Wednesday, July 3, 2013

Exploiting Blogger For Passwords

Disclaimer: I do not recommend doing this, and I am not responsible for any trouble you get in for doing this. This post is for educational purposes only. ETC ETC

While working on my site I stumbled upon a way one could harvest Google account passwords from a simple blog account. By setting up a Blogger page, you have the option to include a Google Friend Connect "Join this site" button widget complete with profile pictures of other members who have joined the site.

Look familiar?

At first, I was hesitant to post this, because this site uses the Google Friend Connect widget. Then I realized that no one has used the feature in almost a year, and that the number of users using the service has dropped off, while traffic to the site remained steady. That doesn't mean one could do this with any other sort of connect feature websites often have (Facebook, Reddit, etc.). Pointing out such flaws will hopefully make such services much more secure in the future, as the flaw will hopefully be corrected in some way.

Clicking on the blue button prompts the user to input a Google, Twitter, or Yahoo account login and password. By simply misdirecting the path of the follow URL, one could then spoof the login page so that the information entered follows through to a malicious site. All one has to do is replicate the Google service login popup. No URL is displayed during the whole process.

Such a method has been used before. Mistyping the Craigslist URL might bring you to a page notifying you that you need to update your version of Adobe Flash. Everything from the color scheme used, the font, and the installer are all reminiscent of what Adobe uses for their flash program.

uh oh...

Of course, the URL supersavings.glidehomes.com should be a giant red flag! Following through with the install will almost certainly lead to viruses/malware/adware. Another variant of this technique was used by the Torpig botnet, which university researchers were able to take control of. They learned that the botnet was spoofing online banking logins for major banks on the infected computers, then sending the login information to whoever owned the botnet. Pretty scary stuff.

Did Bots in Quake 3 "Learn" Pacifism?


Anon supposedly recreated the ending of Wargames


No. A 4chan post has been circulating the Internet recently, claiming that after four years on a server full of bots in a Quake 3 death match game, the bots learned that the best strategy was not to kill each other. Huffington Post jumped on the story, although they later updated the page admitting the story was a hoax. However, they did not explain why the story was fake. A major news outlet jumping on an anonymous 4chan copypasta should be a reflection of the current state of news today. 

The original 4chan thread.
A whole thesis was published by id Software in 2001 detailing the build and intricacies of the bots. Furthermore, in 2005 the Quake 3 source code was released under the GNU license, meaning anyone with a compiler could dig through the code. This should give us the tools necessary to scrutinize these claims.
Let us first take a look at the original post:

"Quake 3 bots were designed off an artificial neural network.
They would effectively "think" to figure out the best way to do things. 
They would see which tactics worked and which didn't.
The longer they played the more they would learn about you, figuring out your patterns, and this would apply to other bots as well. For all intents and purposes they were one of the first learning AI in a game.

When I found out that I set up a Quake 3 arena server on my pirating server just to have 16 bots over and over just to see how good they would get. 
I set the server up 4 years ago, it's been running the entire time, I forgot about it until this thread. I'm gonna go check on them."
From page 13 of the thesis on Quake AI:
Although neural networks can be useful in several areas in bot AI they are not used for the Quake III Arena bot.
John Carmack even tweeted a response to the claims being made:


The bots are programmed to react to players given reaction time and accuracy constraints for the particular map. The bots DO have an internal representation of each map given the "volume" of the map. They are not self-learning, and they do not aggregate information for use later. "Learning" might not even be an appropriate context for what the bots do. Instead, having your bots standing around is much more consistent with a bug in the code. For example, the files could have reached a maximum size limit, and the bots simply stopped.

If each of his bot logs are 256 megs each, and there are 16 bots, loading 8 gigs of RAM on a 32-bit computer game is implausible in the first place. Even if this guy had over 8 gigs of RAM in his computer, he simply could not load all of that bot data in the first place. While the data could be loaded into memory as needed, the thesis specifically states that not being able to load such specific data in a fast-paced game was a limitation of the game, and why a neural network could not be used. Once again, from page 13 of the thesis:
It is also possible to train a neural network during gameplay, which allows the bot to acquire all kinds of knowledge. However training of a neural network is often a time consuming process. The learning capabilities of the neural network will often have to be limited due to the time constraints in a real-time application like a game.
Finally, there are other aspects of the story that are bizarre. Who has a server running for four years and forgets about it? During that time the game never crashed; the electricity never went out? No screenshots or video of this situation exist? The particular conditions should be replicable, and could possibly take much less time than 4 years to replicate. I am not saying that such a situation of pacifism is implausible, but this story is clearly a hoax.

Quake has almost always been predominantly a multi-player game, with AI rarely being a focus in lieu of graphics, networking, and game-play elements. The bots could still do some pretty impressive things, however. They were able to produce pre-determined chat sentences given certain environmental characteristics (p. 57).

ex. 1

if environmental change then
    if bot wants to chat then
        choose initial chat
        use random strings in chat message
        replace synonyms in chat message to add variation
        output chat message
    endif
endif

ex. 2

if bot receives a message then
    replace synonyms in the message
    interpret message using match templates
    if match is found then
        perform action
    else
        if message is a chat message from another player then
            if bot wants to reply to this message then
                find a reply chat
                use random strings in chat message
                replace synonyms in chat message to add variation
                output chat message
            endif
        endif
    endif
endif
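To make the point of ex. 2 concrete, here is an added illustration in C (not id Software's code, and not taken from the thesis) of the "replace synonyms, then match against fixed templates" step. The synonym and template tables are constructed for this example; the reply is fully determined by the tables, so nothing is learned between messages.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_MSG 128

/* Constructed synonym table: variant word -> canonical word. */
typedef struct { const char *word; const char *canonical; } Synonym;
static const Synonym synonyms[] = {
    {"u", "you"}, {"ya", "you"}, {"hey", "hello"}, {"hi", "hello"}, {"cya", "bye"},
};

/* Constructed match templates: canned phrase in the normalised message -> canned reply. */
typedef struct { const char *pattern; const char *reply; } MatchTemplate;
static const MatchTemplate templates[] = {
    {"hello", "hello, player"},
    {"bye", "see you"},
    {"good shot", "thanks"},
};

/* Lower-case the message and rewrite each word through the synonym table
 * ("replace synonyms in the message"). */
void normalize_message(const char *in, char *out, size_t outsz) {
    char buf[MAX_MSG];
    strncpy(buf, in, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *p = buf; *p; p++) *p = (char)tolower((unsigned char)*p);
    out[0] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        const char *w = tok;
        for (size_t i = 0; i < sizeof synonyms / sizeof *synonyms; i++)
            if (strcmp(tok, synonyms[i].word) == 0) { w = synonyms[i].canonical; break; }
        if (out[0]) strncat(out, " ", outsz - strlen(out) - 1);
        strncat(out, w, outsz - strlen(out) - 1);
    }
}

/* "interpret message using match templates": return the reply for the first
 * template found in the normalised message, or NULL when nothing matches
 * (the bot stays silent, exactly as the pseudocode's missing else-branch implies). */
const char *reply_to_chat(const char *message) {
    char norm[MAX_MSG];
    normalize_message(message, norm, sizeof norm);
    for (size_t i = 0; i < sizeof templates / sizeof *templates; i++)
        if (strstr(norm, templates[i].pattern)) return templates[i].reply;
    return NULL;
}

int main(void) {
    const char *r = reply_to_chat("Hey u");
    printf("%s\n", r ? r : "(no reply)");
    return 0;
}
```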
As mentioned before, the bots DO react to players given reaction time and accuracy constraints and traverse "nodes" in relation to the current map. In this way, the bots do "think", but they do not "learn". AI programming is still being developed independently for contemporary first-person shooters, and none of them have replicated anything like this. That is not to say that something like this could never happen. But one should keep in mind the disclaimer pasted across the top of some 4chan boards: "The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact."