What a new year Gift! :)

W3AF LogoIt brings me immense pleasure to inform you that w3af (web application attack and audit framework) has been named the Best Application Scanner in BEST IT Security and Auditing Softwares 2007 list prepared by Security Database. 🙂

I had mentioned in a few previous articles that I see immense potential in w3af. I must, however, also admit that I wasn’t hoping something like this to happen so quickly. I am glad I was wrong 🙂

Hoping that more people contribute to the project, and wishing that I get some time to make a few w3af dedicated posts (preferably targeted at developers), at least.

Have a great year ahead.

Orkut Latest XSS Worm; and what it means for Indian Orkuteers

Update: Kishor reports a flaw in the implementation of “private” videos feature on Orkut. Although I am at office and I haven’t checked it yet myself, I believe I can trust him, based on his posts at Slackers. Nice one Kishor. 🙂

1. YAWN [Yet Another Worm, Nanny]


Orkut (Google’s MySpace and Facebook for Indian, Pakistan and Brazil) has been hit by an XSS worm. It’s useless to say but I am not able to resist, so I’ll say it anyways. It’s not the first time that a Social networking site has been attacked by an XSS worm. In fact these sites are the primary target due to a number of reasons -easier gullibility level, exponential reach, huge amount of data waiting to be harvested, web 2.0 etc. etc. etc. There’s good compilation of XSS worms going on at Slackers (Social n/w worm, or no).
Anyhoo. This incident has already been reported by a number of bloggers, so I won’t dive into the technical details. However, this worm seems to be harmless and fixed for now.

2. What it did?

If you viewed a message 2008 vem ai… que ele comece mto bem para vc in your scrapbook, there is a big probability that you’re infected. You were added to a community named Infectados pelo Vírus do Orkut at http://www.orkut.com/CommunityJoin.aspx?cmm=44001818. The worm then forwards itself to the scrapbook of all your contacts (on your behalf). Any doubts on it being exponential?

3. IT Act 2000 [pdf]

IT Act 2000 is India’s legal answer to the miscreants on the technological front. (I realize it’s a pathetic definition, so no flame on it please 🙂 ). The trouble with IT Act 2000 is that the majority of law enforcers aren’t really aware of the real life scenarios. I’ll give a real case to support the point, in a while. Although I am no law expert (just a little bit of interest), I guess I can safely say that the Act needs a few amendments to include/modify a number of issues (e.g., SPAM, etc.)

So what happens when the implementation is in nascent stage, and the enforcers are not completely eductaed?
Things get blown out of proportion. Things get painted in a completely new color. Things get… uh! fill them up yourself.

Chapter 11 of the Act defines the Offences – section 65 to section 78. For now, let’s have a look at Sections 65, and 67.
Section 65: Tampering with computer source documents.

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation: For the purposes of this section, “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 67:Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

I have mostly been interested in section 67 (which according to some in the law indsutry) also extends to sms service 🙂

Anyhoo. If you are interested in punishmentsm, here’s the link. Have a look. You might be serving one someday 😉

5. Case Study

There have been quite a few cases revolving around Orkut, but the one that I’ll be talking about (and is the most relevant) is the one where wrong man ( named Lakshmana Kailash K) was put behind bars for 50 freakin’ days. He’s “reportedly” involved in the defamation of Chhatrapati Shivaji, a highly revered historical figure.
In case you aren’t aware, Orkut (Google) has signed a pact with Indian Law Enforcement. They pledge to “block any ‘defamatory or inflammatory content’, or hand over IP address information to police if asked”.

So what happened in the above case?
Law enforcers are reported about the defamation of Shivaji, they contact Orkut, Orkut gives IP, law enforcers run to the ISP (Airtel in this case), Airtel provides address, Guy put in jail.
Simple. Isn’t it?

The only trouble being that Airtel provided the wrong address.
Whoops! And bang! The dude spends 50 days straight, for something he didn’t do.
Neha Viswanathan, a blogger based in UK, has a very nice write-up on the incident. Further, there’s a very nice compilation of some Cyber Crime cases in India at the IndiaCyberLab portal.

6. Putting the pieces of puzzle together

Let’s first collect all the pieces together:
1. Orkut has a pact with Indian law Enforcement.
2. Law enforcers are incompetent *cough*.
3. Orkut (or any other similar site) still has XSS and CSRF flaws in them. Period.
4. XSS and CSRF let you (among other thousand things) manipulate source code (section 65) and/or insert obscene/derogatory (section 67).
5. XSS and CSRF let you post/manipulate data on some other person’s behalf. (Orkut/Samy etc. worms did not require you to click anywhere. Just load the page and the payload in inserted in your friend’s scrapbook on your behalf).

Now combine them all, and you’ll realize that there might be a day when you just sent a “long time no scraps” scrap in your friends scrapbook and went to bed. The next day, a bunch of Cyber officers wake you up, and arrest you for defaming Bala Saheb Thakrey.

…and yes! Don’t talk about Democracy. You’ve already seen that the politicians can get away with a wrestling in parliament arena that will put WWE stars to shame. On the contrary, a chap is detained for 50 days just because the cops thought that they had enough evidence.

7. Conclusion

Stay away from social networking sites. Trust me, they are not worth the price.

The Web is Broken

Update: I somehow managed to make a blunder. A part of slide no. 12 was taken from David Kierznowski’s (of GNUCitizen and Blogsecurity group) presentation for OWASP Belgium Conf. I missed out on mentioning David’s name in the credits. Apologies David. I’ve updated and re-uploaded it.

Yesterday, I presented my first Webinar (Seminar on Web). It was titled, The Web is Broken -Why every feature is, in fact, a loophole. A great experience.

Although after listening to my own recording, I felt that a number of things went wrong (mostly because of problems in connectivity and slow internet speed). The issue I was worried about was that it was targeted at developers with beginner to intermediate level knowledge of web, but the topic was very broad. Fortunately, I received some good feedback along with requests to conduct more such sessions. The talk was scheduled for 1.5 hours, but it stretched for 2.5 hours.

Here is the presentation:

I hope you like it too. 🙂

Yahoo! gone Insane!

No Yahoo! hasn’t changed it’s name to Insane!. It’s just their behavior that has gone insane.

If you’ve been a member of some online group for quite some time, chances are that the group is on Yahoo! Groups. Same with me. This story is concerned with my college batch online egroup. Yahoo! groups has a very useful feature which let’s you specify ANY email address for your mails to be delivered (and receive mails from, obviously). I had configured it to my company mail id.

Now like a lot of people, I have two Yahoo! ids, NB and AS. The group is configured with NB. Today, I decided to change it to one of my other Yahoo! id AS, mostly because I use it as the primary id.

….but it won’t get changed. The error

  • Your email address “AS@yahoo.co.in” is in an invalid format.
  • Invalid Email Address.Your Email address of AS@yahoo.co.in belongs to yahoo.co.in which is restricted from use in Yahoo! registrations. Please choose a different email address.


I thought, they might be allowing only “yahoo.com” addresses. So I changed my input to “AS@yahoo.com, hoping for an error message that the specified email address doesn’t exist… but what I get is:

  • Invalid Email Address.Your Email address of AS@yahoo.com belongs to yahoo.com which is restricted from use in Yahoo! registrations. Please choose a different email address.


Now WHAT IN THE HELL are the Yahoo! developers thinking? They don’t think that it’ll stop people from creating more than one id… or do they?

Java vulnerable to remote compromise

ZDNet Asia reports that Google Security team has discovered as “Dangerous Java Flaw that threaten’s Virtually Everything“. The interesting part of this news is that, apart from a few scary statements, it doesn’t inform you anything else.

The Sun advisory page on this flaw, however, informs you about two flaws which are nothing but Buffer Overflows. Do not mistake me that I am undermining the impact of Buffer Overflow Attacks in any way. It’s just the ZD Net article’s title which’s bugging me. It makes the flaw look like an out of world ET attack scenario.

  1. A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
  2. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Now firstly, Buffer Overflows are no new form of attacks. They have been here since the existence of man (I admit that’s a little much :D), and they are here to stay. Thus, articles like this are more like FUD, IMHO.
Secondly, applet support is very limited in mobile devices. Not to mention that J2ME supports only PNG format. Thus, not “virtually everything” is everything.
Finally, image parsing library in Sun’s Java implementation is through a native library. It’s time that Sun writes a Java equivalent for it to avoid other similar issues. Further, since Java is now GPL, I also hope to see the code coming from some random, pimply, introvert teenage kid. 🙂

The problems can be resolved by updating the packages. Detailed info provided on the Sun’s advisory.

TPM Boys withdraw paper from BlackHat USA

I hope you remember the young Indian security researchers Vipin Kumar (22) and Nitin Kumar (23), the TPM Boys [I guess, that’s the way they call themselves. At least their blog confirms that. 🙂 ]They presented a Paper “Vboot Kit: Compromising Windows Vista Securityat Blackhat Europe – 2007.

The talk explained the (different) booting process of Windows Vista. It also introduced the concept of manipulating an OS during its boot process using VBootkit. Finally, they gave a live demo of VBootkit in action (on Vista).

This event was Slashdotted. VBootkit was also blogged by Bruce Schneier. Here is an interview of the “boys” at SecurityFocus by Federico Biancuzzi. In their own words, “Vbootkit is much like a door or a shortcut to access vista’s kernel……. since vbootkit becomes part of the kernel, it can do anything that Vista’s kernel can do.”

This all, however, is a news of past. The current news stirred more vigour and controversy. They had yet another paper “TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)” scheduled to be presented at Blackhat USA – 2007. They withdrew there paper last week without any comments. This news was Slashdotted and resulted in a (typical) slashdotian variety of comments. Some even doubted if they really had any success in their research. Well, you cannot really blame them. That’s the fussy nature of our FOSS communities… errr… wait. Before you bash me, I’d like to remind you that it’s not (only) me who says that. It was originally cited by Mark Shuttleworth. An amazing number of people opposed Mark by creating a lot of Fuss. 😉

Coming back to the story. A user, by the handle PoliTech, commented on Slashdot and reminded the Michael Lynn’s paper at Blackhat about his research on Cisco Routers. Cisco and ISS sued Lynn and the management of Black Hat conference. It’s worth noting that Lynn was an ISS employee. 🙂

It should be also be noted that Vipin and Nitin’s previous presentation was in Amsterdam, Europe. This presentation, however, was scheduled in US… and the (stupid) US laws can screw things up. Based on Lynn’s case, it is quite apparent that Vipin and Nitin didn’t wish to get caught in any such undesirable situation.

I hope to see them present the paper at some other conference (or location) pretty soon. Best of luck guys.

OffTopic: Coincidentally, my younger brother’s name is Nitin. 🙂

Bill Gates no more The Richest

Slashdot updated today that Billy Boy is no more the Richest man in the world. The position is, however, not official. The standard is Forbes list.

Billy Boy has been surpassed by Carlos Slim, the Mexican Telecom tycoon. Bill’s current estimated wealth is $ 59.2 billion, while slims estimated wealth is $67.8 billion.

Two of the most obvious reasons are:

  1. A surge of 27% in the stock price of Slim’s wireless company, America Movil, in the second quarter
  2. Bill reduced his net wealth by more than $30 billion, which he put in the Bill and Melinda Gates Foundation. 🙂

What Next?
Nothing really. To a question asked to him at the Microsoft conference last year, whether he’d be upset if someday he wasn’t the richest creature ;), he responded, “”I wish I wasn’t. “There’s nothing good that comes out of that.”
Moreover, he’d be retiring in a year’s time and would be dedicating he’s time, energy, and money to the Bill & Melinda Gates Foundation. I wish him luck. 🙂

Month of Search Engine Bugs: “Mission Accomplished”

The Month of Search Engine Bugs by MustLive has come to an end.

MutLive reports:

In the project took part 33 search engines (30 web engines and 3 local engines) of 19 vendors, some vendors have several engines. The list of project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether there were published 104 vulnerabilities in mentioned engines. Including Cross-Site Scripting (as XSS, and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. It is without taking into account redirectors in search engines (altogether there were published 23 redirectors).

Results of the projects: fixed 44 vulnerabilities from 104 (without taking into account redirectors). It is 42,31% fixed vulnerabilities. Owners of search engines have a place for improvements of their engines’ security.

Over a period of 30 days, 104 and vulnerabilities/bugs were discovered out of which only 44 have been fixed. Out of these 19 vendors, only two (Rambler and Ezilon) have thanked him for his commendable hardwork.

Several researchers, including Jeremiah, RSnake, Christ1an etc. blogged about it. Considering the complexities involved in the fixing a bug, they agree at some point that 44 is still a good number. However, there is one Big “Cheer” Leader which isn’t fixing the bugs. No points for guessing that the Leader believes in “not doing evil things”.

Bill Gates wins me!

I realized that the title of this post has a contrast with my previous post, only after I wrote the topic. Thus, I feel that it is obligatory to mention that I am still Anti-M$. I still do not support there business model. Phew!
…and yes. The contrast in the names is just a mere coincidence. I know it’s tough to believe, but then I don’t lie.

Now coming to the topic.
I have always appreciated the way Bill Gates (and, of course, his wife) has spent time and money on Melinda Foundation. I remember posting my views a few days ago on Arpit’s blog.

A few minutes ago, I read Bill Gates speech transcript that he delivered at Harvard.
He starts the speech on a light note and calls himself a “bad influence” by reminding that he made Steve Ballmer drop out of B-School (Oh! How I wish that Gates had failed in convincing Ballmer 😉 ).
He continues his speech by talking about how ignorant he was about the socio-economic and health problems of the developing nations, when he joined Harvard (and even later.)
The thing that blew me was that for the most part of his speech, he talked about how technology can and should be used for the help of these people.

I won’t mention the details. I’d pursue you to read it. I hate to say, but Bill seems to be a bright candidate for my future plans (after he drops out of M$, of course).

Google Lost Me!

It’s strange writing something like this using a service that’s owned by Google. 🙂
But it was long overdue.

There was a time when I used address Google as “Google God” :).
Used to believe a lot that they religiously follow their “Do no Evil” motto. I forgot that as companies grow, there are bound to be employs who are evil by nature.
It reminds me of my Pre-Placement Training during college days when I was “tutored” that, Honesty is not a strength. You are supposed to be honest” This obviously isn’t true when people take the excuse of “everybody-is-doing-it-so-why-not-me”.
And lets face it.
Money matters!

Anyways, coming back to the topic; I mentioned in one my previous blogs when my Google AdSense account was disabled because of my own mistakes. I took the responsibility and had no complaints. However, when my AdSense account was disabled for the second time, I made a thorough study of their privacy policies. That’s when I came to know about their two-faces.
They allow several sites to utilize their services even when they falter with the terms and conditions. One thing common among all these sites was, “they all are High Traffic sites”.

As I mentioned, a post on the topic was long overdue. I stopped myself with one or other reason. The latest development, however, made me talk about it.
According to Privacy International’s latest report on Top 23 Internet Companies, Google held the last spot (even below M$). This topic, as Privacy International itself admits, is controversial. It’s report however, is substantially supported.
You might want to have a look at the post on the same topic on RSnake’s blog. Do not miss out on the comments.

Footnote: This post is not an outlet to my anguish. I (mistakenly) had more faith in Google than most of you. Another post on innovativeness of Google technologies is due.
And BTW, I do not mean to say that Google has turned evil. I believe as the company has grown, the motto has changed to “Do no Evil. If there is any, close your eyes“.

An insight into Sun’s *crazy* strategy.

I have been reading a lot of discussion on Sun’s current market position/revenue versus their *mad* strategy. I have simultaneously been working on Java’s history for my book. I thought it might be interesting to post my views on the topic and see what others are thinking. To justify/criticize Sun’s current modus operandi, I will talk a little about their past strategies, and their respective outcomes.

The Past

Most of the people know James Gosling as the father of Java. Only a few know that he was also the lead engineer of Gosmacs (gmacs or Gosling Emacs) and NeWS. Now, I won’t be talking about Gosmacs (which according to some people is/was the reason of some conflict between RMS and Gosling. Phew!)
However, NeWS (Network extensible Window System) is of a little concern, mostly because it was arguably superior to X Window System… and because it FAILED. The most important reason for its failure (and X Window’s success) is that Sun kept it proprietary.
Later on when Sun developed Java, some people, especially the genius Eric Schmidt (then CTO-Sun, now CEO-Google), were aware that keeping Java within enclosed fences will lead to similar devastating results. Not to mention that *7 (for which Java was developed) had already failed and Java was still in search of a viable market.

So what did he do?
He focused on making it as open as possible and tried building a *Java Community*. (Google SoC, IMHO, is also a “win-the-community-and-you-win-everything-else” approach. But then that’s a different topic altogether. 😉 )

Where were we?
Yeah! So he focused on building a Java Community.
Apart from organizing developer conferences like JavaOne, Sun also encouraged user groups (JUGs), which reached over a number of 400 in year 2000 itself. In fact they went a step further with JCP (Java Community Process) to make the development of Java *as open as possible*.
The reality behind all this community building scene was the fact that the direct control remained with Sun (well mostly).

Everything, however, was running smooth; for Sun as well as the Java developers.

“I envy you. But such a thing is not meant to last.”

Persephone, Matrix Reloaded

I guess the above statement is valid for every aspect of human existence.
In early 2004, Jonathan Schwartz, referenced Eric Steven Raymond’s “The Cathedral and the Bazaar” and compared JCP to the “Bazaar”, stating that development of Linux was more like a “Cathedral”. I would not expand on it but this was enough to infuriate ESR 🙂

ESR wrote an open letter addressed to Scott McNealy, CEO-Sun, with a subject line “Let Java Go”. He accused Sun on several fronts (for which I’d pursue you to read the letter) and appealed to Open Source Java. A few weeks later RMS wrote an essay on Java Trap and appealed the developers to contribute and use open source projects like GCJ/Gnu Classpath etc. Several other appeals/open letters were published (Apache’s Geir Magnusson Jr., IBM, etc.)

A series of events followed before Sun announced that it will be open sourcing Java. There main concern was Microsoft forking Java and hence, destroying its cross platform compatibility (which shows that they really were clueless on how Open source model works/ can work).
They had no other option than to Open Source the *giant*, and they did it.

The Present

The past unarguably affects, if not defines, the present. Sun’s experience since the NFS days to (forced) Open Sourcing Java days taught/reminded them of their most important lesson.
The Community is fruitful!
Build a community and everything else will follow, sooner or later.

So here they are.
Open sourcing EVERYTHING.
Building Community, and making it mutually encashable. It’s obviously not so profitable for them today, but the future holds immense potential.

The way they have been endorsing and promoting stuff is simply adorable. Even NetBeans has its own *arena*.
Not to mention the, so called, developer conferences organized all over the world in a distributed fashion to reach the most number of developers. I, however, have several concerns regarding them. You may read some of them at Amit’s blog. I hope Sun listens to the plea of developers and improves the quality of these summits.

Another amazing strategy, IMHO, is the blogs that Sun employees post regularly. I have subscribed some of them and it’s really amazing to see that how important role these blogs are playing in binding people. They often link each other’s (Sun Employees, of course) blogs. You can have a look at the Sun-Blogging homepage to get a feel of the number of hits the folks out there are getting. Now even if I read only one of these, I’d get to know about latest developments. I am not sure whether it’s a part of their strategy, but it’s definitely working as a powerful advertising medium.
Yup! I know that employees of other firms write blogs too and probably get bigger number of hits, but I haven’t seen anyone of them making so much of a difference on an organizational level. (Please correct me if I am wrong)

The Future

I am no Nostradamus and I cannot predict future.
All I can say is the future is (mostly) Free & Open. IBM (previously referred Satan) secured its place (with a Halo on head) by contributing to the Apache httpd project and winning the FOSS community. Now it’s Sun’s turn and they are playing pretty well.
Yes, their revenue might be a concern today; but I don’t really see a reason why there future shouldn’t be bright. 🙂

Rediffmail Bug. Anyone Interested?

The title may lure you to assume that I am going to talk about some security bug. Well, I am not… or I’d rather say I haven’t yet thought of any ways to exploit it. If you come up with something, do let us know.

Now back to the topic.
Almost all the huge players are now moving to the AJAX arena. They are in fact coming up with new technologies like Silverlight, Apollo, JavaFx. I am personally not a very big fan of AJAX, but then it doesn’t make any difference. I am, however, interested in these new athletes, particularly JavaFx.

One of the major concerns of any AJAX programmer, IMHO, should be to take care of a situation where the user DOES NOT HAVE or DOES NOT WISH to use Javascript. It should be a growing concern when we have plugins like NoScript (Oh! I Love it.) and we have reasons to use it. Apart from the security concerns, it blocks most of the stupid ads that I am not interested in.

Bottom line, there should be a minimal interface to fall back to (like the one GMail has). The rediffmail coders have done the same and provided a…. ummmm BackUpInterface thingy. However, they probably forgot that the *thingy* is there because the person’s browser DOES NOT SUPPORT Javascript.

My Story, My Words:
I used the NoScript plugin to forbid rediff.com domain, opened the site rediffmail.com, entered userid and password… and said… Khul Ja Sim Sim. 🙂

Bingo I was in and was able to read my mails without any fuss. Then I decided to delete some mails… wait a sec! What the heck!
I am not able to.
Move mails??? Nopes.
Compose? Okay.
Send?? Sorry.
Save Draft? Sorry.
Cancel??? Sorry. 🙁

I concluded that all that looks like a Button uses javascript. However, the links were, fortunately or unfortunately, working.
The Logout‘s like a link. So it’d obvoiusly work.
click.. click.. clickclickclick.
What the Heck!.
Logout operation calls some javascript function do_logout().

So basically, if I am an average internet user and do not have javascript, I’d log into my rediffmail account, read mails, try composing but won’t be able to send… and worse, I won’t be able to logout. Not understanding anything, I might close the browser window.
And what if I am at a cybercafe???

I am sure there is way to revive the session even if the browser window is closed (I remember reading of some similar old Yahoo! bug). If you’re interested, take on from here. 🙂

Now for the other people. I would really like to know how many people actually have a rediff aaccount and actually use it .
I have one too… and I login in… say a month.
I am not at all blaming rediffmail service (Okay! A little :D), I am just interested in the figures.

Open JavaFX, an alternative to AJAX?

Strange things happen to me all the time.
When I came to the office a few hours ago, I came across JavaFX scripting language while reading random blogs.

I found it pretty interesting and decided to check it out.
So I added the module in my NetBeans IDE and started playing with it. Though I could not fiddle for quite long, I found it pretty good. In fact, it looks to be amazing through the initial glances (though I haven’t done any serious coding in it yet). I have bookmarked some of the pages with a motive to get back to the kid.
However, I must mention that it was pretty slow. I am not sure if office’s system has something to do with it.]

I then resumed my other tasks; little did I know that the language has already created waves.
Slashdot is running an article:
Sun Debuts JavaFX As Alternative To AJAX

That was a real surprise to me. JavaFX was unveiled at JavaOne today. I initially thought that the language has been there for quite sometime and I was stupid enough to have missed it somehow.

Finally, I too hope that it turns out to be an AJAX killer; not just because I have never been a javascript fan, but also because it’ll hopefully reduce the dangers of XSS, which according to Jeremiah Grossman is the next Buffer Overflow (and Javascript, the new ShellCode 🙂 ).

Footnotes: Hopefully, I’ll get some time from my official work to play with JavaFX and update on the same.
…and by the way, if it turns out to be an AJAX killer; will we rename it to AJilla??? [For the uninformed, Mozilla = Mosaic + killer 🙂 ]

Vista!!! (3 Exclamations.) is here? (Why :-/)

I don’t intend to post any review of the vista.
There are some neatly written essays on the topics by experts, like this one.
I was going through the article and stumbled on this page, which has the picture given below.

Vista Malware

What happened was due merely due to fast glance and my mouse cursor covering a part of the word; the hardware appeared to me as malware, making it Is it time to upgrade your malware?

Now that’s wrong on my part to ridicule someone because of my own mistake… but honestly. Is there any difference?

Very very honestly. I had read only the first two pages the security focus review before writing the above lines. However, the third page contains the following para:

So, one craplet pops up demanding to be enabled; you exit that, and a different one pops up telling you that you really ought not to have done that. Now, my definition of malware is pretty straightforward: malware is any code that causes my computer to behave in a way I don’t intend, or any code that prevents my computer from behaving in a way that I do intend. Thus the Vista Security Centre is, quite simply, malware.

I am a genius.

"COLUKABKI – AOL – MSN – YAHOO – RED CROSS"….. aaah Comm’n Gimme a break.

It’s really interesting that even enginieering students, who are supposed to have a very ANALYTIC are least bothered in verifying anything before believing it…… and that too when they have access to GOOGLE.

This blog of mine is in response to the hundreds and thousands of mails that are forwarded so that somewhere, somebody’s LIFE COULD BE SAVED BY FORWARDING THE BLOODY MAIL.
AOL, Yahoo, Red Cross, MSN etc. etc .etc. donated certain amount of money FOR EACH TIME THE MAIL IS FORWARDED (generally 1 cent).
Isn’t that interesting???? I mean what these sites could do generously (if they wished to), do it when some BIG HEARTED person forwards the mail.
And guess what??? They do it without attaching any kind of tracker in the mail… Not to mention that doing any thing even near to attaching a tracker would be a threat to an individuals privacy… 🙂

I cannot stop myself from sharing one other similar interesting mail. The mail said that an INDIAN BOY HAS CHALLENGED BILL GATES BY DEVELOPING AN O/S CALLED “O! YES”, which very Robust, Secure, blah blah blah… And HP has proposed to purchase it.
Now, the first thing… making such an O/S is no joke. This has nothing to do with the crappy nature of WINDOWS (hehehhe), it’s just means that it’s very difficult for a young child to do so.
Secondly, if someone succeeds in doing so, this news would be the hottest one around…. not one which has to be informed via email. 😛 And the most interesting part….. This mail has been doing rounds since 5 years (at least) :))

These mails are generally used for two reasons:

  1. For fun…. or to make mockery of someone.
  2. For stealing your mail id for spamming……. I know this is strange, but it’s true. If you have any such mail in your mail box, just try to count the number of email ids in it…. and then imagine what would you do with them if you were a spammer. These mails are infact sent by spammers so that they can have a reasonably beautiful number of such mail ids.

JUNTA, please don’t feel bad if you have been forwarding such mails.
Obviously, nobody knows everything… but you can be a little careful when you recieve such mails.

  1. Ignore such mails.
  2. If you really feel that the mail is genuine and need to be forwarded, GOOGLE some keywords contained in the mail,
  3. or forward it after removing all the previous email addresses.