Tag Archives: TV

Zero Hour – S01E11 – The Hand

Yay, more code! If you split the view four ways and scroll each a little differently, it looks a lot more impressive. Source is: http://www.csee.wvu.edu/~cukic/CS350/Spring98/C_Ch10.txt

They C++-ified the code (i.e., cout instead of printf). See leftmost pane in screenshot:

   unsigned number1 = 960;

   printf("\nThe result of left shifting\n");
   printf("8 bit positions using the ");
   printf("left shift operator << is\n");
   displayBits(number1 << 8);

   printf("\nThe result of right shifting\n");
   printf("8 bit positions using the ");
   printf("right shift operator >> is\n");
   displayBits(number1 >> 8);
   return 0;

Screen Shot 2013-08-01 at 22.40.43

Mystery doc used as background in America’s Book of Secrets

I was watching America’s Book of Secrets – S02E10 – Presidential Assassins, and @18:57, I spotted hexdump output scrolling behind the images.  Unfortunately, the beginning frames had no obviously unique text:

Screen Shot 2013-06-18 at 23.10.13

But a few frames later, I spotted what is probably searchable text, “rafrht Alwera”:

Screen Shot 2013-06-18 at 23.10.41

Here is where it becomes strange.  Googling for “rafrht alwera” returns just 1 hit, a PDF file that looks like it also contains hexdump output:

Screen Shot 2013-06-18 at 23.44.15

Opening the file in Acrobat and searching for the text “rafrht” returns one match but not the hexdump Google found.

Screen Shot 2013-06-18 at 23.02.20


Oddly, hexdump on the PDF does not show any “rafrht”. So what did Google and Acrobat find?

Castle – S05E24 – Watershed

Screen Shot 2013-05-15 at 00.15.03

I have never seen a security/firewall system like this.  On the left, I see emacs or some variant of it; the status line says “edit code: mySysScan.c“.  And the middle bottom window says “*shell*“.  The lower right is some code that I cannot make out.  The rest looks familiar but I cannot identify it.

But the bigger question is, if they were looking into how somebody broke into a system, wouldn’t either/both the Security Scan or Firewall Protection Scan have alerted when the incursion occurred?  And if they did not, why would a post mortem scan produce a different result?

The Following – S01E04 – Mad Love

Screen Shot 2013-02-11 at 23.36.24

There are so many things wrong with this.

  • Once again, the window on the left is source code, because we always have source code up.  The code is unp.h from http://socketprogrammer.blogspot.com/2009/04/unix-network-programming.html:
    /* OSF/1 actually disables recv() and send() in <sys/socket.h> */
    #ifdef	__osf__
    #undef	recv
    #undef	send
    #define	recv(a,b,c,d)	recvfrom(a,b,c,d,0,0)
    #define	send(a,b,c,d)	sendto(a,b,c,d,0,0)
    #endif
  • North Korea does not have a gigabit uplink to the rest of the world.
  • While none of the IP addresses are (understandably) valid (all have one octet > 255), the last few hops are multicast addresses which are not traceable.  See Wikipedia – Multicast address.
  • The real command is “traceroute” (or “tracert” in Windows land) and it shows you the path from the computer you are running it on to another IP address.  You can trace back to a mail/web/ftp/etc. server (cpanengine.com if it actually existed), but not to an email address.  Some mail servers add a header line that shows the client IP, which you can trace back to.
  • If the recipient of the message was at Host A (126.55.341.66), and the sender was Host B (cpanengine.com), an investigator at Host C (shown above) cannot run a traceroute to see how Host A would talk to Host B.
  • The hop times are simply replicated, 160ms/240ms 174ms/436ms alternating.
  • The normal traceroute does not show the type of device, i.e., wifi router, satellite, etc.  It is possible to determine the type of device from its MAC address, but only the next/previous hop sees the MAC address, and it is not passed along.
  • Traffic going through a satellite would be layer 1 (the satellite does not have an IP on the customer traffic side) and thus the satellite would not show up as a hop.  This article is from 2008 but still valid – Identifying undersea fibre and satellite links with traceroute.
  • Why would traffic bounce through 10 satellites?
  • traceroute does not show the local computer’s network card as the first hop.
  • Why would every window have a WiFi menu?
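
Three of the faults above (octets over 255, multicast addresses as hops, replicated hop times) can be checked mechanically. The script below is an added example, not part of the original post: it runs those checks over a hop listing. The sample rows, the function name `check_hops` and the finding labels are constructed for illustration; only 126.55.341.66 comes from the post.

```python
import ipaddress
import re

# Constructed sample, modelled on the faults listed above (not a transcription
# of the screenshot). 126.55.341.66 is the address quoted in the post.
SAMPLE = """\
 1  192.168.1.1     1.2 ms   1.1 ms
 2  126.55.341.66   160 ms   240 ms
 3  10.300.2.1      174 ms   436 ms
 4  224.0.0.5       160 ms   240 ms
 5  239.1.2.3       174 ms   436 ms
 6  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*(.*)$")
DOTTED_QUAD = re.compile(r"^\d+(\.\d+){3}$")
RTT_RE = re.compile(r"([\d.]+)\s*ms")


def check_hops(text):
    """Return sorted (hop, finding) pairs for implausible hops in a trace listing."""
    findings = []
    seen_rtts = {}  # tuple of RTT strings -> first hop that reported them
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, addr, rest = int(m.group(1)), m.group(2), m.group(3)
        # Only judge dotted-quad tokens; hostnames and "*" timeouts are normal.
        if DOTTED_QUAD.match(addr):
            try:
                ip = ipaddress.IPv4Address(addr)
            except ipaddress.AddressValueError:
                findings.append((hop, "invalid-address"))  # e.g. an octet > 255
            else:
                if ip.is_multicast:  # 224.0.0.0/4 is a group address, not a router
                    findings.append((hop, "multicast-hop"))
        rtts = tuple(RTT_RE.findall(rest))
        # Heuristic: identical RTT sets on different hops suggest copied rows.
        if len(rtts) > 1:
            if rtts in seen_rtts:
                findings.append((hop, "repeated-timings"))
            else:
                seen_rtts[rtts] = hop
    return sorted(findings)


if __name__ == "__main__":
    for hop, finding in check_hops(SAMPLE):
        print(f"hop {hop}: {finding}")
```

The repeated-timings check is a heuristic: tools that round to whole milliseconds can legitimately print the same values on nearby low-latency hops.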

A real traceroute looks like this:

Screen Shot 2013-06-09 at 16.04.25