. A while later I had push access.<br />
<br />
This doesn't change my own workflow while contributing to Servo, since everyone still goes through pull requests and reviews. But it gives a much greater sense of belonging to a project. Which is saying something, since Mozilla projects already give one a sense of being "part of the team" rather early on, with the ability to attend meetings, take part in decision-making, and whatnot.<br />
<br />
I also now get to review others' code, which is a rather interesting exercise. I haven't done much reviewing before. Pull requests to my own repos don't count much since they're not too frequent and if there are small issues I tend to just merge and fix. I do give feedback for patches on Firefox (mostly for the ones I mentor or if asked on IRC), but in this situation I'm not saying that the code is worthy to be merged; I'm just pointing out any issues and/or saying "Looks good to me".<br />
<br />
With Servo, code I review and mark as OK is ready for merging. Which is a far bigger responsibility. I make mistakes (and style blunders) in my own code, so marking someone else's code as mistake free is a bit intimidating at first. Yes, everyone makes mistakes and yet we have code being reviewed properly, but right now I'm new to all this, so I'm allowed a little uncertainty ;) Hopefully in a few weeks I'll be able to review code without overthinking things <i>too</i> much.<br />
<br />
<hr />
<br />
In other GitHub-ish news, a freshman of my department <a href="https://github.com/Manishearth/IIT-Timetable/pull/12">submitted a very useful pull request to one of my repos</a>. This makes me happy for multiple reasons: I have a special fondness for student programmers who are not from CS (not that I don't like CS students), being one myself. Such students face an extra set of challenges of finding a community, learning the hard stuff without a professor, and juggling their hobby with normal coursework (though to be fair for most CS students their hobby programming rarely intersects with coursework either).<br />
<br />
Additionally, the culture of improving tools that you use is one that should be spread, and it's great that at least one of the new students is a part of this culture. Finally, it means that people use my code enough to want to add more features to it :)
<br />
<br />
<sup>1. I probably won't count this as part of my streak and make more commits later today. Reviewing is hard, but it doesn't exactly take the place of writing actual code so I may not count merge commits as part of my personal commit streak rules.</sup>
</div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-82739633306336672672014-04-21T13:17:00.001-07:002014-06-21T03:02:00.615-07:00The battle against self-xss<div dir="ltr" style="text-align: left;" trbidi="on">
In the past few months I've been helping fight a rather interesting attack vector dubbed "self-XSS" by the Facebook security team. It's been a rather fun journey.<br />
<br />
<h3 style="text-align: left;">
What is XSS?</h3>
<div>
XSS, or <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)">Cross-site scripting</a>, is a category of attack where the attacker is able to inject JavaScript code onto a page viewed by others. A very simple example would be if Wikipedia allowed the <span style="font-family: Courier New, Courier, monospace;">script</span><span style="font-family: inherit;"> tag to be used in wikicode. Someone could edit a malicious script onto the page that logs the current user out (or worse).</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">Most modern XSS vulnerabilities have to do with improper sanitization; though in the past there used to be browser bugs related to XSS.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<h3 style="text-align: left;">
<span style="font-family: inherit;">What is self-XSS?</span></h3>
<div>
<span style="font-family: inherit;">Self-xss is when the users themselves serve as the attack vector; they willfully copy untrusted code and execute it (via the JavaScript console). This is a social engineering attack which is becoming increasingly common on sites like Facebook. The basic mode of attack is to convince the user that the code does something awesome (e.g. gives access to a hidden feature), and the users do the rest. With social networking sites, the code can even re-share the original post, leading to an exponentially increasing footprint.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
There's a nice video explanation of the attack from one of Facebook's engineers <a href="https://www.facebook.com/photo.php?v=956977232793">here</a>. An example of the attack being used on bank websites is <a href="http://www.nytimes.com/2011/06/14/technology/14security.html?src=recg&pagewanted=all&_r=0">here</a>.</div>
<h3 style="text-align: left;">
The battle</h3>
<div>
In May 2011, <a href="http://code.google.com/p/chromium/issues/detail?id=82181">Chromium</a> landed a fix that strips the <span style="font-family: Courier New, Courier, monospace;">javascript:</span><span style="font-family: inherit;"> from javascript URLs <i>pasted</i> (or dropped) into the omnibox, and <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=656433">Firefox</a> landed a fix that stopped such URLs from being used from the URL bar at all. This (partially) fixes the attack mentioned in the video, though for Chrome it is possible to ask users to do something convoluted like "type j and then paste" to get it to work. This doesn't make Chrome's solution impotent, however -- more on this later.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">After a while, scammers switched to the JavaScript console for their attacks. This went on for a while.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">In July, <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=664589">discussions started</a> on Mozilla on how to fix this for the console. <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=664589#c34">One prominent solution</a> was to use the <a href="https://developer.mozilla.org/en-US/docs/Web/Security/CSP">Content Security Policy</a> (CSP) to let websites ask the browser to disable the console. More on this on a blog post by Joe Walker <a href="http://incompleteness.me/blog/2011/12/14/combating-self-xss/">here</a>.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">(CSP lets websites ask the browser to disable some features, like cross-origin script loading. With this the site can greatly hamper XSS and other similar attacks provided that they structure their own code to follow the CSP.)</span></div>
<div>
<br /></div>
<div>
For a while, discussions went on (<a href="https://bugzilla.mozilla.org/showdependencytree.cgi?id=971598&hide_resolved=1">tree of relevant bugs</a>, if you're interested), though as far as I can tell nothing concrete was implemented.</div>
<div>
<br /></div>
<div>
In February 2014, <a href="http://stackoverflow.com/a/21693931/1198729">Facebook applied a modified version</a> of <a href="http://kspace.in/blog/2013/02/22/disable-javascript-execution-from-console/">this trick</a> to Chrome's console and enabled this change for a subset of the users. When one opens the console, one is greeted with this message:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://i.stack.imgur.com/Wiatp.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://i.stack.imgur.com/Wiatp.png" height="170" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">From <a href="http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools">Stack Overflow</a>, by <a href="http://stackoverflow.com/users/283863/derek">Derek</a></td></tr>
</tbody></table>
<div>
Trying to execute any code would result in the error message at the bottom. Fortunately, the link given there gave developers the ability to turn the console back on. (<a href="https://news.ycombinator.com/item?id=7350818">Netflix later copied this "feature"</a>, unfortunately without the opt-out.)</div>
<div>
<br /></div>
<div>
The loud text is not a bug; Chrome lets one <a href="http://stackoverflow.com/questions/7505623/colors-in-javascript-console">style log messages</a>. But the fact that the website has the power to (absolutely, if they wish) disable the console is a bug; websites should never have that level of power over the browser. I <a href="http://code.google.com/p/chromium/issues/detail?id=345205">reported it as such</a> soon after. I also noticed a need for a solution to self-xss; this was not the correct solution, but there seemed to be scope for a solution from the browser's side. I noted that in the bug as well.</div>
<div>
<br /></div>
<div>
Once the bug was fixed, the Chrome devtools team recognized that self-xss was something that might be fixed from the browser side, and <a href="http://code.google.com/p/chromium/issues/detail?id=345205#c18">converted the bug to one for self-xss</a>. They also came up with a brilliant proposal (copied from the comment):</div>
<ul style="text-align: left;">
<li>If user is considered a "first-time" user of devtools (a console history of less than 10 entries)</li>
<li>and <i>pastes</i> javascript into an execution context (console/watches/snippets) </li>
<li>Chrome detects that and throws up a confirmation prompt, something like… "You may be a victim of a scam. Executing this code is probably bad for you. [Okay] [I know what I'm doing, continue]." (This part of the proposal was modified to having a prompt which explains the danger and asks the user to type "always allow" if they still wish to continue)</li>
</ul>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOwjqwT2rAWGoREt3_XDAR9czYxN6ybthh853ASz_hqf2e7svb_KICHckcHGskXQF_QI5JE5HR30zf4ftxe2HaHr1OxbZPVfpWhtatB1hHtnXcpBWyAx_xETzoPVHPaAQfZX8y9KtmuWc/s1600/consoleselfxss.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOwjqwT2rAWGoREt3_XDAR9czYxN6ybthh853ASz_hqf2e7svb_KICHckcHGskXQF_QI5JE5HR30zf4ftxe2HaHr1OxbZPVfpWhtatB1hHtnXcpBWyAx_xETzoPVHPaAQfZX8y9KtmuWc/s1600/consoleselfxss.png" height="211" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The proposed fix for Chromium</td></tr>
</tbody></table>
<br /></div>
<div>
This fix was checked in and <a href="http://code.google.com/p/chromium/issues/detail?id=345205#c33">later rolled back</a>; they're now considering a universal "Developer Mode" preference that comes with the appropriate warnings. I personally don't really agree with that change; when it comes to such attacks, a specific warning is always better than a general "Only do this if you're a dev" message. People being convinced by a scammer to inject code into their own browsers probably will click through a generic message — after all, they know that they <i>are</i> doing developer-y stuff, even if they don't actually know what they're doing.</div>
<div>
<br /></div>
<div>
On the Firefox side, I filed <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=994134">a bug</a> suggesting a similar change. A while later, Joe wrote <a href="http://incompleteness.me/blog/2014/04/24/combatting-self-xss-part-2/">another post delving deeper into the issue</a>. The post frames the problem by first modeling self-xss as a "human script execution engine" (the model changes later), and notes that the more complex the "script" is, the less likely the engine is to execute it. There's an interesting analysis of what the trend probably looks like, culminating in this graph:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://incompleteness.me/images/posts/self-xss-graph2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://incompleteness.me/images/posts/self-xss-graph2.png" height="163" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Taken from Joe's blog, with permission<br />
("script" here is the English script used to scam users, not the actual code)</td></tr>
</tbody></table>
<br />
While we can never completely defeat this, some small increases in the necessary complexity for the "script" can go a long way. (This is the reason that Chrome's solution for the omnibox is still effective. It can be bypassed, but it makes the "script" more complex with the "type j and then paste" instructions)<br />
<br />
We just have to balance the solutions against the annoyance-to-devs factor.<br />
<br />
Turns out that Chrome's solution (for the console) seems to be pretty balanced. People will be shown a prompt, which they will have to read through to figure out how to enable pasting. They can't just ignore it and press the nearest "ok" button they see, which would have been the case with a normal dialog. For devs, this is a minor annoyance that lasts a few seconds. Additionally, if the dev has already used the console/scratchpad in the past, this won't come up in the first place since it is disabled after 10 entries in the scratchpad/console.<br />
<br />
Of course, the scammer could simply ask the victim to type "allow pasting", but this has two issues. Firstly, it's now Firefox-specific, so they lose half their prospective victims. This can be fixed by making two branches of instructions for Chrome and Firefox, but that still increases complexity/suspicion. Secondly, the flow for this is rather strange anyway; most would find it strange that you have to type "allow pasting", and might be curious enough to read the popup to see why. There's also a big friendly "Scam warning" header, which can catch their attention.<br />
<br />
I wrote the patch for Firefox; this is what the current UI looks like when you try to paste something into the console or scratchpad:<br />
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGZ6Y5HebBSqIoeWD6s1qAikFEUds4BG01i5Z0tdxEg1URlJt0U5iUu8koelKJil9b5Rea4VAcpyXfto_Fj9nXvybDp4tCI78EU2ffV3bsxFLkF7fz6-Rj7UDL2DfxGBLkvUPGRw4eY9Y/s1600/Screenshot+from+2014-05-21+23:58:17.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGZ6Y5HebBSqIoeWD6s1qAikFEUds4BG01i5Z0tdxEg1URlJt0U5iUu8koelKJil9b5Rea4VAcpyXfto_Fj9nXvybDp4tCI78EU2ffV3bsxFLkF7fz6-Rj7UDL2DfxGBLkvUPGRw4eY9Y/s1600/Screenshot+from+2014-05-21+23:58:17.png" height="361" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Firefox's solution, for both the console and scratchpad</td></tr>
</tbody></table>
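<div>
The paste guard described above (the under-10-entries "first-time user" check, the blocked paste, and the typed unlock phrase) can be modelled in a few lines. This is an added example, not Chrome's or Firefox's code; the class, function names and warning wording are hypothetical, and only the threshold of 10 and the phrase "allow pasting" come from the post.</div>

```javascript
// Added example: a model of the paste guard the post describes.
// All names are hypothetical; this is not Chrome or Firefox source code.

const HISTORY_THRESHOLD = 10;          // from the post: under 10 entries = "first-time" user
const UNLOCK_PHRASE = "allow pasting"; // from the post: phrase the Firefox prompt asks for
const SCAM_WARNING =
  "Scam warning: pasting code here can give attackers access to your account. " +
  'Type "' + UNLOCK_PHRASE + '" to enable pasting.'; // constructed wording

class PasteGuard {
  constructor(historyCount = 0) {
    this.historyCount = historyCount; // entries already run in the console/scratchpad
    this.unlocked = false;            // true once the phrase has been typed
  }

  // The guard applies only while the user still looks like a first-timer.
  isActive() {
    return !this.unlocked && HISTORY_THRESHOLD > this.historyCount;
  }

  // Text arriving by paste or drop. While the guard is active nothing is
  // inserted, so a pasted unlock phrase cannot unlock anything either.
  paste(text) {
    if (this.isActive()) {
      return { inserted: false, warning: SCAM_WARNING };
    }
    return { inserted: true, warning: null };
  }

  // Input typed by hand and submitted. The unlock phrase is consumed by the
  // guard instead of being evaluated; anything else counts as a history entry.
  typeAndRun(text) {
    if (this.isActive() && text.trim() === UNLOCK_PHRASE) {
      this.unlocked = true;
      return { executed: false, unlockedNow: true };
    }
    this.historyCount += 1;
    return { executed: true, unlockedNow: false };
  }
}

// Replays a list of {kind: "paste" | "type", text} events and reports whether
// any pasted text got through, plus how many warnings the user was shown.
function replay(guard, events) {
  let pastedCodeInserted = false;
  let warningsShown = 0;
  for (const ev of events) {
    if (ev.kind === "paste") {
      const r = guard.paste(ev.text);
      if (r.inserted) pastedCodeInserted = true;
      if (r.warning) warningsShown += 1;
    } else {
      guard.typeAndRun(ev.text);
    }
  }
  return { pastedCodeInserted, warningsShown, steps: events.length };
}

// Constructed sessions (the pasted text is a harmless placeholder string).
const PAYLOAD = "/* pasted snippet */";

// 1. A first-time user follows a one-step "paste this" instruction: blocked, warned.
const victim = replay(new PasteGuard(0), [{ kind: "paste", text: PAYLOAD }]);

// 2. A developer with an existing history never sees the prompt.
const developer = replay(new PasteGuard(25), [{ kind: "paste", text: PAYLOAD }]);

// 3. The typed-phrase route from the post: the "script" grows from one step
//    to three, and the warning has been shown before the paste succeeds.
const coached = replay(new PasteGuard(0), [
  { kind: "paste", text: PAYLOAD },
  { kind: "type", text: UNLOCK_PHRASE },
  { kind: "paste", text: PAYLOAD },
]);

console.log({ victim, developer, coached });
```

<div>
The third session is the trade-off discussed above: the guard does not make the paste impossible, it lengthens the instructions a scammer has to dictate and puts the warning in front of the user first.</div>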
<div>
<br />
This got checked in today, and will probably reach the release channel in a few months.<br />
<br />
Hopefully this takes a big bite out of the self-xss problem :)</div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-77938286906777396322014-04-21T13:17:00.000-07:002014-06-28T02:52:45.556-07:00I've been selected for Google Summer of Code 2014!<div dir="ltr" style="text-align: left;" trbidi="on">
I've been selected for <a href="https://www.google-melange.com/gsoc/homepage/google/gsoc2014">GSoC 2014</a>!<br />
<br />
My project is to implement XMLHttpRequest in <a href="https://github.com/mozilla/servo">Servo</a> (<a href="https://docs.google.com/document/d/1hEnYI3teExOMMo3xYSkSEA2k_YUx0oWfdmEWHe7xw_g/edit">proposal</a>), under Mozilla (mentored by the awesome <a href="https://twitter.com/lastontheboat">Josh Matthews</a>)<br />
<br />
Servo is a <a href="http://en.wikipedia.org/wiki/Web_browser_engine">browser engine</a> written in <a href="http://www.rust-lang.org/">Rust</a>. The Servo project is basically a research project, where Mozilla is trying to rethink the way browser engines are designed and try to make one which is more memory safe (The usage of Rust is very crucial to this goal), and much more parallel. If you'd like to learn more about it, check out <a href="https://www.youtube.com/watch?v=IvtyihvXdS8">this talk</a> or join #servo on irc.mozilla.org.<br />
<br />
<h3 style="text-align: left;">
What is GSoC?</h3>
<div>
<a href="http://en.wikipedia.org/wiki/Google_Summer_of_Code">Google Summer of Code</a> is a program by Google that helps jumpstart involvement in open source amongst students. Organizations are invited to float their own open source projects, and students float project proposals. If selected, you get to code the project over the summer, working closely with the mentor. It's supposed to be a great experience, and I'm glad I'll get to be a part of it this year!</div>
<div>
<br /></div>
<h3 style="text-align: left;">
Who else got selected?</h3>
<div>
<br /></div>
<div>
One purpose of this post was to recognize all my friends and college-mates who got selected:<br />
<br /></div>
<h4 style="text-align: left;">
Mozilla India friends</h4>
<div>
<ul style="text-align: left;">
<li>Saurabh Anand (sawrubh): <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/saurabhanandiit/5639274879778816">FileLinks in IMs / File transfer</a></li>
<li>Avik Pal: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/avikpal/5724160613416960">Sound Visualization And Sound Effects In Artikulate</a></li>
<li>Sukant Garg (gargsms): <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/gargsms/5649050225344512">Add learning capability in the Gaia Keyboard prediction</a></li>
<li>Pankaj Malhotra (bitgeeky): <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/bitgeeky/5741031244955648">Functional Test Suite and Features for QA Taskboard - One and Done</a></li>
<li>Suyash Agarwal (sshagarwal): <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/sshagarwal/5724160613416960">Thunderbird - Make the unit test framework work with maildir mailbox format</a></li>
<li>Sunny (darkowlzz): <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/darkowlzz/5634387206995968">Implement Zest recorder and runner</a></li>
</ul>
<h4 style="text-align: left;">
Other IITB-ians</h4>
</div>
<div>
<ul style="text-align: left;">
<li>Alankar Kotwal: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/alankarkotwal/5668600916475904">Image Pixel Based Photometric Redshift Estimation</a></li>
<li>Sushant Hiray: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/sushant_hiray/5750085036015616">Extending Elementary Functions in CSymPy</a></li>
<li>Navin Chandak: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/whodarescapri/5649050225344512">pgmpy : Implementation of Undirected Graphical Models and its algorithms</a></li>
<li>Aman Mangal: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/amanmangal/5743522325987328">Work Stealing Scheduling on Parallella</a></li>
<li>Saket Choudhary: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/saketkc/5659847773126656">Human Genetic Variation Viewer</a></li>
<li>Kunal Tyagi: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/kunaltyagi/5733935958982656">Integration of ROS and Gazebo with Tango Controls</a></li>
<li>Aditya Nambiar: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/aditya_nambiar/5668600916475904">Visualization for Mailing stats and A/B testing</a></li>
<li>Anand Soni: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/anandsoni/5747976207073280">Improvement of automatic benchmarking system</a></li>
<li>Praveen Kumar Pendyala: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/praveendath92/5750085036015616">Android based remote display</a></li>
<li>S K Savant: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/savy2020/5750085036015616">Multiview Registration</a></li>
<li>Abhishek Bhowmick: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/abhowmick22/5700735861784576">Performance Optimization with VOLK</a></li>
<li>Roshan Raghupathy: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/roshanr/5676830073815040">Expand and Improve Boost.Compute</a></li>
<li>Dushyant Sabharwal: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/dushyantsabharwal/5718998062727168">Proposal for Access Control User Interface for SOS Servers</a></li>
<li>Siddhant Rajagopalan: <a href="http://www.google-melange.com/gsoc/project/details/google/gsoc2014/rajgo94/5741031244955648">Mail Blast UI</a></li>
</ul>
</div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-63595410468771035422014-04-04T19:13:00.004-07:002014-04-11T02:09:11.967-07:0050 more shades of green<div dir="ltr" style="text-align: left;" trbidi="on">
<i>This is a continuation of <a href="http://inpursuitoflaziness.blogspot.in/2014/02/50-shades-of-green.html">50 shades of green</a>. Read that first if you want to know what this is about.</i><br />
<i><br /></i>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmzPsfJEsHygsA7PA8vk7XOMF6L1KQn8dc3_Ilvbj10yb58uPXp5ZOOD9ucJkfWgyhZvSESVAgb6GoUWEPXjbXIiEYjIwnwDZxlj_LuD0SWlrpVzqtTIboYEH0p5o70FQ9XCHr4iglglU/s1600/Screenshot+from+2014-04-05+07:25:06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmzPsfJEsHygsA7PA8vk7XOMF6L1KQn8dc3_Ilvbj10yb58uPXp5ZOOD9ucJkfWgyhZvSESVAgb6GoUWEPXjbXIiEYjIwnwDZxlj_LuD0SWlrpVzqtTIboYEH0p5o70FQ9XCHr4iglglU/s1600/Screenshot+from+2014-04-05+07:25:06.png" /></a></div>
So I finally reached a hundred day GitHub streak!<br />
<br />
Since I already rambled about GitHub, commit streaks, time management, and a bunch of other things in the previous post, I'll just use this post to list what new projects I started working on in the latter 50 days:<br />
<br />
<ul style="text-align: left;">
<li><a href="https://github.com/mozilla/servo">Servo</a>, Mozilla's new browser* in Rust. Rather fun project to work on; there is a lot of scope for making an impact on the project since a lot of the core features are yet unimplemented. Additionally, it has a tight-knit community.</li>
<li><a href="https://github.com/Manishearth/SE-CitationHelper">SE-CitationHelper</a>: A citation helper for Stack Exchange, based on <a href="http://meta.mathoverflow.net/questions/1485/formatting-citations-to-the-literature-on-mathoverflow?cb=1">this meta request</a>. This was actually paid work, since I don't have the time to commit to a project like that.</li>
<li><a href="https://github.com/Manishearth/ElectionPortal">ElectionPortal</a>: A way to quickly hold elections and polls with LDAP authentication and filtering.</li>
<li><a href="https://github.com/Manishearth/MathToTeX">MathToTeX</a>: My parser for converting typed math into LaTeX. This already existed, but was a sub-repo elsewhere. I plan to reorganize this repo and then start work on rewriting the algorithm to be more extensible. </li>
<li><a href="https://github.com/Charcoal-SE/Blaze/">Blaze</a>: Under the Charcoal group. This project is for monitoring new posts on a medium-activity Stack Exchange site.</li>
<li>I also forked <a href="https://github.com/Manishearth/2048">2048</a> to add the ability to save one's present state. This is on a fork and doesn't count in the activity punchcard.</li>
</ul>
<div>
In addition I continued work on most of the repos mentioned in the previous post.</div>
<div>
<br />
<br />
I was less active than in the first 50 days; I had academic commitments, extracurriculars, and more recently went to Kolkata and Kharagpur for a Mozilla event. Once the summer starts I expect to be pushing more dark greens :)<br />
<br /></div>
<div>
I also had to tweak the rules a bit from last time. Since I was working on Servo and rebasing code often, there were days when I did commit code but the commit was eventually moved around or left to rot in a fork. Neither of these count in the activity punchcard -- so for these days only, I've allowed pull requests / readme edits to count. I think there are two days like this.</div>
<div>
<br /></div>
<div>
Let's see how far I can take it from here!<br />
<br />
<br />
<small>* To be precise, it's a <i><a href="https://en.wikipedia.org/wiki/Web_browser_engine">layout engine</a></i>, not a browser. A layout engine (e.g. Gecko) handles most of the core magic that makes a browser work -- parsing and displaying HTML, and interacting with JavaScript. Browser features like tabbing and preferences and bookmarks are not a part of Servo; while it can be used (when it's stable enough) to browse the Internet, it's meant to be plugged into a browser if you want these features.</small></div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-20487518332461298052014-04-02T15:43:00.001-07:002014-04-02T15:47:23.337-07:00Introductory Firefox core development events : Setup issues<div dir="ltr" style="text-align: left;" trbidi="on">
<i>I'll be posting something about my overall experience at ProgramIIEST and MozSetup@IITKGP later this week, but I wanted to get this out there first. I may also post something about improving the good-first-bug system.</i><br />
<i><br /></i>
<i><br /></i>
This post is partially meant as an extension to <a href="http://debloper.blogspot.in/2014/04/laying-stones-for-mozilla-india-developer-engagement-v2.html">Deb's post</a> on the same issue. Most of the contents in this post come from discussions with Deb, Sankha, Saurabh, and others: thanks, everyone!<br />
<br />
So till now I've participated in two MozSetup-style events. One in IIT Bombay (where I was a participant), and one in IIT Kharagpur (where I was a volunteer/mentor). And one major issue that's there is setup. Basically, getting participants to come with a build system is rather nontrivial, and can be a turn-off in some cases. Plus, some participants are on Windows (on the other end of the spectrum, some are on Arch), and it's harder to sort this out. Internet is not something to rely on either.<br />
<br />
Besides that, build times are long, especially on systems like mine:<br />
<blockquote class="twitter-tweet" lang="en">
Well, at least the build didn't take 400 minutes :p <a href="http://t.co/W6o4wEDWed">pic.twitter.com/W6o4wEDWed</a><br />
— Manish Goregaokar (@ManishEarth) <a href="https://twitter.com/ManishEarth/statuses/371352141610246145">August 24, 2013</a></blockquote>
At the IITB event, I had spent quite a bit of time getting a build ready. Fortunately I was able to create a couple of patches without testing, but that's certainly not the ideal way to go. Firstly, getting started takes up a huge chunk of time, and it's a bit overwhelming to have the participants learn and understand the entire process. It's far better to get them involved in writing code and let them figure out the details of setting it up at their leisure.<br />
<br />
At the Kharagpur event, I had planned on having some lab machines with a full Nightly build on them so that the students could test and make their patches on this system. This might have worked out, but we didn't have time (or lab access) the day before to initialize this. In the end, we had one machine with a full build on it, and another machine that was built later during the event. I had planned to rsync the built objdirs across systems, but somehow that didn't work even though I'd kept everything in a username-agnostic location (/opt). This is something I'll look into later.<br />
<br />
But it turns out there's an easier way to do things than to run full builds on the spot. <a href="https://twitter.com/Debloper">@Debloper</a> had the interesting idea of using OpenStack for this, and after some discussions it was basically to have an OpenStack instance where we create a VM with a full build environment, and allow participants to fork this VM and do all their coding/testing there (via <code>ssh -X</code>). This requires some investment in maintaining an OpenStack instance, but overall it's a viable way to go. We can also allow participants to keep access to the instance for some time period to make transition to development on their own systems much easier.<br />
<br />
As an alternative to this, I had the idea of using flash drives instead of VMs. One way to do this is to <a href="https://wiki.ubuntu.com/LiveUsbPendrivePersistent">install a persistent Ubuntu system</a><sup>1</sup> on a 16 GB flash drive, install the prerequisites, and build. This pen drive can then be booted into and used regardless of the user's system. It's persistent, too, so it can be used in the long term as well. It has the drawback of being a bit slower, though. Also, this drive can be quickly cloned via <code>dd</code> in preparation for an event. If a user wishes to install it baremetal, they can do so manually with <code>dd</code> and <code>update-grub</code>.<br />
<br />
The other option is to make an Ubuntu live flash drive, but to <a href="https://help.ubuntu.com/community/LiveCDCustomization">customize it</a> via <code>squashfs</code> and <code>chroot</code> and add the required packages along with a full build. Here, there won't be persistent storage, so anyone trying it out by booting into the flash drive will lose their work on reboot. However, this is easier to install baremetal since the standard installation process will work, and a baremetal install is faster, too. Again, the ISOs can be cloned.<br />
<br />
If we want this to be scalable, we can eventually ask Mozilla to build these ISOs once every X days (or once every clobber) and put them up for download, much like Nightly builds. As far as I can tell, this won't create much extra strain on their resources. Then event organizers all over the world just have to burn the ISOs to some flash drives the night before, which is something very feasible.<br />
<br />
The cherry on top of this method (Deb's awesome idea) is that these flash drives can double as swag. A mozilla-branded drive is something pretty cool, especially if it contains everything you need for contributing to Firefox from wherever you are. The details of this depend on budget and all, but ... it's an option :)<br />
<br />
There will still be architecture issues and speed issues, but these can be solved with some work. Using an older Ubuntu version like Backtrack does is one way to make things faster, and we can always have a couple of AMD flash drives ready.<br />
<br />
I hope we get to try this method out at a similar event (maybe the upcoming Kolkata one). There are a lot of avenues to explore here, and a lot of room for improvement, but overall it seems like a promising way to fix the setup issues at such events.<br />
<br />
<br />
<small>1. Or Fedora, but I haven't yet worked out the details for Fedora. I'll be trying this out when I have time.</small></div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-53084612305933623802014-02-15T03:04:00.000-08:002014-04-13T03:55:19.419-07:0050 shades of green<div dir="ltr" style="text-align: left;" trbidi="on">
<i>Update: The streak has reached 100, read more about the additional projects I was working on <a href="http://inpursuitoflaziness.blogspot.in/2014/04/50-more-shades-of-green.html">here</a></i><br />
<br />
Alright, four shades. Making 50 squares.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmDudGo4UFAPW0czknm2g8z_BoaecmdcqafjvNrhWPD5jh2Taiw-BOGEpmJFkUmKXfAAvaB2ds-ob71LLZdjkMmS2LzANkvN0fx7U3Iq_de__1qUpYjqO4EhLLDeV11EankllF8KBz0UY/s1600/Screenshot+from+2014-02-14+16:51:57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmDudGo4UFAPW0czknm2g8z_BoaecmdcqafjvNrhWPD5jh2Taiw-BOGEpmJFkUmKXfAAvaB2ds-ob71LLZdjkMmS2LzANkvN0fx7U3Iq_de__1qUpYjqO4EhLLDeV11EankllF8KBz0UY/s1600/Screenshot+from+2014-02-14+16:51:57.png" /></a></div>
<br />
Yep, that's right, my GitHub commit streak <a href="https://github.com/Manishearth">reached 50 days</a>!<br />
<br />
<h3 style="text-align: left;">
What's GitHub? What's a GitHub commit streak?</h3>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://octodex.github.com/images/original.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://octodex.github.com/images/original.png" height="320" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Meow</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
For the uninitiated, <a href="https://github.com/">GitHub</a> is an online service that lets you efficiently manage repositories of code using the git protocol. Besides allowing for easy version control and collaboration on code (which are just features of the git protocol), it provides a bunch of useful collaboration tools like the issue tracker, and nifty features like pull requests. Most code hosted on GitHub is open source.</div>
<br />
I keep most of my code on GitHub because<br />
<br />
<ul style="text-align: left;">
<li>I can access my code from anywhere and make changes</li>
<li>I can use git without having to set up a bare repository on a remote server every time</li>
<li>It's open source, and I don't have to deal with the hassles of keeping it up to date elsewhere</li>
<li>It's pretty easy for others to report issues on it</li>
<li>It's easy for others to submit their own patches to the code via the pull request feature. I can also add collaborators with minimal hassle.</li>
</ul>
<div>
When using Git, a "commit" is basically a bundle of changes to the code, which can later be pulled/pushed between servers. On GitHub, if you've been committing code for a number of days in a row, it's called a "commit streak", and is shown on the profile. Days with relatively more commits are shown as a darker shade of green on the punchcard.</div>
<div>
<br /></div>
<h3 style="text-align: left;">
How I got started</h3>
<div>
Initially I didn't have any intention of maintaining a commit streak. Near the end of December, I was working on both <a href="https://github.com/Charcoal-SE/Charcoal/">Charcoal</a> and <a href="https://github.com/Manishearth/HostelNoticeboard/">HostelNoticeboard</a>, and after a week and a half of constantly committing code, I noticed that I had a commit streak going. Naturally, I was pretty happy and wanted to extend this.</div>
<div>
<br /></div>
<div>
I first set up some ground rules, inspired by <a href="https://ryanseys.com/blog/177-days-of-github/">Ryan Seys</a>:</div>
<div>
<ul style="text-align: left;">
<li>Issues don't count</li>
<li>Edits to READMEs don't count</li>
<li>Edits to non-code files like GitHub Pages files <i>do</i> count.</li>
<li>No scripting commits; and push code the day you write it unless it's half written</li>
<li>No playing with local commit times</li>
</ul>
<div>
I also identified repositories and mini-projects that I needed to work on beforehand. This actually got some of my backburner'ed ideas out of the woodwork; some of which I actually implemented.<br />
<br />
<h3 style="text-align: left;">
The journey</h3>
</div>
</div>
<div>
Initially I found it challenging to commit code every day. I had a lot of other commitments (ha!) in life and didn't want to impinge on my academics. Usually it takes a bit of time to get warmed up before coding; one has to evaluate the situation and figure out what needs to be done. This, along with debugging, takes up quite a bit of time.</div>
<div>
<br /></div>
<div>
However, as time passed, I got more and more efficient at this so that I could spend more time <i>writing real code.</i> At the same time, maintaining the commit streak became a habit. I used to always have a terminal tab open for my cloned repositories, and would be hacking away every now and then.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://octodex.github.com/images/agendacat.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://octodex.github.com/images/agendacat.png" height="200" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 13px; text-align: center;"><i style="font-size: medium;"><span style="font-size: x-small;">Sticking to an agenda becomes natural after a point</span></i><br />
<div>
<i style="font-size: medium;"><span style="font-size: x-small;"><br /></span></i></div>
</td></tr>
</tbody></table>
<br />
There were some days when I thought that I would be too busy to code, and would instead make some minor changes to fill in the punchcard for that day. Almost every time, I ended up unexpectedly making more substantial contributions the same day. There were also some days when I would open the site, in a panic that I forgot to code that day; and it would turn out that I <i>had</i> committed code, just forgotten about it. I guess that's the first sign of madness, but who cares?</div>
<div>
<br /></div>
<div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://octodex.github.com/images/Professortocat_v2.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="http://octodex.github.com/images/Professortocat_v2.png" height="200" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Use GitHub for your academics, too!</i></td></tr>
</tbody></table>
As exam time neared, I had to switch strategies. I always had planned to put up my LaTeX documents (notes, presentations, assignments) on GitHub, making it easier for me to share them, keep them up to date, and incorporate improvements. Till then I had been using scripts to upload them to my university homepage, which wasn't as efficient.</div>
<div>
<br /></div>
<div>
So I created <a href="https://github.com/CourseResources">CourseResources</a>, and uploaded all the old documents I could find. Since I would be writing notes or assignments regularly, this provided a steady source of commits (also, a second motivation to study!) that helped me when I was too busy to write proper code. I still tried not to rely on this for the streak, though. The goal is to consolidate as many LaTeX notes as possible here; the repo is under an organization for easy collaboration. </div>
<div>
<br /></div>
<h3 style="text-align: left;">
Where it's at now</h3>
<div>
So, in the past 50 days, the new projects I created are:<br />
<br /></div>
<div>
<ul style="text-align: left;">
<li><a href="https://github.com/Manishearth/Kapi">Kapi</a>, a Metro note-taking app with fluid math support. Made it for a hackathon, plan to continue working on it.</li>
<li><a href="https://github.com/Manishearth/IIT-Timetable">IIT-Timetable</a>, a webpage that lets one easily construct and share a printable semester timetable without having to worry too much about the complicated slot pattern. While there are plans to extend this, the app is complete in itself.</li>
<li><a href="https://github.com/Manishearth/ChatExchange">ChatExchange</a>, a python wrapper for Stack Exchange Chat. Currently it has basic read/write functionality, but needs a lot of polishing. I also created multiple projects that use this as a submodule:</li>
<ul>
<li><a href="https://github.com/Manishearth/StackExchange-ChatBot">StackExchange-ChatBot</a>: A python class that can be used to easily create a chatbot that can react to various commands. I created this today, and it doesn't do much yet but gives an idea of the basic structure.</li>
<li><a href="https://github.com/Charcoal-SE/SmokeDetector">SmokeDetector</a>: A bot that monitors the Stack Exchange realtime feed and links to possible spam or otherwise low quality posts in a couple of chatrooms so that it can be dealt with quickly. This was intended to solve the issue of spam lying around on low-activity sites if the moderators aren't around at that moment. The bot is currently running, though I make tweaks to the algorithm every now and then.</li>
<li><a href="https://github.com/Manishearth/ChatExchange-Scripts">ChatExchange-Scripts</a>: A couple of random scripts created as proof-of-concepts.</li>
</ul>
<li><a href="https://github.com/CourseResources">CourseResources</a> (both the <a href="https://github.com/CourseResources/CourseResources">CourseResources</a> and <a href="https://github.com/CourseResources/Slides">Slides</a> repos): As mentioned before, contains all my LaTeXed documents. Feel free to pull request and add your own.</li>
<li><a href="https://github.com/Manishearth/daemonic-mach">daemonic-mach</a>, a project to integrate inotify or watchman with Mozilla's mach build program to speed up build time. This is just a placeholder for now, I haven't yet gotten around to starting this. First commits don't count for a streak unless there are subsequent commits, so this didn't add to the streak.</li>
<li><a href="https://github.com/Manishearth/ECMAScript6-tester">ECMAScript6-tester</a>, a script that loads dummy versions of proposed ES6 features into the document and reports compatibility of the document with these features. Intended to prevent naming collisions (like <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=924386#c19">this one</a>) where a prototype extension clashes with a new feature, breaking things. This repo is another placeholder.</li>
</ul>
<div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://octodex.github.com/images/repo.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="http://octodex.github.com/images/repo.png" height="200" width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Look at all this code I wrote!</i></td></tr>
</tbody></table>
<br /></div>
</div>
<div>
In addition, I worked on the following preexisting projects (not necessarily <i>my</i> projects):</div>
<div>
<ul style="text-align: left;">
<li><a href="https://github.com/Charcoal-SE/Charcoal">Charcoal</a>, a webapp that lets one easily collect and flag noisy content (mainly comments) from Stack Exchange sites. I mainly dealt with the JS code in this.</li>
<li><a href="https://github.com/Manishearth/HostelNoticeboard">HostelNoticeboard</a>, the code (both Pi-side and server-side) for the Electronic Noticeboard project in IIT. I've written the Pi-side code and a portion of the server-side stuff. The code works and is currently deployed, on a single Pi with the online interface <a href="http://gymkhana.iitb.ac.in/~stab/HostelNoticeboard/">here</a>. There are a bunch of improvements on the roadmap that I mean to get to in a few weeks.</li>
<li><a href="https://github.com/enwikipedia-acc/waca">waca</a>: The Wikipedia Account Request System, running <a href="https://accounts.wmflabs.org/">here</a>. I usually do small bugfixes.</li>
<li><a href="https://github.com/wncc/wncc.github.io">wncc.github.io</a>: The Web & Coding club website, running <a href="http://wncc-iitb.org/">here</a>. I add posts and sometimes make changes to the Jekyll code.</li>
<li><a href="https://github.com/Manishearth/Manish-Codes">Manish-Codes</a>, random userscripts and things which I write.</li>
</ul>
<div>
All in all, plenty of code written, lots of work done :D</div>
</div>
<div>
<br /></div>
<h3 style="text-align: left;">
Where it's going to go</h3>
<div>
I really don't know how long I'll be able to keep this up. Academics do get in the way, and while I can do minor changes every day, that's not too productive. However, it's giving me a driving motivation to get all my backburner'ed projects finished, which is great! It's also taught me a lot about planning and I got a good chance to hone my coding skills.</div>
<div>
<br /></div>
<div>
These 50 days have been really fun, though, and I hope I'll be able to keep it up as long as possible :)<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://octodex.github.com/images/father_timeout.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="http://octodex.github.com/images/father_timeout.jpg" height="320" width="288" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Hope I get the time!</i></td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<i>Octocats taken from the <a href="http://octodex.github.com/">Octodex</a></i></div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-982093890624675152014-02-07T19:45:00.001-08:002014-06-24T15:29:43.443-07:00Getting started with bug-squashing for Firefox<div dir="ltr" style="text-align: left;" trbidi="on">
<i>See also: <a href="http://sawrubh.tumblr.com/post/89737523167/tips-and-tricks-for-fixing-your-first-bug">Tips and Tricks For Fixing Your First Bug</a> by Saurabh Anand</i><br />
<br />
So over the past few months I've been trying to contribute a bit to Mozilla (mainly Firefox). Last August there was <a href="https://reps.mozilla.org/e/firefox-os-appdays-mozboot-iit-bombay-2013/">a MozBoot session at IIT Bombay</a> which helped me get over the learning curve.<br />
<br />
First off, a big thanks to <a href="https://twitter.com/Debloper">@Debloper</a> (and <a href="https://twitter.com/#!/hardfire">@hardfire</a>) for showing me the basics. The process is intimidating, though once you've done it with help, it becomes pretty natural. These Mozilla reps got me past that intimidation point, so I'm really grateful for that.<br />
<br />
This post is basically a tutorial on how to get started. It's basically an in-depth version of <a href="https://developer.mozilla.org/en-US/docs/Introduction">this tutorial</a>, which I feel misses a few things.<br />
<br />
Note that I am still a beginner at this, comments on how to improve this post/my workflow appreciated.<br />
<br />
Ok, let's get started.<br />
<br />
<h2 style="text-align: left;">
Step 1: Identifying a bug you want to fix</h2>
<div>
Firstly, make an account on <a href="https://bugzilla.mozilla.org/">https://bugzilla.mozilla.org/</a>. You'll need it later. Browse the bug lists on the site, looking for bugs that seem fixable. Look for bugs marked as "good first bug", which have a status of "NEW".</div>
<div>
<br /></div>
<div>
Of course, this is a bit cumbersome to do and there are a lot of bugs which are nontrivial or have a lot of discussion baggage which you may not want to go through. Fortunately, there are some tools out there that greatly help in searching for bugs.<br />
<br />
Firstly, there's <a href="http://whatcanidoformozilla.org/">What Can I Do For Mozilla?</a>. This is an interactive questionnaire that helps you find out which portions of Mozilla or Firefox you may be able to comfortably contribute to. Note that this is not just Firefox, though if you select the HTML or JS categories you will be presented with the Firefox subcategory which contains various entries.<br />
<br />
This doesn't help find bugs as much as it helps you find the areas of the codebase that you might want to look at.<br />
<br />
However, there <i>is</i> a different tool that is built specifically for this purpose; to look for easy bugs given one's preferences and capabilities. It's called <a href="http://www.joshmatthews.net/bugsahoy/">Bugs Ahoy</a>, and it lets you tick your preferences and programming languages to filter for bugs. It also has two insanely useful options, one that lets you filter out assigned bugs, and one that tells it to look for "good first bugs" ("simple bugs"). "Good first bug"s on Bugzilla are easy bugs which are kept aside for new users to try their hand at. There is a mentor for these bugs, who is a very active community member or employee. These mentors help you through the rest of the process, from where you need to look in the code to how to put up a patch. I've found that the mentors are very friendly and helpful, and the experience of being mentored on a bug is rather enjoyable.<br />
<br />
Make sure the bug isn't assigned to anyone, and look through the comments and attachments for details on the status of the bug. Some bugs are still being discussed, and some bugs are half-written (it's not as easy to use these for your first bug). If you need help on choosing a bug, join <a href="https://chat.mibbit.com/?url=irc%3A%2F%2Firc.mozilla.org%2F%23introduction">#introduction</a> on irc.mozilla.org. There are lots of helpful people out there who can give feedback on your chosen bug, and help you get started.<br />
<br />
<h2 style="text-align: left;">
Step 2: Finding the relevant bits of code</h2>
</div>
<div>
If this is a mentored bug, you usually can ask the mentor in a comment on the bug for help. Be sure to get it assigned to you! If the mentor doesn't respond in a few days, use the needinfo box at the bottom of the page:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwcTt7B-bKWzxXrw8lle5ubFp4HwlcsyWuVh9IDCgvmASbGcFjztPuyRzeQzS9cQ6NlGUTKHfPi9gtTfHatcxVqmCKKFyGIrg7lBu0YVnrK87TbaU197IHHta1ocY9YSBDtt3D2UT90zs/s1600/Screenshot+from+2014-02-08+06:45:47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwcTt7B-bKWzxXrw8lle5ubFp4HwlcsyWuVh9IDCgvmASbGcFjztPuyRzeQzS9cQ6NlGUTKHfPi9gtTfHatcxVqmCKKFyGIrg7lBu0YVnrK87TbaU197IHHta1ocY9YSBDtt3D2UT90zs/s1600/Screenshot+from+2014-02-08+06:45:47.png" height="88" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Type the username (usually preceded by a colon somewhere in the full name string), and a suggestion box should pop up with various users. Pick your mentor out from the list, and ask for help in the comment box.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you want to look for the code yourself, <a href="http://mxr.mozilla.org/">Mozilla Cross-Reference</a> is a great tool. For Firefox, you probably want the <a href="http://mxr.mozilla.org/">mozilla-central</a> subtree. With MXR, you can easily search the codebase for text, variable names, and regexes.</div>
<div>
<br /></div>
<div>
For most UI changes, you can track the code down by first looking for nearby strings. For example, if you want to look at the code for the where-do-I-save-downloads preference which is preceded with the text "Save files to", the <a href="http://mxr.mozilla.org/mozilla-central/search?string=Save%2Bfiles%2Bto">search result</a> leads to a dtd file, which defines the entity <code>saveTo.label</code> as the string. (Remember, all displayed strings will be in a localization file). <a href="http://mxr.mozilla.org/mozilla-central/search?string=saveTo.label&find=&findi=&filter=%5E%5B%5E%5C0%5D*%24&hitlimit=&tree=mozilla-central">Searching for <code>saveTo.label</code></a> turns up <a href="http://mxr.mozilla.org/mozilla-central/source/browser/components/preferences/in-content/main.xul">main.xul</a>. Now that you've found this, you can dig deeper by looking at the event handling and figuring out where the relevant javascript is, or you can look around this same file and figure out how it works, depending on what you want to fix.</div>
<div>
<br /></div>
<div>
I've not really made any changes to the C++ yet, only the toolkit and UI javascript, so I can't comment on how one can find the C++ code relevant to a bug. But you can always ask around in IRC or ask your mentor (if any) for help.</div>
<div>
<br />
<br /></div>
<h2 style="text-align: left;">
Step 3: Downloading and building the code</h2>
<div>
<i>See also: <a href="https://developer.mozilla.org/en-US/docs/Simple_Firefox_build">Simple Firefox build</a></i></div>
<div>
<br />
Not all bugs need a build. Some are quite easy to do without having a full copy of the code or a build, and while you'll eventually want to have both of these, it is possible to hold this off for a while, depending on the bug. While it's easier to create patchfiles when the system is all set up, I will address patching without the full code in the next section.<br />
<br /></div>
<div>
Downloading can be done in two ways. Both require Mercurial to be installed (<code>sudo apt-get install mercurial</code> works).<br />
<br />
<br />
<br />
One way is to simply <code>hg clone https://hg.mozilla.org/mozilla-central</code>. This will download the full repository. However, if you don't think your internet connection will be stable, download the mozilla-central bundle from <a href="https://developer.mozilla.org/en-US/docs/Developer_Guide/Source_Code/Mercurial/Bundles">here</a> and follow the steps given there. Note that Mercurial is a bit different from Git, so you may wish to read up on the basics.<br />
<br />
To build Firefox, you first need to set up your build environment. If you already have Mercurial and Python installed on Linux/OSX, the build environment setup is simply <span style="font-family: monospace;">./mach bootstrap</span>, run from the root directory of the cloned repository. For setting it up on Windows or for other corner cases, go <a href="https://developer.mozilla.org/en-US/docs/Simple_Firefox_build">here</a>.<br />
<br />
Once done, go to the root directory of the Firefox code and run <span style="font-family: monospace;">./mach build</span>. After your first build, you can run incremental builds (which build only the files you ask for, and rebuild any files depending on them) by using <code>./mach build &lt;list of filepaths&gt;</code>, e.g. <code>./mach build browser/components/preferences/</code>. You can specify both folders and files to the incremental build.<br />
<br />
Note that for some javascript files, you have to build their containing directory — so if your changes aren't getting reflected in the incremental build, try building the directory they are in.<br />
<br />
<br />
<h2 style="text-align: left;">
Step 4: Getting a patch</h2>
</div>
<div>
<i>See also: <a href="https://developer.mozilla.org/en-US/docs/Developer_Guide/How_to_Submit_a_Patch">How to submit a patch</a>, <a href="https://developer.mozilla.org/en-US/docs/Mercurial_Queues">Mercurial Queues</a></i></div>
<div>
<br /></div>
<div>
So by this point you will have figured out the fix and modified the code so that you have a partial (for a multifaceted bug) or full fix of the bug. At this point you can submit the patch for review. For this, you need to have a patch to submit first!<br />
<br /></div>
<div>
<h3 style="text-align: left;">
Creating patches with hg</h3>
</div>
<div>
<br /></div>
<div>
If you have the full cloned repository, first add these lines to your <code>~/.hgrc </code>to enable the mercurial queues extension with the proper settings.</div>
<div>
<br /></div>
<div>
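<pre>[ui]
# Name and email recorded as the author of your patches
username = Firstname Lastname &lt;email@something.com&gt;
[defaults]
# qnew: -U records the current user in the patch, -e opens an editor for the commit message
qnew = -Ue
[extensions]
# Enable the Mercurial Queues extension
mq =
[diff]
# git-style diffs with 8 lines of context and function names in hunk headers
git = 1
unified = 8
showfunc = 1
</pre>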
<br />
<br />
Once done, navigate to the Firefox source tree and run <span style="font-family: monospace;">hg qqueue -c somequeuenamehere</span>. This will create a named patch queue that you can work on.<br />
<br />
Now, run <span style="font-family: monospace;">hg qnew patchname.patch</span> and then <span style="font-family: monospace;">hg qpush patchname.patch</span>. This creates a new patch by that name in the <span style="font-family: monospace;">.hg/patches-queuename</span> folder, and pushes it onto the currently applied stack of patches. You can update its contents with the changes made to the code by <span style="font-family: monospace;">hg qrefresh</span> or simply <span style="font-family: monospace;">hg qref</span>. This patch is the one that you can submit in step 5.<br />
<br />
When you run <span style="font-family: monospace;">hg qnew</span>, it will ask you to enter a commit message. Write the bug name and a short description of the patch ("Bug 12345 - Frob the baz button when foo happens"), and add a ";r=nameofreviewer". In case of mentored bugs, the username of the mentor will be your reviewer. If not, you'll have to find a reviewer (more details on this later, for now you may leave this blank and edit it in the patch file later). Note that the default editor for this is usually vim, so you have to press <kbd>Ins</kbd> before typing text and then <kbd>Esc</kbd> followed by a <code>:x</code> and <kbd>Enter</kbd> to save.<br />
<br />
<h3 style="text-align: left;">
Advanced usage</h3>
<div>
<br /></div>
In case of complicated bugs or bugs which already have a patch, you can queue the patches up. Simply use <span style="font-family: monospace;">hg qnew</span> to create patches and <span style="font-family: monospace;">hg qpush </span>or <span style="font-family: monospace;">hg qpop </span>to move up and down the patch queue (this will change the code to reflect the currently active patch, and <span style="font-family: monospace;">hg qref </span>will update that same patch)<br />
<br />
If you want to work on a different bug in parallel, you just have to pop all current patches out, and create a new patch queue with <span style="font-family: monospace;">hg qqueue -c</span>. You can then switch between the queues with <span style="font-family: monospace;">hg qqueue queuename</span>.<br />
<br />
<br />
<h3 style="text-align: left;">
Creating patches without hg</h3>
<div>
<br /></div>
<div>
Since the full repository takes a really long time to download and unpack, it's useful to have a different way of making patches so that the download doesn't become a blocking step.<br />
<br /></div>
<h4 style="text-align: left;">
For preliminary patches, with just one file</h4>
<div>
<br /></div>
<div style="text-align: left;">
This is if you want to submit a patch that can be reviewed for feedback but not checked in as a final patch. I wouldn't recommend using this method, but I'll keep these instructions here just in case.<br />
<br />
If you're just editing one file, put the old version and the new version side by side, and run <span style="font-family: monospace;">diff -u oldfile newfile >mypatch.patch </span>in the same directory. Now, open the patch file and edit the paths to match the relative filepath of the edited file from the root firefox directory (eg if you edited <code>main.xulold</code> to <code>main.xul</code>, replace both names with <code>browser/components/preferences/main.xul</code>)<br />
<br />
<h4 style="text-align: left;">
Proper patches</h4>
<div>
<br /></div>
<div>
Put the files in a directory, and then run <span style="font-family: monospace;">git init</span> on the files. Now, <span style="font-family: monospace;">git add *</span> and then <span style="font-family: monospace;">git commit -m "commit message"</span> to commit the files.</div>
<div>
<br /></div>
<div>
After this, make your changes to the files. Then, run <span style="font-family: monospace;">git diff -U8 >output.patch</span>. Edit the patch and change the <code>a/filename</code> and <code>b/filename</code> lines to be <code>a/path/to/filename</code> and <code>b/path/to/filename</code>. The paths here are relative with respect to the root directory.<br />
<br />
Now, add the following to the top of the patch:<br />
<br />
<pre># HG changeset patch
# Parent parenthash
# User Firstname Lastname <email@something.com>
Bug 12345 - Frob the baz button when foo happens; r=jaws</pre>
<pre><span style="font-family: Times New Roman;"><span style="white-space: normal;">Set the commit message as described in the above section for creating patches with hg.</span></span></pre>
<pre><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre>
<pre><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre>
<pre><span style="font-family: Times New Roman;"><span style="white-space: normal;">As for the parent hash, you can ignore and remove the line (or get it by going to <a href="http://hg.mozilla.org/mozilla-central">the mozilla-central hg repository</a> and copying the hash of the tip commit).</span></span></pre>
<pre><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre>
<pre><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre>
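The "proper patches" steps above (prefix the paths, then prepend the header) can be scripted. This is an added example, not part of the original post: the function names and the sample diff are constructed for illustration, and the parent line is left out by default, as the post allows.

```python
import re

GIT_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")

# Constructed sample of `git diff -U8` output from a scratch repository.
# The hunk deliberately contains lines that look like file headers.
SAMPLE_GIT_DIFF = """\
diff --git a/main.xul b/main.xul
index 1111111..2222222 100644
--- a/main.xul
+++ b/main.xul
@@ -1,3 +1,3 @@
 <prefpane id="paneMain">
--- a/legacy marker
+++ b/legacy marker
 </prefpane>
"""


def add_path_prefix(git_diff, tree_dir):
    """Rewrite a/ and b/ paths so they are relative to the root of the tree.

    Only file-header lines are touched. Inside a hunk, a removed line whose
    text starts with "-- a/" also reads "--- a/...", so we track whether we
    are between a "diff --git" line and the first "@@" of that file.
    """
    prefix = tree_dir.strip("/")
    in_file_header = False
    out = []
    for line in git_diff.splitlines():
        m = GIT_HEADER.match(line)
        if m:
            in_file_header = True
            line = "diff --git a/%s/%s b/%s/%s" % (
                prefix, m.group(1), prefix, m.group(2))
        elif line.startswith("@@"):
            in_file_header = False
        elif in_file_header and line.startswith("--- a/"):
            line = "--- a/%s/%s" % (prefix, line[len("--- a/"):])
        elif in_file_header and line.startswith("+++ b/"):
            line = "+++ b/%s/%s" % (prefix, line[len("+++ b/"):])
        out.append(line)
    return "\n".join(out) + "\n"


def to_hg_patch(git_diff, tree_dir, user, message, parent=None):
    """Prepend the header shown in the post and fix up the paths."""
    header = ["# HG changeset patch"]
    if parent:  # optional, the post says this line can be dropped
        header.append("# Parent " + parent)
    header.append("# User " + user)
    header.append(message)
    header.append("")  # blank line between the commit message and the diff
    return "\n".join(header) + "\n" + add_path_prefix(git_diff, tree_dir)


if __name__ == "__main__":
    print(to_hg_patch(
        SAMPLE_GIT_DIFF,
        "browser/components/preferences",
        "Firstname Lastname <email@something.com>",
        "Bug 12345 - Frob the baz button when foo happens; r=jaws"))
```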
<h2 style="text-align: left;">
<span style="font-family: Times New Roman;"><span style="white-space: normal;">Step 5: Submitting the patch, and the review process</span></span></h2>
</div>
<div>
<span style="font-family: Times New Roman;"><span style="white-space: normal;"><i>See also: <a href="https://developer.mozilla.org/en-US/docs/Developer_Guide/How_to_Submit_a_Patch#Getting_the_patch_reviewed">Getting reviews</a></i></span></span></div>
<div>
<span style="font-family: Times New Roman;"><span style="white-space: normal;"><br /></span></span></div>
<div>
Now that you're at this stage, the rest is pretty smooth sailing. Find the "add attachment" link on the bugzilla page:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN2MhnwcneI7yx44qFFmxXxHpoRJCYJccuFbGuT9NjK56viOPreMnH226zL-nHvvAIA_0tmL7K3Jvv709kV_1wtY_Y5-i4NL9UULX3qeS58_V-sxx9draghrc0_pNIpnZwsdZoR9PMnys/s1600/Screenshot+from+2014-02-08+08:58:42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN2MhnwcneI7yx44qFFmxXxHpoRJCYJccuFbGuT9NjK56viOPreMnH226zL-nHvvAIA_0tmL7K3Jvv709kV_1wtY_Y5-i4NL9UULX3qeS58_V-sxx9draghrc0_pNIpnZwsdZoR9PMnys/s1600/Screenshot+from+2014-02-08+08:58:42.png" height="185" width="320" /></a></div>
<div>
<br /></div>
<div>
Upload the attachment, give it a descriptive name ("Patch for barring the foo", though sometimes I just use "Patch 0.1"), and make sure the "patch" checkbox is ticked.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgADyyph-0_kl7LL1NPlPyubT6M7bA79a168gh_R-iRki8KIvpVUzZkpPICJzf3JsKjQHB5Hg2N_ZrQM6ebIffB43rFslDBU_kYb5h7DHGDS99ZBaPj49o3KGBpt5KialP6VL0Jpn2cExE/s1600/Screenshot+from+2014-02-08+09:00:33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgADyyph-0_kl7LL1NPlPyubT6M7bA79a168gh_R-iRki8KIvpVUzZkpPICJzf3JsKjQHB5Hg2N_ZrQM6ebIffB43rFslDBU_kYb5h7DHGDS99ZBaPj49o3KGBpt5KialP6VL0Jpn2cExE/s1600/Screenshot+from+2014-02-08+09:00:33.png" height="242" width="320" /></a></div>
<div>
<br /></div>
<div>
Now, you also need to ask for review. Click the dropdown next to the review menu, and set it to "?" ("requesting review"). Put the username of your reviewer in the "Requestee" box (and use the autosuggest to get the email address). If you don't know who to ask for review:<br />
<ul style="text-align: left;">
<li>If the bug is mentored, your mentor will be able to review your code. Usually the mentor name will turn up in the "suggested reviewers" dropdown box in bold, too.</li>
<li>If the bug isn't mentored, you still might be able to find reviewers in the suggested reviewers dropdown. The dropdown is available for bugs in most firefox and b2g components.</li>
<li>Otherwise, ask around in IRC or check out the hg logs of the file you modified (start <a href="http://hg.mozilla.org/mozilla-central/file/">here</a>) to find out who would be an appropriate reviewer.</li>
<li>A list of module owners and peers for each module can be found <a href="https://wiki.mozilla.org/Modules/All">here</a> (the Firefox and Toolkit ones are usually the ones you want). These users are allowed to review code in that module, so make sure you pick from those. If you mistakenly pick someone else, they'll usually be helpful enough to redirect the review to the right person.</li>
</ul>
</div>
<div>
<br /></div>
<div>
Usually, on the first bug, your review will be canceled ("r-"). This is nothing to be worried about; the mentors (and/or reviewers) are very helpful and will let you know exactly what can be improved in the process. This is one of the things I like about Mozilla; everyone's quite helpful! </div>
<div>
<br /></div>
<div>
Once you fix the nits and other changes requested from you, re-upload the attachment (mark the old one as obsolete).</div>
<div>
<br /></div>
<div>
At one point, the review will be granted, and the code will be checked in. Once that happens, the bug will get marked as resolved. And you're done with your first bug!</div>
</div>
</div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-74094195765703391892014-01-26T17:26:00.001-08:002014-12-12T03:53:54.370-08:00Solutions to a security competition/CTF<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" trbidi="on">
<i>Note: I've removed references to the original name of the competition to avoid people finding this post while trying to solve it.</i><br />
<br />
The other day a friend pointed out a competition to me. It was a CTF; i.e. a capture-the-flag competition, where one has to break into various systems to get the "flag", which is a piece of text. By collecting flags you get more points and may unlock more challenges.<br />
<br />
This one was pretty easy. It certainly was not as complicated as the DEFCON CTF quals or SIGINT CTF last year, however it had some elements in common with the simpler challenges in these CTFs. As someone who is still new to the world of information security, I thought I'd give it a try; I might learn something. While some challenges were straightforward, many made me think for quite a while.<br />
<br />
Without further ado, the challenges and my solutions:<br />
<br />
<h2 style="text-align: left;">
1: Begin</h2>
Hint: You need to Alter E then A and think like Windows not Linux, no PHP knowledge required for this question.<br />
<br />
Hint #2: Flag is inside a file, but which file?</div>
<div dir="ltr" trbidi="on">
<br /></div>
<div dir="ltr" trbidi="on">
<br /></div>
<div dir="ltr" trbidi="on">
Here, we were taken to <a href="http://bp.nettech.in/probs/begin/begin.php">this page</a></div>
<div dir="ltr" trbidi="on">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsnhnU2QXfssIk9h4KiEyNdMMOiwsvQIOk_pviiVn2u8zb1xxIIuwzNzzf1QPMlZbgJZ2Nh1DDsW4Z2OJ1YkFpGaNmb6kdn4MI2fO1VSBVa9YIhNuU5Nl4Ejap_0zQx5pFCLuhL3703yU/s1600/s1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsnhnU2QXfssIk9h4KiEyNdMMOiwsvQIOk_pviiVn2u8zb1xxIIuwzNzzf1QPMlZbgJZ2Nh1DDsW4Z2OJ1YkFpGaNmb6kdn4MI2fO1VSBVa9YIhNuU5Nl4Ejap_0zQx5pFCLuhL3703yU/s320/s1.png" height="113" width="320" /></a></div>
<div dir="ltr" trbidi="on">
<br /></div>
<div dir="ltr" trbidi="on">
<br /></div>
<div dir="ltr" trbidi="on">
The PHP code is one that takes the text "Hello world" and converts it to "Hell!!". This was a red herring; just looking at the source code would reveal the answer:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhauLkOKdQIc_jAwuCD0GphpXh37yd-yrJh0YafY50NxUditZLEHwXDovm_MGB0ZT0Z0HEDwBG2Ndx9BRiYFdDdNKG-BaqJnAXkEh2sn5xCSFwA9QxoiKTOciQ8i7oQj1kAnHBh7QAwrNo/s1600/s1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhauLkOKdQIc_jAwuCD0GphpXh37yd-yrJh0YafY50NxUditZLEHwXDovm_MGB0ZT0Z0HEDwBG2Ndx9BRiYFdDdNKG-BaqJnAXkEh2sn5xCSFwA9QxoiKTOciQ8i7oQj1kAnHBh7QAwrNo/s400/s1.png" /></a></div>
<div dir="ltr" trbidi="on">
Basically the "This is where you are very close to the flag!" was pretty literal, since the link to the file containing the flag was right underneath the text. Opening the file <code>drowssap.DWP</code>, I found the flag to be <code>slumdog_millionaire!</code>.</div>
<div dir="ltr" trbidi="on">
There was an alternate way of solving this if you take into account the hints. Apache directory listing was not turned off, and one could simply open the containing directory in the browser and see the DWP file, plain as day.<br />
<br />
<b>Commentary on the design</b>: I wasn't really fond of the exclamation mark in the flag. Most CTFs have text flags with underscores, or alphanumeric flags with some special characters. Punctuation is rarely part of the flag, because the punctuation could also be part of the sentence telling you what the flag is. Including exclamation marks like this is pretty widespread in this CTF. This gets really confusing, and a CTF shouldn't be about having to try various portions of text after you have in essence completed the challenge. For this reason, many CTFs follow a standard format for their flags. For example, last year's SIGINT CTF said that all flags would start with something like <code>SIGINT_</code> and would be from a fixed set of characters. This makes all those "is that the flag?" moments unnecessary, and you can concentrate on the actual challenge.<br />
<h2 style="text-align: left;">
2: Nologin</h2>
<div>
Hint: You mite need to disable a feature in ur browser which prompts for the password.</div>
<div>
<br /></div>
<div>
This took us to <a href="http://bp.nettech.in/probs/nologin.php">a page</a> which kept doing this:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihoi65ZHRZRQkrGipUFRu6yYEPKvh4mlQH6UXAPZhO-hnq8gzug7oGlXuERhlgjSPdeJu2Z2gQlzeUfOIrDSAzKjMCcnKDFTjS16NarmCroHxT5K2Feghf0TH-Yz0y9VC-1OE6CP1R3Ok/s1600/s1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihoi65ZHRZRQkrGipUFRu6yYEPKvh4mlQH6UXAPZhO-hnq8gzug7oGlXuERhlgjSPdeJu2Z2gQlzeUfOIrDSAzKjMCcnKDFTjS16NarmCroHxT5K2Feghf0TH-Yz0y9VC-1OE6CP1R3Ok/s320/s1.png" height="234" width="320" /></a></div>
<div>
After some inspection it was obvious that the JavaScript prompt was not really doing anything but blocking the page. There was no communication with the network, thus the flag must be client side and found in the source. Solution: I fetched the page via <code>wget</code> and looked at the source. I could have used other tricks to disable the prompt; however, these require timing and Chrome has an annoying habit of temporarily disabling other things like the dev tools when there is a prompt.<br />
<br />
On fetching the page, this is what I saw at the bottom:<br />
<br />
<pre class="brush: js">var p = prompt('Enter Password: ','here');
if (p == "yes_its_correct")
alert('The flag is: and_you_thot_javascript_was_fun');
else
window.location.reload();
</pre>
</div>
<div>
<br />
So that wraps up #2.
<br />
<br />
<b>Commentary:</b> This was a pretty good newbie problem since both the realization that the flag is in the source code and its extraction can be done in many ways.<br />
<h3>
</h3>
<h2 style="text-align: left;">
3: Strong</h2>
<div style="text-align: left;">
<br /></div>
</div>
<div>
Hint: Yes you are right, what you see is the real password, but are u copy pasting it?</div>
<div>
<br /></div>
<div>
In this one, there was <a href="http://bp.nettech.in/probs/strong.php">a page</a> with a text box that we had to enter a password into. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoTm3l3sjw_e76fBBX7JzOhF4o5cPMNs9DJtTtORl0IFsECwfzcDyCfrJO1omVLapQeUMeXMy371t0sJ0n7L0hyphenhyphen58PFOWveU4ABqCHkP-9Lzr_af3vJkJ2EVWyMY4on5kqKXxSNCxuqfs/s1600/s1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoTm3l3sjw_e76fBBX7JzOhF4o5cPMNs9DJtTtORl0IFsECwfzcDyCfrJO1omVLapQeUMeXMy371t0sJ0n7L0hyphenhyphen58PFOWveU4ABqCHkP-9Lzr_af3vJkJ2EVWyMY4on5kqKXxSNCxuqfs/s320/s1.png" height="157" width="320" /></a></div>
<div>
<br /></div>
<div>
Of course, the first thing I did was copy paste the text "very strong", "easy to crack" and "very strong but easy to crack!" into the box. None worked, however I noticed that the last one was truncated. This was due to a <code>maxlength</code> attribute on the text box, which was easily removed, giving the flag <code>what_you_c_is_the_passwd</code>.</div>
<div>
<br /></div>
<div>
<b>Commentary</b>: Similar to #1, the text had an exclamation mark (though this was not the flag text). This was also a pretty good newbie problem; not everyone knows about editing HTML on the spot and this is a good introduction.<br />
<br />
<h2 style="text-align: left;">
4: 3 Users</h2>
</div>
<div>
Hint: Try downloading the source code and changing the names<br />
<br />
<a href="http://bp.nettech.in/probs/3users.php">This one</a> had a login page with a dropdown of 3 items to select the user. The password was given, however there was a restriction on the <i>username</i> that was displayed when you try to log in.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHftxVgKFp-ybFMzdVeJTiTLGgBSfWTkkBp85Kkk0odsFQjY01OHMWdci1PqWxYS27s7IzkgPcI2MkMPE3fEEIUVJmk56C-PplWH9cIb_atA5q85cNXZKpcmqrvYvG3iHjI_SDKqicEW4/s1600/Screenshot+from+2014-01-05+12:29:40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHftxVgKFp-ybFMzdVeJTiTLGgBSfWTkkBp85Kkk0odsFQjY01OHMWdci1PqWxYS27s7IzkgPcI2MkMPE3fEEIUVJmk56C-PplWH9cIb_atA5q85cNXZKpcmqrvYvG3iHjI_SDKqicEW4/s320/Screenshot+from+2014-01-05+12:29:40.png" height="189" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpKSqcPKrlaNyGNDfSB8zYZHyEOOrbpXS3GpDASzEeU15ShqqGktZdKt2vFOrf4GBoBaYlz6wq_xTGYsK0c2m6WnNjHWTYzjRGwIwp5Q8csyHTURFUa8JoPrQ_wmWHf7k_yE4d_dv758k/s1600/Screenshot+from+2014-01-05+12:30:04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpKSqcPKrlaNyGNDfSB8zYZHyEOOrbpXS3GpDASzEeU15ShqqGktZdKt2vFOrf4GBoBaYlz6wq_xTGYsK0c2m6WnNjHWTYzjRGwIwp5Q8csyHTURFUa8JoPrQ_wmWHf7k_yE4d_dv758k/s320/Screenshot+from+2014-01-05+12:30:04.png" height="174" width="320" /></a></div>
<br />
<div>
The usernames in the dropdown were reshuffled names of the ones who were allowed by the server. Editing the HTML on the fly and fixing any one name gave the flag as <code>the_thrii_musketeers</code>.<br />
<br />
<b>Commentary: </b>Still pretty basic, by now I would expect some more challenging ones. At this point I'm pretty sure anyone who didn't know HTML manipulation would have learned it.<br />
<br />
<h2 style="text-align: left;">
5: Stega</h2>
</div>
<div>
Hint: Download the pics in the same folder</div>
<div>
<br /></div>
<div>
We were taken to <a href="http://bp.nettech.in/probs/stega/index.html">this page</a>:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.stack.imgur.com/RsisE.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.stack.imgur.com/RsisE.png" height="173" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<a href="http://bp.nettech.in/probs/stega/second.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://bp.nettech.in/probs/stega/second.bmp" /></a><a href="http://bp.nettech.in/probs/stega/first.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://bp.nettech.in/probs/stega/first.bmp" /></a><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Opening the images in new tabs and scroll-switching between the two revealed the hidden message (<a href="http://i.stack.imgur.com/Uyc9a.gif">animation</a>), "LOL APE". Removing the space created the flag.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h2 style="text-align: left;">
6: Reverseit</h2>
<div>
Hint: Read the tutorial :P</div>
<div>
<br /></div>
<div>
There was <a href="http://bp.nettech.in/probs/lolest.php">a tutorial</a> on ollydbg and a link to an exe. Basically, we had to reverse engineer the application and find the correct password for it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvIChf1WJkhIw52BuEnesqWyyBxkiXYULMGYU-Y0nxQAF0vhJ_6Ly-wOJr21rfVHaYNql9B5u39lHSu7r8ba50po-IOArlvxDL5bYUPmCaAxFU_h0TAsQchX8LnaSZ0xfnKldG8Vmb0MQ/s1600/Screenshot+from+2014-01-05+15:20:22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvIChf1WJkhIw52BuEnesqWyyBxkiXYULMGYU-Y0nxQAF0vhJ_6Ly-wOJr21rfVHaYNql9B5u39lHSu7r8ba50po-IOArlvxDL5bYUPmCaAxFU_h0TAsQchX8LnaSZ0xfnKldG8Vmb0MQ/s320/Screenshot+from+2014-01-05+15:20:22.png" height="129" width="320" /></a></div>
<br /></div>
<div>
Unfortunately, I was on my Ubuntu boot, and being lazy I didn't want to reboot to Windows just to use ollydbg. I could run the exe with WINE, and for that matter ollydbg too, but I decided to try my hand at it with <code>gdb</code>, the in-built disassembler that I have very little experience with. Till now in CTFs I have not participated much in reversing; while I know which tools to use, I am not too familiar with x86 assembly, am pretty clumsy with the tools, and am apt to get lost in the code. So this was a pretty new experience for me. Fortunately I have learned the 8085 assembly and know a bit about modern assembly.<br />
<br />
So, on running <code>gdb</code> on the program and then <code>disas main</code>, I got the following <a href="http://pastebin.com/9VPf0CU3">disassembled code</a>. Most of it wasn't really necessary to look at; what we're interested in are the jump statements. There are a bunch of <code>jne 0x4014b6 <main+200></code>s in the middle, all going to the same location -- most probably these are nested ifs or something similar. The relevant bit is:
<br />
<pre> 0x00401496 <+168>: cmpb $0x41,-0x18(%ebp)
0x0040149a <+172>: jne 0x4014b6 <main+200>
0x0040149c <+174>: cmpb $0x62,-0x17(%ebp)
0x004014a0 <+178>: jne 0x4014b6 <main+200>
0x004014a2 <+180>: cmpb $0x68,-0x16(%ebp)
0x004014a6 <+184>: jne 0x4014b6 <main+200>
0x004014a8 <+186>: cmpb $0x69,-0x15(%ebp)
0x004014ac <+190>: jne 0x4014b6 <main+200>
0x004014ae <+192>: cmpb $0x6b,-0x14(%ebp)
0x004014b2 <+196>: jne 0x4014b6 <main+200>
</pre>
</div>
<div>
<br />
What we see here are some comparison statements, each followed by a "jump if not equal to" statement. A literal hex number is compared with a part of a register, and if the two are not equal, the program jumps out, ending itself. This seems to be a likely candidate for the string comparison. Collecting all the literals together we get the hex string <code>41:62:68:69:6b</code> (colons separate letters), which converts to "Abhik", which turns out to be the key.<br />
<br />
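The collection of literals described above can be done mechanically. This is an added example, not part of the original post: it parses the quoted gdb lines, where each <code>cmpb</code> checks an immediate byte against one byte at an offset from <code>%ebp</code>, and orders the bytes by that offset rather than by instruction order, so it still works if a compiler emits the checks in a different order. The function names are made up for this sketch.

```python
import re

# The comparison lines quoted above (AT&T syntax, as printed by gdb).
DISASSEMBLY = """\
   0x00401496 <+168>: cmpb $0x41,-0x18(%ebp)
   0x0040149a <+172>: jne 0x4014b6 <main+200>
   0x0040149c <+174>: cmpb $0x62,-0x17(%ebp)
   0x004014a0 <+178>: jne 0x4014b6 <main+200>
   0x004014a2 <+180>: cmpb $0x68,-0x16(%ebp)
   0x004014a6 <+184>: jne 0x4014b6 <main+200>
   0x004014a8 <+186>: cmpb $0x69,-0x15(%ebp)
   0x004014ac <+190>: jne 0x4014b6 <main+200>
   0x004014ae <+192>: cmpb $0x6b,-0x14(%ebp)
   0x004014b2 <+196>: jne 0x4014b6 <main+200>
"""

# cmpb $0xNN,<offset>(%ebp): immediate byte, then the %ebp-relative offset.
CMPB = re.compile(
    r"cmpb\s+\$0x([0-9a-f]{1,2}),\s*(-?0x[0-9a-f]+)\(%ebp\)", re.IGNORECASE)


def compared_bytes(disassembly):
    """Map each %ebp-relative offset to the immediate byte it is compared with."""
    found = {}
    for line in disassembly.splitlines():
        m = CMPB.search(line)
        if m:
            found[int(m.group(2), 16)] = int(m.group(1), 16)
    return found


def contiguous_strings(found):
    """Join bytes at consecutive offsets; a gap in the offsets starts a new string."""
    runs, current, previous = [], bytearray(), None
    for offset in sorted(found):
        if previous is not None and offset != previous + 1:
            runs.append(bytes(current))
            current = bytearray()
        current.append(found[offset])
        previous = offset
    if current:
        runs.append(bytes(current))
    return [run.decode("ascii", "replace") for run in runs]


if __name__ == "__main__":
    print(contiguous_strings(compared_bytes(DISASSEMBLY)))
```

A check compiled this way puts the expected input in the binary in plain sight, which is why client-side password comparisons like this one offer no real protection.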
<b>Commentary:</b> I had fun here. I believe that we were expected to do it differently, using ollydbg's powerful toolset, but regardless mucking around in not-too-complicated assembly is enjoyable. Reversing is a rather useful and important skill, this exercise gives an introduction from which others can learn.<br />
<br />
<h2 style="text-align: left;">
7: Ground Zero</h2>
Hint: is 1 = 1 ? What does the doctor give you when you are ill (am not talking abt tablets)<br />
<br />
<a href="http://bp.nettech.in/probs/ground0/index.php">The page</a> was a simple login form:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihafbbWmaIjHW2rTuT9ME4NAmGZe2fJd7087Ue3So2nkhEp0jHcK5WUuMrbgvQTQIhfPUv_B2uDRCHC-RV14EpwkPhsVnHfinrE0mlXajGQIPNFkvlQ6_ehrILR9l3tbNHztK4EfWTGzI/s1600/Screenshot+from+2014-01-05+15:34:39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihafbbWmaIjHW2rTuT9ME4NAmGZe2fJd7087Ue3So2nkhEp0jHcK5WUuMrbgvQTQIhfPUv_B2uDRCHC-RV14EpwkPhsVnHfinrE0mlXajGQIPNFkvlQ6_ehrILR9l3tbNHztK4EfWTGzI/s320/Screenshot+from+2014-01-05+15:34:39.png" height="170" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Even if you didn't get it from the hint, the first thing one tries on a login form in a CTF is SQL injection. Most CTFs have very little injection (or the ones that they have are still hard), but it's always something you try out, just in case.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After some mucking around, I was able to get the input with username <code>Manishearth</code> and password <code>' or '1'=1;#</code> to work. For some reason the usual MySQL commenting style, <code>--</code>, wasn't working (I'm pretty sure the db was MySQL), but the pound symbol worked.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
The flag was <code>sunny_days_kill_the_db</code></div>
</div>
<div>
<br /></div>
<div>
<b>Commentary:</b> A pretty simple injection exercise, but very useful for those new to it.<br />
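Why the login above fell over, and what fixes it, as an added example that is not part of the original post or the challenge's code. It uses an in-memory SQLite database; the table layout, the stored account and the function names are assumptions, and the injected password is the input above with MySQL's <code>#</code> comment swapped for SQLite's <code>--</code>.

```python
import sqlite3

# The post's input, adapted to SQLite's comment syntax (constructed sample).
INJECTED_PASSWORD = "' OR '1'='1' --"


def make_db():
    """Constructed one-user table; plaintext password only to keep the sample short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concatenated(db, username, password):
    """Vulnerable form: user input becomes part of the SQL text itself."""
    query = ("SELECT COUNT(*) FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    try:
        return db.execute(query).fetchone()[0] > 0
    except (sqlite3.Error, sqlite3.Warning):
        return False  # malformed SQL: treat as a failed login


def login_parameterized(db, username, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    # With concatenation the WHERE clause becomes
    #   (username = 'Manishearth' AND password = '') OR '1'='1'
    # which is true for every row, so the count is non-zero.
    print("concatenated: ", login_concatenated(db, "Manishearth", INJECTED_PASSWORD))
    # With bound parameters the same text is just a wrong password.
    print("parameterized:", login_parameterized(db, "Manishearth", INJECTED_PASSWORD))
```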
<br />
<h2 style="text-align: left;">
8: Unauthorized</h2>
Hint: Im hungry, what should I eat?</div>
<div>
<br /></div>
<div>
This was a simple <a href="http://bp.nettech.in/probs/unauthorized.php">page</a> that said "You are not authorized!". Looking at the cookies, there is an <code>auth</code> session cookie:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXqiAMNAJ46PLMjpPIPmR0ELmxWy__GiODegRYjYYu2mmLqJG1Qwyb8tFELH4EcIHub3OSGgAxTBkGXZHUEdlZQQNHWmDQEkN6-skZp5TEhukF2juIMCLfcHmTaJnRRdTmJdGsR1fJl3Q/s1600/Screenshot+from+2014-01-05+15:46:34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXqiAMNAJ46PLMjpPIPmR0ELmxWy__GiODegRYjYYu2mmLqJG1Qwyb8tFELH4EcIHub3OSGgAxTBkGXZHUEdlZQQNHWmDQEkN6-skZp5TEhukF2juIMCLfcHmTaJnRRdTmJdGsR1fJl3Q/s1600/Screenshot+from+2014-01-05+15:46:34.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
This can be edited (I used the <a href="https://chrome.google.com/webstore/detail/edit-this-cookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en">Edit This Cookie</a> Chrome Extension but there are many others) to yes, and you get the flag as <code>c00kies_are_sweet</code>.<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Commentary:</b> A good introduction to cookie manipulation. Some frameworks (I recall seeing this in a Sinatra webapp in a CTF) have vulnerabilities where you can get enough details to forge session cookies. While one would never have such an easily forged "auth" cookie on the client side, the fact that cookies can be forged easily opens up a new window to things.</div>
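The difference between the challenge's cookie and one a client cannot edit, as an added example that is not part of the original post. The <code>user|level</code> value layout, the function names and the key handling are assumptions for this sketch; it uses only Python's standard <code>hmac</code> module.

```python
import hashlib
import hmac
import secrets


def naive_is_authorized(cookies):
    """The pattern from the challenge: the client states its own access level."""
    return cookies.get("auth") == "yes"


def sign(value, key):
    """Return value plus an HMAC-SHA256 tag computed with a server-only key."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "%s.%s" % (value, tag)


def verify(cookie, key):
    """Return the signed value if the tag matches, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a bare "yes"
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many
    # leading characters of a guessed tag were right.
    if hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return value
    return None


def signed_level(cookies, key):
    """Return (user, level) from a valid cookie, or None if it was tampered with."""
    value = verify(cookies.get("auth", ""), key)
    if value is None or "|" not in value:
        return None
    user, level = value.split("|", 1)
    return user, level


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # stays on the server
    issued = sign("alice|no", key)         # what the server sets for alice
    forged = "alice|yes." + issued.rpartition(".")[2]  # value edited, old tag kept
    print(naive_is_authorized({"auth": "yes"}))  # True: editing the cookie works
    print(signed_level({"auth": issued}, key))   # ('alice', 'no')
    print(signed_level({"auth": forged}, key))   # None: the tag no longer matches
```

Signing only stops tampering; the value is still readable by the client, so anything secret belongs in server-side session state instead.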
<div style="text-align: left;">
<br /></div>
<h2 style="text-align: left;">
9: minorTweak</h2>
</div>
Hint: Its hidden!</div>
<div dir="ltr" trbidi="on">
<br /></div>
<div dir="ltr" trbidi="on">
<a href="http://bp.nettech.in/probs/profiles/index.php">Another login box</a>, this time with a registration form.</div>
<div dir="ltr" trbidi="on">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfVzvO97_cODFmSttDDaVcmEA_SInr2aszD9J7hEUzEekbxtlTcEWLWde3MBxMXAovRdBQ_1zKwW3bV-puz_ofHeCvHnzthcxk6I9neQ6MogCL0ihD2_lZ5jRLyVUIfaJwXGGKgsn4UpI/s1600/Screenshot+from+2014-01-05+19:53:20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfVzvO97_cODFmSttDDaVcmEA_SInr2aszD9J7hEUzEekbxtlTcEWLWde3MBxMXAovRdBQ_1zKwW3bV-puz_ofHeCvHnzthcxk6I9neQ6MogCL0ihD2_lZ5jRLyVUIfaJwXGGKgsn4UpI/s320/Screenshot+from+2014-01-05+19:53:20.png" height="147" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Registering normally would create an account which one can log in to, but there was nothing special there.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This one was pretty easy; there was a hidden input element called <code>level</code> in the registration form. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpWYt8doIY_9Tqi9xEEpZIVDn3N7EKRX7tISEDrR8EkIc8PWZ8BtSwK84gBFJoNJjkAWrwK8kFZ0oWMkw5Vx4XTOaBeCMprxFeJ0R6durhFYzE2cWToZDjc-XphR8LD6gnR5ORGYVzk4s/s1600/Screenshot+from+2014-01-05+19:55:54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpWYt8doIY_9Tqi9xEEpZIVDn3N7EKRX7tISEDrR8EkIc8PWZ8BtSwK84gBFJoNJjkAWrwK8kFZ0oWMkw5Vx4XTOaBeCMprxFeJ0R6durhFYzE2cWToZDjc-XphR8LD6gnR5ORGYVzk4s/s320/Screenshot+from+2014-01-05+19:55:54.png" height="91" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Setting it to one and registering got you to a page which listed all users and passwords. One of the passwords was a flag:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRm2wedyXLaE51SJLNy-3FhMy-Tax1ftFg8cn7X7OgmKmF30VzFe0GLpN1B7JLe-_wijZr8xRFPMwafI2qGlPbU24pc7d_ypgov9a3jhIAFkAC2AJN3Q9_s4BWdZWYDrm46yDN5XR25Cg/s1600/Screenshot+from+2014-01-05+19:57:57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRm2wedyXLaE51SJLNy-3FhMy-Tax1ftFg8cn7X7OgmKmF30VzFe0GLpN1B7JLe-_wijZr8xRFPMwafI2qGlPbU24pc7d_ypgov9a3jhIAFkAC2AJN3Q9_s4BWdZWYDrm46yDN5XR25Cg/s320/Screenshot+from+2014-01-05+19:57:57.png" height="185" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Commentary:</b> This was essentially about finding HTML worth manipulating again. By now I was a bit tired of these, since for simple apps these stand out from a quick look at the source.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h2 style="text-align: left;">
10: What Now?</h2>
<div>
Hint: You need to post it</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsxGnJKIrqTVN0r9byKORpz5vfjGZjaJZHVLeYM1m6AG12N1xqKhxWO9JWAltDk1dr_xQHc4cZBKpQ6crrOLRGuWIG6qkim_WORW-SXHqIguQbVUfPwki2_UinqpWD8cUYm5BFbbBCpF4/s1600/Screenshot+from+2014-01-05+20:03:00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsxGnJKIrqTVN0r9byKORpz5vfjGZjaJZHVLeYM1m6AG12N1xqKhxWO9JWAltDk1dr_xQHc4cZBKpQ6crrOLRGuWIG6qkim_WORW-SXHqIguQbVUfPwki2_UinqpWD8cUYm5BFbbBCpF4/s320/Screenshot+from+2014-01-05+20:03:00.png" height="139" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://bp.nettech.in/probs/whatnow.php">Here</a> we had a username and password, but no place to put it. Or so it seemed. Submitting a simple POST request to <code>whatnow.php</code> with the username and password parameters didn't work.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
However, what <i>did</i> work was tacking on an extra key-value pair to the POST request, <code>submit:submit</code>. Submit buttons in HTML forms are full-fledged input elements (this is by design; one may want to use more than one submit button and have the choice get recorded), with names and values, and the value of a submit button is also displayed on the button. By default, most people use <code><input type=submit name=submit value=Submit></code>, so plugging in the extra key-value pair led to the flag, "stop_me_if_uoy_can".</div>
<div>
<br />
<h2 style="text-align: left;">
11: Strange Crack</h2>
</div>
<div style="text-align: left;">
Hint: Is it an exe file?</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
There was a <a href="http://bp.nettech.in/probs/strange_crack/index.php">simple page</a> linking to <a href="http://bp.nettech.in/probs/strange_crack/flag.exe">an exe</a> that doesn't work.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This was fairly straightforward, though it is a good exercise in understanding file types. Almost all binary files have <i>some</i> text in them. Part of it is supposed to be easily searchable text (like artist data for a sound file), part of it has to do with the format and protocol. <i>Usually</i> there is some string that uniquely identifies its correct format. Here, running <code>strings flag.exe</code> led to:</div>
<div style="text-align: left;">
<br /></div>
<div>
<pre>RIFF
WAVEfmt
LIST(
INFOINAM
IART
Binary_Pirates
data
z L .
</pre>
<br />
The first two strings uniquely identify it as a WAV file. Renaming to WAV and running it led to some squabbly gibberish, however on opening in Audacity and considerably slowing down the speed, the words "The flag is waves2009" could be heard.<br />
<br />
<b>Commentary:</b> I really liked the file format bit. While not uncommon in CTFs (where it is just a first step to a more elaborate problem that is usually beyond my grasp), understanding that the extension is not all that can help you learn the file format is pretty important. However, the file was pretty garbled and, when slowed down to normal speed, the "waves" bit had been spoken pretty quickly and was mashed together, making it hard to understand even after tweaking the speed/tempo a bit. I guess some more enunciation would have been good.<br />
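<div>
Added example (not from the original post): a content-based type check in Python that reads the file signature instead of trusting the extension, then walks the RIFF chunks whose IDs showed up in the <code>strings</code> output above. The sample WAV bytes, the title tag and all function names are constructed for illustration.</div>

```python
import os
import struct

# Extensions we accept for each detected type (illustrative table).
EXT_BY_TYPE = {"pe": {".exe", ".dll"}, "wav": {".wav"}, "rar": {".rar"}}


def build_sample_wav() -> bytes:
    """Constructed sample: a tiny WAV with a LIST/INFO chunk, shaped like the challenge file."""
    def chunk(cid: bytes, payload: bytes) -> bytes:
        pad = b"\x00" if len(payload) % 2 else b""      # RIFF chunks are word-aligned
        return cid + struct.pack("<I", len(payload)) + payload + pad

    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)  # PCM, mono, 8 kHz, 8-bit
    info = (b"INFO"
            + chunk(b"INAM", b"constructed title\x00")
            + chunk(b"IART", b"Binary_Pirates\x00"))
    body = b"WAVE" + chunk(b"fmt ", fmt) + chunk(b"LIST", info) + chunk(b"data", bytes(16))
    return b"RIFF" + struct.pack("<I", len(body)) + body


def sniff(data: bytes) -> str:
    """Identify a file from its leading bytes, ignoring its name."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    if data[:6] == b"Rar!\x1a\x07":
        return "rar"
    return "unknown"


def riff_chunks(data: bytes, start: int = 12):
    """Yield (chunk_id, payload) pairs; tolerates padding bytes and truncated files."""
    pos, end = start, len(data)
    while pos + 8 <= end:
        cid = data[pos:pos + 4].decode("ascii", "replace")
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield cid, data[pos + 8:min(pos + 8 + size, end)]
        pos += 8 + size + (size & 1)


def wav_info(data: bytes) -> dict:
    """Collect the INFO tags (INAM = title, IART = artist) from a WAV file."""
    tags = {}
    for cid, payload in riff_chunks(data):
        if cid == "LIST" and payload[:4] == b"INFO":
            for tag, value in riff_chunks(payload, start=4):
                tags[tag] = value.rstrip(b"\x00").decode("latin-1")
    return tags


def check_name(filename: str, data: bytes):
    """Return (detected_type, extension_matches_content)."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    return kind, ext in EXT_BY_TYPE.get(kind, set())


if __name__ == "__main__":
    sample = build_sample_wav()
    print(check_name("flag.exe", sample), wav_info(sample))
```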
<br />
<h2 style="text-align: left;">
12: Browser</h2>
Hint: You might need to install something</div>
<div>
<br /></div>
<div>
<a href="http://bp.nettech.in/probs/browser.php">The page</a> was an error page, which advised the user to use the csd_bpgc_v4.1 browser.</div>
<div>
<br /></div>
<div class="separator" style="clear: both;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicmcOUKmzOAQvb9lnY3RQEEMNtMrJgI4_InLj44bMuQ87ZfPtNPPWSX3frNDcV9aGVbg46NI7nFmqSGciOAd_lLxxuKC5_PNP9uSzNHJCpsN2DiqYpMnrvcLMXAfWz6UjNtO2vj1hGrlY/s1600/Screenshot+from+2014-01-05+20:30:17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicmcOUKmzOAQvb9lnY3RQEEMNtMrJgI4_InLj44bMuQ87ZfPtNPPWSX3frNDcV9aGVbg46NI7nFmqSGciOAd_lLxxuKC5_PNP9uSzNHJCpsN2DiqYpMnrvcLMXAfWz6UjNtO2vj1hGrlY/s320/Screenshot+from+2014-01-05+20:30:17.png" height="110" width="320" /></a></div>
<div style="text-align: left;">
Without pausing to check if this CSD thing really was a browser (apparently it's not, it is the user agent of a bot), I simply used <a href="https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg/related">User Agent Switcher</a> to make Chrome pretend to be the browser. This worked, and the flag was found.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Commentary:</b> User agent manipulation is again a form of client side manipulation, but it's a useful one to use while testing applications. Of course, it doesn't emulate the browser, however it makes the server think that the browser is different.</div>
<div style="text-align: left;">
<br /></div>
<h2 style="text-align: left;">
13: OBL Network Login</h2>
Hint: What do you do when you forget to have lunch/dinner and start feeling hungry, (assume that maggi is not available)<br />
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<a href="http://bp.nettech.in/probs/obl_login/index.php">Here</a> there was a login page with the username and password already out there.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiddpWENWwTP6FD4MVSgyJDf8g-3oIv1ffzUrhWf8_Pd-FY9iWbM4n1LaORsh3KUTRG_5CE4_qI4l3iTG7KrKiPP1OPzLH638zpzqmOa57V5iUPlH5Wyk-2I1T71fBHdqMwxsyimBPllPw/s1600/Screenshot+from+2014-01-05+20:37:48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiddpWENWwTP6FD4MVSgyJDf8g-3oIv1ffzUrhWf8_Pd-FY9iWbM4n1LaORsh3KUTRG_5CE4_qI4l3iTG7KrKiPP1OPzLH638zpzqmOa57V5iUPlH5Wyk-2I1T71fBHdqMwxsyimBPllPw/s320/Screenshot+from+2014-01-05+20:37:48.png" height="271" width="320" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Logging in worked, but there was nothing interesting once logged in.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
There was a reference to an access log in the comments</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGWeMqbcgSAeBIR0MC4p614oa7Ku3Eq0BSrZuxWNYsJ7Te6VRqHln_YzRv5bbmcCaFIWiYF7fvt5iFuFL-athimsS1_O1AU_f147FXh7TQXOWjP5JSHsCV8-U8rFGZn3D8RUenpn1ncEw/s1600/Screenshot+from+2014-01-06+01:46:04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGWeMqbcgSAeBIR0MC4p614oa7Ku3Eq0BSrZuxWNYsJ7Te6VRqHln_YzRv5bbmcCaFIWiYF7fvt5iFuFL-athimsS1_O1AU_f147FXh7TQXOWjP5JSHsCV8-U8rFGZn3D8RUenpn1ncEw/s1600/Screenshot+from+2014-01-06+01:46:04.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Looking at access.log, there were three users: roran, eragon, and binary_pirate. Eragon was an admin.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
Of course, I now have to log in as Eragon. SQL injection wasn't working, so I had a look at the cookies. There was a separate login_user cookie that contained a hex string. It looked like a hash, so I checked and it was indeed the md5 hash of the username. So all I had to do was edit the cookie to the md5 of "eragon", after which I got the flag, kage_bunshin_no_jutsu.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b>Commentary: </b>While I managed this one pretty quickly, this probably was a matter of luck. This was a wonderful mix of "forgetfulness" and an insecure implementation of session cookies. Unlikely in practice but there are many vulnerabilities along these lines found today.</div>
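<div>
Added example (not the challenge's code, which the post does not show): the cookie scheme as described above, next to an HMAC-signed alternative that the client cannot recompute. The roles for roran and binary_pirate, the key handling and the function names are assumptions.</div>

```python
import hashlib
import hmac
import secrets
import time

# Usernames from the access log in the post; only eragon's admin role is stated there.
USERS = {"roran": "user", "eragon": "admin", "binary_pirate": "user"}


# --- Weak scheme as described: cookie value = md5(username) ---
def weak_issue(username: str) -> str:
    return hashlib.md5(username.encode()).hexdigest()


def weak_resolve(cookie: str):
    """Anyone who knows a username can compute this value without the server."""
    for name in USERS:
        if cookie == weak_issue(name):
            return name
    return None


# --- Hardened: the cookie carries a MAC made with a key only the server holds ---
SERVER_KEY = secrets.token_bytes(32)   # assumption: generated per deployment, kept server-side


def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue(username: str, ttl: int = 3600, now=None) -> str:
    issued_at = time.time() if now is None else now
    payload = f"{username}|{int(issued_at + ttl)}"
    return f"{payload}|{_tag(payload)}"


def resolve(cookie: str, now=None):
    """Return the username only if the MAC verifies and the cookie has not expired."""
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return None
    username, expires, tag = parts
    expected = _tag(f"{username}|{expires}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):   # constant-time compare
        return None
    current = time.time() if now is None else now
    if not expires.isdigit() or int(expires) < current:
        return None
    return username if username in USERS else None
```

A random, server-side session identifier avoids putting the username in the cookie at all; the signed form is shown because it is the smallest change to the scheme in the post.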
<div class="separator" style="clear: both;">
<br /></div>
<h2 style="text-align: left;">
14: RARE crack</h2>
<div>
Hint: you need to FORCE it</div>
<div>
<br /></div>
<div>
We were given <a href="http://bp.nettech.in/probs/flag.rar">a rar file</a> which was password protected with the first half of a Goan phone number.</div>
<div>
<br /></div>
<div>
This looked like something brute forceable (especially obvious if you look at the hint). We know that the number is a 5 digit one starting with a 9 (Unfortunately, as a Mumbaikar, I don't know the exact Goan cell phone number ranges). This could be easily brute forced using <code>unrar</code> and <code>itertools</code>, or alternatively a modified version of <a href="http://sourceforge.net/projects/rarcrack/">rarcrack</a>. I kept the latter running in the background, while I tried to find out the phone number ranges for Goa and wrote the former. Never really got to use it though, I got the result as 96732, which gave me access to a text file containing the flag, GJQKMNAVQEXKRFPOISBWERF.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b>Conclusion:</b> Brute forcing is pretty boring, since it can be done with various tools and just takes time. As an introduction to the topic this is pretty good, though. This could have been made slightly more challenging by having the password start with a zero, making the method of forlooping through the integers no longer work.</div>
<div class="separator" style="clear: both;">
<br /></div>
<h2 style="text-align: left;">
15: Encrypto</h2>
<div>
Hint: What is so special of the number 49?</div>
<div>
<br /></div>
<div>
Here we were taken to <a href="http://bp.nettech.in/probs/encrypto.php">a page </a>with an encrypted string which we had to decode:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEaciF2sOReChyphenhyphen5IpGvZHhgWy4Nph4-9encg3_Lo3gAm60P8RmdEJ_bZUZgxs_xqBGlCQeuL_50630yJhZzy72bLnbCGXG_i_2Yp6nI6DtkkX6zMNnc-4MWnzHZsSBDBAAD0ocVf_xlWQ/s1600/Screenshot+from+2014-01-06+16:16:31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEaciF2sOReChyphenhyphen5IpGvZHhgWy4Nph4-9encg3_Lo3gAm60P8RmdEJ_bZUZgxs_xqBGlCQeuL_50630yJhZzy72bLnbCGXG_i_2Yp6nI6DtkkX6zMNnc-4MWnzHZsSBDBAAD0ocVf_xlWQ/s1600/Screenshot+from+2014-01-06+16:16:31.png" height="95" width="320" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
This obviously wasn't a substitution cipher as there was a double space involved. After trying out various simple ciphers, I tried the Caesar Box cipher, which worked. This cipher involves writing the characters out in a square, and reading down the columns.<br />
<br />
In this case, the box looks like:<br />
<br />
<pre>F E M H C I _
R _ E E U S A
O S _ _ L _ _
M U T R O O S
_ B O I U N T
T L _ D S L E
H I T I _ Y P
</pre>
</div>
<div>
<br />
Which gives the text "FROM THE SUBLIME TO THE RIDICULOUS IS ONLY A STEP", giving the flag "its_the_caesar_box"</div>
<div>
<br />
Being too lazy to write out the box myself, I used the following JS code:
<br />
<br /></div>
<div>
<pre class="brush:js">a="FEMHCI_R_EEUSAOS__L__MUTROOS_BOIUNTTL_DSLEHITI_YP"
// print the 49-character ciphertext as seven rows of seven characters
"\n"+a.substring(0,7)+"\n"+a.substring(7,14)+"\n"+a.substring(14,21)+"\n"+a.substring(21,28)+"\n"+a.substring(28,35)+"\n"+a.substring(35,42)+"\n"+a.substring(42,49)
</pre>
</div>
<div>
<b>Commentary:</b> I liked this one. While it dealt with an old and rarely used cipher, it was pretty fun.<br />
<br />
<h2 style="text-align: left;">
16: Crack-o-mania</h2>
</div>
<div>
Hint: See the instructions after reversing</div>
<div>
<br /></div>
<div>
In <a href="http://bp.nettech.in/probs/rev2_easy.php">this one</a> we were given an exe to download, which we had to figure out the password to.</div>
<div>
<br /></div>
<div>
With the same techniques as #6, I got <a href="http://pastebin.com/KTwDPkmJ">this disassembled code</a>. While the code was more complicated, with a lot of printing and other stuff, the main bit was the same as last time:</div>
<div>
<br /></div>
<div>
<pre> 0x004015b9 <+459>: cmpb $0x45,-0x38(%ebp)
0x004015bd <+463>: jne 0x40171c <main+814>
0x004015c3 <+469>: cmpb $0x4e,-0x37(%ebp)
0x004015c7 <+473>: jne 0x40171c <main+814>
0x004015cd <+479>: cmpb $0x54,-0x36(%ebp)
0x004015d1 <+483>: jne 0x40171c <main+814>
0x004015d7 <+489>: cmpb $0x45,-0x35(%ebp)
0x004015db <+493>: jne 0x40171c <main+814>
0x004015e1 <+499>: cmpb $0x52,-0x34(%ebp)
0x004015e5 <+503>: jne 0x40171c <main+814>
0x004015eb <+509>: cmpb $0x2d,-0x33(%ebp)
0x004015ef <+513>: jne 0x40171c <main+814>
0x004015f5 <+519>: cmpb $0x50,-0x32(%ebp)
0x004015f9 <+523>: jne 0x40171c <main+814>
0x004015ff <+529>: cmpb $0x41,-0x31(%ebp)
0x00401603 <+533>: jne 0x40171c <main+814>
0x00401609 <+539>: cmpb $0x53,-0x30(%ebp)
0x0040160d <+543>: jne 0x40171c <main+814>
0x00401613 <+549>: cmpb $0x53,-0x2f(%ebp)
0x00401617 <+553>: jne 0x40171c <main+814>
0x0040161d <+559>: cmpb $0x57,-0x2e(%ebp)
0x00401621 <+563>: jne 0x40171c <main+814>
0x00401627 <+569>: cmpb $0x4f,-0x2d(%ebp)
0x0040162b <+573>: jne 0x40171c <main+814>
0x00401631 <+579>: cmpb $0x52,-0x2c(%ebp)
0x00401635 <+583>: jne 0x40171c <main+814>
0x0040163b <+589>: cmpb $0x44,-0x2b(%ebp)
0x0040163f <+593>: jne 0x40171c <main+814>
0x00401645 <+599>: cmpb $0x3a,-0x2a(%ebp)
0x00401649 <+603>: jne 0x40171c <main+814>
0x0040164f <+609>: cmpb $0x28,-0x29(%ebp)
0x00401653 <+613>: jne 0x40171c <main+814>
0x00401659 <+619>: cmpb $0x0,-0x28(%ebp)
0x0040165d <+623>: jne 0x40171c <main+814></pre>
<br />
</div>
<div>
<br /></div>
<div>
The ascii codes for the literals in the <code>cmpb</code> statements translate to "ENTER-PASSWORD:(", which is the key.<br />
<br />
<b>Commentary: </b>I believe this one would have been trickier via ollydbg, since the contestants had been trained to use the "find strings" feature. In this case the "ENTER-PASSWORD:" would have seemed to be part of the output and not the input, so the question would have to be solved by stepping through. With <code>gdb</code> it was more or less the same problem, just with more assembly to sift through. Still had fun with this one.<br />
<br />
<br />
<h2 style="text-align: left;">
17: Warn</h2>
</div>
<div>
Hint: Look above<br />
<br />
(I have found a vulnerability, but not yet solved this one)<br />
<br />
We were taken to <a href="http://bp.nettech.in/probs/warning_mesg.php">a page with a login screen</a> that provided credentials:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuEvgkxmfQywxZ_v5NBsCSAHUoUX69q6pD66rE_4j1yz5O73RoLyZe-ghpU8obBIjV2p0Ds-JNGFD5YoMEUoaMDCoHjCEYjlx8-jQZgmuraAR1MzFh-7Zn_AFw5r9CkC1Vy9UBSmmjQ5o/s1600/Screenshot+from+2014-01-07+17:53:38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuEvgkxmfQywxZ_v5NBsCSAHUoUX69q6pD66rE_4j1yz5O73RoLyZe-ghpU8obBIjV2p0Ds-JNGFD5YoMEUoaMDCoHjCEYjlx8-jQZgmuraAR1MzFh-7Zn_AFw5r9CkC1Vy9UBSmmjQ5o/s1600/Screenshot+from+2014-01-07+17:53:38.png" height="189" width="320" /></a></div>
<br /></div>
<div>
On login, a message appears "You need to warn the server with the message 'vulnerable'.". Interesting.<br />
<br />
After mucking around a bit, I realized that the page was vulnerable to array-ification of the inputs. Editing the <code>name</code>s of the inputs so that they become arrays,<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4UhaOECx7mj-bw3yFJCHHDvPtPvdEIk8cGJ8g1KhODuV8ZDIjf67mgEutlZmUi2jBjaQ0ywF6JQqwwf9TotMJ0WV2w7Fzy6hueVpvW5RTahUvppYfwBF3thcCnrTGv-E7cUvmCXxUIIA/s1600/Screenshot+from+2014-01-07+18:11:21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4UhaOECx7mj-bw3yFJCHHDvPtPvdEIk8cGJ8g1KhODuV8ZDIjf67mgEutlZmUi2jBjaQ0ywF6JQqwwf9TotMJ0WV2w7Fzy6hueVpvW5RTahUvppYfwBF3thcCnrTGv-E7cUvmCXxUIIA/s1600/Screenshot+from+2014-01-07+18:11:21.png" height="100" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
one can log in with any username or password.<br />
<br />
Why does this work? This is made evident from the warning messages shown when you try it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8H9Pva0uV_Vkhm8b_C9kgATPxlOdo3b-RgqpEeSrrTZVA3k81BSFDwPVffSBypqM5cbJLwCvHFrDfus_cYGnOY8FH4dxS4zo7iyMu7ko6YirjA_P5cX32UaxDQ1-n28gH3OPvgGzkuno/s1600/Screenshot+from+2014-01-07+18%253A11%253A21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8H9Pva0uV_Vkhm8b_C9kgATPxlOdo3b-RgqpEeSrrTZVA3k81BSFDwPVffSBypqM5cbJLwCvHFrDfus_cYGnOY8FH4dxS4zo7iyMu7ko6YirjA_P5cX32UaxDQ1-n28gH3OPvgGzkuno/s1600/Screenshot+from+2014-01-07+18%253A11%253A21.png" height="100" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx-l8Fl590XhH5KhHDiymIZquymrdceLSj99ouM492Kh1i_BlngxWmvP-F7Z68QsD-WqX2yze2KsVFVVVmIiLc5FBmvhjYBo_9rfQ7cLsAbxjfrAzg1ysRzIYDB1ES9hgpV3yI2oavkEg/s1600/Screenshot+from+2014-01-07+18:18:25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx-l8Fl590XhH5KhHDiymIZquymrdceLSj99ouM492Kh1i_BlngxWmvP-F7Z68QsD-WqX2yze2KsVFVVVmIiLc5FBmvhjYBo_9rfQ7cLsAbxjfrAzg1ysRzIYDB1ES9hgpV3yI2oavkEg/s1600/Screenshot+from+2014-01-07+18:18:25.png" height="105" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
PHP's <code>strcasecmp()</code> is being used here to check the password, and it does not like array inputs. The way it works is that it returns zero if the strings are equal, and -1 if they are not. However, if an input is invalid, it also returns something which evaluates to <code>false</code>; so passing an array to it can be used to bypass the string check.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
However, I was unable to warn the server with that message even by making every vulnerable field (username, password, submit, all of the free request headers) read "vulnerable"</div>
<br />
So I've not been able to complete the challenge, though I have found a vulnerability.<br />
<br />
<b>Commentary:</b> Since this one has stumped me, I like it a lot :) Array injection<br />
<br />
<h2 style="text-align: left;">
18: Patient's Nightmare</h2>
<div>
Hint: This is an old php server and allows simultaneous queries<br />
<br />
Here, we are shown <a href="http://bp.nettech.in/probs/patients_nightmare.php">another login form</a><br />
<br />
<br />
On submitting the page, some blending-in-with-background text appears with SQL code<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7e1Bvep9XQTp9IOWxVm2PPjuUAcp5TJ6c4RyaGnU1gUsOuETmwQZOuvxeBASk1j0iCoxas8cpF2fba7yU1bBXW4A6TVYD62BXkqDhEI6n-ZwV9rPU1ZNKmY1Ddek4xupfRcPThooPGBE/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7e1Bvep9XQTp9IOWxVm2PPjuUAcp5TJ6c4RyaGnU1gUsOuETmwQZOuvxeBASk1j0iCoxas8cpF2fba7yU1bBXW4A6TVYD62BXkqDhEI6n-ZwV9rPU1ZNKmY1Ddek4xupfRcPThooPGBE/s1600/Untitled.png" height="156" width="320" /></a></div>
<br />
<i>rubs palms</i> SQL injection time!<br />
<br />
So this one is different from most simple SQL injection logins in that most of them can be bypassed by tacking on an <code>or '1'=1</code> or anything else which evaluates to true because they usually are of the type where you <code>SELECT * FROM users WHERE username='$user' AND password='$pass'</code>. But here, they are <code>SELECT</code>ing the password and comparing it via PHP. So we have to make the SQL query return a fake password. This is doable with a <code>UNION</code> query.<br />
<br />
The following query worked:<br />
<code>' union select 'def' as password;#</code><br />
<br />
(with the password as "def")<br />
<br />
The flag was <code>the_nightmare_cms_true</code><br />
<br />
<b>Commentary: </b>The UNION query is not usually known to newbies, making this a rather challenging problem. I found it easy, but fun.<br />
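<div>
Added example, not the challenge's code: a Python/sqlite3 reconstruction of the login shape described above (select the stored password, then compare it in application code) next to a parameterized version. The table layout and stored password are constructed, and the payload ends in SQLite's <code>--</code> comment where the post's MySQL payload uses <code>#</code>.</div>

```python
import hmac
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_vulnerable(db, username: str, password: str) -> bool:
    # The username is pasted into the SQL text, so it can change the query's structure.
    sql = "SELECT password FROM users WHERE username='" + username + "'"
    row = db.execute(sql).fetchone()
    return row is not None and row[0] == password


def login_parameterized(db, username: str, password: str) -> bool:
    # The username travels as a bound value and is never parsed as SQL.
    row = db.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(str(row[0]).encode(), password.encode())


if __name__ == "__main__":
    db = make_db()
    union = "' UNION SELECT 'def' AS password --"
    # A tautology returns the real row, whose password still has to match.
    print(login_vulnerable(db, "' OR '1'='1", "x"))
    # The UNION makes the query return a password chosen by the client.
    print(login_vulnerable(db, union, "def"))
    # Bound as data, the same input is just an unknown username.
    print(login_parameterized(db, union, "def"))
```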
<br />
<h2 style="text-align: left;">
Problem 19</h2>
<div>
Hint: You need to supply something, something which you should avoid doing with a fool</div>
<div>
<br /></div>
<div>
Here we were given another exe (<a href="http://pastebin.com/YJ5jay1H">disassembled code</a>), and the text:</div>
<div>
<br /></div>
<a href="http://bp.nettech.in/probs/lolest_crack_rev3.exe">Download</a> the file, try to crack it till you get the message, "correct!". <br />
Concatenate the strings you entered and submit it to the scoring server. Do not leave any blank space in your answer.</div>
</div>
<div>
<br /></div>
<div>
In this case, looking at the assembly code (or the hint), we had to provide arguments. Specifically, <i>two</i> arguments, as was evident from the lines (compare with 2, and jump away if there aren't enough arguments)</div>
<div>
<br /></div>
<div>
<span style="background-color: white; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">0x00401439 <+75>: cmpl $0x2,0x8(%ebp)</span></div>
<div>
<span style="background-color: white; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">0x0040143d <+79>: jle 0x40165c <main+622></span></div>
<div>
<br /></div>
<div>
This is roughly equivalent to a</div>
<div>
<br /></div>
<div>
<pre class="brush: c">if (argc <= 2) {
    /* fewer than two arguments: bail out (the jle to main+622) */
    return 1;
}
</pre>
<br /></div>
<div>
Similar to the last few, there was a huge row of comparison statements</div>
<div>
<br />
<pre> 0x00401443 <+85>: mov 0xc(%ebp),%eax
0x00401446 <+88>: add $0x4,%eax
0x00401449 <+91>: mov (%eax),%eax
0x0040144b <+93>: cmpb $0x31,(%eax)
0x0040144e <+96>: jne 0x4015e2 <main+500>
0x00401454 <+102>: mov 0xc(%ebp),%eax
0x00401457 <+105>: add $0x4,%eax
0x0040145a <+108>: mov (%eax),%eax
0x0040145c <+110>: inc %eax
0x0040145d <+111>: cmpb $0x33,(%eax)
0x00401460 <+114>: jne 0x4015e2 <main+500>
0x00401466 <+120>: mov 0xc(%ebp),%eax
0x00401469 <+123>: add $0x4,%eax
0x0040146c <+126>: mov (%eax),%eax
0x0040146e <+128>: add $0x2,%eax
0x00401471 <+131>: cmpb $0x30,(%eax)
0x00401474 <+134>: jne 0x4015e2 <main+500>
0x0040147a <+140>: mov 0xc(%ebp),%eax
0x0040147d <+143>: add $0x4,%eax
0x00401480 <+146>: mov (%eax),%eax
0x00401482 <+148>: add $0x3,%eax
0x00401485 <+151>: cmpb $0x51,(%eax)
0x00401488 <+154>: jne 0x4015e2 <main+500>
0x0040148e <+160>: mov 0xc(%ebp),%eax
0x00401491 <+163>: add $0x4,%eax
0x00401494 <+166>: mov (%eax),%eax
0x00401496 <+168>: add $0x4,%eax
0x00401499 <+171>: cmpb $0x63,(%eax)
0x0040149c <+174>: jne 0x4015e2 <main+500>
0x004014a2 <+180>: mov 0xc(%ebp),%eax
0x004014a5 <+183>: add $0x4,%eax
0x004014a8 <+186>: mov (%eax),%eax
0x004014aa <+188>: add $0x5,%eax
0x004014ad <+191>: cmpb $0x69,(%eax)
0x004014b0 <+194>: jne 0x4015e2 <main+500>
0x004014b6 <+200>: mov 0xc(%ebp),%eax
0x004014b9 <+203>: add $0x8,%eax
0x004014bc <+206>: mov (%eax),%eax
0x004014be <+208>: inc %eax
0x004014bf <+209>: cmpb $0x67,(%eax)
0x004014c2 <+212>: jne 0x4015e2 <main+500>
0x004014c8 <+218>: mov 0xc(%ebp),%eax
0x004014cb <+221>: add $0x8,%eax
0x004014ce <+224>: mov (%eax),%eax
0x004014d0 <+226>: add $0x2,%eax
0x004014d3 <+229>: cmpb $0x64,(%eax)
0x004014d6 <+232>: jne 0x4015e2 <main+500>
0x004014dc <+238>: mov 0xc(%ebp),%eax
0x004014df <+241>: add $0x8,%eax
0x004014e2 <+244>: mov (%eax),%eax
0x004014e4 <+246>: add $0x3,%eax
0x004014e7 <+249>: cmpb $0x64,(%eax)
0x004014ea <+252>: jne 0x4015e2 <main+500>
0x004014f0 <+258>: mov 0xc(%ebp),%eax
0x004014f3 <+261>: add $0x8,%eax
0x004014f6 <+264>: mov (%eax),%eax
0x004014f8 <+266>: add $0x4,%eax
0x004014fb <+269>: cmpb $0x6d,(%eax)
0x004014fe <+272>: jne 0x4015e2 <main+500>
0x00401504 <+278>: mov 0xc(%ebp),%eax
0x00401507 <+281>: add $0x8,%eax
0x0040150a <+284>: mov (%eax),%eax
0x0040150c <+286>: add $0x5,%eax
0x0040150f <+289>: cmpb $0x4d,(%eax)
0x00401512 <+292>: jne 0x4015e2 <main+500>
0x00401518 <+298>: mov 0xc(%ebp),%eax
0x0040151b <+301>: add $0x8,%eax
0x0040151e <+304>: mov (%eax),%eax
0x00401520 <+306>: cmpb $0x48,(%eax)
0x00401523 <+309>: jne 0x4015e2 <main+500>
</pre>
</div>
<div>
<br />
Each group has roughly the same form: a move that brings a memory location into the register, an addition of some offset to it, and then a comparison against the data at that location. Basically, the input was stored in an array, and it was being compared byte by byte:<br />
<pre> 0x004014f0 <+258>: mov 0xc(%ebp),%eax       ; move data to register
 0x004014f3 <+261>: add $0x8,%eax            ; add offset of 8 (can be 4, depends on which of the two argv elements I am accessing)
 0x004014f6 <+264>: mov (%eax),%eax          ; get memory at register contents
 0x004014f8 <+266>: add $0x4,%eax            ; add array offset of 4
                                             ; can be anything from 2 upwards.
                                             ; to access a[1], use inc
                                             ; to access a[0], don't add anything
 0x004014fb <+269>: cmpb $0x6d,(%eax)        ; compare with byte 6D
 0x004014fe <+272>: jne 0x4015e2 <main+500>  ; exit if not equals</pre>
<br />
So all I had to do was extract the ascii strings and place them as two arguments.<br />
<br />
However, there was a little hitch. The statements from line 298 to 309 are actually for an earlier part of the string. Since they are comparing character-by-character, they can do it in any order. So they did the first letter (we know it is the first since there is no second <code>add</code> statement adding an array offset). Moving this character around, we get the string <code>130Qci HgddmM</code>.<br />
<br />
<b>Commentary:</b> This one was fun. You had to first realize that it needed two arguments, then figure out exactly what all those <code>add</code>/<code>inc</code> statements were doing. Once you realized that each one represented a shift in either the <code>argv</code> array or the string character array, the rest was a cakewalk though noticing that one of the letters was shifted was a bit non obvious.<br />
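<div>
Added example, not part of the original post: a Python sketch that replays the pointer arithmetic from the listing above and reads back every byte the binary compares against, which is why comparisons against immediate operands protect nothing. It handles only the instruction patterns in this listing; the function name is hypothetical.</div>

```python
import re

# Excerpt of the listing quoted in the post (jne lines omitted).
LISTING = """\
0x00401443 <+85>:  mov 0xc(%ebp),%eax
0x00401446 <+88>:  add $0x4,%eax
0x00401449 <+91>:  mov (%eax),%eax
0x0040144b <+93>:  cmpb $0x31,(%eax)
0x00401454 <+102>: mov 0xc(%ebp),%eax
0x00401457 <+105>: add $0x4,%eax
0x0040145a <+108>: mov (%eax),%eax
0x0040145c <+110>: inc %eax
0x0040145d <+111>: cmpb $0x33,(%eax)
0x00401466 <+120>: mov 0xc(%ebp),%eax
0x00401469 <+123>: add $0x4,%eax
0x0040146c <+126>: mov (%eax),%eax
0x0040146e <+128>: add $0x2,%eax
0x00401471 <+131>: cmpb $0x30,(%eax)
0x0040147a <+140>: mov 0xc(%ebp),%eax
0x0040147d <+143>: add $0x4,%eax
0x00401480 <+146>: mov (%eax),%eax
0x00401482 <+148>: add $0x3,%eax
0x00401485 <+151>: cmpb $0x51,(%eax)
0x0040148e <+160>: mov 0xc(%ebp),%eax
0x00401491 <+163>: add $0x4,%eax
0x00401494 <+166>: mov (%eax),%eax
0x00401496 <+168>: add $0x4,%eax
0x00401499 <+171>: cmpb $0x63,(%eax)
0x004014a2 <+180>: mov 0xc(%ebp),%eax
0x004014a5 <+183>: add $0x4,%eax
0x004014a8 <+186>: mov (%eax),%eax
0x004014aa <+188>: add $0x5,%eax
0x004014ad <+191>: cmpb $0x69,(%eax)
0x004014b6 <+200>: mov 0xc(%ebp),%eax
0x004014b9 <+203>: add $0x8,%eax
0x004014bc <+206>: mov (%eax),%eax
0x004014be <+208>: inc %eax
0x004014bf <+209>: cmpb $0x67,(%eax)
0x004014c8 <+218>: mov 0xc(%ebp),%eax
0x004014cb <+221>: add $0x8,%eax
0x004014ce <+224>: mov (%eax),%eax
0x004014d0 <+226>: add $0x2,%eax
0x004014d3 <+229>: cmpb $0x64,(%eax)
0x004014dc <+238>: mov 0xc(%ebp),%eax
0x004014df <+241>: add $0x8,%eax
0x004014e2 <+244>: mov (%eax),%eax
0x004014e4 <+246>: add $0x3,%eax
0x004014e7 <+249>: cmpb $0x64,(%eax)
0x004014f0 <+258>: mov 0xc(%ebp),%eax
0x004014f3 <+261>: add $0x8,%eax
0x004014f6 <+264>: mov (%eax),%eax
0x004014f8 <+266>: add $0x4,%eax
0x004014fb <+269>: cmpb $0x6d,(%eax)
0x00401504 <+278>: mov 0xc(%ebp),%eax
0x00401507 <+281>: add $0x8,%eax
0x0040150a <+284>: mov (%eax),%eax
0x0040150c <+286>: add $0x5,%eax
0x0040150f <+289>: cmpb $0x4d,(%eax)
0x00401518 <+298>: mov 0xc(%ebp),%eax
0x0040151b <+301>: add $0x8,%eax
0x0040151e <+304>: mov (%eax),%eax
0x00401520 <+306>: cmpb $0x48,(%eax)
"""

INSN = re.compile(r"<\+\d+>:\s+(\w+)\s+(.*)")


def recover_args(listing: str) -> dict:
    """Return {argv index: expected string}, ordered by character offset."""
    found = {}                       # argv index -> {char offset: expected char}
    arg = off = None                 # what %eax currently points at
    for line in listing.splitlines():
        m = INSN.search(line)
        if not m:
            continue
        op = m.group(1)
        src, _, dst = m.group(2).replace(" ", "").partition(",")
        if op == "mov" and (src, dst) == ("0xc(%ebp)", "%eax"):
            arg, off = 0, None                       # eax = argv
        elif arg is None:
            continue                                 # nothing tracked yet
        elif op == "add" and src.startswith("$") and dst == "%eax":
            n = int(src[1:], 16)
            if off is None:
                arg += n // 4                        # step through 4-byte argv slots
            else:
                off += n                             # step through the string
        elif op == "inc" and src == "%eax" and off is not None:
            off += 1
        elif op == "mov" and (src, dst) == ("(%eax)", "%eax"):
            off = 0                                  # eax = argv[arg]
        elif op == "cmpb" and dst == "(%eax)" and off is not None:
            found.setdefault(arg, {})[off] = chr(int(src[1:], 16))
    return {a: "".join(c[i] for i in sorted(c)) for a, c in found.items()}
```

Sorting by character offset is what puts the out-of-order first letter of the second argument back in place.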
<h2 style="text-align: left;">
Problem 20</h2>
<div>
Here, we were given the following ciphertext:</div>
<div>
"gmsnmv rsfmvs bh rvacan cmis essk bh gmnnxan gbos ubc usmv gmngm emjs mu sws cb gxuum cvanc ubc cvsrbuxan omvi fsyy oscsyyan gxorsv ksgxan rvacan ybjsn cess ubc ceba emnc fvbuqsk gmxan yxqmvxan cesvs xn rac bus oxuk xu myy cesns osu muk xc xn rsuc mqmxunc gmsnmv"</div>
<div>
<br /></div>
<div>
This seemed like a substitution cipher. It turned out to not be in Modern English, so that made it a bit harder. I can't post details about the entire process here, but I eventually got the substitution array:</div>
<div>
<br /></div>
<div>
<div>
<pre>{"a":"U","b":"O","c":"T","d":"d","e":"H","f":"W","g":"C","h":"F","i":"K","j":"V","k":"D","l":"l","m":"A","n":"S","o":"M","p":"p","q":"G","r":"B","s":"E","t":"t","u":"N","v":"R","w":"Y","x":"I","y":"L","z":"z"}</pre>
</div>
</div>
<div>
<br /></div>
<div>
and the plaintext:</div>
<div>
<br /></div>
<div>
"caesar beware of brutus take heed of cassius come not near casca have an eye to cinna trust not trebonius mark well metellus cimber decius brutus loves thee not thou hast wronged caius ligarius there is but one mind in all these men and it is bent against caesar"</div>
<br />
The flag turned out to be "Et tu Brute, then fall Caesar!"<br />
<br />
<b>Commentary: </b>Always nice to have some crypto, however basic.<br />
<br />
<h2 style="text-align: left;">
Conclusion</h2>
</div>
<div>
I had fun, though I found it a bit easy and was frustrated as the levels did not get much harder. Of course, it was meant for newbies to the realm of security, so I guess that's ok. It was a bit haphazardly constructed; like I mentioned before, there was no uniformity in the flags. There were also not as many "real world" type problems as I would have liked (the only ones that qualify are the reversing ones--which were all really the same, sql injection, directory index, server-side validation, and the <code>strcasecmp()</code> one). I guess these are more personal gripes as I may have not been in the target audience.</div>
<div>
<br />
I enjoyed the variety though, and could recognize that these questions were great ways to induce comfort with the tools and the mental perspective required to do these things at a higher level. I've been thinking of conducting my own CTF for IITB, but I've always been intimidated by it. As far as I can tell, this one was designed by students too, so kudos to the team who made the CTF for pulling through with this!</div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-82672105540178545152014-01-22T13:43:00.000-08:002014-03-31T09:58:33.418-07:00Editing files from omni.ja in Firefox 20 onwards<div dir="ltr" style="text-align: left;" trbidi="on">
<i>This post focuses on Ubuntu, however when I get time I will update it with instructions for Windows.</i><br />
<i><br /></i>
So I've been working on a small side project recently and I found that editing the live code on Firefox is not as easy as it used to be. I had to do a fair amount of digging (and sifting out of outdated information) to get all the information on how to modify <code>omni.ja</code> files from live Firefox installs, so I'll just collect what I learned in this post.<br />
<br />
<br />
Firefox is a browser written in C/C++, JavaScript, CSS, and XML. The C++ bits are compiled (<a href="https://twitter.com/ManishEarth/status/371352141610246145">by a very lengthy build process</a>), but the Javascript is simply zipped up and loaded at runtime. There <i>are</i> binary versions of the JS files (which probably load faster), but these are not necessary.<br />
<br />
Previously, the JS was uncompressed and just lying around in directories, and one could simply edit these files to change some functionality. While the core APIs are in C, most of the behavior of the Firefox UI is in JS/XML and thus a lot of tweaking can be done through these files. Of course, making an addon may be a viable option, but you may not always want to do that.<br />
<br />
However to improve performance the files were gradually bundled in jars, finally resulting in <a href="https://blog.mozilla.org/tglek/2010/09/14/firefox-4-jar-jar-jar/">the monstrosity known as <code>omni.ja</code></a>. This is a rather quirky jar file that contains the JS and JS "binaries".<br />
<br />
Fortunately, the files in this jar can still be edited, with some more effort.<br />
<br />
Firstly, let me note that on Ubuntu, there are <i>two</i> <code>omni.ja</code>s. The first is in <code>/usr/lib/firefox</code>, and the second is in <code>/usr/lib/firefox/browser</code>. These contain different code, so you may have to find out which one holds your JS.<br />
<br />
<div>
Extracting the files from <code>omni.ja</code> is pretty simple. Copy <code>omni.ja</code> to a temporary directory, and run <code>unzip omni.ja</code> on it. (<code>sudo apt-get install unzip</code> may be necessary. Alternatively, use Ubuntu's Archive manager after renaming it to a .zip)</div>
<div>
<br /></div>
<div>
If you wish to modify a file from <code>omni.ja</code>, be sure that you delete its corresponding binary in the <code>jsloader/resources/gre</code> subtree or under the <code>jssubloader</code> tree. Then modify the javascript file as usual.</div>
<div>
<br /></div>
<div>
Try to keep a backup of the old <code>omni.ja</code> just in case; syntax errors may stop Firefox from loading.</div>
<div>
<br /></div>
<div>
To repack, you have to run <a href="https://developer.mozilla.org/en-US/docs/Mozilla/About_omni.ja_(formerly_omni.jar)"><code>zip -qr9XD omni.ja</code> *</a> in the same temporary directory. Be sure to delete the old <code>omni.ja</code> file before zipping, otherwise you may end up with a nested <code>omni.ja</code>. While I was playing with the file, after an initial smooth period where everything worked, I started getting segfaults even when simply unpacking, repacking, and loading <code>omni.ja</code> because I was neglecting to delete the old <code>omni.ja</code>, which created a jar that was nested in around 25 levels, which was too large for Firefox.</div>
<div>
<br /></div>
<div>
Now copy the new <code>omni.ja</code> from the temporary directory to where you got it from. Give everyone read permissions (<code>chmod a+r /usr/lib/firefox</code>)</div>
<div>
<br /></div>
<div>
This still does not ensure that the new jar file will be loaded. What you need to do to force this reload is open Firefox, <a href="http://superuser.com/a/426875/119259">disable or enable an addon</a> (this only works if the addon is one that requires restart after being disabled or enabled — if this is the case you will be prompted to restart), and restart Firefox from the prompt. Other ways to do this (credit: <a href="http://inpursuitoflaziness.blogspot.com/2014/01/editing-files-from-omnija-in-firefox-20.html?showComment=1396277861547#c1811427011220436750">Neil Rashbrook</a>)<br />
<br />
<ul style="text-align: left;">
<li>Use the <code>--purgecaches</code> command line parameter</li>
<li>Set the <code>MOZ_PURGE_CACHES</code> environment variable to <code>1</code></li>
<li>Use the <code>.purgecaches</code> file</li>
</ul>
<br />
Once you force reload <code>omni.ja</code>, Firefox should run on your new code.<br />
<br /></div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-68180996873257482232013-07-12T17:50:00.001-07:002014-01-26T17:31:31.695-08:00How to make Stack Exchange behave exactly how you want it to<div dir="ltr" style="text-align: left;" trbidi="on">
I wrote a post on the Programmers Stack Exchange Community Blog. It's a guide for writing userscripts, specifically Stack Exchange userscripts.<br />
<br />
<a href="http://programmers.blogoverflow.com/2013/07/how-to-make-stack-exchange-behave-exactly-how-you-want-it-to/">How to make Stack Exchange behave exactly how you want it to</a></div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-80525274673667801732013-07-03T22:35:00.000-07:002013-07-03T22:35:09.971-07:00Don't know the password, not allowed to change it. What now?<div dir="ltr" style="text-align: left;" trbidi="on">
So you say I need mysql root access for this?<br />
<br />
So you say that the root password is unknown?<br />
<br />
So you say that I'm not allowed to change the password and leave it changed because it may break something?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWitdDSkdTycP1WNH9X8Cr_ExyUPDtoarGvHnas7v6S1cplSdc-8VpS1PP-451qKzzdiOKftQcKS5HJSeZ9Co-NLLUnpF4GuiOpJvsHz3mtfyHm_NUsB17dzD6OtD1xmeT8bIKZpEDdog/" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWitdDSkdTycP1WNH9X8Cr_ExyUPDtoarGvHnas7v6S1cplSdc-8VpS1PP-451qKzzdiOKftQcKS5HJSeZ9Co-NLLUnpF4GuiOpJvsHz3mtfyHm_NUsB17dzD6OtD1xmeT8bIKZpEDdog/" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br /><br />
<br />
<br />
<i>(Anyone who has worked with mysql for a fair amount of time may find this solution obvious. In retrospect, it is obvious to me too, but it wasn't at the time -- and it was an amusing situation to be in)</i><br />
<br />
This was quite a strange situation. I needed to set up MediaWiki, and for that I need the mysql root password (to create tables and users). Which I didn't know. <br />
<br />
<br />
And, this was a live server. Not in use that much, but if I change the root password, stuff can break. I wasn't sure which app, if any, needed the root pwd, and while I <i>am</i> quite fond of breaking things, I didn't want to take the chance.<br />
<br />
At first, a simple solution strikes you: start mysqld with <span style="font-family: Courier New, Courier, monospace;">--skip-grant-tables</span> (I had root access to the unix box). This gives you root privileges but you can't <span style="font-family: Courier New, Courier, monospace;">CREATE USER</span> or <span style="font-family: Courier New, Courier, monospace;">GRANT</span>. Those were the exact two commands I wanted. Useless.<br />
<br />
Well, <i>almost </i>useless. I *could* change the root password from here. But I can't do it permanently. So how would I change it back? I need to know the original password, right?<br />
<br />
Nope. Fortunately I can still <span style="font-family: Courier New, Courier, monospace;">UPDATE</span> and <span style="font-family: Courier New, Courier, monospace;">SELECT</span>. And the <span style="font-family: Courier New, Courier, monospace;">mysql.user</span> table is conveniently available to me. There were two possible fixes here. The first was to simply create an entry in the table that represented the new user. This would work, however the <span style="font-family: Courier New, Courier, monospace;">INSERT</span><span style="font-family: inherit;"> command would have to be huge (the table has one column per privilege, which adds up to a lot). The second solution was trickier. Basically, using a </span><span style="font-family: Courier New, Courier, monospace;">SELECT</span> command, I could get the password hash of the root user. Which means that I can change it back using a simple <span style="font-family: Courier New, Courier, monospace;">UPDATE</span><span style="font-family: inherit;"> when I get the chance! </span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">So, the final solution was:</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<ol style="text-align: left;">
<li>Stop <span style="font-family: Courier New, Courier, monospace;">mysqld</span></li>
<li>Start <span style="font-family: Courier New, Courier, monospace;">mysqld --skip-grant-tables</span><span style="font-family: Arial, Helvetica, sans-serif;">, then run </span><span style="font-family: Courier New, Courier, monospace;">mysql</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">SELECT password FROM mysql.user where user='root';</span><span style="font-family: Arial, Helvetica, sans-serif;"> </span><span style="font-family: inherit;">Copy down the password hash. Don't lose it.</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">UPDATE mysql.user SET password=PASSWORD('something') WHERE user='root';</span></li>
<li>Stop <span style="font-family: Courier New, Courier, monospace;">mysqld</span></li>
<li>Start <span style="font-family: Courier New, Courier, monospace;">mysqld</span></li>
<li><span style="font-family: inherit;">Run</span><span style="font-family: Arial, Helvetica, sans-serif;"> </span><span style="font-family: Courier New, Courier, monospace;">mysql -u root -p</span><span style="font-family: inherit;">, with password "something"</span></li>
<li><span style="font-family: inherit;">(creating a new root user) </span><span style="font-family: Courier New, Courier, monospace;">CREATE USER 'manish'@'localhost' IDENTIFIED BY 'my_password'; GRANT ALL PRIVILEGES ON *.* TO 'manish'@'localhost' WITH GRANT OPTION;</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">UPDATE mysql.user SET password='copied_hash_goes_here' WHERE user='root';</span></li>
<li>Mock the root user for having been replaced. </li>
</ol>
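The save-and-restore steps above as SQL, added here as an example that is not part of the original post. It assumes a MySQL 5.x-era schema where the hash is stored in mysql.user.Password, and that mysqld is started with --skip-networking alongside --skip-grant-tables; the table name root_hash_backup, the account name and both passwords are placeholders. It keeps one hash per root row, because root usually has several Host entries whose hashes can differ.

```sql
-- Assumptions (not from the original post):
--   * MySQL 5.x-era grant tables: the hash column is mysql.user.Password
--   * mysqld was started as: mysqld --skip-grant-tables --skip-networking
--     so the unauthenticated window is reachable only via the local socket
--   * root_hash_backup, 'admin_placeholder' and both passwords are made up

-- Phase 1: server running with grant tables skipped -------------------------

-- 'root' normally has several rows (localhost, 127.0.0.1, ::1, the hostname).
-- Copy every one of them, keyed by Host, instead of writing down one hash.
CREATE TABLE mysql.root_hash_backup AS
    SELECT Host, User, Password
      FROM mysql.user
     WHERE User = 'root';

-- Sanity check: one backup row per root row, none with an empty hash column
-- unless the original really had no password set.
SELECT Host, User, LENGTH(Password) AS hash_len
  FROM mysql.root_hash_backup;

-- Set the temporary password on all root rows.
UPDATE mysql.user
   SET Password = PASSWORD('temporary-placeholder')
 WHERE User = 'root';

-- Stop mysqld, start it normally, then: mysql -u root -p  (temporary password)

-- Phase 2: normal server, logged in as root ----------------------------------

CREATE USER 'admin_placeholder'@'localhost' IDENTIFIED BY 'choose-a-real-password';
GRANT ALL PRIVILEGES ON *.* TO 'admin_placeholder'@'localhost' WITH GRANT OPTION;

-- Phase 3: put every original root hash back ---------------------------------

-- Restore per (Host, User) so rows that had different hashes stay different.
UPDATE mysql.user AS u
  JOIN mysql.root_hash_backup AS b
    ON b.Host = u.Host AND b.User = u.User
   SET u.Password = b.Password;

-- Any row returned here still carries the temporary hash.
SELECT u.Host, u.User
  FROM mysql.user AS u
  JOIN mysql.root_hash_backup AS b
    ON b.Host = u.Host AND b.User = u.User
 WHERE u.Password <> b.Password;

-- The backup table holds password hashes; do not leave it behind.
DROP TABLE mysql.root_hash_backup;

-- Direct edits to mysql.user are not picked up by the running server
-- until the grant tables are reloaded (or mysqld is restarted).
FLUSH PRIVILEGES;
```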
<br />
<br />
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-42775053743121507452012-05-11T03:15:00.000-07:002012-05-11T03:15:41.995-07:00Stack Exchange<div dir="ltr" style="text-align: left;" trbidi="on">
Alright. I haven't been posting in a while, but I decided to take some time out today and post something.<br />
<br />
Let's talk about a new discovery of mine. <a href="http://stackexchange.com/">Stack Exchange</a>.<br />
<br />
StackExchange is a growing network of question-and-answer sites. Well, there are lots of those, aren't there? But SE is quite different from the rest. For one, it has a much better user base. Civility is maintained, and you can expect quality answers to quality questions. Also, it has a more "community" feel, like Wikipedia.<br />
<br />
<br />
I started off on <a href="http://physics.stackexchange.com/">Physics.Stackexchange</a> with a few questions of mine, and gradually began to like the site. One thing that's great about the site is that you can learn a lot <i>while posting answers</i>. Many times, you <i>think</i> you understand something, but you don't, not really. Thoughts are a jumbled mess and it's always hard to analyse them. On the other hand, the moment you try to put your thoughts into writing--well--<i>then</i> you learn about your own confusions. Teaching others is a great way to learn stuff yourself; the fact that you are trying to make <i>others</i> understand something mandates that you yourself understand it first. Also, others have different ways of thinking, and can lead you to exploring new avenues of thought. I haven't asked many <i>questions</i> on P.SE (17 to be exact), but I've given tons of answers. And I do feel that my physics has improved a <i>lot</i> after joining. And I've had fun as well, for example while writing <a href="http://physics.stackexchange.com/a/21856/7433">this answer</a> and <a href="http://physics.stackexchange.com/a/23895/7433">this answer</a>.<br />
<br />
<br />
Recently, a new site opened. <a href="http://chemistry.stackexchange.com/">Chemistry.SE</a>. I'm pretty excited about this one as well, and I'm hoping the site flourishes. If you have any Chemistry questions, please ask them there! Though try to make them <i>good</i> questions. "Why does Coke and Mentos explode?" is <i>not</i> a good question.</div>Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-37953696986177206402012-02-04T06:08:00.000-08:002014-01-26T17:36:51.049-08:00Inheritance and wave-particle duality<div dir="ltr" style="text-align: left;" trbidi="on">
I read <i>Inheritance</i> a few months ago. While reading it, I noticed a sentence which <i>appeared</i> to be a reference to wave particle duality and the atomic theory of matter. Anyways, <a href="https://twitter.com/#!/manishearth/status/136388327698989056">I asked Paolini (the author) about it</a>, and he <a href="https://mobile.twitter.com/InheritanceCP/status/136410795813777409">confirmed it.</a> (I learned this today, I hadn't checked my Twitter account for weeks).<br />
Isn't it great that Paolini, an amazing author, is interested in physics, too?<br />
<br />
Here's my full explanation of the situation (<a href="https://plus.google.com/u/0/112804966934275174479/posts/955MYj8q4gY">Copied from my post</a>)<br />
<br />
.....<br />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">I'm rather surprised by this passage from it:</span><br />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">(This is on the flight back to Urû'baen, when Valdr tells Eragon and Saphira about the starlings' dreams)</span><br />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">"From him, they received a vision of beams of light turning into waves of sand, as well as a disconcerting sense that everything that seemed solid was mostly empty space."</span><br />
<br style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;" />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">At first, I interpreted the second part as "Not everything is as hard as it looks".</span><br />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">But I couldn't make any sense of the first one.</span><br />
<br style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;" />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">Then, I remembered something from Rutherford's experiment. "Atoms are mostly empty space". I didn't like this connection (Why would Paolini mention </span><i style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">that</i><span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;"> ?), but then, the allusion to subatomic physics made the first sentence crystal clear. It refers to wave-particle duality, i.e. the fact/theory that light is </span><i style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">both</i><span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;"> a continuous wave and a bunch of particles</span><br />
<br style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;" />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">I know, it's unlikely that CP would mention such things, but he </span><i style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">has</i><span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;"> mentioned lots of scientific stuff before (coral, etc.. can't remember it off the top of my head, need to reread the first three books).</span><br />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">Also, &lt;spoiler alert (If you haven't read Inheritance yet)&gt;</span><br />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">the explosion at Vroengard (By Thuviel), and at Urû'baen (By Galbatorix), are both probably nuclear (as the sickness that Glaedr mentions is very similar to leukemia). So maybe, after all, CP did refer to wave-particle duality/atomic theory.</span><br />
<br style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;" />
<span style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 18px; text-align: -webkit-auto;">Thoughts?</span> <br />
<div style="text-align: -webkit-auto;">
<span style="font-family: arial, sans-serif; font-size: x-small;"><span style="line-height: 18px;">....</span></span></div>
<div style="text-align: -webkit-auto;">
<span style="font-family: arial, sans-serif; font-size: x-small;"><span style="line-height: 18px;"><br />
</span></span></div>
<div style="text-align: -webkit-auto;">
<span style="font-family: arial, sans-serif; font-size: x-small;"><span style="line-height: 18px;"><br />
</span></span></div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-52888129400981335892012-01-08T05:05:00.001-08:002012-01-09T19:45:28.206-08:00Problems with SETI<div dir="ltr" style="text-align: left;" trbidi="on"><b style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><i>Note: This is an essay I wrote a long time ago, just for fun. This was when I had read </i>Contact<i>, and was pretty enthusiastic about the whole SETI thing.</i></span></b><br />
<b style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><i><br />
</i></span></b><br />
<b id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">All of us have wondered, at some time or the other, whether alien lifeforms exist. Indeed, our scientists have been so fascinated with this subject that we have a </span><span style="font-family: Verdana; font-size: 13px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">massive</span><span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> collection of programs, known as SETI (Search for Extra-Terrestrial Intelligence) which all have the sole intention of finding life outside Earth. This effort has been applauded by the world, but, if you think about it, we are really shooting in the dark here.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Most of our assumptions are that the aliens we are trying to contact have the same brain system as ours and communicate the same way we do.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Now, if you look at it, every method of communication we know is pretty much a product of our senses:</span></b><br />
<ul><li style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><span id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">EM Waves</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;">: </b>EM waves are those waves which are part of the Electromagnetic spectrum. Radio waves are a part of the electromagnetic (EM) spectrum, which includes light (visible) waves, infrared rays, X-rays, microwaves, and Gamma rays. Now, we know about these waves, because of light, which we can see. If we couldn't see light, then we probably wouldn't know about the EM spectrum. How are we sure that the aliens aren't blind? Let's assume that they see EM waves. Now, a reasonable argument would be to use light waves to communicate, as the stars emit light, and intelligent aliens must be aware of that. But not all stars emit visible light. There are entire galaxies which emit very little light, but a lot of X-rays or radio waves, like Cyg X-1 (X-rays), and Cas A (Radio waves). So, we could use other waves (like radio waves, which we are currently using). But, other waves are obstructed by different things, like our atmosphere. Similarly, we can't be sure if radio waves penetrate the alien's atmosphere. And, anyways, we can't be sure that they are even listening on the same frequency that we do. For example, they might have discovered a better range of frequencies to communicate with which aren't so problematic, and would think it childish to use radio waves, which would be inefficient in their eyes, just like we won't use sound to communicate with aliens, as sound is too inefficient (In fact, it dies out almost immediately after leaving the atmosphere).</span></span></li>
<li style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><span id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Sound Waves</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;">: </b>We know of these because of our hearing. These work well on earth, but, they need a medium, so are useless in space.</span></span></li>
<li style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><span id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Objects:</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"> </b>We assume that the aliens have the same senses of perception when we send objects with engravings into space. Even if they did have the same senses, these things take hundreds of years to get anywhere useful, and they are obstructed easily.</span></span></li>
<li style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><span id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Gravitational waves:</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;"> </span>We perceive gravity through our senses, but this is only because of some tiny organs located in our ears. Even if we didn't have these organs, we could perceive the </span><span style="font-family: Verdana; font-size: 13px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">effects</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> of gravity, like apples falling. Through Einsteinian mechanics, we know of the existence of 'gravitational waves'. Just like moving an electrically charged body produces EM waves, moving a massive body (By 'massive' I mean 'has mass', but the other meaning 'has a lot of mass' is also fine in this case) generates gravitational waves. These are ripples in the fabric of space and time, which cause stretching and squeezing of objects. These are observed in significant quantities around spinning black holes. Unfortunately, we can't produce these, let alone form a message out of them. We even used to have problems </span><span style="font-family: Verdana; font-size: 13px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">detecting</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> these, as we couldn't build detectors with enough accuracy. Now our interferometers do a good job of detecting them, but they're still not perfect and can only detect large changes. 
To catch a gravitational signal would require either a very strong signal, or a much </span><span style="font-family: Verdana; font-size: 13px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">much</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> more sophisticated detector.</span></span></li>
</ul><b id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">These are the ways of communicating which we know of because of our perception. Now, if extraterrestrial lifeforms existed, how do we know that they have the same perception as us and 'see' the same things, and thus know about the same methods of communication?</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Now, this logic does not apply to </span><span style="font-family: Verdana; font-size: 13px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">all</span><span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> the methods of communication we know. There are some which we could use, but they all have large flaws:</span></b><br />
<ul><li style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><span id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Particles:</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"> </b>Particles like neutrinos are ideal for communication, as they pass through matter easily (Millions of neutrinos pass through your body every second, but they are harmless). These could be used, but the signals would die out if they had to pass through any large body in space, of which there are a lot.</span></span></li>
<b id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;">
<li style="font-family: Arial; font-size: 15px; font-weight: normal; list-style-type: disc; vertical-align: baseline;"><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Quantum teleportation:</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> As exotic as this name sounds, it, unfortunately, isn't anything like the teleportation in movies. It just refers to the transfer of information faster than light. This would be very useful when communicating with aliens, but for this to work, the two parties wanting to communicate must exchange a pair of 'entangled' particles (These are particles which are like the sender and receiver in quantum teleportation). So, we need to know about each other and exchange some stuff in order to use this.</span></li>
<li style="font-family: Arial; font-size: 15px; font-weight: normal; list-style-type: disc; vertical-align: baseline;"><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Wormholes:</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> These are spacetime structures where space curves in on itself and connects two points in space, creating a 'tunnel' through space, with which one can reach their destination almost immediately. Now, we do not know if wormholes actually exist, but, if they do, we are sure that they form and immediately are destroyed. We know how to keep one alive if we ever find one, which is by 'threading' it with something called 'exotic matter'. (Exotic matter has negative energy, which sounds paradoxical, but, it exists, in the form of 'vacuum fluctuations') Even then, we do not know how to do the</span><span style="font-family: Verdana; font-size: 13px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">'threading', and, if wormholes exist, finding one is very hard, let alone finding one which has the exit end near an alien habitat. There are ways of making wormholes, though, but one of them requires 'tearing' the fabric of spacetime, and the other, though easier, is still impossible for us.</span></li>
<li style="font-family: Arial; font-size: 15px; font-weight: normal; list-style-type: disc; vertical-align: baseline;"><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Tachyons</span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">:</span><span style="font-family: Verdana; font-size: 13px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">These are hypothetical faster than light particles, which would be ideal to send out as a message. The problem with these is that they allow you to send a message backwards through time, which means that they (most probably) do not exist...</span></li>
</b></ul><b id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">As you can see, none of these are too feasible as of now.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Another one of our assumptions is that these aliens think the same way we do. This is a necessary assumption, otherwise, we would not be able to figure out what messages to send.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">We assume that they use the same logic/ mathematics as we do. Many messages make sense only in binary or base ten, when the aliens might be using ternary or some other base to communicate (they might have 17 'fingers', or they might have figured out an efficient way to send messages with three or more states--'on1','on2', and 'off'--this could be achieved through quantum computing). We also assume that they would do stuff like:</span></b><br />
<ul><li style="font-family: Arial; font-size: 15px; font-weight: normal; list-style-type: disc; vertical-align: baseline;"><b id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Order the periodic table the same way we do.</span></b></li>
<b id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;">
<li style="font-family: Arial; font-size: 15px; font-weight: normal; list-style-type: disc; vertical-align: baseline;"><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Have the same fundamental units as us (We think that length, mass, and time are fundamental units. They could equivalently use density, pressure, and force; or speed, energy, and power). This changes the significance of universal constants like the speed of light, Planck's constant, etc.</span></li>
<li style="font-family: Arial; font-size: 15px; font-weight: normal; list-style-type: disc; vertical-align: baseline;"><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Have the same physics as we do. It is very, very likely that they are at least a few millions of years more or less advanced than us. Their physics could make our physics obsolete. They might scoff at the idea of quantum mechanics, just as we scoff at the 'indivisible atom', and the 'ether'.</span></li>
<li style="font-family: Arial; font-size: 15px; font-weight: normal; list-style-type: disc; vertical-align: baseline;"><span style="font-family: Verdana; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Have the same logic/intuition as us. (Our logic is based on certain rules which cannot be derived from each other. Their set of rules might be the same.)</span></li>
</b></ul><b id="internal-source-marker_0.37265667505562305" style="text-align: -webkit-auto;"><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">This makes it hard to create a message that will be recognized as a 'message' and not as cosmic garble.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">(Before you read the following, keep in mind that this is my viewpoint...)</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">SETI scientists are also constantly searching for planets which would harbor life like ours. In their definition of 'life', they are looking for cellular organisms which would survive in the same conditions that we do. What they've forgotten is this: Life on our planet must have evolved </span><span style="font-family: Verdana; font-size: 13px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">at least</span><span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> three times.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Yep. Before we go any further, think about bats, birds, and pterodactyls for a moment. Bats are winged creatures, but they are almost like rats. Even their wings are basically webbed hands. Similarly, pterodactyls and birds aren't too similar except in the wing structure. By the theory of evolution, one could say that somehow, pterodactyls (and other winged dinosaurs) evolved into birds, and went extinct. Some of the birds later evolved into bats. But, bats are so much like rats that they must have evolved from them, too. Then where do we fit the rats in the evolutionary tree? The answer lies here: How about if wings evolved thrice in the progress of evolution. Some dinosaurs got wings, then eons later, some other creatures got wings, and also the ancestors of rats got wings. After all, wings are very useful appendages. It wouldn't hurt for them to be created through evolution thrice.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Just like that, life is a very 'useful' thing. And, if you think about it, the first cellular life evolved quite quickly, before the earth even got a chance to cool down. This makes one think. If life evolved once, couldn't it evolve again? Now, there are currently (this is my view, please restrain those firebrands) three types of life resident on earth. One is normal, cellular life. Now the other two are.....viruses and prions. (Prions are kinda like viruses, but there's no RNA in them--they're entirely protein. Mad cow disease is a prion disease). But, many people argue, that viruses require cellular life to reproduce. I could argue back, "Cellular life requires food, sunlight, etc. to reproduce". The definition of life is (pretty much) something which grows, reproduces, etc., etc. But these things are all done with the help of an environment, anyways. Viruses evolved after cells (most probably), so one could say that cellular life </span><span style="font-family: Verdana; font-size: 13px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">is</span><span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> the environment for viruses. Same argument for prions.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Also, there is a widespread theory that there might have been </span><span style="font-family: Verdana; font-size: 13px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">other</span><span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> forms of life formed before or after cellular life. They could still be here, hidden away in something known as the 'shadow biosphere'. After all, many of our cellular organisms are hidden away (for example, the botulism organism--where you get botox from--cannot survive in oxygen. It hides in places like deep soil).</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">All in all, alien life might not be (actually, most probably isn't) like our normal cellular life. So really there's no reason to search out a planet and label it as "could harbor life". The only use of doing this is if we want to find a new habitat for ourselves.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">In conclusion, I just want to say one thing. However much I shot down SETI's methods up above, they are still the best things one could do. After all, we know nothing about these 'aliens' of ours, so the best way to find them is to hope that they are like us (which makes stuff plausible and infinitely easier). Three cheers for SETI!!!</span><br />
<span style="font-family: Verdana; font-size: 13px; font-style: italic; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">For those alien hackers who are reading this, I will be happy to oblige with a translation into mathematics.</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">-Manish Goregaokar</span><br />
<span style="font-family: Verdana; font-size: 13px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">(Somewhere on) Earth, Solar system, In Orion Belt of Milky way Galaxy, Opp. Andromeda Galaxy, Local Group, Virgo cluster, This universe, 11-brane, Multiverse, Creation.</span></b> <br />
<div style="text-align: -webkit-auto;"><span style="font-family: Verdana; font-size: x-small;"><span style="white-space: pre-wrap;"><br />
</span></span></div><div><span style="font-family: Verdana, sans-serif; font-size: x-small;"><span style="white-space: pre-wrap;">Summa</span>ry of this essay in one comic:<a href="http://xkcd.com/638/">http://xkcd.com/638/</a></span></div></div>Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-65305186090488074162012-01-02T04:25:00.000-08:002012-01-08T05:09:30.638-08:00Undefined=5One day, I shall write a JavaScript library and include this line in it:<br />
<pre class="brush:js">var undefined = 5</pre>For those of you JavaScript buffs, you must have realized that this will break almost every sufficiently large JavaScript code in eternity without causing any compiler errors.<br />
<br />
For those of you who don't know JS, take the time to learn it! It’s actually quite fun to learn.<br />
<br />
And the reason why this will break the code is simple, if a bit weird:<br />
JS has two types of null values: <code>null</code> and <code>undefined</code>. <code>Null</code> is an actual object, kinda like <code>NaN</code>. You can call it and have no problems. <code>Undefined</code>, on the other hand, is nothing (not even a keyword). I can even type <code>undefined=2</code> and have no errors. Now, JS, with the <code>==</code> operator, can't distinguish between the two. As in, <code>window.blahblah==null</code> returns true even if <code>window.blahblah</code> is not defined. But, JS has a wonderfully quirky operator known as the identity operator (<code>===</code>). This guy can tell the difference between <code>null</code> and <code>undefined</code>. E.g.:<br />
<pre class="brush:js">function isPoopyNull() {
  var poopy; // gets a pseudo-default value "undefined"
  return poopy === null; // will return false: poopy is not null, it is undefined
}
</pre>It will only return true if you type <code>poopy=null</code> at the top. The reason for this is that <code>==</code> compares objects, typecasting them if necessary (so <code>undefined</code> is typecast to <code>null</code>), while <code>===</code> preserves type and compares.<br />
<br />
Now, as I showed, using <code>window.blahblah==null</code> won't tell you if the property is deliberately set to <code>null</code> or just not defined. Unfortunately, when developing frameworks which fit into larger applications, you don't have control over the rest of the code, but you still have to interact with it. Which means checking for undefined values becomes crucial. In that case, most people do this:<br />
<pre class="brush:js">function isUninitialized(poopy) {
  var undefined; // declare a variable which is not initialized
  return poopy === undefined; // check if poopy is in the same state as the undefined variable, i.e. uninitialized
}
</pre>This would work even if I didn't call the variable <code>undefined</code>:<br />
<pre class="brush:js">function isUninitialized(poopy) {
  var bloopy; // any uninitialized variable works as the reference value
  return poopy === bloopy;
}
</pre>But, JS programmers are obstinate fellows who always use the first method.<br />
Now, if I type <code>var undefined=5</code> in a JavaScript framework, all other code which uses the above trick won't work. Why? Now, the variable "undefined" is no longer <code>undefined</code> (i.e. uninitialized), and the program returns the exact opposite of the value that it should. Since checking for undefined values is quite essential in asynchronous scripting, this can make the scripts do unexpected things.<br />
<br />
Kablooey.<br />
<br />
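An added example, not code from the original post: it shows which undefined checks survive a rebinding of the name <code>undefined</code> and how to tell a missing property from one set to <code>null</code>. All function names and the sample object are made up for this illustration; the rebinding is placed inside a function because since ES5 the global <code>undefined</code> property is read-only, so only a local declaration can change what the name means.<br />

```javascript
// Added example. `var undefined = 5` is the line from the post; every
// function name below is made up for this illustration.

// Three ways to ask "is this value undefined?" in a scope where the
// identifier `undefined` has been rebound to 5.
function checksUnderShadowing(value) {
  var undefined = 5; // legal in a function scope, even in strict mode
  return {
    fragile: value === undefined,            // actually compares against 5
    viaTypeof: typeof value === "undefined", // never reads the identifier
    viaVoid: value === void 0,               // `void` always yields the real value
  };
}

// Library-style guard: declare `undefined` as a parameter and pass nothing,
// so the inner name holds the real undefined value despite the outer rebinding.
function guardedCheck(value) {
  var undefined = 5;
  var isUnset = (function (undefined) {
    return function (v) { return v === undefined; };
  })();
  return isUnset(value);
}

// Tell "never defined" from "set to undefined" from "deliberately null",
// which `obj[key] == null` alone cannot do.
function describeProperty(obj, key) {
  if (!Object.prototype.hasOwnProperty.call(obj, key)) return "missing";
  var v = obj[key];
  if (v === void 0) return "undefined";
  if (v === null) return "null";
  return "set";
}

// Since ES5 the global property `undefined` is non-writable.
function globalUndefinedIsWritable() {
  return Object.getOwnPropertyDescriptor(globalThis, "undefined").writable;
}

var sample = { a: null, b: void 0, c: 0 }; // constructed sample object
console.log(checksUnderShadowing(void 0), checksUnderShadowing(5));
console.log(guardedCheck(void 0), describeProperty(sample, "a"), describeProperty(sample, "d"));
console.log(globalUndefinedIsWritable());
```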
PS: If anyone here is working on a large framework, please, please type <code>var undefined=5</code> somewhere in the code. And make sure your code doesn't use <code>undefined</code> for checking for initialization. There you have it. Your code will be the only one that works when combined with other (sufficiently large) code.<br />
Neat, huh?Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.comtag:blogger.com,1999:blog-5589689508023658994.post-38479328319272862782011-12-29T04:25:00.000-08:002013-03-21T01:24:01.458-07:00Hello World/Prologue/Big Bang/whatever<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
First post!<br />
A bit about me and this blog:<br />
I have varied interests, including science, mathematics, reading, programming, and being lazy in general. I have been told by many people that I should start a blog, but I couldn't bring myself to choose which of my interests to follow. So, I decided to make a mishmash blog with posts from varying topics. All I'm afraid of is that this will scare off lots of readers; so I'll try to keep a balance between the posts (Though I'll end up doing more programming and science posts than reading and maths)<br />
Because of the mishmash nature of this blog, I have given this first post a title that takes care of most of the intended subjects of this blog.<br />
I have recently been strapped for time, so I may not post as regularly as I should. This situation ought to be over by next May.<br />
Stuff I do in my spare time:<br />
<ul style="text-align: left;">
<li>Read stuff: Fiction, Nonfiction, and everything in between</li>
<li>Help out at Wikipedia (Volunteer work, writing userscripts, programming)</li>
<li>Code random useful stuff</li>
<li>Attempt to uncover the secrets of physics (and fail miserably)</li>
<li>Delve into Mathematics (No secrets to uncover here)</li>
<li>Figure out new ways to be lazy and thus get more free time (in which I figure out more ways to be lazy and thus get more free time[...])</li>
<li>Hack stuff</li>
<li>Other random stuff that I'm too lazy to think about now.</li>
</ul>
<br />
~Manish</div>
</div>
Manish Goregaokarhttp://www.blogger.com/profile/18168175762485696461noreply@blogger.com