Hacks, cracks, dev culture and Armenia's development in tech 🇦🇲

in

Audience


This post is intended for both technical and non-technical people; its for people interested in the development of programmers, cultures of professionalism, security, and the development of Armenia as a tech power. Along the way I will show some security vulnerabilities of well-known sites in Armenia, non-technical people will be able to follow along as everything will be explained. I will also introduce the concept of a bug bounty exchange.

A glossary of technical terms follows the post, might be worth while to read through those terms first.

I want to emphasis that the point of this blog post is not to shame or make fun of any individual or company, rather it is meant to bring attention to the tech industry, culture in Armenia and what can be done to further it to a higher average level of excellence and professionalism.

Problem


Specifically, with respect to Armenia, much has been said about the tech as a shining example of an honest and rapidly growing industry. However, in my view much of that has been pushed by people who frankly are little connected to the tech industry writ tech itself. There are not enough voices heard from the down in the trenches folks who can provide a truly informed voice.

Armenia’s geopolitical situation being what it is makes the tech industry arguably of high interest to national security as:

  1. A robust engine of sustained, organic economic growth. A nation cannot wage wars or devote high levels of resources to its military without a resilient economy. A strong economy lets us negotiate with our enemies from a position of strength.
  2. As a nursery and pipeline for cyber-security. Armenians are disproportionality effective in every domain, the digital realm amplifies that 100X.

For the development of countries, it is better to see a country of makers and not outsourcers. Why? Because making products, like Uber, Facebook, etc, is what makes the biggest bucks of all and is best able to utilize the Armenian people’s creative talents. Working as outsourcing tends to make decent but soulless products, and such products are made by programmers who simply don’t care about what they’re making beyond the salary paid. (Hardly eudaimonia)

With that, Armenia has a lot of outsourcing but the product scene is coming along nicely although we haven’t even seen our first largish failure yet.

Here are two intertwined things I see in the Armenian tech scene that need more attention & sustained improvement.

Problem Fixable Solution
Hacker, developer culture lagging Yes Invest more in people
Cyber-security Yes Invest more in people

What do I mean by developer culture? In a way, it’s like professionalism in other fields which is characterized by devotion to your craft, not cutting corners, doing things the right way even when it takes longer and deeply learning the tools of your craft. Sometimes in Armenian culture people like to cut corners, this is a fact. Examples include cutting corners in Gyumri’s apartment construction which led to worse outcomes in the 1988 earthquake to the elevator in my building whose buttons were always off by one. There’s an implicit acceptance of a shrugging your shoulders quality work and it is reflected in the tech industry as well.

Examples of shortcoming


Now let’s look at a few examples of the manifestations of these shortcomings. I will now show you three examples of live web vulnerabilities of three sites in Armenia, each of which was told that a problem existed but didn’t pursue a fix initially although one has been fixed. All three of them are the result of similar entry level mistakes.

I found out about these exploits after first posting in the Facebook iterate chatroom about bots attacking silicondzor.com

This image is from a server log for silicondzor.com. See the line GET /.git/ HTTP/1.1? That’s a bot checking if it can get our entire git repo, all our source code. After posting that, Sparik Hayrapetyan reached out to me and reported some Armenian sites that were vulnerable to this very exploit!

I verified some of those site and here are how damning it is…

Say we have three websites each ending in a .am TLD:

(the creator field is from attributes given on the public facing sites)

Site Subject matter exploit creator
siteA auction Full git repo, found credentials http://voodoo.pro/en
siteB car rental Full git repo, found credentials sitemax
siteC reading materials Full git repo https://www.studio-one.am

What does it mean to have the full git repo? It means to have the entire history of the source code from beginning to end.

Verification pics:

SiteA – the auction site

First about the programmer culture, this particular code base uses PHP. A programming language known to be inherently defective in security and one that is usally avoided for new projects in Silicon Valley.

Not only are they using PHP, they are also using an IDE to generate PHP code.

Another bad practice they have their passwords in the source code. Hint: this is never a good idea. Since as an auction site they are handling all kinds of credit cards and other sensitive information and now any attacker, including me potentially have access to it all. (Programmers: A better solution is to use environment variables)

SiteA also exposed their SQL on the public website

SiteB – Car rental site

The car rental site required a little bit more work to reconstruct the original git repo. Thankfully using tools like GitTools makes the process painless and after some searching through the source code I found this goodie. These are credentials to the database which being a car rental site also probably contains some nice credit card numbers, accounts.

SiteC – Reading materials

I didn’t dig too deeply in this repo but here’s an example structure. The indentation means hierarchy of directories and files, things ending in .php are source code files.

Studio-One proudly boasts of its clients including AmeriaBank and the National Assembly of RA. How much do you want to bet that they do similar sloppy coding across all these projects?

Again this exploit was rather simple, it was a rookie mistake.

Bug Bounties

Now as I mentioned Sparik first reported exploits to the respective site owners but amazingly some didn’t even reply or simply asked him leave his email address, the de facto equivalent of “Don’t call us, we’ll call you”. Amazingly Sparik wasn’t compensated at all or recognized! I reached out as well but only one replied and has since fixed the mistakes.

Many other companies would have paid him under a system called a bug bounty. This is when companies pay whoever finds exploits on their website/app/program under a structured disclosure method. The idea is that it is better for the company to pay to know about the exploit, fix it, and move on rather than have the exploit end up on the black market and then hit them out in the wild. An example of this is the Target hacking, that cost over $100 Million in damages. Facebook has been running their bug bounty since 2011 with great success, some payouts reach $40,000 which is still substantially less than what can happen when someone malicious literally has all the passwords to your databases and computers. To my knowledge, there are no companies in Armenia that run a bug bounty.

Mitigation

How can we mitigate these kinds of exploits? Well in a way its simple but also hard & vague; we do it by:

  1. Promoting a culture of people open about knowledge, about promoting collerboration. This particular exploit is talked about in just about every other InfoSec meetup in San Francisco and is well known but in Armenia a seemingly prominent firm is repeatedly making it. Practically speaking this means more meetups. A check on silicondzor.com shows 53 events in Feburary for Armenia, that number needs to be higher and a higher percentage needs to be programmers talking to other programmers, not fluff sessions about Marketing/Startups. The meetups should lean toward being workshops with hands on examples and live coding.

  2. Sponsoring bug bounties, especially starting with Government & military websites.

  3. Having more events like the recent Capture the Flag which literally included the exploit used in this blog post.

  4. Promoting a culture of professionalism & respect for programmers. Programmers are not respected as crafts people in Armenia.

  5. Collective funding of talent. The entire Armenian tech industry needs to be willing to spend some money on the collective pool of talent. This means like non-trivial prizes for hackathon, paid bug bounties, paid trainings Armenian culture in general does not promote doing things for free, or helping someone without expecting something in return implicitly.

  6. Promoting and funding projects that protect critical internet infrastructure for Armenia, like CERT-AM

Keep in mind that many of these are happening one way or another, I am merely enumerating some for record. Because I believe in doing and not merely speaking, I will be creating a public bug bounty exchange for all of Armenia, it will be listed on silicondzor.com. Once it is up, I encourage all companies, not just tech companies, to post on the bug bounty exchange with offers of payment for successful examples of exploits.

Parting

(While writing this post a new story broke out of crackers attacking Armenian banks, Hackers Infiltrate Computer System of Bank in Armenia; Steal $273,000, I think you could see the connections of what I’m trying to say; forget criminals for a moment and now imagine a nation-state determined to destroy us.)

There is a lot of hype and excitement for tech in Armenia and it holds a huge promise, but we must grow our industry, talent correctly. In addition, because the topic is Armenia, we must keep in mind about security as cyber-security is increasingly the first line of attack and defense in war. Would our enemies be so kind as to tell us about exploits on our banking sites? Or perhaps military sites or other critical government? What about the electrical system or other critical infrastructure that is increasingly connected to the internet. How effective are Iskanders when someone hacks and reprograms them mid-flight? These questions show the level to which tech, economy and national security are all interrelated in Armenia and the level of responsibility the tech industry has to Armenia.

Glossary

Note:

  1. Non-technical people, you should probably start learning the jargon.
  2. Technical people, these are loose definition meant for intuition rather than accuracy.

source code: The original code of a program, written by a programmer. This can be publicably available or private, usually when its private then it has things like passwords written in it.

exploit: A mistake in the source code which then lets another person use that mistake to cause a program to do something other than originally intended. I.E. if I find an exploit in the ATM machine, then maybe I can get it to spit out money.

InfoSec: Short for information security, its a subfield of programming culture and include a focus on security.

cracker: A professional hacker who attacks programs, products for money usually.

pentest: Short for penetration testing, its when you pay a infosec professional to attack your product as if they were a cracker.

DDoS: This is when someone abuses whatever service you are providing by overwhelming you with too many requests for that service thereby bringing the whole system down.

git: A program used by programmers to help them keep track of all the source code they write, down to the detail of which line of code was written by whom, when.

repo: A directory on the hard drive of a computer created by the git program. It contains all the source code and whatever else the programmers decided to keep track of in the project.

commit: Something created by git that is like a collection of saves of source code. Think of it like a record in time of how the source code look like.

TLD: Top level domain, basically the .com or .am part of a website name.

IDE: A program that some programmers use to help them make new programs, think of it like a fancy word processor with auto completion.

SQL: A programming language designed for databases. If I know your SQL then I know how your data is organized, stored, and what I should be looking for once I get into your system.

bots: Computer programs designed to do boring, repetitive things. In this post it refers to programs designed to search the web for simple, rookie level exploits.

let binding in OCaml class definition

in

I like the object layer in OCaml but here’s one quirk of the language that sometimes I forget about and it can bite you…like I just got bit in my OCaml bindings to Java’s ScriptEngine. (Let’s you evaluate JavaScript in OCaml using the JVM)

OCaml lets you define an object like so:

class thing = object
  method speak = print_endline "Hello"
end

let () = (new thing)#speak

Note that methods don’t need arguments, they will always go off when you call them.

and you can also have fields

class thing = object
  val coder = "coder"
  val mutable name = "Edgar"

  method speak = print_endline (name ^ coder)
  method set_name s = name <- s
end

let () = 
  let p = new thing in
  p#speak;
  p#set_name "Gohar";
  p#speak

Notice that we can also make fields mutable and they are private by default.

Now here’s one situation you might encounter:

class compute = object
  val first_field = Other_module.init ()
  val second_field = Some_module.use_it first_field
end

This won’t work though because you can’t use one field in another field.

One solution might be:


class compute = 

  let first_field = Other_module.init () in
  let second_field = Some_module.use_it first_field in
  object
    val first = first_field
    val second = second_field
  end

Now question, are first_field and second_field created each time a new instance of compute is made?

The answer is no and this might be counter intuitive to some, at least it was to me and I sometimes forget this.

Verify it with:

class thing =
  let foo = 1 + 2 in
  let () = print_endline "I was called" in
  object

  end


let () =
  let a = new thing in
  let b = new thing in
  ()

And see how many times I was called is printed to the screen; hence be aware of this when you use objects in OCaml.

Calling Google Closure programmatically

in

This is a pretty neat post, I’ll show you how to programmatically call Google Closure in Java. Closure is an amazing project that actually optimizes JavaScript rather than just minifies it. (This is pretty much one of the few times you’ll see me write Java, I think the language sucks).

Its mostly a 2017 update of this post from 2009

Here’s the Java

package com.hyegar.closure;

import java.io.IOException;
import java.util.List;
import java.util.ArrayList;

import com.google.javascript.jscomp.CompilationLevel;
import com.google.javascript.jscomp.Compiler;
import com.google.javascript.jscomp.CompilerOptions;
import com.google.javascript.jscomp.SourceFile;
import com.google.javascript.jscomp.CommandLineRunner;
import com.google.javascript.jscomp.CompilerOptions.LanguageMode;

/**
 * An example of how to call the Closure Compiler programmatically, 
 * this is LICENSED AS GPL-3.0.
 *
 * @author edgar.factorial@gmail.com (Edgar Aroutiounian)
 */

public class CallCompiler {

    /**
     * @param code JavaScript source code to compile.
     * @return The compiled version of the code.
     */
    public static String compile(String code) {
	Compiler compiler = new Compiler();

	CompilerOptions options = new CompilerOptions();

	// See :
	// closure-compiler/src/com/google/javascript/jscomp/CompilerOptions.java
	// lines 2864-2896
	options.setLanguageIn(LanguageMode.ECMASCRIPT_2015);
	options.setLanguageOut(LanguageMode.ECMASCRIPT5_STRICT);

	CompilationLevel
	    .ADVANCED_OPTIMIZATIONS
	    .setOptionsForCompilationLevel(options);

	List<SourceFile> list = null;

	try {
	    list =
		CommandLineRunner
		.getBuiltinExterns(CompilerOptions.Environment.BROWSER);
	} catch (IOException e) {
	    System.out.println("Exception raised");
	}

	list.add(SourceFile.fromCode("input.js", code));
	compiler.compile(new ArrayList<SourceFile>(), list, options);
	return compiler.toSource();
    }

    public static void main(String[] args) {
      String compiled_code = compile("var a = 1 + 2; console.log(a)");
      System.out.println(compiled_code);
    }

}

You’ll need to have the Closure Compiler installed, on OS X this is easy with brew install closure-compiler

Then in a new directory that you can use for this build, you can copy the jar from /usr/local/Cellar/closure-compiler/20161201/libexec to where the root is of your directory, let’s call that directory build.

Here’s a Makefile which will build, run the code.

blog_code:
	javac -Xlint:deprecation -cp ./closure-compiler-v20161201.jar:./ com/hyegar/closure/CallCompiler.java
	java -cp ./closure-compiler-v20161201.jar:./ com.hyegar.closure.CallCompiler	

variants in C++14 without boost

in

Variants in their native land

One of the best parts of functional programming are Algebraic Data Types, also known as Sum types, also known as variants. They help you make more type safe programs, self-documenting code.

Here are some examples in OCaml

type 'a option = Some of 'a | None

This is the famous option type of functional programming. A fun thing about option is that its also a Monad, so >>= aka bind is easily defined as:

let ( >>= ) x f = match x with Some h -> f h | _ -> None

Another example recently added to the OCaml standard library is the result type.

type ('success, 'failure) result = Ok of 'success | Error of 'failure

The things prefixed with ' are called type variables, they let you write generic code from the getgo. We only need one for option but we need two different ones for result so that the type of the Ok variant need not be the same as the type of the Error variant.

Once you get an result value, you can pattern match on it:

let process_result = function 
  | Ok r -> (* Do something with r *)
  | Error reason -> (* Do something with the error *)

variants in C++

In C++ variants are not first class citizens of the language, so they need to be provided by a library. In modern C++ our options are C++17’s std::variant, boost::variant or someone’s own rolled version.

I don’t want the boost dependency and I can’t use C++17 so I looked for a library implementation. I found one by mapbox and it fit my usecase perfectly; its a header only template library and I like the API provided. Here’s my implementation of option using the mapbox variant library.

// Let's assume this file is named optional.hpp
#pragma once

#include <mapbox/variant.hpp>

namespace optional {
  struct None { };
  template<typename T>
  struct Some { T payload; };

  template<typename T>
  struct Optional : mapbox::util::variant<None, Some<T>> {
    using Base = mapbox::util::variant<None, Some<T>>;
    using Base::Base;
  };

  // These two are helper functions, like std::make_unique, etc.
  template<typename T>
  auto some(T x)  { return Optional<T>{Some<T>{x}}; }

  template<typename T>
  auto none(void) { return Optional<T>{None{}}; }

}

And here’s an example usage:

// Let's assume this file is named main.cpp
#include <string>
#include <iostream>

#include "optional.hpp"

// This lets just make std::string just by adding a suffix of 's'
// to things that otherwise look like char *
using namespace std::literals::string_literals;

// Pretend that this is something that could fail.
auto file_contents(void) {
  return optional::some("some file contents"s);
}

int main(void)
{
  file_contents()
    .match(
  	   [](optional::None) {
  	     std::cout << "Check if file existed\n";
  	   },
  	   [](auto some) {
  	     std::cout << "File contents: " << some.payload;
  	   });
}

and you can easily compile it with, assuming that you added mapbox/variant.hpp to your compiler’s include search path…

$ clang++ -std=c++14 main.cpp

Happy coding.

node's async, await, Promises.

in

While studying for interviews I’m talking breaks by working on silicondzor.com

This is giving me some real web dev experience and I’m using the latest and greatest features of JavaScript and node.

One thing that I’m really liking in modern JavaScript is the async story, it reminds me a lot of OCaml and both are somewhat converging, i.e ES6’s introduction of Promises which are basically 'a Lwt.t, and Lwt renaming Lwt.t into Promises in 2.7.0.

Here’s like my conceptual cheatsheet about using Promises from scratch, converting an callback API into a Promises API and then taking it to the next step with async, await.

Basic callback APIs

node uses an event based programming paradigm and this is reflected in basically all server side code, ie the trailing callback argument to asynchronously call once the task completes.

Let’s simulate it with this function

// Plain CB based API
const test_func = (item, cb) => {
  setTimeout(() => {
    if (item < 5) cb(null, 'Success');
    else cb(new Error('Oops'), null);
  }, 3000);
};

test_func(3, (err, success) => console.log(success));

This models typical node code, the callback being called three seconds after execution of test_func

This seems pretty fine for this example but once you have logic that is dependent on the success of one callback API after another then you start to have a difficult to reason about triangle of callbacks on the screen.

Promises

ES6 introduces Promises and these are quite convienent, think of a Promise as being a box which will have a value in it sometime later.

We can turn any callback based API into a Promises based one.

// Promises based
const test_func_promise = item => {
  return new Promise((accept, reject) => {
    test_func(item, (err, success) => {
      if (err) reject(err);
      else accept(success);
    });
  });
};

test_func_promise(2)
.then(item => { console.log('Sucess!!', item); })
.catch(err => console.error(err));

When you create a new Promise you need to provide it with two function, one to be called when there’s a success and when the Promise should fail. Hence when calling test_func_promise returns a Promise, not the value 'Success'. Also if you use the plain Promises approach be sure to include a .catch call.

This is nicer than the original callback API approach, but now all your success or failure logic and everything following that effectively has to be all in either .then or .catch and that’s a bit awkward still.

async/await

ES7 introduced async, await where I basically think of the latter as >>= and async as sort of like >|=. With async, await we can call Promises based code as if it was synchronous code.

const test_func_async_example = async (item) => {
  try {
    const result = await test_func_promise(item);
    console.log(`Yay: ${result}`);
  } catch(e) {
    console.error(`Messed up: ${e}`);
  }
};

test_func_async_example(6);
test_func_async_example(3);

First notice how whatever function we use await inside of, we need to tag that function with async and now this function returns a Promise

Now when we call test_func_promises with await prefixed, then we get the value that the Promise resolved. Also whatever the reject condition of the Promise was then becomes the exception of the catch following the await usage.

Summary

async, await are very powerful features of ES7, Promises are from ES6. Not every JavaScript engine supports ES7 so you’ll have to use babel to compile your async, await to runnable code; basically turns the async, await to generators (also an amazing topic).

On newer versions of node, I’m using v7.3.0, you can turn on features from the future with command line arguments. Check all of them with:

$ node --v8-options | less

I’m turning on native async, await with --harmony_async_await, so my final invocation is:

$ node --harmony_async_await test.js

You can get all the code as one script here