ISO: The Theory of Everything

Just finished up a thought provoking and highly-entertaining treatment of concepts and ideas swirling around related to life, the universe and everything.

Unlike some reviewers of the book, I specifically appreciate that the author tries to synthesize the scientific world view with the religious world view. 

There are too many in life that think the world is so black and white, on both sides, thus being completely unwilling to give credence to what another might say or think across the divide.

The dichotomy reminds me of a couple maxims summarized by Covey and Bragg: 1) first seek to understand, then to be understood, and 2) science and religion are opposed as the thumb and forefinger – between the two you can grasp anything.

I came to a similar simulation theory ages ago (without much science knowledge to back it up, just through general observation and cognitive experiences), I’m glad to see we have some great thinkers spending significant clock-cycles on it.

Somewhere in our future is “The Theory of Everything”.  Keep seeking!

General thoughts on OpenSource Software

While having conversations with a couple friends the last few weeks, I came to the conclusion that there might be value in writing down some of the ideas I have floating around in the big tin-can on my shoulders, as it relates to opensource software (oss).

Or, then again maybe not.

Regardless, I took a few minutes to jot down some thoughts. This list is by no means exhaustive, it’s just a quick brain dump around what comes to mind when I think about using oss in the enterprise.

Talent implications:

There are some definite and perhaps obvious implications to attracting talent when it comes to participating in the oss community.  First and foremost, it is an easy way for an organization to market itself, its culture, its people and its technology capabilities. Secondarily, in my mind, developers that engage with the oss community show an increased dedication and passion for ongoing learning and development outside of the 9×5. So participatory individuals definitely represent a type of individual I want to have in my organization.

Technology practices:

OSS can be fickle, as it involves many people with diverse backgrounds and perspectives agreeing to agree. ūüėä

When using oss, I would suggest setting up a company repository where oss and dependencies are curated and maintained as approved for corporate use. In addition, I would also recommend blocking teams from using external repositories, in order to manage and mitigate various risks based on company appetite.  JFrog Artifactory is one such example of a solution that can be used for a corporate repository.  

The link below gives a brief example of what can happen if you aren’t careful in how you manage the repository in the oss world.  ūüė≥

https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

In addition, in order to maintain bench strength, autonomy, ensure continuity, and enforce corporate quality gates, it is also important to not become reliant on compiled binaries; as such, I would ensure the company has the toolchains and configurations to compile source code into binaries in a CI/CD type of model.

Security of open source:

On the upside, oss allows for easier identification and crowdsourced remediation of vulnerabilities; however, on the flip-side, it is easier for hackers to identify vulnerabilities, fingerprint companies using the oss, and subsequently exploit vulnerabilities, without disclosing them.

Thus, it is important to have a solid program in place for monitoring for emergent vulnerabilities and patching in a timely manner, especially for externally facing solutions. This also drives back to the discussion of having a centralized repository for curating approved oss.

Licensing models:

I‚Äôm not a legal expert by any means but know enough to state that careful considering needs to be made as it relates to the usage and mixing of different license models in the oss and proprietary world. 

As an example, some license models cannot be combined with others and some licenses like ‚Äúcopyleft‚ÄĚ licenses are viral (to a greater or lesser degree) and may require disclosure of source even for derivative or combined works.

In addition, there are nuances and interpretations related to words like ‚Äúpropagate‚ÄĚ or ‚Äúdistribute‚ÄĚ when modifying oss.  As an example, using it on your internal corporate network may have different implications compared to embedding it into a website and having people remotely access it, which may also be viewed differently than using it in the mobile app and putting it in an app store.

Cost factors:

OSS has many cost factors, but I saved cost for last because it is tired to all the previous discussions. While the initial investment is often lower for an individual package, taking on maintenance and support for more complex oss packages will likely increase the TCO and have a negative impact on opportunity cost over time, as you will have teams that will need to continue to maintain and provide upkeep for what is likely to be a commodity for the organization – rather than focusing that same time slice on things that are of a competitive advantage.

Summary

A quick wrap up. I am a huge proponent of both the concepts and implementations of oss, however, I often see companies going down the route of oss because it is perceived to be “cheaper”. While, in some cases, that may be true, especially for smaller companies with very limited IT budget and a high tolerance for risk.

My advice is to think through the risk and exposure around the use of OSS for the company, and then compare what it would take for investments to make oss elevate to the same first class citizen as internally developed software. That’ll give you a head start on understanding the TCO and opportunity costs of using oss in the overall aggregate of your technology economy.

Finally – while I admit, I really haven’t read much of it, this looks like a great resource. https://opensource.org/faq

My hope is that you will find ways to manage the corporate risk, and still commit to engaging with, and supporting the OSS community!

As always, I am happy to learn from others, so if you have a perspective you’d like to share on oss – feel free to reach out to me and engage.

Meeting a legend! Kevin Mitnick.

23 years ago, on Feb 15th, the worlds most famous hacker, Kevin Mitnick, was apprehended in NC after years on the run from the FBI.¬† Prompting many, many young hackers and computer enthusiasts (including yours truly) to take up the mantra “Free Kevin”.

A little over 28 years ago, I started my own journey into information security (thankfully never pursued by the FBI), and much like Loyd Blankenship (Hackers Manifesto), Kevin had a profound impact on my young security career.

Today, not only did I get see Kevin in action (POC exploits), but I got to say hello and shake his hand. I didn’t even think about taking a picture, I just wanted to shake his hand; but I’m thankful, someone there said “would you like a picture”.

Thank you anonymous picture taker!

Playing with Python

It’s been 15+ years since I have received a coding assignment, so recently, I decided to try moving in the opposite direction from Assembly, C, and Reverse engineering, and decided to take a course on Udemy for learning python.

So far, it is an excellent course.  If you are interested the course is located here.

The assignment:  create a Tic Tac Toe game in Python.  The results are as follows:

https://github.com/idarthjedi/TicTacToe/blob/master/tictactoe.py

Breaking free from the confines of the mind… is this what insanity is like?

For years I trained my brain to engage in lucid dreaming, I’ve played with hypnosis, NLP, paraliminal learning, photo reading, and other crazy reprogram and expand your brain exercises. ¬†Last night I got what I deserved (I guess).

As I awoke, but still asleep, I began to dream that I was programming my body in my brain. ¬†I was pushing and popping instructions off the stack of my mind to create¬†my heartbeat, to expand my diaphragm, to push blood through my veins. ¬†For a brief moment, I thought “this is awesome”, I’ve finally broken free of The Matrix.

However, very quick I realized that if I was controlling my autonomic functions, if I screwed up on the programming, my heart would stop, I would suffocate, my organs would die of asphyxia. Having this realization, I started to panic.

Mind you, I was dreaming, but aware I was dreaming.

So, I finally said to myself, this is silly, why panic, you can just wake up. ¬†But I couldn’t. ¬†I tried to stop thinking about programming my bodily functions. ¬†But I couldn’t. ¬†I tried to stop worrying about injecting the wrong opcodes. ¬†But I couldn’t. ¬†So then I started thinking, “Is this what happens when you go crazy”. ¬†“Will I wake up, insane”. ¬†“What if I can never get control over my mind again”.

I always thought going John Nash¬†crazy¬†wouldn’t be so bad, at least it would be in brilliance; but now, I couldn’t imagine being stuck in a world where I knew I was trapped in my own mind, but couldn’t break free.

Have you ever started thinking so much that your head started to throb?  Burn?  Ache?  I felt like my CPU was overclocked, overheating and was about to core dump.

And then I crashed – I don’t remember how it resolved, or how long it went on, but I woke up this morning… a little ragged, with vivid memory of the whole ordeal. ¬†Happy to report, that I am still part of The Matrix, and I’m not John Nash insane.

Maybe I should stop messing so much with my brain.  Maybe I should take a break from technology.

Nah.  Back to The Matrix.

Bubble sort in x86 ASM

[[NOTE: For a more efficient way to implement the bubble sort, see my later post]]

Why? ¬†I have no idea. ¬†It’s funny how many times I set off my AV scanner trying to compile and run my PE. ¬†That brings back some great memories with the VCL.

I’m sure there are cleaner ways to do it – but right now, I’m just worried about making it work. ¬†ūüėČ

NOTE: Written in FASM, and the training.inc can be found over at xorpd on git.

; Author J. Logiodice
; Date: 05/22/2016
; Purpose: Bubble SOrt
; This method will read in a series of TOTAL_NUMS numbers
; And bubble sort them, then print them out in sorted order to the screen
format PE console
entry start

include ‘win32a.inc’

TOTAL_NUMS = 10 ;10

section ‘.bss’ data readable writeable

array_numbers dd TOTAL_NUMS dup (?)
nMinus1Mem dd ?
boolSwapped dd ?

section ‘.text’ code readable executable

start:

; Set up the loop variables
mov ecx, TOTAL_NUMS
mov esi, ecx
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Read in one number at a time, for TOTAL_NUMS numbers, store them in the bytes that
; start with array_numbers
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
loopRead:

dec esi

; read input into eax but first clear out eax
xor eax, eax
call read_hex

; move value into memory offset (reverse order)
mov dword [array_numbers + esi * 4], eax

loop loopRead

; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; I am sure there is a more effecient way of doing this
; I will probably try and clean it up later, but for now it works.
; loop iteratively over the array until no more swapping occurs,
; and the highest number ends up in the lowest part of the array (lowest to highest)
; start with array_numbers
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Set back up the loop variables
restartLoop:

mov ecx, TOTAL_NUMS
mov esi, ecx

; set the swapped variable to false
mov [boolSwapped], dword 0

loopSort:

dec esi
mov eax, esi
sub eax,1d

test esi, esi
jbe loopExit
mov edx, dword [array_numbers + eax * 4]
cmp edx, dword [array_numbers + esi * 4]
jbe noSwap
; if we get into this section, then swapping needs to occur
; set the boolSwapped to true
mov [boolSwapped], dword 1

; need to swap the two numbers
mov [nMinus1Mem], dword edx
mov edx, dword [array_numbers + esi * 4]
mov [array_numbers + eax * 4], dword edx
mov edx, dword [nMinus1Mem]
mov [array_numbers + esi * 4], dword edx
noSwap:
; jump here if no swapping needs to occur, but we’re still in the loop
loop loopSort

loopExit:

; if boolSwapped isn’t false, then we’ve swapped at least one
; during the iteration, let’s go through it one more time to make sure
; that we don’t have any more to swap
cmp [boolSwapped], 1b
jae restartLoop
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Print each number back out to the screen for unmodified numbers
; we will loop from the lowest to highest part of the array – which is the largest to smallest number
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

;mov edi, array_numbers
mov ecx, TOTAL_NUMS
mov esi, ecx

loopPrint:

dec esi
mov eax, [array_numbers + esi * 4]
call print_eax

loop loopPrint

exit_prog:
push 0
call [ExitProcess]
include ‘training.inc’

Ehrlich’s Binary Shirt

In case you are wondering:

01000010 = 42h = B (A)
01101001 = 69h = i (A)
01110100 = 74h = t (A)
01100011 = 63h = c (A)
01101111 = 6Fh = o (A)
01101001 = 69h = i (A)
01101110 = 6Eh = n (A)

You know what they say, there are only 10 types of people in the world: those who understand binary, and those who don’t.

Manipulating bits for fun [..and profit..?]

For years I’ve understood assembly enough to get by with debugging and disassembling when needed; I finally decided it was time to learn to write.

The world of the computer language is intriguing, easy and frustrating all at the same time. Here are two equivalent pieces of code, they do the two very simple things in slightly different ways.

The first I wrote interpreting from a higher-level language that I can read & write (C); the second was the code rewritten to be more compact.

Why? ¬†I don’t know… just because…. ¬†at what point would I ever use this newly acquired(ing) skill for something valuable… ¬†I guess we’ll see…

assembly code

 

The end of the world as we know it – or the dawning of a new age?

Artificial Intelligence might bring immortality or it might as easily bring imminent destruction of the human race.

For an accessible quick read regarding this topic, you can check out the U.S. News article We all may be dead in 2050.

If you are interested in going a bit deeper regarding the precarious position the human race is in and the challenges to be overcome as we move into this new age of enlightenment Рcheck out the book Super Intelligence by Nick Bostrom.