bgcable-blog1
COMP6841
bgcable-blog1 · 6 years ago
Security Everywhere
[image]
I found this at UNSW, where a construction worker had just left their high-vis shirt lying around. My first thought was that someone could take this home and, once there, dry it off or wash it. Then they could use it to impersonate a construction worker to obtain access to otherwise restricted areas. Furthermore, its location was quite secluded, which makes it that much easier for an attacker to steal.
bgcable-blog1 · 6 years ago
SA - Toddler’s Bottle: col
[image]
We are given this program; as you can see, we need check_password to return the value of hashcode (0x21DD09EC). A string of 20 characters is passed to the function, where it is converted into 5 integers. My first thought was to check if the hashcode is divisible by 5, as then we could just repeat a 4-letter string 5 times. Unfortunately, its decimal value is 568134124, which clearly isn’t divisible by 5. However, we can represent it as 4 * 113626825 + 113626824; maybe converting these back to hexadecimal and then inputting the raw values will give us the answer?
[image]
Unfortunately, this wasn’t the result. After checking the numbers on paper, the hexadecimal values do add up to the correct amount, so I’m unsure why it isn’t working... After trawling through the Wikipedia page on integers (https://en.wikipedia.org/wiki/Integer_(computer_science)) I came across this:
[image]
Reading through this showed that maybe I had to change the order in which the bits were being stored in memory. I spent about 15 minutes trying to convert the hex code to binary and then reversing it, after which I realised that \x06\xC5\xCE\xC9 in the opposite endianness is just \xC9\xCE\xC5\x06, making things much easier. Thus the two hex “strings” I had to use were \xC9\xCE\xC5\x06 (four times) and \xC8\xCE\xC5\x06 (once); after trying this I was successful!
[image]
Note that the order in which the hex strings are placed doesn’t matter, as the string gets split up into 5 parts. Therefore, so long as they stay within the integer boundaries, it would work. For example:
[image]
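The arithmetic above worked through in Python, as an added example that is not code from the original post or from the challenge: check_password is an assumed re-implementation of the checker as the post describes it (five 32-bit integers summed, little-endian, wrapping modulo 2**32), split_target produces the 4 × 113626825 + 113626824 split, and the little-endian packing that worked is compared with the big-endian attempt that failed.

```python
import struct

# Target value from the post (the hashcode check_password must return).
HASHCODE = 0x21DD09EC


def check_password(buf: bytes) -> int:
    """Assumed re-implementation of the checker the post describes: the
    20-byte input is reinterpreted as five 32-bit integers and summed.
    The post's trial showed the machine is little-endian, and a 32-bit
    unsigned sum wraps modulo 2**32, so the same is done here."""
    if len(buf) != 20:
        raise ValueError("input must be exactly 20 bytes")
    words = struct.unpack("<5I", buf)  # five little-endian unsigned 32-bit ints
    return sum(words) & 0xFFFFFFFF


def split_target(target: int, parts: int = 5) -> list:
    """Split target into `parts` integers that sum to it exactly: q + 1 for
    the first r parts and q for the rest, where q, r = divmod(target, parts).
    For 0x21DD09EC this gives 4 x 113626825 + 1 x 113626824, as in the post."""
    q, r = divmod(target, parts)
    return [q + 1] * r + [q] * (parts - r)


def build_input(target: int = HASHCODE) -> bytes:
    """Pack the parts as little-endian 32-bit words, the byte order that worked.
    Assumption: the input reaches the program as a C string, so a part
    containing a 0x00 byte would be cut short; that case is rejected here."""
    buf = b"".join(struct.pack("<I", w) for w in split_target(target))
    if b"\x00" in buf:
        raise ValueError("a part contains a NUL byte; pick a different split")
    return buf


def big_endian_attempt(target: int = HASHCODE) -> bytes:
    """The post's first (failed) attempt: the same words written in the byte
    order they appear on paper, i.e. big-endian."""
    return b"".join(struct.pack(">I", w) for w in split_target(target))


if __name__ == "__main__":
    good = build_input()
    print(good.hex(), hex(check_password(good)))  # sum equals HASHCODE
    bad = big_endian_attempt()
    print(bad.hex(), hex(check_password(bad)))    # sum does not equal HASHCODE
```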
bgcable-blog1 · 6 years ago
Case Study: The Stargate Ghost Problem
[image]
You’re an army major and all of a sudden an alien appears from some portal technology, claiming that the soldier you’d sent through not 5 minutes earlier has been disincorporated and can only communicate through them. What should you do? This was the dilemma presented during our analysis session this week, and we were asked to create a protocol that would allow the major to securely communicate with the soldier. This involves many aspects of security, such as authentication and integrity. After doing some brainstorming, my group decided to split up by the attitude of the alien: we considered whether it was hostile or peaceful. Note that the major and soldier don’t know the alien's alignment in either case!
[image]
Peaceful: First the major (M) asks the invisible man (IM) to go into a room with him that is separate from the alien (in such a way that it is entirely unaware of what happens inside!). M then tells IM an encryption key for a one-time pad and asks him to say something that only he and IM would know. Note this relies on the assumption that they have a shared secret. M then asks IM to encrypt his response using the key and to tell the alien the encrypted message. IM tells the alien, who then passes the message on correctly (as we are assuming they are peaceful and thus don’t want to impede communications), which M decodes and confirms is something only IM could know if they were the claimed soldier. Next, communications can occur between IM and M, although they must still use the OTP key as they don’t know that the alien is peaceful.
[image]
Hostile: This case is much more interesting and harder to analyse, as depending on the alien’s own deductive reasoning many outcomes can occur. The first thing that should happen from a security perspective is to lock up and restrict the alien such that its only possible action is to communicate. Next, we attempt to authenticate the identity of the soldier using the same method as in the peaceful protocol. If the message told by the alien doesn’t decode to something meaningful then IM’s identity cannot be verified; as such, the alien should be kept in holding until a meaningful message is given. Once a meaningful message has been given, so that we have authenticated IM, we can proceed to establish a conversation. At this point, we need to worry about the alien tampering with the message; however, if we use a redundant message as well as OTP encryption then this can be mitigated, and thus we have set up a communication channel between M and IM. Now to get a bit meta: if the alien was smart it would realise that all the above is a possible way for it to be prevented from engaging in hostile behaviour through miscommunication. Thus the only option it has is to not say anything! Moreover, if we consider it from M’s perspective, he must also come to this same conclusion, so if the alien comes through and doesn’t say anything they must eradicate it immediately! Thus if the alien does attempt to communicate then it is either peaceful or hostile but lacking in strategic thinking.
So overall the hostile protocol should be used until it can be established that the alien is acting peacefully (I’m not actually sure if it could ever get to this point!), at which point the remainder of the peaceful protocol should be used. Furthermore, the given protocols have most likely made assumptions or mistakes that allow them to be circumvented; this is indicative of the general problem of authenticating someone!
bgcable-blog1 · 6 years ago
SA - Toddler’s Bottle: shellshock (Updated)
We are given the files:
[image]
With the contents of shellshock.c:
[image]
Looking through the man page for bash, I found that the -c option allows a command to be run immediately when the shell is executed. I’m thinking that I may have to exploit this by changing the string passed to the shell. I tried using gdb to see if I could use it somehow but was greeted with:
[image]
I think I’ll have to investigate further into how I can alter the string.
Update: After talking to a friend, I found out there exists a vulnerability in older versions of bash called Shellshock. Looking through the Wikipedia page for the vulnerability (https://en.wikipedia.org/wiki/Shellshock_(software_bug)) I found that it can be exploited by adding commands to the end of a function definition in environment variables. There was an example:
[image]
Modifying this slightly I tried:
[image]
Unfortunately, the flag file wasn’t read; I’m not sure why it isn’t working. I’ll have to continue looking into the Shellshock vulnerability.
bgcable-blog1 · 6 years ago
SA - Toddler’s Bottle: blukat (Updated)
We are given the files:
[image]
With the contents of blukat.c being:
[image]
After looking at the code for 5 minutes or so, I realised that when fgets gets input from stdin it takes up to 128 characters, but buf can only store 100. Furthermore, the password array is right above flag on the stack, so I think we can use a buffer overflow attack to get the string comparison to return false. I’ve devised the string "a\0\0...\0\0a\0", where there are 99 null terminators between the "a"s. After trying `python -c "print('a' + '\x00'*99 + 'a' + '\x00')" | ./blukat` I was unsuccessful and given the message:
[image]
At first, I wasn’t sure why this wasn’t working and proceeded to scour the Wikipedia page on buffer overflow protection (https://en.wikipedia.org/wiki/Buffer_overflow_protection). I realised that canaries could possibly be used to prevent my attack from succeeding. To get past this, I need to figure out a way around the canary, possibly by determining its value, which I can then just overwrite with itself. Unfortunately, after many failed attempts, I’m still not sure how to get the canary’s value.
UPDATE: After driving myself crazy trying to determine the value of the canary, I discovered that I could actually read the password file! It was sneakily disguised, as the actual password was:
[image]
which made it seem like it was unreadable; however, after opening it in vim to double-check, the password was clearly readable.
Extra: Just for fun I thought I’d go through XORing the strings together to check that the output is what is in the password file. After passing the password file through a pipe as stdin to the blukat program, we are given the result:
[image]
The C code below simply XORs the strings together.
[image]
Which outputted:
[image]
Which is what we expected!
bgcable-blog1 · 6 years ago
SA - Toddler’s Bottle: leg
This challenge involves analysing some assembly and determining the values produced by inline assembly:
[image]
key1(): The inline assembly (IA) shows that the 3rd register is set to the value of the pc register (program counter). I’m not sure how this returns a value to the function or how I can find the value of pc.
Inline x86 Assembly C: I’ve found that the newlines in the IA are simply there for style and can be ignored. Also, in all the key functions the r0 or return value register is set to the value of r3.
key1(): We now know that key1() returns the value of pc. After researching how to find this value, I realised that the address of the instructions is given in the asm file! Note that the program counter holds the address of the next instruction, so we can see that the returned value must be 0x00008ce4.
[image]
key2(): The ‘push’ instruction places that register on top of the stack. Also, the $ allows for the immediate value to be used, i.e. $1 = 1. So r6 is given the value of pc + 1, which by looking at the asm file we can see is 0x00008cfc + 1. I can’t seem to find anything on what the “bx” instruction does; however, I remembered that the only register we should be watching is r3! It is only modified twice, once setting it to the pc and then adding 0x4 to it. Thus we have that r3 = 0x00008d0c + 0x4, which is the value key2() returns.
key3(): r3 is just set to the lr register, which is called the “link register”; it holds the address the function should jump back to when it completes. So we must find where key3() is called in the main function. Looking through the asm file, I found that 0x00008d7c is where key3() is called. Thus it should also return this value.
So the final value that must be given to the running program is 0x00008ce4 + 0x00008d0c + 0x4 + 0x00008d7c. The result of this addition is 0x1A770 which has a decimal value of 108400.
[image]
bgcable-blog1 · 6 years ago
Discussion - Government Surveillance
Today our analysis session was spent debating both sides of whether the government should increase the amount of surveillance that we currently have in Australia. I personally thought that we shouldn’t increase how closely citizens are watched. I’ve come up with some points that address those brought up by other people in the class today:
[image]
Monitoring to detect criminals: “If we have more surveillance then the likelihood of catching criminals goes up and it also acts as a deterrent”. This solves the symptoms but not the actual problem. For example, if someone commits murder and they are caught on tape, they’d be sent to prison. While identifying the perpetrator is good, it’s not going to bring their victim back, unfortunately. Surveillance can only act after the fact, which really makes it a deterrent and not an actual way of preventing crimes (unless we go full Minority Report!). As such I think there are better avenues available to curb crime, which don’t require citizens to relinquish their privacy.
[image]
Information gathering: “All surveillance does is gather information and you need information to make decisions”. I think we can all agree that information is required to make decisions, however, the type and breadth of the data is important. Governments should be making decisions at a macro level, not an individual one, as micromanaging individual citizens doesn’t seem feasible.
[image]
Information Protection: “Procedures are in place within the government to prevent misuse of collected information”. All I have to say is that procedures are only as good as the people following them. Also what happens if a new government comes in and repeals the procedures? I think there are too many unknowns to make this call and trust the government will responsibly handle our information.
The below points are standalone:
[image]
Single Point of Failure: Information all in one place is a single point of failure. Assume the government is completely benevolent with our data; this doesn’t prevent another entity from attacking/obtaining this information. Furthermore, this information has unlimited value, as it presents opportunities for blackmail, targeted biological weapons and gaslighting. Moreover, all this assumes that the government is acting in everyone's best interest! Imagine then if they weren’t...
[image]
Human Spirit: Suppose that we were all monitored constantly and incessantly, how would this affect us psychologically? A simple example of this is doing a presentation, many of us get nervous from the attention. There seems to be something quintessential about our natural aversion to being watched, maybe this has something to do with being watched by a predator? Regardless I think that our mental health would suffer and as a result, reduce our liberties. Could you live the rest of your life being constantly watched?
[image]
Black Mirror: “The Entire History of You” is a Black Mirror episode which touches upon the idea of being endlessly watched through your own eyes and those around you. I highly recommend checking it out, it gave me new insights into the issue on both sides.
Overall I think it’s clear that government surveillance should not be increased as the risks significantly outweigh the benefits. 
bgcable-blog1 · 6 years ago
Crypto Terms
As one of the activities this week we needed to research and define the following terms:
- Confusion: There must be a complex relationship between the key and ciphertext. In other words, each character of the ciphertext should depend on multiple parts of the key.
- Diffusion: This is the property that the statistics of the plaintext are not represented in the ciphertext. The more diffusion, the harder it is to perform a statistical analysis of the ciphertext to gain information about the plaintext. For example, a substitution cipher is not diffuse, as there is a one-to-one matching between characters, which makes it very vulnerable to frequency analysis.
- Avalanche Effect: If a small change is made in the plaintext, then a large change should occur in the ciphertext. Generally for every 1 bit changed in the plaintext, 50% of the bits in the ciphertext should change.
[image]
- SP Boxes/Networks: This is also known as a substitution permutation network, which is used in block cipher algorithms. It takes a block of plaintext and the key, which are applied in a series of substitutions and permutations to produce the ciphertext. As you can see in the graphic above substitutions are applied (the “S-Boxes”), which are then scrambled (the “P-Boxes”). This process is repeated multiple times which finally outputs the ciphertext.
- Feistel Networks/Cipher: A symmetric structure used in the construction of block ciphers. Pretty much it encrypts plaintext in “rounds”, so it just repeatedly encrypts the plaintext using a different “subkey” which depends on part of the plaintext.
- Block Ciphers: A deterministic algorithm which operates on a fixed-size group of bits (a block). I.e. it encrypts plaintext in chunks.
- Stream Ciphers: Technically the same as a block cipher, but each “block” is a single unit of information (could be a digit or a single bit). For any given plaintext we have another pseudorandom text of length at least as large as the plaintext. Each bit of both texts is combined together to produce the ciphertext; when combining on the bit level, XOR is an example of a function that could be used.
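To make the diffusion and avalanche definitions above measurable, here is an added example (not from the original post) that flips each input bit in turn and counts how many output bits change for three functions: a toy byte-substitution cipher (no diffusion), a toy XOR stream cipher as defined above, and SHA-256, which is a hash rather than a cipher but shows what a full avalanche effect looks like. MESSAGE and KEY are constructed sample values, and both toy ciphers are this example's own, not real algorithms.

```python
import hashlib

MESSAGE = b"comp6841 crypto!"   # constructed 16-byte sample plaintext
KEY = b"constructed-key"        # constructed key for the toy stream cipher


def substitution_encrypt(data: bytes) -> bytes:
    """Toy monoalphabetic substitution over bytes: every byte value maps to one
    fixed other value (an affine map; gcd(7, 256) = 1 makes it a permutation).
    Changing one plaintext byte therefore changes exactly one ciphertext byte."""
    table = bytes((7 * b + 3) % 256 for b in range(256))
    return bytes(table[b] for b in data)


def stream_encrypt(data: bytes) -> bytes:
    """Toy stream cipher as the post defines it: XOR the plaintext with a
    keystream at least as long as the message. The keystream here is SHA-256
    of KEY plus a counter, repeated as needed (a toy, not a real cipher)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(data, stream))


def sha256(data: bytes) -> bytes:
    """Built from the same confusion/diffusion ideas; used as the reference
    for what a good avalanche looks like."""
    return hashlib.sha256(data).digest()


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with bit `index` (0 = lowest bit of byte 0) flipped."""
    buf = bytearray(data)
    buf[index // 8] ^= 1 << (index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which a and b differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def changed_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions in which a and b differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


def avalanche_ratio(func, message: bytes) -> float:
    """Average fraction of output bits that change when one input bit is
    flipped, taken over every bit position of the message. 0.5 is the ideal
    from the definition above; a substitution cipher stays near zero."""
    base = func(message)
    out_bits = len(base) * 8
    in_bits = len(message) * 8
    total = sum(hamming_distance(base, func(flip_bit(message, i)))
                for i in range(in_bits))
    return total / (in_bits * out_bits)


if __name__ == "__main__":
    for name, f in [("substitution", substitution_encrypt),
                    ("xor stream", stream_encrypt),
                    ("sha256", sha256)]:
        print(f"{name:12s} avalanche ratio = {avalanche_ratio(f, MESSAGE):.3f}")
```

Note that the XOR stream cipher scores even lower than the substitution cipher: each flipped plaintext bit flips exactly one ciphertext bit, which is why stream ciphers need a separate integrity check.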
bgcable-blog1 · 6 years ago
Case Study: Cyber Warfare
This week we had to make 10 recommendations for reducing our vulnerabilities to attacks over the internet. My group began by identifying the mechanisms through which an attack could impact citizens. Power, food, water, military defenses, and currency were what we focussed on most; our recommendations were as follows:
1. Decentralise our power generation. Almost everything in modern times relies on electricity one way or another; as such it is important that it is guarded. Initially, we thought about disconnecting power stations from the internet (i.e. air gap them). However, we realised that while this may reduce the chance of an attack it still doesn’t completely protect it. For example, if an employee’s phone was infected and was then able to connect to the power plant’s systems, an internet attack could still be feasible. After coming to this conclusion we recognised it as a single point of failure. To mitigate this risk, decentralising power generation would be effective in shielding it from attack. Imagine all businesses and homes had their own independent renewable sources of energy; then it would be almost impossible to attack the grid.
2. Military defenses should be air-gapped from the internet, as this seems like the only feasible way to drastically reduce the chance for a digital attack. Also in the case that our communications were disrupted, ham radios could be used as a backup which would be very hard to interfere with through a digital incursion.
3. Defection poses a large risk as it is quite possible and changes the paradigm through which an attack could occur. For example, the use of blackmail by an attacking country could convince Australians to act against the country’s best interest. Furthermore, defection doesn’t have to be a stark attack against Australia but could be much more intangible, such as using propaganda to sow dissent among citizens. To combat this we recommend informing people of the dangers that online misinformation can cause. Moreover, attacks of this nature are likely to be targeted at younger adults and even possibly children, which reinforces just how important it is that citizens are aware that they may be being manipulated.
4. Currency: if Australian banks were compromised in an attack this could be catastrophic, as this would likely lead to riots and a much higher rate of crimes related to theft. For example, if ransomware was able to infect the banks’ systems, making people unable to spend or access their money, this would prevent people buying supplies necessary for their survival. As a result, we recommend decentralising the banks’ systems such that if a single bank goes down then others are still able to operate. Moreover, daily backups of data should be made and then air-gapped from networks, such that in an absolute worst case scenario everything could be rolled back.
5. Water is a resource that we all need to survive; as such it presents a large attack vector. Such an attack would likely involve preventing correct operation of water purification systems and the pumps responsible for supplying the water. In the case of purification systems not operating correctly, it seems feasible that everyone just boils their water (this is what happened during a giardia outbreak in Sydney’s water supply). As for the supply of water, once again decentralisation seems to be the most effective measure. In rural areas, many people have their own water tanks which can provide a temporary supply until a makeshift solution can be devised. However, in population-dense areas this wouldn’t be feasible as not everyone has the space for tanks. We propose a communal tank for multiple buildings/houses; implementing this will be difficult, unfortunately.
Clearly we didn’t manage to make 10 recommendations, even so, I think those that were presented have a good chance of hardening our defenses against cyber attacks.
bgcable-blog1 · 6 years ago
5G Networks
Dear CEOs,
I have deemed it necessary that Huawei is prevented from building their network in Australia. Below I outline the main concerns and reasons for this decision:
[image]
Political Allies: The US has made it clear that they will be preventing Huawei from building a similar 5G network in their country. Moreover, the political landscape could be radically altered if we were to present a fractured relationship with the US. They have declared that our partnership could become strained if we were to build the network. Finally, China is an upcoming economic superpower whose tensions with the US may rise in the future; as such, it is of paramount importance that our alliances remain strong.
[image]
Security: This is the main issue, as the potential for vulnerabilities is quite high, since the relationship between Huawei and the Chinese government is unclear. In the event they were able to build their network, this could allow the surveillance of our citizens by the Chinese government, the result of which could be disastrous for the country. Furthermore, giving them control of our 5G network could allow them to intentionally slow it down or completely shut it off. I don’t need to explain how this is another attack vector with high potency.
PM of Australia.
bgcable-blog1 · 6 years ago
Analysis - Dropping The Bomb
Background: Two workers at a nuclear missile launch site performed a check using the wrong tool, which led to a socket piercing a fuel tank that then leaked and eventually exploded.
Important Assets:
What were the most important assets that required protecting? First and foremost would be the lives of the civilians, as the missiles were created to defend them. Next would be the lives of those working at the facility. Finally the reputation of the US government. I’ll now list how these assets could be protected from future disasters.
[image]
Civilians: Simply moving the launch site of the missiles to remote locations where there are little to no people would mitigate some of the negative outcomes. Furthermore ensuring that the location is heavily shielded so in the case of an explosion it doesn’t reach the surface. This is mainly because if the nuke had exploded the radiation alone could present a serious problem.
[image]
Staff: Ensure that in a disaster there is transport that could allow workers to escape. Furthermore, ensure that they have more training in regards to safety procedures and what to do in an emergency, as a lack of communication during the original disaster led to an ineffective attempt at controlling the situation.
[image]
America’s Reputation: The fact that knowledge of this event got released to the public seems to reflect poorly on the US government. At the beginning of the podcast, it is mentioned how the movie trope of missiles quietly sitting in their silos patiently awaiting their launch order to come through is not the case in real life. I would see it of benefit to the US government if this is how the public thought of it, as it provides more of a sense of security to its civilians. Moreover, it provides a good deterrent to enemies of the country as it presents them as being competent.
bgcable-blog1 · 6 years ago
OWASP - Cross-Site Scripting
XSS enables attackers to inject client-side scripts into web pages viewed by other users. For a simple explanation, consider if I asked you what your name was; I’m expecting you to give me a name. However, if you told me “sit on the floor” was your name, I would proceed to sit on the floor. This is effectively what XSS is: it allows you to tell a webpage to do something when you shouldn’t be able to tell it what to do. For example, during my time at high school we had a school portal which had a calendar application. By creating an event with JavaScript in the title, that code executed, which allowed us to change the colour of the page. Of all the security vulnerabilities in webpages, XSS accounted for 84% of all vulnerabilities in 2007. Even in more recent times it is still considered a major risk, so all website developers should ensure they sanitise their inputs to prevent this from happening.
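The calendar-title scenario above, as an added example in Python that is not code from the post or from the school portal it mentions: one renderer pastes the title into the page markup unchanged, the other escapes it for the context it lands in, and an HTML parser is used to show which elements each version actually creates. EVENT_TITLE and the function names are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed event title of the kind the post describes: a script in the
# title that recolours the page for whoever views the calendar.
EVENT_TITLE = "Exam <script>document.body.style.background='purple'</script>"


def render_event_unsafe(title: str) -> str:
    """Vulnerable: the title is pasted into the markup unchanged, so any tags
    in it become part of the page and run in every viewer's browser."""
    return f'<li class="event" title="{title}">{title}</li>'


def render_event_safe(title: str) -> str:
    """Hardened: escape the title at output time for both places it lands.
    quote=True also turns " and ' into entities, which is what stops a title
    from closing the title="..." attribute and adding its own attributes."""
    safe = html.escape(title, quote=True)
    return f'<li class="event" title="{safe}">{safe}</li>'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, approximating the elements a
    browser would build from the same markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup: str) -> list:
    """Tag names an HTML parser creates from the markup, in document order."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(render_event_unsafe(EVENT_TITLE))
    print(element_names(render_event_unsafe(EVENT_TITLE)))  # ['li', 'script']
    print(render_event_safe(EVENT_TITLE))
    print(element_names(render_event_safe(EVENT_TITLE)))    # ['li']
```

Escaping belongs where the value is written into the page, and the right escaping depends on the context (text node, attribute, URL, or inline script), which is why blanket "input sanitisation" on its own is not enough.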
bgcable-blog1 · 6 years ago
Case Study - Self-Driving Cars
This week we had to give a recommendation to the prime minister on whether self-driving cars should be allowed on Australian roads. Before this, we had to establish the assets that would need to be protected, as well as how they could be protected. My group came up with the following assets collectively:
Infrastructure: Self-driving cars have the potential to crash into buildings, speed signs and general infrastructure. This also includes other cars on the road!
People: This refers to both the passengers of the car and pedestrians. Furthermore, this issue is particularly tricky as it relates to the trolley problem: if it comes down to it, should the car protect the passengers or the pedestrians?
Traffic Efficiency: Self-driving cars need to ensure that people are still able to get to their destination in a timely manner.
The main issues with self-driving cars are their ability to be hacked and the trolley problem involving passengers and pedestrians. I think the best way to handle the latter is to always protect the passengers, as who's going to buy a car that might kill them every time they get in it? Furthermore, with the potential to be hacked, all communications between the car and the network should be encrypted to a high standard. While air gapping the car when it is driving is possible, most of them rely on the ability to see what other cars are doing to maximise efficiency. Moreover, it can allow processing to be done elsewhere, minimising the complexity of the design of the car. My group's overall decision ended up recommending that self-driving cars be allowed to operate on roads. After talking to the rest of the groups during the tutorial there was some contention of ideas. Eventually, it was revealed we had all been asked different questions: while we were making recommendations to the government, others were deciding whether a car company should move into the self-driving market. Some good points were brought up as to why self-driving cars shouldn't be introduced. The one I thought had the most merit related to the truck driving industry, as truck drivers would all lose their jobs, but even worse all the small towns that serve these drivers would have significant downturns in their local economy, with people losing their jobs as well. I think the best way to avoid or reduce this impact would be to roll out self-driving trucks over time and make these communities aware of it. This would allow them to transition their economy and hopefully mitigate the effect of losing the truck drivers. Moreover, it could possibly present new jobs for those who maintain and monitor self-driving trucks.
bgcable-blog1 · 6 years ago
SA - Toddler’s Bottle: lotto
We are given the files:
[image]
Inside lotto.c we find:
[image]
The first thing that stood out to me is that they’re using /dev/urandom instead of /dev/random. After looking online I found that the “u” means unlimited and that the process won’t halt. I’m thinking that maybe I can run two separate threads of execution and get them to read the same values. Then I could read what the bits generated were and pass them into the program. After mucking around looking for how I can get two threads to run and read values from urandom simultaneously, I realised that it won’t work: as read is a syscall, two can’t run at the same time. I’m unsure where to go next. After looking at the code for another 5ish minutes, I noticed the loop where the match is checked against the submission:
[image]
For each submitted letter it loops through the lotto array and checks it against all its entries. This means we only need to guess one character in the lotto array, as if we just put the same letter 6 times for our submission it will hit a match 6 times if that letter exists once in the lotto array. Moreover, the numbers generated are between 1 ~ 45; looking at an ASCII table I found that the only characters I can use are the space and `!"#$%&'()*+,-`. After attempting to use “!!!!!!” I realised that this wasn’t an instant workaround, as the probability of getting one “!” in the lotto numbers was roughly a 12% chance. So after multiple attempts the numbers were finally in my favour:
[image]
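The matching-loop bug described above, re-created in Python as an added example (assumed from the post's description, not the challenge's own code): match_count_as_written is the nested loop the post describes, match_count_fixed is a corrected comparison that cannot be inflated by repeating one character, usable_characters computes the typeable byte values in 1..45, and the roughly 12% chance is computed rather than estimated. The byte-to-number mapping in draw_lotto is an assumption.

```python
import os
from collections import Counter

BALLS, LOW, HIGH = 6, 1, 45


def draw_lotto(random_bytes: bytes = None) -> list:
    """Draw 6 numbers in 1..45 from 6 random bytes (os.urandom, i.e.
    /dev/urandom, by default). Mapping byte -> (byte % 45) + 1 is an
    assumption; the post only says the numbers are between 1 and 45."""
    if random_bytes is None:
        random_bytes = os.urandom(BALLS)
    return [(b % (HIGH - LOW + 1)) + LOW for b in random_bytes[:BALLS]]


def usable_characters() -> bytes:
    """Printable ASCII bytes whose value lies in 1..45, i.e. what a typed
    guess can actually contain: space (32) through '-' (45)."""
    return bytes(c for c in range(LOW, HIGH + 1) if 32 <= c < 127)


def match_count_as_written(guess: bytes, lotto: list) -> int:
    """The comparison the post describes: every guessed byte is checked
    against every drawn number, so one repeated character that appears once
    in the draw scores a full 6 matches."""
    match = 0
    for g in guess[:BALLS]:
        for n in lotto:
            if g == n:
                match += 1
    return match


def match_count_fixed(guess: bytes, lotto: list) -> int:
    """Order-insensitive comparison that consumes each drawn ball at most once
    (multiset intersection), so repeated guesses cannot inflate the score."""
    return sum((Counter(guess[:BALLS]) & Counter(lotto)).values())


def probability_single_char_wins(balls: int = BALLS,
                                 values: int = HIGH - LOW + 1) -> float:
    """P(one chosen value appears at least once among `balls` independent
    draws from `values` equally likely numbers) = 1 - ((values-1)/values)^balls."""
    return 1 - ((values - 1) / values) ** balls


if __name__ == "__main__":
    lotto = draw_lotto()
    print("draw:", lotto)
    print("as written:", match_count_as_written(b"!!!!!!", lotto))
    print("fixed:     ", match_count_fixed(b"!!!!!!", lotto))
    print(f"chance '!' is drawn: {probability_single_char_wins():.3f}")  # 0.126
```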
bgcable-blog1 · 6 years ago
Vulnerabilities
We have been given recipes to make different types of cakes and must look at the cooking instructions to identify vulnerabilities in the recipe. Moreover, we have also been given some C code which has vulnerabilities that could lead to the program operating in unintentional ways. I’m beginning with Martha’s Recipes:
Vanilla Cake
[image]
Step 1: “Grease and flour” this provides no concrete measurements or details, as such it could be exploited for example by adding too much flour or grease.
Step 2: “Medium bowl” is a subjective term which allows an attacker to use whatever size bowl, which could possibly overflow with ingredients if it was too small.
Step 3: “Combine flour and baking powder” once again no definitive amounts given which could easily be exploited.
Step 4: We’ve been instructed previously to preheat the oven to “180F ~ 80C” which is a fixed value, this is good as it can’t be changed. Furthermore, strict ranges have been given for different things, this prevents over or undercooking the ingredients.
Caramel Slice
[image]
Ingredients: Only two ingredients need more objective amounts which are the “1/2 desiccated coconut” and “2 x 395 sweetened condensed milk”. In both cases, we can effectively take these to be any amount we want.
Step 1: “Line with baking paper”, doesn’t give an absolute amount. I could fill the entire pan with baking paper and it would technically be “lined with baking paper”, but would result in all the ingredients falling out.
Step 2: “Combine flour, sugar, and coconut”, this needs to be more specific, as they could simply be placed in the same bowl and be considered “combined”.
Step 3: “Microwave uncovered on MEDIUM (50%) for 1 minute”, different microwaves have different wattages. As such this provides an attack vector by either using a very high or low wattage microwave.
Cheese Souffle
[image]
Ingredients: All measurements are good, the only possible vulnerability I can see is “4 eggs”, as eggs come in many sizes. This could be prevented by indicating whether they should be large, medium, etc. (Objective sizes for these labels do exist: https://en.wikipedia.org/wiki/Chicken_egg_sizes).
Step 1: “Gradually add the milk”, a subjective term, although I don’t think adding all the milk immediately would have too great of an impact on the outcome of the dish. Replacing this part with a specific rate or even just time (as the volume has already been given in the ingredient list) should prevent this from being exploited.
Step 2: “stiff and glossy”, more objective terms would be better, as it is currently too subjective.
Step 3: “When the skewer comes out clean”, by exploiting a previous part of the recipe it may be possible to make the skewer become clean too early or late in the recipe. For example, taking the skewer out immediately after it has been placed in the oven so that the mixture isn’t cooked at all.
Overall for all the recipes more objective terms need to be used to remove vulnerabilities. However, I think many would consider cooking an art and as such subjective, so I’m not too sure how these vulnerabilities could be prevented otherwise.
I C your problem there:
[image]
The mixing of “unsigned shorts” and shorts can lead to a situation in which the first if statement doesn’t run but the second one does, which could potentially end up reading more data than what is wanted.
[image]
Scanning into userstring is done safely as only 1023 characters are read with the last character being set to a null terminator. Next, the code scans for a colon (:) using the function strchr (which returns a pointer to the first occurrence of the character in the string). If strchr returns a pointer to somewhere in the string the next character is set to a null terminator. When sprintf is called we have a format string vulnerability, as we could place a “%n” inside our userstring which isn’t checked for “%n”. This could allow an attacker to load malicious code.
[image]
We have “if(f > sizeof(mybuf) - 5)”, which compares variables of types short and size_t. In general, comparing different types of integer variables is not a good idea as it can lead to some bit trickery that allows for more information to be read from memory.
bgcable-blog1 · 6 years ago
SA - Toddler’s Bottle: mistake
We have the files:
[image]
Inside mistake.c:
[image]
The hint for this challenge is “operator priority”. I found a list of these at the site https://en.cppreference.com/w/c/language/operator_precedence. After looking at the code for 10 minutes I still had nothing so I decided to copy the code onto my local machine and follow the code execution through gdb. I replaced parts of the code with code that would be relevant on my computer.
[image]
[image]
Once I ran the program and checked the value of the variables, it became clear that when fd was initialised it was set to 0, because (open(whatever) < 0) evaluates to 0. After running the program it prompted for input, as it was reading from 0, which is stdin. Each character in the string is then XOR’d with 1 and compared to the second input. I then chose my initial string to be “aaaaaaaaaa”; the ASCII value of a is 97, which XOR’d with 1 gives:
[image]
Which is the character `. Finally entering the two strings into the program gave:
[image]
bgcable-blog1 · 6 years ago
Security Everywhere
Today I was wandering around the science and engineering building, which was built recently. Walking around the underground section I managed to find this:
[image]
I tried my card on the scanner to see if I would’ve been able to get in without the doors already being open; however, I was unable to. Clearly, I shouldn’t have been able to get behind this door. Also, the fact that the broom and mop were left there presents a large security risk. For example, if I was wearing cleaner’s clothing I may have been able to take this gear and impersonate them. I was tempted to go further down the hall and see if I could get access to any of the other doors, but I realised it would clash with the good faith policy.