How my Kindle cover saved my Kindle, OR How I got robbed of my DSLR and laptop

"Scene of Crime" by
"Scene of Crime" by

‘Robbed’ not in the strictest sense, but yes there was theft at my house yesterday. The lovely dudes took away my Nikon D90 along with the 18-105 lens, and Dell XPS (my lovely old wife). Yes, I’d recently ditched my wife for a super hot Macbook Air, but she still was a companion. Polygamy is amazing!

The Prologue

I come home from office, all hungry and tired, and find the iron gate without a lock. The first thought that hits me is that maybe my cook’s inside and has forgotten to lock the door. Sigh! If only it was true.
I enter the hall, switch on the lights and find the wash basin broken in pieces and lying on the floor. A whole lot of stuff lying on my study table. Thankfully, my bookshelf seems untouched. My bike is still there. I feel hopeful. I walk with a heavy heart, but high hopes, to Bedroom #2. The camera bag is lying on floor. I pick it up and it feels lighter than ever. I’ve always wanted it to weigh a little lighter while traveling, and my wish is granted. My Nikon is gone.
Then I remember my roommate’s camera pouch, which by the way looks like a camera bag unlike my camera-cum-laptop-cum-lenses backpack, and lies next to it. It’s still there. I lift it. It’s still heavy. Some joy. Some confusion.

Everything else seems to be in its original place, including the camera’s battery charger, and our newly washed and ironed clothes. I remember I’ve a Dell in the other bedroom. I don’t want to know, but I must. Alas and damn the human inquisitiveness.
Her cooling pad is in place. Her power cord is in place. But she isn’t. She’s left me.
Was it me cheating on her with an Air? No no, it can’t be. She still loved me. She loved my polygamy.

Bittu, in the golden days :(
Bittu, in the golden days 🙁

O’ 3rd generation kindle-cover-with-light, Thank you!

I notice my new and shiny, but slightly twisted kindle cover lying between the cooling pad and the new and shiny “Depths of the Ocean -Sushmit Sen” music CD (which by the way is as amazing as hyped). My heart sinks little more. I pick it up. It’s still heavy. It doesn’t make sense. I open the cover and there’s “Jules Verne” looking as thoughtful as ever (To non-Kindle users, Kindles have standby wallpapers). But he seems a little sad today.
On further investigation, we later realize that they did indeed try to snatch the device out of the cover, and twisted it in the process, but failed. And so they left it. Apparently, they like to travel light. Why else would they leave the laptop’s power cord, or my awesome camera backpack (which also had my small HD video camera in one of the lens pouches, along with my portable HD and some Macbook Air accessories).

Kindle and its cover, twisted but safe
Kindle and its cover, twisted but safe

Oh the plunder! Oh the horror!

At some point -I know not when, and for some reason -I know not what, I realize that if they’ve broken the wash basin in the hall, it is possible that they have made violent love to my other wash basin. Akin to characters who are about to die in horror movies, I open the door of my bathroom adjacent to bedroom #1. These characters in the movies know that what they discover besides the door might get them killed, but they still open the door. And so do I. Alas and damn the human inquisitiveness.

Lo and behold! There’s huge dirty stone lying on the floor along with the the pieces of my lovely wash basin. The basin which I’d cleaned and polished and shined just a couple of days ago. Lying on the floor, like a tired prostitute. (Not that I’d know what a tired prostitute looks like.)

Sadly this isn’t the end of the terror story. As my gaze rises from the floor and falls upon the walls, my emotions run an all time high. If I weren’t shocked with what I saw, I would have surely been proud of my emotions which run so fast and so high like a tide.
They have taken away all the water taps and shower knobs and flush pipes and shower thingy and the cloth hanging rod thingy.
And they haven’t unscrewed them. No sir!. Rather used stones to break them from the walls -an act which as we would later discover, may cost us around 20K. In the end, I do wish they’d unscrewed the components rather than screwing us like that.
I move to the other bathroom. It’s confirmed, they’ve screwed us here as well. Oh yes, how can I forget the kitchen!
Getting screwed at so many different locations in such a short span of time has left me tired. I want to sit down now.

Stone that they used to break it all in the bathroom
Stone, which they used to break it all, lying in the bathroom

12 Angry Men (or may be just 5), and their analysis

So I call my roommate Abhijit, and my friend Dabbu in the meantime. Dabbu also gets his elder brother and roommate with him.
It is important to note that both of these men have had theft at their previous houses. Both have lost their laptops. Yeah, same pinch. I know!

All the five do what any reasonable person who’s had a theft at his place does. Socialize with neighbors and police, analyze, and bitch about it.
No, none of this matters and it seldom makes any difference. But you must. It’s a social custom. Ask Dr. Sheldon Cooper.

We talk to neighbors, call police, analyze and discuss and analyze again. The modus operandi is investigated and debated. Police guy, who is a rather soft spoken guy for a change, notes down details in his diary, sympathizes with us, and leaves.

Here’s how our final analysis looks like:
* It could have be my roommate. After all none of his stuff was stolen
* While we are at it, it may have been Dabbu. Apart from the fact that he loved my camera, he’s studied in a KV (Kendriya Vidyala), the same school where my younger brother went. And we all know how talented KV products are

Abhijit, Dabbu, and the wash basin that was
Abhijit, Dabbu, and the wash basin that was


The entire post may present a jovial outlook. Part of it is forced, but mostly natural. I owe the jolly response for materialistic loss to a certain event in my life.

Years ago when I was in B.Tech, one fine evening my hard drive crashed. It wasn’t out of the blue. Remember the text mode Linux installations? Yes yes, fdisk and stuff. Yeah! So the hard drive crashed and I lost everything. All the songs, and the movies, and the songs, and the software, and the songs. It was the end of my life as I knew it. I crashed on my bed too.

As I was brooding on my cot, trying to analyze my options of data recovery, one question constantly and repeatedly came up –Now what?
The question was rather simple, and I didn’t have any answers, but it did have a profound effect on me.

It’s funny how we existentialists look around for answers all our lives, and how a simple question can liberate us.
It’s funny how we brood over our problems, and the acceptance of lack of a solution helps us reconcile.

Yes I loved my Nikon D90. I have been getting better with every picture I clicked. I loved when my friends smiled at the pictures I’d taken of them. I was looking forward to handing over the Dell to my brother, who’s been having problems with his laptop.
But well, it can’t be anymore. If it can’t be, it won’t be. If it won’t be, what am I going to brood over?

As Ghalib said:

Na tha kuchh toh khuda tha, kuchh na hota toh Khuda hota,
Duboya mujhko hone ne, na hota main toh kya hota.

[P.S. All said and done, why did those bastards have to take the taps man. There’s no water at home. Sigh! :'( ]

Update 1: Apparently, these thieves may have been addicts. It’s easier and quicker to sell off bathroom accessories.

Update 2: I finally managed to get an FIR filed. One the 11th day, mind you. Yeah, I know. We might be better off without a police department.

Life, so far…

Apparently the last time I wrote something here was on Jan’26th Mar’ 23rd, 2009 -almost 3 years ago. Obviously a lot’s happened and much has changed in life -or may be nothing’s changed. I recall lines from a Gulzar saab’s poem:

Pal bhar mein sab kuchh badal gaya,
Aur kuchh bhi nahi badla.
Jo badla tha, woh toh guzar gaya

by Jen Son

In any case, here’s a few of my experiments I can remember:

  • Left Satyam to join Directi and moved to Bombay  from Bangalore
  • Satyam went nearly broke and bankrupt, thanks to Mr. Raju, and the overly emotional and messed up capitalist system
  • Worked on the despicable, and yet vital, online advertisement and traffic monetization business
  • Learned about the awesome algorithms that go behind powering a beautiful, but annoying, parked page
  • Learned the art of writing Firefox addons and wrote a couple interesting ones (none open source, sorry)
  • Joined null security group’s core team and played the role of Mumbai chapter’s moderator
  • Did something I wanted to do for a long time -an experiment of living alone (for an year). Had the painful realization that human touch is an underrated indulgence.
  • Met a lot of crazy (and) talented people, and made some friends
  • Won an Olympus E450 in a photography contest (Yay!). Sold both cameras and bought a Nikon D90
  • Became the proud owner of a 3rd generation Amazon Kindle B-)
  • Became an entrepreneur… eh, no, not entrepreneur. Rather a startup-businessman. Yeah, better!
  • Moved (back) to Bhubaneswar to work full time on the product
  • Volunteered for SPICMCAY’s 26th National Convention and worked on the first ever LIVE streaming of performances
  • Launched two products, including
  • Working on a third product -sort of derivative and related, but the one that’s got me pretty excited

Like any startup guy would tell you, every dawn starts with a bunch of promises and hopes, and you’d be super lucky if even one of them materializes by sundown. For now, all  can say is life’s frustrating, irritating, brutal, lonely, rewarding, and fun -in short, fulfilling.

Oh by the way, I’m going to conduct another interesting experiment with a fellow nerdA Road Trip 🙂

[OT] The Rant of a “Republic” Indian Hacker

For me, the very foundations of Hacker-dom is based on three very fundamental steps:
1. Grasp the fundamentals
2. Question everything
3. Question everything, without being a fanatic

As ironical (or rather illuminating, depending on the way you see) it may sound; as I start my very first step to understand the fundamentals of Indian constitution on the 59th Republic Day, I also start to learn to question it. It’s disturbing to learn that the borderline difference between pretending to be a democratic nation, and actually being one, has already depleted. What pains me more is that we “celebrate” the Republic day in the form of a “holiday”, without actually caring about being sovereign and republic.

I am starting to get fed up of getting used to all the abnormalities in the normal flow of life.

OWASP AppSec Conf Delhi – Day 2; and more

The pictures of Day 2 are here.

The second day consisted of 6 workshops – 3 before lunch and 3 after. I was confused on choosing between Sheeraj Shah and Mano Paul’s workshops during the first half; and Jason Li’s talk on “Web 2.0  Security” and “Secure Code Review” workshop (originally by Dinis Cruz, but conducted by Gaurav Kumar of Microsoft) on the second half.

Threat Modelling - Mano Paul

Mano Paul

Choosing Mano Paul’s Workshop on Threat Modelling was relatively easier because I am trying to push in Threat Modeling in my company. However, the disappointment of missing Sheeraj’s talk was no less. Although, I must confess Mano Paul is one heck of a presenter. I guess experience always count.

Code Review - Gaurav Kumar

Gaurav Kumar

The decision for the second half was pretty tough. I had finally chosen Secure Code Review talk over Jason Li’s talk, because I’ve a personal interest in Code Review; added by the fact that the workshop was to be conducted by Dinis Cruz. Since we had to pre-select the talks, there was no scope to change it later. Needless to say, I was a bit disappointed initially. However, I must also mention that I don’t regret attending it. It was conducted by Gaurav Kumar, Ace Team, Microsoft. The best part about him, apart from the fact that he knows his stuff, is that he took all the M$ jokes sportingly :).

Bipin with Walter and Jordan

Bipin with Walter and Jordan

I also got to meet Jordan Forssman (Armorize) and Walter Tsai (CTO, Armorize), although I regret not being able to spend enough time and talk some Geeky stuff. Oh and yes, Walter gifted me and Amit the 31337 Armorize T-Shirts :D. I also got to meet a couple of more like minded people, though very briefly. I couldn’t share cards with all of them. Today Lava (whom I met during Gaurav’s workshop), contacted me today via this blog. Feel greats to be in touch with fellow geeks and to be able to share the geekiness. 😉 I’d like to be in touch with others too. Please feel free to buzz me.

I must admit, the hangover remained for quite a few days. It had motivated us to evaluate the possibility of another OWASP conf at Banglore. We’ll be discussing it at the next meet. For now, I have another interesting announcement to make. OWASP Banglore Chapter is starting Open Workshops for developers, students, and anyone interested to learn about Web Security. The first one is on Sept. 7th, at Microland, Bellandur. If you are interested kindly drop me a mail; or even better, joing the OWASP Bangalore mailing list and put up your details.

OWASP AppSec Conf Delhi – Day 1

Special Note: I don’t have my Canon EOS 350D with me nowadays, so I had to borrow my roomates Canon Powershot. 🙁 The quality sucks, but still, the pictures are here.

I’ll be honest, going by the conf prices and some of the talk titles; I was expecting OWASP AppSec Delhi to be targeted mainly for managers. Moreover, I didn’t really have enough hopes for the first day talks, at least. It felt even worse when I realized that Dinis Cruz hasn’t been able to make it. I was looking forward to his workshop in App Sec Code Review. But boy, what a day! 🙂

The registration was scheduled to begin at 8:15 AM and I reached at 7:45. As if that was not enough, the registration was delayed by another 40-45 minutes. I like to be punctual, but end up playing the endless wait-game more than often.  However, on the bright side I got to interact with a couple of great guys, like Amit Parekh (MPS). Quite surprisingly, I also came across Manjula (Aujas Networks). I say surprisingly because when we had discussed about the conference at a previous OWASP Bangalore chapter meet, she had no plans to visit. I am glad she decided at the last moment. 🙂

Before I mention about the talks, I feel obligated to thank Nitin of OWASP Delhi chapter for letting me attend the conference even though my company has failed to pay the conference fees at the moment due to some strange procedural issues.

Bipin & Amit

Bipin & Amit

The day began with the keynote speeches by Dhruv Soni and Puneet Mehta (OWASP Delhi Chapter), Murli Krishna(HP), Dr. Kamlesh Bajaj (DSCI), Jason Li(OWASP), and Mano Paul(ISC^2). The welcome notes by Dhruv and Puneet were followed by Dr. Bajaj and Murli Krishna’s keynotes. I couldn’t help but wish I could get seniors from the network management unit of my firm. I would love to believe that they would have had a heart change with respect to application security after the keynote 😉 . Jason spoke on behalf of Dinis and introduced the newbies to OWASP and a couple of its projects. In case you are unaware (like me), there has been an interesting addition to the OWASP projects called ESAPI. It looks good at first glance. Hopefully, I’ll be having a closer look pretty soon. Finally, Mano Paul provided some interesting metaphors to the security scenario, and also introduced the youngest hacker in the crowd, his two year old son. It’ll surely be fun to attend his workshop on Advanced Thread Modelling.

Following the Keynote speeches, Jason Li introduced the crowd to his AntiSamy project. I especially liked the way he’d organized his talk to compare several XSS mitigation techniques and then prove why AntiSamy’s (or HTMLPurifier’s) approach is better 😉 . His talk was followed by Rajesh Nayak’s (HP) talk titled Web App Security: Too costly to ignore. Although, it was more of a sales pitch, it did have some valid points; and we did manage to have our share of fun. When a certain demo of his failed a couple of times and he had to restart his system, I couldn’t control my tendency to pass on loud remarks and asked whether it was an HP laptop 😛 .

Bipin & Amit

Manjula, Sheeraj, & Amit

The much awaited Sheeraj Shah’s talk on Web 2.0 Security came after the lunch. As expected of him, the talk was pretty technical and wasn’t really for the noobs. He also talked about his home-brewed scripts to analyze Web 2.0 enabled/hyped portals. Later, Roshan Chandran of Paladion presented a very interesting case study on Testing 200+ applications in a $10 Billion Enterprise. This talk provoked a lot of techies in the crowd who were silent till now. Finally, Nischal Bhalla delivered a talk on Building Enterprise AppSec Program. This is something I’ve been trying to do at my workplace (with the help of my Bosses) and I guess I’ll be mailing Nischal for the presentation.

To summarize, none of the talks were any ground breaking research that we were not aware of, but the difference always comes in with experience; and that’s what made it an amazing day. It was great to look at things from the perception of these uber hackers. I am eagerly looking forward for tomorrows workshop’s – Advanced Threat Modelling by Mano Paul, and App Sec Code Review by Gaurav Kumar (which was originally scheduled by Dinis Cruz.

Oh and yes! The food was pretty good too. 🙂

No more lectures now…

Randy Pausch, fondly known as the Last Lecture Guy, is no more.

If you have not heard of him, I suggest you watch his “last lecture”. A summary of the lecture and Randy Pausch’s life can be read here.

@Johnny: Thanks for updating me.
@Slashdot-ters: Thanks for not making stupid and mean remarks this time.
@Randy Pausch: Rest In Peace dude.

SecurCamp and back.

I spent the first half of the day at SecurCamp -1 (or Security Barcamp). It always great to get together with the community and today was no different. It came a sweet surprise to me that I have quite a few acquaintances in the community. The best part of the whole day, however, was getting together with Lucky after a loooong time. It’s pretty strange that even after being in the same city, we haven’t been able to meet as often as we could have. So I decided to use the opportunity properly. In fact, I am now at his house, using his 1 mbs line while he’s away for his dance class (and hoping he doesn’t keep a sniffer on).


I presented on “A conceptual Phishing/Fraud IDS”, something I had worked in Jan/Feb, but have been sleeping on in for all this while. Thanks to Johnny’s pestering, I think I’ll write a small paper on it and distribute for review. I just hope the increased official workload is minimized by the new members joining the team. 🙂

We also used the opportunity to announce the OWASP Bangalore chapter revival. I have personally been working on identifying ways to ensure OWASP’s reach to the colleges, and have prepared a list of colleges in Bangalore. Let’s hope that we make it quick on that front too. Just to re-announce, if you are a student in/around Bangalore, drop me a note and we’ll put your college on top-priority. 🙂

I also had a very strange realization today. I have been a member of several communities (security and otherwise) and differences creep-in at some point. However, they are pretty quick (and a little more obvious) in the security communities. Be it mailing lists, blogs or even physical meets, people respond (and then re-respond) pretty loudly. 🙂 Is it because security is pretty demanding field where there isn’t much scope for a mistake, or is it because we all in the field carry a “I CAN’T be wrong” badge, or is it some other reason?

Time to move now. Hancock at 9:45PM 😛

Reviving OWASP Bangalore Chapter

Update – Jan’ 13th, 2014: I’m excited to let you know that Bangalore OWASP chapter has been up and running, and growing for the last three years now. I no longer live in Bangalore, but the chapter and its people remain a source of knowledge exchange (read, nerd-talk). For more information, check out the OWASP Bangalore homepage.
If need be, you may contact the chapter leads Akash Mahajan (akash [DOT] mahajan {AT} owasp [DOT] org), and KV Prashant (kvprashant {AT} owasp [DOT] org.)


The OWASP Bangalore Chapter met after almost an year today, and I was priviledged to be a part of it. As happens often with technical groups, including LUGs (Linux User Groups), they tend to loose participation and go to indefinite hibernation mode. OWASP-Bangalore’s fate was no different.

Meeting room stencil graffiti by --

Anyhoo! The important point is that we finally met today. There were around 12 peole who turned up, and boy, It’s always an honour to meet enthusiastic people from the Security community. Minutes of the meeting will be posted by Hari, Chapter coordinator, pretty soon on the OWASP-Bangalore mailing list. To cut things short, we discussed and decided on a couple of points to revive the Bangalore Chapter. I’ll personally be looking forward to spreading the information to younger audience. So, just in case you are a part of some College around Bangalore, feel free to drop me a note. We’d love to visit your campus and deliver talks, free of charge. 🙂
As for the regular meetings, we’ve decided to meet every fourth Wednesday of the month. Venues will of course, keep changing.

p.s. I love the song “Jaane Kya Baat Hai” from the movie Sunny. But somehow, I am not able to get the other song,”Aur Kya Ahde Wafaa Hote Hain”, out of my mind since morning. Not that I am complaining 😉

Aur Kya Ahede Wafa…

Bittu’s back :)

Bittu, my wife, got revamped. For unemotional people, it simply means I bought a new laptop 🙂

She is red, and she’s hot!


She’s a Dell XPS M1330. Other features include:

1. Intel Core-2 Duo, 2.1 GHz (My first intel. I used to be with AMD)
2. 200GB HD , 7200rpm
3. 128 MB Nvidia graphics card (the games run awesomely, and I have re-entered the gaming arena. Currently re-re-replaying Serious Sam, Second Encounter)
4. Pre-Loaded Vista 🙁  (I am still a little confused, whether I go ahead with OpenSuse 10.3 or wait 6 more days for OpenSuse 11 to arrive. 😉 )
5. and other regular features like DVD writer, fingerprint scanner, built-in webcam, etc. etc. etc.

I should have updated about her by now, but have been very very busy with an official work involving OpenSocial till yesterday. Hoping to publish other draftified articles soon.


I have a special likeness for T-Shirt with quotes. More Geeky the quote, more geekier… I mean better.
I got this T-Shirt made for myself a couple of days ago.
I case you didn’t get, it’s a mockery of the crippled iPhone.


Oh by the way, this is my first post on the new blog, and this pic is a response to Swenny’s post on Adding an “i” 🙂

How about a Better & Cheaper MacBook Air!

Those were the days when I used to be a Apple fan.
aah.. the harsh reality that they produce nothing more than crippled products at sky-high prices.

Moreover, Apple isn’t just about cut-throat business. It’s also about making people feel bad about themselves.
Don’t trust me?
See here yourself.

A Phish floating in Google Survey!


1. Phizy-Phizy-Phizy

I have always loved making this phizy-phizy-phizy sound purposelessly, which I once heard in a Rob Schneider movie (which, if I remember correctly, was a pathetic movie). Anyhoo! I, now, have a set of very strong reasons to move around repeating the same lines.
First, we received a request to be involved in a discussion for a Risk Assessment Model for a Banking site. This model had to be focussed on Two Factor Authentication and Phishing. This brainstorming gave me a couple of interesting avenues to work on. Hopefully, I’ll be writing more in this pretty soon.
Secondly, Peter Thomas (one of my amazing Bosses), forwarded me the link about the latest research by Nitesh Dhanjani & Billy Rios. They virtually infiltrated the Phishers ecosystem and have come up with some very interesting information.
Thirdly, my friend Swen called me up to let me know about a phishing mail, claiming to be a Google survey, that had landed in his mailbox. He was excited for two reasons:
a) He had received a phishing mail for the first time, and I guess you all remember the excitement the first time you discovered your first phishing mail.
b) He is one of the Google fans, and is worried about the safety of the vast majority of user-base Google has. Obviously, his concern isn’t without reasons.

2. A Phish named GoogleSurvey

As I mentioned Swen informed me about the shiny phish called GoogleSurvey. It presents you a page that looks completely similar to the Google Login page and requests you to login in order to complete the survey. If you login, you are presented with 3 questions on by one. At the end you are thanked for completing the survey.

3. Anatomy of Google-Survey-Phish gills

The Google Survey Phish isn’t sophisticated y ANY standards. Clearly, it’s done by some n00b, and was probably deployed using a very cheap Phishing Kit. However, it’s really interesting to understand how it works.
The first page the you encounter while analyzing is, which I must admit, looks very similar to the Google Mail login page. A look at the source code reveals that this is not the original page. The google mail look-alike page is alike page is actually located at only frames the page at with 100% width and 0px border.

Another interesting point to note is that the phisher used a free hosting service Thus, theoretically he/she cannot be traced. Not via the hosting service, at least. 🙂

Now, when you enter your id and password, the data is sent to a php script on the server located at Quite obviously, this script stores/mails your credentials for someone who’s not a very pleasing person.

4. Demo: Farming your own Phishes for fun & profit *cough*

The world of Phishing is so dark, deep, safe, easy, and seductive that a person with even a slight malign would be tempted to this farm his/her own phishes and make easy money. I set up my phishing domain for educational purposes. It also shows how quickly you can setup your very own phishing portal, sometimes even without a phishing kit. The domain I’ve setup has the following flaws (introduced to prevent me getting screwed by some half-witted law enforcer) :
1. The domain points at Yahoo!, while the page displayed is similar to the GMail login page.
2. The information entered is NOT stored. You can check it by entering garbage data.

I have used the same page used by the GoogleSurvey Phish, and also used the same free hosting service.

5. Conclusion

It’s almost impossible to prevent users from getting Phished. People will continue to click on links they receive in their inbox and </sarcasm> proceed to win an ipod </sarcasm>. Reducing phishing requires a number of things to be in place -sensible developers, well informed end user, smart browsers with phishing aware features (IE7, Fx2 etc.), a few toolbars like NetCraft to be installed, etc. etc. And even doing all this doesn’t guarantee to save a user ignorant of phshing. I mean how do you save a person who doesn’t even know that such a kind of fraud exists.
Moreover, the URI vulnerabilities have added another dimension to the whole phishing scene. 🙂

Yahoo!’s javascript based media player!

Yahoo! launched it browser based media player written in javascript. All you have to do is link the javascript code (located at in a web page having links to audio file(s) .

Although it takes a while for the “player” to load completely, yet I am pretty okay with it (for now). Moreover, it’s in beta. I, however, sincerely hope that it doesn’t follow GMail beta path. urghh!

Check back again in a few hours. I’ll posting a demo of the player on my portal. A demo is here. The demo would have This demo has a special meaning for the Indians of my age (or older than) because the songs I’ll be using will be the one we all grew up with, viz. Jungle Book, Mile Sur Mera Tumhara, Baje Sargam, Byomkesh Bakshi, Malgudi Days, Surabhi, Tipu Sultan & Mahbharat. 🙂

Special thanks to Madhav for sharing them.

AdSense exploited by malware (Trojan.Qhost.WU)

1. Life & Code


(The title of this section is taken from Johnny’s blog of the same name, Life and Code. Although my implementation of the phrase isn’t in terms with Johnny’s, yet I could resist using it. 🙂 )

Life: Three days ago I found that there are some strange entries in my local Apache web server logs. Something like: - - [18/Dec/2007:19:39:26 +0530] "GET /iview/msnnkhac001160x600Xdig1600000185msn/direct;wi.160;hi.600/01 HTTP/1.1" 404 352 - - [18/Dec/2007:19:42:19 +0530] "GET /pagead/show_ads.js HTTP/1.1" 404 320

Code: Bitdefender informs of a malware, termed as Trojan.Qhost.WU, is redirecting all the requests made to the Google’s ad server ( by the victims browser to a rougue ad server.

2. Impact of the issue:

Reportedly, a big part of Google’s earnings comes from it’s Ad services. Thus this trojan is not only depriving Google of it’s earning’s, but also the publishers who work hard and hope to make some quick buck for their evening coffee.

3. The enigmatic “hosts” file:

You all know that every system connected directly to the internet is assigned a unique IP address. The domain name (viz. is nothing but a unique name assigned to a unique IP (although more than one domain name can be mapped to an ip address, that is not our concern right now). This mapping is stored in DNS servers. Each time the browser tries to open up a site, a nearby DNS server is queried to find the ip address.
However, before all this, the DNS server of your local system, hosts file, is queried. (Don’t mistake me, this DNS server is just a metaphor 🙂 ). The hosts file stores a domain name to ip address mapping for domains that don’t need a query to DNS server. e.g., localhost is mapped to, the loopback ip, i.e. the ip of local system.
On your windows 2000/NT onwards system, it’s located at %systemroot%\system32\drivers\etc\hosts and on your *nix systems at /etc/hosts. More info on location can be found here.

Now coming back to my problem; unable to find any satisfactory answer, I posted it on Slackers. (Giorgio) Maone, better known as author of the awesome NoScript plugin for Fx, immediately responded, and asked me to check my hosts file.
I had added a number of entries of ad serving sites to point to the local ip in my hosts file and forgotten. I did this to prevent ads from being loaded. Hence, each time any of these sites were called, the hosts file redirected the requests to my local server.
So pretty obviously, I was/am not infected.
“Why do you post the junk about your issue then?”, you ask.
“Because it was a strange coincidence, and because I can, honey :P”

4. How the exploit works?

It’s fairly simple, the malware modifies your hosts file and adds an entry for to prevent DNS lookups and direct all the requests to the malicious server.

5. How do I protect myself?

1. Locate your hosts file and remove any entry for Alternately, you can even modify the entry to point to your local ip, in case you don’t wish to see those ads.
2. Let your Antivirus/AntiSpyware do it for you.

6. Conclusion

What! Dump M$ Windows for Linux. 😛
Seriously, “Linux ain’t easy to use” is a myth. Moreover, if you are into flashy looks, try compiz-beryl package. It IS Awesome… (and consumes amazingly less resources than…uh Vista.)

7. Bonus Tip

In case you wish to prevent your kids, partner, (or even parents) from visiting some sites; or do not wish to see those crappy ads from being loaded, you might consider editing your hosts file. For more information or even sample hosts files, use Yahoo! search.

Orkut Latest XSS Worm; and what it means for Indian Orkuteers

Update: Kishor reports a flaw in the implementation of “private” videos feature on Orkut. Although I am at office and I haven’t checked it yet myself, I believe I can trust him, based on his posts at Slackers. Nice one Kishor. 🙂

1. YAWN [Yet Another Worm, Nanny]

Orkut (Google’s MySpace and Facebook for Indian, Pakistan and Brazil) has been hit by an XSS worm. It’s useless to say but I am not able to resist, so I’ll say it anyways. It’s not the first time that a Social networking site has been attacked by an XSS worm. In fact these sites are the primary target due to a number of reasons -easier gullibility level, exponential reach, huge amount of data waiting to be harvested, web 2.0 etc. etc. etc. There’s good compilation of XSS worms going on at Slackers (Social n/w worm, or no).
Anyhoo. This incident has already been reported by a number of bloggers, so I won’t dive into the technical details. However, this worm seems to be harmless and fixed for now.

2. What it did?

If you viewed a message 2008 vem ai… que ele comece mto bem para vc in your scrapbook, there is a big probability that you’re infected. You were added to a community named Infectados pelo Vírus do Orkut at The worm then forwards itself to the scrapbook of all your contacts (on your behalf). Any doubts on it being exponential?

3. IT Act 2000 [pdf]

IT Act 2000 is India’s legal answer to the miscreants on the technological front. (I realize it’s a pathetic definition, so no flame on it please 🙂 ). The trouble with IT Act 2000 is that the majority of law enforcers aren’t really aware of the real life scenarios. I’ll give a real case to support the point, in a while. Although I am no law expert (just a little bit of interest), I guess I can safely say that the Act needs a few amendments to include/modify a number of issues (e.g., SPAM, etc.)

So what happens when the implementation is in nascent stage, and the enforcers are not completely eductaed?
Things get blown out of proportion. Things get painted in a completely new color. Things get… uh! fill them up yourself.

Chapter 11 of the Act defines the Offences – section 65 to section 78. For now, let’s have a look at Sections 65, and 67.
Section 65: Tampering with computer source documents.

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation: For the purposes of this section, “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 67:Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

I have mostly been interested in section 67 (which according to some in the law indsutry) also extends to sms service 🙂

Anyhoo. If you are interested in punishmentsm, here’s the link. Have a look. You might be serving one someday 😉

5. Case Study

There have been quite a few cases revolving around Orkut, but the one that I’ll be talking about (and is the most relevant) is the one where wrong man ( named Lakshmana Kailash K) was put behind bars for 50 freakin’ days. He’s “reportedly” involved in the defamation of Chhatrapati Shivaji, a highly revered historical figure.
In case you aren’t aware, Orkut (Google) has signed a pact with Indian Law Enforcement. They pledge to “block any ‘defamatory or inflammatory content’, or hand over IP address information to police if asked”.

So what happened in the above case?
Law enforcers are reported about the defamation of Shivaji, they contact Orkut, Orkut gives IP, law enforcers run to the ISP (Airtel in this case), Airtel provides address, Guy put in jail.
Simple. Isn’t it?

The only trouble being that Airtel provided the wrong address.
Whoops! And bang! The dude spends 50 days straight, for something he didn’t do.
Neha Viswanathan, a blogger based in UK, has a very nice write-up on the incident. Further, there’s a very nice compilation of some Cyber Crime cases in India at the IndiaCyberLab portal.

6. Putting the pieces of puzzle together

Let’s first collect all the pieces together:
1. Orkut has a pact with Indian law Enforcement.
2. Law enforcers are incompetent *cough*.
3. Orkut (or any other similar site) still has XSS and CSRF flaws in them. Period.
4. XSS and CSRF let you (among other thousand things) manipulate source code (section 65) and/or insert obscene/derogatory (section 67).
5. XSS and CSRF let you post/manipulate data on some other person’s behalf. (Orkut/Samy etc. worms did not require you to click anywhere. Just load the page and the payload in inserted in your friend’s scrapbook on your behalf).

Now combine them all, and you’ll realize that there might be a day when you just sent a “long time no scraps” scrap in your friends scrapbook and went to bed. The next day, a bunch of Cyber officers wake you up, and arrest you for defaming Bala Saheb Thakrey.

…and yes! Don’t talk about Democracy. You’ve already seen that the politicians can get away with a wrestling in parliament arena that will put WWE stars to shame. On the contrary, a chap is detained for 50 days just because the cops thought that they had enough evidence.

7. Conclusion

Stay away from social networking sites. Trust me, they are not worth the price.

The Web is Broken

Update: I somehow managed to make a blunder. A part of slide no. 12 was taken from David Kierznowski’s (of GNUCitizen and Blogsecurity group) presentation for OWASP Belgium Conf. I missed out on mentioning David’s name in the credits. Apologies David. I’ve updated and re-uploaded it.

Yesterday, I presented my first Webinar (Seminar on Web). It was titled, The Web is Broken -Why every feature is, in fact, a loophole. A great experience.

Although after listening to my own recording, I felt that a number of things went wrong (mostly because of problems in connectivity and slow internet speed). The issue I was worried about was that it was targeted at developers with beginner to intermediate level knowledge of web, but the topic was very broad. Fortunately, I received some good feedback along with requests to conduct more such sessions. The talk was scheduled for 1.5 hours, but it stretched for 2.5 hours.

Here is the presentation:

I hope you like it too. 🙂