Tuesday, November 25, 2008

Halting State

.

Charlie Stross's latest novel Halting State starts out as a hilarious post-cyberpunk police procedural, turns into a gripping post-cyberpunk technothriller, and escalates into a Big Ideas book about the future of economics, virtual worlds, the nation state and policing, while managing to crack a string of geeky in-jokes, play off a heaping helping of gripping action scenes, and telling a pretty good love story.

Here's the gimmick: Halting State opens when a virtual bank in a distributed, multiplayer world is robbed by a horde of orcs who march in and clean it out of all its prestige items and other loot, a direct frontal assault on the game-economy's integrity. The losses run to millions, which triggers an insurance audit -- led by Elaine, who's not only a forensic accountant, but also a sword-swinging LARPer who likes her espionage alternate reality games. She contracts with Jack, an extraordinary gamespace hacker who's just been made redundant from his Edinburgh gaming company, to serve as her native guide, and finds herself working alongside of Sue, a lesbian mom detective-sergeant with the Edinburgh Polis who has been called to the scene with a report of a "robbery" and is now duty-bound to pursue the matter in compliance with the tenets set out in the ISO 9000 binder for police-stations.

I've been following Halting State since Charlie and I sat in a coffee shop in the Strand in London about five years ago and talked about a novel about a "multimillion dollar heist in gamespace." It's a sticky idea, and one that a lot of us are going to end up playing with over the years -- but it's also clearly one that Charlie has had an indecent amount of fun playing with. This is his tightest-plotted novel to date, a detective story with a million perfectly meshed moving parts, and a hundred magnificent surprises that had me gasping and shouting YES (to the general alarm of the guy in the next seat on my airplane).

This is the apotheosis of Stross -- a book chock-a-block with great ten-minutes-from-now technology (big hunks of the plot hinge on anonymized digicash, onion-routers, FreeNet crypto, and GNU Radio), RPG humor straight off Phil Foglio's old Dragon Magazine strip, and an impassioned series of valentines to Edinburgh, Charlie's adopted hometown.

Blend an Iain Banks thriller with a copy of Count Zero, throw in the Tokyo Games Show and a Bourne movie (and possibly a Bourne shell) and you've got something approximating Halting State. This is a book that will change the way you see the way the world works.

You can find a copy of this book in #bookz at undernet

.

Sunday, November 23, 2008

Minority Report Interface for real

.
.


Oblong Industries is the developer of the g-speak spatial operating environment.

The SOE's combination of gestural i/o, recombinant networking, and real-world pixels brings the first major step in computer interface since 1984; starting today, g-speak will fundamentally change the way people use machines at work, in the living room, in conference rooms, in vehicles. The g-speak platform is a complete application development and execution environment that redresses the dire constriction of human intent imposed by traditional GUIs. Its idiom of spatial immediacy and information responsive to real-world geometry enables a necessary new kind of work: data-intensive, embodied, real-time, predicated on universal human expertise.


http://oblong.com/

.

Tuesday, November 11, 2008

Changes

.
Ok, since this moment I decided I'll post everything in English.
I hope you understand, and if you don't bad for you...
but if you don´t understand this, I don't know why I'm writing it hehe

Trojanin´ imported Python programs

.
Python programs use .py as file extension, and its an interpreted
language, but to speed up load times in programs importing lots of
libraries, Python automatically creates a .pyc file that its a bytecode
platform independent compiled file.

So when you are importing a file into your code, Python will use file.pyc
instead of file.py if it exist in the same directory.

Python engine compares the "last modified" time in the .py file against a
timestamp stored in the .pyc header to know if it can use the .pyc or if
there were some changes and now should recompile the source.

.pyc file header

> bytes 0-3 magic number
> bytes 4-7 timestamp (mtime of .py file)
> bytes 8-* marshalled code object


The first 3 bytes basically identify the Python version that generated the
.pyc, then we have the timestamp, and then the object code, that would
be our program.

Yeah, I know its pretty fooking funny that these guys only check a
timestamp to know if they have a valid .pyc

So, lets do an experiment

Lets create a program called "lib.py" that will print the word "Clean" when
executed.

And lets write caller.py that will import lib and print "caller executed"


import lib
print "caller executed"

When you run caller using "python caller.py" you will see the following output:

clean
caller executed

And Python will create a pre compiled version of lib.py called lib.pyc.

Next time we use caller.py Python will import lib.pyc instead of lib.py.

So, lets have some fun, we will create a rogue lib to replace lib.pyc, in
this case our malignant lib will print "BAD BAD BAD" (Yeahhhhh it's
extremely bad, don´t be afraid)

And when we compare both .pyc files using an hex editor...





ORIGINAL:
00000000 6D F2 0D 0A F2 D9 19 49 63 00 00 00 00 00 00 00 00 01 00 00 m......Ic...........
00000014 00 40 00 00 00 73 09 00 00 00 64 00 00 47 48 64 01 00 53 28 .@...s....d..GHd..S(
00000028 02 00 00 00 74 05 00 00 00 63 6C 65 61 6E 4E 28 00 00 00 00 ....t....cleanN(....
0000003C 28 00 00 00 00 28 00 00 00 00 28 00 00 00 00 74 1E 00 00 00 (....(....(....t....
00000050 2F 64 6F 77 6E 6C 6F 61 64 73 2F 73 73 73 73 73 73 73 73 73 /downloads/sssssssss
00000064 2F 70 74 2F 6C 69 62 2E 70 79 74 01 00 00 00 3F 01 00 00 00 /pt/lib.pyt....?....
00000078 73 00 00 00 00 s....

MALIGNANT:
00000000 6D F2 0D 0A BD D9 19 49 63 00 00 00 00 00 00 00 00 01 00 00 m......Ic...........
00000014 00 40 00 00 00 73 09 00 00 00 64 00 00 47 48 64 01 00 53 28 .@...s....d..GHd..S(
00000028 02 00 00 00 73 0B 00 00 00 42 41 44 20 42 41 44 20 42 41 44 ....s....BAD BAD BAD
0000003C 4E 28 00 00 00 00 28 00 00 00 00 28 00 00 00 00 28 00 00 00 N(....(....(....(...
00000050 00 74 1E 00 00 00 2F 64 6F 77 6E 6C 6F 61 64 73 2F 73 73 73 .t..../downloads/sss
00000064 73 73 73 73 73 73 2F 70 74 2F 6C 69 62 2E 70 79 74 01 00 00 ssssss/pt/lib.pyt...
00000078 00 3F 01 00 00 00 73 00 00 00 00 .?....s....





So we need to modify the .pyc header to match the original timestamp, in
this case that's done modifying the 5th byte.

If we execute lib.py we will still get "clean" as output, but all the
programs importing lib will end up using our trojaned version lib.pyc that
will output "BAD BAD BAD".

Running python caller.py as output we get


BAD BAD BAD
caller executed

so...

If we have +w in the directory where the imported .py files are, or we
are in some crappy windows box, we can place a trojan written in Python
and it will be executed each time the file is imported.
Some of you will think that in a well configured environment that will be
extremely rare to find, but in development environments it's much easier
to find +w directories with utility scripts, or with tests automation
scripts in QA environments, and in those cases this kind of trick can be
easily used to impersonate some other user.

Best thing is that if someone decides to inspect the .py file the source
code will be intact, so it wont arise suspicion.

Hope you like it, any ideas or comments are appreciated

Cheerz

Saturday, November 1, 2008

When Fembots go bad

.



The Doll is a short film about death, desire, and robots; made for boutique lingerie label Lascivious in 2007 by moving image company Wyld Stallyons.
Lascivious approached Wyld Stallyons in late 2006 with the idea of producing a collaborative short film which would act as a viral campaign for them, and also a promotional piece for Wyld Stallyons.
Inspired by the infamous Real Doll sex toys, a token dollop of Greek myth, and countless teenage evenings watching straight-to-video sci-fi b-movies of dubious quality, Wyld Stallyons quickly developed a concept based around the idea of a mail order sex robot, delivered in parts. Once assembled, the robot becomes sentient and takes a shine to its owner's lingerie, with fatal consequences.


Official webpage: http://www.wyldstallyons.com/work/thedoll/
HQ widescreen version (20 MB): http://www.wyldstallyons.com/video/thedoll/video.flv
 
hit counter script