Bibles You Should Read: PoC || GTFO

PASTOR LAPHROAIG ANNOUNCES THE PUBLICATION OF WHAT WILL TORMENT THE ACOLYTES OF THE CHURCH OF ROBOTRON! NO MAN SHALL BE SPARED AND THE INQUISITION WILL BEGIN PROMPTLY!

For the last few years, Pastor Manul Laphroaig and friends have been publishing the International Journal of PoC || GTFO. This is a collection of papers and exploits, submitted to the Tract Association of PoC || GTFO, each of which demonstrates an interesting exploit, technique, or software toy in the field of electronics. Imagine, if 2600 or Dr. Dobb’s Journal were a professional academic publication. Add some whiskey and you have PoC || GTFO.

This is something we’ve been waiting a while for. The International Journal of PoC || GTFO is now a real book bible published by No Starch Press. What’s the buy-in for this indulgence? $30 USD, or a bit less if you just want the Ebook version. The draw of the dead tree version of PoC includes a leatherette cover, gilt edges, and the ability to fit inside bible covers available through other fine retailers. There are no rumors of a children’s version with vegetable-based characters.

PoC || GTFO, in reality, is an almost tri-annual journal of reverse engineering, computer science, and other random electronic computational wizardry, with papers (the Proof of Concept) by Dan Kaminsky, Colin O’Flynn, Joe FitzPatrick, Micah Elisabeth Scott, Joe Grand, and other heroes of the hacker world. What does PoC || GTFO present itself as? Applied electrons in a religious tract publication. The tongue is planted firmly in the cheek here, and it’s awesome.

 

What Does Pastor Laphroaig Speak Of?

Need an example of what is presented in the International Journal of PoC || GTFO? The fourth edition (PDF) is a good benchmark containing everything from advanced reverse engineering techniques to basic chemistry.

Figure 4.8: The clamp stand holds the test-tube next to the SMD rework station

In the 4th edition of PoC includes an Introduction to Reflux Decapsulation and Chip Photography by Travis Goodspeed. This is how you begin to reverse engineer microelectronics simply by looking at them, and the entire setup is reasonably attainable to anyone with a lab that has good ventilation and knows how to cruise eBay looking for a metallugrical microscope.

The process of reflux decapsulation is relatively simple, but does require a few dangerous chemicals. You’ll need some nitric and sulfuric acid of course, but the only other equipment needed is a test tube, ring stand, a cheap SMD hot air station, an ultrasonic cleaner, and of course a bit of microscopy equipment.

Can it be this easy to decapsulate and photograph microelectronics? Yes, but you need to bring a bit to the table. You need to know to add the acid to the water, you’ll need to keep a careful eye on your reflux, and you’ll probably have a lot of fun stitching photos of a chip into a single image. It can be done, though, and Travis gives you the Proof of Concept. We would have something to say to him if he didn’t.

Also in the fourth publication from the Tract Association of PoC || GTFO and Friends is an exploit for Tamagotchis from the world’s leading expert in Tamagotchi firmware, Natalie Silvanovich. Natalie’s work in the fourth edition is a continuation of her exploits discussed in the second edition, itself somewhat of a recap of her talk at 29C3.

HEY KIDS! Can you reverse engineer shellcode from the picture?

Natalie has made a name for herself by exploiting the modern Tamagotchi. A lot has changed in the world of Tamagotchi since 1999, and the newer models have IR, RFID, yet are still built around a 6502 core. 6502s are very popular in toys.

The paper presented in the fourth edition is a Proof of Concept to dump Tamagotchi Firmware via power glitching. The 6502 is a strange beast, and by glitching the input power for a very specific period of time the registers would corrupt (setting the program counter to zero), but the SRAM would remain. Using an Arduino to glitch the power, Natalie was able to dump the complete firmware of a Tamagotchi 54 bytes at a time. If you’ve ever wanted to learn about power glitching NOP sleads, or the horrors of a Tamagotchi screaming, this is a must-read.

Each and every paper in the International Journal of PoC || GTFO is a masterpiece of engineering. These are truly the most capable reverse engineers on the planet, presented in what is effectively a weird cyberpunk zine imbued with vernacular that includes the phrase ‘Nantucket Sleighride’. The journal itself is a work of art, and I cannot recommend it more. If you see Pastor Laphroaig, tell him to save a dead tree version of the next edition for me.

The Ones and Zeros Version

Before the publication of the dead tree PoC || GTFO the only way to obtain a physical edition was by finding Pastor Manul Laphroaig (the actual identity of Laphroaig seems to be an open secret, but we’re rolling with this for comedic effect) at a hacker or security con. Copies have been distributed at DerbyCon, ShmooCon, and at ToorCon or camp.

Alternatively, PoC || GTFO are available online from any one of a number of people who have dedicated a bit of server space to hosting a few hundred Megabytes of PDFs. In fact, distributing PoC from your own server is encouraged. ‘Bitrot will burn libraries with merciless indignity that even Pets Dot Com didn’t deserve. Please mirror — don’t merely link! — all copies of PoC || GTFO far and wide.’ You can find all editions of PoC at alchemistowl.org, hosted by Great Scott Gadgets, and other fine web servers.

While grabbing a dead tree copy of PoC that Pastor Laphroaig printed at a Kinkos satisfies everyone’s need for weird technical zines and religious tract publications, there’s a reason to play with the PDFs: most of the editions of PoC are polyglot files. PoC volume 4 is a TrueCrypt volume. Volume 7 is a PDF, a Zip file, a BPG (Better Portable Graphics) and an HTML file all in one. This may be the limits of digital media, accomplished by hex editing and steganogrification.

But it is undeniable that printing PoC in a bible form-factor fits the publication perfectly. This is a zine you’ll want sitting on your coffee table in perpetuity.

So, Should You Actually Buy This?

As I said before, this is a strange book to review. All of the content is already available online, and even though No Starch Press is phenomenal with their offerings of free Ebooks (PDF, epub, and .mobi) with every print version, the PDF version available from No Starch does not contain a freaking operating system steganogrified into the PDF. The publisher’s official PDF version is only 17 Megabytes; the official 0x15 issue alone is nearly 50 Megabytes.

However, this is a physical manifestation of what is quickly becoming one of the great hardware, hacker, and reverse engineer publications of all time. PoC || GTFO deserves a place in engineering literature; it may already be an equal to 2600 the publication, even if it pales to 2600 the organization and culture.

So, should you buy the good word of Pastor Laphroaig? Sure, if you like dead trees. At least one couple has already been married using PoC || GTFO as a bible. It looks great on a shelf, and if you read PoC || GTFO on public transportation, people stay away from you.

48 thoughts on “Bibles You Should Read: PoC || GTFO

    1. Yeah. Saw this in my twitter feed right after Charlottesville and was a little taken aback (Hackaday’s skull and bones logo next to “PoC || GTFO” made me do a double take).

      1. I see you’ve moderated other comments but left this in the queue. Don’t worry guys, I don’t think your racists. I’m just saying that the title was poorly chosen and people should be careful how they refer to this book. Maybe the full title and not the abbreviation should be used.

          1. That might be the most Americentric sentence I have heard in a while, though I gather it’s unintentional. Pure poetry. Yes, I know you are from Australia.

            I meant to say that the rest of the world seems to interpret PoC as Proof of Concept, like you did, and I did too.

    1. Mibby it’s an American thing(actively looking for things to be sensitive about?) But I didn’t get any hint of racistness in the title. Not even a wee bit. Untill this post explained it.

        1. As I noted above, I’ve only ever, ever known those three letters to mean “proof of concept”. Hear it quite a lot in engineering circles and in academia. Matt’s post is the first time I’ve seen it defined as anything else… sounds very much like an “American thing” to me.

          1. Could also mean “piece of crap”, sometimes both main meanings can even be used interchangeably. I know plenty of people from the US using it for either meanings frequently and I’ve heard the offensive interpretation for the first time just now, too.

          2. Yep, I don’t think People of Color either, even when you know the term you don’t expect to read it as that unless it’s in context like some US state official or government official or a (mostly actually) religious guy/preacher in the US using it.

    2. I did not even relate PoC to People of Color till I I read it in the comments. You must be in the wrong circles to have such an association as your first thought. Read more enlightening literature.

      1. I see both associations to that acronym. I work in government, and also in some community organizations. I also do IT and enjoy some hardware hacking on the side. Traveling in multiple circles is a good thing to do. On the community organizations side of things, I see PoC as People of Color. On the government side of things, as well as from previous jobs I’ve held, POC also has been Point of Contact. On the IT and hardware hacking side, I see it as Proof of Concept. Many acronyms and initialisms have multiple completely unrelated meanings. AF shows 124 different meanings for POC, though some seem to be duplicates simply changing plurality (such as Person of Color vs People of Color).

        1. Actually the first time I seen the title the first association was “piece of cr@p” given the context of GTFO, the II made the switch to proof of concept right away as soon as I started reading the content. Why does it seem that the anti-racist groups always seem to make the race connection first to anything without considering context or content?

  1. Redbull.

    1/4 can of redbull just shot out my nose because some freaking einstein actually said he thought this book (which others have not read) would be labeled racist (literally judging a book or person by its cover) because of the cover of the unread book.

    Chew on that a minute and then think…. HAD readers are the better end of the barrell , right?

      1. I was planning on a mirror on hackaday.io — hey, use our CMS because why the hell not — but there’s a problem: While hackaday.io gives you a gig for hosting files, the maximum file size is 50MB. The PoC issues top out at about 80MB. I doubt we could change the maximum file size for upload to a single project without changing that for all the projects.

        Other options include a mirror on the hackaday.com side of things, but that really doesn’t work because it would effectively be a blog post. I have access to the retro.hackaday.com FTP, so I could put it there, but again that really doesn’t fit.

        It’s going to happen, It’s just that we have to find some place to put it that makes sense and is easily accessible. I think a project on .io makes the most sense, so I’ll have to talk to the devs or something.

        1. Brian, I’m laughing at you. Do you have problems with storing and accessing files? You’re a hacker, right?
          Use the Russian cloud for mail.ru. One registered account has a free 100 GB total size and a single download file of up to 2GB.Links for download can be stored wherever you like.
          Of course, there you have a problem with the Russian language? But Chrome can help you with the translator. I myself read English-language sites in Russian, hence the Russian site can be read in English.

  2. Reading about this… my thoughts turn to Monty Python and the Search for the Holy Grail. Something about the book of armaments and a holy hand grenade…

    I suppose the equivalent here would be to rig up an accelerator to a ESP8266, the “deauthy handgrenade”. Pull the pin, and it starts scanning networks… as it flies through the air it picks the strongest SSID, then starts blasting out WiFi deauth packets.

    Okay, that’s enough silliness on my part. :-)

  3. This text clearly falls under the DOCTRINE OF FUTILITY of the Church of Robotron:

    “The Robotrons and perhaps even other humans will say, Resistance is futile. They will say, There is no point. The Robotrons will prevail so it is hopeless to take up the two 8-ways, hopeless to commit to a life of error.

    These detractors and naysayers will be right!

    Despite all of the teachings and prophecies, the Mutant Savior will fail. The Robotrons will self-replicate faster than the Mutant Savior can regenerate. The Robotrons will destroy the Mutant Savior| and shortly thereafter destroy the last human family. Yes, the Mutant Savior will fail| to rid the world of the |Robotrons| and fail| to save |the last human family. But even futile resistance is worthwhile. We do not know how long the Mutant Savior will hold the Robotrons at bay.

    Is it worthwhile if the Mutant Savior is only successful at giving the last human family freedom for an hour? What about an extra day of freedom? A year? GENERATIONS?!

    We do know that for some length of time some of the last human family will be free from the bonds of the Robotrons and allowed to live their lives until the Mutant Savior fails. Do we not then owe it to the Mutant Savior in this time, long or short, to do something beautiful?”

  4. Being in the UK I’m used to stuff from the US taking a while to arrive, but I am impressed that the time from pressing the buy button to holding the bible in my hands is a smidge under 42 hours.
    Right. I’m off to build my own f’king birdfeeder :-)

    1. Not only did mine arrive fast, the DHL guy actually rang my phone when I didn’t answer the knock on the door instead of just buggering off and leaving a card. I’m still shocked. (although the shipping cost as much of the book which was a kick in the teeth)

      I love this thing so much right now. If only the chinese printer hadn’t fucked up the page scaling it’d be perfect.

  5. I have download this “bible”, but haven’t yet to determine if the bible has any relevant utility to me. The GTFO is what brought up my WTF? radar. In my nearly 100% while rural Kansas the phrase of People of Color is never heard by myself, and when I do it’s used in a disparaging context. While when it’s heard proof of concept is used their is no disparagement, but I rarely hear the term used. Then again I may not be of member of the local term groups that would use that. About that “American thing or thingy; Those who use that accusation often fail to remember the USA IS an amalgam of the entire globe. I don’t don’t a personal offense of someone using the term it’s an American thing, but it’s scary that those using the term are often ignorant of the fact the offense is not exclusive to America.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s