Final stretch: The trade fair

Hello again, this will be my last blog post in the ECIP course. The trade fair was stressful at first, but it turned out to be quite fun in the end. They also offered free food and coffee at the event. I’m going to explain how our pitches went, what kind of feedback we got from it and what I learned. 

First off, our prototype. Our software engineer Oskari made a nice prototype, which roughly explained the different aspects of our app. It included the core features of our app like the leaderboard system, user statistics and the timer. Sadly, we received only one comment about our prototype. The comment suggested to connect our app to Moodle. It was fascinating because that would allow to greatly help the cause of the program. For instance, it could calculate the total time studied in different courses. 

Our product is called !ZeroTime. It’s a gamified time management app, where you can collect points and compete with other students. Our pitches went well, but I was nervous at first. During the research of our feedback, we received a lot of feedback and the fair seemed to have gone successfully.  

Only problem which we had with our app that it didn’t have as much functionality as expected, so we might need to tweak our presentation a bit. No one commented on our poster, so I think it worked in the intended way: The poster should be a supporting element. 

All in all, I think we must connect our program with other educational software to make it better. After a little bit of tweaking and understanding how users would use the app, it could become a great app for students. 

Take care! 

Have you ever been interested in real-world exploitation? The book I’m about to review is going to blow your mind.

 
“Hacking: The Art of Exploitation” is a book explaining the basics of computers so you can exploit them. It contains programming exploits, the faults of protocols and networking, and the basics of cryptography and cryptoanalysis. The book has lots of examples, so you can try them for yourself.

“Chapter 2: 0x200—Programming” is a must read for computer science students because it explains the computer memory in depth. The computer memory consists of a text, data, bss, heap and the stack segment. You can read more about these segments in the book. What I’m interested in as an amateur security enthusiast is the heap and the stack segment. If a programmer builds a program which allocates a certain amount memory without any restrictions, it could be used to overwrite areas of the memory. All the attacker wants to do is to overwrite the return address. This can allow him to write arbitrary code. The programmer doesn’t ever want this to happen, because it can possibly lead to full compromise of the target system. That’s bad, right? 

 

 

This image presents the basic format of a stack segment, where the buffer approaches the return address and the function arguments. The attacker wants to write more bytes than the buffer has space to overwrite the return address. The return address is an address, which the stack uses to remember to return to the code after a function call.



 

 

 

The book is thorough with its contents. I couldn’t understand all of it. It’s not because of my English, but because it’s like the book is challenging you to understand it. And I absolutely love it. My only critique is that the chapter parts are too long, which is probably already fixed in the second edition of the book: “Hacking: The Art of Exploitation, Second Edition”.

 

I recommend this book to everyone who wants to delve deeper into computers and how they actually work behind the scenes. I liked this book and I’m thinking of reading the second edition after. I loved how the book has plenty of examples and they are easy to try. Understanding them is a completely different scenario.  

 

Citations:  

Erickson, J. (2003). Hacking: The art of exploitation. No Starch Press.

Potential security issues

If you have thought about the security issues your app might have, then this post is for you.

Our company ZeroCorp has started to develop an app, which helps students manage time better. Our team just kept a presentation about the backlog, which is basically a list of upcoming tasks. In the presentation I presented our “Motivation System,” which consists of a reward system and a leaderboard system. You might be wondering; how does this have anything to do with security? After presenting, I started wondering about the security aspect of our app. If the security is not good enough, the user could hack as many coins as possible or hack themself on top of the leaderboard.
 
After a long time of thinking, I came up with a brilliant solution. I must implement antihacking software or in other words: an anticheat. It is very easy to implement but molding it superior is another huge problem, which could be hard to tackle.

The anticheat is a very simple program, that is ran aside the full application. It shouldn’t be possible to notice its existence, hopefully. If the user somehow manages to notice it, then it would be safe to assume that they are cheating or at least going to cheat. The program checks if the user is running any weird software on their computer, like the infamous “Cheat Engine”, which many cheaters have used previously in different games.  There’s also a system in place, which checks the total amount of coins earned. If that count doesn’t match with the experience earned: It will detect the tampering with the app and give a permanent ban.
 
Congratulations for reaching the end. I learned many things while making my software. It’s hard to check if the user is cheating or not because some users might be good and have a tremendous number of coins. Sometimes the user might buy coins, which should be considered. My anticheat is still under development, so it might have multiple problems. I am eager to get the full application to the beta phase, so I could see my little program in action, and fix possible issues with it. Thank you and see you in the next post.

Introduction!

Welcome to my blog! I want my blog to be all about learning and progressing on my path to becoming a real computer expert. I have some prior experience of computers: I know the basics of their internal processes, how to exploit some badly written code and some writing of the code myself. I feel like my skills do not really help anyone now because I am still learning. Henceforth, I want to help develop secure servers because it is sad to see breaches, which would be easily avoidable, and it might cause the suffering of multiple people.

 

The reason I chose to study information processing is simply because I want to deepen my understanding of computers. In the future I would wish that my career path would end up in information security. I have heard that information security is a lucrative career because you can make lots of money. On top of that, I fancy the people in the business, and they amaze me every time with their solutions.

 

My most interesting project was a couple of years ago. I worked with a cryptographical problem, which I will not go to detail now because it is out of scope for this post. I worked with many other people but not specifically close. I did some things and asked for help if I really got stuck. After finishing the project, I learned that I really need to struggle to get the results I want. I need to delve into the depths of algorithms, computers and learn how to work with other people efficiently.

 

The primary purpose of my blog is to teach myself and others. If I continue doing this blog after the ECIP course, I want to turn this into a memo for me. Hopefully, you will enjoy my journey on becoming a omniscient of computers!