When Day Breaks: The nature of Lies and their Relation to Information

Every lie we tell incurs a debt to the truth, and sooner or later that debt is paid.

— Valery Legasov

We often define the lie has the utmost dishonest act someone can do to his friends, family, and associates. We get quite mad when we catch the ones we trust in blatant lying. We also often tend to exclude our own lies from their dishonesty, reasoning that we told them under pressure or as defense from something that would have easily overtook us if we didn’t lie. Comically enough, we are quick to forgo the concept of the honest lie when we are caught telling one, eventually leading to immediate regret. In those situations, we push the one that caught us to show lenience, not realizing that we would probably not do so in a similar situation. In short, the invisible dance that is lying and hearing lies is chockful of hypocrisy, a relatively unsurprising observation.

However, a lie is contextually no different than any other statement. The structure it follows, the information it conveys and the language it is written in — akin to any other factual statement. Ultimately, a lie is a piece of information, and it is equal to all other information one can tell, the only tiny difference being its falsehood. If you tell a lie that means relatively nothing, such as “I ate Macaroni for lunch”, then its falsehood means very little because that information will accomplish, in return, practically nothing. It is also pretty difficult to get caught, and when caught, it will be ignored. In fact, lie or not, it will bore others. The point is that we socially uphold the lie as a radically different manner of interaction, when in reality it is simply the sharing of information, but information that is false.

I defined the relation between a lie and its context because it is what defines the power of the lie and its honesty. It is not unknown that almost every single existing individual with the power of speech will tell a lie at some point in its life, but whether the lie makes him a horrendous being depends solely on the context; the information itself matters not in most cases. All social relations can be defined by the exchange of information, and when there is an absence of information (to accomplish a social exchange), it must be created. The lie thus comes into play, as it builds the last bridge necessary to accomplish the exchange.

Is the lie necessary wrong? Why would the creation of information be wrong? The lie itself isn’t right or wrong, as it is only but a medium. To say a statement with hurtful intentions can seem wrong, but to say a statement with no hurtful intentions cannot possibly wrong (to say the truth is, in the end, a correct act). Lying is similar: to lie with hurtful intentions, such as self gain, can seem wrong. However, to lie with sympathy cannot possibly be wrong. Most people correlate the lie with self gain or mislead, but there are numerous instances wherein one can lie in order to help or defend himself. You can perhaps recall such instances yourself!

Recall the quote by Valery Legasov — “Every lie we tell incurs a debt to the truth, and sooner or later that debt is paid.” To tell a lie is to borrow information from the truth. A liar is merely but a debtor. It is the act of creating a temporary truth to fulfill an absence of information. One day, this temporary truth – the lie, expires, and it is by expiring that the debt to the truth is paid by the one that borrowed. A lie expires when:

  • The lie is forgotten by those that heard it. By forgotten, it is not the material or social results of the lie that is forgotten, but rather the very language used by the debtor to convey the lie. When the language is forgotten, the lie expires.
  • The context of the lie is forgotten. If someone tells a lie to escape a vile situation, and the vile situation is subsequently forgotten by those in it excluding the debtor, then the lie expires.
  • The lie is discovered. If someone tells a lie and another discovers the lie, then no matter what the debtor may do, the lie expires. The debtor may incur a greater debt by borrowing more temporary truths, but each lie told accumulates into a greater lie, and they will have to be paid too; they will equally expire.

While some may interpret Legasov’s quote as a variation of “The truth eventually reveals itself“, I think the meaning can be expanded, just like I did above. The debt comes from the usage of temporary truths, and when the lie becomes useless or meaningless by expiration, the debt is paid.

Remember, a lie is only a piece of information. It is treated as such in all situations until it expires, either by forgettance or by discovery. It is not right or wrong – its rightfulness or wrongfulness becomes according to intention. And borrowing lies from the truth – temporary truths – means that one day, the debt you incur will have to be paid when the lies expire.

The Implementation of Authority

First and foremost, authority exists insofar it is recognized. Authority will do its hardest to get itself recognized by those it wishes to subjugate, but as long there is a persistent effort to ignore it or subdue it, it will never truly exist.

Authority is simply a state wherein an entity accepts another entity as its controller, subsequently transforming the controlled entity into a device, an entity that is partially or fully subjugated by another one because of subjective reasoning or force. It is this device-controller relationship that defines many concepts of the universe, such as the law and the individual, parents and their children, bourgeois and proletariat, etc. This article isn’t meant to necessarily criticize authority, but to analyze its creation, its behavior, its termination and to put it under more measurable terms.

Subjugation Gradient of the device

A device isn’t always completely subjugated under a controller. There is a subjugation gradient, which starts from a state of uncontrol (the default state of the entity, Full Entity) to a state of control (the subjugated state of the entity, Full Device). An entity is rarely on either end, most commonly balancing around the center of the gradient without deviating to the extremes, signifying that a device’s subjugation slowly increases and decreases over time as part of control’s nature.

The principal reasoning behind why an entity loses its status as an entity and becomes a device is because an entity possesses the ability to govern itself in thought and action, whereas a device essentially loses partly or fully that ability. When an entity becomes partly or fully subjugated by an authority (its control augments), it slowly loses its status as an entity.

Force application versus Subjection application

The application of authority upon an entity and its transformation into a device can be done in three clearly defined and unchangeable ways: via force, via subjection.

  • Via force implies that the application of authority comes from consequences first and reasoning after. In this instance, an applicator of authority will explicitly tell the entity that if they do not subjugate, they will suffer from consequences applied by the applicator. If the entity recognizes the authority and obeys to it, it becomes subjugated and is hence transformed into a device.
  • Via subjection implies that the application of authority comes from reasoning first and consequences after. In this instance, an applicator of authority will appeal to logic and facts to convince the entity that they are in a position of authority, and that not obeying to it can bring forth consequences, but they won’t necessarily be from the authority itself. If the entity recognizes the authority and obeys to it, it becomes subjugated and is hence transformed into a device.

Shifting of Control over time

As previously mentioned, a device’s subjugation usually balances around the center of the gradient without deviating to the extremes and slowly increases and decreases over time as part of control’s nature. This is because it’s incredibly difficult for an entity to lose all resistance to controlling factors; the entity is naturally bound to reject some (if not all) of the control as the existence itself of the entity relies upon its independence and separation from other things. However, it is possible under specific circumstances for an entity to lose its status as a device and become a full entity in uncontrol, or for an entity to become a full device of control. When an entity revolves around the center of the gradient, we call it an Orbiting entity, whereas an entity that usually transitions to either extremes is a Merger entity.

This is historically and socially shown in everyday life: while a citizen think highly of himself for his respect of the law, it’s statistically probable that he will eventually break it out of his own accord. In this case, the citizen being the entity affirms its independence and resistance to control (the law being the authority), shifting his control to the left of the subjugation gradient (uncontrol). At other times, the same citizen may practice more caution to respect the law in order to avoid foreseeable consequences, shifting his control to the right of the gradient. Therefore, we can conclude that the citizen as device within the context of law as authority is an Orbiting entity.

In a more personal instance, and to demonstrate that control can shift to the extremes, we can also consider the relationship between a parent and his child: we could say that the child itself, as device, is almost under the full control of his parent during his younger years. Over time, as the child grows, it develops an independence and thus shifts grandly to the left of the subjugation gradient, until it is completely devoid of the parent’s control and becomes a full entity. Therefore, we can conclude that the child as device within the context of maturation is a Merger entity.

The case of Voluntary authority (Wilful Control)

There are some cases wherein authority is wilful. The principles of subjugation and control still apply, but the entity does it while acknowledging the source of authority as an authority and not as an embodiment of something else that possesses control.

To better explain this concept, we can draw a comparison between a voluntary authority and a non-voluntary authority: the doctor and the police officer. When you consult a doctor and get diagnosed with a disease that requires treatment, you are free to either listen to the doctor (subjugation) or reject his advice. To listen to the doctor’s advice is, in fact, the application of his authority over you, but it is voluntary since you recognize the doctor as a voluntary authority that won’t punish you for your purported disobedience. Recall the concepts of Force application versus Subjection application: Subjection application occurs here as the doctor is using reasoning to subjugate, and it is up to you in this scenario to acknowledge the authority.

In the case of the police officer, if you are caught “breaking” the law, you will be forced to listen to his orders, or else punishment will be applied by the authority. In this case, the authority can be considered non-voluntary as it will act upon your rejection of it, and gives you no choice in your obeying of it, even if you do not recognize its authority. Recall the concepts of Force application versus Subjection application: Force application occurs here as the police officer is using force and threats to subjugate, and you are expected to follow without condition.

As I said in the very first words of this article, authority exists insofar it is recognized. A doctor’s advice or a police officer’s orders will only be listened to if the entity recognizes the authority. Else, the authority will simply not exist.

I wrote this article to reflect upon some of my friends that are currently under the non-voluntary subjugation of their religion, being Jehovah’s Witnesses. Their religion’s authority exists insofar my friends’ parents believe in it, and will cease to exist when my friends eventually break free from its grasp.

Let them be free, they may lose that chance when you think they’ll be old enough to be


Take me out tonight
Where there’s music and there’s people
Who are young and alive
Driving in your car
I never, never want to go home
Because I haven’t got one anymore
Take me out tonight
Because I want to see people
And I want to see light

The Smiths, from “There Is A Light That Never Goes Out”


I’ve met a couple of young people lately whose mother prevents them from leaving home. It’s not because of what they can do either, its solely the matter of leaving home that puts the mother at odds. She truly believes that her teenagers will end up making horrible, horrible mistakes with irreparable consequences if she dares to leave them flock away from the nest, may it be for an hour or for a day.

Maybe her life in relative paradise made her forget, but we are currently surviving an era wherein those young people are allowed to make mistakes. We live in an age of luxury and plenty, an age of comfort and facilitated travels. Eons ago, daily life was constituted of work and shielding oneself from the dangers of the outside, ranging from infectious disease to destitute people seeking an extra day by pillaging those under a roof. Those living far away from dense communities had lives in knee-deep farmwork, requiring often a hefty amount of manual labor on a daily basis, with only the comfort of a warm meal and a bed at the end of each day to escape from the routine. When life got a bit more comfortable in the industrialist booms of the 19th and early 20th centuries, labor in the farms morphed into labor in the factories, in mostly unsanitary conditions and subjected to extremely long shifts, all for a mediocre salary that barely paid rent and a family’s worth of foodstuff.

As time went on, so did comfort. Labor regulations, lowered shift time, increased productivity and the general production of commodities — all of this economical good put together formed, seemingly, the basis of first world society wherein work equated wealth. Whether or not this was ever the case is irrelevant, the only true observation to be noted is the apparition of the slightly wealthy middle class, which is currently diminishing.

The middle class is so disillusioned with its slight wealth that it believes it to be permanent and unceasing. They know little of the poor struggling to make a dime, and god forbid they ever become poor ⸮ Unfortunately, little do they know that their wealth will disappear! All of society is undergoing the superficially unexpected process where salaries are failing to meet the rising prices of things, where it’s becoming increasingly harder for fresh adults to find employment and shelter, where the stability of our somewhat organized social world is slowly crumbling due to mass culture and commodification of human behavior, where the climate situation is worsening week by week due to the ignorant inaction of those with power — simply, the world is becoming tougher, and I myself hold bleak hopes for the future.

And how does any of this become related to the freedom attributed to the precedently mentioned teenagers whose lives are akin to prisons? Simply because they are living in the golden era of comfort, and they will see its downfall. Currently, they are free of responsibility. They are, legally and socially, irresponsible and free. They have no jobs to actively attend to thanks to the shelter and resources provided by their parent(s). They have only school as their sole responsibility, and even then, the frequent breaks they have allow them to enjoy what they want how they want without the burden of work, debt or other unnecessary things unfortunately granted to us by organized society. All of this, tied up and wrapped with the foil of plenty. They are not living in poverty (and let us help those that are, I struggle for them both in thought and in action), they have access to commodities and those lucky enough may even be so free of existential burden that they can care about luxuries, travel or the weird food they want to try out for supper. They live in undemanding times, and it would be a shame for some to lose the opportunity to fully experience those.

That is why I mentioned the crumbling luxury of our society. They are young. They will see it fall. One day, all of this comfort will be gone, and if I’m not dead by then, so will I. By restricting the time they’re out, by using fear of mistakes and parental care as pejorative to restricting their individual liberty, they slowly lose the time they have in teenage land. Perhaps, their mother is failing to realize the luck of their situation. Perhaps she is so infatuated with the grime, pessimistic outlook of our world that she believes giving a modicum of liberty to her children will end horribly. Perhaps she has trust issues with those hanging out with them. I could babble about the necessity of mistakes and how they’re a learning experience for teenagers, but that would distance me from my point: their time in comfort is short, and she should let them be free. Free, not of discipline but of burden and responsibility.

I’m writing this because those I’m talking about are some of my dearest friends. They often complain about their restrictive mother, and it saddens me deeply because not only does it prevent them from living amazing experiences, but it equally distances me from them ever so slightly.

But again, I have yet to become a parent. Perhaps I do not understand something.

Doing it for what I love

I’ve never concerned myself over my weight. To me, it was something I didn’t care much about because I thought of it rashly and carelessly. I always lived in a pretty big family and surrounded myself with people that cared very little about weight, aesthetically or socially. For that, I am forever grateful because I wasn’t socially raised in an hurtful environment wherein I presume I would have been ceaselessly told about my stoutness. Instead, I was raised in an environment where I was made solely conscious about my weight and the many health problems it will surely bring to me in my adult future, but no pressure had ever been applied onto me concerning weight loss. This made me aware of the complications of obesity (heart disease, diabetes, socially setbacks, etc.) without the dread and obsession stereotypically accompanying weight consciousness and desire for weight loss.

Because of the above, I was able to slowly put together the pieces of my current weight loss plan. I found myself to be no man capable of doing orderly things. I’ll frequently jump between ideas and when I draft up plans I do so because of my spontaneous nature (and thus, those plans will have spontaneous features!). My weight loss journey, which has seen more than a couple beginnings unfortunately, has also been the product of my spontaneity, leading to equally spontaneous and premature endings. However, every time I planned a new beginning and experienced a new ending, I put forth a new piece of my plan. As time went on, I gradually realized the completeness of my unlikely plan. I went from knowing the basics of weight loss to barely understanding (but still understanding nonetheless) its most arcane specifics simply by blindly trying to cut calories and eating green instead of red.

Despite now having a clear idea of what to do, I seemingly forwent the when. For moons, I always thought there was a moment I could wait for before beginning my journey. “I should wait until summer, there I’ll have plenty of free time!“. “I should wait until winter, of course. The cold will only ease my weight loss efforts!“. I unknowingly told myself all those stupid lies. There is no future day one. There is no date apart from today’s date. Day one is now. If I do it later, I’ll only continue to gain weight and further my plan’s hardships.

Following the when, there was the why. There are the obvious reasons — health, looks, self-satisfaction and myself within a social context, but I never found any of those to properly motivate me into weight loss. I (perhaps mistakenly) infatuated myself with existentialism in my confusing times, leading to the belief that I should only thrive for my happiness and anything that doesn’t contribute to it is essentially a waste of time. A subjectively true statement to many, it led me to forgo things such as health (why should I live a long, boring life if I can live a short, joyful one?) and looks (why should I preoccupy myself with what others think of my looks, given that I am already surrounded with people content of what I currently am?), basically deleting the principal motivation anyone would usually have to lose weight. In short, I overly think of myself and what I want to see, experience, live.

A slight introspection into the worries of those I love and all of my previous egotistic beliefs fall to their knees. I love many, and many of those don’t love me (usually with licit reason), but those that do knows deeply of worry for my health and my well-being. I usually say that I feel fine to calm their anguish, but so does a drunkard bordering coma — unaware of his condition because of his inability to judge and feel it appropriately. In my most lucid moments, I thought deeply of their worries and I eventually shared them too. Wouldn’t it be a shame for your friend to outlive you, just because of your poor taste in junk food? Don’t you deeply wish to live side by side with those you love, may it be family, friends or perhaps someone even closer? Wouldn’t it be great if you, even in such a decaying trunk of wood, manage to carve your own epic in the bark of history? When it comes to mine — I expect critics!

And so, I want to lose weight. I know when: now. I know why: because I love people and some of those love me back. I know how: tales of calorie counting and exercise awaits me. I’m motivated. I’m gonna do it. I ain’t gonna die before I turn 35. And if you want to make a change in your life, you’re just as apt as I am. It all comes to your personal willingness, and a change in that mind of yours.

The metamorphosis of gender identity

Note: When I write articles, I consider them to be opinion pieces. I want to make them as true and scientific as possible, but I solely base them upon my own thoughts and rationality along with my own interpretations of factual research, which is of course bound to be imperfect.

Let’s begin this mind piece with the definitions of gender and sex. It is, after all, confusion behind truly knowing what gender and sex is that leads to today’s most unfortunate controversy.

  • Sex is the biological spectrum between male and female. It is otherwise impossible to be physically outside of this spectrum, as a third sex does not exist. I call sex a biological spectrum because males can exhibit usually female traits (such as breast formation and lactation) and vice versa, both sexes can have a varying amount of sexual hormones which influence behavior and physical development, and because intersex individuals exist. In a word, those closer to the male end of the spectrum develop a significant amount of male traits including male genitals, whereas those closer to the female end of the spectrum develop another significant amount of female traits, but it is completely normal to be in the middle of the spectrum (and develop traits common to both sexes) or in between two stages.
  • Gender is the cultural reflection of sexual identity. It differs from society to society, with some variations being subtle while others being quite remarkable. The phenomena of specific clothing for each gender, oriented (but generally unenforced) career roles for men and women and other societal expectations (for example, shaving for women and bearing short hair for men) are all the product of gender identity in the West. After millenniums of cultural evolution, the western outlook on gender hasn’t gone complex: inspired by religious teachings and centuries-old philosophies, it has always been that someone that has male genitals is a man and must follow the gender norms of men, and those that have female genitals is a woman and must follower the gender norms of women.

Interestingly enough, recent times have been quite important to the phenomenon of gender culture. We are currently experiencing a metamorphosis of sorts, one where gender identity is going from being correlated to biological sex to being correlated with sexual orientation and feelings. Of course, as with any drastic change in society, this metamorphosis has seen some resistance, most of which is based on reasons of “logic” or “nature”. Simply, the western outlook on gender has grown to a point where gender culture has became allegedly natural and inherent. “Men have worn classically male garments and will continue wearing them because… that’s what men do. That’s what a man is. And the same applies to women. The contrary of this is unnatural and wrong.” In reality, there is nothing wrong, nor nothing unnatural; it is merely the defying of the western outlook on gender, the breaking of the gender norms and the mere evolution of culture.

The principal reason behind why those who resist this change resist, is because they have been basking in this gender culture since their youth. They have grown to understand the perceived inherence of the gender binary as a simple product of nature, including all societal gender traits (such as the aforementioned gender-oriented clothing). By being exposed to very little or no opposition to this reality, the “fact” of the gender binary has been ingrained into this person as a permanent and unchanging feature of human society. Thus, opposition to it is seemed as a changing and inhuman act, something inherently unnatural.

We accept the reality of the world with which we are presented.

Christof, from The Truman Show

Anyone apt to change this outlook immediately realizes that there is much more to gender culture. It is not this restrictive, binary system that we are used to. It is a varying collection of phenomena that changes across societies, more than just a boolean randomly determined at conception. Gender suddenly becomes more interesting and liberating. I know that I can wear anything now. Clothing being assigned to a sex? Pink being for women and blue being for men? That’s culture, not nature. I’ve always liked wearing skirts… now, I know I can. I know I wasn’t wrong. You begin to understand how those stuck in the binary belief are restricted, that maybe they prefer certain things that they cannot wear, use or experience just because it’s outside of their perceived “gender role”. Perhaps some people do prefer the gender role they’re in, and appreciate all of it, and that is completely fine as after all it is a matter of preference.

But even the gender binary ends up hurting those that like it, that are in it, consciously or not. I was taught since I was a young boy that boys don’t cry. That boys shouldn’t show their feelings because it’s showing weakness and that’s bad if you’re a man. I cry alone at nights to make sure no one sees me, and I do not speak to anyone about it because I am a man, and men don’t cry.

https://webappa.cdc.gov/sasweb/ncipc/mortrate.html

Spring of Cybercrime and Adolescent Cybernetic Adventures

Note: When I write articles, I consider them to be opinion pieces. I want to make them as true and scientific as possible, but I solely base them upon my own thoughts and rationality, which is of course bound to be imperfect. This time, I tried blending in a bit of external research into my own train of thought. Let’s see how that turned out!

When people think of cyber crime, they usually think of holed-up hackers sporting Guy Fawkes masks in some underground bunker. Some may see them as a clique of government-employed security researchers who’ve been paid to do a bit of extralegal work. Surprisingly enough, most cyber criminals are neither. While it is true that a vast array of competent security analysts trained by state-funded cyber security agencies do tend to turn into cyber criminals (or, well, cyber terrorists/traitors when designed by the governments themselves) when they stop working for their agencies, it is a popular misconception that you truly need advanced training to commit devastating crimes.

Just like your average criminal can buy himself tools to commit atrocities without any prior training, your average cyber criminal can himself, too, buy his toolset without knowing a single thing about cyber criminality. Considering that almost everything is powered by the Internet nowadays, having the ability to maliciously affect it or components of it is incredibly dangerous, and the ease of access of it all certainly doesn’t help.

The demography of cyber criminals and the why

Interestingly enough, most cyber criminals are young teenagers. This is, however, without surprise when you consider the reason why they turn into cyber criminals. To begin with, consider the fact that young teenagers were born into a world of computers and the Internet. As they grow up, they realize that the world is now powered by both of those things. They inevitably learn to use them, and eventually learn how they work on the inside. The more time you spend recreationally using a computer, the higher your chances are at learning their internals and how they work.

Second, young teenagers today are less satisfied with their social lives. There are a thousand and one reasons why this is happening, but I’d like to specifically point out this study published by the American Psychological Association (“Decreases in psychological well-being among American adolescents after 2012 and links to screen time during the rise of smartphone technology.” Twenge, Jean M.,Martin, Gabrielle N.,Campbell, W. KeithEmotion, Vol 18(6), Sep 2018, 765-780), which, in a word, reveals a correlation between time spent in front of a screen (computers, smartphones, etc.) and the adolescent’s social happiness. It is unfortunately normal that due to the rise of computers and widely available personal technology, teenagers who spends a lot of time on them tend to experience general social dissatisfaction.

In an attempt to fulfill their social interest (or desire of attention, which is usually a component of the desire to fulfill the aforementioned social interest), teenagers with great technological knowledge may resort to cyber crime. Committing cyber crime, especially in the increasingly social Internet, is a social activity in itself. For example, young netizens may find comfort in associating with a cyber criminal with access to powerful illegal tools as they could possibly act as a “defender” in case another netizen wrongs them. In another example, when a large enough cyber crime is committed, the bad news is spread incredibly rapidly among social networks, increasing the attention the cyber criminal receives. Additionally, the general anonymity offered by the Internet somewhat guarantees the crimes they commit won’t be associated with their personal identity – only if they hide their identity right in the first place, all of it in the comfort of their own homes, which makes cyber criminality an easy path to fulfill social interests.

By the way, hackers don’t actually wear Guy Fawkes masks when hacking because they turn out to be impractical. I mean, if they weren’t, I would gladly wear them when doing some bug bounty work! Despite their obstructive nature, they remain a good allusion to the anonymity the Internet gives you.

The cyber crimes themselves

Cyber crimes are incredibly varied. When we think of cyber crime, we usually think of things such as hacking bank accounts or illegally accessing someone’s data, but there is much more to it:

  • Doxxing, which is the malicious art of making otherwise hardly accessible personal identification easily accessible. While not a crime as long the information obtained was from the publicly accessible Internet, it is a tactic widely used by cyber criminals to socially, economically or physically injure the criminal’s opponents. Those well versed in digital security and online privacy are the toughest to dox, whereas those with little knowledge in information technology tend to be easily doxxable. When the information within the dox is not publicly accessible, which implies that the information was obtained from an illegally accessed resource, the act of doxxing is illegal and the information itself is illegal: in Canada, the Personal Information Protection and Electronic Documents Act enforces protection of undisclosed personal information; in the United States, there is the RICO act, the FERPA, the Privacy Act of 1974, the CFAA (which has been amended four times since 1984), the ECPA, the Federal Information Security Management Act of 2002, and much more, all of which contributes to the overall illegality of doxxing. I’d also like to mention and cite this article written by Mary Mock of the the Reeves Law Group, which further explains the legality of doxxing in the United States.


Most victims of doxing should also look to their state law. Much of the conduct that is considered “doxing” may fall under multiple state laws relating to cyber stalking, stalking, harassment, threats, or extortion (e.g., threatening to make information public if money is not paid). A doxer can also be charged if he illegally obtained the data about his victim, such as from protected government databases.


  • Spying, which is classically done via malware known as spyware. Spying on users via malware isn’t exactly new, but it is a tactic that has been revived and renewed by the new generation of cyber criminals, under the name of remote administration tools, otherwise shortened to RAT(s). Disguised as legitimate tools for monitoring remote users (think of school teachers wishing to supervise the work of its pupils), they are in fact well-hidden, easily accessible and cheap tools mostly used by cyber criminals to remotely view the files of users, obtain their information or damage their computers. Not only are they easily accessible, but they are easily made as well. With sufficient knowledge of a programming language (C# is a popular choice of many spyware developers nowadays) and networking, it is surprisingly easy to write a covert program allowing a remote user to illegally control computers. Fortunately, the legal consequences of writing and spreading spyware is much more accurately defined in the law than doxxing, and if the malware is destructive enough, may result in many years in prison in most modern countries.

In July 2017, Huddleston pleaded guilty to charges of aiding and abetting computer intrusions by developing, marketing and distributing a prolific remote access Trojan called NanoCore RAT, as well as “Net Seal” licensing software. Huddleston had faced a prison sentence of up to 10 years. NanoCore was designed to steal information from PCs, including passwords and emails; access, modify and obtain copies of any files on the PC; surreptitiously activate webcams to spy on victims; as well as log keystrokes, according to court documents.

NanoCore RAT was tied to attacks in at least 10 countries, including 2015 attacks against energy firms in the Middle East and Asia. Huddleston originally claimed that NanoCore was a legitimate remote access tool designed to allow IT administrators to remotely manage their networks. After he was arrested in early 2017, attorney Travis Morrissey, who represented Huddleston at his bail hearing, told the Daily Beast’s Kevin Poulson that the defendant shouldn’t be held responsible for a legitimate product that buyers used in an illegal manner. “Everybody seems to acknowledge that this software product had a legitimate purpose,” Morrissey said. “It’s like saying that if someone buys a handgun and uses it to rob a liquor store, that the handgun manufacturer is complicit.” Prosecutors, however, argued that Huddleston intentionally developed and sold the software for criminal use, making it a remote access Trojan. “Huddleston designed the NanoCore RAT for the purpose of enabling its users to commit unauthorized and illegal intrusions against victim computers,” Assistant U.S. Attorney Kellen Dwyer wrote in a 14-page indictment unsealed in 2017.

The Nanocore remote administration tool. Its developer has been arrested for developing it.
  • Booting, which is in short DDoSing. DDoSing has always been the bane of website stability since the Internet became a thing, but recently, it has been easier than ever to boot a website off the Internet (and so in even more powerful attacks), and due to this, some services such as CloudFlare or Fastly were designed in order to provide sufficient mitigation for huge DDoS attacks. Today, cyber criminals wishing to access the powers of DDoSing can simply buy themselves a monthly subscription to their favorite booting service, input the IP address or the domain of the website they wish to temporarily take down, set the output bandwidth and the amount of time they wish to conduct the attack, press a button and sit back and enjoy the power of dozens of gigabits per second being sent to a single website. It is currently considered by many to be the easiest way to commit a cyber crime, as you can gain access to immense amounts of power in under a minute in certain cases. Before, the efficiency of booting was limited to the power of your home connection (and since your home connection was rarely secured against identification, a mere call to the nearest police department or the FCC was enough to get you arrested), but now underground companies are renting huge arrays of servers dedicated to booting, and making them up for rent to any power-hungry cyber criminal. Fortunately, booting is illegal in most modern countries. In the United States, the CFAA has explicit causes against booting and they are used widely by entities wishing to take down both booter users and the booting services.

There are many more cyber crimes you can possibly commit, but those seems to be in vogue lately, which is a shame.

Solutions to this criminality

To me, and to multiple agencies also utilizing this, the best solution is to reform their technological talents into a set of job-worthy skills. Most of cyber criminals slowly developed a background in information technology and even programming, which are today knowledge and skills that are increasingly being needed as the technological world grows. The NSA, with all of their cyber security research programs, has been actively hiring hackers and cyber criminals to aid them in their research. Turning cyber criminals into professional security researchers guarantees an even safer digital world and, of course, a reduction in cyber criminality overall.

And it doesn’t have to stop to cyber criminals too, but also gray hat reverse engineers: when someone persistently finds vulnerabilities in your product for his own purposes (and becomes really good at it), it’s always an interesting opportunity to hire this person as a security researcher slash developer. If he is able to easily locate the worst of vulnerabilities, then he should be able to fix them, too. Not only would you get rid of his exploitation, but you would end up furthering the security of your software, web service, platform, et cetera. Neat!

In short,

there is a recent increase in young cyber criminals. This is partly due to the social conditions of the new generation and the omnipresence of technology in everyday life, and also because cyber crimes and general illegal acts are becoming easier to commit, not forgetting the increasing amount of easily-accessible cyber crime tools. However, if we are to consider this increase in cyber criminality an opportunity to train the next generation of security researchers, we could turn this unfortunateness into the next generation in safe technology and privacy.

Copyright Infringement and Reverse Engineering

Some of the subjects I speak and write about concern reverse engineering, which to some individuals may sound like blatant copyright infringement. While the act of reverse engineering a copyrighted product is not itself illegal, using material produced from reverse engineering may be illegal depending on how you obtain, use and reverse the software. Fortunately, me and my company’s reverse engineering philosophy is fully legal and non-infringing as it is based on the following aspects:

  • Clean room design. I do not reverse engineer products and re-implement their functionality into a separate product for profit, but when I have to re-implement certain features in order to properly analyse the software I’m researching, I usually do so by following clean room procedure: studying the original mechanism implemented by the software, writing a specification of what I studied without using any copyrighted material from the software then reproducing its behavior in my own original code. My digital security research and software engineering company, Synapse, also follows clean room design reverse engineering.
  • Interoperability research. In most jurisdictions, it is entirely legal to reverse engineer software in order to implement interoperability between the software and my own. Most of my work consists of indeed achieving interoperability between the software I research and my own programs/libraries, and sometimes I do it in order to achieve interoperability between old hardware devices and modern operating systems. For instance, lately, I’ve been reverse engineering a magnificent Way Tek Mk06 trading keyboard in order to make it compatible with my Windows operating system. There isn’t any publicly available driver for the keyboard and the connector box for the keyboard so I’m practically forced to develop my own.
  • Not infringing digital rights management. My reverse engineering philosophy does not constitute circumventing digital rights management. For instance, I will never attempt to “crack” a video game. It’s neither the objective of my company, Synapse: we have no interest in circumventing DRM whatsoever.

With that being said, the term “reverse engineering” usually implies that the material you will analyze will inevitably be reused. Most of my reverse engineering does not constitute of reusing reversed components, I mostly do it for analysis, research and writing specifications for protocols, unless I am trying to achieve interoperability between two software components in which case my right to reverse engineer is protected by the law in most jurisdictions.

In case you are a learning software reverse engineer, the best tip is that if you don’t exactly know the legality of your reverse engineering, it’s best to stop for now and ask. The overall legal aspects of reverse engineering software is a huge gray area and while the law is concrete on some aspects, it’s vague in others. The best we can do is simply be more legal, for we don’t know if we can be legal.

Lua 5.1 security and commercial obfuscation solutions

As Lua is slowly but surely becoming the world’s foremost solution for embed scripting languages in gaming engines and production software alike, protecting the innards of the language is increasingly becoming important as well. Leaving the language fully unprotected opens a vast number of weaknesses, ranging from mere modifications to the software’s logic (such as modifying the interface’s look and feel) to cracking the program’s license validation algorithms. In the case of the video gaming world, abusing poor Lua security leads to cheating and changing the game’s rules, which is an evidently big no-no in today’s popular MMOs.

The matter of the fact is that Lua itself is insecure by design. Compare Lua to, say, C or C++. The latter are languages that usually compiles to a binary format normally difficult to reverse by most engineers, which under proper conditions leave no debugging information or readable information about the code whatsoever, whereas Lua compiles to its own bytecode format which includes:

  • The name of each and every variable used in the script.
  • An entire package of debug information necessary for debugging and error messaging, which can reveal bits of the script’s own source code in certain cases.
  • A list of the constants used in the script.

Combine the above with Lua’s incredibly simple instruction set and you got a language that is easy to read by a machine and by a human being. Fact is, Lua 5.1’s power stems from its virtual machine, powered by an instruction set constituted solely of 36 instructions, leaving practically no room for complex optimization or compilation. Due to that simplicity, it’s very easy to automatically convert a set of Lua instructions back to its original source code. When compared to the complexity and optimizability of x86, Lua’s instruction set lacks a grand amount of features. This doesn’t make Lua any less powerful though, it just means that Lua’s insides are very simple and thus easy to learn by beginners new to programming (or, well, beginners new to looking at how a runtime language works). 

While its simplicity is a good thing for hobbyists, it’s certainly not for the commercial scene. If you wish to build commercial software in Lua, then without modifying the core of Lua itself to include some additional security you can kiss goodbye your digital rights management. Let’s list a number of reasons why the commercial scene despises Lua for programming commercial software:

  • Lua is incredibly simple to reverse. If you want to protect your application from pirates, you must make pirates unable to interface with your Lua runtime in any way, which is impossible to do out of the box as Lua does not offer any API protection. In fact, poor program design combined with Lua could lead to your application’s source code being revealed to a competent reverse engineer.
  • Lua is a runtime language. While it is certainly possible to build your entire software with Lua (especially with implementations of Lua such as LuaJIT), it cannot compile to a binary format by itself. You’ll need to build a bootstrapper for your Lua source code or bytecode if you wish to write software in the language. This alone can create a number of security holes provided your bootstrapper is not secure.
  • Lua functions are objects, thus hardly protectable. Say that it is in your interests to redirect Function A to your own Function B. In most instruction sets, subroutines and their instructions are stored directly in memory, making it complex for malicious software to overwrite the function.
    • Most of the time, reverse engineers will write code that will hook the function instead of overwriting it. That is, they will place a jump instruction at the very beginning of the function (detour) or somewhere within the function (mid-level hook) that will jump to the reverser’s function, acting as a “replacement” even though the entirety of the function wasn’t overwritten.
    • Of course, that’s not the only way to hook functions. For example, if the program makes extensive use of C++ virtual classes with a compiler such as MSVC then a reverse engineer can hook individual methods within what is called the virtual method table in order to redirect method calls. That’s one example many others.
    • In Lua’s case, functions are stored as movable objects. In other languages, as I said above, you usually need to hook a function to redirect its flow. However, since every Lua object is overwrittable, you can simply invoke code such as A = B (or use Lua’s own language API, with functions such as lua_xmove) to overwrite values and, consequently, entire functions. If the program stores a function in value “ABC”, then in order to replace the function all the reverse engineer needs to do is execute a script setting ABC to its own value, thus overriding and replacing the function and changing the software’s behavior.
  • Lua includes its compiler in the runtime. Even if you make your software incredibly secure, some programmer may just invoke Lua’s own vulnerable API to run his own unsigned Lua code. After all, all it needs to run that code is a call to loadstring and pcall.

Considering that Lua does not offer its own protection, it is up to individuals to implement such security. Thankfully, Lua’s relatively simple internals makes it easy for a developer to secure the runtime. However, Lua’s own API will always be a weakness vector unless you remove it. It offers a complete interface to the language, which means that even if you were to, say, remove the compiler from the runtime, you can still use the internal API to achieve results equal to a Lua script. And even then, removing the compiler in itself does not mean you cannot execute Lua. After all, you can simply download the Lua source code and compile your own bytecode before feeding it to the client’s runtime of the language, rendering code removals useless.

Truly securing Lua: implementing an obfuscated instruction set

If a company offering commercial software truly wishes to secure its Lua runtime, then the only foreseeable and secure way to get those pesky hackers on their toes is to change the Lua instruction set and internal structures. Changing both of those elements fundamentally changes the internals of the language to the point the original runtime cannot interface correctly with it. And guess what? That’s what imagination company Roblox did to secure its platform.

Roblox’s anti-cheat solution is severely underrated. In usermode, it’s completely capable of detecting memory editing, page permission changes, virtual method table hooks, binary injection, illegal software (such as Cheat Engine), foreign VEH handlers, foreign SEH handlers, a variety of usermode+kernelmode debuggers and much more. You would classically expect those features from a kernelmode anti-cheat solution such as EAC or BattlEye, but Roblox managed to do it all from usermode. In addition to all this, they severely modified their Lua runtime. In fact, they replaced the entire bytecode format with their own and changed the instruction set to a set of randomized values, which is obfuscated at compile time and deobfuscated at runtime.

Just like Counter-Strike: Global Offensive, Fortnite, PU:BG and a variety of online games, Roblox has its own cheating scene. Now, unlike those aforementioned games, knowledge about Roblox’s internals and its anti-cheat is very scarce. This is partly because most of the cheats for the game were written by a couple of young organized programmers who keeps their sacred knowledge to themselves, mainly for commercial purposes. While I can personally admit that reversing Roblox and producing cheats for it is very hard, which can lead to people not wanting to publicly release their research (especially if they want to profit from it after all), it incredibly sucks for newcomers that wishes to reverse Roblox and develop cheats for it. In fact, those veteran developers are not very welcoming either…

Putting anecdotal experience aside – the point is that Roblox did a lot to secure their platform. Today, I’m going to demonstrate what Roblox did to their Lua runtime, and how other commercial entities wishing to secure their own can reproduce such changes to ensure their own implementation of Lua is protected and partially safe from hackers.

The compilation scheme, bytecode format and instruction set of Roblox’s Lua

In untouched, fresh-out-of-the-tar-gz Lua, the compiler is included. Usually, in order to run Lua scripts, you need to compile it using the API and execute it, which is done through functions such as luaL_loadstring and lua_pcall. Roblox, not wanting hackers to run their own unsigned Lua scripts on their platform, stripped the runtime of its compiler and moved it to the server.

You see, Roblox is a platform that allows individuals to build their own games in Lua using an application called Roblox Studio. In order to play those games, you need to go on their website, choose a game from the game list and press the big “Play” button. Doing so launches the Roblox client, which connects to a remote server (called the RCCService, “Roblox Compute Cloud Service”) and allows the player to play the game. It is during this connection that the scripts are compiled on the server and then sent to the client in a bytecode format, which is then unserialized and ran whenever the client requests it. The bytecode format in question differs greatly from the original Lua format, not only in layout but also in content: certain things are not excluded, which reduces the over-all size of the bytecode while also making it harder to reverse.

The bytecode format, along with the instruction set, is heavily obfuscated and encrypted. Using a number of compression algorithms and weird bitwise operations, the bytecode format and the custom instruction set is incredibly difficult to understand (I mean, they didn’t add or remove any instructions, but they did change the behavior of some while moving certain instructions around and obfuscating them behind bitwise obfuscation). Case in point, it would require a degree in computer sciences to fully understand the deobfuscation algorithms for the instruction set… for those hackers I mentioned earlier, it did.

The only exception to the above is code that MUST be on the client at all times, and mustn’t change. In Roblox, CoreScripts are trusted Lua scripts that operates vital user interfaces, and those scripts, while being in the encrypted format, are not downloaded from the server. Instead, they are embed directly into the client and executed at runtime.

Changes to the Lua internal structures

When you compile a structure with MSVC (or any C/C++ compiler for that matter), the layout of the structure in memory is usually equal to the layout specified in the source code, discarding alignment.

typedef struct
{
    int an_integer;
    double a_double;
    const char* a_c_string;
} example_structure;

turns into

.STRUCT example_structure
    DW an_integer ?
    DD a_double ?
    DW a_c_string ?

When you compile the Lua runtime, it will compile code based on the structure definitions of its own code… obviously. Leaving those structure definitions as they are would open additional security weaknesses, considering reverse engineers can simply take a peek at the Lua source code and learn how the program’s Lua data is structured internally. Roblox dismisses this vulnerability by simply changing the structures’ fields around, requiring hackers and reverse engineers to figure out how data is structured the Roblox-way, which is a pain and time-consuming.

In addition to all of this, Roblox also obfuscates pointers using simple addition/subtraction arithmetic. This is obviously not difficult to figure out, but can be nonetheless surprising to those reversing Roblox’s platform.

Summing it all up

Roblox does much more to secure their platform than what I wrote on this page, but this should cover a good amount of their Lua-related security. If you want a to-do list to protect your Lua runtime for commercial applications, it would look something like this:

  1. Strip the compiler from the runtime linked to your application, forcing it to accept only precompiled bytecode of your own format.
  2. Reimplement the Lua instruction set to ensure incompatibility with the original implementation, adding in bitwise obfuscation and other algorithms making it difficult to reverse the instruction set.
  3. Change the structures’ members around within their struct definition, making their layout incompatible with original Lua code. Additionally, obfuscate pointers to confuse reverse engineers.

This, of course, requires an additional level of automaton, both for compiling your code and for obtaining it (if you are following Roblox’s server-to-client bytecode transfer model). Nevertheless, I believe it’s worth the effort if you want to properly secure your Lua runtime! It worked for Roblox, it can surely work for you in this situation.