hsy2601 assignment 5

Register to study through Unisa

• Subjects & modules
• All modules

Themes in the 19th Century History: Power and the Western World - HSY2601

Due: Sat May 25 11:59 pm Late submissions accepted until Sun May 26 11:59 pm

Assignment by Michael Chang & Julie Zelenski idea originated by Randal Bryant & David O'Hallaron (CMU). Modifications by Nick Troccoli, Brynne Hurst, Kathleen Creel and Jonathan Kula.

Learning Goals

This assignment focuses on understanding assembly code representations of programs. You will be building your skills with:

• reading and tracing assembly code
• understanding how data access, control structures, and function calls translate between C and assembly
• reverse-engineering
• understanding the challenges of writing secure and robust systems
• understanding privacy, trust, and the role of the ethical penetration tester
• mastering the gdb debugger!

You have been hired as a security expert for Stanford Bank (a fictional on-campus bank). They need you to investigate reports of infiltration and security issues and replicate the issues so that they can fix them.

There are three parts to this assignment, each of which can be completed independently:

• an ATM withdrawal program containing some vulnerabilities - you'll need to use your C and assembly skills to find and demonstrate how to exploit these vulnerabilities.
• A dataset that you will use to deanonymize bank users.
• The SecureVault program, a new product designed by the bank to provide increased security to the master vault. You'll be given an executable of the SecureVault program (no C code provided!) to show that it is possible to reverse engineer this program and break into the master vault without being told the passwords.

These problems are like C/assembly "puzzles" to solve, and we hope you enjoy solving them and exploring this material as much as we enjoyed creating them!

Note: check out our assignment overview video on Canvas ; it goes over the different parts of the assignment, what to expect, and tips and tricks! Note the overview video is from this quarter last year, but the assignment is the same (save for the fact that questions 2 and 3 are exchanged).

Spring 2024: Lecture 22 (Mon 5/20) is necessary to work on questions 3 and 4 in part 2 of this assignment.

A few reminders:

• The working on assignments page contains info about the assignment process.
• The collaboration policy page outlines permitted assignment collaboration, emphasizing that you are to do your own independent thinking, design, writing, and debugging. Even without any code being submitted, you should not be doing any joint debugging/development, sharing or copying written answers, sharing specific details about SecureVault behavior, etc. If you are having trouble completing the assignment on your own, please reach out to the course staff; we are here to help!

To get started on this assignment, clone the starter project using the command

View Full Starter File List

• vault : Your SecureVault executable program, custom-generated for each student.
• custom_tests : The file where you will add custom tests to reproduce vulnerabilities in the provided ATM withdrawal program.
• input.txt : A blank text file where you should add the passwords for each SecureVault level, one per line. See the section on SecureVault for more information.
• readme.txt : A file where you should add answers to short written questions for all three parts of the assignment.
• .gdbinit : A gdb configuration file you can optionally use to run certain gdb commands each time gdb launches. See the section on using GDB in SecureVault for more information.
• samples : A symbolic link to the shared directory for this assignment. It contains:
• atm : The executable ATM program, which you will explore for vulnerabilities.
• atm.c : The C source code for the ATM program, which you will explore for vulnerabilities. Note that you're not able to edit or recompile this code/executable.
• checkins.csv : A file containing public social media location check-in data for various locations on Stanford campus over the past three months.
• search_checkins : An executable program to search the check-in data.
• bank : a folder containing the following:
• customers.db : A file with the list of all users and balances for the ATM program.
• transactions.csv : A file with ATM transaction information from the past three months at the Stanford campus ATM.
• SANITY.INI and sanity.py : Files to configure and run sanity check. You can ignore these files.
• wordlist : A list of dictionary words used for SecureVault.
• tools : Contains symbolic links to the sanitycheck and submit programs for testing and submitting your work. ( codecheck is not needed on this assignment)

You will be using gdb frequently on this assignment. Here are essential resources as you work - note that you should make sure you have downloaded the CS107 GDB configuration file mentioned in the Getting Started Guide if you didn't previously do so.

Open Getting Started Guide Open GDB Guide Open Lab5 GDB Tips Open Lab6 GDB Tips

1. ATM Security

Stanford Bank recently updated the ATM software to a version with some additional features. The IT team reviewed the new code and thought it all looked good, but having now installed it in production, they are observing some suspicious activity. The bank has called you because your superior C and assembly skills are just what's needed to investigate and resolve these problems!

In the samples folder, they have provided you the code ( atm.c ) and compiled executable ( atm ), which you can examine/run but cannot recompile or edit (since they want to ensure you work with the same executable installed on the ATMs themselves). The ATM program is invoked with an amount and the credentials for a particular account. If the credential is authorized and the account has sufficient funds, the amount is withdrawn and dispersed in cash. Accounts must maintain a minimum balance of $50, and the ATM is supposed to maintain bank security by rejecting unauthorized access. Every time you run the program, it will print out information to the terminal about the transaction that took place, or the error that occurred, if any. For example, if you ask to withdraw $100 from your account balance of $107, it should be denied with an error message because that would bring your current $107 balance below the required minimum of $50. If you try to sneak cash from another account or use a fake name, your credential should get rejected as unauthorized.

Here are a few examples - try it out yourself! Note that $USER automatically acts as your SUNET ID, and every account balance is set to be $107. Also, each time you run the program anew, all balances return to their original starting levels. No money actually changes hands in this ATM, which is a blessing given its security flaws.

Expand ATM Sample Runs

The bank has identified three anomalies in the ATM program behavior that they need your help investigating. For each of the anomalies (a), (b), and (c) below, you will need to do the following:

• include a test case in your custom_tests file to showcase how to reproduce the vulnerability. Note that there may be more than one way to trigger a vulnerability.
• A concise description of the underlying defect in the code.
• An explanation of exactly how you constructed your test case to exploit it.
• Your recommendation for fixing it. The bank is not looking for a major rewrite/redesign, so in your proposed changes you should directly address the vulnerability with minimal other disruption. Note that there may be more than one possible remedy for fixing each issue. Also make sure you do not remove intended functionality of the bank program, and account for any potential additional security issues introduced by your proposed fix .

NOTE: when running your own custom tests, make sure to inspect the output to ensure your tests are causing the behavior you expect! The sanitycheck tool itself does not verify that the tests cause the specified exploits.

As you work through your investigation, you will need to review the source code for the atm program. The program is roughly 175 lines of C code of similar complexity to what you have been writing this quarter, and is decomposed and fairly readable, though sorely lacking in comments. You should find that the program's approach seems reasonable and the code is sincere in its attempt to operate correctly. As you're reading, take a minute to reflect on how far your awesome C skills have come to let you read through this provided program!

NOTE: when running the ATM program under GDB, make sure you are in the samples folder first before running gdb atm .

a) Negative Balances

A prior version of the ATM program restricted a withdrawal to be at most the full account balance, allowing the customer to drain their account to $0, but no further. The current version has changed the withdraw function to require a non-zero minimum balance. The expected behavior should be that all account balances stay above this minimum. However, the bank saw an (otherwise ordinary) withdrawal transaction that not only caused an account to go below the minimum, but also overdrew so far as to end up with a negative balance. Oops, that's definitely not supposed to happen! Review the C code for the withdraw function, specifically the changes from the old version. It seems to work in many cases, but apparently not all. Read carefully through this function to try and discover the flaw - your understanding of signed and unsigned integers will be useful here! Once you have found the vulnerability, determine a command to make a withdrawal as yourself that withdraws more money than is present in your account . Put this command in custom_tests , and answer the specified readme questions.

b) Unauthorized Account Access

The bank has also received a customer complaint about an unauthorized withdrawal from their account. It seems that another user with different credentials was able to successfully withdraw money from the aggrieved customer's account. Moreover, the credential used appears to be entirely fake - no such user exists in the database! A user should not be able to access a different customer's account and especially not by supplying a bogus credential! Review the C code for the find_account function that is responsible for matching the provided username to their account number. It seems to work properly when the username matches an existing account, but not when the username doesn't match an existing account. Trace through line by line how the function executes when called with an invalid username that is not in the database. What lines are executed? Once you do this, you'll find that the function appears to behave unpredictably. Your next task is to examine the generated assembly to determine precisely how the function will behave - your understanding of the %rax / %eax register will be useful here! Once you have found the vulnerability, determine a command with a designed bogus name credential to withdraw $40 from one of the CS107 staff member's accounts. Put this command in custom_tests , and answer the specified readme questions. (The samples/bank/customers.db file contains information about all valid users and their balances, and the first 15 users in the database are staff accounts.)

c) Accessing The Master Vault

The most worrisome issue is repeated illicit withdrawals from the master vault account, account number 0. The name on the master account is not an actual user, so this account cannot be accessed using the simple username-based credential. Instead, the user must specify two account arguments, the account's number and its secret passcode, as a form of heightened security, like this:

At first the bank thought the vault passcode had been leaked, but changing the passcode did nothing to thwart the attack. In a fit of desperation, the bank removed the vault passcode file altogether, figuring this would disable all access to the vault, yet the rogue user continues to make withdrawals from it! It seems that the high-security passcode authentication may have its own security flaw! The code that handles this authentication is in the lookup_by_number and read_secret_passcode functions. These functions work correctly in many situations, but fail in certain edge cases. Remember that it seems that in certain cases supplied credentials are accepted despite the lack of a saved passcode file . The vulnerability is subtle in the C code, so you should also use GDB to examine the code at the assembly level and diagram out the memory on the stack for these functions . This problem is similar to the stack diagramming/exploit problem from lab6 - revisit that problem if you need a refresher! Your exploit should not involve reading from any file. Once you have found the vulnerability, determine a command to withdraw $300 from the bank vault despite its disabled passcode . Put this command in custom_tests , and answer the specified readme questions.

2. Dataset Aggregation

Separate from the faulty ATM software, Stanford Bank believes that someone was able to gain access to their account logs and get a list of ATM transaction information for their Stanford campus ATM. The company believes that this poses little threat because the transaction logs have limited recorded data. However, you are concerned that this data can be combined with other available data in dangerous ways, such as to learn private information. For instance, knowing someone's history of large (or small) transactions might tell you about their financial situation; knowing memberships in clubs or organizations might tell you about social relationships and webs of networks. Your task is to combine this data with another dataset you have found of public location check-ins to show the harms of a potential data breach. To aid in investigating your concerns, the bank has made the ATM transaction data available to you in the samples/bank/transactions.csv file. This file has one account transaction per line, and each transaction occurred at the Stanford campus ATM. Each line has the following format:

For example, here is one line from the file that represents a withdrawal of $15 on 2/15/21 at 4:54PM:

Transactions with the same account identifier are guaranteed to be for the same bank account, but the identifier doesn't give any information about whose account it is (intentionally done by the bank to obfuscate the data).

You have already downloaded a publicly-available location checkins dataset from an online social network, in the file samples/checkins.csv . It is too large to read through manually, so you also already created a program search_checkins that displays that checkin data and lets you search through it more easily. Run the program ( samples/search_checkins ) for instructions on how to use it.

Show the risks of dataset aggregation and express your concerns to the bank managers by answering the following questions in your readme.txt . Note that you are not expected to create any additional programs to parse or otherwise process these datasets with code - the intent is for you to skim the transactions.csv file by hand and use it along with the search_checkins program to answer the following questions.

• a) The likely user who made multiple large transactions?
• b) Two (there may be more, but you must identify only two) likely members of the Stanford SecurityStars Club, which has a club meeting on the 15th of each month where people must bring $15 to pay their membership dues? (Assume they are procrastinators in withdrawing the money)
• How were you able to de-anonymize the transactions data?
• Beyond encrypting the data, what recommendations would you give to Stanford Bank to further anonymize or obfuscate the account data in the case of accidental data breaches?
• Use one or more of the four models of privacy discussed in lecture to explain why disclosure of the information that can be aggregated here is (or is not) a violation of privacy.

3. SecureVault

Stanford Bank is rolling out a new tool, SecureVault, to provide increased security at the master vault at each of their branches. Employees must enter four secret passwords into this program to gain access to the master vault. For extra security, the bank creates a different SecureVault program for each branch with different expected passwords; the bank headquarters does not give the source code to any of the branches; and the program triggers an alarm that notifies the central system each time an incorrect password is entered. They are confident that this means only someone who is told the password can get access, and any potential intruders will be detected by the alarm system. They have hired you to test this. Your task is to show that you can reverse engineer the program to gain access to the bank vault without being told the password, and without alerting central security.

Do not start by running SecureVault and entering passwords to "see what will happen" . You will quickly learn that what happens is the alarm goes off and it deducts points :-) When started, SecureVault waits for input and when you enter the wrong password, it will raise the alarm and notify the central system, deducting points. Thoroughly read the SecureVault information below before attempting to enter any passwords! There is a lot of information below, but it is included to help provide useful tips for you to work through this part of the assignment.

Without the original source code, all you know is that SecureVault has four "levels" of security, each with a different password. If the user enters the correct password, it deactivates the level and the program proceeds on. But given the wrong input, SecureVault raises an alarm by printing a message, alerting central security and terminating. To reach the master vault, one needs to successfully disarm each of its levels.

This is where the bank needs your help. Each of you is assigned a different generated SecureVault executable unique to you, generated just as they would be for each bank branch. Your mission is to apply your best assembly detective skills to reverse engineer the SecureVault executable to work out the input required to pass each level and reach the master vault, thus proving the insecurity of the bank's approach.

Specifically, you must fill in your input.txt file with the passwords to defuse each level in order, 1 per line, for each level you have solved. You must also answer the following questions in your readme.txt file. Make sure to verify your input.txt file (with appropriate protections!) to ensure proper formatting and that all lines are entered correctly before submitting! We will test by running ./vault input.txt on your submission, using the original SecureVault program generated for you. Here are the readme questions to work through as you go:

• What tactics did you use to suppress/avoid/disable alarms?
• level_1 contains an instruction near the start of the form mov $<multi-digit-hex-value>,%edi . Explain how this instruction fits into the operation of level_1 . What is this hex value and for what purpose is it being moved? Why can this instruction reference %edi instead of the full %rdi register?
• level_2 contains a jg that is not immediately preceded by a cmp or test instruction. Explain how a branch instruction operates when not immediately preceded by a cmp or test . Under what conditions is this particular jg branch taken?
• Explain how the loop in the winky function of level_3 is exited.
• Explain how the mycmp function is used in level_4 . What type of data is being compared and what ordering does it apply?
• How would you describe Stanford Bank’s trust model? (In other words: who among the bank headquarters, the bank branches, and you was trusted?) Justify your answer.

SecureVault Information

From the SecureVault assembly, you will work backwards to construct a picture of the original C source in a process known as reverse-engineering . Note that you don't necessarily need to recreate the entire C source; your goal is to work out a correct input to pass the level. This requires a fairly complete exploration of the code path you follow to deactivate the level, but any code outside that path can be investigated on a need-to-know basis. Once you understand what makes your SecureVault program "tick", you can supply each level with the password it requires to disarm it. The levels get progressively more complex, but the expertise you gain as you move up from each level increases as well. One confounding factor is that SecureVault raises an alarm whenever it is given invalid input. Each time the alarm goes off (except for a free pass the first time), it notifies central security (the CS107 staff) and points are deducted from your score. Thus, there are consequences to setting off the alarm -- you must be careful!

The bank has confirmed to you a few things about how the SecureVault programs operate:

• If you start SecureVault with no command-line argument, it reads input typed at the console.

If you give an argument to SecureVault, such as input.txt :

SecureVault will read all lines from that file and then switch over to reading from the console. This feature allows you to store inputs for solved levels in input.txt and avoid retyping them each time.

Alarms can be triggered when executing at the shell or within gdb. However, gdb offers you tools you can use to intercept the alarms, so your safest choice is to work under gdb and employ preventive measures.

• It is not possible to know for sure whether the central system (course staff) is notified about an alarm. You must use your investigative skills and best defensive measures!
• The central system will give you a free pass (no point deduction) the first time they are notified about an alarm.
• The SecureVault program in your repository was lovingly created just for you and is unique to your id. It is said that it can detect if an impostor attempts to run it and won't play along.
• The SecureVault program is designed for the myth computers (running on the console or logged in remotely). There is a rumor that it will refuse to run anywhere else.
• It seems as though the function names were left visible in the object code, with no effort to disguise them. Thus, a function name of initialize_vault or read_five_numbers can be a clue. Similarly, it seems to use the standard C library functions, so if you encounter a call to qsort or sscanf , it is the real deal.
• There is one important restriction: Do not use brute force!   You could write a program to try every possible input to find a solution. But this is trouble because a) you lose points on each incorrect guess which raises an alarm, b) trying all possible inputs will take an eternity and risk saturating the network, and c) part of your submission requires answering questions that show you understanding of the assembly code, which guessing will not provide :)

Using tools such as gdb , objdump and new tools nm and strings is critical to effectively investigating and disarming each level. Once you are familiar with the tools at your disposal, first work to reliably prevent alarms from triggering , then proceed with disarming each of the levels .

Step 1: Familiarity with Tools

Here are some helpful tools to gather general information:

• nm : use the nm utility ( nm vault ) to print what's called the "symbol table" of the executable, which contains the names of functions and global variables and their addresses. The names may give you a sense of the structure of the SecureVault program.
• strings : use the strings utility ( strings vault ) to print all the printable strings contained in the executable, including string constants. See if any of these strings seem relevant in determining the passwords.
• gdb lets you single-step by assembly instruction, examine (and change!) memory and registers, view the runtime stack, disassemble the object code, set breakpoints, and more. Live experimentation on the executing SecureVault program is the most direct way to become familiar in what's happening at the assembly level.
• Compiler Explorer : pull up tools like the Compiler Explorer interactive website from lab, or gcc on myth , to compile and explore the assembly translation of any code you'd like. For example, if you're unsure how to a particular C construct translates to assembly, how to access a certain kind of data, how break works in assembly, or how a function pointer is invoked by qsort , write a C program with the code in question and trace through its disassembly. Since you yourself wrote the test program, you also don't have to fear it setting off any alarms :-) You can compile directly on myth using a copy of a Makefile from any CS107 assignment/lab as a starting point, and then use gdb or objdump to poke around.

GDB Suggestions

GDB is absolutely invaluable on this assignment. Here are some suggestions on how to maximize your use of gdb in addition to the tips in lab5 and lab6 :

• Expand your gdb repertoire. The labs have introduced you to handy commands such as break , x , print , info , disassemble , display , watch , and stepi/nexti . Here are some additional commands that you might find similarly useful: jump , kill , and return . Within gdb, you can use help name-of-command to get more details about any gdb command. See the quick gdb reference card for a summary of many other neat gdb features.

Get fancy with your breakpoints. You can breakpoints by function name, source line, or address of a specific instruction. Use commands to specify a list of commands to be automatically executed whenever a given breakpoint is hit. These commands might print a variable, dump the stack, jump to a different instruction, change values in memory, return early from a function, and so on. Breakpoint commands are particularly useful for installing actions you intend to be automatically and infallibly completed when arriving at a certain place in the code. (hint!)

gdb kill workaround : gdb 9.2 (current version on myth as of 04/2021) has a bug when attempting to use kill in the commands sequence for a breakpoint that creates a cascade of problems --can cause gdb itself to crash or hang. The gdb command signal SIGKILL can be used as an alternate means to kill a program from a commands sequence that doesn't trip this bug.

Use a .gdbinit file . The provided file named .gdbinit in the assignment folder can be used to set a startup sequence for gdb. In this text file, you enter a sequence of commands exactly as you would type them to the gdb command prompt. Upon starting, gdb will automatically execute the commands from it. This will be a convenient place to put gdb commands to execute every time you start the debugger. Hint: wouldn't this be useful for creating breakpoints with commands that you want to be sure are always in place when running the SecureVault program? The .gdbinit file we give you in the starter repo has only one command to echo Successfully executing commands from .gdbinit in current directory . If you see this message when you start gdb, it confirms the .gdbinit file has been loaded. If you see an error message about auto-loading .gdbinit being declined when starting gdb, this means you haven't installed the CS107 GDB configuration file - see the top of this page for instructions.

• Custom gdb commands . Use define to add your own gdb "macros" for often-repeated command sequences. You can add defines to your .gdbinit file so you have access to them in subsequent gdb sessions as well.
• Fire up tui mode (maybe...). The command layout asm followed by layout reg will give you a split window showing disassembly and register values. This layout will display current values for all registers in the upper pane, the sequence of assembly instructions in the middle pane, and your gdb command line at the bottom. As you single-step with si , the register values will update automatically (those values that changed are highlighted) and the middle pane will follow instruction control flow. This is a super-convenient view of what is happening at the machine level, but sadly, you have to endure a number of quirks and bugs to use it. The tui mode can occasionally crash gdb itself, killing off gdb and possibly the SecureVault program while it's at it. Even when tui is seemingly working, the display has a habit of turning wonky, often fixable by the refresh command (use this early and often!) but not always. A garbled display could cause you to misunderstand the program state, misidentify where your SecureVault is currently executing, or accidentally execute a gdb command you didn't intend. Any alarm suppression mechanism that requires you, the fallible human, to take the right action at a critical time could easily be waylaid by interference, so don't attempt tui before you have invincible automatic protection against alarms. Selective use of auto-display expressions (introduced in lab6) is a great alternative with less disruption. You can exit tui using ctrl-x a and re-enter it again (this doesn't require leaving gdb and losing all your state).

Step 2: General Investigation and Preventing Alarms

Once you are familiar with the tools at your disposal, your next step is to gather general information about how the SecureVault program works to figure out how to reliably prevent alarms from triggering . There are simple manual blocks that give some measure of protection, but it is best to go further to develop an invincible guard. Feel free to use any technique at your disposal, such as leveraging gdb features, tweaking the global program state, modifying your setup, tricking the SecureVault program into running in a safe manner, etc. Avoiding the alarm entirely is one straightforward approach to ensure that we won't hear about it, but there are ways to selectively disable just the transmission portion to the central system (course staff) . Once you figure how to set up appropriate protection against alarms, you will then be free to experiment with the levels without worry. Note that the program can only trigger an alarm when it is "live", i.e., executing in shell or running with gdb .

Step 3: Disarming Levels

Your next task is to approach each level individually to figure out a password that disarms it. There may be more than one password for each level; your task is to enter your 4 passwords, one per line, starting with level 1, into your input.txt file. Here are key tips for how to approach your reverse engineering exploration:

• Run the program live in GDB (with appropriate alarm protections!) and step through to better understand its behavior. Reading and diagramming the assembly by hand is useful to an extent, but quickly becomes infeasible with larger programs.
• Break the assembly into chunks. For instance, if it calls any functions, that's a good stopping point to orient yourself and understand the assembly just up to that point.
• Use gdb to verify your hypotheses. Verify key assumptions you make about the vault behavior to ensure you're on the right track. One helpful trick is you can change register contents while running gdb. E.g. if you think "I believe if %rdi stored this, it would do that", then try it! You can do p $rdi = val to change register contents mid-program. Or if you think something is a char * , cast and print it out, e.g. p (char *)$rdi .
• Document your knowns and unknowns. If you run into a situation where you are stuck due to seemingly-conflicting assumptions, document them and re-verify them. If you have multiple conflicting assumptions, at least one must not be the case.
• Use compiler explorer to see what code looks like in assembly. If you think you happened upon e.g. a loop, if statement, etc. try using compiler explorer to type in some code quickly and see what that code looks like in assembly. If it resembles the assembly you're seeing, perhaps that can help you better understand its structure.
• Use library functions to your advantage. If you spot a call to what looks like a library function, it's the real deal. Use the man page for that function to learn about what parameters it takes in, what it does, and what it returns. This can give you key information about the types of data in different registers - e.g. if you see a call to strlen , then the value put into %rdi must be of type char * , and what's stored in %rax afterwards must be a size_t string length.
• When tracing an unknown function, before dissecting its behavior first learn about the input/output of the function and what role it plays. Does it return anything? What parameters does it take in? If it has a return value, is it checked to be something in particular? Going into a function with an idea of what must be returned for you to continue with the vault can help you focus on understanding how to achieve that.

Sanity Check

The default sanitycheck test cases are ATM inputs and one test case that reports the line count of your input.txt file. This sanitycheck is configured to only allow test cases for ATM in your custom_tests file. The SecureVault executable is not run by sanitycheck.

Once you are finished working and have saved all your changes, check out the guide to working on assignments for how to submit your work. We recommend you do a trial submit in advance of the deadline to allow time to work through any snags. You may submit as many times as you would like; we will grade the latest submission. Submitting a stable but unpolished/unfinished version is like an insurance policy. If the unexpected happens and you miss the deadline to submit your final version, this previous submit will earn points. Without a submission, we cannot grade your work.

We would also appreciate if you filled out this homework survey to tell us what you think once you submit. We appreciate your feedback!

For this assignment, here is a tentative point breakdown (out of 119):

• custom_tests (24 points) Each successful attack test case earns 8 points. We will test by running tools/sanitycheck custom_tests on your submission. Your custom_tests should contain 3 test cases, one for each ATM attack.
• readme.txt (55 points) The written questions will be graded on the understanding of the issues demonstrated by your answers and the thoroughness and correctness of your conclusions.
• Input.txt (40 points) Each SecureVault level you have solved earns 10 points. We will test by running ./vault input.txt on your submission. The input.txt file in your submission should contain one line for each level you have solved, starting from level 1. Malformed entries in your input.txt or wrong line-endings will cause grading failures. To avoid surprises, be sure that you have verified your input.txt in the same way we will in grading (i.e., ./vault input.txt ).
• SecureVault alarms triggered (up to 6 points deducted) Each alarm notification (beyond the first one) that reaches the staff results in a 1 point deduction, capped at 6 points total.

Post-Assignment Check-in

How did the assignment go for you? We encourage you to take a moment to reflect on how far you've come and what new knowledge and skills you have to take forward. Once you finish this assignment, your assembly skills will be unstoppable, and you will have a better understanding of trust, privacy and security! You successfully found vulnerabilities in a program using its source and assembly, and reverse engineered a complex program without having access to its source at all. Rock on!

To help you gauge your progress, for each assignment/lab, we identify some of its takeaways and offer a few thought questions you can use as a self-check on your post-task understanding. If you find the responses don't come easily, it may be a sign a little extra review is warranted. These questions are not to be handed in or graded. You're encouraged to freely discuss these with your peers and course staff to solidify any gaps in you understanding before moving on from a task.

• What are some of the gdb commands that allow re-routing control in an executing program?
• What is the main indication that an assembly passage contains a loop?
• What makes someone a trustworthy fiduciary or guardian of personal data? How and why should an institution like a bank protect the privacy of its customers?
• Explain the difference between a function's return value and its return address.
• Consider the mechanics of function pointer work at the assembly level. How is a call through a function pointer the same/different when compared to an ordinary function call?
• For performance reasons, the compiler prefers storing local variables in registers whenever possible. What are some reasons that force the compiler to store a local variable on the stack instead?
• For the instruction sequence below, what must be true about values of op1 and op2 for the branch to be taken? What changes if ja is substituted for jg ? cmp op1,op2 jg target

Follow McCovey Chronicles online:

• Follow McCovey Chronicles on Twitter
• Follow McCovey Chronicles on Facebook

Site search

• Game Recaps
• They Might Be Giants
• Barry Lamar Bonds
• 50 awesome things about no-hitters
• Full Archive
• Yahoo Giants News
• Yahoo Giants Team Page
• Yahoo Giants Report
• Yahoo Giants Depth Chart
• Yahoo Giants Transactions
• Yahoo Giants Photos
• Fantasy Baseball
• Community Guidelines

Filed under:

Weekend BP: Blake Snell aces his tune-up

The southpaw was dominant in a second rehab assignment.

Share this story

• Share this on Facebook
• Share this on Twitter
• Share this on Reddit
• Share All sharing options

Share All sharing options for: Weekend BP: Blake Snell aces his tune-up

Things haven’t been going super smoothly for the San Francisco Giants lately, though it seems like they are perhaps starting to find a little momentum. And they have good news on the way: left-handed pitcher Blake Snell is returning, and he seems to be in excellent shape.

Snell made a rehab assignment on Sunday with the Low-A San Jose Giants and starred, pitching four perfect innings with seven strikeouts. And on Friday he took his rehab assignment to Sacramento for a second — and surely final — start, this time with the AAA River Cats.

And he was just as dominant there, striking out 10 batters in 5 no-hit innings. The total tally from his two rehab starts? Nine innings, no hits, one walk, no runs, and 17 strikeouts.

Blake Snell threw five no-hit innings and had 10 K’s in his rehab start tonight pic.twitter.com/Au7B1Sjjpr — Talkin’ Baseball (@TalkinBaseball_) May 18, 2024

Yep, that works. Snell should return at some point during the upcoming week, and hopefully he’ll look like he did in the Minor Leagues ... or like he did last season, for that matter. I, for one, am quite optimistic.

What time do the Giants play today?

The Giants continue their series against the Colorado Rockies this weekend, playing at 1:05 p.m. PT on both days.

More From McCovey Chronicles

• 5/18 Gamethread: Giants vs. Rockies
• Giants claim OF Ryan McKenna from Orioles
• Keep smiling, Luis
• 5/17 Gamethread: Giants vs. Rockies
• Minor League roundup, May 16: Hunter Bishop is fitting right in
• Jung Hoo Lee’s season is over

Loading comments...

• Share full article

Advertisement

Supported by

How MSNBC’s Leftward Tilt Delivers Ratings, and Complications

NBC’s leaders have been forced to grapple with how to square its cable news network’s embrace of progressive politics with the company’s straight-news operation.

By Jim Rutenberg and Michael M. Grynbaum

MSNBC placed a big bet on becoming comfort TV for liberals. Then it doubled down.

Time slots on the cable network once devoted to news programming are now occupied by Trump-bashing opinion hosts. The channel has become a landing spot for high-profile alumni of President Biden’s administration like Jen Psaki, who went from hosting White House press briefings to hosting her own show. On Super Tuesday, when producers aired a portion of a live speech by former President Donald J. Trump, Rachel Maddow chastised her bosses on the air.

The moves have been a hit with viewers. MSNBC has leapfrogged past its erstwhile rival CNN in the ratings and has seen viewership rise over the past year, securing second place in cable news behind the perennial leader, Fox News.

But MSNBC’s success has had unintended consequences for its parent company, NBC, an original Big Three broadcaster that still strives to appeal to a mass American audience.

NBC’s traditional political journalists have cycled between rancor and resignation that the cable network’s partisanship — a regular target of Mr. Trump — will color perceptions of their straight news reporting. Local NBC stations between the coasts have demanded, again and again, that executives in New York do more to preserve NBC’s nonpartisan brand, lest MSNBC’s blue-state bent alienate their red-state viewers.

Even Comcast, NBC’s corporate owner, which is loath to intervene in news coverage, took the rare step of conveying its concern to MSNBC’s leaders when some hosts and guests criticized Israel as the Hamas attack was unfolding on Oct. 7, according to three people with knowledge of the discussions. An abrupt course correction to that coverage followed.

This account of the tensions roiling NBC and its corporate overseers is based on interviews with more than two dozen people with knowledge of the company’s inner workings, almost all of whom insisted on anonymity to share details of internal discussions.

NBC declined to make its top executives available for interviews. The chairman of the NBCUniversal News Group, Cesar Conde, has said he wants his division — which encompasses MSNBC, CNBC, a digital streaming service, Telemundo and journalistic stalwarts like “Nightly News,” “Meet the Press” and “Today” — to be a big tent.

Yet his recent efforts to include more conservative voices on the airwaves generated newsroom suspicion and ultimately led to an embarrassing rebellion over the hiring of Ronna McDaniel, a former Republican Party chair who aided Mr. Trump’s attempt to overturn his 2020 election loss.

MSNBC hosts, for their part, view their role in the political debate as more important than ever. They dismiss the accusation that MSNBC is a “Fox News for Democrats” and say their message — that Mr. Trump’s candidacy represents a unique and clear threat to democracy — is an urgent one for the electorate to hear.

And executives inside NBC’s corporate suites at Rockefeller Center say they are confident that viewers know the differences between the company’s various news brands. Any related challenges, they argue, are of a high-class sort — because their cable channels give NBC an advantage in relevance and revenue over its original Big Three competitors, ABC and CBS, which have no cable presence.

“Our strategy is built on our distinct, complementary brands including NBC News, CNBC, NBC News Now, MSNBC and Telemundo,” the NBCUniversal News Group said in a statement. “That has driven our performance as the nation’s leading news organization with the largest reach.” (Comcast does not disclose the news division’s earnings in its reports to Wall Street.)

The tensions inside NBC are, in some ways, a microcosm of the challenges facing many traditional news organizations as the country hurtles toward a tense presidential election: how to maintain trust and present neutral, fact-based reporting in a fractionalized era when partisanship carries vast financial and cultural rewards.

But the company’s challenge is also unique. It must juggle a broadcast news operation bound by traditional standards of impartiality and a cable channel increasingly bound by the partisan preferences of an intensely loyal viewership. How NBC navigates these dueling imperatives will have important implications for Comcast, a Philadelphia-based conglomerate known for its aversion to the political spotlight.

It will also have consequences for coverage of the presidential campaign. Where MSNBC’s cable news opinion-makers sustain and galvanize the Democratic faithful, the NBC broadcast network reaches millions of the potentially persuadable voters critical to both parties, which have sought to turn NBC’s internal tensions to their own advantage.

Left, Right, Left

MSNBC has caused corporate headaches since its inception.

NBC formed the channel as a joint venture with Microsoft in 1996 with the hope that it would thrust “all the value of NBC News into the cable world,” as Tom Rogers, a former NBC executive who helped found the cable network, described it in an interview.

But critics mocked the new 24-hour channel for its informal approach to news, mixing NBC’s biggest stars with younger personalities on a set reminiscent of Central Perk on “Friends.” It was almost immediately outflanked by Fox News, which followed MSNBC to market that same year and rose to the top of the cable news ratings as the first 24-hour TV channel with an overt political appeal.

MSNBC struggled with its identity. It moved to the left ahead of the Iraq war — and later moved right by hiring new hosts like the former Republican congressman Joe Scarborough. Soon it shifted leftward again, as the host Keith Olbermann hit a nerve with his strident anti-Bush — and often anti-Fox — commentary.

But when Andrew Lack, a veteran producer, took over NBC’s news division in 2015, he decided the channel needed to tone down its partisan image. Under Mr. Lack — who oversaw MSNBC’s creation in an earlier NBC stint — the cable network bumped the Rev. Al Sharpton from the weekday schedule, hired the former Fox anchor Greta Van Susteren and added more straightforward news programs, including a daily version of “Meet the Press,” NBC’s flagship political show, with Chuck Todd.

Mr. Todd was game — but would come to believe that his MSNBC duties ultimately hurt the “Meet the Press” franchise, several people at NBC said in interviews. The daily version of the show fell increasingly out of step with MSNBC’s partisan slant even as Republicans used its association with the liberal cable network to deny interview requests from the flagship Sunday edition of “Meet the Press.”

Then, Mr. Trump’s ascent shocked the Democratic base and spiked viewership of Ms. Maddow and other left-leaning hosts, whose programs became a kind of televised safe space. MSNBC’s ratings surged .

Conde Faces the Messiness

Mr. Conde succeeded Mr. Lack in spring 2020. A Wharton-trained business executive who sits on the boards of Walmart and PepsiCo, he came up through the corporate side of news, having led a turnaround at Telemundo after serving as the president of Univision Networks. Accordingly, Mr. Conde was expected to impose a more disciplined and neater corporate sensibility to the division.

He was almost immediately confronted by the messiness he had inherited.

Within a few weeks of Mr. Conde’s ascension, Mr. Trump attacked NBC when it announced the hiring of a new contributor: Lisa Page, a former F.B.I. lawyer who became a lightning rod on the right for her role in the investigation into his campaign ties to Russia. After an initial MSNBC appearance she did not show up again.

A few months later, NBC faced criticism from the other direction when it booked Mr. Trump for a prime-time interview on the night of a presidential debate that he had boycotted. (Mr. Biden was appearing at the same time on ABC.) Ms. Maddow chastised her bosses about it on the air.

That sort of partisan tumult has often riled another important constituency for Mr. Conde: NBC’s affiliated regional stations, which the company relies on to carry its major news programs to markets throughout the country.

The stations tend to be deeply embedded — and deeply trusted — in their communities. Many of them operate in red states or counties and chafed whenever MSNBC, which Mr. Trump regularly calls “MSDNC,” drew conservative ire.

Over the years the affiliates, many of which would have been thrilled to see MSNBC’s leftward tilt abandoned entirely, increasingly urged NBC executives to better distinguish its content from the NBC journalism like “Today” and “Nightly News” that they carried on their stations.

At one point after Mr. Conde took over, executives talked about the possibility of doubling down on partisanship and stripping MSNBC of news altogether, defining it as a pure opinion channel. The company would use the new NBC News Now streaming service, started under Noah Oppenheim when he was NBC News president, for 24-hour news, according to two people with knowledge of the conversations.

That idea fizzled. Mr. Conde was not prepared to entirely abandon news, but he began to better distinguish the various parts of his news division — which effectively moved MSNBC and NBC News further apart.

In the Lack era, Mr. Oppenheim of NBC News and Phil Griffin, the longtime chief of MSNBC, often worked closely as they managed a collection of stars who worked for both networks, like Mr. Todd, Craig Melvin and Hallie Jackson.

Creating more distance between the cable and broadcast outlets, Mr. Conde and Mr. Griffin’s successor, Rashida Jones, moved Mr. Todd, Ms. Jackson and Mr. Melvin off MSNBC to work exclusively at NBC News and NBC News Now. MSNBC’s daytime block of hard news shrank to six hours from eight, as the cable network extended by an hour each two opinion shows with loyal followings: “Morning Joe” featuring Mr. Scarborough and his wife Mika Brzezinski, and “Deadline: White House” with Nicolle Wallace as host.

Nothing did more to signal that MSNBC was more tightly embracing its partisan direction than Ms. Jones’s decision to hire Ms. Psaki and another Biden aide, Symone D. Sanders, straight from the White House.

It was the kind of revolving-door hiring that liberal pundits used to criticize when it happened with Fox News and the Trump administration.

It also created an awkward situation for the NBC News White House team, which was caught off guard when word that Ms. Psaki was in talks for the job leaked while she was still serving as White House press secretary.

A tense, televised confrontation followed in the White House briefing room when Kristen Welker, then NBC News’s co-chief White House correspondent, asked her future colleague: “How is it ethical to have these conversations with media outlets while you continue to have a job standing behind that podium?”

Chasing a Broad Appeal

At the same time, NBC News was going through its own changes.

Early last year, Mr. Oppenheim left his post running NBC News, and Mr. Conde split his job in three. In a jigsaw-like structure, one executive now oversaw “Today,” another “Nightly News” and NBC News Now, and a third “Meet the Press,” “Dateline” and news coverage across numerous shows and platforms.

Mr. Conde said the new setup would provide “growth opportunities,” with each show acting like its own megafranchise. “Today,” for instance, includes an e-commerce business and online sites dedicated to cooking, wellness and books.

He gave his deputies another brief: making additional efforts to ensure that news coverage reflected a wider range of political viewpoints.

Mr. Conde wanted to get Republicans back onto shows.

That was in line with an industrywide recalibration. After four years of combat between the press and Mr. Trump, media companies have sought better ways to reach Trump supporters who feel alienated from mainstream news. Television executives were also concerned that Republican elected officials were shunning their shows in favor of the congenial confines of right-wing media.

It was especially thorny for NBC, as Mr. Trump continued to yoke NBC News to MSNBC while accusing them, along with Comcast, of committing “Country Threatening Treason.”

A chance for a fresh start seemed to come last September when Ms. Welker succeeded Mr. Todd as the moderator of “Meet the Press.”

According to several people with knowledge of the internal discussions, Mr. Conde and Ms. Welker agreed that she should make booking both Mr. Trump and Mr. Biden for interviews a priority. Mr. Biden declined; Mr. Trump accepted.

But when Mr. Conde said she should schedule the Trump interview for her debut episode, Ms. Welker disagreed. Questioning the mendacious former president can be a high-wire act for even the most experienced TV interviewers, and Ms. Welker did not think it was a wise way to introduce herself to viewers. She acquiesced only after coaxing from Mr. Conde and several of his deputies.

Ms. Welker worked to fact-check Mr. Trump in real time while also eliciting an admission that he ignored his own campaign lawyers when they told him there was no evidence the 2020 presidential election results were rigged. Mr. Trump steamrolled ahead with a litany of lies nonetheless. The interview was panned on social media — complete with a “#boycottmeetthepress” campaign — but was deemed a success by Mr. Conde.

Mr. Conde and Rebecca Blumenstein, a former editor at The New York Times whom Mr. Conde hired as one of his top deputies, also worked aggressively to secure a Republican primary debate in fall 2023, pitching Ms. McDaniel and other Republican officials in person.

They succeeded, but only after accepting terms that unsettled some journalists within the company. NBC agreed to include a moderator from a right-wing media company, Salem Radio, and stream the debate live on Rumble, a video site that frequently hosts pro-Nazi and other extremist content. (NBC executives have defended the decision, noting that Rumble was already the party’s official streamer and had no editorial input.)

The debate received good marks in the press. And in general, red-state affiliates felt that Mr. Conde was doing a better job of bringing balance to NBC News, according to an executive at one company that owns affiliates.

Reverberations Continue

Each network was now set on its own distinct course: MSNBC toward more partisan and progressive opinion, and NBC News toward Mr. Conde’s commitment to “presenting our audiences with a widely diverse set of viewpoints and experiences,” as he put it.

But each tripped over the limits of its approach in an election landscape already littered with ideological tripwires.

When Hamas staged its terror attack against Israel on Oct. 7, MSNBC mixed breaking news of the attacks with discussions about the historical backdrop of Israel’s treatment of Palestinians. The coverage reflected views on the left — and presaged the pro-Palestinian demonstrations that would soon grow in number — but it struck many others as discordant, or even offensive, given that the violence was still coming into view.

“I love this network, but I’ve got to ask: Who’s writing your scripts? Hamas?” Jonathan Greenblatt, the Anti-Defamation League chief executive, asked two days later on “Morning Joe.”

Some of the blowback came from within.

In a call with Mr. Conde, Michael Cavanagh, the president of Comcast, who oversees NBC, shared concerns about that initial coverage, according to three people with knowledge of the discussions. Mr. Conde harbored the same concerns, according to a person briefed on their conversation, and he directed MSNBC to be more circumspect and to focus on facts, not opinions, in those initial days.

Five months later, Mr. Conde thought he had achieved a milestone at NBC News in his efforts to integrate right-wing perspectives into its programming. At the recommendation of Ms. Blumenstein and Carrie Budoff Brown, who oversees political coverage, Mr. Conde hired Ms. McDaniel, the former Republican Party chair, as a contributor who could offer on-air commentary.

If the hiring was in service of Mr. Conde’s goal of adding balance, it came as an unwelcome surprise to NBC’s ranks of correspondents, hosts and anchors. Ms. Welker had booked Ms. McDaniel for her next episode of “Meet the Press” — as a guest, not as a colleague. In the interview, she grilled Ms. McDaniel about her role in Mr. Trump’s effort to overturn the 2020 election result, actions that many at NBC and MSNBC viewed as disqualifying for a job there.

Mr. Todd, appearing as a guest on that day’s episode, unleashed a live, on-air denunciation of his bosses after the interview that left the control room in stunned silence. His rebellion carried over the next day on MSNBC, from “Morning Joe” up through “The Rachel Maddow Show.” Under pressure, Mr. Conde broke the deal with Ms. McDaniel, a move that only served to upset the Republicans he was trying to attract.

In the aftermath, NBC’s public stumble turned into a point of contention on the presidential campaign trail. The Republican Party said it was weighing an attempt to restrict NBC News at this summer’s convention, while Mr. Trump yet again bashed “Fake News NBC.”

Aides to Mr. Biden were also perturbed about the McDaniel hire, viewing it as part of a broader attempt by NBC News to overcompensate for MSNBC’s decidedly pro-Biden stance. In private conversations with NBC correspondents, Biden aides have argued that “Nightly News,” whose huge audience is of critical political importance to the campaign, was taking it easy on Mr. Trump and treating Mr. Biden too harshly.

Executives at NBC dismissed these complaints, saying the partisan brickbats simply come with the territory. They believe that each campaign will use anything at its disposal to pressure news organizations for more favorable coverage.

The company pointed to comments made by Mr. Conde after the McDaniel imbroglio: “We will redouble our efforts to seek voices that represent different parts of the political spectrum.” It also shared data intended to show strong performance across its cable, broadcast and online operations.

The message was clear. Regardless of any turbulence, NBC has no plans to change course.

Jim Rutenberg is a writer at large for The Times and The New York Times Magazine and writes most often about media and politics. More about Jim Rutenberg

Michael M. Grynbaum writes about the intersection of media, politics and culture. He has been a media correspondent at The Times since 2016. More about Michael M. Grynbaum

Dedicated to Students: Discover a smarter way to study. Notes, Assignment Help, Exam Revision Packs and more.

• 4.97 rating from 64 reviews Rated 4.97 out of 5 based on 64 customer ratings

HSY2601 Assignment 2 Semester 1 (2024) Due April 2024 | Detailed Solutions, References and Explanations! {StudyPass : Dedicated to Students}💯

R 80.00 0 Downloads

HSY2601 Assignment 2 Semester 1 (2024) Due April 2024 | Detailed Solutions, References and Explanations!

This Document contains answers for HSY2601 Assignment 02 Semester 01 2024. The document includes Answers for all the questions as provided in your assignment booklet / 2024 Tutorial letter. All Answers are correctly written, thoroughly explained in detail and are to be used as GUIDELINES. Copying is strictly forbidden.

• What is in the document
• Reviews (0)
• More Products
• Additional Information

Description

HSY2601  Assignment 2 Semester 1 (2024) Due April 2024 | Detailed Solutions, References and Explanations!

This Document contains answers for HSY2601 Assignment 02 Semester 01 2024.   The document includes Answers for all the questions as provided in your assignment booklet / 2024 Tutorial letter.  All Answers are correctly written, thoroughly explained in detail and are to be used as GUIDELINES . Copying is strictly forbidden.

There are no reviews yet.

Only logged in customers who have purchased this product may leave a review.

DSC1520 Assignment 3 Semester 1 (Quiz Solutions) (199410) 4 April 2024 | Detailed Solutions, References and Explanations! {StudyPass : Dedicated to Students}💯

FAC1502 (Financial Accounting Principles, Concepts and Procedures) Assignment 02 SEMESTER ONE ( 09 APRIL 2024) || Accurate Answers, References & Clear Explanations || ✷✷✷✷✷

PYC3704 Assignment 1 Semester 1 2024 Detailed Solutions, References and Explanations:(QUIZ SOLUTIONS) (Due Date: 18 April 2024) 🌟🌟🌟🌟🌟

LJU4801 Assignment 2 Semester 2 2023 – Due Date: September 2023 (Complete Answers) ⭐⭐⭐⭐⭐

TRL3702 Assignment 1 Semester 1 2024 Detailed Solutions, References & Explanations (Due Date: March 2024) {StudyPass: Dedicated To Students} 💯

AIN3701 ACTIVITY 7.1 STEP-BY-STEP SOLUTIONS 2023. ALL ANSWERS ARE COMPLETE – DUE DATE: 13 OCTOBER 2023

Related products.

IOP3702 Ultimate Pack for Assignments and Exams (Searchable Document) Covers every questions ever asked!

 RSC2601 Exam Answer Pack (2019 – 2020)

PYC3703: The Only Notes You Need!

PYC2606 Study Pack (Perfect for Assignments and Exams)

• Registration

Don't you have an account? Register Now! it's really simple and you can start enjoying all the benefits!

Username or email address  *

Password  *

Remember me Log in

Lost your password?

Email address  *

First Name *

Last Name *

Institute Name *

Shop URL * https://studypass.co.za/StudyNotes/

Phone Number *

I have read and agree to the Terms & Conditions .

I am a customer I am a Seller

Your personal data will be used to support your experience throughout this website, to manage access to your account, and for other purposes described in our privacy policy .

By creating an account you are agreeing to the Terms of Service and Privacy Policy .

Terms of Service

Privacy policy, here is what you need to know regarding the privacy of your personal information:.

• We at Study Pass, regard your personal information and the privacy thereof of high importance. We will always ensure that we maintain confidentiality, integrity and of course the security of your documents and personal information.
• We at Study Pass, will not allow any third party to have access to any of your personal information and under no circumstance will Study Pass share, exploit or sell your personal information to any third party.
• Should any information need to be shared to a third party, we at Study Pass will always make sure that we have your consent before your information is shared.
• If you feel at anytime that your personal privacy is being compromised or has been violated, please email us directly [email protected].
• When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, mailing address, credit card information or other details so that we can provide our services to you.
• Study Pass strictly adheres to the Protection of Personal Information Act 4 of 2013.

Should you want to find out more about the POPI Act, please use the following link https://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf .   

What personal data we collect and why we collect it

When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, mailing address, credit card information or other details so that we can provide our services to you. When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. 

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

We may use such information in the following ways:

• To personalize your experience on our site and to allow us to deliver the type of content and product offerings in which you are most interested.
• To improve our website in order to better serve you.
• To allow us to better service you in responding to your customer service requests.
• To administer a contest, promotion, survey or other site feature.
• To quickly process your transactions.
• To send periodic emails regarding your order or other products and services.

Contact forms

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Your contact information

How we protect your data.

Our site is reviewed on a regular basis for security vulnerabilities in order to make your visit to our site as safe as possible.

Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology. We do not store credit/debit card information on our systems.

We implement a variety of security measures when a user places an order enters, submits, or accesses their information to maintain the safety of your personal information.

All transactions are processed through a gateway provider and are not stored or processed on our servers.

How can you opt out, remove or modify information you have provided to us?

You can request to have your information removed by clicking on the Contact Us/Live Chat button on this or the home page.

Please note that we may maintain information about an individual sales transaction in order to complete that transaction and for record keeping purposes.

What third parties we receive data from

Occasionally, at our discretion, we may include or offer third party products or services on our website. These third party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

Transfer Of Your Personal Information

Your information, including personal information, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your personal information will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

Disclosure Of Your Personal Information

If we are involved in a merger, acquisition or asset sale, your personal information may be transferred. We will provide notice before your personal information is transferred and becomes subject to a different Privacy Policy.

Under certain circumstances, we may be required to disclose your personal information if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Retention of Your Personal Information

We will retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

Service Providers

We employ third party companies and individuals to facilitate our Website (“Service Providers”), to provide our Website on our behalf, to perform Website-related services or to assist us in analyzing how our Website is used. These third-parties have access to your personal information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visits activity.

For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page:  http://www.google.com/intl/en/policies/privacy/

Payments processors

We provide paid products and/or services on our Website. In that case, we use third-party services for payment processing (e.g. payment processors).

We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council.

Contacting Us

If there are any questions regarding this privacy policy you may contact us.