I can’t even start to express how much this comment means to me, it haven’t been a easy path, that’s a fact, so thank you for noticing all the hard work and the love I have for our community.
@STOKfredrik you actually inspired me to move into cyber security ..I always had a love for it but saw it as a hobby .. but your video about hacking a hardened target (I think some sort of http smuggling I can't remember exactly ) really rustled my jimmies and convinced me to push on even though it's difficult. I hope that one day I can buy you a beer 🍺 and say thanks
i was in a AIX troubleshooting class in ~2005 and the trainer warned us about ever, every opening log files for network services without cleansing them first (and not as root, duh). i try to still stick by that, and any security issue in strings/file or ox or regex libs triggers horrible paranoia. regex especially with mod_security being a massive regex target.
This is something I highlighted in a comment thread at ISC some years back, I think Johannes wrote a follow-up post about it. Back in the day, ins MS-DOS, you could print an ANSI sequence that would actually redefine what the keys did. So if you pressed space, you'd get "del c:\dos\*" for example ..
I remembered that. It was one of those “coolest thing ever that nobody around you can understand the coolness of” moments, when I discovered that as a teenager playing with the really obscure parts of DOS.
nice talk :D Remember that the middle of a dark LAN party with few 100 people playing CS 1.5 or was it CS 1.6 when you sent "net send" you could target all machines locally. Maan those nerds got a suntan when all machines in sync switched focus from their game and was forced into Windows! displaying the net send command :D
Super fun talk. Very slick! Back i the day you could encode vbScripts (probably because you had secrets in there). Someone made a vbScript decoder. I used to stuff my vbScritps with commented out ASCII DEL characters. After decryption you get an empty file. jättekul!!
this was truly amazing talk! love stoks work for many years now but he always has a fantastic way of conveying his knowledge so detailed but in a digestible way! thanks you!
Balls. I even use this in my bashrc # Function to set the title of the window function retitle(){ echo -ne "\033]2;$1\007" } # Export to allow scripts to retitle the window they're run in. export -f retitle
Fun and interesting talk. I discovered an angle on this many years ago on IRC. UTF-8 sequences can contain certain valid control codes in the 2nd byte and onwards, allowing you to "smuggle" them past sanitization when configuration of things doesn't line up. For example, some users' IRC clients would receive and interpret the byte sequences as UTF-8 but their terminal would honor the control codes. \x9B from the C1 control codes worked as a CSI when I played with it, and can be the second byte of a valid UTF-8 character.
Well done. This talk could use a followup with more nuts-and-bolts detail. I got heavily into all this over twenty years ago because of the explosion of abuse/attacks taking place back then, with a lot of it including or relying upon ANSI escape codes in multiple formats. It wasn't just terminals getting owned and logs getting edited, overwritten, and otherwise abused - it was full-spectrum abuse in browsers, apps, whatever. The issues with ANSI/Unicode abuse are not at all limited to escape sequences. It gets, of course, much worse. But the escape sequences in terminals (or relying on terminals) can do an enormous amount and there is readily available documentation on the general proper usage of these codes. And there are also documented accounts of past abuses, as this video discusses. So this subject captures a core set of built-in abuse vectors that to back to the dawn of computing. This core gets to the core of a big part of why computer networks remain fundamentally indefensible: American-institution stewardship of of computing standards, where those institutions trace back to secrecy-obsessed, transparency-averse, Cold-War agencies tasked with what we euphemistically call intelligence and defense. That last bit (which I include just to emphasize the importance of the topic, taken in general terms) gets too far ahead, however, of what I have in mind. What people could use now, it seems - smart or otherwise - would be a detail-focused companion presentation to this brilliant, decades-spanning introduction by Stök.
what a freakin' incredible presentation ~ the timing so poignant and comedic, while never undermining the seriousness of the situation. i'd work with this guy
my immediate thought after hearing about changing colours and needing to end the colour change with another escape sequence was that you could make all text the same colour as the terminal background. or maybe just some of the text
25 years ago a friend of mine and me implemented a BBS/Chat-Server in plain Java (Java1.2 on linux it was) to replace an existing old c implementation variant which was not maintainable anymore as uni-project. it never got live as the admins of the existing missed features and we did want to code further (after one and a half year extensive daily coding)without going live. we got our uni credits and we learned so much during that time we played a lot with ESC sequences, cursors tabs backspace/delete full color mode and stuff, all stuff which was not possible or mediocre in the c implementation. we did a serverside ncurses like gui builder and and and. and we made it optional to write colored logs Critical in bold red, Medium in yellow and status messages were green with esc sequences all full bells and whistles... at that time until your talk i saw yesterday, i never thought of abusing them for any evil stuff... man we were so naiv and good meaning :D thx for the great talk and bringing back a lot of great memories
Only just got chance to watch this now. Great work Stök , and it was great to hear you talking again. I know it was a 40 minute talk, but I can't imagine the amount of hard work and time that went into that 🤘
This talk makes me scared of using cat! Every once in a while i open a binary log/file with cat accidentally and the terminal rightfully barfs at me for doing it. But i never imagined rouge escape sequences could actually cause that much damage when abused by an attacker! yikes!
I had a friend back in the early to mid 1990's tell another friend of mine he put an ansi bomb into a video memory of a BBS me and him had a good laugh but my other friend ended up called the bbs provider and tell them that he had done this and they ended up shutting down the POP dial IN number for a week
I majorly use ANSI mode when editing images in Notepad++ it just makes it more visually enjoyable to work with. Opening up jpg, png or avif code can look pretty crazy in utf-8 xthis xthat...lol😂
Never heard of him, but he is quite a fun presenter. And I will never work with log files the same way again. I knew about these back in the day, and also what you could do with them on terminals because I use a lot of ncurses stuff,, but I never really thought of the impact they could have through injection.
11:00 "Is this even a security issue?" This is the long, long shadow of Master Mode and "Old = New(new)" is absolutely spot on, in this case. History repeats not because people don't know history but because they do.
Yes and No. This is just another view of failing to follow best practices. Too many things will use user input without validation or sanity. For example, whatever you type in at the login prompt will blindly be logged by "login" -- "Unknown user: [unsanitized user input]" If you ever allow that log message to be sent to any terminal without any filtering, you have a _potential_ problem. It's been the same _potential_ problem since escape sequences were invented. We've only made them *worse* over the years.
Talk doesn't start till ~6:45. Be warned, obscene amount of memes, GIFs, and such. Also, what's old is new again. I guess showiness, having a brand and tons of followers is what gets you the ability to present talks.
Well yes and no, you still have to pass a peer review and provide either new research or as in this case, a fresh look at something old. having a personal brand and showmanship definitely helps, adding comedy and a fast paced visual flow keeps the audience attention. And yes you are right, my presentation style isn’t for everyone, and that’s ok, But thanks for taking your time to comment and leave feedback, appreciate it.
@@STOKfredrik I think the only thing I'd add in the future would be a bit more history on the on the ANSI escape sequences. I think that would be helpful for newer generations to understand some of that. The context you added about what each terminal prefers is fantastic, I feel like in general that's glossed over/obscure. Also, your timing is fantastic considering the quantity of slides you presented. :)
This is hands down one of the best talks I've ever heard. Good job Stök!
Thanks, happy you liked it!
@@STOKfredrik omg you replied, yay!!
He's an amazing presenter .. and a gem for the community.. great job Stök ❤
I can’t even start to express how much this comment means to me, it haven’t been a easy path, that’s a fact, so thank you for noticing all the hard work and the love I have for our community.
@STOKfredrik you actually inspired me to move into cyber security ..I always had a love for it but saw it as a hobby .. but your video about hacking a hardened target (I think some sort of http smuggling I can't remember exactly ) really rustled my jimmies and convinced me to push on even though it's difficult. I hope that one day I can buy you a beer 🍺 and say thanks
Stönks
@@STOKfredrik14:50 "so even though I was like Fuk Yeah! ..confirmed!"
You're a legend, sir!
Wow, he got video and audio to work live first try!
I've never been so nervous to go look at logs.....
Mission accomplished, see it as security awareness training :)
This is probably one of the best presentation, if not the best, I ever saw, for any content, ever
Mind blown, thanks, seriously thanks!
i was in a AIX troubleshooting class in ~2005 and the trainer warned us about ever, every opening log files for network services without cleansing them first (and not as root, duh). i try to still stick by that, and any security issue in strings/file or ox or regex libs triggers horrible paranoia. regex especially with mod_security being a massive regex target.
This is something I highlighted in a comment thread at ISC some years back, I think Johannes wrote a follow-up post about it.
Back in the day, ins MS-DOS, you could print an ANSI sequence that would actually redefine what the keys did. So if you pressed space, you'd get "del c:\dos\*" for example ..
That is sometimes called "ANSI Bombs", I mentioned it in my talk: ruclips.net/video/Y4A7KMQEmfo/видео.html
I remembered that. It was one of those “coolest thing ever that nobody around you can understand the coolness of” moments, when I discovered that as a teenager playing with the really obscure parts of DOS.
nice talk :D Remember that the middle of a dark LAN party with few 100 people playing CS 1.5 or was it CS 1.6 when you sent "net send" you could target all machines locally. Maan those nerds got a suntan when all machines in sync switched focus from their game and was forced into Windows! displaying the net send command :D
Super fun talk. Very slick!
Back i the day you could encode vbScripts (probably because you had secrets in there). Someone made a vbScript decoder. I used to stuff my vbScritps with commented out ASCII DEL characters. After decryption you get an empty file. jättekul!!
Hilarious! Mischief 101
this was truly amazing talk! love stoks work for many years now but he always has a fantastic way of conveying his knowledge so detailed but in a digestible way! thanks you!
Wow that’s amazing to hear, mission accomplished, means a lot 🙏
ansi escape codes turing complete? :)
Don’t fully understand, but it’s a very interesting area and things definitely are happing in this space,
7:21 fun fact, there is an xterm OSC escape sequence reserved for emacs shell
Balls. I even use this in my bashrc
# Function to set the title of the window
function retitle(){
echo -ne "\033]2;$1\007"
}
# Export to allow scripts to retitle the window they're run in.
export -f retitle
Haha rip ❤️🪦
Fun and interesting talk. I discovered an angle on this many years ago on IRC. UTF-8 sequences can contain certain valid control codes in the 2nd byte and onwards, allowing you to "smuggle" them past sanitization when configuration of things doesn't line up. For example, some users' IRC clients would receive and interpret the byte sequences as UTF-8 but their terminal would honor the control codes. \x9B from the C1 control codes worked as a CSI when I played with it, and can be the second byte of a valid UTF-8 character.
Thanks for the amazing shout-out for dgl -- we think he's amazing, too :D
He is! If it wasn’t for dgl my research wouldn’t have evolved into what it is today.
This was such an entertaining presentation. Had a good time watching it. Very well done.
Thanks! Happy you liked it!
Well done. This talk could use a followup with more nuts-and-bolts detail. I got heavily into all this over twenty years ago because of the explosion of abuse/attacks taking place back then, with a lot of it including or relying upon ANSI escape codes in multiple formats. It wasn't just terminals getting owned and logs getting edited, overwritten, and otherwise abused - it was full-spectrum abuse in browsers, apps, whatever. The issues with ANSI/Unicode abuse are not at all limited to escape sequences. It gets, of course, much worse. But the escape sequences in terminals (or relying on terminals) can do an enormous amount and there is readily available documentation on the general proper usage of these codes. And there are also documented accounts of past abuses, as this video discusses. So this subject captures a core set of built-in abuse vectors that to back to the dawn of computing. This core gets to the core of a big part of why computer networks remain fundamentally indefensible: American-institution stewardship of of computing standards, where those institutions trace back to secrecy-obsessed, transparency-averse, Cold-War agencies tasked with what we euphemistically call intelligence and defense.
That last bit (which I include just to emphasize the importance of the topic, taken in general terms) gets too far ahead, however, of what I have in mind. What people could use now, it seems - smart or otherwise - would be a detail-focused companion presentation to this brilliant, decades-spanning introduction by Stök.
Thor After Love and Thunder. 🔥
Jesus Christ Stok you guys have changed the game entirely, way to go!
Good times, but I’m standing on the shoulders of giants, just viewing it in another perspective with a malicious mindset.
i teared up laughing at the billion peace signs part. you’re the man! keep pushing, love from Canada
Very glad this was put on youtube! I've been telling people about this talk since I walked out of it, and now I can send people the video
Such an entertaining talk, with great implications.
Great job!
Thanks 🙏
what a freakin' incredible presentation ~ the timing so poignant and comedic, while never undermining the seriousness of the situation. i'd work with this guy
Yet another example of devs who are forced to be clever to keep a job doing stupid and unnecessary things that make no sense and are insecure.
nice talk.. i dont knowe so much about ANSI security but did get a lot wiser. thank you very much 4 all time you put in. so easy when you explain it.
my immediate thought after hearing about changing colours and needing to end the colour change with another escape sequence was that you could make all text the same colour as the terminal background. or maybe just some of the text
25 years ago a friend of mine and me implemented a BBS/Chat-Server in plain Java (Java1.2 on linux it was) to replace an existing old c implementation variant which was not maintainable anymore as uni-project.
it never got live as the admins of the existing missed features and we did want to code further (after one and a half year extensive daily coding)without going live. we got our uni credits and we learned so much during that time
we played a lot with ESC sequences, cursors tabs backspace/delete full color mode and stuff, all stuff which was not possible or mediocre in the c implementation. we did a serverside ncurses like gui builder and and and.
and we made it optional to write colored logs Critical in bold red, Medium in yellow and status messages were green with esc sequences
all full bells and whistles...
at that time until your talk i saw yesterday, i never thought of abusing them for any evil stuff... man we were so naiv and good meaning :D
thx for the great talk and bringing back a lot of great memories
Too much bells and whistles
Ding!
Is this the guy behind all the stickers I used to see with that moniker? If so that’s super cool…
really great stuff man! i love the ideas building on ideas with comedy, awesome!
It’s a fine balance and a graceful dance to mix deep tech with comedy to entertain the neurodiverse mind.
This guy had me in the first 60 seconds
Only just got chance to watch this now. Great work Stök , and it was great to hear you talking again. I know it was a 40 minute talk, but I can't imagine the amount of hard work and time that went into that 🤘
Great talk!
Great talk! Keep up the good work!
All your log are belong to us
Indeed
is polyglot from 25:22 public somewhere to download?
This guy is super compelling! Really fun presentation
Thanks, happy you liked it !
What a legend. Wish I had a brain that worked like this. Also what a killer presentation!
Loved this! Stök always impresses!
Yoo Stök!!
Youre amazing, one of the best !
If you put it at .75 playback speed its a lot better
nice to see stok presenting in defcon 🔥
We all need more attitudes like Stök on our teams.
❤✌️
Thats cooooolll!!!!
8:00 Since editors nowadays (and their syntax highlighting) don't really like brackets that aren't closed, I tend to use "\033\133" instead of "\e[".
This talk makes me scared of using cat! Every once in a while i open a binary log/file with cat accidentally and the terminal rightfully barfs at me for doing it. But i never imagined rouge escape sequences could actually cause that much damage when abused by an attacker! yikes!
Playing Discworld
That's pure gold
Hay stock I know u are going through a lot mantlly
I really hope u ll get well soon
And u come back soon
May the karma be with u
I had a friend back in the early to mid 1990's tell another friend of mine he put an ansi bomb into a video memory of a BBS me and him had a good laugh but my other friend ended up called the bbs provider and tell them that he had done this and they ended up shutting down the POP dial IN number for a week
I majorly use ANSI mode when editing images in Notepad++ it just makes it more visually enjoyable to work with. Opening up jpg, png or avif code can look pretty crazy in utf-8 xthis xthat...lol😂
Never heard of him, but he is quite a fun presenter. And I will never work with log files the same way again. I knew about these back in the day, and also what you could do with them on terminals because I use a lot of ncurses stuff,, but I never really thought of the impact they could have through injection.
The smartest Dudeson
Wow, I didn't know Macaulay Culkin was big into ANSI escape sequences!
11:00 "Is this even a security issue?"
This is the long, long shadow of Master Mode and "Old = New(new)" is absolutely spot on, in this case. History repeats not because people don't know history but because they do.
Yes and No. This is just another view of failing to follow best practices. Too many things will use user input without validation or sanity. For example, whatever you type in at the login prompt will blindly be logged by "login" -- "Unknown user: [unsanitized user input]" If you ever allow that log message to be sent to any terminal without any filtering, you have a _potential_ problem. It's been the same _potential_ problem since escape sequences were invented. We've only made them *worse* over the years.
@@jfbeam any programmer who fails to filter any data field in their software isn't competent to work in the industry.
@@Mercurio-Morat-Goes-Bughunting I can't disagree. Most programmers *shouldn't be.*
Hey, it's 98 again.
I remember my takeaway from back then was to use less instead of more
Great presentation, you are a fun crazy man!
Kind regards.
Mrs. Ragone
what is a real content?
Thanks for the talk, very passionate :)
You are welcome!
nice ! best energy ever
The best professor
Woke me up... 😂. Excellent presentation and wired dude. 👍👍
This guy and his videos got me into infosec. So glad to see my boy at DefCon!
4:45 this is gonna be good. what about all that alexa stuff with this. sounds dangerous edit:sp
6:52 did that apostrophe get injected there via a rogue ANSI escape sequence?
Couple years back I tried to reach out to bro to collab on some bounties and he jus ignored me lol
Great talk!
the G.O.A.T
Talk doesn't start till ~6:45. Be warned, obscene amount of memes, GIFs, and such.
Also, what's old is new again. I guess showiness, having a brand and tons of followers is what gets you the ability to present talks.
Well yes and no, you still have to pass a peer review and provide either new research or as in this case, a fresh look at something old. having a personal brand and showmanship definitely helps, adding comedy and a fast paced visual flow keeps the audience attention. And yes you are right, my presentation style isn’t for everyone, and that’s ok, But thanks for taking your time to comment and leave feedback, appreciate it.
@@STOKfredrik I think the only thing I'd add in the future would be a bit more history on the on the ANSI escape sequences. I think that would be helpful for newer generations to understand some of that. The context you added about what each terminal prefers is fantastic, I feel like in general that's glossed over/obscure.
Also, your timing is fantastic considering the quantity of slides you presented. :)
STÖK i decrypt your msg at 2:20 on that alaram clock
😂💪
Woohoo!!!! STOK great talk man!
You know what I hate?
When I ask for logs and get EDITED logs, because people think they can read logs themselves... they can not.
strings badlog.txt
[31mESC-INJECTION:
[32mSUCCESSFUL
How dare you mock us MUD players!
This dude is awesome.
Thanks
amazing wow 👏👏👏👏
❤🙏✌️
Amazing talk!!
Thanks, happy you liked it
Snyggt jobbat
Soo cool
His accent makes it impossible.
I'll read the transcript, Thor.
I'm disappointed how the audience was silent when he said you could print stuff
.. hahaha the audience must not be programmers 🤣🤣🤣
This pseudohuman thing is a great demonstration of why drugs are bad for you.
If in doubt, add moar..