Death by Deprecation; ZERO DAY

a guest
Aug 8th, 2016
Back in 2016, some may remember the famous case of the FBI asking Apple to help them in the cracking of an iPhone owned by a dead terrorist. It turns out that they didn't need Apple's help at all. A zero day exploit was supposedly discovered and brought to the attention of the FBI that would allow the agency to gain access to the data stored on the smart-phone without Apple's help. Whether they even needed that exploit at all is a matter of personal conjecture, but Apple went forth and patched the newly disclosed exploit. It was also then apparently unnecessary for Apple to provide any extra help to the FBI in this matter, as the FBI had shown they were perfectly capable of accomplishing their mission without help from Apple at all; anything else would be superfluous beyond rational comprehension, one might think.
Anyone who considers smart-phones in their off-the-shelf form to be secure, or to be an appropriate implementation on which to store highly confidential data, might perhaps ought to have their head examined, but that particular case is just one drop in the bucket; perhaps the ratio of that one drop to the total volume in the bucket could be used as a crude approximation of the technological literacy of society at large. An iPhone that is truly secure could hardly be called an iPhone any longer, I would think, and its warranty would certainly be void.
Some time in 2017, a man known as Frank had allegedly bought an older model Apple MacBook for what he claimed was a reasonable price. However, apparently the owner of the MacBook from which he bought the machine had failed to tell him the root password. Apparently he didn't know the password for his regular unprivileged account either. As far as is known, the name Frank is in fact the real first name of this person. The exact date on which this purchase occurred is unknown, but the hacker that Frank consulted for help with the issues he was facing places the epoch time of the events that then transpired after the initial consultation at 1491037200, in POSIX time; a Saturday afternoon in the month of April that year, 2017.
The hacker that Frank consulted was known only by the pseudonym sig_9, at least to Frank and anyone else Frank knew. Sig_9 had to repeatedly reiterate to Frank, among many other less enlightened people, that the name sig_9 has absolutely nothing to do with any type of firearm, and that that interpretation was only accurate in the most vague of ways that could possibly be conceived. Sig_9 doesn't in fact own any type of firearm to speak of.
It is probably much more likely that his name refers to a signal sent by an operating system to a process than to a firearm or anything of that nature. No one knows for sure though, nor the possibly many subtle implicit meanings of the name, except for sig_9 himself. It is worth noting that sig_9 has many names, though sig_9 is the only person that he knows of that knows any of his other pseudonyms, or that they are in fact the same person as sig_9. For all intents and purposes, his other pseudonyms are different persons entirely, and in some cases may be truly separate identities in fact as far as anyone is concerned.
It is also worth noting that sig_9 is not a criminal, unless you take into consideration the Computer Fraud and Abuse Act of 1986, but according to sig_9, his only crime is that of curiosity. Sig_9 has very strong ethics, which quite succinctly align with the old-skool hacker ethic described by Steven Levy in his book, Hackers: Heroes of the Computer Revolution, and Dr. K in his comparatively more recent book, The Real Hacker's Handbook. “Governments and Corporations cannot be trusted to use technology for the benefit of ordinary people,” sig_9 would often say. He also believed that information is power; thus information should be free. A bit of an anarchist maybe, anti-authoritarian for sure, but not quite a criminal. He has often said, “I did it for the lulz.” His skills are probably just mediocre, on a very relative scale of course, but what he does, he does not do for money, and he certainly doesn't intentionally cause anyone undue harm. That is, he doesn't commit fraud or identity theft, and wouldn't be considered a hacker according to the common people's definition propagandized by the media.
Sig_9 has some rather unorthodox pastimes that he enjoys: opening telco cans and larger cabinets owned by the local telephone company containing punch down blocks and attaching alligator clips and jumper wires. He also enjoys exploring Time Warner Cable's call center topology, and printing reams of A4 sized QR codes and taping them to walls, mailboxes and the inside of subway trains everywhere in Manhattan. He discovered a flaw once which would enable a phreak, a social engineer, or one being the duality of both of the former to obtain personal information on TWC customers both previous and past; though after speaking with TWC about this they denied that this was a privacy risk, and assured him that there was no cause for concern and that such a thing simply wasn't possible. He never used any of the information he obtained from such endeavors to commit crimes; after all, that was not his motive at all.
He was also responsible for a particular Walmart store making changes to its telephone system and policies, restricting the ability to dial out from within the store, after calling in from his mobile phone and getting on the P.A. exclaiming, “I'm phreakin'!”, and something about how the person who had transferred him to that extension should be employee of the month. He is unsure if similar system and policy changes have been made at other stores, but personally believes that whatever manager implemented those changes should be manager of the decade. Sig_9 also basically knows what changes were made, and that they really didn't understand exactly what had really happened with their phone system. He also regularly overrides age restricted purchases in the self-checkout lanes of stores, as well as opening closed self checkout lanes, which other customers are usually appreciative of. He is old enough to buy anything sold at stores such as CVS or RiteAid, and figures that if the employees are too lazy to come pretend to check his ID card in a timely fashion, they are certainly too lazy to care about this or even notice; this is especially obvious since he has done things of such nature right in front of store staff and they never bat an eye. He always pays for anything he purchases. These are just a few of the things sig_9 enjoys doing for fun.
Frank, on the other hand, is a bit of a sketchy fellow, who enjoys the company of other sketchy people and doing sketchy things together which probably aren't always lawful, which Frank probably thinks is pretty cool. He also tends to have an unhealthy amount of paranoia, which is often based on very irrational premises. Frank will tell one the most bizarre of things, things that you just have to go along with and pretend to accept while wondering whether what he is telling you is pure delusion, has any basis at all in reality as seen through some very distorted lens through which Frank views reality, or is just pure bullshit. Sig_9 isn't the type of person that cares whether or not someone believes they have fooled him. In some cases he sees it as beneficial to let them go on thinking so, and really has no reason to care in most cases. Frank and sig_9 don't really have much in common to speak of, other than that they each find each other to be rather interesting people, but for different reasons.
Frank shows sig_9 the roughly decade old MacBook and explains the problem. The person he bought it from, for what he claimed was one hundred dollars, had not told him the password to the account, and as a consequence he cannot install any software, among other issues. He also claims that the person he bought it from was a CIA agent. “They probably want to spy on me and have made it this way to fuck with my head and make me go crazy so that I get myself in trouble!” Frank said to sig_9.
“Yeah, okay, whatever. Do you know the root password?” asked sig_9.
“What's that?”
“You need to be root to make changes to other accounts you don't own,” sig_9 explained to Frank.
Frank, not knowing what the root account was, of course didn't know the password for root. Sig_9 didn't buy this CIA nonsense for a nanosecond, but realized that it was futile to argue about this with Frank; he did find it a slight bit amusing though.
“This MacBook is running Snow Leopard, so it might be vulnerable to shellshock,” sig_9 informed Frank.
“So you can crack it?”
“Probably,” sig_9 said to Frank.
After trying a one line shell script, sig_9 was able to get a root shell in bash, confirming that what Frank really was asking to be done could most likely be done in a single line as well, if one doesn't care about the aesthetics of their scripts.
Sig_9 knew that this computer had been acquired through devious and unscrupulous means, as Frank's story just didn't make any sense at all. Sig_9 is also exceptionally well tuned at picking up on the subtlest facets of human behavior and nonverbal communication, especially so when the other person has an IQ several standard deviations below his own. Sig_9 despises theft and things of that sort, as these sorts of behaviors are as sharply in contrast with his ethics as the color blue is to yellow, which are actually two of sig_9's favorite colors, especially when they are featured together. He was very briefly distracted by the memory of Easter egg hunts as a kid, before remembering that he really never enjoyed being a child, after which he quickly regained his concentration.
Sig_9 begins hammering away at the keyboard, the sound of which was music to his ears. He then put on some actual music to aid his concentration and motivation, but had to tell Frank several times to stop changing it to hip-hop, or whatever they call the garbage they play on so-called hip-hop stations these days, as it tends to make him write bad code. Out of all the so called hip-hop that exists, Frank enjoys best the absolute worst that the genre has offered to date.
What sig_9 wrote was technically about 1500 lines of shell script, give or take a few hundred lines, though it contained the source code for a complete C program stored in several string variables. The actual code used for privilege elevation and changing passwords was only a few lines; the rest was mostly there for the purpose of compiling this source code to binary and copying it to a certain place on disk, as well as modifying the first sector of the hard disk so that it would load this program upon boot, rather than the usual bootloader.
“Okay, I think this outta do the trick! Now watch and be amazed,” sig_9 said to Frank.
Frank peers at the screen in anticipation. In the home directory was a file named repwn.sh. In a small command line terminal window he ran a command that invoked the script. In an instant the script disappeared; in fact it had overwritten itself with garbage data and removed all traces of it ever existing. In that small instant of time, a lot more than was obvious had actually been done by the computer.
“Your password is bar,” said sig_9, “for both your own account and root, all lowercase characters.”
“Bar?” asked Frank, as a slightly confused look came over his face.
“Yes, that is what I said,” said sig_9, “not a very strong password, so you should change it. I didn't want to make it anything too hard for you to remember. You can make it whatever you want now.”
“How do I do that?”
“Google it,” sig_9 said, somewhat frustrated at the fact that there are people that exist that don't know how to use Google.
“What happened to the script you wrote?” asked Frank.
“It deleted itself, since it's no longer needed. I have a copy of my own if I ever need it again.”
Sig_9 explained that this password could be bruteforced in just slightly more time than it takes to blink an eye, something that he doesn't do often enough when writing code. He also explained that bruteforcing would be a waste of time anyway, since this glaring and absolutely inexcusable vulnerability exists, and more recent versions of OSX don't support this older model of MacBook. Frank would have to replace bash with a newer version where the exploit has been patched, and sig_9 told him to Google that if he was interested in hardening his security.
Of course Frank never changed his password, and never intended to, as he simply didn't care about the security issues that sig_9 was rambling on about. All that he was concerned with was that he now had a fully functioning user account with a password that he knew. Sig_9 then left Frank's place.
When Frank eventually rebooted the laptop, he was greeted by the following screen, with a blue background and amber text:

    BrikBoot 0x5169 Malware Detected.
    This program will attempt to remedy this unfortunate situation.

    Warning: Do not cycle power. If you do so, this screen will not be shown again. Do choose options carefully ;)

    1) Memory I/O only (no disk writes)
    2) Securely wipe hard disk

    Enter the key of choice. Any other key will perform option 2, followed by option 1.

Frank called sig_9 in a panic, “What the hell is this, what do I do! What's this 5169 thing?”
Sig_9 began rapid speech, of which Frank caught only small pieces. Among these he heard something about hexadecimal, 5169 being a rather low memory address, something about memory mapped I/O, and not rebooting.
Frank decided to hit the '1' key. The screen flickered before colored bands and lines corrupted and obscured the screen. Nothing else happened after that, so he decided to reboot after waiting a few minutes; nothing happened. It was as if the machine was dead.
“I told you not to reboot,” said sig_9 with a slight chuckle in his voice.
“But I thought that option one was only going to write to memory and not touch the disk?!”
“That's exactly what it did,” said sig_9, “however it may have corrupted the firmware.”
“I can remove the hard disk and install it in another machine to attempt recovering data from it though,” he assured Frank.
Sig_9 came over to Frank's place with another laptop, and installed the hard drive in that machine.
“Turn it on,” said Frank.
“Are you really sure that's what you want? I can try to boot a live operating system and recover data if you want,” sig_9 asked of Frank, “much less risky.”
“No, that will take too damn long. It said that if I rebooted that this screen wouldn't appear again. That's probably what I should have done in the first place dammit!” said Frank.
“Well, okay, if that's really what you want. But you have to press the power button yourself, I can't be held responsible for whatever consequences come.”
Frank pressed the power button on the laptop. A screen appeared that said that it was scrubbing the file system and that everything would be done and okay in 42 minutes. In fact 42 minutes was just enough time to overwrite the entire hard drive, though the friendly looking screen didn't mention this fact. Of course after waiting for this to complete, the machine wouldn't boot OSX, because OSX no longer existed on the disk.
“Now do you want me to try it my way?” asked sig_9.
“Yeah, it doesn't seem like there's any other option now,” Frank told sig_9 in a bummed out tone.
Sig_9 booted Kali Linux from a USB flash drive. He examined the contents of the disk using the xxd tool and showed Frank the output, which consisted of the value 0x2BADF001, followed by garbage data which was padded out with line feeds and tab characters among other unusual ASCII codes so that it was word aligned on a 4 byte boundary. When viewed as ASCII text at just the right column width, it showed the Eye of Providence in eerie ASCII art; this pattern was repeated over every logical block of the disk.
“What is this number at the beginning, before that creepy image?” asked Frank, “is that supposed to say, too bad fool!?”
“No,” sig_9 told Frank, “what you should probably be more interested in is the significance of the value 01F0AD2B.”
A blank look of utter confusion flashed across Frank's face, and remained for quite some time, gradually turning into a more puzzled expression suggesting Frank was in deep thought about what in the world had happened and what was really going on, and whether or not sig_9 was playing some sort of weird mind tricks on him.
Sig_9 told Frank that he would have to get a new laptop, that he had done all he could do. Frank thanked sig_9 for spending so much time helping him, and told him that it wasn't that big of a deal since he didn't pay much for the laptop anyway; though he did remark that it “really sucked” that he had lost all the pictures and other files he had on the laptop.
Sig_9 told him to remember that the only reason he spent so much time on this was that he enjoys doing it, not because he felt obligated to help, though he does enjoy helping people when he can. Hopefully Frank learned something from this experience, but sig_9 doubts that he did, which he thought was unfortunate. He also advised Frank not to buy his next computer from a CIA agent, since obviously, as can be seen, the CIA uses very insecure computers, and to pay more attention to detail next time he is in a strange situation involving a computer.