The first in the code art series is “Code Red,” an homage to Ryan Permeh, the co-founder and chief scientist at Cylance Inc. I had the honor of working with Ryan while I supported Cylance’s executive team from 2015-2017. He is a leader who has as much dedication to his team as passion for the products he creates. In 2001, when he served as the Founding Software Engineer at eEye, Ryan and co-founder Marc Maiffret discovered a worm that was targeting the US government and multinational corporations. While the worm was unable to penetrate the White House, major corporations lost billions of dollars in damages. They named the worm “Code Red” because they were drinking Code Red Mountain Dew at the time they confirmed the worm was a threat.
Mixed media (ink, watercolor) on watercolor paper, 8.5” x 11”, 2019
Credential stuffing is the automated use of collected usernames and passwords to gain fraudulent access to user accounts. Billions of login credentials have landed in the hands of hackers over the past several years as a result of data breaches. These credentials fuel the underground economy and are used for everything from spam to phishing and account takeovers. Credential stuffing attacks are one of the most common ways cybercriminals abuse stolen usernames and passwords.
This is a brute-force attack technique, but instead of trying to guess passwords using “dictionaries” of common word combinations, attackers use lists of known valid credentials obtained from data breaches. The result is attacks that are much easier to execute and have a higher success rate because a large number of people continue to reuse their passwords across different websites, so credentials stolen from a low-profile website have a high chance of working on services that hold more sensitive data.
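The pattern described above (one source replaying many different stolen username/password pairs, most of which fail) is what a defender looks for in authentication logs. The following is an added example, not code from the page or from any product mentioned in this series; the log format, thresholds, and sample lines are constructed for illustration. It counts, per client IP, the number of attempts, failures, and distinct usernames, and flags sources that try many usernames with a high failure ratio, which is the opposite of a single user mistyping their own password.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample authentication log (not real data). Each line is
 * "<client-ip> <username> <result>", where result is OK or FAIL. */
static const char *SAMPLE_LOG[] = {
    "203.0.113.7 alice FAIL",
    "203.0.113.7 bob FAIL",
    "203.0.113.7 carol FAIL",
    "203.0.113.7 dave FAIL",
    "203.0.113.7 erin FAIL",
    "203.0.113.7 frank OK",
    "198.51.100.2 alice FAIL",
    "198.51.100.2 alice FAIL",
    "198.51.100.2 alice OK",
    "192.0.2.9 grace OK",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

#define MAX_IPS   64
#define MAX_USERS 64

struct ip_stats {
    char ip[46];                 /* room for an IPv6 literal */
    int attempts, failures, n_users;
    char users[MAX_USERS][64];   /* distinct usernames seen from this IP */
};

static struct ip_stats table[MAX_IPS];
static int n_ips;

static struct ip_stats *find_or_add(const char *ip)
{
    for (int i = 0; i < n_ips; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    if (n_ips == MAX_IPS) return NULL;
    struct ip_stats *s = &table[n_ips++];
    memset(s, 0, sizeof *s);
    strcpy(s->ip, ip);           /* the sscanf width below bounds ip to 45 chars */
    return s;
}

static void note_user(struct ip_stats *s, const char *user)
{
    for (int i = 0; i < s->n_users; i++)
        if (strcmp(s->users[i], user) == 0) return;
    if (s->n_users < MAX_USERS) strcpy(s->users[s->n_users++], user);
}

/* Parse one log line into the per-IP table; returns 0 for a malformed line. */
static int ingest_line(const char *line)
{
    char ip[46], user[64], result[8];
    if (sscanf(line, "%45s %63s %7s", ip, user, result) != 3) return 0;
    struct ip_stats *s = find_or_add(ip);
    if (s == NULL) return 0;
    s->attempts++;
    if (strcmp(result, "FAIL") == 0) s->failures++;
    note_user(s, user);
    return 1;
}

/* The signature of a replayed credential list: one source trying many
 * different usernames, mostly failing. A user mistyping their own password
 * produces failures against a single username only. */
static int is_stuffing(const struct ip_stats *s, int min_users, double min_fail_ratio)
{
    if (s->attempts == 0) return 0;
    return s->n_users >= min_users &&
           (double)s->failures / s->attempts >= min_fail_ratio;
}

/* Rebuilds the table from the lines and returns how many IPs were flagged. */
int analyze(const char **lines, int n, int min_users, double min_fail_ratio)
{
    int flagged = 0;
    n_ips = 0;
    for (int i = 0; i < n; i++) ingest_line(lines[i]);
    for (int i = 0; i < n_ips; i++) {
        if (is_stuffing(&table[i], min_users, min_fail_ratio)) {
            printf("ALERT %s: %d attempts, %d failures, %d distinct users\n",
                   table[i].ip, table[i].attempts, table[i].failures, table[i].n_users);
            flagged++;
        }
    }
    return flagged;
}

/* Looks up an IP in the table built by the last analyze() call. */
int ip_flagged(const char *ip, int min_users, double min_fail_ratio)
{
    for (int i = 0; i < n_ips; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return is_stuffing(&table[i], min_users, min_fail_ratio);
    return 0;
}

int main(void)
{
    int n = analyze(SAMPLE_LOG, SAMPLE_LOG_LEN, 5, 0.8);
    printf("%d source(s) flagged\n", n);
    return 0;
}
```

With the sample, only 203.0.113.7 is flagged (six usernames, five of six attempts failed); 198.51.100.2 is one person retrying their own account and stays quiet. In production the same counts would be kept per time window and would also be keyed on the username side, since a distributed attack spreads each credential across many IPs.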
https://www.csoonline.com/article/3448558/credential-stuffing-explained-how-to-prevent-detect-and-defend-against-it.html
Duff’s Device is a creative request by Obsidian Security’s VP of Product Sean Borman. What is Duff’s Device? Here’s Sean’s take on it.
On very rare occasions, programming might involve some creative rule bending to get the job done. Doing something in a way that the original designers of the language probably never anticipated and might even be horrified to observe. When you come across code like this, you might stare at it and swear that it’s just broken. Yet it works. You’ll curse that you don’t know how it works. You’ll stare at it some more. Then the light goes on – the epiphany! And then it’s “How the hell did they come up with that?” You marvel at the ingenuity. The sheer sneakiness.
Well, here’s such a story. It’s become something of a cult classic (even if it’s a pretty small cult).
Tom Duff was a programmer working at Lucasfilm in the 1980s. You know, Lucasfilm, famous for that “Star Wars” thing. Well, Lucasfilm used some cutting edge technology and tended to push it to the limit. Tom was working on improving the performance of a real-time animation playback program that ran at only half the speed required. Tom traced the problem to code that copied large blocks of data. The naive implementation was too slow, but Tom figured he could use a well-known optimization technique called “loop unrolling” to eliminate half the instructions, thus doubling performance.
Tom wrote the loop unrolled code in the “C” programming language but used a fiendish trick that seriously bent the language rules. While Tom’s code was technically still legal “C”, his creative rule bending almost certainly could not have been imagined by Dennis Ritchie, the creator of the C programming language. Tom’s hack was so bad that Tom later wrote to Dennis showing his code, along with the following admission:
“Disgusting, no? But it compiles and runs just fine. I feel a combination of pride and revulsion at this discovery. If no one’s thought of it before, I think I’ll name it after myself.”
And thus was born “Duff’s device.”
We’ll leave it to you to read the code and discover the surprise, disgust and admiration for Tom’s creative rule breaking.
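For readers who would rather see the trick than chase the link, here is Duff’s device as an added example written for this page; it is not Tom Duff’s original listing, which copied into a single memory-mapped output register and so never advanced the destination pointer. This version advances both pointers, so it behaves like a plain byte copy and can be checked against the naive loop it was meant to replace. The `switch` jumps into the middle of the `do`/`while` body to deal with the `count % 8` leftover bytes, which is the part that looks broken but is legal C.

```c
#include <stddef.h>
#include <string.h>

/* Duff's device: an 8-way unrolled copy loop. The switch lands on the case
 * that handles count % 8 stray bytes first, then the do/while takes over
 * for the remaining full groups of eight, with no separate clean-up loop.
 * Added example; pointers advance on both sides unlike Duff's original. */
void duff_copy(unsigned char *to, const unsigned char *from, size_t count)
{
    if (count == 0) return;          /* the original device assumes count > 0 */
    size_t n = (count + 7) / 8;      /* number of trips through the loop body */
    switch (count % 8) {
    case 0: do { *to++ = *from++;
    case 7:      *to++ = *from++;
    case 6:      *to++ = *from++;
    case 5:      *to++ = *from++;
    case 4:      *to++ = *from++;
    case 3:      *to++ = *from++;
    case 2:      *to++ = *from++;
    case 1:      *to++ = *from++;
            } while (--n > 0);
    }
}

/* Reference: the one-byte-per-iteration loop that was too slow. */
void naive_copy(unsigned char *to, const unsigned char *from, size_t count)
{
    while (count-- > 0) *to++ = *from++;
}

/* Compares duff_copy with naive_copy for every length from 0 to max_len,
 * including the bytes after the copied region, which must stay untouched.
 * Returns 1 if every length agrees. */
int duff_matches_naive(size_t max_len)
{
    unsigned char src[256], a[256], b[256];
    for (size_t i = 0; i < sizeof src; i++) src[i] = (unsigned char)(i * 31 + 7);
    if (max_len > sizeof src) max_len = sizeof src;
    for (size_t len = 0; len <= max_len; len++) {
        memset(a, 0xAA, sizeof a);
        memset(b, 0xAA, sizeof b);
        duff_copy(a, src, len);
        naive_copy(b, src, len);
        if (memcmp(a, b, sizeof a) != 0) return 0;
    }
    return 1;
}
```

Trace a count of 9 by hand: `n` is 2 and `count % 8` is 1, so execution enters at `case 1`, copies one byte, decrements `n` to 1, and loops back to the top of the `do` body for the remaining eight. Whether the trick still buys anything today depends on the compiler, which will usually unroll a plain loop by itself.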
Mixed media (ink, watercolor) on watercolor paper, 8.5” x 11”, 2019
Source: https://www.lysator.liu.se/c/duffs-device.html
This exploitation technique is a favorite of Jed Mitten, Obsidian Security’s Senior Security Researcher. Here’s Jed’s explanation: SQL Injection has been a prime target for web application exploitation, and it has enjoyed the #1 spot on the OWASP Top 10 list for over a decade [1]. It involves accessing the backend SQL database through the browser by manipulating the query string. It has been used in hundreds of security incidents, defacements, and service interruptions [2], and thus all user-controlled web parameters must be sanitized first. The continued exploitation of SQL injection goes to show that security and convenience are still forever at odds with one another.
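The core of the problem Jed describes is a query assembled by pasting a user-controlled parameter straight into the SQL text. The following is an added example written for this page, not code from Obsidian or the cited sources, with constructed inputs. It puts the concatenating version next to one that only lets a validated integer reach the query. For the numeric ID case shown here, allow-list validation is enough; for free-form string parameters the right tool is a parameterized query (bind variables), which this snippet does not model because it has no database attached.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable: the raw query-string parameter becomes part of the SQL text,
 * so anything the client puts in it changes the statement's logic. */
int build_query_unsafe(char *out, size_t outsz, const char *id_param)
{
    return snprintf(out, outsz, "SELECT * FROM users WHERE id = %s", id_param);
}

/* Accept only a non-negative decimal integer and nothing else: no sign,
 * no leading whitespace, no trailing characters. Returns 1 and sets *id,
 * or 0 if the parameter is rejected. */
int parse_id_param(const char *id_param, long *id)
{
    if (id_param == NULL || !isdigit((unsigned char)id_param[0])) return 0;
    errno = 0;
    char *end;
    long v = strtol(id_param, &end, 10);
    if (errno == ERANGE || *end != '\0') return 0;   /* overflow or trailing junk */
    *id = v;
    return 1;
}

/* Safer: the query text is built from the validated number, never from the
 * client's bytes. Returns 1 on success; on rejection returns 0 and leaves
 * out empty so the caller cannot run a half-built statement by mistake. */
int build_query_validated(char *out, size_t outsz, const char *id_param)
{
    long id;
    if (!parse_id_param(id_param, &id)) {
        if (outsz > 0) out[0] = '\0';
        return 0;
    }
    snprintf(out, outsz, "SELECT * FROM users WHERE id = %ld", id);
    return 1;
}

int main(void)
{
    char q[128];
    const char *tampered = "1 OR 1=1";   /* constructed tampered parameter */
    build_query_unsafe(q, sizeof q, tampered);
    printf("unsafe:    %s\n", q);        /* the condition is no longer id = 1 */
    printf("validated: %s\n", build_query_validated(q, sizeof q, tampered) ? q : "(rejected)");
    build_query_validated(q, sizeof q, "42");
    printf("validated: %s\n", q);
    return 0;
}
```

The check on `*end` is what makes the validation strict: `strtol` alone would happily parse the leading `1` of a tampered value and report success. The same allow-list idea extends to any parameter with a known shape (enumerations, dates, fixed-length tokens); anything without one should go through a bind variable rather than string formatting.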
Mixed media (ink, watercolor) on watercolor paper, 8.5” x 11”, 2019
Source:
[1] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Main
[2] https://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
This painting is "Hello world!" and I have Obsidian Security's VP of Product Sean Borman explaining a bit about it: "In the latest work in The Beauty of Code series, we turn to a classic rite of passage for beginner programmers - writing a program that outputs “Hello world!” For this artwork, we wrote “hello world” in the C programming language, compiled it to an ELF binary and used the hexdump utility to create the image that is featured in the artwork. Binaries like the one shown aren’t designed for people -- they’re for computers to execute, but to an experienced security researcher or an attacker, a binary is almost as good as having the source code itself."
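To show what the hexdump in the painting is made of, here is an added example (not the artwork’s own tooling, which was the standard `hexdump` utility) that formats a row of bytes the way `hexdump -C` does and reads the first thing any analyst looks for in such a dump: the `7f 45 4c 46` magic that identifies an ELF file, followed by the byte that says whether it is a 32- or 64-bit binary. The sixteen header bytes are constructed to match the `e_ident` of a 64-bit little-endian ELF, not copied from the painting.

```c
#include <stdio.h>
#include <string.h>

/* Constructed: the first 16 bytes (e_ident) of a 64-bit little-endian ELF
 * header, as hexdump would show them at offset 0 of a compiled hello world.
 * Byte 4 is the class (1 = 32-bit, 2 = 64-bit), byte 5 the data encoding. */
static const unsigned char SAMPLE_EHDR[16] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Formats one 16-byte row in the style of `hexdump -C`: an 8-digit offset,
 * the hex bytes with a wider gap after the eighth, and the printable ASCII
 * on the right. n may be less than 16 for the final short row. */
int hexdump_row(char *out, size_t outsz, unsigned long offset,
                const unsigned char *p, size_t n)
{
    char hex[3 * 16 + 2] = {0};   /* 16 "xx " groups, the mid-row gap, NUL */
    char ascii[17] = {0};
    size_t pos = 0;
    for (size_t i = 0; i < 16; i++) {
        if (i == 8) hex[pos++] = ' ';
        if (i < n) {
            pos += (size_t)sprintf(hex + pos, "%02x ", p[i]);
            ascii[i] = (p[i] >= 0x20 && p[i] < 0x7f) ? (char)p[i] : '.';
        } else {
            memcpy(hex + pos, "   ", 3);   /* keep columns aligned on short rows */
            pos += 3;
        }
    }
    hex[pos] = '\0';
    return snprintf(out, outsz, "%08lx  %s |%s|", offset, hex, ascii);
}

/* Returns 64 or 32 for an ELF header of that class, 0 if the bytes are not
 * an ELF header. Note the split string literal: "\x7fELF" would be parsed
 * as a single out-of-range hex escape because 'E' is a hex digit. */
int elf_class(const unsigned char *hdr, size_t len)
{
    if (len < 5 || memcmp(hdr, "\x7f" "ELF", 4) != 0) return 0;
    if (hdr[4] == 1) return 32;
    if (hdr[4] == 2) return 64;
    return 0;
}

int main(void)
{
    char row[96];
    hexdump_row(row, sizeof row, 0, SAMPLE_EHDR, sizeof SAMPLE_EHDR);
    puts(row);
    printf("ELF class: %d\n", elf_class(SAMPLE_EHDR, sizeof SAMPLE_EHDR));
    return 0;
}
```

The row printed for the sample is `00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|`, and that `.ELF` on the right edge is exactly the string a researcher spots in the painting before reading anything else.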
Stuxnet is a malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005. Stuxnet targets SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program. Although neither country has openly admitted responsibility, the worm is widely understood to be a jointly built American/Israeli cyberweapon.
Mixed media (ink, watercolor) on watercolor paper, 13” x 19”, 2019
Source: https://en.wikipedia.org/wiki/Stuxnet
“Truncation” is a creative request from Obsidian’s Senior Security Researcher Jody Forness.
What is truncation? Here’s a deep dive from Jody: Integer truncation vulnerabilities result from the unintended consequence of converting a large number into an integer type that will only store a small number. For example, on a 32-bit machine, an int will store numbers from -2147483648 to 2147483647. An unsigned short will only store numbers from 0 to 65535. So, if one function defines a value as an integer, but then passes that same value to a function that defines the value as an unsigned short, some of the number will be “truncated”. In this example, the value 65536 has a binary representation of 10000000000000000 and when “converted” to an unsigned short “integer”…which can’t hold the entire value, the compiler will truncate to “0”. The user ID of “0” represents root. So a user ID of 65536 would unintentionally have elevated privileges as well.
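Jody’s user-ID scenario can be run end to end in a few lines. The following is an added example written for this page, not code from the book cited below; the `uid` values and the root check are constructed. The first function reproduces the defect (an `int` handed to an `unsigned short` parameter keeps only its low 16 bits, so 65536 becomes 0 and 65537 becomes 1); the second shows the fix, which is to range-check before narrowing and to treat an out-of-range value as an error rather than as some other user.

```c
#include <limits.h>
#include <stdio.h>

/* The defect: the caller tracks the ID as an int, the callee declares an
 * unsigned short, and the implicit conversion keeps the value modulo 65536
 * (this wrap-around is well defined in C for unsigned targets, which is
 * why nothing warns at runtime). 65536 -> 0, 65537 -> 1. */
unsigned short narrow_uid(int uid)
{
    unsigned short u = uid;
    return u;
}

/* Simulated privilege check on the narrowed value: uid 0 is root. */
int is_root_after_narrowing(int uid)
{
    return narrow_uid(uid) == 0;
}

/* The fix: refuse to narrow anything that does not fit. Returns 1 and sets
 * *out on success, 0 otherwise. The caller must fail closed on 0 rather
 * than fall back to a default ID. */
int narrow_uid_checked(int uid, unsigned short *out)
{
    if (uid < 0 || uid > USHRT_MAX) return 0;
    *out = (unsigned short)uid;
    return 1;
}

int main(void)
{
    int ids[] = {1000, 65535, 65536, 65537};
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        unsigned short checked;
        printf("uid %d -> narrowed %u (root? %s), checked: %s\n",
               ids[i], narrow_uid(ids[i]),
               is_root_after_narrowing(ids[i]) ? "yes" : "no",
               narrow_uid_checked(ids[i], &checked) ? "accepted" : "rejected");
    }
    return 0;
}
```

Compilers can flag the implicit narrowing (`-Wconversion` in GCC and Clang), but only as a warning, so the explicit check is what actually closes the hole. The same pattern applies to length and size fields, where the truncated value feeds a buffer allocation instead of a privilege check.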
Mixed media (ink, watercolor) on watercolor paper, 8.5” x 11”, 2019
The source of this example is from “The Art of Software Security Assessment” by Mark Dowd, John McDonald, and Justin Schuh.
Heap sort is a sorting algorithm that works by first organizing the data to be sorted into a special type of binary tree called a heap. The heap itself has, by definition, the largest value at the top of the tree, so the heap sort algorithm must also reverse the order. It does this with the following steps:
1. Remove the topmost item (the largest) and replace it with the rightmost leaf. The topmost item is stored in an array.
2. Re-establish the heap.
3. Repeat steps 1 and 2 until there are no more items left in the heap.
The sorted elements are now stored in an array. A heap sort is especially efficient for data that is already stored in a binary tree.
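The three steps above, carried out on an array, as an added example written for this page (not code from the cited source). The heap lives in the array itself: the children of index `i` sit at `2i+1` and `2i+2`, so no separate tree structure is needed. Each round takes the top item, moves the rightmost leaf into its place, and stores the top item in the slot that leaf just vacated; because the removed items are the maxima in decreasing order and are written from the back of the array forward, the "reversal" the description mentions happens as a side effect and the result comes out ascending.

```c
#include <stddef.h>

/* Step 2: re-establish the heap for the subtree rooted at i, assuming the
 * subtrees below it are already heaps. Only the first n elements count. */
static void sift_down(int *a, size_t n, size_t i)
{
    for (;;) {
        size_t largest = i, l = 2 * i + 1, r = 2 * i + 2;
        if (l < n && a[l] > a[largest]) largest = l;
        if (r < n && a[r] > a[largest]) largest = r;
        if (largest == i) return;
        int t = a[i]; a[i] = a[largest]; a[largest] = t;
        i = largest;
    }
}

/* Sorts a[0..n) in ascending order, in place. */
void heap_sort(int *a, size_t n)
{
    if (n < 2) return;
    /* Organize the data into a heap: the largest value ends up at a[0].
     * Leaves are trivially heaps, so start from the last internal node. */
    for (size_t i = n / 2; i-- > 0;) sift_down(a, n, i);
    /* Steps 1-3: remove the top, replace it with the rightmost leaf a[end],
     * store the top item in the freed slot, then repair the heap over the
     * shrunk prefix a[0..end). Repeat until one element remains. */
    for (size_t end = n - 1; end > 0; end--) {
        int top = a[0];
        a[0] = a[end];
        a[end] = top;
        sift_down(a, end, 0);
    }
}

/* Returns 1 if a[0..n) is in non-decreasing order. */
int is_sorted(const int *a, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (a[i - 1] > a[i]) return 0;
    return 1;
}
```

Heap sort runs in O(n log n) time regardless of input order and uses no memory beyond the array, which is why it shows up in places such as introsort fallbacks where a guaranteed bound matters more than raw speed.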
Mixed media (ink, watercolor) on watercolor paper, 8.5” x 11”, 2019
Source: https://www.webopedia.com/TERM/H/heap_sort.html
One algorithm for finding the shortest path from a starting node to a target node in a weighted graph is Dijkstra’s algorithm. The algorithm creates a tree of shortest paths from the starting vertex, the source, to all other points in the graph.
Dijkstra’s algorithm, published in 1959 and named after its creator Dutch computer scientist Edsger Dijkstra, can be applied on a weighted graph. The graph can either be directed or undirected. One stipulation to using the algorithm is that the graph needs to have a nonnegative weight on every edge.
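To make the description concrete, here is an added example written for this page (not code from the cited source) that runs Dijkstra’s algorithm on a small constructed directed graph. It keeps a tentative distance for every vertex, repeatedly settles the unsettled vertex with the smallest distance, and relaxes that vertex’s outgoing edges; the `prev` array it fills is the tree of shortest paths the text mentions. It also enforces the stipulation about weights: if any edge is negative it refuses to run, because the settle-the-closest-vertex step is only correct when later edges cannot make a path shorter.

```c
#include <limits.h>
#include <stddef.h>

#define MAXV 16
#define INF  INT_MAX

typedef struct { int u, v, w; } edge;   /* directed edge u -> v with weight w */

/* Constructed sample graph on vertices 0..5; vertex 5 is deliberately
 * unreachable from 0. Shortest 0 -> 3 is 0 -> 2 -> 1 -> 3 with cost 4. */
static const edge SAMPLE_EDGES[] = {
    {0, 1, 4}, {0, 2, 1}, {2, 1, 2}, {1, 3, 1}, {2, 3, 5}, {3, 4, 3},
};
#define SAMPLE_EDGE_COUNT ((int)(sizeof SAMPLE_EDGES / sizeof SAMPLE_EDGES[0]))
#define SAMPLE_VERTICES 6

/* Fills dist[] and prev[] for all n vertices from src. Returns 0 on success,
 * -1 without touching the outputs if any weight is negative. Unreachable
 * vertices keep dist == INF and prev == -1. O(n^2 + n*m), fine for small n. */
int dijkstra(int n, const edge *edges, int m, int src, int *dist, int *prev)
{
    int settled[MAXV] = {0};
    if (n < 1 || n > MAXV || src < 0 || src >= n) return -1;
    for (int i = 0; i < m; i++)
        if (edges[i].w < 0) return -1;            /* precondition violated */
    for (int v = 0; v < n; v++) { dist[v] = INF; prev[v] = -1; }
    dist[src] = 0;
    for (int round = 0; round < n; round++) {
        /* Pick the closest vertex not yet settled (a heap would do this faster). */
        int u = -1;
        for (int v = 0; v < n; v++)
            if (!settled[v] && dist[v] != INF && (u == -1 || dist[v] < dist[u])) u = v;
        if (u == -1) break;                       /* everything left is unreachable */
        settled[u] = 1;
        /* Relax every edge leaving u. */
        for (int i = 0; i < m; i++) {
            if (edges[i].u != u) continue;
            int v = edges[i].v, cand = dist[u] + edges[i].w;
            if (cand < dist[v]) { dist[v] = cand; prev[v] = u; }
        }
    }
    return 0;
}

/* Walks prev[] back from dst and writes the path source..dst into out.
 * Returns the number of vertices in the path, or -1 if dst is unreachable
 * or out (capacity cap) is too small. */
int path_to(const int *dist, const int *prev, int dst, int *out, int cap)
{
    int tmp[MAXV], len = 0;
    if (dist[dst] == INF) return -1;
    for (int v = dst; v != -1; v = prev[v]) tmp[len++] = v;
    if (len > cap) return -1;
    for (int i = 0; i < len; i++) out[i] = tmp[len - 1 - i];
    return len;
}
```

With a negative edge the usual fix is to switch algorithms (Bellman-Ford handles negative weights and detects negative cycles) rather than to patch Dijkstra, since adding a constant to every edge changes which path is shortest.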
Mixed media (ink, watercolor) on watercolor paper, 13” x 19”, 2019
Source: https://brilliant.org/wiki/dijkstras-short-path-finder/
The Apollo 11 space program holds deep significance to me because my dad was a telemetry engineer at North American Rockwell in the 60s. Their operations facility in Downey, California focused extensively on testing the command and service modules before they shipped to Cape Canaveral. This testing ensured Buzz Aldrin, Neil Armstrong and Michael Collins made it back to earth safely. The Apollo 11 project consists of thousands of lines of code with easter eggs peppered throughout, revealing the camaraderie of the original programming team. “Please crank the silly thing around” in one comment, for example, refers to the repositioning of the antenna for the landing radar. “Off to see the wizard…” in another leaves us imagining how excited the engineers must’ve felt as their code successfully ran. The code that put us on the moon is a marvel given the limited software tools available at the time.
Mixed media (ink, watercolor) on watercolor paper, 8.5” x 11”, 2019
The Morris Worm was a self-replicating computer program (worm) written by Robert Tappan Morris, a student at Cornell University, and released from MIT on November 2, 1988. According to Morris, the purpose of the worm was to gauge the size of the precursor “Internet” of the time - ARPANET - although it unintentionally caused denial of service (DoS) for around 10% of the 60,000 machines connected to ARPANET in 1988. The worm spread by exploiting vulnerabilities in UNIX sendmail, finger, and rsh/rexec as well as by guessing weak passwords.
The United States v. Morris (1991) court case resulted in the first conviction under the 1986 Computer Fraud and Abuse Act, with Morris receiving a sentence of three years in prison, 400 hours of community service and a $10,000 fine.
Mixed media (ink, watercolor) on watercolor paper, 13” x 19”, 2019
Source: https://security.radware.com/ddos-knowledge-center/ddospedia/morris-worm/
Phineas Fisher became a wanted man in Spain after he breached and leaked data from Sindicat De Mossos d'Esquadra (SME), Spain's Catalan police union, in May 2016. The incident attracted worldwide attention after Phineas Fisher published a 39-minute video of the complete hack, detailing how he gained access, how he stole the data, and how he published it online. The video also showed the hacker defacing the police's Twitter account with pictures of people Fisher claimed were brutally beaten by police.
Source: https://www.bleepingcomputer.com/news/security/spanish-police-claim-to-have-arrested-phineas-fisher-hacking-team-hacker/
Love comes in various forms, even code. This painting explores the ILOVEYOU (ILY) Worm, which was one of the earliest pieces of malware that impacted millions of computers around the world through clever social engineering. The simple principle behind the ‘I Love You’ worm was that it took advantage of human psychology, namely one of humanity’s most basic desires (…to be loved).
Here is how the worm operated. The victim would receive an email love letter from a person he or she knew, entitled ‘ILoveYou’. “Kindly check the attached LOVELETTER coming from me,” read the email. But once the victim clicked on what seemed to be a text file called ‘Love-Letter-For-You’, the worm would install itself on the PC and then replace all files with media extensions (images, documents and MP3s) with copies of itself. Lastly, the virus would send an identical email to all the contacts of a victim’s Outlook address book.
Combating the ILY bug was very hard, and big companies were often the hardest hit because it caused email systems and computer networks to grind to a halt under the tsunami of emails the worm generated. This virus proved that love is powerful...especially in code.
Source: https://www.silicon.co.uk/security/cyberwar/tales-tech-history-love-bug-21368
This worm was created with only good intentions, but things went sideways…
On March 2, 1988 the MacMag virus activated on infected Macintosh computers: the screen would show the message "RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all Macintosh users around the world", and the virus would then delete itself.
Brandow intended the virus to be benign, giving a friendly message and causing no harm. However, a bug in the virus caused infected Mac II computers to undergo system crashes before this date. Another bug, which affected very few users, caused files other than the original virus to be deleted during the termination stage. It also caused a great deal of anxiety among users who found that their computers were infected with an unwanted program the nature of which was unknown. The virus infected Aldus software's FreeHand, and Aldus had to recall thousands of copies of FreeHand, leading them to threaten legal action.
Although things went awry, his heart was in the right place.
Mixed media (ink, watercolor) on watercolor paper, 8.5” x 11”, 2020
Source: https://en.wikipedia.org/wiki/MacMag
Mydoom is a computer worm that affected Microsoft Windows in 2004 and became one of the fastest-spreading e-mail worms ever. Mydoom appears to have been commissioned by e-mail spammers so as to send junk e-mail through infected computers. The worm contains the text message "andy; I'm just doing my job, nothing personal, sorry," leading many to believe that the worm's creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown. Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against SCO Group. Twenty-five percent of Mydoom.A-infected hosts targeted www.sco.com with a flood of traffic. Mydoom was named by Craig Schmugar, who chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate." MyDoom is the most devastating computer virus to date, which caused more than $38 billion in damage.
Source: https://en.wikipedia.org/wiki/Mydoom
This code art painting features the WannaCry virus. I have Obsidian’s Security Engineer, Alfredo Hickman, explaining the compelling story behind it! WannaCry: A tale of stolen NSA hacking tools, forced encryption, financial extortion, and amateurish exploitation. A story that left many of us in the cybersecurity world wondering how many things had to have gone wrong for this attack to have even happened.
WannaCry started in 2017 and is believed to have been initiated by the Lazarus Group. WannaCry leveraged a sophisticated exploit developed by the NSA known as EternalBlue, which was either leaked by a malicious NSA employee or stolen and leaked by another hacker group known as The Shadow Brokers. EternalBlue exploited a vulnerability in Microsoft's implementation of Server Message Block (SMB) version 1 which allowed a remote attacker to execute code on a vulnerable machine. WannaCry then encrypted all data on the infected machines and held the data hostage until the victim paid a $300 ransom via Bitcoin.
Fortunately, this story has a somewhat happy ending. WannaCry leveraged a method in which an infected host checked if a randomly generated domain was registered and then would stop spreading if that was the case. This vulnerability in the malware made it possible for defenders to register the WannaCry shutoff domains and hinder the spread of the malware. In addition, Microsoft released a patch to the vulnerable SMBv1 implementation that helped stem the number of vulnerable hosts. Between these two developments, WannaCry was defeated relatively quickly and with minimal long-term damage.
10 Print carries social and aesthetic dimensions that demand we view it as a cultural artifact. The code takes us back to the early 1980s, when computers like the Commodore 64 started to become a common fixture in private homes. Before that, computers were primarily used for government applications and for a long time were only available at universities. The C64 came with a BASIC interpreter that would produce a pseudo-randomized pattern made up of “\” and “/” when a person input a single line of code: 10 PRINT CHR$ (205.5+RND (1)); : GOTO 10. The resulting pattern, both functional and beautiful, is symbolic of the time it was born, when creative computing would take off. Resembling the elaborate motifs of Chinese silk embroidery, the slashes replicate themselves in simultaneously unruly and methodical lines, quite like the way we approach software and art production today.
Mixed media (ink, watercolor) on watercolor paper, 8.5” x 11”, 2019