itek powered Raspberry Pi runs for over 7 hours

Summary

I tested a model B Raspberry Pi (512 MB) using an itek power bank (5600 mAh), with Internet enabled. It pinged my server every minute, and ran for about 7 hours 22 minutes.

Raspberry Pi & iTek battery pack — Raspberry Pi & itek battery pack

Set Up

Raspberry Pi Model B (512 MB RAM), running latest updated Raspbian Wheezy build (with no additional background services running) on an 8 GB class 4 SD card
itek power bank (5600mAh)
Internet connectivity through Ethernet

I wrote a shell script to call a web based PHP script on my server. I set a cron to run this shell script every minute. What happens is the shell scripts passes the client side timestamp, and server writes it, along with sever side timestamp to a file.
The source code of both scripts is provided below.

#!/bin/bash

rawurlencode() {
local string="${1}"
local strlen=${#string}
local encoded=""
for (( pos=0 ; pos<strlen ; pos++ )); do
    c=${string:$pos:1}
    case "$c" in
        [-_.~a-zA-Z0-9] ) o="${c}" ;; * )  printf -v o '%%%02x' "'$c"
    esac
    encoded+="${o}"
    done
    echo "${encoded}"
}

CLIENT_TIME=`date +"%c"`
URL=http://example.com/ServerSideLoggerPHPScript.php?t=$(rawurlencode "$CLIENT_TIME")

/usr/bin/wget -qO- $URL &> /dev/null

Conclusion

The script started at 4:45:12 AM client time and ended at 12:07:01 PM client time. That’s almost 7 hours 22 minutes
The reason to attach the device to Internet was because I don’t see the point of testing a bare naked Raspbery Pi. Most real life applications would require network connectivity
That brings me to another realization: I should have used my WiFi adapter instead of Ethernet to test real world situation. I plan to do this soon.
I was fortunate not to lose Internet connectivity, but I should have logged the timestamp locally as well
7 hours is all hunky dory but itek is a fairly heavy device, and takes eon to recharge. I don’t see it a very likely companion to my Raspberry, if I intend to shoot them in air sometime.

As mentioned, I’ll test the setup again with a WiFi adapter, and update the results.

January 26, 2009January 26, 2009

[OT] The Rant of a “Republic” Indian Hacker

For me, the very foundations of Hacker-dom is based on three very fundamental steps:
1. Grasp the fundamentals
2. Question everything
3. Question everything, without being a fanatic

As ironical (or rather illuminating, depending on the way you see) it may sound; as I start my very first step to understand the fundamentals of Indian constitution on the 59th Republic Day, I also start to learn to question it. It’s disturbing to learn that the borderline difference between pretending to be a democratic nation, and actually being one, has already depleted. What pains me more is that we “celebrate” the Republic day in the form of a “holiday”, without actually caring about being sovereign and republic.

I am starting to get fed up of getting used to all the abnormalities in the normal flow of life.

September 4, 2008September 4, 2008

OWASP AppSec Conf Delhi – Day 2; and more

The pictures of Day 2 are here.

The second day consisted of 6 workshops – 3 before lunch and 3 after. I was confused on choosing between Sheeraj Shah and Mano Paul’s workshops during the first half; and Jason Li’s talk on “Web 2.0 Security” and “Secure Code Review” workshop (originally by Dinis Cruz, but conducted by Gaurav Kumar of Microsoft) on the second half.

Threat Modelling - Mano Paul

Mano Paul

Choosing Mano Paul’s Workshop on Threat Modelling was relatively easier because I am trying to push in Threat Modeling in my company. However, the disappointment of missing Sheeraj’s talk was no less. Although, I must confess Mano Paul is one heck of a presenter. I guess experience always count.

Code Review - Gaurav Kumar

Gaurav Kumar

The decision for the second half was pretty tough. I had finally chosen Secure Code Review talk over Jason Li’s talk, because I’ve a personal interest in Code Review; added by the fact that the workshop was to be conducted by Dinis Cruz. Since we had to pre-select the talks, there was no scope to change it later. Needless to say, I was a bit disappointed initially. However, I must also mention that I don’t regret attending it. It was conducted by Gaurav Kumar, Ace Team, Microsoft. The best part about him, apart from the fact that he knows his stuff, is that he took all the M$ jokes sportingly :).

Bipin with Walter and Jordan

Bipin with Walter and Jordan

I also got to meet Jordan Forssman (Armorize) and Walter Tsai (CTO, Armorize), although I regret not being able to spend enough time and talk some Geeky stuff. Oh and yes, Walter gifted me and Amit the 31337 Armorize T-Shirts :D. I also got to meet a couple of more like minded people, though very briefly. I couldn’t share cards with all of them. Today Lava (whom I met during Gaurav’s workshop), contacted me today via this blog. Feel greats to be in touch with fellow geeks and to be able to share the geekiness. 😉 I’d like to be in touch with others too. Please feel free to buzz me.

I must admit, the hangover remained for quite a few days. It had motivated us to evaluate the possibility of another OWASP conf at Banglore. We’ll be discussing it at the next meet. For now, I have another interesting announcement to make. OWASP Banglore Chapter is starting Open Workshops for developers, students, and anyone interested to learn about Web Security. The first one is on Sept. 7th, at Microland, Bellandur. If you are interested kindly drop me a mail; or even better, joing the OWASP Bangalore mailing list and put up your details.

August 21, 2008

OWASP AppSec Conf Delhi – Day 1

Special Note: I don’t have my Canon EOS 350D with me nowadays, so I had to borrow my roomates Canon Powershot. 🙁 The quality sucks, but still, the pictures are here.

I’ll be honest, going by the conf prices and some of the talk titles; I was expecting OWASP AppSec Delhi to be targeted mainly for managers. Moreover, I didn’t really have enough hopes for the first day talks, at least. It felt even worse when I realized that Dinis Cruz hasn’t been able to make it. I was looking forward to his workshop in App Sec Code Review. But boy, what a day! 🙂

The registration was scheduled to begin at 8:15 AM and I reached at 7:45. As if that was not enough, the registration was delayed by another 40-45 minutes. I like to be punctual, but end up playing the endless wait-game more than often. However, on the bright side I got to interact with a couple of great guys, like Amit Parekh (MPS). Quite surprisingly, I also came across Manjula (Aujas Networks). I say surprisingly because when we had discussed about the conference at a previous OWASP Bangalore chapter meet, she had no plans to visit. I am glad she decided at the last moment. 🙂

Before I mention about the talks, I feel obligated to thank Nitin of OWASP Delhi chapter for letting me attend the conference even though my company has failed to pay the conference fees at the moment due to some strange procedural issues.

Bipin & Amit

Bipin & Amit

The day began with the keynote speeches by Dhruv Soni and Puneet Mehta (OWASP Delhi Chapter), Murli Krishna(HP), Dr. Kamlesh Bajaj (DSCI), Jason Li(OWASP), and Mano Paul(ISC^2). The welcome notes by Dhruv and Puneet were followed by Dr. Bajaj and Murli Krishna’s keynotes. I couldn’t help but wish I could get seniors from the network management unit of my firm. I would love to believe that they would have had a heart change with respect to application security after the keynote 😉 . Jason spoke on behalf of Dinis and introduced the newbies to OWASP and a couple of its projects. In case you are unaware (like me), there has been an interesting addition to the OWASP projects called ESAPI. It looks good at first glance. Hopefully, I’ll be having a closer look pretty soon. Finally, Mano Paul provided some interesting metaphors to the security scenario, and also introduced the youngest hacker in the crowd, his two year old son. It’ll surely be fun to attend his workshop on Advanced Thread Modelling.

Following the Keynote speeches, Jason Li introduced the crowd to his AntiSamy project. I especially liked the way he’d organized his talk to compare several XSS mitigation techniques and then prove why AntiSamy’s (or HTMLPurifier’s) approach is better 😉 . His talk was followed by Rajesh Nayak’s (HP) talk titled Web App Security: Too costly to ignore. Although, it was more of a sales pitch, it did have some valid points; and we did manage to have our share of fun. When a certain demo of his failed a couple of times and he had to restart his system, I couldn’t control my tendency to pass on loud remarks and asked whether it was an HP laptop 😛 .

Bipin & Amit

Manjula, Sheeraj, & Amit

The much awaited Sheeraj Shah’s talk on Web 2.0 Security came after the lunch. As expected of him, the talk was pretty technical and wasn’t really for the noobs. He also talked about his home-brewed scripts to analyze Web 2.0 enabled/hyped portals. Later, Roshan Chandran of Paladion presented a very interesting case study on Testing 200+ applications in a $10 Billion Enterprise. This talk provoked a lot of techies in the crowd who were silent till now. Finally, Nischal Bhalla delivered a talk on Building Enterprise AppSec Program. This is something I’ve been trying to do at my workplace (with the help of my Bosses) and I guess I’ll be mailing Nischal for the presentation.

To summarize, none of the talks were any ground breaking research that we were not aware of, but the difference always comes in with experience; and that’s what made it an amazing day. It was great to look at things from the perception of these uber hackers. I am eagerly looking forward for tomorrows workshop’s – Advanced Threat Modelling by Mano Paul, and App Sec Code Review by Gaurav Kumar (which was originally scheduled by Dinis Cruz.

Oh and yes! The food was pretty good too. 🙂

July 26, 2008

No more lectures now…

Randy Pausch, fondly known as the Last Lecture Guy, is no more.

If you have not heard of him, I suggest you watch his “last lecture”. A summary of the lecture and Randy Pausch’s life can be read here.

p.s.:
@Johnny: Thanks for updating me.
@Slashdot-ters: Thanks for not making stupid and mean remarks this time.
@Randy Pausch: Rest In Peace dude.

July 12, 2008

SecurCamp and back.

I spent the first half of the day at SecurCamp -1 (or Security Barcamp). It always great to get together with the community and today was no different. It came a sweet surprise to me that I have quite a few acquaintances in the community. The best part of the whole day, however, was getting together with Lucky after a loooong time. It’s pretty strange that even after being in the same city, we haven’t been able to meet as often as we could have. So I decided to use the opportunity properly. In fact, I am now at his house, using his 1 mbs line while he’s away for his dance class (and hoping he doesn’t keep a sniffer on).

By flickr.com/photos/fortphoto/2563803794/

I presented on “A conceptual Phishing/Fraud IDS”, something I had worked in Jan/Feb, but have been sleeping on in for all this while. Thanks to Johnny’s pestering, I think I’ll write a small paper on it and distribute for review. I just hope the increased official workload is minimized by the new members joining the team. 🙂

We also used the opportunity to announce the OWASP Bangalore chapter revival. I have personally been working on identifying ways to ensure OWASP’s reach to the colleges, and have prepared a list of colleges in Bangalore. Let’s hope that we make it quick on that front too. Just to re-announce, if you are a student in/around Bangalore, drop me a note and we’ll put your college on top-priority. 🙂

I also had a very strange realization today. I have been a member of several communities (security and otherwise) and differences creep-in at some point. However, they are pretty quick (and a little more obvious) in the security communities. Be it mailing lists, blogs or even physical meets, people respond (and then re-respond) pretty loudly. 🙂 Is it because security is pretty demanding field where there isn’t much scope for a mistake, or is it because we all in the field carry a “I CAN’T be wrong” badge, or is it some other reason?

Time to move now. Hancock at 9:45PM 😛

May 6, 2008May 7, 2008

A new home for us :)

Link

People who know me, know that I desist Social networking portals. Don’t worry, this post isn’t another rant. It’s more of an announcement that I’ve joined a Social Network 🙂

Yup! The guys at GNUCitizen have started a social network for hackers, and very intelligently named it House of Hackers. I’d like to call it HoH (as in Hah!) 🙂

A few motives cited for creation of the network are:

To provide platform for hackers to exchange ideas, communicate, or/and even form groups -elite or otherwise. Although Slackers is an amazing place to communicate, web is never big enough for two similar houses. Moreover, they aren’t same, just similar
Create a Hacker recruitment market. Recruiters could advertise to recruit/hire people from here. The best part of this, as cited, would be that HoH would eliminate any middleman (or you employer), and hence help you earn more. Pretty obviously, this holds meaning for elite ones only. But then I have always believe that you can learn only to the extent you can challenge yourself… and good company definitely challenges you 🙂
Fund Research programs from time to time. Not so long ago, Ronald came up with idea of Router Hacking Challenge, where you had to hack your own router and make the findings public. The _cutest_ hack would be regarded the best. GNUCitizen (Ronald is now a part of GNUCitizen) hosted the contest. I mention this just to affirm that I really like the guys at GNUCitizen, and I am really excited to know that they’d be encouraging the community (and funding them too). The money is expected to come from the recruitment advertisements.

Needless to summarize that I am keeping my eyes open, fingers crossed and hoping that this turns out to be a great venture for the community.

Just one concern, these %*^*@#$ hackers will keep screwing the portal networking portal, you know. 😉

My profile link.

April 30, 2008July 6, 2008

iHacker

I have a special likeness for T-Shirt with quotes. More Geeky the quote, more geekier… I mean better.
I got this T-Shirt made for myself a couple of days ago.
I case you didn’t get, it’s a mockery of the crippled iPhone.

iHcaker

Oh by the way, this is my first post on the new blog, and this pic is a response to Swenny’s post on Adding an “i” 🙂

January 29, 2008July 6, 2008

A Phish floating in Google Survey!

Demo

1. Phizy-Phizy-Phizy

I have always loved making this phizy-phizy-phizy sound purposelessly, which I once heard in a Rob Schneider movie (which, if I remember correctly, was a pathetic movie). Anyhoo! I, now, have a set of very strong reasons to move around repeating the same lines.
First, we received a request to be involved in a discussion for a Risk Assessment Model for a Banking site. This model had to be focussed on Two Factor Authentication and Phishing. This brainstorming gave me a couple of interesting avenues to work on. Hopefully, I’ll be writing more in this pretty soon.
Secondly, Peter Thomas (one of my amazing Bosses), forwarded me the link about the latest research by Nitesh Dhanjani & Billy Rios. They virtually infiltrated the Phishers ecosystem and have come up with some very interesting information.
Thirdly, my friend Swen called me up to let me know about a phishing mail, claiming to be a Google survey, that had landed in his mailbox. He was excited for two reasons:
a) He had received a phishing mail for the first time, and I guess you all remember the excitement the first time you discovered your first phishing mail.
b) He is one of the Google fans, and is worried about the safety of the vast majority of user-base Google has. Obviously, his concern isn’t without reasons.
by-mcbeth www.flickr.com/photos/mcbeth/235875/

2. A Phish named GoogleSurvey

As I mentioned Swen informed me about the shiny phish called GoogleSurvey. It presents you a page that looks completely similar to the Google Login page and requests you to login in order to complete the survey. If you login, you are presented with 3 questions on by one. At the end you are thanked for completing the survey.

3. Anatomy of Google-Survey-Phish gills

The Google Survey Phish isn’t sophisticated y ANY standards. Clearly, it’s done by some n00b, and was probably deployed using a very cheap Phishing Kit. However, it’s really interesting to understand how it works.
The first page the you encounter while analyzing is http://www.googlesurvey.co.nr/, which I must admit, looks very similar to the Google Mail login page. A look at the source code reveals that this is not the original page. The google mail look-alike page is alike page is actually located at http://googlesurvey.99k.org/. http://www.googlesurvey.co.nr/ only frames the page at with 100% width and 0px border.

Another interesting point to note is that the phisher used a free hosting service http://www.zymic.com/free-web-hosting/. Thus, theoretically he/she cannot be traced. Not via the hosting service, at least. 🙂

Now, when you enter your id and password, the data is sent to a php script on the server located at http://googlesurvey.99k.org/LoginAuth.php. Quite obviously, this script stores/mails your credentials for someone who’s not a very pleasing person.

4. Demo: Farming your own Phishes for fun & profit cough

The world of Phishing is so dark, deep, safe, easy, and seductive that a person with even a slight malign would be tempted to this farm his/her own phishes and make easy money. I set up my phishing domain for educational purposes. It also shows how quickly you can setup your very own phishing portal, sometimes even without a phishing kit. The domain I’ve setup has the following flaws (introduced to prevent me getting screwed by some half-witted law enforcer) :
1. The domain points at Yahoo!, while the page displayed is similar to the GMail login page.
2. The information entered is NOT stored. You can check it by entering garbage data.

I have used the same page used by the GoogleSurvey Phish, and also used the same free hosting service.

5. Conclusion

It’s almost impossible to prevent users from getting Phished. People will continue to click on links they receive in their inbox and </sarcasm> proceed to win an ipod </sarcasm>. Reducing phishing requires a number of things to be in place -sensible developers, well informed end user, smart browsers with phishing aware features (IE7, Fx2 etc.), a few toolbars like NetCraft to be installed, etc. etc. And even doing all this doesn’t guarantee to save a user ignorant of phshing. I mean how do you save a person who doesn’t even know that such a kind of fraud exists.
Moreover, the URI vulnerabilities have added another dimension to the whole phishing scene. 🙂

October 12, 2007November 4, 2014

The Web is Broken

Update: I somehow managed to make a blunder. A part of slide no. 12 was taken from David Kierznowski’s (of GNUCitizen and Blogsecurity group) presentation for OWASP Belgium Conf. I missed out on mentioning David’s name in the credits. Apologies David. I’ve updated and re-uploaded it.

Yesterday, I presented my first Webinar (Seminar on Web). It was titled, The Web is Broken -Why every feature is, in fact, a loophole. A great experience.

Although after listening to my own recording, I felt that a number of things went wrong (mostly because of problems in connectivity and slow internet speed). The issue I was worried about was that it was targeted at developers with beginner to intermediate level knowledge of web, but the topic was very broad. Fortunately, I received some good feedback along with requests to conduct more such sessions. The talk was scheduled for 1.5 hours, but it stretched for 2.5 hours.

Here is the presentation:

"The Web Is Broken" by Bipin Upadhyay from Bipin Upadhyay

I hope you like it too. 🙂

September 13, 2007May 7, 2008

NoScript: For Guaranteed Protection From Evil IFrames

I know, I know… the title sounds like a cheap promotion ad. 😀

As I mentioned in my previous entry that Giorgio has addressed our (mine and Gareth’s) request to block iframes using NoScript. I must, however, admit that I did not expect it to be this fast. NoScript 1.1.7.1 (SilverNight) is here. The changelog has a mention to the thread which I started at Slackers (And our names).

Please note that the mozilla site may not be updated immediately. So, if you are restless soul like me, get it directly from the NoScript site.

Further, I am currently evaluating some security scanners for my company. I am little dis-heartened that there isn’t any amazing scanner available yet. However, I am very hopeful about w3af. I’ve this strong feeling that it has the potential to be the next “Metasploit Framework for www”. Expect an entry on w3af (and may be OWASPs LAPSE plugin).

September 10, 2007May 7, 2008

IFrames – To be or not to be?

Update: Aah. It’s not that there couldn’t have been any better news :P, but today’s News is that Ma1 has agreed to provide feature to block frames through NoScript from the next version (1.1.7). NoScripts Rocks. 🙂
Oh and Yes! Ma1 Rocks too …;)

I have been pretty busy since the last few weeks (and this trend is likely to continue for the coming weeks). Thus, my posts have been more of “news-flashes”. Apologies for that. I’ve now decided to blog about things/technologies I am working on. (Expect some write-ups on security scanners like w3af and code auditing tools like LAPSE.) However, I couldn’t stop myself from putting forward this debate on IFrames. First, let’s see what are the *evil* things that IFrames can do for… *cough*… you

CASE-I
A couple of days ago, Bank of India site was compromised. It was serving malwares to the visitors. This was done by “drive-by downloads“. The criminals were (invisible) IFRAMES.

CASE-II
I hope most of you are aware how dangerous Javascript can be. Of course, I am referring to XSS attacks. However, the recent research, notably from Jeremiah Grossman, RSnake and Gareth Hayes, showed another shockingly dark side of XSS with CSS (yes, Cascading Style Sheets 🙂 ). The criminals here are IFrames, visited attribute, etc.

CASE-III
Gareth also gave a proof of concept on his blog to perform CSRF using CSS, even when Javascript is disabled. He (very wisely) used CSS to change the LOOK and FEEL of a Submit button to a link. Now, when a *smart* user is surfing the web with javascript disabled, he’d not worry about clicking a link, and may end up clicking on the *link* to submit the form.

CASE-IV
You decide… :).
I have anyways left some other known issues, I think.

Gareth has been preaching the evil nature of IFrames for quite some time now. Yesterday, he made a new entry titled “IFRAMES ARE EVIL” on his blog. He suggested using some attributes/tags to disable/enable iframes etc. Iframes have been on my mind for quite some time. I believe that Content Restriction, once introduced, can solve a number of issues. Till then, I believe, Maone’s NoScript can come to the rescue by proving optional feature to disable iframes. I know, this is definitely not a attractive suggestion, but who knew we’d have to browse with Javascript disabled!

Moreover, I thought it’d be a good opportunity to see what other researchers have to say about it. So, I posted it to the Slackers forum. I am watching keenly. 🙂

July 14, 2007May 7, 2008

Java vulnerable to remote compromise

ZDNet Asia reports that Google Security team has discovered as “Dangerous Java Flaw that threaten’s Virtually Everything“. The interesting part of this news is that, apart from a few scary statements, it doesn’t inform you anything else.

The Sun advisory page on this flaw, however, informs you about two flaws which are nothing but Buffer Overflows. Do not mistake me that I am undermining the impact of Buffer Overflow Attacks in any way. It’s just the ZD Net article’s title which’s bugging me. It makes the flaw look like an out of world ET attack scenario.

A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Now firstly, Buffer Overflows are no new form of attacks. They have been here since the existence of man (I admit that’s a little much :D), and they are here to stay. Thus, articles like this are more like FUD, IMHO.
Secondly, applet support is very limited in mobile devices. Not to mention that J2ME supports only PNG format. Thus, not “virtually everything” is everything.
Finally, image parsing library in Sun’s Java implementation is through a native library. It’s time that Sun writes a Java equivalent for it to avoid other similar issues. Further, since Java is now GPL, I also hope to see the code coming from some random, pimply, introvert teenage kid. 🙂

The problems can be resolved by updating the packages. Detailed info provided on the Sun’s advisory.

July 5, 2007May 7, 2008

TPM Boys withdraw paper from BlackHat USA

I hope you remember the young Indian security researchers Vipin Kumar (22) and Nitin Kumar (23), the TPM Boys [I guess, that’s the way they call themselves. At least their blog confirms that. 🙂 ]They presented a Paper “Vboot Kit: Compromising Windows Vista Security” at Blackhat Europe – 2007.

The talk explained the (different) booting process of Windows Vista. It also introduced the concept of manipulating an OS during its boot process using VBootkit. Finally, they gave a live demo of VBootkit in action (on Vista).

This event was Slashdotted. VBootkit was also blogged by Bruce Schneier. Here is an interview of the “boys” at SecurityFocus by Federico Biancuzzi. In their own words, “Vbootkit is much like a door or a shortcut to access vista’s kernel……. since vbootkit becomes part of the kernel, it can do anything that Vista’s kernel can do.”

This all, however, is a news of past. The current news stirred more vigour and controversy. They had yet another paper “TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)” scheduled to be presented at Blackhat USA – 2007. They withdrew there paper last week without any comments. This news was Slashdotted and resulted in a (typical) slashdotian variety of comments. Some even doubted if they really had any success in their research. Well, you cannot really blame them. That’s the fussy nature of our FOSS communities… errr… wait. Before you bash me, I’d like to remind you that it’s not (only) me who says that. It was originally cited by Mark Shuttleworth. An amazing number of people opposed Mark by creating a lot of Fuss. 😉

Coming back to the story. A user, by the handle PoliTech, commented on Slashdot and reminded the Michael Lynn’s paper at Blackhat about his research on Cisco Routers. Cisco and ISS sued Lynn and the management of Black Hat conference. It’s worth noting that Lynn was an ISS employee. 🙂

It should be also be noted that Vipin and Nitin’s previous presentation was in Amsterdam, Europe. This presentation, however, was scheduled in US… and the (stupid) US laws can screw things up. Based on Lynn’s case, it is quite apparent that Vipin and Nitin didn’t wish to get caught in any such undesirable situation.

I hope to see them present the paper at some other conference (or location) pretty soon. Best of luck guys.

OffTopic: Coincidentally, my younger brother’s name is Nitin. 🙂

July 3, 2007May 7, 2008

Month of Search Engine Bugs: “Mission Accomplished”

The Month of Search Engine Bugs by MustLive has come to an end.

MutLive reports:

In the project took part 33 search engines (30 web engines and 3 local engines) of 19 vendors, some vendors have several engines. The list of project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether there were published 104 vulnerabilities in mentioned engines. Including Cross-Site Scripting (as XSS, and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. It is without taking into account redirectors in search engines (altogether there were published 23 redirectors).

Results of the projects: fixed 44 vulnerabilities from 104 (without taking into account redirectors). It is 42,31% fixed vulnerabilities. Owners of search engines have a place for improvements of their engines’ security.

Over a period of 30 days, 104 and vulnerabilities/bugs were discovered out of which only 44 have been fixed. Out of these 19 vendors, only two (Rambler and Ezilon) have thanked him for his commendable hardwork.

Several researchers, including Jeremiah, RSnake, Christ1an etc. blogged about it. Considering the complexities involved in the fixing a bug, they agree at some point that 44 is still a good number. However, there is one Big “Cheer” Leader which isn’t fixing the bugs. No points for guessing that the Leader believes in “not doing evil things”.

April 12, 2007

Idle Nights: Devil’s Mind

I stay back in the office during night and return back at around 6-7 am, when everybody is coming :). These nights are supposed to be LONELY as I am the only one in the building (actually in all the four buildings combined), apart from the security guards and office boys, of course. However, I’ve found my companions, and ways to refresh myself. I’ll list some of them.

1. Online Web/Security Cameras: Some of you who know that Google provides an API for refining the search queries (with a capital “R”) also know that the giant’s database is like an ocean. And you never really know what’s inside an ocean unless and until you dive in it. As you dive deeper, your jaw drops in awe.
Long story cut short, I use the query to discover (a part of) all AXIS cameras online.
For curious lot, the query is: inurl:/view/view.shtml AXIS and sometimes intitle:”Live View / – AXIS” | inurl:view/view.sht
[As I am writing this, I wanted check the second query. So I chose one of the results and something spooky happened. Someone was already controlling the camera. hehe.
I was moving it right, he/she was moving it left. We fought for a while but then I closed the window. I am nice guy you see :D)

Okay let’s proceed.
So I have a bookmarked folder called “PastTime” on my browser, which has my favorite cameras bookmarked. My most fave are:
i) A coffee/wine shop camera, which is more lively during the night. Luckily, the camera is provided officially, so I can provide the link without any worries. Find the link to the camera here: buzzjunction_webcam

ii) A camera in the study room of a Polytechnic school of NewYork. It’s a small room with a coffee machine, a microwave oven (?), a printer, a sofa, a bookshelf, and an elliptical table with power connection for the laptops and notebooks.
And that’s the best part. People come here with there laptops, and sometimes I sit down looking at there screens, trying to figure out what they are doing. 😛
I have also become acquainted with some regular visitors.
A spectacled guy with a cap and a laptop. (He is leaving right now. No kidding. What a coincidence [jawdrop])
A black girl, who has the headphones exactly like mine.
Two Muslim girls, with one Dell XPS laptop (probably).
The bad part is, there are no visitors on sundays 🙁
iii) A micro/nano lab camera of one of the world’s most famous universities. There’s nothing engaging about this, apart from the fact that the guys (or girls) roam around in spacesuit sort of dresses.
iv) A set of four surveillance cameras. Three of them pointing to car parking locations and one focussed inside some kind of room. I am still not able to get it yet. The only thing that makes me stick to it is the word “surveillance” 😀

There are couple of others focussed on traffic, colleges, hostels (I guess), lake, parks… but they are pretty boring and pictures are not really clear.
I’d like to try my hands on other cameras like linksys too. Let’s see when.

2. Google Again: Google queries can be real fun.
Have you ever come across a search result when Google tells you that the original number of results is pretty large, however, most of them are sort of repetitions hence they have been truncated.
Have a look at the following two pictures.

This one’s the normal result.

Here I ask Google NOT TO OMIT ANY RESULT.

You think that’s funny?
I leave it up to you to decide.

3. Slashdot, and blogs of others friends (and their friends) and some geeks like de Icauza etc. Initially I was a Digg addict, but then got completely fed up.
So guys, keep blogging. 🙂

4. Movies and Documentaries: Net speed during the night is awesome (generally). So I don’t mind downloading them. Though I don’t get time to watch them.

5. Off late I’ve also found some vulnerabilities in the policies and network of my company. I try to keep the management informed.
After all it’s my company. I’d definitely not like any jerk to poke his nose in.

That’s it.
These five (along with the songs being played ALL the time) are currently more than enough to consume my free time (In fact more than JUST the free time).
But even after all this, it gets freaking lonely sometimes… not that I am complaining 🙂