Hack The Box FriendZone: All About Times and Zones

FriendZone is a medium-difficulty, CTF-style, Linux machine at Hack The Box that was retired today. I found the process of getting an initial foothold to be pretty routine, despite the number of rabbit holes. Privilege escalation using backdoored Python files was especially interesting.
Continue reading “Hack The Box FriendZone: All About Times and Zones”

Understanding the Time-Based One-Time Password (TOTP) Algorithm Used for Multi-Factor Authentication (MFA)

Using multi-factor authentication is a commonly recommended practice for securing user accounts, and it’s available across a range of services today such as Gmail, AWS, Azure, Facebook, Twitter, etc. One of the methods for MFA is to use a third party mobile app like Google Authenticator to generate security codes that are verified by the service. How does this work exactly?

Continue reading “Understanding the Time-Based One-Time Password (TOTP) Algorithm Used for Multi-Factor Authentication (MFA)”

Trying Harder and Passing the OSCP: A Developer’s Perspective

In my line of work, I design and develop enterprise products in the information security and risk management domains. These products generally serve blue teams, and I’ve wanted for a while to get the red team perspective.

So last Fall, I put myself through a self-imposed boot camp: earning the OSCP (Offensive Security Certified Professional) certificate. This is a intermediate-level certificate geared towards penetration testers. Before taking the exam, students spend significant self-directed time (30 to 90 days) in a specially constructed lab environment honing their hacking skills. The exam itself is a 24-hour test in which students are dropped into a network and need to gain admin access to as many machines as possible.

Below is a summary of my journey, along with tips for aspiring students.

Continue reading “Trying Harder and Passing the OSCP: A Developer’s Perspective”

An Alexa Skill for Unlocking Channel Content on my Roku

At home my young kids consume their favorite TV programs from the Disney and Nick Jr. channels on our Roku. We have a subscription to DIRECTV NOW that gives us access to the content on these channels. One annoyance of this setup is that every month these channels require us to manually re-affirm our DIRECTV NOW subscription. The process involves taking an activation code displayed by the channel on TV and manually entering it into an activation web site online. Then I need to enter my DIRECTTV NOW credentials to unlock the channel content again.

This minor inconvenience started grating on me over time, and I was curious to see if I could simplify things using our Echo Dot. After all, Robert Heinlein once said, “Progress isn’t made by early risers. It’s made by lazy men trying to find easier ways to do something.” I wanted to simply be able to tell Alexa the channel that needed to be unlocked and the activation code, and then have it perform the unlock automatically. This would also enable my wife and kids to unlock channels when I wasn’t around.

Here’s how I created a skill to do just this…

Continue reading “An Alexa Skill for Unlocking Channel Content on my Roku”

What I Learned From Building an Alexa Kid’s Skill with the New Alexa Python SDK

Writing an Alexa kid’s skill is something I had been intending to do for a while. I have young ones at home, and they frequently use our Echo Dot. I like that Alexa’s emphasis on voice-first interactions provides a different experience than using a TV or iPad, even if the conversation is ultimately with a bot.

Recently, Amazon announced the availability of the Alexa Skills Kit SDK for Python, complementing their existing SDKs for Node.js and Java. This announcement provided me, as someone who regularly uses Python, the impetus to dive in.

Continue reading “What I Learned From Building an Alexa Kid’s Skill with the New Alexa Python SDK”

Be Paranoid About Your Third Party Dependencies

With any programming language and its ecosystem, developers need to be judicious about the third-party dependencies they bring in. Go is no different, though it can be sometimes be astonishing how simple it is for a third-party package to wreak havoc with your program.

Case in point:

In Go, it’s a common practice to represent errors as variables using the following syntax:

package foo

import errors

var ErrFoo = errors.New("foo error")

The above code creates an error type called ErrFoo. Following Go convention, since the variable name is capitalized, it will be exported outside of its package and available to other packages that want to reference it.

One quirk of Go is that these error variables defined in this manner are modifiable. So another unrelated package can change the value of ErrFoo to something else.

Continue reading “Be Paranoid About Your Third Party Dependencies”

Writing Robust Concurrency Tests In Go Using a CountDownLatch

Recently, while writing tests involving concurrency in Go, I encountered the common situation of needing to wait for a series of events across multiple goroutines to complete before proceeding with further code execution.

Continue reading “Writing Robust Concurrency Tests In Go Using a CountDownLatch”

Rockets Game 7 Collapse – Chance or Something Else?

Game 7 of the NBA Western Conference Finals between the Houston Rockets and Golden State Warriors was the pivotal game of the 2018 NBA playoffs. The Rockets and Warriors were widely regarded as the two best teams all season. The Warriors won the game, coming back from a double-digit deficit, and then went on to sweep the Cleveland Cavaliers in the NBA Finals.

One of the most talked about aspects of Game 7 was the Rockets’ poor 3 point shooting, especially during a stretch in the second half when the Rockets missed 27 straight 3 pointers, an NBA record.

Continue reading “Rockets Game 7 Collapse – Chance or Something Else?”