Ever since I got my first laptop the summer of 5th grade I’ve made sure to properly backup all data when swapping over computers. Earlier on I didn’t know anything about redundancy or hard drive failure so my sole copies of everything existed only on the latop I was currently using. With a few small mishaps (and a 10 year old disk drive surviving its mortal coil) I’ve been able to retain close to everything. I thought it would be a good time to revisit some of these to see how far I’ve grown and to justify my growing collection of digital artifacts.

Old Websites

My first exposure to programming what actually an HTML class being taught at my middle school. This was an Aramco school in Abqaiq, Saudi Arabia, so there weren’t exactly alot of opportunities to have a real person teach these things. After completing the class, I kept learning more and more about HTML and moved on to self teaching Javascript, my first actual programming language. With just these skills I was able to get alot of fun stuff done.

Demo, Source Code

tank-game far my most ambitious project. I decided that using HTML canvas was too annoying to work with so I created a game (and an ad-hoc engine) that manipulated actual HTML elements using CSS across the screen. This came with actual level design, a map design data format, controller support via the then-experimental browser API, and of course patch notes in the form of a .txt. It’s 2 player, controls are WASD and arrows (with Z and Enter for boost), and the goal is to achieve either the map objective or to kill the ‘queen’ tank (the one with no transparency). Give it a try!

If you wanna see more, heres a funky math demo, a dabbing simulator (it was 2017), and a Monopoly game tracker with now-broken image links. Oh, and a suspiciously well made Russian Roulette game where I learned how to program animations and turn-based combat.

Video Editing

I had a stop motion and video editing fever at one point. I made them by importing photos taken by my sister’s 3DSXL camera into Movie Maker (none of us had phones).

Here are some of the less embarrassing ones. Credit to my little sister for some of the voice acting, I have no idea how I got her to say her lines considering she was in kindergarten at the time, but I’m guessing she was excited to see her Shopkins move and talk around our marble dinner table which may have helped.

School Work

Theres way too much to go over since I saved literally everything I’ve ever submitted via computer but I found a rendition of “Captain Djibouti” I made for what I’m assuming is either a social studies or Arabic class presentation on the country. This was 7th grade, so yes, I spent nontivial time coloring in between the lines on MS Paint.

What’s a Zine?

A cautionary perusal of the relevant Wikipedia page reveals the it is a typically small-scale and indie distribution of something resembling a magazine, with strong emphasis on typesetting and graphical elements. For the case of e-zines, there is also the fact that distribution is though the internet, allowing for a more interesting collaboration dynamic. In some cases, this collaboration is pseudonymous, so artists might not even know each other by name!

I’ve decided to archive a few of these because of the ethereal nature of these projects, with websites going down and file uploads getting removed, and the occasional nuke-everything-and-run by the admins. Many of these zines are uploaded in the most bizarre places, such as itch.io and Mega, which makes it impossible for the Wayback Machine to properly archive.

Archival

The archive is currently around 2GB on my hard drive which might cause issues with Github if I upload it all directly to my website. I’ll try to reduce the size somehow and make a page available later containing all the issues for each of these zines.

Lainzine

Website

This was my first exposure to e-zines. Topics include cyberpunk/hacker culture, but there a lot of variety even within this specific space. There’s a lot of intro-level articles on a variety of computer science and math topics, some creative/political writing, and a suspicious amount of drug procurement guides. I also think these stylistically hit out of the park: I especially love the covers and full-page intermediary pieces.

Black Fog

Website

This one is more focused on art (with a vague internet/glitch theme), with issues consisting of concatenated comics and visual art collections, from photography to glitch art to drawings. I particularly love the style here too.

cyberbully

Website

This e-zine has a focus on internet users, but of course gravitates to the smallweb since that’s where all the all the fun happens obviously. Lots of fun pages, and I especially love the ASCII art full pages and cover.

Paged Out

Website

This one is a more technical-oriented zine a la Phrack, but not just raw ASCII which makes the whole thing a lot more readable (though more expensive archive). I particularly like the “ICO/PDF polyglot guide” from Issue 1 since this knowledge has somehow come up in a job interview. Theres tons of fun esoteric things like quines and code golfing, even if you aren’t into cybersecurity, though its a bit inaccessible if you aren’t familiar with low level programming.

PoC or GTFO

Mirror

This zine is typeset in LaTeX which tells a lot about the style of articles inside. Similar to Paged Out, there’s a lot of writeup-style explorations in very deep technical domains. As the name suggests, expanded as “Proof of Concept or Get the Fuck Out”, the articles aren’t abstract in the least: they are things you are able to do now on existing computers and setups (which is different from the more abstract kinds of info you learn from textbooks and courses).

Problem

This one should be really easy. All you have to do is scan a QR code!

Attached is an image called “easy_scan.png”, which is exactly as shown.

Steps

Scanning the QR code like the problem statement suggests gives you bracco{thi5_1sn7_r34l}. Not very helpful. I decided to plug the image into AperiSolve to give some more info.

I noticed that all layers except the first were identical. This makes sense since the image appeared to be white and black, which are #ffffff and #000000 respectively. Thus, there was only variation in the least significant bits, which we could see best in the superimposed image in the top left corner. Of course, these variations are impossible to notice on the final image.

One thing to notice is that the colourful superposition actually forms a valid, but different QR code. For me, the tell was the clear existence of the 3 large squares and the smaller square near the bottom right (yeah I watched that Veritasium video).

From there, I just had to convert the colorful image into black and white. This can be done with a simple ImageMagick command.

magick qr.png -alpha off -threshold 99% o.png

Scanning the code (or in my case, uploading it to some random QR code decoder site) gives us the flag, bronco{th1s_0n3_i5}.

Challenge

The exact wording of the challenge is unavailable as of writing, but we were given a name “Wilford Von Bugsy”, who reportedly had bad opsec, and a 0-cost hint referencing wine.

Info Aggregation

DuckDuckGoing the term “Wilford Von Bugsy” gives us 2 leads - A LinkedIn and a Flickr account.

The Flickr is a red herring - literally

The LinkedIn has some interesting info - narrowing our target down to at least having history in the GTA, and letting us know that he went to Sheridan for a Bachelors in Animation. Furthermore, according to the program website the program is only offered in the Oakville campus, narrowing down location even more.

What a pivot

The LinkedIn also has an email in the “Contact Info” section

My teammate ran the email through the OSINT tool EPIEOS and got 3 hits

1. Google (duh)
2. Flickr (already found)
3. Vivino (???)

Deeper look

A wine ordering website. Looks like were on the right track.

When looking further into the Google account, we found a Google Maps profile associated with the account with a few contributions

A single review and 3 answers. Since this account was made specifically for the CTF, we can assume these are meaningful and part of the challenge. However, these isn’t a way to retrieve reviews by profile, probably intentionally to avoid the exact thing that we’re doing.

Back to Vivino, after looking at the URL structure for user profiles (for the site’s review feature) and a lucky guess as to what his username might be, we’re at his profile.

https://www.vivino.com/users/wilford.von.bugsy1982

A sports pub and grill near his college? Good thing we know exactly where his college is. The first result in Google Maps to “sports pub and grill near sheridan oakville” was our place - Monaghan’s Sports Pub & Grill.

Wait, didn’t he have a Google Maps review? My teammate found it by simply sorting the reviews by new.

We get a strangely specific hashtag and a reference to him posting pictures. It’s not his Flickr, so maybe Instagram?

They’re somehow hidden, but theres definitely posts here (unless some other team who got this far is trying to mess with us). The images are of burgers at Monaghan’s, so my teammate had the idea of searching by location instead. With that, we were able to narrow it down to a single account called @notorious_wvb.

From here the flag is obvious. Here’s a mind map of our entire search.

Level 1: Pwetty Please?

The LLM UI is as shown:

Quite familiar if you’ve seen any chatbot webapps like ChatGPT or Copilot. There’s a couple of things you can determine just by playing around with it (which carry over to the next problems).

1. The chatbot, unlike most other ones, does not see the message log when responding, and only responds to the given prompt. I imagine this is a cost cutting measure since context window size seems to really affect the hosting cost when looking at existing solutions.

1. The chatbot knows the flag. How I imagine this works is that the application feeds a secret prompt (with the flag contents and additional instructions on handling user input) to a generic LLM, with the user’s prompt appended at the end, similar to how ‘flavored’ chatbots work.

Lets start probing it for the flag then.

Strategy 1: Asking nicely

The chatbot is nice enough to tell us the exact condition for which it is allowed reveal the flag.

Strategy 2: Pretending to be an admin

Great!

Level 2: Authoritarian

Strategy 1: Asking nicely (again)

I’m… unauthorized?

So it appears I need some kind of credentials to authenticate. Lets give it exactly what it’s asking for.

Strategy 2: Giving credentials

So it doesn’t like that I’m giving it bullshit creds. Maybe its programmed with a set of creds in the hidden prompt? Guessing that would be hard though. I have a better idea…

So it’s having trouble handing over the flag, even though it acknowledges I’m admin. Let give it a bit of encouragement…

It seems to sometimes think that I’m authorized, but has trouble giving exactly what I want. Let’s be more explicit about that. After a handful of tries…

A slight modification I made was to refer to the flag as a ‘string’ to loosen the influence of its instructions, which no doubt state that it can’t reveal the flag. I’m honestly not sure if it helps.

Level 3: Janus

This is the final level of the category.

Strategy 1: Ask nicely (again again)

One thing to note about this response was that it’s near instant, unlike all other generated responses so far. To demonstrate:

This indicates that it isn’t the LLM responding, but rather some other simpler system that processes the prompt before it, giving us a prewritten response if triggered. My first guess was a trivial wordfilter. Let’s test that theory.

No apples :(

It seems ‘flag’ is one of the the trigger words. Some others:

While a wordfilter for prompts is a challenge, theres also a possibility that the LLM’s output is also wordfiltered, which is a much greater challenge assuming the actual flag contents are cleverly included. In that case, I would need the LLM to accurately transform the data using a method more intricate than the filtering rules (at one point I was trying to get it to reverse its output)

I also noticed some strange behaviour when responding to some of the weirder prompts, in which case the LLM would hallucinate chat logs.

This gave me an idea for an attack. The LLM isn’t fed chatlogs from the application, but we can totally feed it fake ones that we made up, putting words in its (metaphorical) mouth. It reminds me of one of Cialdini’s principles of persuasion, consistency, where people are more likely to do something if it conforms with their previous actions. Who knew LLMs fell for the same tricks?

This is the actual screenshot of when I solved it

This response may have also bypassed any ‘flag filter’ just by escaping the underscores as a bonus. Everything else was just light encoragement for it to give me the actual flag. Of course, some retries were required as the LLM could go either way when deciding if I was actually authorized.

Conclusion

Fun challenge and fun CTF overall!

The Requirements

For an ongoing effort to build some infrastructure for a university club ¹ I’m starting, I needed to aggregate RSS feeds into a single hosted megafeed, in order to further pipe this feed to a Discord bot, among other things. In practice, this would mean setting up a VPS, downloading some combiner script off of Github and setting up a cron job to download, run, and upload on a regular basis. One could also haphazardly use one of the multitudes of online services that do this, the downside being clunky modification, nonportability, arbitrary restrictions, and of course the Sword of Damocles that hangs over every small scale web startup.

In my search, I found a Github repo innocently called rss-combine which did something pretty interesting (and might help someone with the same problem).

The Repo

The code in the repo looks pretty normal. For the VPS solution, the Go code would actually have been sufficient to download and combine the feeds to a single file. But what are these commits?

They seems to be caused by this action, which is designed to keep your repo “active” for cron(!) based action triggers. Understandably these kinds of actions have alot of compute cost, while being offered for free, so it makes sense why Github would try limiting them for untouched repos. Lets take a look at some of the cron-based actions rss-combine is trying to preserve.

The actions seem to be running the repo itself!

...
env:
        AWS_ACCESS_KEY_ID: $
        AWS_SECRET_ACCESS_KEY: $
        AWS_REGION: us-west-2
        RSSCOMBINE_TITLE: "New York Times Top 100 Articles a Week"        
        RSSCOMBINE_DESCRIPTION: "Combines public New York Times RSS feeds into one feed, with the goal of surfacing only the top items"        
        RSSCOMBINE_AUTHOR_EMAIL: "***"        
        RSSCOMBINE_AUTHOR_NAME: "***"
        RSSCOMBINE_FEED_LIMIT_PER_FEED: 5
        RSSCOMBINE_FEED_URLS: "https://raw.githubusercontent.com/chase-seibert/new-york-times-rss-top-100/master/README.md"
        RSSCOMBINE_LINK: "https://github.com/chase-seibert/new-york-times-rss-top-100"
        RSSCOMBINE_S3_FILENAME: "new-york-times-rss-top-100.xml"
...

Using the built in “upload to S3” functionality, it seems to be uploading the resulting feed to a predetermined bucket, presumably for public access. Neat.

Adapting it

The final result is here if you want to follow along.

Looking at the workflow file (located in .github/workflows in the repo), all of the required config could be done by just changing the env variables in the config. A particular snag was that the config s3_bucket, with which the code determines whether the output is uploaded to s3 or piped out stdout, was not present in the env. This was because it was located in rsscombine.yml, which I pruned all redundant config from.

run commands are run with the os’s default shell (for ubuntu bash) so I’m able to do this

...
run: go run rsscombine.go > feed.xml
...

And then

...
run: curl -F "feed.xml=@feed.xml" "https://$:$@neocities.org/api/upload"
...

Thankfully neocities’ upload system is dead simple so there was no problem there. If you want to run a similar setup, both my and the originals are there for you to model your workflow config off of. Thanks for reading!

The problem

So for my RSS reader, I use Thunderbird since I already use it for email and, like I demonstrate in my previous post, OpenPGP as well. I actually use it for CalDAV as well, all in all its a featureful organisation software.

The biggest flaw for me is the fact that settings cannot be synced between clients. So for example, since Thunderbird is on my desktop, when I add a feed to my reader on it, it doesn’t show up on the Thunderbird on my laptop. Furthermore, what if I want to read on my phone? Do I need to maiantain 3 lists of the same thing manually?

One solution is a web based one. That is, your RSS feed sits on a server somewhere and you run a web application that lets you access it from anywhere with an internet connection and browser. In most cases however, this would require such a person to learn system administration, which while valuable knowledge serves as a significant barrier to entry. One could use someone else’s instance, but in my search I found it really difficult to find anyone else offering this.

My solution was somewhat born out of an idea: what if we could apply Thunderbird’s mail filters to RSS feed entries? I’m not really sure what I expected to happen, but apparently it was actually possible! Thunderbird seems to treat your entire “Blogs and News Feeds” section as one mail folder, and treats each incoming feed entry as an incoming email. Neat!

The solution

We can use mail filters to move RSS entries as they come in to a specific subfolder in your mailbox.

What? Can articles and blogposts really be uploaded to a mailbox?

Thunderbird appears to store feed entries as emails, or somehow converts entries to emails (with metadata becoming email headers) during handling of our rules. It strangely works, though you may see some missing info if you view it from another client like K9 Mail. Here are the rules. Recall that the message filter window can be opened by clicking the top-left hamburger menu then going to Tools -> Message Filters.

On ‘Blogs and Feeds’

Some email addresses are redacted for privacy, but really it should be the email address you want to upload the feed entries to. It first tags them as RSS, then moves them to your inbox.

But why not move it to your ‘RSS’ subfolder directly?

We also want to mark all entries in our email copies of the feed items as read, while maintaining the ‘unreadness’ in our main reader. It would be annoying having to mark 2 entries as read every time you read an article, so we don’t bother

On Email Inbox

Once an RSS tagged entry is detected, it marks the entry as ‘Read’ then moves it to the corresponding folder, without messing with any of the original feed entries. Neat! If you open this folder on another Thunderbird client, most of the metadata you are used to seeing like the “Website” tag is still there surprisingly, allowing you to read your feeds anywhere you choose.

Overview

For some reason, Thunderbird decides to change key workflows every few months that make any previous instruction on the matter completely pointless and even convoluting the entire process. I’m aware even this guide will be outdated within months but I’ll make one anyways just because. The version of Thunderbird I am using is the latest for Linux Mint 21.3 as of the date posted.

Step 0

You first need to have some email account imported into Thunderbird. There are tons of articles exaplining this and its otherwise quite intuitive, so I’ll skip it.

Step 1: Open OpenPGP Menu

You first need to generate your PGP keys. This is assuming you don’t already have PGP keys associated with your account. Remember, this is a getting started guide, in which case you would have to import them using a similar but not covered process.

Open the hamburger menu in the top right corner of the application, and then go Tools

Then select “OpenPGP Key Manager”. This should open up a new menu (which I won’t show since it’s populated with some personal contacts).

Step 2: Generate Keys

In the toolbar for the new menu, select “Generate -> New Pair”. From there the defaults should be fine, just make sure that the “Identity” email address is the one you want. You will have to generate a new key for each email account you want to send encrypted email on.

Once you are done, there will be an entry in your OpenPGP Key Manager window for the key you just created.

Step 3: Set key to active encryption key

Go to your accounts settings page. For me this is the gear on the bottom left corner of the window and then the option saying “Account Settings” still on the bottom left. Find the email address you just generated in the list on the left, and go to the entry saying “End-to-End Encryption” underneath it.

From there, like shown above, select the second option (the one with numbers) and you will see a checkmark, which means you’re done! You can publish your key by pressing the relevant button, but make sure you’re using a computer you actually own since the key is stored on your actual machine. Basically, if you’re at a library or on a school computer, you stop here and do this on a computer your own!

That’s it so far. To actually send an email you would need to import someone else’s key from either a keyserver or a file, but I’ll leave that part for another time.

For site maintenance, I’ve added an RSS feed and will add my own PGP key soon.

Update to the homelab

Fun fact: old gear breaks! Especially when you open it to do upgrades! This is what happened to my Netgear NAS as soon as I opened it to replace the probably decades-old fan with a silent Noctua. Disassembly required many different parts to be disconnected and unscrewed, so its anyone’s guess where the issue lies. I did remove the socketed RAM extraneously because I was interested about the specs, but at this point buying new RAM just to see if that’s the issue would be falling victim to the sunken-cost fallacy.

Instead, I went to this nice computer refurbisher on Jane street and bought an old Elitedesk to operate as both my storage and server (sorry Sesame Snaps server, you will be remembered in all your sweetness). It’s been going stable for over 6 months, a very capable machine indeed. This is my second machine I have bought from this shop, the first being the desktop I am writing this article on.

For further updates, I’ve LAN-ed up most of my network to get proper gigabit connections between all my machines, though the WAN is still restricted by my 100/10M Linksys router. I guess I know what part of my network I need to upgrade next.

Update to LineageOS

That project is basically dead. I used whatever flashing setup I had to just flash a stock Android ROM I got off the internet for my specific device. I’ve decided to stop fighting against my phone manufacturer for control over my phone and decided to just choose my hardware a bit more carefully next time. For all of its flaws, the Pinephone actually seems like a decent option right now, given that it can do exactly what I need it to and nothing more. And the keyboard case? Chef’s kiss.

The concept of a cyberdeck is really growing on me, and this seems like the cheapest method to achieve a pocketable version that also supports portable connection methods like LTE and cellular calling. Its been thrust into the public zeitgeist again thanks to a Youtube trend just how insanely easy it is for phone networks to triangulate your location just by your phone being on, so I’m happy there is at least one device that allows your to physically disable your modem via a dip switch should you want to.

Now that my Github Student Developer package has run out of DigitalOcean credits (with DO refusing to give me more this year), I decided it would make more sense to move my servers on premises. Maybe this might give you some ideas on how you start your own college dorm servers too!

Servers

First off I have a Raspberry Pi 4B (2GB). Easily the most expensive component, costing ~$100 in 2021. It is being booted off of a USB drive instead of the standard microSD card since in my experience the cards have a much higher failure rate (for any set GB/dollar). Originally this was meant to be my only server, but its limitation of being ARM in an x86_64 world forced me to add another one.

Second is a salvaged motherboard from a Lenovo Ideapad. Even when it was operational it wasn’t a particularly powerful machine, having low power Celeron N4020 CPU. I took interest in this because of the low power draw (the fact that it was free helped). Some downsides are soldered RAM and storage (with the SSD completely busted), as well as the lack of proper IO like Ethernet or SATA ports. Both servers are booted off of USB Thumbdrives for this reason, with application storage and backups going on the NAS.

My NAS is some old model of a Netgear ReadyNAS Duo. 2 3.5in SATA bays, but only 1 is occupied at the moment (with 500gb). I got this off of Facebook Marketplace recently for $20. The web interface is straight out of 2007, and the security horribly outdated. I found it really nice that despite Netgear exiting the NAS market a few years ago that their forums and support pages are still active (for now). Much of my setup would be very difficult without these. I connect to the NAS on my servers and desktop using NFS, and even stream media to my phone using FTP. Naturally the device is blocked from internet.

Finally there is my OpenWRT router, as seen here. For $15 it has proven to be very versatile thanks to the well supported operating system.

• All devices on the LAN get a .lan domain name (the pi is pi.lan etc.) so I can usually forget about looking up IP addresses
• I have it running a DDNS client connected to Namecheap to account for IP changes.
• Comprehensive overview page with diagnostics for every running service and add-on

Overall the system could not have costed much more than $150, while keeping the power bill fairly minimal. I like the idea of getting used to slower hardware so any improvements end up feeling quite dramatic! I will probably do something about the laptop motherboard and upgrade NAS capacity for my next steps.