December 2020 – Page 4 – Juan's adventures in security & compliance

Days 3, 4 & 5

For day 3 it was required to find how many trees a specific slope would encounter. The field was given as a field of limited width, far smaller than the height. The problem states that the pattern repeats to the right, which means for any real position X, the relative position within the input would be given by modulo division. That is to say if the input has a width of 10, any real position X can be mapped onto the limited width input by X mod 10. For part 2 it was required to find the product of encountered trees across various slopes, which I hard coded and then got the product from.

Day 4

Day 4 had data in key:value pairs but the formatting was not constant accross the entries. The idea was then to split each record into a hash table and test that hash table. For part 1 it was a case of hard coding the required fields and then checking if they existed in the keys of the record (hash table). With return 0 in the case of a negative it reduces the number of tests.

Part 2 required the same tests and then data validation. The three year data fields were simple comparisons. However, the other fields di allow for some interesting regular expressions. By making the check subroutine return 0 upon the first failed test reduced (a little) the amount of tests performed.

Day 5

The input for this challenge consisted in a set of letters representing a seat. The first letters used a binary representation of the row, and the final 3 represented the which seat in that row the seat was. The data is already binary numbers, just with different characters… Regex to the rescue. Capturing the part which was required (row or column), converting to binary and then to decimal => easy to understand. With the getRow and getCol subroutines sorted and tested, all that remained was to find the highest sanity check. Part 1 sorted.

Part 2, perhaps as I was running on remnants of ~~sleep~~ coffee fumes encountered far more issues. Initially I wanted to create an array of anonymous arrays such that if a seat existed it would get marked as “X”, and I could then look up which seat was not labeled as “X”. Except that was not what the questions was asking -> I needed the missing ID. What data structure lets me find items incredibly fast? The hash table. By using the same code from part 1, it was then just a matter of adding each sanity check into a hash table. $seats{$sanity} = 1.

From part 1, the highest sanity check is 801, so simply checking for all numbers up to 801 if exists $seats{$_} and printing all those where the check failed. The terminal printed the numbers 0-39 and then one single ID in the hundreds. The problem stated that the first couple IDs weren’t occupied as they were not seats => verifying that the ids 1 above and 1 below the result existed and voila. Could it have been done more neatly? Yes, but then, that would mean keeping up with perl idioms and using it more than once a year.

From my time as a SysAdmin I always defined Authentication as the process of verifying an users identity, essentially logging on. Athorisation was the process whereby certain file shares, printers, or applications were made accesible to them through GPOs. Fairly simple differentiation then, authentication lets the system know who is logging in, and then some protocols define what that person is allowed to do / access, similar to access cards where a printed ID shows a person has certain clearance and some RFID locks will grant access to certain areas.

The exam centre authenticated who I was by verifying my ID card. For the 3 computer based exams I was provided an user number and a system generated password. At the first component I thought they were only authenticating me, and the exams were being distributed centrally. At the 2nd exam I saw that with our login they were also ensuring we were only doing the required exam component. The user number remained the same, but the passwords changed.

3 exams, 1 username, 3 passwords. My guess is that on login, the username is validated and then a login hash created with both the username and password is tested against the central service. If the given password is incorrect, no login is possible wether that’s due to a wrong password or the exam not being available yet. So now I’ve authenticated myself with the exam centre (ID), on the central service (user number, pw) and then by logging in I’ve been authorised to take part in the exam.

This is no longer AD authentication and SSO. The login function essentially managed both authentication and authorisation. But, could these authentication processes all also be authorisation? The ID check proves my identity, and because I’m on the register am allowed to take part in the exam. Arguably the invigilators authorised me before authenticating, given they checked ID against roster before verifying the ID was real. You can establish similar controls on infrastructure limiting which services an user can connect to, when they can connect to the services and more importantly, what they can do with the services.

The clear takeaway from this is that I need to play with AD more. The more subtle takeaway is that when securing an infrastructure, it is not enough to limit access to data & applications to registered & allowed users, but it is also important to limit what those users can access. For example, the HR intern should not be looking into the finance folders at 3am on saturday. As we move to cloud based solutions and companies which can start employing remote workers, being able to limit when users can connect to the infrastructure provides a little help in mitigating both insider threat (reduced timeframe) and compromised accounts.