Tag Archives: code

Zero Hour – S01E11 – The Hand

Yay, more code! If you split the view four ways and scroll each a little differently, it looks a lot more impressive. Source is: http://www.csee.wvu.edu/~cukic/CS350/Spring98/C_Ch10.txt

They C++-ified the code (i.e., cout instead of printf). See the leftmost pane in the screenshot:

   unsigned number1 = 960;

   printf("\nThe result of left shifting\n");
   printf("8 bit positions using the ");
   printf("left shift operator << is\n");
   displayBits(number1 << 8);

   printf("\nThe result of right shifting\n");
   printf("8 bit positions using the ");
   printf("right shift operator >> is\n");
   displayBits(number1 >> 8);
   return 0;
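The fragment stops at the calls to displayBits, and the screenshot never shows that helper. Below is an added, runnable version of the program; it is not the page's code nor the textbook's. It assumes the usual textbook displayBits (print the value as 32 bits, most significant first, in groups of eight) and adds a small shift_round_trip helper to show which bits the right shift discards. The format_bits name and the helper are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Render a 32-bit unsigned value as a bit string, most significant bit first,
 * with a space after every eight bits.  out must hold at least 36 bytes.
 * (displayBits is not shown on the page; this is an assumed implementation.) */
void format_bits(unsigned value, char *out)
{
   const unsigned display_mask = 1u << 31;
   int pos = 0;
   for (unsigned c = 1; c <= 32; c++) {
      out[pos++] = (value & display_mask) ? '1' : '0';
      value <<= 1;
      if (c % 8 == 0 && c != 32)
         out[pos++] = ' ';
   }
   out[pos] = '\0';
}

void displayBits(unsigned value)
{
   char bits[36];
   format_bits(value, bits);
   printf("%10u = %s\n", value, bits);
}

/* A right shift by n drops the low n bits; shifting back left does not
 * restore them.  For 960 (0x3C0) and n = 8 the result is 768, not 960.
 * Shift counts must stay below the width of the type (32 here); larger
 * counts are undefined behaviour in C, so the caller is expected to check. */
unsigned shift_round_trip(unsigned value, unsigned n)
{
   return (value >> n) << n;
}

int main(void)
{
   unsigned number1 = 960;

   printf("\nThe result of left shifting\n");
   printf("8 bit positions using the ");
   printf("left shift operator << is\n");
   displayBits(number1 << 8);

   printf("\nThe result of right shifting\n");
   printf("8 bit positions using the ");
   printf("right shift operator >> is\n");
   displayBits(number1 >> 8);

   printf("\nBits lost by >> 8 then << 8: %u -> %u\n",
          number1, shift_round_trip(number1, 8));
   return 0;
}
```

Running it prints 960 << 8 as 00000000 00000011 11000000 00000000 and 960 >> 8 as 00000000 00000000 00000000 00000011; the round trip shows the low byte (0xC0) is gone for good.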

Screen Shot 2013-08-01 at 22.40.43

Castle – S05E24 – Watershed

Screen Shot 2013-05-15 at 00.15.03

I have never seen a security/firewall system like this. On the left, I see emacs or some variant of it; the status line says “edit code: mySysScan.c”. The middle-bottom window says “*shell*”. The lower right is some code that I cannot make out. The rest looks familiar, but I cannot identify it.

But the bigger question is, if they were looking into how somebody broke into a system, wouldn’t either/both the Security Scan or Firewall Protection Scan have alerted when the incursion occurred? And if they did not, why would a post-mortem scan produce a different result?

The Following – S01E04 – Mad Love

Screen Shot 2013-02-11 at 23.36.24

There are so many things wrong with this.

  • Once again, the window on the left is source code, because we always have source code up.  The code is unp.h from http://socketprogrammer.blogspot.com/2009/04/unix-network-programming.html
    /* OSF/1 actually disables recv() and send() in <sys/socket.h> */
    #ifdef	__osf__
    #undef	recv
    #undef	send
    #define	recv(a,b,c,d)	recvfrom(a,b,c,d,0,0)
    #define	send(a,b,c,d)	sendto(a,b,c,d,0,0)
  • North Korea does not have a gigabit uplink to the rest of the world.
  • While none of the IP addresses are valid (understandably, since each has one octet > 255), the last few hops are multicast addresses, which would never appear as hops in a traceroute. See Wikipedia – Multicast address.
  • The real command is “traceroute” (or “tracert” in Windows land) and it shows you the path from the computer you are running it on to another IP address.  You can trace back to a mail/web/ftp/etc. server (cpanengine.com if it actually existed), but not to an email address.  Some mail servers add a header line that shows the client IP, which you can trace back to.
  • If the recipient of the message was at Host A (126.55.341.66), and the sender was Host B (cpanengine.com), an investigator at Host C (shown above) cannot run a traceroute to see how Host A would talk to Host B.
  • The hop times are simply replicated: 160ms/240ms and 174ms/436ms, alternating.
  • The normal traceroute does not show the type of device, e.g., WiFi router, satellite, etc. It is possible to determine the type of device from its MAC address, but only the next/previous hop sees the MAC address, and it is not passed along.
  • Traffic going through a satellite would be layer 1 (the satellite does not have an IP on the customer traffic side) and thus the satellite would not show up as a hop.  This article is from 2008 but still valid – Identifying undersea fibre and satellite links with traceroute.
  • Why would traffic bounce through 10 satellites?
  • traceroute does not show the local computer’s network card as the first hop.
  • Why would every window have a WiFi menu?
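As an added example (not from the post), here is a small C checker that applies the two address tests from the list above to a hop list: every octet must be 0..255, and a hop must not fall in the multicast block 224.0.0.0/4, because a group address is never a router interface and so never answers a traceroute probe. The hop list is constructed for this example; the first entry is the address quoted above, the rest come from the RFC 5737 and RFC 5771 documentation ranges. The function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>

enum hop_kind { HOP_INVALID, HOP_UNICAST, HOP_MULTICAST };

/* Parse "a.b.c.d" into four octets.  Returns 0 if the string contains anything
 * other than digits and dots, does not have exactly four fields, or has an
 * octet outside 0..255 (the "341" in 126.55.341.66 fails here). */
int parse_ipv4(const char *s, unsigned octets[4])
{
   for (const char *p = s; *p; p++)
      if (!isdigit((unsigned char)*p) && *p != '.')
         return 0;
   int consumed = 0;
   int n = sscanf(s, "%u.%u.%u.%u%n",
                  &octets[0], &octets[1], &octets[2], &octets[3], &consumed);
   if (n != 4 || s[consumed] != '\0')
      return 0;
   for (int i = 0; i < 4; i++)
      if (octets[i] > 255)
         return 0;
   return 1;
}

/* 224.0.0.0/4: first octet 224..239 is the IPv4 multicast block. */
int is_multicast(const unsigned octets[4])
{
   return octets[0] >= 224 && octets[0] <= 239;
}

enum hop_kind classify_hop(const char *s)
{
   unsigned o[4];
   if (!parse_ipv4(s, o))
      return HOP_INVALID;
   return is_multicast(o) ? HOP_MULTICAST : HOP_UNICAST;
}

/* Count entries that could not be real traceroute hops. */
int count_impossible_hops(const char *const hops[], int n)
{
   int bad = 0;
   for (int i = 0; i < n; i++)
      if (classify_hop(hops[i]) != HOP_UNICAST)
         bad++;
   return bad;
}

int main(void)
{
   /* Constructed hop list (not a real trace). */
   const char *const hops[] = {
      "126.55.341.66", "192.0.2.10", "198.51.100.7", "233.252.0.1", "233.252.0.2"
   };
   const int n = sizeof hops / sizeof hops[0];
   static const char *const names[] = { "invalid", "unicast", "multicast" };

   for (int i = 0; i < n; i++)
      printf("%2d  %-16s %s\n", i + 1, hops[i], names[classify_hop(hops[i])]);
   printf("%d of %d hops could not appear in a real traceroute\n",
          count_impossible_hops(hops, n), n);
   return 0;
}
```

The pre-scan for digits and dots matters: sscanf's %u quietly accepts a leading sign or whitespace, so without it "-1.2.3.4" would be read as a huge unsigned first octet rather than rejected outright.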

A real traceroute looks like this:

Screen Shot 2013-06-09 at 16.04.25

The Mob Doctor – S01E09 – Fluid Dynamics

Screen Shot 2012-12-03 at 23.14.39

Screen graphics people love scrolling source code whenever somebody is working on a computer.  This appears to be Module1.bas from https://kenai.com/projects/jkatalog but reordered:

Attribute VB_Name = "Module1"
Option Explicit

' Copyright ©1996-2006 VBnet, Randy Birch, All Rights Reserved.
' Some pages may also contain other copyrights by the author.
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.

Public Const IOCTL_STORAGE_EJECT_MEDIA As Long = &H2D4808
Public Const IOCTL_STORAGE_LOAD_MEDIA As Long = &H2D480C

Public Const DRIVE_REMOVABLE As Long = 2
Public Const DRIVE_CDROM As Long = 5
Public Const INVALID_HANDLE_VALUE As Long = -1&
Public Const GENERIC_READ As Long = &H80000000
Public Const FILE_SHARE_READ As Long = &H1
Public Const FILE_SHARE_WRITE As Long = &H2
Public Const FILE_ANY_ACCESS As Long = &H0
Public Const FILE_READ_ACCESS  As Long = &H1
Public Const FILE_WRITE_ACCESS As Long = &H2
Public Const OPEN_EXISTING As Long = 3

   PreventMediaRemoval As Byte
End Type