At some point in his or her life every working mathematician has to explain to someone, usually a relative, that mathematics is hardly a finished project. The mathematicians know, of course, that it is far too early to put the glorious achievements of their trade into a big museum and become happy curators. Our subject has, in certain respects, hardly begun.
— Barry Mazur, Foreword to Fearless Symmetry
The Best of Discrete & Recreational Maths
This is a work in progress! It will showcase some of the best, most underrated theorems in maths. Stay tuned and wait for your mind to be blown — or if you're impatient, solve the math jester challenges and submit your solutions to see the deeper meaning behind each problem.
'Tis not too late to seek a newer world. Push constants to the stack machines, And sitting well in order smite The sounding furrows; for my purpose holds To sail beyond the VM stacks, and the baths Of all the western stars, until I die. It may be that the GOOG will wash us down; It may be we shall touch the Hasty Likes, And see the great Turing, whom we knew. Though much is taken, much abides; and tho' We are not now that strength which in old days Moved earth and heaven, that which we are, we are, One equal temper of heroic hearts, Made weak by time and fate, but strong in will To strive, to seek, to find, and not to yield [control].
— Based on "Ulysses" by Alfred Lord Tennyson (1809-1892)
Modded by FX of Phenoelit; republished in Phrack Magazine
Cybersecurity Articles
Cryptography
Mystery Twister hosts countless cryptographic challenges. Take a look!
How to Know If Your Phone is Secure (Hint: It's Not)
Every year, nay, every month, there are new security vulnerabilities being found and exploited. This is especially true viz-à-viz our phones. Here I intend to keep a consolidated list of security vulnerabilities related to people's phones — security holes that most people are blissfully unaware of.
Cellular data plans got more affordable during recent yearsand cellular network coverage increased. Disabling Wi-Fi bydefault and only enabling it when using trusted networks canbe considered a good security practice, even if cumbersome.
The paper's mitigation recommendation includes "disabling Wi-Fi by default," which suggests that we should be using mobile network data plans by default instead. However, using these networks has drawbacks and security vulnerabilities of its own:
Computer science is no more about computers than astronomy is about telescopes.
— Edsger Dijkstra
Corollary: The best computer science courses are the ones that don't ever require you to touch a computer.
— The Math Jester
Fancy Algorithms
This is a place to collect interesting algorithms, many of which I did not even learn in my university curricula. Join me on a tour of some eye-opening algorithms. These are genuinely impressive creative accomplishments.
This is a collection of dialogues, some real and others imaginary, which help to solidify knowledge of C++. If you're reading this, please treat these as approachable lessons and parables, inspired by those in The Number Devil, Fearless Symmetry, and other books. The best part is, the code provided is easily copiable — so you can verify the results on your machine!
Prerequisite: These parables are geared toward someone with knowledge of C.
Disclaimer: They are provided as a reference[1] with NO WARRANTY.
I intend to use my own Dewey-Decimal System for organizing these... It will look something like the following:
0xxx
These are supposed to be high-level, less technical questions that a C++ beginner might have. If you want to start with something less technical, then start with this section.
1xxx
These are supposed to be basic technical questions about some of the perceived paradoxes of C++. The author posts them here as an opportunity to share what he wishes he had known when starting C++.
2xxx
A section dedicated to imaginary dialogues about intermediate concepts.
3xxx
These will include lessons deemed to be more advanced, e.g. copy elision and relocatable objects.
4xxx
This is the Restricted Section of the library. (lol)
Seriously though, this will contain some questions and comments about the Assembly code to which C++ compiles.
All hail the almghty compilation pipeline; it is beautiful.
5xxx
These dialogues are inspired by (or outright excerpted from!) conversations with the experts on IRC. Relative to the other dialogues, they are expected to be of the utmost quality and the highest difficulty.
[0001] Tedious Troubles, part 1 — a more practical discussion about how actions that are simple in other languages are not so simple in C++. Normally, the tradeoff is worth it, but this is the perfect example of a task that becomes overly tedious to code quickly in C++.
[1002] The Instantiation Paradox — an imaginary dialogue, based on real struggles in understanding C++ through the lens of C. It is technically a work-in-progress, but mostly finished.
[1003] C Linkage — an imaginary dialogue, based on even more compatibility problems between C and C++.
[2001] Template Trouble, part 1 — an attempt to help solidify the syntax for template methods and template classes in C++. Be patient for this one...
[2003] Understanding LValue and RValue References — an explanation, complete with diagrams, about RValue references, to settle my confusion once and for all. Again, be patient.
[2990] Conversations with a Guru (external!) — existing narratives, written by Herb Stutter and Jim Hyslop, which provide additional inspiration for these dialogues. I especially recommend the talk on null references.
[2992] C++ Seniores Blog (external!) — a more modern, up-to-date blog with a treasure trove of features and oddities from C++. Explore them. You won't be disappointed.
[5002] The C++17 Standard — a dialogue to help us remember the features introduced in modern C++ standards.
[1] no pun intended.
The Language Rants
These are my (very visceral) feelings when working with certain specific dynamically typed programming langauges. Please do not take this section too seriously! I will gladly use whatever language and toolchain is most suited for the job. We all have our preferences for the languages that we use for personal projects.
Python — The Twitter of Programming Languages
A significant fraction, between 11 and 46 percent, of packages distributed on PyPI have security vulnerabilities.
Whitespace is required. No language should require a particular quantity of blank space. Rather, the interpreter should be more concerned about semantics than about forcing a certain formatting scheme. More specifically, curly brackets should always be an option for the programmer to use to specify the bounds of a control structure.
Variables do not have a scope. You can have a variable that is defined within a nested control structure and use it outside that control structure by accident (e.g., by merely copying and pasting code and forgetting to rename a variable reference)! This has happened to me before, and it is insane.
Common English words, like sum, min, and list, are built-in functions in CPython, so it is a bad practice to use them as identifiers. This may not sound like such a bad thing — after all, it incentivizes you to "just use more descriptive names" — but it also restricts the developer's ability to write code that (a) is good-quality (using distinct variable names) and (b) doesn't take too long to write, e.g. for Advent of Code challenges, etc. It also appears to be an inescapable feature (is it not?).
People give you a weird look for using semicolons to demarcate the end of a statement.
Error messages are so often counter-intuitive and unclear. Allow me to present some examples.
File "/home/chozorho/ctf/advent/2021/11/./solve.py", line 77, in <module> if (newBoardState[size-1][width-1] > 9): TypeError: 'int' object is not subscriptable
This message is infuriatingly vague. It uses one and only one line to describe the error, and the description uses no more than six words. It does not state which expression corresponds to the 'int' object (e.g., is it newBoardState, or is it newBoardState[size-1]? etc.). It also does not give any column index, so this information cannot be easily inferred. In fact, because python is dynamically typed, it is difficult enough to track down the error: whereas a compiler would have checked this ahead of time before blindly running the program, with errors like these, the programmer must waste time re-checking the code manually. In this case, the error was caused on an earlier line of code, so as it turns out, the line being printed isn't even that helpful.
Traceback (most recent call last): File "/home/chozorho/git/redacted/censored_main.py", line 71, in <module> censored_locations = inner_object.get_stuff_locations(param1, empty_list) File "/home/chozorho/git/redacted/censored/inner_object.py", line 54, in get_stuff_locations loc_div = selenium_driver.find_elements_by_class_name(censored_html_class_name) TypeError: 'NoneType' object is not callable
How fun, another six-word message. The documentation suggests that find_elements_by_class_nameis a valid method on a Selenium webdriver. In practice, it does not exist; no problem, it is probably a simple matter of different versions in use. But then, why should the error mention a "NoneType object" if the selenium_driver object is not a NoneType?? If it is a method that is not found, then this should be made as clear and consistent as possible, without using any ambiguous or counter-intuitive language about "NoneType objects." Anything else runs a high risk of communicating poorly and acting smug when you're misunderstood:
Traceback (most recent call last): File "/home/chozorho/git/redacted/censored_main.py", line 71, in <module> censored_locations = inner_object.get_stuffs_locations(param1, empty_list) File "/home/chozorho/git/redacted/censored/inner_object.py", line 66, in get_stuffs_locations startInd = loc.index(">") + 1 File "/usr/lib/python3/dist-packages/bs4/element.py", line 1374, in index raise ValueError("Tag.index: element not in tag") ValueError: Tag.index: element not in tag
Does python have a rule that their error messages cannot exceed six words??? Apparently, even though I am printing the value of loc and see it displayed as a string, I soon discover that the variable loc is not even a string. This is yet another perfect example of how dynamic typing causes headaches and confusion at runtime.
JavaScript — "wat?"
The auto-casting rules in JavaScript always confused me. Let me reproduce a table to explain why.
Expression
Numerical Value
String Value
Boolean Value
false
0
"false"
false
true
1
"true"
true
0
0
"0"
false
1
1
"1"
true
"0"
0
"0"
true
"000"
0
"000"
true
"1"
1
"1"
true
NaN
NaN
"NaN"
false
Infinity
Infinity
"Infinity"
true
[]
0
""
true
[20]
20
"20"
true
null
0
"null"
false
undefined
NaN
"undefined"
false
"false"
NaN
"false"
true
The reason why this is so confusing is partly because it is not self-consistent: if you pass a variable through multiple stages of conversion, its boolean value may change in unexpected ways. undefined is false, but if you were to convert to a string, it becomes true. If you read a string from an input box, and the user input reads "false", then casting that string to a boolean yields true, but casting it to a number and THEN casting to a boolean yields false. Casting [355, 113] to a number and THEN to a boolean yields false, but converting it directly to a boolean yeilds true. In a sensible language like C, zero is false and false is zero, no matter how many "intermediate types" you cast it through. See what I mean?
But it gets even worse.
When you are working with an array, and you try to retrieve an element outside its bounds, you get an undefined. Simple enough, right? But here's the problem: you can manually set a value in the array to undefined (in which case the array length doesn't change!), and you can even set a value of the array at an out-of-bounds index! This is absurd because it violates the very concept of a fixed-length array.
This reinforces a joke I have made in the past: that Python and JavaScript are in constant competition for the title "Least Enjoyable Programming Language."
C# — "That Friend of a Friend"
Every time I have this discussion with a C# fanboy it always goes like this:
A: Yea, use C#!! It's faster and better-designed than crappy old Java! B: But I run Linux. I refuse to accept spyware and keyloggers on my computer just to be able to use a goddamn programming language. A: Aw, don't worry root! C# is cross-platform! It's great! You can just download this DotNET Core on Linux and voilà! B: Huh, ok, maybe I'll try it out.
... B: Oh, by the way, does your C# game project run on Linux? A: What? Oh no of course not lol. It uses winforms, silly! 🤪 B: Count me out.
Selected FOSS applications
Here are some obscure protocols & FOSS applications, if you're into that sort of thing:
This is a program that will allow you to access an Android phone from your laptop. After a lot of struggling and debugging, I have successfully tested this program from my Linux machine.
To access my phone and send texts from my computer has been a dream of mine for years (I will make a blog post about this sooner or later). Now this dream is becoming a reality!
GNU Net
How I Managed to Break My OS This Week
99 little bugs in the code. 99 little bugs in the code. Take one down, patch it around, 127 little bug in the code...
This is a place to collect many technical problems I've faced, across my different Linux machines (laptop and Linux server). Treat it as a way to store some valuable life lessons, and share them with whoever stumbles upon this page. A common theme you'll notice is that getting help from people on IRC makes solving these problems so much easier.
Episode I: Devuan Linux Breaks Again!
In January 2021, I re-installed Devuan on my daily-driver Linux laptop. In September of that year, I decided to experiment with this operating system, so I updated apt sources in order to include "chimaera," the more experimental repository. But when I did a reboot, I could no longer even decrypt my disk drive, let alone log in!!
Worry not, I said to myself. In the short run, I have a way to decrypt and access my data using a Devuanlivecd that I attach to the same hardware.
Update: This process has been a bit tedious, so I ended up writing a shell script to run these same routines (decrypting the drive, copying my SSH key and browser profile, etc.) automatically. I debugged it some more. It is reproduced below in case it turns out to be helpful to anyone else -- but be forewarned, it does require some review & customization before you run it:
#!/usr/bin/env bash set -o xtrace
# step 0: set non-root user settings mkdir /home/devuan/misc /home/devuan/.ssh echo "set nu hlsearch" | tee /home/devuan/.vimrc
# step 1: decrypt and mount the disk drive sudo cryptsetup open --type luks /dev/sda3 crypto_LUKS sudo mount /dev/quicksilver-vg/root /mnt sudo mount /dev/quicksilver-vg/home /mnt/home sudo swapon /dev/quicksilver-vg/swap_1
# step 3a: initiate firefox developer edition to populate the local profile tar -xjvf firefox-93.0b8.tar.bz2 cd firefox/ pushd . #local_ffdev_pid=`./firefox & echo $!` #local_ffdev_pid=`sh -c "echo $$; exec ./firefox"` # TODO debug this launch!! #sleep 6
# step 3b: auto-kill this browser instance... #kill -9 $local_ffdev_pid # This automatic "kill -9" feature is pending testing/optimization... # For now, simply close the browser manually when it opens. ./firefox
# step 4: get the new, temporary (livecd local) profile name, e.g. do0o40b9.dev-edition-default cd ~/.mozilla/firefox local_profile=`ls -t | grep dev-edition | head -n 1`
# step 5: get the inner profile name and copy it. DO NOT MODIFY IT!!! inner_profile=`ls -t /mnt/home/chozorho/.mozilla/firefox | grep dev-edition | head -n 1`
# step 6: actually run the replacement routine. Delete and copy the new into the old. rm -rf $local_profile cp -ipR /mnt/home/chozorho/.mozilla/firefox/$inner_profile $local_profile # do0o40b9.dev-edition-default/
# step 7: re-run firefox. The correct profile should be selected! popd ./firefox &
# step 8: install preferred software. Sit back and relax while it gets installed!
sudo apt-get install moc newsboat build-essential git git-core texmaker \
The thread above claims that "the upload of gcc-10 moved libgcc_s.so to /lib instead of /lib/x86_64-linux-gnu." But, on my machine, the library is in /lib/x86_64-linux-gnu and not in /lib. I try copying the library to make sure it is in both locations, but that doesn't fix the issue. Am I missing something obvious? It seems I need to modify a find command somewhere, but it's not clear where to add this.
In October, I finally find a time to ask the gods on IRC for some help. And sure enough, they are able to give me various recommendations for solving the root of the problem. I chroot into the system, mount the /boot files, and then re-install the initramfs for kernel version 5.10.0-8. I also may have re-installed grub2, but I cannot recall if that made a difference.
On October 15th, after doing another apt-get update/upgrade to be safe, I confirm that I can decrypt my drive and log in as usual. So: the issue is finally resolved!
Episode II: The Agony of Trying to Connect (to a Database)
For the longest time, I believed that the hardest part of backend webdev is setting up and connecting to a database in PHP.
2009 was the year I first tried to learn PHP, and I had no ideea what I was doing. Proceeding into the early 2020s, I experienced an astounding amount of stress and confusion whenever I tried to access a database from a PHP script.
Let me illustrate one issue I had in 2022 — and mind you, this is just one small taste of the PHP difficulties I've experienced.
I decide to actually try out a NoSQL database for a change. Therefore, I try to install mongodb on my Linux host (the same Debian droplet hosting this website! Say hello).
Thankfully, I am able to install this fairly easily; the instructions on the MongoDB website are very intuitive and to-the-point, and apt installs version 5.0.5.
I soon stumble upon some demos from tutorialspoint. Aha, I think to myself, this looks promising. I've used tutorialspoint before, in my efforts to learn perl and Rust (these deserve their own articles!) and when researching things like AJAX and Selenium. I know they won't let me down this time!
Alas, the very first line of their PHP script results in a failure. I dig deeper into the Apache logs (which is already a slightly painful endeavor) and find the following error:
[Thu Jan 13 05:46:44.933952 2022] [php7:error] [pid 23821] [client **.**.**.**:53632] PHP Fatal error: Uncaught Error: Class 'MongoDB' not found in /var/www/html/*****.php:31\nStack trace:\n#0 {main}\n thrown in /var/www/html/*****.php on line 31
But as soon as I go to run this recommended one-line adjustment, I see a awfully simiar-looking error:
[Thu Jan 13 08:23:15.791746 2022] [php7:error] [pid 23821] [client **.**.**.**:53632] PHP Fatal error: Uncaught Error: Class 'MongoDB\\Driver\\Manager' not found in /var/www/html/*****.php:31\nStack trace:\n#0 {main}\n thrown in /var/www/html/*****.php on line 31
How does this make any sense??? Have I really not installed the right PHP MongoDB driver? But I had already installed php7.4-mongodb, which matches my active version of PHP (that's right, active version... more ranting about that is sure to come later) and thus should've done the job! After all, when I invoke ls /usr/lib/php/20190902/ as recommended in still other StackOverflow posts, I indeed see a mongo.so in my installed extensions.
Do I seriously need to install this specific MongoDB PHP Driver using PECL? If so, why isn't it enough to do the php7.4-mongodb installation above? Only time will tell; I am too exhausted to continue.
Intermission
To this day, part of me wonders: does anyone else have this much trouble setting up databases and connecting with PHP? Surely I cannot be alone on this one. Perhaps it is comparable to the process of setting up a build environment when one is doing game development, i.e., a necessary prerequisite that is notoriously tedious but is always worth the effort. Or perhaps I started learning PHP in the "wrong order," before I even knew what Linux was and how to install a web server.
Sure enough, the following night, I try to install the aforementioned "mongo-php-driver." The command recommended on that GitHub page fails, with a simple "pecl: command not found" error. Ok, so I need to install PECL somehow.
I stumble through the top search results, which are vague websites stating that pecl is accessed through PEAR, which can be installed with a simple php invocation. But does this really help me? No. While it does give me access to pearl and pecl executables, once I try to actually use them to install mongodb (you know... like the GitHub page suggests), they exit with the following error:
WARNING: channel "pecl.php.net" has updated its protocols, use "pecl channel-update pecl.php.net" to update downloading mongodb-1.12.0.tgz ... Starting to download mongodb-1.12.0.tgz (1,392,375 bytes) ......................................................... ...done: 1,392,375 bytes 633 source files, building running: phpize sh: 1: phpize: not found ERROR: `phpize' failed
This is becoming increasingly frustrating the further I go. I then attempt to do research on this new command phpize.
Upon doing research on phpize, I need to remember to disregard the search result titled "How to install phpize for PHP7+", which, I kid you not, literally redirects to the base domain site newbedev.com. From other search results, I discern that it is used in the build-process for PHP extensions, which at least fits into the knowledge I already have, and it is allegedly included in a package called php<version>-dev. I then try to install that package as root, which miraculously works (all hail the debian maintainers).
Then I can finally run pecl to install the full, unmitigated mongodb package, right? The culmination of all this work! To the victor go the spoils!
...
The build proceeds...
...
...and terminates with the following few lines:
Build process completed successfully Installing '/usr/lib/php/20190902/mongodb.so' install ok: channel://pecl.php.net/mongodb-1.12.0 configuration option "php_ini" is not set to php.ini location You should add "extension=mongodb.so" to php.ini Segmentation fault
This is extraodinarily frustrating. Running a package manager ends in a segfault?? Normally, I am happy to debug software using GDB to diagnose a problem, but this is a package manager! One would expect it to be well-maintained and robust.
The only saving grace is that the error message gives a clear prescription for how to avert the problem (that is, assuming that the "you should add" suggestion is even related to the segmentation fault, which is no guarantee). But here's the problem: I have been checking my PHP configuration files (/etc/php/7.4/cli/php.ini and subdirectories) numerous times, and I have triple-checked the mongodb.so is set there explicitly.
None of this makes any sense.
How I Fixed My OS
As always, asking for help on IRC reveals answers that you never would've thought possible (see also, A Word with the Gods, a C++ dialogue).
The first takeaway is an obvious one, but it was so beginner-friendly that I had assumed I was above it: when debugging, don't hesitate to call phpinfo();.
The big revelation is an equally simple, though less intuitive, principle: cli !== webserver.
The version of PHP being invoked at terminal (e.g., if I run php --version and so on) is 7.4. By contrast, the version being invoked by the Apache2 web server is 7.3! They do not match! So, as a quick solution, I ended up enabling the PHP 7.4 module and disabling the PHP 7.3 module. I believe I could have stuck with the existing versions, but then I would have had to recompile the mongodb module for PHP 7.3, which could have been a hassle.
Special thanks to da_wunder nim on libera chat for sharing this insight.
The final lesson is not to trust tutorialspoint (lol). Even after I enable the matching version of PHP, I still encounter additional errors in the API for the MongoDB client!
Unfortunately, even this solution caused something else to break (I'm detecting a pattern here). Stay tuned for later when I debug Nextcloud, which broke entirely after the update to PHP 7.4!
Episode III: Docker is great!
I don't know if it's worth telling the full story. Just know that I try running docker and encounter a very difficult bug. After asking the gods on IRC, I am finally able to resolve the error. The problem is very well-explained on another tech blog you'll find here: my-take-on.tech
Episode IV: An SSH Authorization Error (2024-03-30)
I am experiencing a problem whenever I try to "push" commits, either on an existing branch or on a new branch, to a remote git repository on bitbucket. Note that it is a private repository, but this should not matter, since I am using SSH authentication, something I used to do all the time for previous repositories, public and private.
The error message reads:
Pushing to bitbucket.org:workspace/repo.git Unauthorized fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
The obvious answer is that I have not added my SSH key to the ssh agent. But I have done so, using ssh-add and the infamous eval "$(ssh-agent)" command and updating the known_hosts.
When I try ssh -T git@bitbucket.org, the response is "authenticated via ssh key. You can use git to connect to bitbucket."
I have been trying to follow the suggestions here at cyberciti. I have upgraded git (verison is now 2.30.2).
Even the git remote.origin.url matches the "clone URL" that bitbucket tells me! So this StackOverflow answer does not apply either.
Any advice for me?
Impossible Challenges
OpenPGP
Part I: May 2022
I am exploring a library to use PGP on PHP. However, I run ito a great many difficulties, as I describe below.
So far, I can:
export my PGP key as a binary file
sign a message and output a binary file
verify the message in PHP, using both binary files (woo!)
/* Parse public key */ $senderPublicKey = OpenPGP_Message::parse(file_get_contents('ale-public-noascii.key'));
/* Parse signed message from file */ $m = OpenPGP_Message::parse(file_get_contents('signed_message_binary'));
/* Create a verifier for the key */ $verify = new OpenPGP_Crypt_RSA($senderPublicKey);
/* Dump verification information to STDOUT */ var_dump($verify->verify($m));
If I run this basic example, using binary files, then the output is a rather complex JSON dump, but it appears to correctly identify the fingerprint of the public key, as well as the text in the file being verified.
That's a good start, I think to myself. But, for my eventual use-case, I really want to make this process more user-friendly, so I want to allow the user to submit ASCII (base-64-encoded) text as inputs to the function.
So I start to follow the same steps:
export my PGP key as an ASCII file
sign a message and output an ASCII file
But if I simply go to modify the php script to de-armor the files, it fails completely!
verify the message in PHP, using both ASCII-armored files
I try modifying the example script to use the OpenPGP::unamor method (as in the example below):
/* Parse public key */ $senderPublicKey = OpenPGP_Message::parse(OpenPGP::unarmor(file_get_contents('ale-public.asc'), "PGP PUBLIC KEY BLOCK"));
/* Parse signed message from file named "t" */ $m = OpenPGP_Message::parse(OpenPGP::unarmor(file_get_contents('t'), "PGP SIGNED MESSAGE"));
/* Create a verifier for the key */ $verify = new OpenPGP_Crypt_RSA($senderPublicKey);
/* Dump verification information to STDOUT */ var_dump($verify->verify($m));
The server script does load the public key correctly. However, the rest of the script fails, posting an extraordinarily unclear output:
PHP Notice: Uninitialized string offset: 2050 in /var/www/html/singpolyma-openpgp-php-9651038/lib/openpgp.php on line 471 array(0) { }
There must be some additional byte-processing calls that I am missing. If you know what these are, please contact me! In the meantime, I have decided to require binary signatures.
Part II: August 2022
As of March 2023, I have finally resolved this issue. However, if you're interested in diving deep into technical nonsense, click to show the problem.
Notice that the signed message contains the ASCII plaintext of the signed message as a short segment in the middle!
This gold standard was generated via direct gpg terminal call. Thus, the essence of my investigation (and my bounty) is, what is the best way to replicate this when running my Java program?
This implies that the preceding stream, the first thirty-six bytes of the file, constitute a One-Pass Signature Packet.
Assuming that Chapter 4 of RFC4880 isn't lying and that the message has a packet Header whose first byte includes the "Packet Tag." Well, in that case, We'd have to assume that a3 is our first packet tag. Using the bit interpretation specified in Section 4.2, we can conclude that:
the packets are using the "old format;"
the tag value is 0b1000, or 8 in decimal;
the length value is "of indeterminate length."
If my work so far is correct, then the conclusion of Chapter 4 tells us that this packet is a "Compressed Data Packet" (tag 8) rather than a "One-Pass Signature Packet" (tag 4). Does this make sense? It is possible that the One-Pass Signature (and perhaps other data packets) are wrapped inside a Compressed Packet, but that sure would increase the tedium of this analysis. We'll either have to contact an expert or press forward until we get a clear answer.
I would have expected the tag to be a One-Pass Signature packet; however, it is perhaps noteworthy that "a One-Pass Signature does not interoperate with PGP 2.6.x or earlier." Isn't this a bad sign? Earlier in chapter 4, it reads:
PGP 2.6.x only uses old format packets. Thus, software that interoperates with those versions of PGP must only use old format packets. If interoperability is not an issue, the new packet format is RECOMMENDED. Note that old format packets have four bits of packet tags, and new format packets have six; some features cannot be used and still be backward-compatible.
But, look. If we did this correctly so far, then note that Section 5.6 directs us to the "Packet Composition" section to understand how this data is compressed. Section 11.3 is most relevant to us, since this is an OpenPGP message.
As it turns out, this StackExchange answer suggests that my work so far is correct — and that gpg contains a feature to list the packets in a given PGP-related file! And sure enough, when run on our gold-standard file, the first packet is indeed a Compressed Packet! (I didn't bother reading the rest of the output yet, so as to not spoil it.)
To Be Continued...
Takeaways
One upshot of this entire investigation (reading the specification and experimenting) is: were the BouncyCastle experts wrong when they told me to use a LiteralData Packet??? A literal data packet uses tag 11 rather than tag 8, and in Chapter 11.3, Literal Data Packets are shown to comprise Literal Messages rather than Signed Messages and One-Pass Signed Messages. In fairness, in Chapter 5.6 does state that a Compressed Data Packet "contains a literal data packet," but why didn't they explain this missing link to me in their emails?? It doesn't make any sense!
This may look relatively simple and memorable, but the fact that the resulting file is generated by redirecting std output, rather than using a -o flag, is counter-intuitive, as is the fact that the resolution is passed as a string and not an int.
Anywhere (General-purpose)
Select a desired Java version to use (on a system with alternatives).
sudo update-alternatives --config java
Remove CRLF from a file using vim! (source: StackOverflow)
:set noendofline binary
Record the timestamp for each executed bash command!
This helps in cases when you want to distinguish between different times you ran the same command consecutively, or when you want to search through commands you run on a particular day. You can do it by setting the following variable in your .bashrc:
export HISTTIMEFORMAT="%F %T $ "
Get the most used commands on your Linux terminal! (source: Linux Reviews)
history | awk '{print $2}' | sort | uniq -c | sort -nr | head
Most of these piped commands are self-explanatory, but the awk syntax is counter-intuitive: print $0 prints an entire line, and then each token in the line is indexed from $1
(akin to how python regexes work).
In this case, invoking index $1 prints a line index (simply the line number, starting at one!),
but I believe this is because it is part of the output from the history command.
Be sure to use single-quotes and not double-quotes!
The other upshot is that the $2 may need to change to a $5 if you apply the
"history timestamps" suggested above.
Require root access in a shell script (source: xmatthias)
If you've made it this far, congratulations! Here's a GIF I made, using the advice on this forum:
Career Gatekeeping: Year After Year
Or, How They Managed to Lock Me Out of the Good Jobs This Month
Rationale
First, allow me to explain that I have a passion for understanding a system at a deep conceptual level and I also have a fascination with old-fashioned technologies (languages and hardware). These interests lend themselves well to mainframe development. But I have no hands-on experience with these things, because, how would I (how many people have a decades-old mainframe sitting in their basement?). Meanwhile, by pure coincidence, I hear rumors about how people can get paid large sums of money to do work with fortran and COBOL — allegedly, because there are so few programmers who know these languages. Soon after I start recording these narratives in writing, a tech journalist writes that, "if you can wrap your head around this relatively simple but verbose language, you are basically guaranteed a job."
However, as I soon discover, there are no entry-level mainframe positions, as I will attempt to illustrate below.
Ok, well, perhaps this is like the other good jobs in computer science: they demand a few years of experence even for their entry-level positions.
Over the course of several years, as I gain more years of experience, the job openings explicitly require an even greater number of years of experience (a moving goalpost). This leads me to the conclusion that the most interesting jobs at the most interesting companies are being reserved for a static set of people: those born before 1997.
So, which is it? Are the jobs paying a high salary because of low Supply, i.e., they cannot find any programmers who know the languages (mere knowledge)? Or are they using that as a pretense, when in reality, they only want highly experienced engineers (several "years of experience")? Or is there an element of ageism, in which Gen Xers "pulled the ladder up behind them?" I have set out to investigate these narratives, by recording data about job vacancies and how their "minimum qualifications" change over time (month after month).
Methodology
The following are actual excerpts from COBOL-related vacancies. I promise you, I did not skew the data by cherry-picking jobs wth unusually high requirements for "prior experience;" rather, these are very representative job openings. If you doubt this, then I challenge you to search it yourself and prove me wrong. In the long run, I intend to integrate a PHP script to automatically append vacancies to this table to drive the point home.
Data
Date Posted
Demanded Years of Experience
Type of Experience Preferred
Position Title
Additional Notes
Feb. 20, 2022
4-5 Years
"ESB Integration experience" plus unspecified amnt. of experience with "COBOL, CICS, JCL/PROC, VSAM, DB2, Easytrieve."
Mainframe Developer
Feb. 20, 2022
10 Years (z/OS)
"z/OS, TSO, SYSVIEW and/or ISPF, Basic IBM utilities IDCAMS"
Mainframe IMS Database Administrator
"Candidates that do not meet or exceed the minimum stated requirements (skills/experience) will be displayed to customers but may not be chosen for this opportunity." The grammar of this sentence is both incorrect andambiguous. I'm surprised they would dare to make it this unclear.
Feb. 20, 2022
5-8 Years*
"ESB Integration experience" plus unspecified amnt. of experience with "COBOL, CICS, JCL/PROC, VSAM, DB2, Easytrieve."
Senior Software Developer, Technical Lead
*"Experience with COBOL and other programming languages such as [...]" i.e., the number of years of COBOL is technically unclear.
Feb. 19, 2022
10 Years
"The candidate must have the below skills: [...] 10+ years' experience in basic z/OS utilities, TSO, SYSVIEW and/or ISPF, Basic IBM utilities IDCAMS, IEFBR14"
Mainframe Administrator
Feb. 19, 2022
7 Years
"7+ years of experience in COBOL/JCL/VSAM/CICS."
Mainframe Developer
Mar. 22, 2022
7 Years
"Must have seven (7) years of experience in the Information Technology field," including "At least five (5) years of experience as a Mainframe SME." "Proven experience on IBM Mainframe z/OS"
Mainframe Developer
Apr. 19, 2022
10 Years
"Hands-on technical experience with mainframe non-x86 legacy systems and with technologies such as COBOL, JCL, CICS, DB2 for z/OS, Assembler, PL/I, Java, Rexx, flat/sequential files, GDGs, and VSAM — 5 years."
Mainframe Developer
June 8, 2022
7-12 Years
"Minimum of 3 years of experience working on mainframe, SQL and Relational Databases such as DB2, Oracle, and SQL Server."
Systems Analyst
The mainframe-specific year threshold is more attainable, for once, but they still insist on seven years of professional experience.
August 26, 2022
20 Years
"opportunity to work on the same systems you used to as a kid: IBM Mainframe; IDMs; COBOL; [...]"
Software Engineer
September 23, 2022
Bachelor's Degree + 3 Years
"Autosys: 3 years (Required)" "z/OS Mainframe: 3 years (Required)." "Cobol: 3 years (Required)"
Infrastructure Governance Deployment Technician
Notice that many positions give ambiguous descriptions that do not give an exact number of years for COBOL specifically, but nonetheless state that it is required. Examples include: "Experience with mainframe and Cobol is a plus" (Edward Jones); "Experience with COBOL and other programming languages such as [...]" (Zigabyte); "Experience with COBOL, CI/CD, DB2 is required" (Benedsoft).
MIT License Copyright (c) 2019 AKIRA-MIYAKE Permission is hereby granted, free of charge, to any person obtaining a copyof this software and associated documentation files (the "Software"), to dealin the Software without restriction, including without limitation the rightsto use, copy, modify, merge, publish, distribute, sublicense, and/or sellcopies of the Software, and to permit persons to whom the Software isfurnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in allcopies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THESOFTWARE.
Copyright (c) 2014, The Fira Code Project Authors (https://github.com/tonsky/FiraCode) This Font Software is licensed under the SIL Open Font License, Version 1.1.This license is copied below, and is also available with a FAQ at:http://scripts.sil.org/OFL
SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
PREAMBLEThe goals of the Open Font License (OFL) are to stimulate worldwidedevelopment of collaborative font projects, to support the font creationefforts of academic and linguistic communities, and to provide a free andopen framework in which fonts may be shared and improved in partnershipwith others.
The OFL allows the licensed fonts to be used, studied, modified andredistributed freely as long as they are not sold by themselves. Thefonts, including any derivative works, can be bundled, embedded,redistributed and/or sold with any software provided that any reservednames are not used by derivative works. The fonts and derivatives,however, cannot be released under any other type of license. Therequirement for fonts to remain under this license does not applyto any document created using the fonts or their derivatives.
DEFINITIONS"Font Software" refers to the set of files released by the CopyrightHolder(s) under this license and clearly marked as such. This mayinclude source files, build scripts and documentation.
"Reserved Font Name" refers to any names specified as such after thecopyright statement(s).
"Original Version" refers to the collection of Font Software components asdistributed by the Copyright Holder(s).
"Modified Version" refers to any derivative made by adding to, deleting,or substituting -- in part or in whole -- any of the components of theOriginal Version, by changing formats or by porting the Font Software to anew environment.
"Author" refers to any designer, engineer, programmer, technicalwriter or other person who contributed to the Font Software.
PERMISSION & CONDITIONSPermission is hereby granted, free of charge, to any person obtaininga copy of the Font Software, to use, study, copy, merge, embed, modify,redistribute, and sell modified and unmodified copies of the FontSoftware, subject to the following conditions:
1) Neither the Font Software nor any of its individual components,in Original or Modified Versions, may be sold by itself.
2) Original or Modified Versions of the Font Software may be bundled,redistributed and/or sold with any software, provided that each copycontains the above copyright notice and this license. These can beincluded either as stand-alone text files, human-readable headers orin the appropriate machine-readable metadata fields within text orbinary files as long as those fields can be easily viewed by the user.
3) No Modified Version of the Font Software may use the Reserved FontName(s) unless explicit written permission is granted by the correspondingCopyright Holder. This restriction only applies to the primary font name aspresented to the users.
4) The name(s) of the Copyright Holder(s) or the Author(s) of the FontSoftware shall not be used to promote, endorse or advertise anyModified Version, except to acknowledge the contribution(s) of theCopyright Holder(s) and the Author(s) or with their explicit writtenpermission.
5) The Font Software, modified or unmodified, in part or in whole,must be distributed entirely under this license, and must not bedistributed under any other license. The requirement for fonts toremain under this license does not apply to any document createdusing the Font Software.
TERMINATIONThis license becomes null and void if any of the above conditions arenot met.
DISCLAIMERTHE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENTOF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THECOPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIALDAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISINGFROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROMOTHER DEALINGS IN THE FONT SOFTWARE.
