Mobile Access Security: Some Thoughts
October 17, 2011
The latest round of the Kiwicon binge-drinking/sheep-buggering-joke-laden/fear-mongering hui is imminent, and once again I find myself refusing to sit in a room full of several hundred people smarter than I am. Maybe it’s just that I am an unsociable creature, but my psychologist suggests that it is more likely to be due to the fact that I am an egomaniac with an inferiority complex. Ever wanting to improve both my mental health and my social stature (actually, scratch that – fuck everyone), I’ve decided to get in on the spirit as best I can by jotting down a few notes about Mobile 3G/4G Access in a security context. I’ve been lucky enough to work in the mobile telecommunications industry for a while, including being paid at times to conduct security assessments of large networks containing many different 3GPP network interfaces and elements. Here I desperately want to embark on a long tirade about the endless number of snake-oil merchants I’ve run into in this industry, but I’ll just have to cry and bitch and pitch a fit another day.
Anyone with a real interest will have seen and read the numerous analyses of 2G (primarily GSM) weaknesses, including some very sophisticated SIM cloning attacks against COMP128 (anyone want to buy me an electron microscope?), the cracking of A5/1, the OpenBTS project and associated subsequent network impersonation trickery etc., etc. The ongoing ‘consumerisation’ of GSM hacking utilities and portable interception kits is still an interesting subject given the size of the underlying 2G deployment base, but the discussion has been done to death and has become a ‘less interesting’ topic as a result.
The 3GPP stepped up with the development of the 3G standards, including moving away from proprietary/closed algorithms to those published in the public domain for open scrutiny. USIM technology as yet remains robust, and the cloning of MILENAGE based end-user secrets has not been proven possible to-date[1]. The development of UMTS introduced AKA, or mutual authentication between the UE and the network, rendering the network impersonation attacks disclosed in the 2G space close to impossible. There have been inroads made into cryptographic weaknesses of the KASUMI algorithm, but the practicalities of applying these in a real-world threat context are negligible.
While the main focus of most mobile security researchers and BadGuys™ has been applied to theft of service (which makes sense), I’ve spent time over the last few years thinking on and off about what other avenues have not been explored in any particular depth. My prediction-cum-hypothesis, and the real guts of why I bothered to write this post in the first place, is that the shared medium of Mobile Access may be vulnerable to more than just disruption caused by creating a wall of noise across the radio interface. If we look at other widely deployed shared-medium network access technologies, such as 802.11 Wi-Fi and wired Ethernet, we know there is a long history of pre-authentication security problems that have been widely exploited. The nature of the majority of these issues has been Denial of Service (network disruption); a weakness that mobile networks can little afford, particularly where they carry traffic such as emergency calls, and where the coverage of the shared medium is far more expansive than your local wireless hot-spot.
I’ll dive into one example, hopefully without this becoming a novel. If we pull open the 3GPP TS 25.331 specification, Section 8.1.3, we look at the guts of the Radio Resource Control transaction required by all 3G UE in order to facilitate a network operation such as making a phone call, sending a text message or establishing a data session. It’s probably also worth noting here that the RRC protocol is an essential part of LTE. A high-level picture of the sequence required in order to establish a successful RRC connection is shown below:
This 3-way handshake is analogous to TCP’s SYN, SYN-ACK, ACK combination for connecting ports. The contents of the RRC Connection Request message include the following mandatory parameters: Message Type, Initial UE Identity, Establishment Cause and Protocol Error Indicator. The Initial UE Identity is populated as per Section 8.5.1 of 25.331, and is based on either the TMSI, P-TMSI or IMEI of the UE, depending on whichever is available to the handset. Section 8.1.3.2 of the specification requires the UE to set a running timer (T300) once an RRC Connection Request has been successfully delivered to the underlying MAC layer. The UE then evaluates a complex set of procedures to determine whether or not to resubmit an RRC connection request once this timer expires.
The RRC Connection Request is delivered over the Common Control Channel (CCCH) which is a shared radio access medium for all mobiles attempting to make use of the network. Remember that prior to authenticating to the network, your handset needs to acquire the CCCH and establish an RRC connection in order to perform its first Location Update and associated authentication procedures.
Section 8.1.3.4 of TS 25.331 goes on to describe the requisite behaviours for the RNC on reception of such an RRC Connection Request message. Early drafts of the specification describe a requirement for the RNC to set a timer known as T350 (or T352 in the event of an RRC Connection Re-Establishment Request), which decrements until such time as an RRC Connection Setup Complete message is received from the UE, completing the three-way transaction. At one stage the default value for this timer was 3000ms, although this was always considered a configurable, implementation-specific parameter. This timer is analogous to the TCP wait timer set by networking stacks on SYN-ACK reply transmission to an incoming SYN request. More recent versions of the specification do not make any mention of T350/T352, and as such, one can only assume that the management and release of these RRC connection resources is left to the discretion of the implementor. Note that 3GPP TS 25.331 also assumes that only a single RRC state machine can exist per UE (analogous to how PPP might be managed by a BRAS for example).
An attacker with the ability to send arbitrary RRC Connection Requests into the mobile network[2] could send a stream of messages, each containing unique “Initial UE Identity” parameters. The RNC will then allocate internal state and associated resources for each incoming request. These resources are effectively controlled by the connecting UE in an unsolicited fashion; remember that no network authentication has been performed at this point. This scenario is somewhat analogous to a TCP SYN-flood, with the “Initial UE Identity” comparable to a randomized source IPv4 address. The attacker will never respond to the RRC Connection Setup messages returned from the RNC (in part by ignoring T300).
The RNC resources consumed, however, may be of least concern if the goal of the attacker is simply a DoS of the local cell resources. Okay, you could potentially save yourself time and effort by buying a cheap and nasty UMTS signal blocker (assuming you can get it past customs) and jam the hell out of the RF interface, but as illustrated below, this ‘half-open RRC attack’ triggers the allocation of radio bearers inside the UTRAN. The consequence is resource exhaustion on the local NodeB, along with the obvious increase in load at the RNC.
The effectiveness of this attack will be partly dependent on the attacker’s ability to send sufficient levels of fake RRC Connection Request messages within the T350/T352 (or equivalent) timeframe; however there is still a fundamental issue in that the network must allocate more resources than have been required on the part of the attacker. The attacker may need multiple UE in order to consume all available network RRC processing queue resources, but this just opens things up to thinking about the distribution of such attacks across discrete NodeBs, clusters or Location Areas. Depending on the behaviour of the RRC state machine management inside the network RNC, control of the Iub interface may be required in order for the attacker to simulate a large number of connections (see [2] below).
Similarly, for the CM/MM/GMM protocols atop RRC, exposures are likely. It may be harder to deliver anything malformed all the way through to the VLR, but attacks in the same vein, where protocol state is intentionally broken by the malicious UE, are bound to exist. The Initial Direct Transfer procedure for authentication is one example where resources are allocated inside the target network; resources that may only be freed at a rate below that which an attacker can deliver the requests.
Hopefully I’m several years behind the 8-ball and someone has already looked long and hard at some of this stuff. The 3GPP Security Working Group seems like a fairly smart bunch, and I’m sure they will have discussed this subject. I know for a fact that there is some mitigation in the software running on particular vendors’ equipment (aggressive T3XX timers, partitioning of RRC context availability pools across limited clusters of NBs, etc.), so it has obviously been given consideration at some point. If you are a mobile network god, and you know for certain why this suspect deficiency in the RRC protocol doesn’t exist, or why what I am suggesting is impossible, please let me know! The only real way the TCP gods managed to mitigate this type of issue was by using SYN-cookies. Perhaps the 3GPP could consider an equivalent for RRC? Should I quickly try and drop in a patent for RRC-cookies??
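To make the half-open RRC argument above and the RRC-cookie idea concrete, here is an added Python model; it is not code from the post and does not reflect how any real RNC is implemented. It pits a stateful RNC, which allocates a context on every Connection Request and holds it for T350, against a hypothetical RNC that keeps no state until Setup Complete echoes a valid HMAC cookie, in the spirit of TCP SYN cookies. Pool size, timer values, identities and the key are all constructed for the model.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class RrcConnectionRequest:
    # Two of the mandatory IEs named in the post; values are constructed.
    initial_ue_identity: str   # derived from TMSI / P-TMSI / IMEI
    establishment_cause: str


class StatefulRnc:
    """Allocates an RRC context on every Connection Request and holds it
    until Setup Complete arrives or the implementation-specific T350 expires."""

    def __init__(self, pool_size, t350):
        self.pool_size = pool_size      # contexts / bearers available locally
        self.t350 = t350                # seconds to wait for Setup Complete
        self.pending = {}               # identity -> expiry time (half-open)
        self.established = set()
        self.rejected = 0

    def _expire(self, now):
        for ident, expiry in list(self.pending.items()):
            if expiry <= now:
                del self.pending[ident]   # T350 ran out: release the context

    def on_connection_request(self, req, now):
        self._expire(now)
        if len(self.pending) + len(self.established) >= self.pool_size:
            self.rejected += 1            # pool exhausted before any auth
            return None
        self.pending[req.initial_ue_identity] = now + self.t350
        return {"msg": "RRC CONNECTION SETUP", "identity": req.initial_ue_identity}

    def on_setup_complete(self, identity, cookie, now):
        self._expire(now)               # cookie is ignored by this RNC
        if identity not in self.pending:
            return False
        del self.pending[identity]
        self.established.add(identity)
        return True


class CookieRnc:
    """Hypothetical 'RRC-cookie' RNC: the Setup message carries an HMAC over
    the identity and a coarse time slot, and a context is allocated only when
    Setup Complete echoes a valid cookie. No per-request state is kept."""

    def __init__(self, pool_size, key, slot_seconds=4.0):
        self.pool_size = pool_size
        self.key = key                  # constructed demo key
        self.slot_seconds = slot_seconds
        self.established = set()
        self.rejected = 0

    def _cookie(self, identity, slot):
        msg = f"{identity}|{slot}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def on_connection_request(self, req, now):
        slot = int(now // self.slot_seconds)
        # Nothing is stored here; the UE holds the only 'state' (the cookie).
        return {"msg": "RRC CONNECTION SETUP",
                "identity": req.initial_ue_identity,
                "cookie": self._cookie(req.initial_ue_identity, slot)}

    def on_setup_complete(self, identity, cookie, now):
        slot = int(now // self.slot_seconds)
        valid = any(hmac.compare_digest(cookie, self._cookie(identity, s))
                    for s in (slot, slot - 1))   # tolerate a slot boundary
        if not valid or len(self.established) >= self.pool_size:
            self.rejected += 1
            return False
        self.established.add(identity)
        return True


def run_half_open_flood(rnc, n_fake=200, interval=0.01, legit_at=2.5):
    """Feed n_fake Connection Requests with unique identities that are never
    completed, then one genuine UE that does complete the handshake. Returns
    whether the genuine UE got a connection and how many requests were refused."""
    now = 0.0
    for i in range(n_fake):
        rnc.on_connection_request(
            RrcConnectionRequest(f"fake-tmsi-{i:04d}", "originatingConversationalCall"), now)
        now += interval                 # all fakes land well inside T350
    legit = RrcConnectionRequest("legit-tmsi-0001", "emergencyCall")
    setup = rnc.on_connection_request(legit, legit_at)
    if setup is None:
        return {"legit_connected": False, "rejected": rnc.rejected}
    ok = rnc.on_setup_complete(legit.initial_ue_identity, setup.get("cookie"), legit_at + 0.1)
    return {"legit_connected": ok, "rejected": rnc.rejected}


def compare():
    stateful = run_half_open_flood(StatefulRnc(pool_size=50, t350=3.0))
    cookie = run_half_open_flood(CookieRnc(pool_size=50, key=b"constructed-demo-key"))
    return {"stateful": stateful, "cookie": cookie}
```

With a pool of 50 contexts and 200 half-open requests inside one T350 window, the stateful model refuses the genuine (emergency) UE, while the cookie model never holds a half-open context and so admits it.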
[1] This is always going to be an arms-race scenario. As modern electron microscopy technology improves, and with the flourishing nanotechnology industry, it is almost certain that advances will be made in the field of reverse engineering K secrets from modern USIMs. Someone will discover some new side-channel attacks; it is certainly only a matter of time, and the big question will be whether or not this can be achieved within the lifetime of the target network. This would be a fascinating area of study.
[2] Obtaining a full baseband UMTS chipset would be a fun way of doing this, although coding the air interface channel allocation feature-set would be a serious undertaking (think GNUradio / OpenBTS scale and beyond). Better would be to build a device along the lines of the ones demonstrated already in the 2G hacking world – an inline device sitting across the Iub interface, avoiding the MAC/PHY layers, with a basic FP/RLC state machine and the associated higher level stacks that the attacker is looking to target (RRC as an example). Depending on the underlying transport you may require TDM, ATM or IP/Ethernet interfaces in your kit. The practicalities of tapping an Iub might be best saved for another post, suffice to say that it probably requires doing something highly illegal. The more honest approach would be with the baseband chipset – or some very clever stop instruction management of a running phone chipset. Building this sort of capability would be an investment mainly in time, but once created, would open a world of possibilities. Think fuzzers. Think about the fact that a number of the devices in the mobile access path run flavours of embedded Linux. Keep thinking pre-authentication.
Memoirs From Siberia
October 5, 2011
My Great Grandfather was an amazing man. He was an architect, an artist, a soldier who fought for Germany in World War I, a Jew who had to flee Europe in the 1930’s, a linguist and a great pragmatist. I’m sure he was many other things also, but I have only been able to build a picture based on the bits and pieces of information I’ve been able to glean from his writing and from discussions with my Grandmother. He fought on the Eastern Front in what is now the Ukraine as a part of the notorious Brusilov Offensive, considered one of the most lethal battles in all of world history. In a botched gas attack against a Russian patrol, he was machine gunned through the legs and left behind by his retreating unit to be captured. He did not describe in any detail where or how he received medical treatment, but ultimately he was transported all the way east to Siberia where he was held as a POW in a camp near Krasnoyarsk. It took him 3 and a half years to get back home to Germany, after which time he detailed his experiences in a fascinating memoir.
I am grateful not only for the fact that he survived and that ultimately in turn, I am alive, but also most thankful that he took the time and effort to document this enthralling and obviously world-changing period of his life. There are frustrating moments in the memoirs such as when, after describing some of the more colourful fellow prisoners in detail, he writes “…and as this is written for friends and family, it is not necessary to describe myself”, although in many ways this only serves to add further intrigue in terms of trying to understand exactly who this man was.
He provides fascinating insight into the behaviour and personality of some of his captive comrades, as well as his captors. He makes humorous references to some of the stereotypical traits of the various nationalities imprisoned along with him, probably bordering on what could be considered non-politically correct in today’s world, and to his credit he isn’t shy about giving a bit of stick to his own tribe either:
The uneducated Germans in their multidialectal arguments quickly lost their tempers and abused one another with rude words. Such disputes ended frequently in a brawl much to the amusement of the onlookers. Others passing the barracks would say, “Listen how the Germans love one another”.
The story itself may be less interesting to anyone who is either not a historian, or not a blood relative, but I think there are some genuine gems in here. It moves between absolute horror and hardship, to comedy gold, right through to sheer disbelief on the part of the reader (particularly when he describes how frequently the Russian soldiers themselves are in a worse situation than he is!). Things go from sublime to ridiculous as he and another prisoner end up on a “maid run”, a sojourn by horse and cart through the rolling Siberian hills during the nicest weather of the year in search of the best (read: prettiest) Siberian girl they can find to become their live-in housekeeper. After promising all the less-than-desirable ones that they ‘have the job’, they move on to the next village in hope of finding the ultimate beauty.
“I wish we had taken the hunchback at Teplorietshka or one of the old women in Savedienje.”
The truth is, it was a bizarre scenario he had ended up in. At some point during his ‘imprisonment’ in Siberia, the Treaty of Brest-Litovsk was signed, ending Russia’s involvement in WWI. Unfortunately, that treaty did not include any provision for the return of German POWs, so he was left in a strange state as a quasi-prisoner with no trivial means of returning west. Just to keep things interesting, the tail-end of the first World War gave birth to the Russian Civil War, and he was yet again forced to escape from what would have ultimately been forced conscription into the armies of the White Forces. Understanding the complex geopolitical environment in which he was surviving is difficult at times, and even after multiple reads of the memoirs and much poring over books concerning the political history of the Russian Empire, it can still be confusing to me.
His journey back home included walking many hundreds of miles with little food, working odd jobs including being a full-time Typhus victim nurse and subsequent body stacker, contracting the disease and nearly dying from it himself, and many many months of careful operating within the bounds of the various state police edicts and civil war constraints that controlled Russia at that time.
“We undressed them completely in the snow in front of the building. There they lay, the emaciated, unclean bodies, bitten all over by the poisonous lice, mottled and spotted. Two of us had to carry them inside, gripping their hands and feet. If the shed was already too full with these stiffly frozen corpses to throw them on top of the pile, we had to climb on top of it. To do so required indescribable moral effort. This remains one of my most terrible war memories.”
The memoirs themselves were first written in 1920 once he had returned to Hamburg. In 1963 he translated them into English, and there were three known typed copies in existence in our family. A cousin helped to type these into the computer, and a significant editing job was required due to the large volume of typewriter copy errors present on the originals. I spent several months in 2009 going through the document, first highlighting the various place names and other Russian or Tartar words, and then going back to try and decipher these. Nearly 100 years is a long time, and the Russians have a great habit of changing place names every time a new leader comes to the fore, so in many instances the task of working out exactly where he had been was non-trivial. Most of the place names had only been heard by spoken word, so he had to write them back down phonetically, first into German and then later into English. I trawled Google Earth for hours at a time, often getting out the ruler to gauge the ‘150 miles south’ or equivalent that had been described in the memoirs. Wikipedia was more than handy for finding the historical names of places, some of which had changed as many as 3 or 4 times since he was there. The language he uses is old-fashioned, and at times obviously written or translated by a non-native English speaker, but for the most part this just helps to add to the authenticity and feeling of the document. I made a few edits to try and improve the readability, but kept things as original as possible wherever I could.
There are a number of small villages I haven’t been able to track down. There is the odd word that I still don’t understand, and the odd timing or directional discrepancy that doesn’t make exact sense. Most annoying are just the missing pieces leading up to his capture. I know he wrote letters home both before and after he was shot, so perhaps if these are still in existence somewhere they will surface one day and answer a bunch of questions.
Long after his return to Germany in 1920, my Great Grandfather was smart enough to see what was happening with the rise to power of the Nazi party, and he moved his entire family out of the country and into what was then Yugoslavia. From there they moved to Bulgaria and applied for visas to the UK, USA and New Zealand. The NZ visa came back first, and they boarded a ship which arrived in Wellington just around the outbreak of WWII in 1939. Being German, they were treated as enemy aliens and subjected to travel restrictions and a requirement to attend regular ‘interviews’. My Great Grandfather eventually found work as an architect, forging a very successful career and becoming well regarded for bringing European influence to the houses he designed – something that prior to that time did not feature much in the New Zealand building scene.
If you’ve read this far, and if you are at all interested, you can read an edited copy of the 100-odd page memoirs here. If you are a Hollywood pundit and you think you could make this into a film, contact me and I’ll flick over my bank account details (all proceeds to go to the wider whanau of course). :>
Ruggers
September 26, 2011
So the RWC is in full swing, and despite the wailing and gnashing of teeth from the naysayers all across Aotearoa, it’s actually going kinda well. Okay, there have been a few obvious blunders – most notably the Auckland transport chaos, the ho-hum opening ceremony (although I did get mildly gushy when old bung-kidney Jonah appeared through the mist), the typically highly variable performance of the match officials, and of course the endless fucking noise of commentary, analysis and general match post-mortem from people we don’t give a toss about. Much like this post really. Yes, I can appreciate the irony of adding to the kerfuffle, but with my updated readership total of my Dad, 2 coworkers and now a friend from Japan, not to mention my heroic appearance and sublime performance in the solitary official game of rugby I have ever played[1], I’m feeling confident in my status as someone who can bring about a bit of value-add here.
The truth is, whether you like rugby and the RWC or you don’t; you’re still a dick. Even the most vehement of opposers, including those saying that the economic burden of the competition on our fragile economy is unjustified, are still talking about rugby – so at least we are unified in the sense that we’re all jabbering on about the same crud. Okay, I really don’t want to hear about how many oysters Radike Samo managed to scoff at the last press conference, and I couldn’t care less that Zac Guildford has gone on a bender in his hotel room just because he played like a narcoleptic thalidomide child, but there is a compelling draw exuding from what can only be described as a real world soap opera. Maybe things will move to a whole new level and we’ll end up with a Cricket World Cup Bob Woolmer-esque incident to really rark things up a bit.
“The truth is, whether you like rugby and the RWC or you don’t; you’re still a dick.”
Not that the on-field antics have been lacklustre to the point of driving us to seek off-field drama; a bit of foul play always provides that extra bit of oomph to an already thrilling match. Todd Clever’s blatant shoulder charge of that Russian bloke was right up there for me, including his effective subsequent acquittal of all wrongdoing at the judiciary. The match itself felt like a re-kindling of the now fairly frozen Cold War, and Clever’s shoulder-to-the-face manoeuvre was altogether very Team America. Hoo-rah. The banzai charging of the Japanese has been great (even if they capitulated and fielded a second-string team against the ABs to save themselves for the backyard dog cookers), and for the most part all of the minnow nations have been playing really well for at least 40 minutes of each game.
Peter de Villiers has been in typical fine form; ranting incoherently and doing his best to pretend like he knows what he is doing. Dingo has been expectedly toothy. Graham Henry couldn’t be any more like Winston Churchill if he tried, although a bit of womanising, heavy drinking and cigar smoking might cap things off there. Chris Paterson’s conversion attempt from out in front where he managed to soccer pass the ball along the ground and under the cross-bar was one of the best things I have ever seen; right up there with the time I saw Joe Strummer playing Clash songs at the BDO – I just couldn’t get enough of it, and must have watched it 10 times on replay. The best part was the ref asking him seconds afterwards “How long have you been doing this?”. Priceless.
I’m looking forward to the remainder of the tournament. It’s been great to be able to limit my screaming at the television a bit. Long gone are the days of me incessantly shouting “Pass the fucking ball, Nonu!”, or groaning as Toeava spills it just for a change. Nine times out of ten now I’m just yelling “Spread it!”, like I’m obsessed with margarine or something. I’ve even been particularly loving the insightful, witty and intelligent commentary offered by Stuart Barnes, and he’s a Pom! I can in all honesty say that I don’t really mind whether the ABs win or lose, except to say that if we don’t pull off winning the whole thing, the endless witch hunting and finger pointing is going to get old as fast as it did the last time around. Remember, we’re all still dicks – get over it already.
[1] Ever the under-performing miscreant, I grew up doing my best to ruin The Beautiful Game by playing it rather averagely at the best of times. I played striker for 6 or 7 years, having the odd moment of glory, but generally played spectacularly poorly due to experiencing high levels of performance anxiety every time I put my boots on (no, not that sort of performance anxiety – that came later). My Dad once commented that I went onto the soccer field looking like I was about to play a game of rugby, and I did have a tendency to end up injuring goal keepers as I ferociously attacked the ball they were attempting to dive on. One morning after playing a game for North Wellington, I headed down to Kilbirnie to watch a friend’s rugby team play. Arriving early, I stood around for the obligatory shit-talking with the players, who were mostly concerned about their lack of numbers. Once they heard that I still had my soccer boots with me, I was instantly ‘on the team’, and about to play my first ever real match in the position of blind-side flanker. Before the game began I was told (by some fuckwit) to rub a liberal amount of Tiger Balm onto my legs. Either by virtue of having giant testicles that dangled beneath the bottoms of my shorts (highly likely), or just by being dimwitted enough to try and rearrange my own balls before going out to play with the oval one, I somehow ended up with a scrotal experience quite unlike any other to-date. Now feeling more than fully wired and like being buried in a ruck would be welcome relief, I was ready. Our team received the kickoff, and within 5 seconds of my first rugby game I was in my first maul (linked for all of you uneducated haters). After about 15 seconds of mauling like a zoo-born tiger who got his first crack at a fence jumping psychiatric patient, I was utterly and incomprehensibly fucked. Tired in the way that makes you just want to sit down and refuse to ever move again.
In hindsight, I don’t quite know how I managed to play the full 80 minutes. I do know that I was almost entirely ineffective as a loose-forward, and that the exhaustion factor limited my tackling ability. But I did manage to punch one of my own team members in the face in another maul later in the game which I think is a fairly spectacular achievement. Oh and I scored a try after the opposition failed to clean up a line-out win on their own 5 metre line, where I pounced on the ball inside the in-goal and then immediately looked up apologetically towards the referee for having been so blatantly off-side. Must have been Wayne Barnes refereeing that day, because suddenly we were 5 points up and I was a hero. Anyway, I’m not saying that Kieran Read is shit, but let’s be honest – if Winston needs me, I’m ready to put the boots back on.
NetCrack
September 19, 2011
So after nearly two whole decades of on-again/off-again blundering my way towards Yet Another Stupid Death, I finally capitulated and began to read some NetHack spoilers. The difference between “figuring things out on your own” and having a comprehensive guide to follow is phenomenal. I can’t help but think about all of the cumulative hours I’ve spent (wasted?) trying to figure out a workable strategy for long-term survival in those cavernous depths; and can’t help but feel awe for those that have managed to ascend without the use of such inside information. Several times I’ve considered reading the source-code (well, I did read a small piece of it after finding an easy-as-you-like stack based buffer overflow in the command line arguments about a year before someone else discovered and disclosed the same bug[1]), and I always knew I could be playing “smarter” by writing down the various hints and rumours that the game provides, but I guess I was always too lazy. That laziness held me in a spiral of playing intently for a week or two, invariably dying repeatedly before ever really reaching the true ‘mid-game’, becoming disillusioned, and then casting the entire game aside only to pick it up again 6 months later.
For most people who end up reading this, the sad part will be that I have bothered playing this game so much, bothered writing this post, or pretty much bothered existing in the first place – but for the true NetHack gods, the sad part will be that I am so obviously crap at it. Not only did I not manage to progress beyond the mid-game in almost 20 years of fumbling around in the darkness, but I didn’t even grasp some of the fundamental basics. Unbelievably, I’d never even made use of Elbereth (although I do claim that until very recently no pre-compiled versions I had ever played with had the option included), and I never got my head around sourcing a unicorn horn well in advance of eating things willy-nilly. One definition of insanity is “repeating the same behaviour and expecting a different result”, and in the context of my nearly 20 years of periodic NetHack’ing I can well and truly lay claim to a spot in the gamers’ loony-bin.
‘Frodo halted for a moment, looking back. Elrond was in his chair and the fire was on his face like summer-light upon the trees. Near him sat the Lady Arwen. […] He stood still enchanted, while the sweet syllables of the elvish song fell like clear jewels of blended word and melody. “It is a song to Elbereth,” said Bilbo. “They will sing that, and other songs of the Blessed Realm, many times tonight. Come on!”’
But not anymore! Now armed to the teeth by virtue of online playing guides, I have become…. no, not ascendant (not yet anyway)… but instead hopelessly, hopelessly addicted. Hooked like I’ve taken one too many chuffs on the old crack pipe. Wired like I’m main-lining, leaving me playing 8+ hours a day on the weekend, late through the evening on week nights, and jonesing through what has become mostly sleeplessness as I alchemise potions and attempt to complete Sokoban from my pillow. The truth is, this game is the real pinnacle of computer gaming. It is the funniest, most random, hardest and most satisfying game I have ever played. It is the true epic, and yet it runs in all of only 256 colours and I can play it on my phone. It has been compiled across pretty much every platform ever made (still waiting for a PS3 version though!), and it can be played through a number of different user interfaces (although not using a full keyboard with a dedicated keypad is mildly aggravating).
Any game where you can go from striding along confidently in your blessed +3 orcish ringmail to being polymorphed in an instant into a Brown Pudding incapable of wearing armour or holding anything at all just lends itself to hilarity, despair and general entertainment. I still feel the pang of guilt when I let my kitten die after thrusting it between myself and the oncoming horde. I still love the fact that once I have the permanent invisibility intrinsic (having eaten the corpse of an Invisible Stalker), that shopkeepers won’t let me into their stores (“Invisible guests are not welcome!”) until I don a mummy wrapping around myself. I continue to be amazed by gems like the one I picked up today: find a scroll of destroy armour, curse it by dipping it into unholy water, read a cursed scroll of confuse monster to become confused, read the cursed scroll of destroy armour while confused and…. one of your pieces of armour is granted an inherent resistance bonus!
The observant amongst you will recognise that this is in fact a screenshot from unNetHack, not the original ‘vanilla’ NetHack.
I’m left feeling like a using drug addict who can reel off a list of one hundred ways in which his or her drug of choice has been proven to be beneficial in some way. In that blind state of denial that can only be brought about by the obsequiousness of being wilfully chained to your master. I’m still in the happy phase where the highs are high and the lows really aren’t that low. I haven’t quit my job to play NetHack full-time, and I haven’t started sucking dick just to get that Amulet of Life Saving. My biggest fear now is that the spoilers turn out to be just that – that things could become too easy – and that it would have been better to spend the next 20 years continuing to chip away at the survival skills that are so desperately essential to staying alive in that dungeon. Thankfully this is not yet the case: tonight my Level 14 Woman-at-Arms only narrowly survived a skirmish with a Disenchanter, where she had to unequip all of her magic items and struggle through the furious resultant melee. I’m 24,130 turns into the game and feeling like I want it to last another 24,000,000.
Latest messages
It hits!
It kicks!
It hits!
It kicks!
It hits!
It kicks!
It hits!
It kicks!
It hits!
It kicks!
It hits!
You die…
‘…. fonetikli was killed on level 9 by a b0f!’
[1] In a former life I was momentarily involved in a not-so-underground hacking community that boasted a remotely accessible “test lab” of several different platforms and operating systems. The lab was to be used for the sole purpose of exploit research and development, and while not entirely useless, was less interesting for me due to the number of discrete UNIX platforms I already had access to play with at work. At some point in between all of the posturing, penis-length comparison and for the most part shit-talking, someone noticed that not only was NetHack installed on the SPARC Solaris 9 core Bastion – but that for some reason it was installed setuid root. Anyone who managed to 0wn the box via the nethack binary was to become a god among men among small-time hackers in a small-time test network. I set to work with an entirely unscientific hit-and-miss approach of perl driven CLI buffer overflow and format string attempts, and was genuinely surprised when the binary crashed. Not wanting anyone else to see what I’d found, I retreated to another SPARC platform I had access to at work, plagiarised and modified some handy SPARC shell code, bashed my head against the keyboard for about a day and a half while I tried to stop making mistakes with endianness and byte-alignment (I was writing exploits in an x86 environment at the same time and not context-switching well), before finally coming out with something that worked. Thinking myself much funnier than I actually am, AND of course being an avid fan of the game itself – as the stack overflow exploit ran it printed: “…. fonetikli was killed on level 9 by a b0f!” before dropping the user out into a root shell. Not one fucking person in that circle seemed impressed, and the only other people in my life I have ever tried to repeat this story to just look at me like I am the most pitiful creature to have ever dragged its carcass across the face of the planet. *Sigh*