2014 Cicada-competition started on schedule

There has been a lot of specultation the last couple of years about who is behind the mysterious and quite difficult competition called Cicada 3301. There are websites and wikis dedicated to the hunt, but there is no hard evidence of what the competition really is about. Many believe it is a way to recruit programmers with extra good skills in security and cryptography. This is what the mysterious people behind the competition have been hinting at, but there has never been any identified winners. 

My hypothesis is a bit different. I believe the whole thing is a way to test vulnerabilities in different ways to communicate secretly and to find new methods to reveal such communication. There are always many different types of clues, and the arrangers will be able to see how many are able to make use of each of them and how fast they progress.

This year somebody even discovered something which probably was not meant to be a clue:

  • Cicada use Apache server, Apache server offers a server-status page available only from localhost for local use only, and not normal Internet user. This page give various information about apache status for administrator.
  • In Cicada case, to configure a hidden service with Tor and Apache, usually you add TOR as a proxy, so all the request between TOR network and apache are made through localhost address. Best pratice in security is don’t use Apache with TOR, if you do it, reconfigure it. It was not the case here. The page changed some hours after, it was clearly a unplanned security vulnerability, and Taiiwo found it.
(From CICADA_3301_2014_PUZZLE_FACTS_PART_3)

It is interesting to see how those guys approach the problem. I am, however, surprised at how relatively similar the problems are and how few tools it takes to solve them. It is also strange that nobody goes into what I find very interesting: A couple of the puzzles are presented very slowly, with one character at a time and variable intervals. To me, that just cries out that information is coded in the time intervals. Possibly in conjunction with the transmitted content, possibly not. There might actually be a branching in each of the puzzles, with one or more trails leading in different directions from different solutions. And – if I were making such a set of puzzles, I would use results from the most diverse methods for the “high-value” trail.

Another try at creating havoc.

Let us see if it will swallow this copy/paste:

 

Trace-basedJust-in-TimeTypeSpecializationforDynamic
Languages
AndreasGal
+
,BrendanEich
,MikeShaver
,DavidAnderson
,DavidMandelin
,
MohammadR.Haghighat
$
,BlakeKaplan
,GraydonHoare
,BorisZbarsky
,JasonOrendorff
,
JesseRuderman
,EdwinSmith
#
,RickReitmaier
#
,MichaelBebenita
+
,MasonChang
+#
,MichaelFranz
+
MozillaCorporation
{gal,brendan,shaver,danderson,dmandelin,mrbkap,graydon,bz,jorendorff,jruderman}@mozilla.com
AdobeCorporation
#
{edwsmith,rreitmai}@adobe.com
IntelCorporation
$
{mohammad.r.haghighat}@intel.com
UniversityofCalifornia,Irvine
+
{mbebenit,changm,franz}@uci.edu
Abstract
DynamiclanguagessuchasJavaScriptaremoredifficulttocom-
pilethanstaticallytypedones.Sincenoconcretetypeinformation
isavailable,traditionalcompilersneedtoemitgenericcodethatcan
handleallpossibletypecombinationsatruntime.Wepresentanal-
ternativecompilationtechniquefordynamically-typedlanguages
thatidentifiesfrequentlyexecutedlooptracesatrun-timeandthen
generatesmachinecodeontheflythatisspecializedfortheac-
tualdynamictypesoccurringoneachpaththroughtheloop.Our
methodprovidescheapinter-proceduraltypespecialization,andan
elegantandefficientwayofincrementallycompilinglazilydiscov-
eredalternativepathsthroughnestedloops.Wehaveimplemented
adynamiccompilerforJavaScriptbasedonourtechniqueandwe
havemeasuredspeedupsof10xandmoreforcertainbenchmark
programs.
CategoriesandSubjectDescriptorsD.3.4[ProgrammingLan-
guages]:Processors—Incrementalcompilers,codegeneration.
GeneralTermsDesign,Experimentation,Measurement,Perfor-
mance.
KeywordsJavaScript,just-in-timecompilation,tracetrees.
1.Introduction
DynamiclanguagessuchasJavaScript,Python,andRuby,arepop-
ularsincetheyareexpressive,accessibletonon-experts,andmake
deploymentaseasyasdistributingasourcefile.Theyareusedfor
smallscriptsaswellasforcomplexapplications.JavaScript,for
example,isthedefactostandardforclient-sidewebprogramming
Permissiontomakedigitalorhardcopiesofallorpartofthisworkforpersonalor
classroomuseisgrantedwithoutfeeprovidedthatcopiesarenotmadeordistributed
forprofitorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitation
onthefirstpage.Tocopyotherwise,torepublish,topostonserversortoredistribute
tolists,requirespriorspecificpermissionand/orafee.
PLDI’09,June15–20,2009,Dublin,Ireland.
Copyright
c
2009ACM978-1-60558-392-1/09/06…$5.00
andisusedfortheapplicationlogicofbrowser-basedproductivity
applicationssuchasGoogleMail,GoogleDocsandZimbraCol-
laborationSuite.Inthisdomain,inordertoprovideafluiduser
experienceandenableanewgenerationofapplications,virtualma-
chinesmustprovidealowstartuptimeandhighperformance.
Compilersforstaticallytypedlanguagesrelyontypeinforma-
tiontogenerateefficientmachinecode.Inadynamicallytypedpro-
gramminglanguagesuchasJavaScript,thetypesofexpressions
mayvaryatruntime.Thismeansthatthecompilercannolonger
easilytransformoperationsintomachineinstructionsthatoperate
ononespecifictype.Withoutexacttypeinformation,thecompiler
mustemitslowergeneralizedmachinecodethatcandealwithall
potentialtypecombinations.Whilecompile-timestatictypeinfer-
encemightbeabletogathertypeinformationtogenerateopti-
mizedmachinecode,traditionalstaticanalysisisveryexpensive
andhencenotwellsuitedforthehighlyinteractiveenvironmentof
awebbrowser.
Wepresentatrace-basedcompilationtechniquefordynamic
languagesthatreconcilesspeedofcompilationwithexcellentper-
formanceofthegeneratedmachinecode.Oursystemusesamixed-
modeexecutionapproach:thesystemstartsrunningJavaScriptina
fast-startingbytecodeinterpreter.Astheprogramruns,thesystem
identifieshot(frequentlyexecuted)bytecodesequences,records
them,andcompilesthemtofastnativecode.Wecallsuchase-
quenceofinstructionsatrace.
Unlikemethod-baseddynamiccompilers,ourdynamiccom-
pileroperatesatthegranularityofindividualloops.Thisdesign
choiceisbasedontheexpectationthatprogramsspendmostof
theirtimeinhotloops.Evenindynamicallytypedlanguages,we
expecthotloopstobemostlytype-stable,meaningthatthetypesof
valuesareinvariant.(12)Forexample,wewouldexpectloopcoun-
tersthatstartasintegerstoremainintegersforalliterations.When
bothoftheseexpectationshold,atrace-basedcompilercancover
theprogramexecutionwithasmallnumberoftype-specialized,ef-
ficientlycompiledtraces.
Eachcompiledtracecoversonepaththroughtheprogramwith
onemappingofvaluestotypes.WhentheVMexecutesacompiled
trace,itcannotguaranteethatthesamepathwillbefollowed
orthatthesametypeswilloccurinsubsequentloopiterations.

Sappho from Mytilene

A small gem in Ancient Greek, or more exactly Ancient Aeolic. 

δέδυκε μὲν ἀ σελάννα
καὶ Πληΐαδες, μέσαι δὲ
νύκτες, παρὰ δ’ ἔρχετ’ ὤρα,
ἔγω δὲ μόνα κατεύδω.

 

Still no arbitrary limitations to the Unicode ranges. Must find something more challenging.

Ottar

This test is in Old English, it is the earliest known case of a Norwegian boasting about his travels. The rather odd XML markup is one used by linguists.

Ōhthere sǣde his hlāforde, Ӕlfrede cyninge, þӕt he ealra Norðmonna norþmest būde. cwӕð þӕt būde on þǣm lande norþweardum wiþ þā Westsǣ.

sǣde þēah þӕt þӕt land sīe swiþe lang norþ þonan; ac it is eal wēste, būton on fēawum stōwum styccemǣlum wīciað Finnas, on huntoðe on wintra, ond on sumera, on fiscaðe be þǣre .

sǣde þӕt æt summe cirre wolde fandian lo̧nge þӕt land norþryhte lǣge, oþþe hwӕðer ӕnig mon be norðan þǣm wēstenne būde.Þā fōr norþryhte be þǣm lande: lēt him ealne weg þӕt wēste land on ðӕt stēorbord, ond þā wīdsǣ on ðӕt bӕcbord, þrīe dagas. Þā wӕs swā feor norþ swā þā hwӕlhuntan firrest faraþ. Þā fōr þā gīet norþryhte swā feor swā meahte on þǣm ōþrum þrīm dagum gesiglan. Þā bēag þӕt land þǣr ēastryhte, oþþe sēo in on þӕt land, nysse hwӕðer, būtan wisse þӕt þǣr bād westanwindes and hwōn norþan, ond gesiglde þā east be lande swā swā meahte on fēower dagum gesiglan. Þā sceolde ðǣr bīdan ryhtnorþanwindes, forðǣm þӕt land bēag þǣr sūþryhte, oþþe sēo in on ðӕt land, nysse hwӕþer. Þā siglde þonan sūðryhte be lande swā swā meahte on fīf dagum gesiglan. Ðā lӕg þǣr ān micel ēa up in on þӕt land.Þā cirdon hīe up in on ðā ēa, forðǣm hīe ne dorston forþ þǣre ēa siglan for unfriþe; forðǣm ðӕt land wӕs eall gebūn on oþre healfe þǣre ēas. Ne mētte ǣr nān gebūn land, siþþan fram his āgnum hām fōr; ac him wӕs ealne weg wēste land on þӕt stēorbord, būtan fiscerum ond fugelerum ond huntum, ond þӕt wǣron eall Finnas; ond him wӕs ā wīdsǣ on þӕt bӕcbord. Þā Beormas hӕfdon swīþe wel gebūd hira land: ac hīe ne dorston þǣr on cuman. Ac þāra Terfinna land wӕs eal wēste, būton ðǣr huntan gewīcodon, oþþe fisceras, oþþe fugeleras.

The heaviest element

This is currently spreading on lists around the net:

 

 

 Scientists at CERN in Geneva have announced the discovery of the heaviest element  

The new element is Governmentium (Gv). It has one neutron, 25 assistant neutrons, 88 deputy neutrons and 198 assistant deputy neutrons giving it an atomic mass of 312.

These 312 particles are held together by forces called morons which are surrounded by vast quantities of lefton-like particles called peons.

Since Governmentium has no electrons or protons, it is inert.  However, it can be detected because it impedes every reaction with which it comes into contact with.

Even a tiny amount of Governmentium causes a reaction which normally takes only a few days to complete to four years or more to finish or resolve.  

Governmentium has a normal half-life of 2- 6 years.  It does not decay but instead undergoes a reorganisation in which a portion of the assistant neutrons and deputy neutrons exchange places.

In fact, Governmentium’s mass will actually increase over time since each reorganisation will cause more morons to become neutrons, forming isodopes. 

This characteristic of moron promotion leads some scientists to believe that Governmentium is formed whenever morons reach a critical point of concentration.

When catalysed with money, Governmentium becomes Administratium, an element that radiates just as much energy as Governmentium since it has half as many peons but twice as many morons.  Vast sums of money are consumed in the exchange yet no other by-products are produced. 

 

What the world needs now

The last couple of years has shown the world what some of us have known all the time – internet services like Dropbox, Gmail and Facebook are vulnerable. Facebook was made as a series of quick and dirty hacks without any thought of privacy or security, and Gmail was build on a reasonably secure platform. Dropbox used an encryption scheme for the stored data. None of them provide enough security to be used for important personal or business information.

Dropbox shows us that encryption managed by the site is only as strong as the least trustworthy employee. Gmail shows us that there are many ways to penetrate a shell defence, and once you are on the inside the lack of encryption makes information harvesting trivial. Facebook shows us that security cannot be added on to an insecure system, it must be designed in from the beginning.

What we need, then, is a service built on sound principles from the ground up. It is a tough job, and the team that makes it must follow some quite rigid (and sometimes boring) methods. It is also a challenge to make it sufficiently user friendly.

To have a system reasonably safe against both spying and data mining, the users must have strong encryption software. This has existed since PGP was launched, but has been too difficult for most users to get right. A scheme for a “social” website needs to have a lot of flexibility. It is not enough to encrypt things that only can be read by a certain receiver, you also need to make postings and messages that can be read by groups or all users. The reason why even public forum articles and the like should be encrypted, is that this will prevent data mining. Only real people with an account should be able to read from the site.