Blackbox – the big mystery


This is a screenshot of Hydra running live on 6 Bitcoin markets in parallel. I believe it's the first time I've posted it publicly. The media call it a BlackBox: in other words, a computer running an algorithm (high frequency in this case) that finds nuances in the market and uses speed to take profits before others do. Why do they call it BlackBox? Obviously because nobody knows what's going on inside the box that generates the profits.

At some point I got interested in the financial world, but more from the tech side than from the financial and business talk. This part of the business is called Fin-Tech, and to be precise I got interested in Algorithmic Trading (Blackbox trading) and Direct Market Access.

It wasn't just because I thought I'd get rich in one month; I already knew that playing the market is a loser's approach. What really got me were the algo-trading wars going on behind the scenes. It's not people who trade the markets today, it's machines and their algorithms that fight for a penny millions of times per second. And this got me: speed and competition in technology that comes with a reward.

Just to be clear, Algo Trading is not Quantitative Trading. The two are coupled at some point, but Algo Trading is the whole automated/semi-automated system that does strategy, risk, portfolio and so on. Quantitative is the cool name for all of those with Masters and PhDs in maths and physics; these guys make the best algo-trading strategies in the world and earn the best money around.

I picked Bitcoin as the market data is freely available and the fees are still low. Additionally, 95% of the Bitcoin markets work with a REST API, so there's no need to dive deep into the FIX protocol at the beginning. It sounded like a quick learning curve, but believe me, it's not.

A spike like this can last only 1 second. Above, Hydra missed the execution; somebody was faster.

I really like this name; it reflects the way the blackbox works.
The initial idea for starting with algo-trading was to go with a risk-free strategy called Arbitrage. In a few words: you find a spread (price difference) between markets and, if the numbers still work after fees and transaction costs, you buy low (on the cheapest market) and sell high (on the most expensive market). For the arbitrage to work you should always buy the same quantity as you sell. This is very important, as seen later on; sometimes (due to slippage or a miss) this can be very tricky.

To get things done, HYDRA needed access to market data and had to poll it continuously without delays. So MarketLinks had to be implemented: these are the classes that talk to the markets over SSL (wolfSSL in my case) and HTTPS.

The data HYDRA needs consists mainly of the publicly available order books of the markets (to get the best BID/ASK offers and their quantities) and my own portfolio (wallet), to know how much money and BTC I still have on each market.

HYDRA keeps a simple deviation value for every market it monitors. This deviation value tells the strength of the change in a given market's ASK/BID price since the last poll. Thanks to this HYDRA knows which market moved and by how much, which is useful when the decision WHERE TO PLACE THE ORDER FIRST is needed.

Imagine a situation (forget about quantities for now). First snapshot:

MarketA) BID 80 ASK 90
MarketB) BID 80 ASK 90
MarketC) BID 80 ASK 90

Next update:

MarketA) BID 80 ASK 90
MarketB) BID 100 ASK 103
MarketC) BID 80 ASK 90

You quickly find out that there is an arbitrage possibility between MarketA and MarketB.
You buy low (ASK 90) at MarketA and sell high (BID 100) at MarketB.

Now, after calculating the income, you find out that executing on this you'll earn $8 after fees.
So you start placing orders in the naive way: BUY first, SELL last.

You place a BUY order on MarketA: it gets executed.

Meanwhile new data comes in:
MarketA) BID 80 ASK 90
MarketB) BID 80 ASK 90
MarketC) BID 80 ASK 90

You place a SELL order on MarketB: missed (not executed).

What happened? Well, MarketB moved while you were placing the BUY order on MarketA. This is mostly because placing an order takes time (SSL handshake, connect, send(), recv()).

This is common, so HYDRA takes it into consideration by calculating the strength of the move (deviation) and placing the order first on the market that moved most (in this situation, HYDRA would place the SELL first and the BUY later). See below: HYDRA missing an order when the Bid (green) spike happened (market manipulation).


So, knowing that HYDRA calculates the deviation, how does HYDRA actually choose the order of actions?

It can happen that more than two markets are open to arbitrage at the same time.
So HYDRA calculates what is called OrderProfit by building a matrix over all market pairs and returning the best profit found. This is actually pretty easy.

Hydra calculates the buy/sell profit between all available market pairs, taking into account the BTC quantities both in the current order book and in your wallets on those markets. Then the profit matrix is sorted and the best BUY/SELL markets are taken for execution.

[Screenshot 2016-08-04 at 22.24.39]

At this moment Hydra has all it needs to get the job done, so it fires off the orders.
And here comes the trouble.


Approach 1. Buy first (higher deviation), Sell later

What if your first order is missed?
Well nothing happens, you don’t action the second one.
No loss.

What if your first order is slipped?
You need to adjust your sell order QTY to ensure you don’t oversell.
Partial loss.

What if your second order is missed?
Well nothing you can do, you bought but didn’t sell.

What if your second order is slipped?
Well, you didn't lose, but earned a bit less.
Partial loss.


Approach 2. Sell first (higher deviation), Buy later

What if your first order is missed?
Nothing, do not action the second one.
No loss.

What if your first order is slipped?
So you sold less than you expected? Make sure you buy enough to cover it.
Partial loss.

What if your second order is missed?
Pity, you sold without a Buy.

What if your second order is slipped?
You sold QTY but bought less; unfortunately you lose a bit.
Partial Loss.

So as you see, there are a couple of things that can happen and HYDRA takes them all into consideration. Bear in mind you need to include FEES in order to get out of cases like that with a profit (if possible).
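The profit matrix from the previous section and the slip handling just described, as an added example that is not Hydra's code: a pass over every ordered market pair, capped by book depth and wallet balances, sorted with std::sort, plus a helper that sizes the second leg to what the first leg actually filled. The Market and Opportunity structs, the deviation values and the market snapshot are my own constructed assumptions.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <string>
#include <vector>

struct Market {
    std::string name;
    double bid, ask;                  // best prices in the order book
    double bid_qty, ask_qty;          // BTC offered at those prices
    double wallet_fiat, wallet_btc;   // what we hold on that market
    double deviation;                 // strength of the last move (assumed precomputed)
    double fee;                       // taker fee as a fraction (0.002 = 0.2%)
};

struct Opportunity {
    std::size_t buy_at, sell_at;      // indices into the market vector
    double qty;                       // BTC to buy on one side and sell on the other
    double profit;                    // expected income after fees
    bool sell_first;                  // true: execute on the sell market first
};

// Build the buy/sell profit matrix over every ordered pair of markets and
// return the best entry. Quantity is capped by book depth on both sides,
// by fiat available on the buy market and by BTC available on the sell market.
// The leg on the market with the larger deviation is executed first.
static Opportunity best_opportunity(const std::vector<Market>& m) {
    std::vector<Opportunity> matrix;
    for (std::size_t b = 0; b < m.size(); ++b) {
        for (std::size_t s = 0; s < m.size(); ++s) {
            if (b == s) continue;
            double qty = std::min({m[b].ask_qty, m[s].bid_qty,
                                   m[b].wallet_fiat / (m[b].ask * (1 + m[b].fee)),
                                   m[s].wallet_btc});
            if (qty <= 0) continue;
            double per_btc = m[s].bid * (1 - m[s].fee) - m[b].ask * (1 + m[b].fee);
            matrix.push_back({b, s, qty, per_btc * qty,
                              m[s].deviation > m[b].deviation});
        }
    }
    std::sort(matrix.begin(), matrix.end(),
              [](const Opportunity& x, const Opportunity& y) { return x.profit > y.profit; });
    if (matrix.empty() || matrix.front().profit <= 0) return {0, 0, 0, 0, false};
    return matrix.front();
}

// After the first leg fills (fully, partially or not at all), size the second
// leg to what actually filled so a slip never leaves us over-sold or over-bought;
// a miss (0 filled) means the second leg is simply not sent.
static double second_leg_qty(const Opportunity& o, double first_leg_filled) {
    return std::min(o.qty, first_leg_filled);
}

// Constructed snapshot (not live data): MarketB just moved up by 20.
static std::vector<Market> sample_markets() {
    //        name       bid   ask  bidQ  askQ   fiat  btc   dev   fee
    return {{"MarketA",  80,   90,  1.0,  2.0,  1000, 2.0,  0.0, 0.002},
            {"MarketB", 100,  103,  1.5,  1.0,   500, 5.0, 20.0, 0.002},
            {"MarketC",  80,   90,  1.0,  1.0,   500, 2.0,  0.0, 0.002}};
}
```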

[Screenshot 2016-01-11 at 20.59.11]

Above, Hydra owning the markets.

Additionally, things like a socket that hangs on recv() can happen too, so this needs to be taken into consideration as well 🙂

OK, this was very brief; I don't want to make a long post here, so let's treat this as an introduction to HYDRA. I want to describe more details and how I approached them in the next posts. But by looking at this intro I hope you start to see the challenge and fun in coding a blackbox from scratch.

And if you ask about the GUI: I had made it myself earlier. I used it a lot for a raytracing tool on GridMan.

Hydra was supposed to run on a dedicated (VPS) machine as close to the markets as I could get. So it uses direct framebuffer operations to render the pixels on the screen; this is later turned into a PNG file and displayed on a web page for monitoring. However, at the beginning I ran it on a Raspberry Pi at home. This gave me the option to click through the GUI and play a bit.

After running it for a couple of days I decided to move to the VPS due to network latency issues I had on the Pi. Secondly, Hydra became fully automated, so there was no need for a PANIC button at all :).

It all starts with a single pixel 🙂

[Screenshot 2016-08-04 at 22.50.55]


Hope you liked it, stay tuned for more!



Recently I turned my attention to security, but this time I took a peek into what's called Fuzzing.

Long story short, fuzzing is mainly brute-force vulnerability detection and has a lot of categories. Take a look here. What caught my attention is fuzz testing web applications and local binaries (mainly black-box/grey-box fuzzing).

I am a total noob in this area: never tried it and never seen a fuzzer doing a good job. However, being interested in this area, I have a low-power distributed approach idea somewhere in the back of my mind.

I just started reading a great book on the topic, check it out.

As always, there are some basics that I'll be focusing on at the start.

  1. Fuzzing arguments passed to a suid binary: you just randomly generate a set of characters and pass them as binary arguments to discover possible input handling issues.
  2. Fuzzing WEB applications: this is a bigger topic, however here I would like to focus mainly on SQL injection discovery, directory traversal, and POST/GET argument fuzzing.

The whole fuzzing area is wide, but I have decided to pick two pretty major destinations to see if I come up with something interesting. Ideally I would like to be able to write a vulnerable binary, fuzz it and get back some results. Finally, I am thinking of getting this stuff distributed; as is well known, fuzzing can take some time, so it would be good to pack it all up with GridMan.

So let's treat this as an intro; I will be posting some updates in the Security/Fuzzing area as I go through the learning curve.

Fingers crossed.

Spooky and PS_POLL incident

Just placed a new Spooky on the balcony of my apartment.
Btw, every time the blue internal LED blinks it means Spooky has parsed a packet.

And guess what next?


Just got a notification, after a couple of hours of running, of a PS_POLL traveling from unknown to unknown.

[Screenshot 2016-08-04 at 20.22.17]

A PS_POLL frame indicates (in short) that some device went to sleep and is checking at some point whether there are any packets queued on the AP for it to receive.

To assist stations with power saving, Access Points (APs) are designed to buffer frames for a station when that station is in power save mode and to transmit them later, when the AP knows the station will listen. When a station is in power save mode, it turns off its transmitter and receiver to preserve energy. It takes less power for a station to turn its receiver on to listen for frames than to turn its transmitter on to transmit frames. For this reason, it's more power-efficient for an AP to inform a station that it has buffered frames than to have the station poll the AP asking whether frames are present.

…if it sees that the AP has buffered frames for it, it must send a Power Save Poll (PS-Poll) control frame to retrieve each buffered frame on the AP

So far so good, but I don't recognize the source and destination here.
First let's find out if there are any packets flying over WiFi with these MAC addresses.

root@kali:~# airodump-ng wlan0mon

Comes back with:
[Screenshot 2016-08-04 at 20.47.07]

It doesn't ring a bell; this is not my AP. Spooky is monitoring A4:2B:8C:18:59:BA.
So it looks like a station (18:E2:C2:21:BE:68) is sending PS_POLL to an AP (DC:53:7C:99:E8:97) and the frame carries my BSSID (A4:2B:8C:18:59:BA)…

Let's find out if I can sniff 18:E2 in the air…

[Screenshot 2016-08-04 at 21.08.40]

And this station is certainly associated with the strange AP.

[Screenshot 2016-08-04 at 21.09.10]

A quick MAC vendor check returns:
[Screenshot 2016-08-04 at 21.09.58]

So most probably this is a phone.
Still, I don't understand why it is trying to push PS_POLL to my BSSID?

Let’s mark this as “Investigation in progress”.

GridMan – intro

[Screenshot 2016-08-04 at 13.14.13]

As with everything in my dev life, GridMan started because of a need. And yes, I did some research on the topic, but none of the projects I found were exactly what I was looking for, so I decided to write my own distributed computing library.

So here it begins.
Somewhere around 2014, after diving into pen testing (again :), I found that working with WPA, WEP and MD5 crackers on a single host is just a pain in the ass, and waiting weeks or months for some password to pop up is just a waste of time. At that time I was playing around with MD5 hashes and I knew John the Ripper could do the job, but it was not acceptable to leave a 24-core CPU running at home with all its fans operating, cables lying around, the power consumption and kids wandering around. I opened my garage and found a couple of Raspberry Pis lying around. Then it started. It was a clear decision to start developing with Raspberries. Why?

Because of cost, power consumption and the lack of noise they generate. If GridMan works on Raspberries it will obviously work on dedicated blades/… after recompiling, so the goal was set.

[Screenshot 2016-08-04 at 13.40.28]

What I needed at that time is pretty much what I am using GridMan for today.
All I wanted was a network-connected group of computers working together on projects that are made of tasks: binaries with payloads. Payload in the sense of passing argv's to the binary, so that each node can start the binary with some arguments.

Infrastructure and hardware – I needed to make sure the whole h/w part was easy. As mentioned, I didn't want cables lying around for weeks, routers and lots of space taken, so I had to figure out how to approach it so that the Grid was small, fully customizable and, what's more important, cool looking, so that I could place it somewhere at home and look at it while it's crunching.

[Screenshot 2016-08-04 at 13.46.56]

WiFi – packets flying to/from GridMan are very small: I strip the binaries (tasks), and payloads are just arguments, so mainly uint16's or some chars. WiFi is enough to get this connected and it obviously saves a lot of space around (no cable mess).

Stacking – I used some bolts and screws to stack the boards on top of each other; a couple of minutes of work and it's done. It even looks good.

Power – a single power unit would be perfect, so I use a D-Link 7-port active USB hub to power up 5 Pis.

Power cycling – sometimes the grid goes off, so I used a Belkin WeMo switch to power the grid on/off from my phone.

[Screenshot 2016-08-04 at 13.52.36]

So the hardware part was easy: stack the Pis however you want, let them connect to your network and play. And btw, new Pis have a big advantage over the old ones (4 cores, WiFi built in).

The software
Yes, the best part.

GridMan consists of a dedicated server binary (GridMaster), a worker (GridNode) and a command line tool for playing around with the projects, tasks and the grid itself. In addition to that, there are a couple of Grid Tasks that I've made that can be kicked off on the grid for crunching. Some of these are: MD5 cruncher, WPA, WEP, Raytracer, NN learner, and something new that I'm working on is a Distributed Fuzzer.

GridMaster (Server) – this guy is mainly responsible for work management. You upload a Project (which is just a named container of tasks) and the tasks you want to run on the Nodes.

[Screenshot 2016-08-04 at 14.04.36]
The server keeps track of all the tasks and distributes them to idling nodes.
What it really does is find the idling nodes within the grid and send them the Binary + Payload, then flag the node as active and keep receiving heartbeats with the load average from the crunching node. When a node finishes, it sends the new payload (the binary's return) back to the server; the task is then set to Complete (or Failed) and the next task is given to a node / the next node in the meantime.

GridNode (worker) – these guys are like bees. They connect to the GridMaster and wait for tasks. If a task is received, the worker saves the binary and the payload in /tmp/. Then it chmods the binary and spawns a child that runs it.
There are two possible outcomes at this moment:

1) the binary exec fails – then a failure is returned to the server, and you can later decide what to do (restart, for example),

2) the binary starts and keeps working

[Screenshot 2016-08-04 at 14.21.09]

After completion, a success code together with the payload is returned to the server and the worker starts waiting for another task.
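The worker's save/chmod/spawn step and its two outcomes above, as an added example that is not GridMan's code: the task is written under /tmp, made executable, forked and exec'd with the payload as argv, and the node gets back the exit status plus whatever the task wrote to stdout. The /tmp name pattern, the 127 exit code for a failed exec and the sample shell-script task are my own assumptions.

```cpp
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <cstdlib>
#include <string>
#include <vector>

struct TaskResult {
    bool exec_ok;          // false: the binary could not be started (outcome 1)
    int exit_code;         // the task's exit status when it did run (outcome 2)
    std::string payload;   // what the task wrote to stdout, returned to the server
};

// Save a received task binary under /tmp the way a node would, using a
// unique name so two tasks on the same node cannot clobber each other.
static std::string save_task(const std::string& content) {
    char path[] = "/tmp/gridtask-XXXXXX";      // assumed naming scheme
    int fd = mkstemp(path);
    if (fd < 0) return "";
    ssize_t written = write(fd, content.data(), content.size());
    close(fd);
    return written == static_cast<ssize_t>(content.size()) ? std::string(path) : "";
}

// chmod the saved binary, spawn it with the payload as argv and collect its
// stdout through a pipe. A failed exec in the child is signalled with exit
// code 127 (the shell convention), so the node can report "failed".
static TaskResult run_task(const std::string& binary,
                           const std::vector<std::string>& payload) {
    TaskResult r{false, -1, ""};
    chmod(binary.c_str(), 0700);               // only the node user may run it
    int fd[2];
    if (pipe(fd) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return r; }
    if (pid == 0) {                             // child: become the task
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        std::vector<char*> argv;
        argv.push_back(const_cast<char*>(binary.c_str()));
        for (const auto& a : payload) argv.push_back(const_cast<char*>(a.c_str()));
        argv.push_back(nullptr);
        execv(binary.c_str(), argv.data());
        _exit(127);                             // only reached when exec failed
    }
    close(fd[1]);                               // parent: read the task's output
    char buf[256];
    ssize_t n;
    while ((n = read(fd[0], buf, sizeof buf)) > 0) r.payload.append(buf, n);
    close(fd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFEXITED(status)) {
        r.exit_code = WEXITSTATUS(status);
        r.exec_ok = (r.exit_code != 127);
    }
    return r;
}
```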

CommandLine – a handy tool for a grid manager 😉
[Screenshot 2016-08-04 at 14.12.04]
This command line utility drives the whole grid. You can do everything from project management down to task operations with a single command. It's nothing more than the API exposed from the GridMan lib to control the whole system.

[Screenshot 2016-08-04 at 14.18.09]

Above, an example showing 2 workers and 1 project with 6 tasks. You can also see which node is working on which task.

[Screenshot 2016-08-04 at 14.18.55]

Above, an example showing 2 tasks running from the MD5_TEST project.

GridMan iOS – yeah, the pocket GridMan administrator.
Not everybody likes consoles, so I made a fine-looking, easy-to-use grid manager. Play with the grid from anywhere in the world 😉 A single gif is worth more than a thousand words.


So that's mainly it for an intro; I will go into details in the next updates on GridMan.

There are a couple of GridMan videos you can watch: YouTube
And a (Polish) article: osworld article

ESP8266 – WIDS – “Spooky”

Okay, this is both #ESP8266 and #Security.

When I first got my hands on the ESP8266 I was curious how much could be done with the chip in terms of security. Knowing that the chip can go into 'monitor' mode, it was clear to me that the first thing I'd code would be a Wireless Intrusion Detection thing running on a 5V low-power chip. At that time I ordered something called a #NODEMCU and the fun started.


The chip itself is capable of running a callback on every packet it receives, with a function of this signature:

static void ICACHE_FLASH_ATTR handle_pkt(uint8_t* buf, uint16_t len)

There is actually an official "Sniffer" PDF document by Espressif; google it for more details.

So the way Spooky works is simple. It captures packets within the BSSID of your local home Access Point. When a packet is received, it scans through the 802.11 header to find the source and destination. If the source or destination is not on the 'trusted MACs' list, it adds this traffic to a list that is then sent to your Gmail account every hour.

So, long story short, Spooky monitors for non-trusted traffic (the trusted set has to be defined by the user) and reports it via e-mail when found; see below for an example.

A Spooky-generated e-mail notifying of unknown traffic (this is an unknown device authenticating on my AP)



And a simple configuration page with trusted devices added:


So how is this all programmed?
Firstly, it is all coded in C with the Arduino IDE; it's just great that we can code chips in C. It was my first adventure with chip programming and I was very happy I didn't have to learn ASM or some other script-kiddie language.

The code itself is very easy: the ESP8266 has a file system (SPIFFS), so the configuration is loaded from and stored to a file there. Thanks to this I could easily skip writing to and reading from EEPROM.

All the web server things are built in and available as ready-to-use classes, so I will not go into details on that.

The sniffer callback has to execute very quickly or the WatchDog will restart the chip, so there is no room or time for a lot of work. Knowing that, I only do a quick 802.11 inspection to find the RSSI, BSSID, source, destination and packet type according to the 802.11 header below:


First I find out the packet type by defining the types as below:
[Screenshot 2016-08-04 at 10.58.11]

Then I filter out all Beacon and Probe Request frames, as they fly around constantly and Spooky would identify them as unknown traffic. So I only look for DATA and MANAGEMENT frames directed at the user-selected Access Point BSSID. This is how I get only the interesting packets out of the chaos around.

Next I read out the Source / Destination by looking at the ToDS and FromDS fields; the address fields are swapped around depending on these flags, so be careful how you read them. An example below:

[Screenshot 2016-08-04 at 10.57.11]

Then we get the RSSI of the packet; this is easily taken from the Espressif RxControl header that comes with the 802.11 frame.

At this moment Spooky knows:
– the packet type
– the BSSID the packet is traveling within
– the source the packet is coming from
– the destination the packet is going to

Now, having all of the above plus the list of trusted MAC addresses, it is easy for Spooky to identify whether traffic within the defined BSSID is trusted or not.
Anything coming from/to a MAC address that is not on the trusted list, within the BSSID defined by the user, is considered untrusted, and Spooky will e-mail you the details.
Everything else is trusted, so Spooky will ignore the traffic.
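The inspection steps above (type/subtype filter, ToDS/FromDS address swap, BSSID match, trusted-list check), as an added example that is not Spooky's code: a plain C++ parser over a constructed 24-byte 802.11 header, with a small frame builder for test input. The MAC addresses are made up, the RxControl prefix is assumed to be stripped before the buffer is handed over, and control frames (such as the PS-Poll from the incident post) are rejected because they use a shorter header.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

using Mac = std::array<uint8_t, 6>;

struct FrameInfo {
    uint8_t type = 0, subtype = 0;   // from the Frame Control field
    Mac src{}, dst{}, bssid{};
    bool valid = false;
};

// Parse a 3-address 802.11 MAC header (buf points at the frame itself; the
// RxControl prefix is assumed already stripped). Control frames such as
// PS-Poll use a shorter header, so they are reported as not valid here.
static FrameInfo parse_header(const uint8_t* buf, std::size_t len) {
    FrameInfo f;
    if (len < 24) return f;                       // shorter than a full header
    f.type = (buf[0] >> 2) & 0x3;                 // 0 mgmt, 1 control, 2 data
    f.subtype = (buf[0] >> 4) & 0xF;
    if (f.type == 1) return f;
    const bool to_ds = buf[1] & 0x01, from_ds = buf[1] & 0x02;
    Mac a1, a2, a3;
    std::memcpy(a1.data(), buf + 4, 6);
    std::memcpy(a2.data(), buf + 10, 6);
    std::memcpy(a3.data(), buf + 16, 6);
    // What Address 1..3 mean depends on ToDS/FromDS: read them accordingly.
    if (!to_ds && !from_ds)     { f.dst = a1;   f.src = a2;   f.bssid = a3; }
    else if (to_ds && !from_ds) { f.bssid = a1; f.src = a2;   f.dst = a3; }
    else if (!to_ds && from_ds) { f.dst = a1;   f.bssid = a2; f.src = a3; }
    else return f;                                // 4-address WDS: out of scope
    f.valid = true;
    return f;
}

// Spooky's rule: only management/data frames inside the monitored BSSID,
// minus beacons (subtype 8) and probe requests (subtype 4); a frame is
// untrusted when either end is missing from the trusted list.
static bool is_untrusted(const FrameInfo& f, const Mac& my_bssid,
                         const std::vector<Mac>& trusted) {
    if (!f.valid || f.bssid != my_bssid) return false;
    if (f.type == 0 && (f.subtype == 8 || f.subtype == 4)) return false;
    auto known = [&](const Mac& m) {
        return std::find(trusted.begin(), trusted.end(), m) != trusted.end();
    };
    return !known(f.src) || !known(f.dst);
}

// Constructed sample addresses (locally administered, not real devices).
static const Mac kAp       = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const Mac kLaptop   = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
static const Mac kStranger = {0x02, 0x00, 0x00, 0x00, 0x00, 0x99};

// Build a minimal 24-byte header: frame control, duration, addr1..3, seq ctrl.
static std::vector<uint8_t> build_frame(uint8_t fc0, uint8_t fc1, const Mac& a1,
                                        const Mac& a2, const Mac& a3) {
    std::vector<uint8_t> b = {fc0, fc1, 0, 0};
    b.insert(b.end(), a1.begin(), a1.end());
    b.insert(b.end(), a2.begin(), a2.end());
    b.insert(b.end(), a3.begin(), a3.end());
    b.push_back(0); b.push_back(0);
    return b;
}
```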

So the idea of using Spooky is quite simple:
whenever you get an untrusted-traffic notification from Spooky, you either block the MAC address on your router (if you can't identify it) or add it to Spooky's trusted MACs list (if you know the MAC).

Thanks to this you keep your AP safe and you are notified of unknown events. The word notified is important, because you don't have to check your AP logs (who does that anyway?) for intruders and you can respond to events immediately. And yes, I know routers can be configured to block untrusted MACs, but I never used that option.

Spooky went into release and some of the users even made a small TicTac version of it.


I expect to make a 3D-printed cube for Spooky in my free time. If you are interested in the code, I will be posting it shortly.


std::sort – let’s arrange things a bit

So, let's start by arranging the bits and pieces on the blog.


Bitcoin/Algotrading – as I am interested in what's called high-frequency trading, algo-trading and market data, I decided to create a separate category for the tools and apps I wrote for the fin-tech sector.

ESP8266 – this is something I picked up this year for the first time; however, many apps have been written already and it's one of those things I like to play with from time to time. It's time consuming (yeah… cables, soldering) but gives a lot of opportunities with the WiFi built in.

Realtime Rendering – my old hobby and full-time interest. I am not doing a lot in this area these days, but there are quite a few things I want to mention (gamedev included).

GridMan – this is one of my main interests, distributed computing; mainly number crunching, raytracing and other stuff goes here.

Security – well, history likes to repeat itself. In my high school days I played with this a lot: buffer overflows, remote exploitation and #hacking overall were my daily fun. Today I am trying to take a step forward by playing with security and trying to link it to the other categories mentioned above.

I hope I caught it all 😉