headermask image

header image

ICICI Bank’s stupid “feature” introduces privacy concerns

March 23, 2009 – 11:12 am

A couple of days back, I received an sms from ICICI bank informing me that I can view my credit card statement without logging into my account. As you may expect, it blew me away. It still beats me why someone would like to access her/his credit card statement without any password.

No Privacy

No Privacy :’(

To be fair to ICICI, this doesn’t mean that one can simply access the information using the credit card number. It does put three fields forward.

Field 1- Card Number: The problem here is that most of the swipe machines that you come across, at least in India, will print your complete card number on the receipts. One copy is left with merchant where you shop. Moreover, in all probability, you keep you credit card in your purse which is easily accessible to your parents, wi[fe|ves], girl|boy-friend[s], and even friends. Hell, the waiter could jot it down. So let’s face it, it’s not really a secret anymore in the current scenario.

Field 2- Date Of Birth: Doh!

Field 3- Card valid from: Now this one might sound a bit tricky, considering that only the expiry date of your credit card is specified on the receipts. However, please note that:
(1) this date can be noticed by a cursory glance on the card,
(2) the from and end months alomst always are the same, i.e., if your card expiry is 05/2015, the start month, in all it’s probabilty will be 05 (May). Just try a few combinations, and bang.

…and if all this sounds too complex and useless, consider that all of the above information is easily accessible to your family members and close friends. I am not sure about you, but I prefer a certain degree of privacy.

…and if the cynic in you is still not convinced, consider this –the total effort of keystrokes and clicks combing your card number+date of birth (via a date picker)+card valid from will most probably exceed the keystrokes for ICICI userid+password. Unless of course, you are paranoid who writes a poem in 1337 for the password. ;)

So although there could be a debate on the level of privacy concern that it raises, there can’t be any debate on the sheer stupidity of this feature. Uh!

Bipin Upadhyay | Uncategorized | Comments (3)

[OT] The Rant of a “Republic” Indian Hacker

January 26, 2009 – 11:25 pm

For me, the very foundations of Hacker-dom is based on three very fundamental steps:
1. Grasp the fundamentals
2. Question everything
3. Question everything, without being a fanatic

As ironical (or rather illuminating, depending on the way you see) it may sound; as I start my very first step to understand the fundamentals of Indian constitution on the 59th Republic Day, I also start to learn to question it. It’s disturbing to learn that the borderline difference between pretending to be a democratic nation, and actually being one, has already depleted. What pains me more is that we “celebrate” the Republic day in the form of a “holiday”, without actually caring about being sovereign and republic.

I am starting to get fed up of getting used to all the abnormalities in the normal flow of life.

Bipin Upadhyay | bug, hack, hackers, india, irony, life, off-topic, politics, rant | Comments (0)

[How To] Implementing Shindig.

September 30, 2008 – 10:37 am

I should have written an article/tutorial on how to implement/use Shindig to convert your SNS into and OpenSocial compliant SNS. Time, however, has prevented me from doing it so far. May be sometime later.

For now, you can have a look at my presentation on the same topic. I had presented it at Barcamp Bangalore 7, and PHPCamp Pune. It was recommended by Dan Peterson, Google, on the Shindig developer’s mailing list. :)

For those who don’t have an idea what I am talking about; I have been (officially) working on OpenSocial for quite sometime. OpenSocial is a specification developed by giants like Google, MySpace, Ning, etc. to provide a common platform (API) for social app developers. Shindig, an Apache incubator project, is what can help your site become OpenSocial compliant.

[Phpcamp]Shindig An OpenSocial container

View SlideShare presentation or Upload your own. (tags: shindig phpcamp)

By the way, I am referring to the Six degrees of Separation in the initial slides. :)

Bipin Upadhyay | apache, google, guide, opensocial, php, presentation | Comments (2)

OWASP AppSec Conf Delhi – Day 2; and more

September 4, 2008 – 12:07 am

The pictures of Day 2 are here.

The second day consisted of 6 workshops – 3 before lunch and 3 after. I was confused on choosing between Sheeraj Shah and Mano Paul’s workshops during the first half; and Jason Li’s talk on “Web 2.0  Security” and “Secure Code Review” workshop (originally by Dinis Cruz, but conducted by Gaurav Kumar of Microsoft) on the second half.

Threat Modelling - Mano Paul

Mano Paul

Choosing Mano Paul’s Workshop on Threat Modelling was relatively easier because I am trying to push in Threat Modeling in my company. However, the disappointment of missing Sheeraj’s talk was no less. Although, I must confess Mano Paul is one heck of a presenter. I guess experience always count.

Code Review - Gaurav Kumar

Gaurav Kumar

The decision for the second half was pretty tough. I had finally chosen Secure Code Review talk over Jason Li’s talk, because I’ve a personal interest in Code Review; added by the fact that the workshop was to be conducted by Dinis Cruz. Since we had to pre-select the talks, there was no scope to change it later. Needless to say, I was a bit disappointed initially. However, I must also mention that I don’t regret attending it. It was conducted by Gaurav Kumar, Ace Team, Microsoft. The best part about him, apart from the fact that he knows his stuff, is that he took all the M$ jokes sportingly :) .

Bipin with Walter and Jordan

Bipin with Walter and Jordan

I also got to meet Jordan Forssman (Armorize) and Walter Tsai (CTO, Armorize), although I regret not being able to spend enough time and talk some Geeky stuff. Oh and yes, Walter gifted me and Amit the 31337 Armorize T-Shirts :D . I also got to meet a couple of more like minded people, though very briefly. I couldn’t share cards with all of them. Today Lava (whom I met during Gaurav’s workshop), contacted me today via this blog. Feel greats to be in touch with fellow geeks and to be able to share the geekiness. ;) I’d like to be in touch with others too. Please feel free to buzz me.

I must admit, the hangover remained for quite a few days. It had motivated us to evaluate the possibility of another OWASP conf at Banglore. We’ll be discussing it at the next meet. For now, I have another interesting announcement to make. OWASP Banglore Chapter is starting Open Workshops for developers, students, and anyone interested to learn about Web Security. The first one is on Sept. 7th, at Microland, Bellandur. If you are interested kindly drop me a mail; or even better, joing the OWASP Bangalore mailing list and put up your details.

Bipin Upadhyay | education, hackers, life, news, security, webappsec | Comments (4)

OWASP AppSec Conf Delhi – Day 1

August 21, 2008 – 12:11 pm

Special Note: I don’t have my Canon EOS 350D with me nowadays, so I had to borrow my roomates Canon Powershot. :( The quality sucks, but still, the pictures are here.

I’ll be honest, going by the conf prices and some of the talk titles; I was expecting OWASP AppSec Delhi to be targeted mainly for managers. Moreover, I didn’t really have enough hopes for the first day talks, at least. It felt even worse when I realized that Dinis Cruz hasn’t been able to make it. I was looking forward to his workshop in App Sec Code Review. But boy, what a day! :)

The registration was scheduled to begin at 8:15 AM and I reached at 7:45. As if that was not enough, the registration was delayed by another 40-45 minutes. I like to be punctual, but end up playing the endless wait-game more than often.  However, on the bright side I got to interact with a couple of great guys, like Amit Parekh (MPS). Quite surprisingly, I also came across Manjula (Aujas Networks). I say surprisingly because when we had discussed about the conference at a previous OWASP Bangalore chapter meet, she had no plans to visit. I am glad she decided at the last moment. :)

Before I mention about the talks, I feel obligated to thank Nitin of OWASP Delhi chapter for letting me attend the conference even though my company has failed to pay the conference fees at the moment due to some strange procedural issues.

Bipin & Amit

Bipin & Amit

The day began with the keynote speeches by Dhruv Soni and Puneet Mehta (OWASP Delhi Chapter), Murli Krishna(HP), Dr. Kamlesh Bajaj (DSCI), Jason Li(OWASP), and Mano Paul(ISC^2). The welcome notes by Dhruv and Puneet were followed by Dr. Bajaj and Murli Krishna’s keynotes. I couldn’t help but wish I could get seniors from the network management unit of my firm. I would love to believe that they would have had a heart change with respect to application security after the keynote ;) . Jason spoke on behalf of Dinis and introduced the newbies to OWASP and a couple of its projects. In case you are unaware (like me), there has been an interesting addition to the OWASP projects called ESAPI. It looks good at first glance. Hopefully, I’ll be having a closer look pretty soon. Finally, Mano Paul provided some interesting metaphors to the security scenario, and also introduced the youngest hacker in the crowd, his two year old son. It’ll surely be fun to attend his workshop on Advanced Thread Modelling.

Following the Keynote speeches, Jason Li introduced the crowd to his AntiSamy project. I especially liked the way he’d organized his talk to compare several XSS mitigation techniques and then prove why AntiSamy’s (or HTMLPurifier’s) approach is better ;) . His talk was followed by Rajesh Nayak’s (HP) talk titled Web App Security: Too costly to ignore. Although, it was more of a sales pitch, it did have some valid points; and we did manage to have our share of fun. When a certain demo of his failed a couple of times and he had to restart his system, I couldn’t control my tendency to pass on loud remarks and asked whether it was an HP laptop :P .

Bipin & Amit

Manjula, Sheeraj, & Amit

The much awaited Sheeraj Shah’s talk on Web 2.0 Security came after the lunch. As expected of him, the talk was pretty technical and wasn’t really for the noobs. He also talked about his home-brewed scripts to analyze Web 2.0 enabled/hyped portals. Later, Roshan Chandran of Paladion presented a very interesting case study on Testing 200+ applications in a $10 Billion Enterprise. This talk provoked a lot of techies in the crowd who were silent till now. Finally, Nischal Bhalla delivered a talk on Building Enterprise AppSec Program. This is something I’ve been trying to do at my workplace (with the help of my Bosses) and I guess I’ll be mailing Nischal for the presentation.

To summarize, none of the talks were any ground breaking research that we were not aware of, but the difference always comes in with experience; and that’s what made it an amazing day. It was great to look at things from the perception of these uber hackers. I am eagerly looking forward for tomorrows workshop’s – Advanced Threat Modelling by Mano Paul, and App Sec Code Review by Gaurav Kumar (which was originally scheduled by Dinis Cruz.

Oh and yes! The food was pretty good too. :)

Bipin Upadhyay | Uncategorized, hackers, life, news, security, webappsec | Comments (2)

No more lectures now…

July 26, 2008 – 4:06 pm

Randy Pausch, fondly known as the Last Lecture Guy, is no more.

If you have not heard of him, I suggest you watch his “last lecture”. A summary of the lecture and Randy Pausch’s life can be read here.

p.s.:
@Johnny: Thanks for updating me.
@Slashdot-ters: Thanks for not making stupid and mean remarks this time.
@Randy Pausch: Rest In Peace dude.

Bipin Upadhyay | hackers, humour, irony, life, news | Comments (0)

SecurCamp and back.

July 12, 2008 – 8:55 pm

I spent the first half of the day at SecurCamp -1 (or Security Barcamp). It always great to get together with the community and today was no different. It came a sweet surprise to me that I have quite a few acquaintances in the community. The best part of the whole day, however, was getting together with Lucky after a loooong time. It’s pretty strange that even after being in the same city, we haven’t been able to meet as often as we could have. So I decided to use the opportunity properly. In fact, I am now at his house, using his 1 mbs line while he’s away for his dance class (and hoping he doesn’t keep a sniffer on).

By flickr.com/photos/fortphoto/2563803794/

I presented on “A conceptual Phishing/Fraud IDS”, something I had worked in Jan/Feb, but have been sleeping on in for all this while. Thanks to Johnny’s pestering, I think I’ll write a small paper on it and distribute for review. I just hope the increased official workload is minimized by the new members joining the team. :)

We also used the opportunity to announce the OWASP Bangalore chapter revival. I have personally been working on identifying ways to ensure OWASP’s reach to the colleges, and have prepared a list of colleges in Bangalore. Let’s hope that we make it quick on that front too. Just to re-announce, if you are a student in/around Bangalore, drop me a note and we’ll put your college on top-priority. :)

I also had a very strange realization today. I have been a member of several communities (security and otherwise) and differences creep-in at some point. However, they are pretty quick (and a little more obvious) in the security communities. Be it mailing lists, blogs or even physical meets, people respond (and then re-respond) pretty loudly. :) Is it because security is pretty demanding field where there isn’t much scope for a mistake, or is it because we all in the field carry a “I CAN’T be wrong” badge, or is it some other reason?

Time to move now. Hancock at 9:45PM :P

Bipin Upadhyay | hackers, irony, life, security, webappsec | Comments (2)

[OT] Sad demise of Guru Ammannur Madhava Chakyar

July 2, 2008 – 8:36 pm

This post is not technical. However, being a SPICMACAYite and an Indian, I felt compelled to let my readers know about the sad news; especially when the news channels are not finding any slot for this legend.

Koodiyattam exponent Ammannur Madhava Chakyar, recipient of the Padma Shri as well as the Padma Bhushan honours by the Govrnment of India. He was not only responsible for bringing the art form Kutiyattam (or Koodiyattam) out of temples, but also with reviving it.

Ammannur Madhava ChakyarThe following news article from The Hindu provides other details.

Koodiyattom expert Ammannur Madhava Chakyar died at his residence, Ammannur Chakyar Madom, at Irinjalakuda, near here, on Tuesday. He was 92.
The end came around 9.30 p.m.
The history of modern Koodiyattom is inexorably entwined with Madhava Chakyar’s life and art.
He did not want Koodiyattam to be restricted to the temple arena. His major contribution to the art was to take it beyond traditional confines.
Ammannur’s debut performance was at the age of 11 at the Thirumandhamkunnu temple, Angadipuram. He played the role of Sutradhara in the play ‘Balacharita.’ His first-ever Prabandha Koothuwas held at Trikkovil temple at Chendamangalam.
He trained under the princes of the royal family of erstwhile Kodungallur. He played his first major role, Sreerama in ‘Soorpanakankam’ at the Koodalmanikya temple in Irinjalakuda. He was a recipient of Padma Bhushan, Kalidasa Samman, Kerala Sangeeta Nataka Akademi Award and Kendra Sangeet Nataka Akademi Award. He is survived by his wife Parukutty Nangiaramma.

May his soul rest in peace.

Bipin Upadhyay | music, news, off-topic | Comments (0)

Adieu, Billy Boy!

June 30, 2008 – 5:47 pm

Taken from Joy of Tech

by Joy Of Tech -- geekculture.com

On a personal note, you did change the world Billy Boy. Hope you do the same again. :)

p.s. BTW, Joy Of Tech guys are good. Subscribe to them if you like a laugh once in a while.

Bipin Upadhyay | Bill Gates, humour, microsoft | Comments (0)

Reviving OWASP Bangalore Chapter

June 29, 2008 – 7:53 pm

The OWASP Bangalore Chapter met after almost an year today, and I was priviledged to be a part of it. As happens often with technical groups, including LUGs (Linux User Groups), they tend to loose participation and go to indefinite hibernation mode. OWASP-Bangalore’s fate was no different.

Meeting room stencil graffiti by -- flickr.com/photos/clagnut/252185030/

Anyhoo! The important point is that we finally met today. There were around 12 peole who turned up, and boy, It’s always an honour to meet enthusiastic people from the Security community. Minutes of the meeting will be posted by Hari, Chapter coordinator, pretty soon on the OWASP-Bangalore mailing list. To cut things short, we discussed and decided on a couple of points to revive the Bangalore Chapter. I’ll personally be looking forward to spreading the information to younger audience. So, just in case you are a part of some College around Bangalore, feel free to drop me a note. We’d love to visit your campus and deliver talks, free of charge. :)
As for the regular meetings, we’ve decided to meet every fourth Wednesday of the month. Venues will of course, keep changing.

p.s. I love the song “Jaane Kya Baat Hai” from the movie Sunny. But somehow, I am not able to get the other song,”Aur Kya Ahde Wafaa Hote Hain”, out of my mind since morning. Not that I am complaining ;)

Aur Kya Ahede Wafa…

Bipin Upadhyay | life, music, news, security, webappsec | Comments (0)

WordPress database error: [Table 'projupa6_wordy.pau_categories' doesn't exist]
SELECT COUNT(*) FROM pau_categories