nhellman's comments

nhellman | 1 year ago | on: The Fundamental Law of Software Dependencies

We've been experimenting at my day-job with using the nix package manager to automate the fetching and building of dependencies, and also isolate them per project/revision.

In the root of each project repository, we have a shell.nix file that lists all dependencies needed to build and develop the project. Most of them are from the latest major nixpkgs tarball and we include its hash to account for the hashes of every package that it provides. Other packages are from e.g. PyPI, crates.io or internal repositories and each of those have their own hashes.

With the shell.nix file we can then get a working environment set up by running nix-shell or automatically when we enter the directory by using direnv. The first time it will fetch and build everything but it will be cached after that.

This has worked quite well for us so far, it makes it very convenient to maintain dependencies. We can try out new dependencies on a feature branch and easily run CI on it, and when we merge the branch to master the dependencies follow along automatically for both local and CI machines.

For older revisions or branches it is also very convenient to get a working environment as you just need to check it out and load its shell.nix file. No need to make sure your system has e.g. an older Python version available, it will be fetched automatically. In theory, older revisions should be usable indefinitely, as long as the sources we fetch the dependencies from are still available.

To try to ensure that all required dependencies are included in the shell.nix file our CI jobs run with nix-shell --pure to make sure it does not use any system programs. However, this does not prevent e.g. using files or binaries specified by an absolute path, if it is available both locally and from CI. Preventing unneeded dependencies from being listed is also difficult, as that requires removing a dependency and re-running everything to make sure nothing breaks without it.
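As an added illustration of the setup described above (this is not the commenter's actual file), here is a minimal shell.nix that pins nixpkgs through a single tarball hash and pulls one extra package from PyPI with its own hash. The nixpkgs URL, both sha256 values, and the PyPI package name and version are placeholders; Nix refuses to use the fetched content until the real hash is supplied, which is exactly the property that makes old revisions reproducible.

```nix
# shell.nix: added example, not the original commenter's file.
# The nixpkgs URL, both sha256 values, and the PyPI package name/version
# are placeholders. With a wrong hash, nix reports the hash it actually
# computed for the fetched content, so a mismatch fails loudly rather than
# silently pulling in different sources.
let
  # Pin nixpkgs to one tarball. Its sha256 covers the whole tree, so every
  # package taken from `pkgs` below is fixed transitively by this one hash.
  nixpkgsSrc = builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/<commit-or-tag>.tar.gz";
    sha256 = "0000000000000000000000000000000000000000000000000000"; # placeholder
  };
  pkgs = import nixpkgsSrc { };
  python = pkgs.python311;

  # A dependency that is not in nixpkgs, fetched from PyPI with its own hash.
  # Pinning the version alone is not enough: the hash is what makes the
  # fetch fail if the upstream artifact is ever replaced.
  examplePyPkg = python.pkgs.buildPythonPackage rec {
    pname = "example-package"; # placeholder name
    version = "1.2.3";         # placeholder version
    src = python.pkgs.fetchPypi {
      inherit pname version;
      sha256 = "0000000000000000000000000000000000000000000000000000"; # placeholder
    };
    doCheck = false;
  };
in
pkgs.mkShell {
  # Everything needed to build and develop the project, and nothing else.
  packages = [
    python
    examplePyPkg
    pkgs.rustc
    pkgs.cargo
    pkgs.gnumake
  ];

  # Runs when the shell is entered; handy for confirming which interpreter
  # the environment actually resolved to.
  shellHook = ''
    echo "nix-shell ready: $(python --version 2>&1) from pinned nixpkgs"
  '';
}
```

With this file in the repository root, `nix-shell` drops you into the environment, and an `.envrc` containing the single line `use nix` lets direnv do it automatically on entering the directory. For CI, `nix-shell --pure --run 'make test'` clears the inherited environment so PATH only contains the listed packages; as noted in the comment, `--pure` does not block access to host files by absolute path, so a CI runner without those files present is still the real check for missing dependencies.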

nhellman | 1 year ago | on: Effective substring in Rust

Why return an owned string instead of a borrowed str slice? A substring can always be borrowed and should never require a heap allocation?

nhellman | 1 year ago | on: Inventing my own writing system for English, VJScript

Aren't there symbols missing for the mid central vowels which are common in English? I.e. https://en.wikipedia.org/wiki/Mid_central_vowel.

How do you write e.g. "learn" or "bird"?

It seems to be needed in the first "This is a sentence..." example as well. Right now it uses U for the lone "a" and I for the second syllable in "sentEnce". But U represents /ʌ/ (as in but) and I represents /ɪ/ (as in bit), but a symbol for /ə/ would be a better fit for these two, right?

nhellman | 1 year ago | on: Germany has too many solar panels, and it's pushed energy prices into negative

Germany does share an electricity market with its neighbours, you can see the live import and export e.g. here: https://www.iea.org/data-and-statistics/data-tools/real-time....

Currently, Germany is averaging around 6.4 GW of imports and 3.2 GW of exports. During production spikes caused by e.g. wind or solar power, the price quickly drops in the whole region, sometimes into the negative in order to help stabilize the grid frequency.

nhellman | 1 year ago | on: The xz attack shell script

Besides verifying that the compiled program works on the target, tests are also required to compile with PGO because you need to have a runtime example to optimize for.

nhellman | 2 years ago | on: A Git client for simultaneous branches on top of your existing workflow

> Then before I push, I have to temporarily rewind the branch to remove them, push, then cherry-pick them again.

You do not necessarily need to modify and restore your branch head just to push in this case. If you have e.g. two temporary commits at the top of the branch, you can use e.g. "git push origin HEAD~2:master" to skip those commits when pushing.

nhellman | 2 years ago | on: Responses to unicycling

It is not an entirely pain-free experience, though. In some cases it is not a completely unwarranted question.

For example, the snow and ice melted here yesterday, exposing gravel on asphalt which is borderline painful to run on directly. Also, e.g. very cold winter days or just nasty gravel roads may inflict varying degrees of pain.

Otherwise, it can also be slightly painful for the soles during later parts of long runs, especially when inexperienced or when running for the first time in months.

nhellman | 2 years ago | on: What Bed Linen Can Teach Us About Usability

Yes, the three holes are very common in Sweden, the first time I ever encountered covers without them was when moving abroad.

However, a few years ago Ikea removed them in Sweden also, unfortunately. From what I've heard it's because they got too many complaints internationally due to people believing that the covers were broken.

nhellman | 2 years ago | on: IJON Deep State Space Explorer

The link to the paper seems to be broken but it is openly available at IEEE Xplore: https://ieeexplore.ieee.org/document/9152719

The paper explores manually guiding AFL-based fuzzers using annotations in the source code in order to more easily reach deep states.

The Super Mario Bros example highlighted in the git repo uses a modified version of a C++ variant converted from disassembly of the original game: https://github.com/MitchellSternke/SuperMarioBros-C/

In this example, the only guidance used is an annotation that maximizes the x-position while accounting for different y-positions, allowing it to faster complete the game levels: https://github.com/RUB-SysSec/ijon-data/blob/c75433e1ce52523...

nhellman | 2 years ago | on: Exploring the Halo 1 System Link Protocol

NHE looks interesting, they seem to have modified all clients to make the host player teleport above the map. With the current protocol, it seems like it is impossible to achieve this without modifying the guest clients as well. And by modifying all clients they are also able to add extra maps and make gameplay changes.

nhellman | 2 years ago | on: Exploring the Halo 1 System Link Protocol

Are you thinking of Theater mode that first appeared in Halo 3? Unfortunately it was slimmed down in later Halo games and it is rarely seen in other games at all, especially not console games.

nhellman | 2 years ago | on: Exploring the Halo 1 System Link Protocol

> So that's basically most of the lowest layers of the Xbox Live protocol as well. Simply game discovery happens over local broadcast instead of through the Live servers. There's some other specifics that change, such as logging into a host xbox doesn't diffie-hellman anymore but instead key sets are distributed by the server backends with the session information. Additionally the auth side is basically non existent on system link.

Ah, cool, there has been some similar work done before! Are there any documented resources or write-ups of the Xbox Live protocol somewhere?

> Great RE work!

Thanks!

> Disclaimer: I created a proof of concept implementation of the Xbox Live server infrastructure here: https://github.com/xombieonline

That is a really cool project! How does one make sure the console connects to the server instead of the (now shut down) Xbox Live servers? Does it e.g. have a hardcoded domain so one can simply add a DNS entry?

nhellman | 2 years ago | on: Exploring the Halo 1 System Link Protocol

> Loved it, thanks for being so thorough and documenting the train of thought.

Glad to hear! I was hoping to make the whole process easy to follow without any large skips or prior knowledge. It is more or less my process but with a lot of dead ends removed.

> I want to ask about one thing I could not understand completely on the final section: If there was a client that sent arbitrary values for selected weapon, forward, left, etc; would the host count them as valid? (I understood this is essentially what the MITM allowed to do)

Yes, it appears so. The host seems to accept more or less arbitrary values (at least for forward, left, actions) and also just re-broadcasts them to everyone. The guest client then also ignores what it sent and just uses what it receives from the host. This allows us to modify the inputs/speed of any guest client players without desyncing the clients.

> Also, a little feedback, my immersion broke when the video did not show Howard and Ghost anymore. Something like Howard1 and Ghost1 would've helped understand a little bit more.

Good idea, I could have made it clearer which perspective the video was taken from (the guest client). Might be able to re-record or simply mention it in the text.

nhellman | 2 years ago | on: Exploring the Halo 1 System Link Protocol

I haven't tried this out, I wonder how well the Halo 1 net protocol works over a less reliable connection. I encounter issues as soon as I momentarily minimize the emulator and it does not recover without starting a new game.

I wonder if it is enough for XLink to simply send the packets through a networked tunnel or if it actually needs to modify the packet payload somehow. The consoles might be able to handle everything as long as they are able to communicate with each other?

nhellman | 2 years ago | on: Exploring the Halo 1 System Link Protocol

> "age in a bot" might be a truncated form of "message in a bottle."

Yeah, that makes sense, it is a very odd sentence otherwise. Truncating on "bot" might be a play on words for game AI/NPC.

> The PRNG exponentiation scheme is essentially Diffie-Hellman.

Ah, of course, yes, I was thinking it reminded me of public-key cryptography.

> Including, e.g., plasma pistol?

Yeah, it seems so, that was the first weapon I thought it would be used for. I tried e.g. setting the duration to zero and charging the plasma pistol. It still shoots like normal and does not seem to affect visual effects, audio or damage for either host or guest. It is still possible that it is used for something else that I have not noticed. Modifying the host's fire duration does not cause a desync so it might not affect the game state.

> Very cool investigation and writeup.

Thanks!

nhellman | 2 years ago | on: Exploring the Halo 1 System Link Protocol

Thanks, I was initially surprised that they were encrypted but I can speculate on a few potential reasons:

- The Xbox was designed to be able to play online via Xbox Live (e.g. with Halo 2 that came out later in 2004), and they might have simply reused the network stack for System Link over LAN. I looked a little bit at Halo 2 system link, it uses the same system calls from the kernel but the protocol seems to be more complicated (e.g. the IV is never sent in plaintext, the two consoles derive it somehow). I haven't looked at Xbox Live, but Halo 2 could potentially use the same for System Link and Xbox Live.

- The Xbox also really tried to lock down its security in order to prevent game piracy and homebrew games. This might have been another attempt to reduce the attack surface.

- They also might have just wanted to keep their game protocols secret for trade secrets or simply to avoid scrutiny. In this case, we were able to create a kind of cheat, which they might have also wanted to avoid. Even though it is rarely an issue at LAN parties, it might have simply looked bad for the brand.