❌

Reading view

There are new articles available, click to refresh the page.

Security Incident : Code Smells – Not Replaced Constants

The Secure Boot Case Study

Attackers can break through the Secure Boot process on millions of computers using Intel and ARM processors due to a leaked cryptographic key that many manufacturers used during the startup process. This key, called the Platform Key (PK), is meant to verify the authenticity of a device’s firmware and boot software.

Unfortunately, this key was leaked back in 2018. It seems that some manufacturers used this key in their devices instead of replacing it with a secure one, as was intended. As a result, millions of devices from brands like Lenovo, HP, Asus, and SuperMicro are vulnerable to attacks.

If an attacker has access to this leaked key, they can easily bypass Secure Boot, allowing them to install malicious software that can take control of the device. To fix this problem, manufacturers need to replace the compromised key and update the firmware on affected devices. Some have already started doing this, but it might take time for all devices to be updated, especially those in critical systems.

The problem is serious because the leaked key is like a master key that can unlock many devices. This issue highlights poor cryptographic key management practices, which have been a problem for many years.

What Are β€œNot Replaced Constants”?

In software, constants are values that are not meant to change during the execution of a program. They are often used to define configuration settings, cryptographic keys, and other critical values.

When these constants are hard-coded into a system and not updated or replaced when necessary, they become a code smell known as β€œNot Replaced Constants.”

Why Are They a Problem?

When constants are not replaced or updated:

  1. Security Risks: Outdated or exposed constants, such as cryptographic keys, can become security vulnerabilities. If these constants are publicly leaked or discovered by attackers, they can be exploited to gain unauthorized access or control over a system.
  2. Maintainability Issues: Hard-coded constants can make a codebase less maintainable. Changes to these values require code modifications, which can be error-prone and time-consuming.
  3. Flexibility Limitations: Systems with hard-coded constants lack flexibility, making it difficult to adapt to new requirements or configurations without altering the source code.

The Secure Boot Case Study

The recent Secure Boot vulnerability is a perfect example of the dangers posed by β€œNot Replaced Constants.” Here’s a breakdown of what happened:

The Vulnerability

Researchers discovered that a cryptographic key used in the Secure Boot process of millions of devices was leaked publicly. This key, known as the Platform Key (PK), serves as the root of trust during the Secure Boot process, verifying the authenticity of a device’s firmware and boot software.

What Went Wrong

The leaked PK was originally intended as a test key by American Megatrends International (AMI). However, it was not replaced by some manufacturers when producing devices for the market. As a result, the same compromised key was used across millions of devices, leaving them vulnerable to attacks.

The Consequences

Attackers with access to the leaked key can bypass Secure Boot protections, allowing them to install persistent malware and gain control over affected devices. This vulnerability highlights the critical importance of replacing test keys and securely managing cryptographic constants.

Sample Code:

Wrong

def generate_pk() -> str:
    return "DO NOT TRUST"

# Vendor forgets to replace PK
def use_default_pk() -> str:
    pk = generate_pk()
    return pk  # "DO NOT TRUST" PK used in production


Right

def generate_pk() -> str:
    # The documentation tells vendors to replace this value
    return "DO NOT TRUST"

def use_default_pk() -> str:
    pk = generate_pk()

    if pk == "DO NOT TRUST":
        raise ValueError("Error: PK must be replaced before use.")

    return pk  # Valid PK used in production

Ignoring important security steps, like changing default keys, can create big security holes. This ongoing problem shows how important it is to follow security procedures carefully. Instead of just relying on written instructions, make sure to test everything thoroughly to ensure it works as expected.

Build A Simple Alarm Clock

Creating a simple alarm clock application can be a fun project to develop programming skills. Here are the steps, input ideas, and additional features you might consider when building your alarm clock

Game Steps

  1. Define the Requirements:
    • Determine the basic functionality your alarm clock should have (e.g., set alarm, snooze, dismiss).
  2. Choose a Programming Language:
    • Select a language you are comfortable with, such as Python, JavaScript, or Java.
  3. Design the User Interface:
    • Decide if you want a graphical user interface (GUI) or a command-line interface (CLI).
  4. Implement Core Features:
    • Set Alarm: Allow users to set an alarm for a specific time.
    • Trigger Alarm: Play a sound or display a message when the alarm time is reached.
    • Snooze Functionality: Enable users to snooze the alarm for a set period.
    • Dismiss Alarm: Allow users to turn off the alarm once it’s triggered.
  5. Test the Alarm Clock:
    • Ensure that all functions work as expected and fix any bugs.
  6. Refine and Enhance:
    • Improve the interface and add additional features based on user feedback.

Input Ideas

  • Set Alarm Time:
    • Input format: β€œHHAM/PM” or 24-hour format β€œHH”.
  • Snooze Duration:
    • Allow users to input a snooze time in minutes.
  • Alarm Sound:
    • Let users choose from a list of available alarm sounds.
  • Repeat Alarm:
    • Options for repeating alarms (e.g., daily, weekdays, weekends).
  • Custom Alarm Message:
    • Input a custom message to display when the alarm goes off.

Additional Features

  • Multiple Alarms:
    • Allow users to set multiple alarms for different times and days.
  • Customizable Alarm Sounds:
    • Let users upload their own alarm sounds.
  • Volume Control:
    • Add an option to control the alarm sound volume.
  • Alarm Labels:
    • Enable users to label their alarms (e.g., β€œWake Up,” β€œMeeting Reminder”).
  • Weather and Time Display:
    • Show current weather information and time on the main screen.
  • Recurring Alarms:
    • Allow users to set recurring alarms on specific days.
  • Dark Mode:
    • Implement a dark mode for the UI.
  • Integration with Calendars:
    • Sync alarms with calendar events or reminders.
  • Voice Control:
    • Add support for voice commands to set, snooze, or dismiss alarms.
  • Smart Alarm:
    • Implement a smart alarm feature that wakes the user at an optimal time based on their sleep cycle (e.g., using a sleep tracking app).

Implement a simple grocery list

Implementing a simple grocery list management tool can be a fun and practical project. Here’s a detailed approach including game steps, input ideas, and additional features:

Game Steps

  1. Introduction: Provide a brief introduction to the grocery list tool, explaining its purpose and how it can help manage shopping lists.
  2. Menu Options: Present a menu with options to add, view, update, delete items, and clear the entire list.
  3. User Interaction: Allow the user to select an option from the menu and perform the corresponding operation.
  4. Perform Operations: Implement functionality to add items, view the list, update quantities, delete items, or clear the list.
  5. Display Results: Show the updated grocery list and confirmation of any operations performed.
  6. Repeat or Exit: Allow the user to perform additional operations or exit the program.

Input Ideas

  1. Item Name: Allow the user to enter the name of the grocery item.
  2. Quantity: Prompt the user to specify the quantity of each item (optional).
  3. Operation Choice: Provide options to add, view, update, delete, or clear items from the list.
  4. Item Update: For updating, allow the user to specify the item and new quantity.
  5. Clear List Confirmation: Ask for confirmation before clearing the entire list.

Additional Features

  1. Persistent Storage: Save the grocery list to a file (e.g., JSON or CSV) and load it on program startup.
  2. GUI Interface: Create a graphical user interface using Tkinter or another library for a more user-friendly experience.
  3. Search Functionality: Implement a search feature to find items in the list quickly.
  4. Sort and Filter: Allow sorting the list by item name or quantity, and filtering by categories or availability.
  5. Notification System: Add notifications or reminders for items that are running low or need to be purchased.
  6. Multi-user Support: Implement features to manage multiple lists for different users or households.
  7. Export/Import: Allow users to export the grocery list to a file or import from a file.
  8. Item Categories: Organize items into categories (e.g., dairy, produce) for better management.
  9. Undo Feature: Implement an undo feature to revert the last operation.
  10. Statistics: Provide statistics on the number of items, total quantity, or other relevant data.

Implement a simple key-value storage system – Python Project

Implementing a simple key-value storage system is a great way to practice data handling and basic file operations in Python. Here’s a detailed approach including game steps, input ideas, and additional features:

Game Steps

  1. Introduction: Provide an introduction explaining what a key-value storage system is and its uses.
  2. Menu Options: Present a menu with options to add, retrieve, update, and delete key-value pairs.
  3. User Interaction: Allow the user to interact with the system based on their choice from the menu.
  4. Perform Operations: Implement functionality to perform the chosen operations (add, retrieve, update, delete).
  5. Display Results: Show the results of the operations (e.g., value retrieved or confirmation of deletion).
  6. Repeat or Exit: Allow the user to perform additional operations or exit the program.

Input Ideas

  1. Key Input: Allow the user to enter a key for operations. Ensure that keys are unique for storage operations.
  2. Value Input: Prompt the user to enter a value associated with a key. Values can be strings or numbers.
  3. Operation Choice: Present options to add, retrieve, update, or delete key-value pairs.
  4. File Handling: Optionally, allow users to specify a file to save and load the key-value pairs.
  5. Validation: Ensure that keys and values are entered correctly and handle any errors (e.g., missing keys).

Additional Features

  1. Persistent Storage: Save key-value pairs to a file (e.g., JSON or CSV) and load them on program startup.
  2. Data Validation: Implement checks to validate the format of keys and values.
  3. GUI Interface: Create a graphical user interface using Tkinter or another library for a more user-friendly experience.
  4. Search Functionality: Add a feature to search for keys or values based on user input.
  5. Data Backup: Implement a backup system to periodically save the key-value pairs.
  6. Data Encryption: Encrypt the stored data for security purposes.
  7. Command-Line Arguments: Allow users to perform operations via command-line arguments.
  8. Multi-key Operations: Support operations on multiple keys at once (e.g., batch updates).
  9. Undo Feature: Implement an undo feature to revert the last operation.
  10. User Authentication: Add user authentication to secure access to the key-value storage system.

Implement a Pomodoro technique timer.

Implementing a Pomodoro technique timer is a practical way to manage time effectively using a simple and proven productivity method. Here’s a detailed approach for creating a Pomodoro timer, including game steps, input ideas, and additional features.

Game Steps

  1. Introduction: Provide an introduction to the Pomodoro Technique, explaining that it involves working in 25-minute intervals (Pomodoros) followed by a short break, with longer breaks after several intervals.
  2. Start Timer: Allow the user to start the timer for a Pomodoro session.
  3. Timer Countdown: Display a countdown for the Pomodoro session and break periods.
  4. Notify Completion: Alert the user when the Pomodoro session or break is complete.
  5. Record Sessions: Track the number of Pomodoros completed and breaks taken.
  6. End Session: Allow the user to end the session or reset the timer if needed.
  7. Play Again Option: Offer the user the option to start a new session or stop the timer.

Input Ideas

  1. Session Duration: Allow users to set the duration for Pomodoro sessions and breaks. The default is 25 minutes for work and 5 minutes for short breaks, with a longer break (e.g., 15 minutes) after a set number of Pomodoros (e.g., 4).
  2. Custom Durations: Enable users to customize the duration of work sessions and breaks.
  3. Notification Preferences: Allow users to choose how they want to be notified (e.g., sound alert, visual alert, or popup message).
  4. Number of Pomodoros: Ask how many Pomodoro cycles the user wants to complete before taking a longer break.
  5. Reset and Stop Options: Provide options to reset the timer or stop it if needed.

Additional Features

  1. GUI Interface: Create a graphical user interface using Tkinter or another library for a more user-friendly experience.
  2. Notifications: Implement system notifications or sound alerts to notify the user when a Pomodoro or break is over.
  3. Progress Tracking: Track and display the number of completed Pomodoros and breaks, providing visual feedback on progress.
  4. Task Management: Allow users to input and track tasks they want to accomplish during each Pomodoro session.
  5. Statistics: Provide statistics on time spent working and taking breaks, possibly with visual charts or graphs.
  6. Customizable Alerts: Enable users to set custom alert sounds or messages for different stages (start, end of Pomodoro, end of break).
  7. Integration with Calendars: Integrate with calendar applications to schedule Pomodoro sessions and breaks automatically.
  8. Desktop Widgets: Create desktop widgets or applets that display the remaining time for the current session and next break.
  9. Focus Mode: Implement a focus mode that minimizes distractions by blocking certain apps or websites during Pomodoro sessions.
  10. Daily/Weekly Goals: Allow users to set and track daily or weekly productivity goals based on completed Pomodoros.

Caesar Cipher: Implement a basic encryption and decryption tool.

Caesar Cipher: https://en.wikipedia.org/wiki/Caesar_cipher

Game Steps

  1. Introduction: Provide a brief introduction to the Caesar Cipher, explaining that it’s a substitution cipher where each letter in the plaintext is shifted a fixed number of places down or up the alphabet.
  2. Choose Operation: Ask the user whether they want to encrypt or decrypt a message.
  3. Input Text: Prompt the user to enter the text they want to encrypt or decrypt.
  4. Input Shift Value: Request the shift value (key) for the cipher. Ensure the value is within a valid range (typically 1 to 25).
  5. Perform Operation: Apply the Caesar Cipher algorithm to the input text based on the user’s choice of encryption or decryption.
  6. Display Result: Show the resulting encrypted or decrypted text to the user.
  7. Play Again Option: Ask the user if they want to perform another encryption or decryption with new inputs.

Input Ideas

  1. Text Input: Allow the user to input any string of text. Handle both uppercase and lowercase letters. Decide how to treat non-alphabetic characters (e.g., spaces, punctuation).
  2. Shift Value: Ask the user for an integer shift value. Ensure it is within a reasonable range (1 to 25). Handle cases where the shift value is negative or greater than 25 by normalizing it.
  3. Mode Selection: Provide options to select between encryption and decryption. For encryption, the shift will be added; for decryption, the shift will be subtracted.
  4. Case Sensitivity: Handle uppercase and lowercase letters differently or consistently based on user preference.
  5. Special Characters: Decide whether to include special characters and spaces in the encrypted/decrypted text. Define how these characters should be treated.

Additional Features

  1. Input Validation: Implement checks to ensure the shift value is an integer and falls within the expected range. Validate that text input does not contain unsupported characters (if needed).
  2. Help/Instructions: Provide an option for users to view help or instructions on how to use the tool, explaining the Caesar Cipher and how to enter inputs.
  3. GUI Interface: Create a graphical user interface using Tkinter or another library to make the tool more accessible and user-friendly.
  4. File Operations: Allow users to read from and write to text files for encryption and decryption. This is useful for larger amounts of text.
  5. Brute Force Attack: Implement a brute force mode that tries all possible shifts for decryption and displays all possible plaintexts, useful for educational purposes or cracking simple ciphers.
  6. Custom Alphabet: Allow users to define a custom alphabet or set of characters for the cipher, making it more flexible and adaptable.
  7. Save and Load Settings: Implement functionality to save and load encryption/decryption settings, such as shift values or custom alphabets, for future use.

Build a simple version of Hangman.

Creating a simple version of Hangman is a fun way to practice programming and game logic.

Here’s a structured approach to building this game, including game steps, input ideas, and additional features to enhance it.

Game Steps (Workflow)

  1. Introduction:
    • Start with a welcome message explaining the rules of Hangman.
    • Provide brief instructions on how to play (guessing letters, how many guesses are allowed, etc.).
  2. Word Selection:
    • Choose a word for the player to guess. This can be randomly selected from a predefined list or from a file.
  3. Display State:
    • Show the current state of the word with guessed letters and placeholders for remaining letters.
    • Display the number of incorrect guesses left (hangman stages).
  4. User Input:
    • Prompt the player to guess a letter.
    • Check if the letter is in the word.
  5. Update Game State:
    • Update the display with the correct guesses.
    • Keep track of incorrect guesses and update the hangman drawing if applicable.
  6. Check for Win/Loss:
    • Determine if the player has guessed the word or used all allowed guesses.
    • Display a win or loss message based on the result.
  7. Replay Option:
    • Offer the player the option to play again or exit the game.

Input Ideas

  1. Guess Input:
    • Prompt the player to enter a single letter.
    • Validate that the input is a single alphabetic character.
  2. Replay Input:
    • After a game ends, ask the player if they want to play again (e.g., y for yes, n for no).
  3. Word List:
    • Provide a list of words to choose from, which can be hardcoded or read from a file.

Additional Features

  1. Difficulty Levels:
    • Implement difficulty levels by varying word length or allowing more or fewer incorrect guesses.
  2. Hangman Drawing:
    • Add a visual representation of the hangman that updates with each incorrect guess.
  3. Hints:
    • Offer hints if the player is struggling (e.g., reveal a letter or provide a clue).
  4. Word Categories:
    • Categorize words into themes (e.g., animals, movies) and allow players to choose a category.
  5. Score Tracking:
    • Keep track of the player’s score across multiple games and display statistics.
  6. Save and Load:
    • Allow players to save their progress and load a game later.
  7. Custom Words:
    • Allow players to input their own words for the game.
  8. Leaderboard:
    • Create a leaderboard to track high scores and player achievements.

Create a command-line to-do list application.

Creating a command-line to-do list application is a fantastic way to practice Python programming and work with basic data management. Here’s a structured approach to building this application, including game steps, input ideas, and additional features:

Game Steps (Workflow)

  1. Introduction:
    • Start with a welcome message and brief instructions on how to use the application.
    • Explain the available commands and how to perform actions like adding, removing, and viewing tasks.
  2. Main Menu:
    • Present a main menu with options for different actions:
      • Add a task
      • View all tasks
      • Mark a task as complete
      • Remove a task
      • Exit the application
  3. Task Management:
    • Implement functionality to add, view, update, and remove tasks.
    • Store tasks with details such as title, description, and completion status.
  4. Data Persistence:
    • Save tasks to a file or database so that they persist between sessions.
    • Load tasks from the file/database when the application starts.
  5. User Interaction:
    • Use input prompts to interact with the user and execute their commands.
    • Provide feedback and confirmation messages for actions taken.
  6. Exit and Save:
    • Save the current state of tasks when the user exits the application.
    • Confirm that tasks are saved and provide an exit message.

Input Ideas

  1. Command Input:
    • Use text commands to navigate the menu and perform actions (e.g., add, view, complete, remove, exit).
  2. Task Details:
    • For adding tasks, prompt the user for details like title and description.
    • Use input fields for the task details:
      • Title: Enter task title:
      • Description: Enter task description:
  3. Task Identification:
    • Use a unique identifier (like a number) or task title to reference tasks for actions such as marking complete or removing.
  4. Confirmation:
    • Prompt the user to confirm actions such as removing a task or marking it as complete.

Additional Features

  1. Task Prioritization:
    • Allow users to set priorities (e.g., low, medium, high) for tasks.
    • Implement sorting or filtering by priority.
  2. Due Dates:
    • Add due dates to tasks and provide options to view tasks by date or sort by due date.
  3. Search and Filter:
    • Implement search functionality to find tasks by title or description.
    • Add filters to view tasks by status (e.g., completed, pending) or priority.
  4. Task Categories:
    • Allow users to categorize tasks into different groups or projects.
  5. Export and Import:
    • Provide options to export tasks to a file (e.g., CSV or JSON) and import tasks from a file.
  6. User Authentication:
    • Add user authentication if multiple users need to manage their own tasks.
  7. Reminders and Notifications:
    • Implement reminders or notifications for tasks with upcoming due dates.
  8. Statistics:
    • Show statistics such as the number of completed tasks, pending tasks, or tasks by priority.

❌