How my Kindle cover saved my Kindle, OR How I got robbed of my DSLR and laptop

"Scene of Crime" by http://www.flickr.com/photos/zizzy/4582604955/
"Scene of Crime" by http://www.flickr.com/photos/zizzy/4582604955/

‘Robbed’ not in the strictest sense, but yes there was theft at my house yesterday. The lovely dudes took away my Nikon D90 along with the 18-105 lens, and Dell XPS (my lovely old wife). Yes, I’d recently ditched my wife for a super hot Macbook Air, but she still was a companion. Polygamy is amazing!

The Prologue

I come home from office, all hungry and tired, and find the iron gate without a lock. The first thought that hits me is that maybe my cook’s inside and has forgotten to lock the door. Sigh! If only it was true.
I enter the hall, switch on the lights and find the wash basin broken in pieces and lying on the floor. A whole lot of stuff lying on my study table. Thankfully, my bookshelf seems untouched. My bike is still there. I feel hopeful. I walk with a heavy heart, but high hopes, to Bedroom #2. The camera bag is lying on floor. I pick it up and it feels lighter than ever. I’ve always wanted it to weigh a little lighter while traveling, and my wish is granted. My Nikon is gone.
Then I remember my roommate’s camera pouch, which by the way looks like a camera bag unlike my camera-cum-laptop-cum-lenses backpack, and lies next to it. It’s still there. I lift it. It’s still heavy. Some joy. Some confusion.

Everything else seems to be in its original place, including the camera’s battery charger, and our newly washed and ironed clothes. I remember I’ve a Dell in the other bedroom. I don’t want to know, but I must. Alas and damn the human inquisitiveness.
Her cooling pad is in place. Her power cord is in place. But she isn’t. She’s left me.
Was it me cheating on her with an Air? No no, it can’t be. She still loved me. She loved my polygamy.

Bittu, in the golden days :(
Bittu, in the golden days πŸ™

O’ 3rd generation kindle-cover-with-light, Thank you!

I notice my new and shiny, but slightly twisted kindle cover lying between the cooling pad and the new and shiny “Depths of the Ocean -Sushmit Sen” music CD (which by the way is as amazing as hyped). My heart sinks little more. I pick it up. It’s still heavy. It doesn’t make sense. I open the cover and there’s “Jules Verne” looking as thoughtful as ever (To non-Kindle users, Kindles have standby wallpapers). But he seems a little sad today.
On further investigation, we later realize that they did indeed try to snatch the device out of the cover, and twisted it in the process, but failed. And so they left it. Apparently, they like to travel light. Why else would they leave the laptop’s power cord, or my awesome camera backpack (which also had my small HD video camera in one of the lens pouches, along with my portable HD and some Macbook Air accessories).

Kindle and its cover, twisted but safe
Kindle and its cover, twisted but safe

Oh the plunder! Oh the horror!

At some point -I know not when, and for some reason -I know not what, I realize that if they’ve broken the wash basin in the hall, it is possible that they have made violent love to my other wash basin. Akin to characters who are about to die in horror movies, I open the door of my bathroom adjacent to bedroom #1. These characters in the movies know that what they discover besides the door might get them killed, but they still open the door. And so do I. Alas and damn the human inquisitiveness.

Lo and behold! There’s huge dirty stone lying on the floor along with the the pieces of my lovely wash basin. The basin which I’d cleaned and polished and shined just a couple of days ago. Lying on the floor, like a tired prostitute. (Not that I’d know what a tired prostitute looks like.)

Sadly this isn’t the end of the terror story. As my gaze rises from the floor and falls upon the walls, my emotions run an all time high. If I weren’t shocked with what I saw, I would have surely been proud of my emotions which run so fast and so high like a tide.
They have taken away all the water taps and shower knobs and flush pipes and shower thingy and the cloth hanging rod thingy.
And they haven’t unscrewed them. No sir!. Rather used stones to break them from the walls -an act which as we would later discover, may cost us around 20K. In the end, I do wish they’d unscrewed the components rather than screwing us like that.
I move to the other bathroom. It’s confirmed, they’ve screwed us here as well. Oh yes, how can I forget the kitchen!
Getting screwed at so many different locations in such a short span of time has left me tired. I want to sit down now.

Stone that they used to break it all in the bathroom
Stone, which they used to break it all, lying in the bathroom

12 Angry Men (or may be just 5), and their analysis

So I call my roommate Abhijit, and my friend Dabbu in the meantime. Dabbu also gets his elder brother and roommate with him.
It is important to note that both of these men have had theft at their previous houses. Both have lost their laptops. Yeah, same pinch. I know!

All the five do what any reasonable person who’s had a theft at his place does. Socialize with neighbors and police, analyze, and bitch about it.
No, none of this matters and it seldom makes any difference. But you must. It’s a social custom. Ask Dr. Sheldon Cooper.

We talk to neighbors, call police, analyze and discuss and analyze again. The modus operandi is investigated and debated. Police guy, who is a rather soft spoken guy for a change, notes down details in his diary, sympathizes with us, and leaves.

Here’s how our final analysis looks like:
* It could have be my roommate. After all none of his stuff was stolen
* While we are at it, it may have been Dabbu. Apart from the fact that he loved my camera, he’s studied in a KV (Kendriya Vidyala), the same school where my younger brother went. And we all know how talented KV products are

Abhijit, Dabbu, and the wash basin that was
Abhijit, Dabbu, and the wash basin that was

Reconciliation

The entire post may present a jovial outlook. Part of it is forced, but mostly natural. I owe the jolly response for materialistic loss to a certain event in my life.

Years ago when I was in B.Tech, one fine evening my hard drive crashed. It wasn’t out of the blue. Remember the text mode Linux installations? Yes yes, fdisk and stuff. Yeah! So the hard drive crashed and I lost everything. All the songs, and the movies, and the songs, and the software, and the songs. It was the end of my life as I knew it. I crashed on my bed too.

As I was brooding on my cot, trying to analyze my options of data recovery, one question constantly and repeatedly came up –Now what?
The question was rather simple, and I didn’t have any answers, but it did have a profound effect on me.

It’s funny how we existentialists look around for answers all our lives, and how a simple question can liberate us.
It’s funny how we brood over our problems, and the acceptance of lack of a solution helps us reconcile.

Yes I loved my Nikon D90. I have been getting better with every picture I clicked. I loved when my friends smiled at the pictures I’d taken of them. I was looking forward to handing over the Dell to my brother, who’s been having problems with his laptop.
But well, it can’t be anymore. If it can’t be, it won’t be. If it won’t be, what am I going to brood over?

As Ghalib said:

Na tha kuchh toh khuda tha, kuchh na hota toh Khuda hota,
Duboya mujhko hone ne, na hota main toh kya hota.

[P.S. All said and done, why did those bastards have to take the taps man. There’s no water at home. Sigh! :'( ]

Update 1: Apparently, these thieves may have been addicts. It’s easier and quicker to sell off bathroom accessories.

Update 2: I finally managed to get an FIR filed. One the 11th day, mind you. Yeah, I know. We might be better off without a police department.

[OT] The Rant of a “Republic” Indian Hacker

For me, the very foundations of Hacker-dom is based on three very fundamental steps:
1. Grasp the fundamentals
2. Question everything
3. Question everything, without being a fanatic

As ironical (or rather illuminating, depending on the way you see) it may sound; as I start my very first step to understand the fundamentals of Indian constitution on the 59th Republic Day, I also start to learn to question it. It’s disturbing to learn that the borderline difference between pretending to be a democratic nation, and actually being one, has already depleted. What pains me more is that we “celebrate” the Republic day in the form of a “holiday”, without actually caring about being sovereign and republic.

I am starting to get fed up of getting used to all the abnormalities in the normal flow of life.

No more lectures now…

Randy Pausch, fondly known as the Last Lecture Guy, is no more.

If you have not heard of him, I suggest you watch his “last lecture”. A summary of the lecture and Randy Pausch’s life can be read here.

p.s.:
@Johnny: Thanks for updating me.
@Slashdot-ters: Thanks for not making stupid and mean remarks this time.
@Randy Pausch: Rest In Peace dude.

SecurCamp and back.

I spent the first half of the day at SecurCamp -1 (or Security Barcamp). It always great to get together with the community and today was no different. It came a sweet surprise to me that I have quite a few acquaintances in the community. The best part of the whole day, however, was getting together with Lucky after a loooong time. It’s pretty strange that even after being in the same city, we haven’t been able to meet as often as we could have. So I decided to use the opportunity properly. In fact, I am now at his house, using his 1 mbs line while he’s away for his dance class (and hoping he doesn’t keep a sniffer on).

By flickr.com/photos/fortphoto/2563803794/

I presented on “A conceptual Phishing/Fraud IDS”, something I had worked in Jan/Feb, but have been sleeping on in for all this while. Thanks to Johnny’s pestering, I think I’ll write a small paper on it and distribute for review. I just hope the increased official workload is minimized by the new members joining the team. πŸ™‚

We also used the opportunity to announce the OWASP Bangalore chapter revival. I have personally been working on identifying ways to ensure OWASP’s reach to the colleges, and have prepared a list of colleges in Bangalore. Let’s hope that we make it quick on that front too. Just to re-announce, if you are a student in/around Bangalore, drop me a note and we’ll put your college on top-priority. πŸ™‚

I also had a very strange realization today. I have been a member of several communities (security and otherwise) and differences creep-in at some point. However, they are pretty quick (and a little more obvious) in the security communities. Be it mailing lists, blogs or even physical meets, people respond (and then re-respond) pretty loudly. πŸ™‚ Is it because security is pretty demanding field where there isn’t much scope for a mistake, or is it because we all in the field carry a “I CAN’T be wrong” badge, or is it some other reason?

Time to move now. Hancock at 9:45PM πŸ˜›

Slashdot, uh! :|

Slashdot is supposed to be a respectable (news) portal for geeks and nerds. It’s punch line says News for nerds, Stuff that matters. I must admit that there was a time when I used to start my day with Slashdot, trying not to miss even a single news. That phase, however, is over. The two biggest problems with Slashdot today are:

1. The Slashdot community, which is getting reduced to people who lurk around to post comic and sarcastic comments. It’s very seldom that you come across an intelligent and insightful comment.
2. The news, if I may say so, itself.



By flickr.com/photos/nesster/



This rant is a direct result of a news titled Google Assists In Arrest Of Indian Man, posted on 19th. First of all this is an Old News. In fact I’d used the context to post a legal analysis of the impact of another Orkut worm, as per my knowledge and belief. I have nothing against reading old news, but for God’s sake, don’t claim it to be new.

Secondly, the post cites Shivaji as a saint. He was not a saint. He was a king and a warrior. Do your homework before posting, or rather approving such news.

Thirdly, the tone in which the post is written is as vague, if not more, as the point the post tries to make. If you wish to blame Google, get proper info before doing that. Google has a pact with Indian law enforcement. They are bound to provide such info. If you wish to convey the news that a false person was convicted, say it. If you wish to bring about the role of Yahoo! and Google in such cases, do it properly.

Being said all that, I don’t think I’ll completely stop reading /. . However, the prestige of being Slashdotted now seems to be just about traffic now.

How about a Better & Cheaper MacBook Air!

Those were the days when I used to be a Apple fan.
aah.. the harsh reality that they produce nothing more than crippled products at sky-high prices.

Moreover, Apple isn’t just about cut-throat business. It’s also about making people feel bad about themselves.
Don’t trust me?
See here yourself.

AdSense exploited by malware (Trojan.Qhost.WU)

1. Life & Code

By http://www.flickr.com/photos/13798876@N02/1466880287/

(The title of this section is taken from Johnny’s blog of the same name, Life and Code. Although my implementation of the phrase isn’t in terms with Johnny’s, yet I could resist using it. πŸ™‚ )

Life: Three days ago I found that there are some strange entries in my local Apache web server logs. Something like:
127.0.0.1 - - [18/Dec/2007:19:39:26 +0530] "GET /iview/msnnkhac001160x600Xdig1600000185msn/direct;wi.160;hi.600/01 HTTP/1.1" 404 352
127.0.0.1 - - [18/Dec/2007:19:42:19 +0530] "GET /pagead/show_ads.js HTTP/1.1" 404 320

Code: Bitdefender informs of a malware, termed as Trojan.Qhost.WU, is redirecting all the requests made to the Google’s ad server (page2.googlesyndication.com) by the victims browser to a rougue ad server.

2. Impact of the issue:

Reportedly, a big part of Google’s earnings comes from it’s Ad services. Thus this trojan is not only depriving Google of it’s earning’s, but also the publishers who work hard and hope to make some quick buck for their evening coffee.

3. The enigmatic “hosts” file:

You all know that every system connected directly to the internet is assigned a unique IP address. The domain name (viz. http://projectbee.org) is nothing but a unique name assigned to a unique IP (although more than one domain name can be mapped to an ip address, that is not our concern right now). This mapping is stored in DNS servers. Each time the browser tries to open up a site, a nearby DNS server is queried to find the ip address.
However, before all this, the DNS server of your local system, hosts file, is queried. (Don’t mistake me, this DNS server is just a metaphor πŸ™‚ ). The hosts file stores a domain name to ip address mapping for domains that don’t need a query to DNS server. e.g., localhost is mapped to 127.0.0.1, the loopback ip, i.e. the ip of local system.
On your windows 2000/NT onwards system, it’s located at %systemroot%\system32\drivers\etc\hosts and on your *nix systems at /etc/hosts. More info on location can be found here.

Now coming back to my problem; unable to find any satisfactory answer, I posted it on Slackers. (Giorgio) Maone, better known as author of the awesome NoScript plugin for Fx, immediately responded, and asked me to check my hosts file.
I had added a number of entries of ad serving sites to point to the local ip in my hosts file and forgotten. I did this to prevent ads from being loaded. Hence, each time any of these sites were called, the hosts file redirected the requests to my local server.
So pretty obviously, I was/am not infected.
“Why do you post the junk about your issue then?”, you ask.
“Because it was a strange coincidence, and because I can, honey :P”

4. How the exploit works?

It’s fairly simple, the malware modifies your hosts file and adds an entry for page2.googlesyndication.com to prevent DNS lookups and direct all the requests to the malicious server.

5. How do I protect myself?

1. Locate your hosts file and remove any entry for page2.googlesyndication.com. Alternately, you can even modify the entry to point to your local ip, in case you don’t wish to see those ads.
2. Let your Antivirus/AntiSpyware do it for you.

6. Conclusion

What! Dump M$ Windows for Linux. πŸ˜›
Seriously, “Linux ain’t easy to use” is a myth. Moreover, if you are into flashy looks, try compiz-beryl package. It IS Awesome… (and consumes amazingly less resources than…uh Vista.)

7. Bonus Tip

In case you wish to prevent your kids, partner, (or even parents) from visiting some sites; or do not wish to see those crappy ads from being loaded, you might consider editing your hosts file. For more information or even sample hosts files, use Yahoo! search.

Orkut Latest XSS Worm; and what it means for Indian Orkuteers

Update: Kishor reports a flaw in the implementation of “private” videos feature on Orkut. Although I am at office and I haven’t checked it yet myself, I believe I can trust him, based on his posts at Slackers. Nice one Kishor. πŸ™‚

1. YAWN [Yet Another Worm, Nanny]

http://flickr.com/photos/aqlott/1735501790/

Orkut (Google’s MySpace and Facebook for Indian, Pakistan and Brazil) has been hit by an XSS worm. It’s useless to say but I am not able to resist, so I’ll say it anyways. It’s not the first time that a Social networking site has been attacked by an XSS worm. In fact these sites are the primary target due to a number of reasons -easier gullibility level, exponential reach, huge amount of data waiting to be harvested, web 2.0 etc. etc. etc. There’s good compilation of XSS worms going on at Slackers (Social n/w worm, or no).
Anyhoo. This incident has already been reported by a number of bloggers, so I won’t dive into the technical details. However, this worm seems to be harmless and fixed for now.

2. What it did?

If you viewed a message 2008 vem ai… que ele comece mto bem para vc in your scrapbook, there is a big probability that you’re infected. You were added to a community named Infectados pelo VΓ­rus do Orkut at http://www.orkut.com/CommunityJoin.aspx?cmm=44001818. The worm then forwards itself to the scrapbook of all your contacts (on your behalf). Any doubts on it being exponential?

3. IT Act 2000 [pdf]

IT Act 2000 is India’s legal answer to the miscreants on the technological front. (I realize it’s a pathetic definition, so no flame on it please πŸ™‚ ). The trouble with IT Act 2000 is that the majority of law enforcers aren’t really aware of the real life scenarios. I’ll give a real case to support the point, in a while. Although I am no law expert (just a little bit of interest), I guess I can safely say that the Act needs a few amendments to include/modify a number of issues (e.g., SPAM, etc.)

So what happens when the implementation is in nascent stage, and the enforcers are not completely eductaed?
Things get blown out of proportion. Things get painted in a completely new color. Things get… uh! fill them up yourself.

Chapter 11 of the Act defines the Offences – section 65 to section 78. For now, let’s have a look at Sections 65, and 67.
Section 65: Tampering with computer source documents.

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation: For the purposes of this section, “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 67:Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

I have mostly been interested in section 67 (which according to some in the law indsutry) also extends to sms service πŸ™‚

Anyhoo. If you are interested in punishmentsm, here’s the link. Have a look. You might be serving one someday πŸ˜‰

5. Case Study

There have been quite a few cases revolving around Orkut, but the one that I’ll be talking about (and is the most relevant) is the one where wrong man ( named Lakshmana Kailash K) was put behind bars for 50 freakin’ days. He’s “reportedly” involved in the defamation of Chhatrapati Shivaji, a highly revered historical figure.
In case you aren’t aware, Orkut (Google) has signed a pact with Indian Law Enforcement. They pledge to “block any ‘defamatory or inflammatory content’, or hand over IP address information to police if asked”.

So what happened in the above case?
Law enforcers are reported about the defamation of Shivaji, they contact Orkut, Orkut gives IP, law enforcers run to the ISP (Airtel in this case), Airtel provides address, Guy put in jail.
Simple. Isn’t it?

The only trouble being that Airtel provided the wrong address.
Whoops! And bang! The dude spends 50 days straight, for something he didn’t do.
Neha Viswanathan, a blogger based in UK, has a very nice write-up on the incident. Further, there’s a very nice compilation of some Cyber Crime cases in India at the IndiaCyberLab portal.

6. Putting the pieces of puzzle together

Let’s first collect all the pieces together:
1. Orkut has a pact with Indian law Enforcement.
2. Law enforcers are incompetent *cough*.
3. Orkut (or any other similar site) still has XSS and CSRF flaws in them. Period.
4. XSS and CSRF let you (among other thousand things) manipulate source code (section 65) and/or insert obscene/derogatory (section 67).
5. XSS and CSRF let you post/manipulate data on some other person’s behalf. (Orkut/Samy etc. worms did not require you to click anywhere. Just load the page and the payload in inserted in your friend’s scrapbook on your behalf).

Now combine them all, and you’ll realize that there might be a day when you just sent a “long time no scraps” scrap in your friends scrapbook and went to bed. The next day, a bunch of Cyber officers wake you up, and arrest you for defaming Bala Saheb Thakrey.

…and yes! Don’t talk about Democracy. You’ve already seen that the politicians can get away with a wrestling in parliament arena that will put WWE stars to shame. On the contrary, a chap is detained for 50 days just because the cops thought that they had enough evidence.

7. Conclusion

What!
Stay away from social networking sites. Trust me, they are not worth the price.

M$ WindowsXP just got a newer version of Update with new Components!

I am not sure if anyone is aware of it or not, so kindly spare me if it’s not NEW in the sense I wish to convey. (Or may b, you didn’t discover it the way I did) πŸ˜›
For no particular reason, I visited the windows update page today (using IE7) and got this message:

WindowsUpdateComponent

As you can see, the *latest version* of Windows Update requires a few components to be installed on your system. There’re also some details regarding the components, which are hidden using a javascript function.

I’d encourage you to read all the benefits that are provided by the latest version. Once you are done reading them (and figuring which of them are new and which makes sense), proceed to discover the *special component*.

WindowsUpdateComponentDetails

Yahoo! gone Insane!

No Yahoo! hasn’t changed it’s name to Insane!. It’s just their behavior that has gone insane.

If you’ve been a member of some online group for quite some time, chances are that the group is on Yahoo! Groups. Same with me. This story is concerned with my college batch online egroup. Yahoo! groups has a very useful feature which let’s you specify ANY email address for your mails to be delivered (and receive mails from, obviously). I had configured it to my company mail id.

Now like a lot of people, I have two Yahoo! ids, NB and AS. The group is configured with NB. Today, I decided to change it to one of my other Yahoo! id AS, mostly because I use it as the primary id.

….but it won’t get changed. The error

  • Your email address “AS@yahoo.co.in” is in an invalid format.
  • Invalid Email Address.Your Email address of AS@yahoo.co.in belongs to yahoo.co.in which is restricted from use in Yahoo! registrations. Please choose a different email address.

yahoogoneinsane.jpg

I thought, they might be allowing only “yahoo.com” addresses. So I changed my input to “AS@yahoo.com, hoping for an error message that the specified email address doesn’t exist… but what I get is:

  • Invalid Email Address.Your Email address of AS@yahoo.com belongs to yahoo.com which is restricted from use in Yahoo! registrations. Please choose a different email address.

yahoogoneinsane2.jpg

Now WHAT IN THE HELL are the Yahoo! developers thinking? They don’t think that it’ll stop people from creating more than one id… or do they?

TPM Boys withdraw paper from BlackHat USA

I hope you remember the young Indian security researchers Vipin Kumar (22) and Nitin Kumar (23), the TPM Boys [I guess, that’s the way they call themselves. At least their blog confirms that. πŸ™‚ ]They presented a Paper “Vboot Kit: Compromising Windows Vista Securityat Blackhat Europe – 2007.

The talk explained the (different) booting process of Windows Vista. It also introduced the concept of manipulating an OS during its boot process using VBootkit. Finally, they gave a live demo of VBootkit in action (on Vista).

This event was Slashdotted. VBootkit was also blogged by Bruce Schneier. Here is an interview of the “boys” at SecurityFocus by Federico Biancuzzi. In their own words, “Vbootkit is much like a door or a shortcut to access vista’s kernel……. since vbootkit becomes part of the kernel, it can do anything that Vista’s kernel can do.”

This all, however, is a news of past. The current news stirred more vigour and controversy. They had yet another paper “TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)” scheduled to be presented at Blackhat USA – 2007. They withdrew there paper last week without any comments. This news was Slashdotted and resulted in a (typical) slashdotian variety of comments. Some even doubted if they really had any success in their research. Well, you cannot really blame them. That’s the fussy nature of our FOSS communities… errr… wait. Before you bash me, I’d like to remind you that it’s not (only) me who says that. It was originally cited by Mark Shuttleworth. An amazing number of people opposed Mark by creating a lot of Fuss. πŸ˜‰

Coming back to the story. A user, by the handle PoliTech, commented on Slashdot and reminded the Michael Lynn’s paper at Blackhat about his research on Cisco Routers. Cisco and ISS sued Lynn and the management of Black Hat conference. It’s worth noting that Lynn was an ISS employee. πŸ™‚

It should be also be noted that Vipin and Nitin’s previous presentation was in Amsterdam, Europe. This presentation, however, was scheduled in US… and the (stupid) US laws can screw things up. Based on Lynn’s case, it is quite apparent that Vipin and Nitin didn’t wish to get caught in any such undesirable situation.

I hope to see them present the paper at some other conference (or location) pretty soon. Best of luck guys.

OffTopic: Coincidentally, my younger brother’s name is Nitin. πŸ™‚

Month of Search Engine Bugs: “Mission Accomplished”

The Month of Search Engine Bugs by MustLive has come to an end.

MutLive reports:

In the project took part 33 search engines (30 web engines and 3 local engines) of 19 vendors, some vendors have several engines. The list of project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether there were published 104 vulnerabilities in mentioned engines. Including Cross-Site Scripting (as XSS, and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. It is without taking into account redirectors in search engines (altogether there were published 23 redirectors).

Results of the projects: fixed 44 vulnerabilities from 104 (without taking into account redirectors). It is 42,31% fixed vulnerabilities. Owners of search engines have a place for improvements of their engines’ security.

Over a period of 30 days, 104 and vulnerabilities/bugs were discovered out of which only 44 have been fixed. Out of these 19 vendors, only two (Rambler and Ezilon) have thanked him for his commendable hardwork.

Several researchers, including Jeremiah, RSnake, Christ1an etc. blogged about it. Considering the complexities involved in the fixing a bug, they agree at some point that 44 is still a good number. However, there is one Big “Cheer” Leader which isn’t fixing the bugs. No points for guessing that the Leader believes in “not doing evil things”.

Bill Gates wins me!

I realized that the title of this post has a contrast with my previous post, only after I wrote the topic. Thus, I feel that it is obligatory to mention that I am still Anti-M$. I still do not support there business model. Phew!
…and yes. The contrast in the names is just a mere coincidence. I know it’s tough to believe, but then I don’t lie.

Now coming to the topic.
I have always appreciated the way Bill Gates (and, of course, his wife) has spent time and money on Melinda Foundation. I remember posting my views a few days ago on Arpit’s blog.

A few minutes ago, I read Bill Gates speech transcript that he delivered at Harvard.
He starts the speech on a light note and calls himself a “bad influence” by reminding that he made Steve Ballmer drop out of B-School (Oh! How I wish that Gates had failed in convincing Ballmer πŸ˜‰ ).
He continues his speech by talking about how ignorant he was about the socio-economic and health problems of the developing nations, when he joined Harvard (and even later.)
The thing that blew me was that for the most part of his speech, he talked about how technology can and should be used for the help of these people.

I won’t mention the details. I’d pursue you to read it. I hate to say, but Bill seems to be a bright candidate for my future plans (after he drops out of M$, of course).

Google Lost Me!

It’s strange writing something like this using a service that’s owned by Google. πŸ™‚
But it was long overdue.

There was a time when I used address Google as “Google God” :).
Used to believe a lot that they religiously follow their “Do no Evil” motto. I forgot that as companies grow, there are bound to be employs who are evil by nature.
It reminds me of my Pre-Placement Training during college days when I was “tutored” that, Honesty is not a strength. You are supposed to be honest” This obviously isn’t true when people take the excuse of “everybody-is-doing-it-so-why-not-me”.
And lets face it.
Money matters!

Anyways, coming back to the topic; I mentioned in one my previous blogs when my Google AdSense account was disabled because of my own mistakes. I took the responsibility and had no complaints. However, when my AdSense account was disabled for the second time, I made a thorough study of their privacy policies. That’s when I came to know about their two-faces.
They allow several sites to utilize their services even when they falter with the terms and conditions. One thing common among all these sites was, “they all are High Traffic sites”.

As I mentioned, a post on the topic was long overdue. I stopped myself with one or other reason. The latest development, however, made me talk about it.
According to Privacy International’s latest report on Top 23 Internet Companies, Google held the last spot (even below M$). This topic, as Privacy International itself admits, is controversial. It’s report however, is substantially supported.
You might want to have a look at the post on the same topic on RSnake’s blog. Do not miss out on the comments.

Footnote: This post is not an outlet to my anguish. I (mistakenly) had more faith in Google than most of you. Another post on innovativeness of Google technologies is due.
And BTW, I do not mean to say that Google has turned evil. I believe as the company has grown, the motto has changed to “Do no Evil. If there is any, close your eyes“.

Rediffmail Bug. Anyone Interested?

The title may lure you to assume that I am going to talk about some security bug. Well, I am not… or I’d rather say I haven’t yet thought of any ways to exploit it. If you come up with something, do let us know.

Now back to the topic.
Almost all the huge players are now moving to the AJAX arena. They are in fact coming up with new technologies like Silverlight, Apollo, JavaFx. I am personally not a very big fan of AJAX, but then it doesn’t make any difference. I am, however, interested in these new athletes, particularly JavaFx.

One of the major concerns of any AJAX programmer, IMHO, should be to take care of a situation where the user DOES NOT HAVE or DOES NOT WISH to use Javascript. It should be a growing concern when we have plugins like NoScript (Oh! I Love it.) and we have reasons to use it. Apart from the security concerns, it blocks most of the stupid ads that I am not interested in.

Bottom line, there should be a minimal interface to fall back to (like the one GMail has). The rediffmail coders have done the same and provided a…. ummmm BackUpInterface thingy. However, they probably forgot that the *thingy* is there because the person’s browser DOES NOT SUPPORT Javascript.

My Story, My Words:
I used the NoScript plugin to forbid rediff.com domain, opened the site rediffmail.com, entered userid and password… and said… Khul Ja Sim Sim. πŸ™‚

Bingo I was in and was able to read my mails without any fuss. Then I decided to delete some mails… wait a sec! What the heck!
I am not able to.
Move mails??? Nopes.
Compose? Okay.
Send?? Sorry.
Save Draft? Sorry.
Cancel??? Sorry. πŸ™

I concluded that all that looks like a Button uses javascript. However, the links were, fortunately or unfortunately, working.
The Logout‘s like a link. So it’d obvoiusly work.
click.. click.. clickclickclick.
What the Heck!.
Logout operation calls some javascript function do_logout().

So basically, if I am an average internet user and do not have javascript, I’d log into my rediffmail account, read mails, try composing but won’t be able to send… and worse, I won’t be able to logout. Not understanding anything, I might close the browser window.
And what if I am at a cybercafe???

I am sure there is way to revive the session even if the browser window is closed (I remember reading of some similar old Yahoo! bug). If you’re interested, take on from here. πŸ™‚

Now for the other people. I would really like to know how many people actually have a rediff aaccount and actually use it .
I have one too… and I login in… say a month.
I am not at all blaming rediffmail service (Okay! A little :D), I am just interested in the figures.

Open JavaFX, an alternative to AJAX?

Strange things happen to me all the time.
When I came to the office a few hours ago, I came across JavaFX scripting language while reading random blogs.

I found it pretty interesting and decided to check it out.
So I added the module in my NetBeans IDE and started playing with it. Though I could not fiddle for quite long, I found it pretty good. In fact, it looks to be amazing through the initial glances (though I haven’t done any serious coding in it yet). I have bookmarked some of the pages with a motive to get back to the kid.
However, I must mention that it was pretty slow. I am not sure if office’s system has something to do with it.]

I then resumed my other tasks; little did I know that the language has already created waves.
Slashdot is running an article:
Sun Debuts JavaFX As Alternative To AJAX

That was a real surprise to me. JavaFX was unveiled at JavaOne today. I initially thought that the language has been there for quite sometime and I was stupid enough to have missed it somehow.

Finally, I too hope that it turns out to be an AJAX killer; not just because I have never been a javascript fan, but also because it’ll hopefully reduce the dangers of XSS, which according to Jeremiah Grossman is the next Buffer Overflow (and Javascript, the new ShellCode πŸ™‚ ).

Footnotes: Hopefully, I’ll get some time from my official work to play with JavaFX and update on the same.
…and by the way, if it turns out to be an AJAX killer; will we rename it to AJilla??? [For the uninformed, Mozilla = Mosaic + killer πŸ™‚ ]