How about a Better & Cheaper MacBook Air!

Those were the days when I used to be a Apple fan.
aah.. the harsh reality that they produce nothing more than crippled products at sky-high prices.

Moreover, Apple isn’t just about cut-throat business. It’s also about making people feel bad about themselves.
Don’t trust me?
See here yourself.

A Phish floating in Google Survey!

Demo

1. Phizy-Phizy-Phizy

I have always loved making this phizy-phizy-phizy sound purposelessly, which I once heard in a Rob Schneider movie (which, if I remember correctly, was a pathetic movie). Anyhoo! I, now, have a set of very strong reasons to move around repeating the same lines.
First, we received a request to be involved in a discussion for a Risk Assessment Model for a Banking site. This model had to be focussed on Two Factor Authentication and Phishing. This brainstorming gave me a couple of interesting avenues to work on. Hopefully, I’ll be writing more in this pretty soon.
Secondly, Peter Thomas (one of my amazing Bosses), forwarded me the link about the latest research by Nitesh Dhanjani & Billy Rios. They virtually infiltrated the Phishers ecosystem and have come up with some very interesting information.
Thirdly, my friend Swen called me up to let me know about a phishing mail, claiming to be a Google survey, that had landed in his mailbox. He was excited for two reasons:
a) He had received a phishing mail for the first time, and I guess you all remember the excitement the first time you discovered your first phishing mail.
b) He is one of the Google fans, and is worried about the safety of the vast majority of user-base Google has. Obviously, his concern isn’t without reasons.
by-mcbeth www.flickr.com/photos/mcbeth/235875/

2. A Phish named GoogleSurvey

As I mentioned Swen informed me about the shiny phish called GoogleSurvey. It presents you a page that looks completely similar to the Google Login page and requests you to login in order to complete the survey. If you login, you are presented with 3 questions on by one. At the end you are thanked for completing the survey.

3. Anatomy of Google-Survey-Phish gills

The Google Survey Phish isn’t sophisticated y ANY standards. Clearly, it’s done by some n00b, and was probably deployed using a very cheap Phishing Kit. However, it’s really interesting to understand how it works.
The first page the you encounter while analyzing is http://www.googlesurvey.co.nr/, which I must admit, looks very similar to the Google Mail login page. A look at the source code reveals that this is not the original page. The google mail look-alike page is alike page is actually located at http://googlesurvey.99k.org/. http://www.googlesurvey.co.nr/ only frames the page at with 100% width and 0px border.

Another interesting point to note is that the phisher used a free hosting service http://www.zymic.com/free-web-hosting/. Thus, theoretically he/she cannot be traced. Not via the hosting service, at least. 🙂

Now, when you enter your id and password, the data is sent to a php script on the server located at http://googlesurvey.99k.org/LoginAuth.php. Quite obviously, this script stores/mails your credentials for someone who’s not a very pleasing person.

4. Demo: Farming your own Phishes for fun & profit *cough*

The world of Phishing is so dark, deep, safe, easy, and seductive that a person with even a slight malign would be tempted to this farm his/her own phishes and make easy money. I set up my phishing domain for educational purposes. It also shows how quickly you can setup your very own phishing portal, sometimes even without a phishing kit. The domain I’ve setup has the following flaws (introduced to prevent me getting screwed by some half-witted law enforcer) :
1. The domain points at Yahoo!, while the page displayed is similar to the GMail login page.
2. The information entered is NOT stored. You can check it by entering garbage data.

I have used the same page used by the GoogleSurvey Phish, and also used the same free hosting service.

5. Conclusion

It’s almost impossible to prevent users from getting Phished. People will continue to click on links they receive in their inbox and </sarcasm> proceed to win an ipod </sarcasm>. Reducing phishing requires a number of things to be in place -sensible developers, well informed end user, smart browsers with phishing aware features (IE7, Fx2 etc.), a few toolbars like NetCraft to be installed, etc. etc. And even doing all this doesn’t guarantee to save a user ignorant of phshing. I mean how do you save a person who doesn’t even know that such a kind of fraud exists.
Moreover, the URI vulnerabilities have added another dimension to the whole phishing scene. 🙂

Yahoo!’s javascript based media player!

Yahoo! launched it browser based media player written in javascript. All you have to do is link the javascript code (located at http://mediaplayer.yahoo.com/js) in a web page having links to audio file(s) .

Although it takes a while for the “player” to load completely, yet I am pretty okay with it (for now). Moreover, it’s in beta. I, however, sincerely hope that it doesn’t follow GMail beta path. urghh!

Check back again in a few hours. I’ll posting a demo of the player on my portal. A demo is here. The demo would have This demo has a special meaning for the Indians of my age (or older than) because the songs I’ll be using will be the one we all grew up with, viz. Jungle Book, Mile Sur Mera Tumhara, Baje Sargam, Byomkesh Bakshi, Malgudi Days, Surabhi, Tipu Sultan & Mahbharat. 🙂

Special thanks to Madhav for sharing them.

The Web is Broken

Update: I somehow managed to make a blunder. A part of slide no. 12 was taken from David Kierznowski’s (of GNUCitizen and Blogsecurity group) presentation for OWASP Belgium Conf. I missed out on mentioning David’s name in the credits. Apologies David. I’ve updated and re-uploaded it.

Yesterday, I presented my first Webinar (Seminar on Web). It was titled, The Web is Broken -Why every feature is, in fact, a loophole. A great experience.

Although after listening to my own recording, I felt that a number of things went wrong (mostly because of problems in connectivity and slow internet speed). The issue I was worried about was that it was targeted at developers with beginner to intermediate level knowledge of web, but the topic was very broad. Fortunately, I received some good feedback along with requests to conduct more such sessions. The talk was scheduled for 1.5 hours, but it stretched for 2.5 hours.

Here is the presentation:

I hope you like it too. 🙂

Bill Gates wins me!

I realized that the title of this post has a contrast with my previous post, only after I wrote the topic. Thus, I feel that it is obligatory to mention that I am still Anti-M$. I still do not support there business model. Phew!
…and yes. The contrast in the names is just a mere coincidence. I know it’s tough to believe, but then I don’t lie.

Now coming to the topic.
I have always appreciated the way Bill Gates (and, of course, his wife) has spent time and money on Melinda Foundation. I remember posting my views a few days ago on Arpit’s blog.

A few minutes ago, I read Bill Gates speech transcript that he delivered at Harvard.
He starts the speech on a light note and calls himself a “bad influence” by reminding that he made Steve Ballmer drop out of B-School (Oh! How I wish that Gates had failed in convincing Ballmer 😉 ).
He continues his speech by talking about how ignorant he was about the socio-economic and health problems of the developing nations, when he joined Harvard (and even later.)
The thing that blew me was that for the most part of his speech, he talked about how technology can and should be used for the help of these people.

I won’t mention the details. I’d pursue you to read it. I hate to say, but Bill seems to be a bright candidate for my future plans (after he drops out of M$, of course).

Rediffmail Bug. Anyone Interested?

The title may lure you to assume that I am going to talk about some security bug. Well, I am not… or I’d rather say I haven’t yet thought of any ways to exploit it. If you come up with something, do let us know.

Now back to the topic.
Almost all the huge players are now moving to the AJAX arena. They are in fact coming up with new technologies like Silverlight, Apollo, JavaFx. I am personally not a very big fan of AJAX, but then it doesn’t make any difference. I am, however, interested in these new athletes, particularly JavaFx.

One of the major concerns of any AJAX programmer, IMHO, should be to take care of a situation where the user DOES NOT HAVE or DOES NOT WISH to use Javascript. It should be a growing concern when we have plugins like NoScript (Oh! I Love it.) and we have reasons to use it. Apart from the security concerns, it blocks most of the stupid ads that I am not interested in.

Bottom line, there should be a minimal interface to fall back to (like the one GMail has). The rediffmail coders have done the same and provided a…. ummmm BackUpInterface thingy. However, they probably forgot that the *thingy* is there because the person’s browser DOES NOT SUPPORT Javascript.

My Story, My Words:
I used the NoScript plugin to forbid rediff.com domain, opened the site rediffmail.com, entered userid and password… and said… Khul Ja Sim Sim. 🙂

Bingo I was in and was able to read my mails without any fuss. Then I decided to delete some mails… wait a sec! What the heck!
I am not able to.
Move mails??? Nopes.
Compose? Okay.
Send?? Sorry.
Save Draft? Sorry.
Cancel??? Sorry. 🙁

I concluded that all that looks like a Button uses javascript. However, the links were, fortunately or unfortunately, working.
The Logout‘s like a link. So it’d obvoiusly work.
click.. click.. clickclickclick.
What the Heck!.
Logout operation calls some javascript function do_logout().

So basically, if I am an average internet user and do not have javascript, I’d log into my rediffmail account, read mails, try composing but won’t be able to send… and worse, I won’t be able to logout. Not understanding anything, I might close the browser window.
And what if I am at a cybercafe???

I am sure there is way to revive the session even if the browser window is closed (I remember reading of some similar old Yahoo! bug). If you’re interested, take on from here. 🙂

Now for the other people. I would really like to know how many people actually have a rediff aaccount and actually use it .
I have one too… and I login in… say a month.
I am not at all blaming rediffmail service (Okay! A little :D), I am just interested in the figures.

Open JavaFX, an alternative to AJAX?

Strange things happen to me all the time.
When I came to the office a few hours ago, I came across JavaFX scripting language while reading random blogs.

I found it pretty interesting and decided to check it out.
So I added the module in my NetBeans IDE and started playing with it. Though I could not fiddle for quite long, I found it pretty good. In fact, it looks to be amazing through the initial glances (though I haven’t done any serious coding in it yet). I have bookmarked some of the pages with a motive to get back to the kid.
However, I must mention that it was pretty slow. I am not sure if office’s system has something to do with it.]

I then resumed my other tasks; little did I know that the language has already created waves.
Slashdot is running an article:
Sun Debuts JavaFX As Alternative To AJAX

That was a real surprise to me. JavaFX was unveiled at JavaOne today. I initially thought that the language has been there for quite sometime and I was stupid enough to have missed it somehow.

Finally, I too hope that it turns out to be an AJAX killer; not just because I have never been a javascript fan, but also because it’ll hopefully reduce the dangers of XSS, which according to Jeremiah Grossman is the next Buffer Overflow (and Javascript, the new ShellCode 🙂 ).

Footnotes: Hopefully, I’ll get some time from my official work to play with JavaFX and update on the same.
…and by the way, if it turns out to be an AJAX killer; will we rename it to AJilla??? [For the uninformed, Mozilla = Mosaic + killer 🙂 ]

A program called "3~" (Om)

I was returning back to my room at around 6:30 in the morning after spending the whole night, as usual, in office. Suddenly this though struck me.
I always talk about codes and related stuff and ask people to map their algorithms to real life while coding, especially in OOP languages.
I asked myself, what would it be like to describe myself as a code, a script… a program.
So I (climbed two my cabin, which is on the second floor) and here is my honest attempt. 🙂

Om, unlike other programs, wasn’t really planned. There were no plans usually made back then in the early eighties; at least not in India. He was an additional functionality (a small script back then) of two programs, M & R.

However, since M & R were pretty solid codes in themselves, Om inherited most of the good features and was pretty healthy (I mean robust 😀 ) even as a tiny script.
So far so good. But it could never rely on conventional ways of compilation and execution. It was a rebel. Some people call such programs as “malfunctioning programs” :). Programs that do not do what they are meant to do.

Time passed on.
It received formal education that helped him access various code repositories to incorporate other functionalities. It gathered data about various modes and environment of operation. It also learnt efficient memory and execution-time management.
However, these all came at the price of dependencies on various libraries, viz., friends, relatives, emotions, money, etc.

Microsoft has some strange reason for assuming that all human beings use IE and are on a windows box. This assumption makes most of their products, even the web applications, dependent on these assumptions.

Dependencies are bad.
Bad were they for Om as well…

It gradually got frustrated (a human emotion).
It got frustrated at lots of things… at almost everything.
It got frustrated on the formal way of code development, the conventional way of execution, the hypocritical nature of the IDEs that are supposed to facilitate development, and lot more.

There’s an unwritten law, which says that all rebels become an outlaw sooner or later.
So did Om.
Most of the libraries on which it was dependent had grown up to be pretty matured libraries and the outlaw was no more supported.
Dependencies are bad…

…but some codes die hard.
Since most of the libraries on which Om was dependent were under GPL, it simply incorporated the required code snippets instead of referencing the libraries. This has made it a pretty complex and buggy code… but hey that’s why the saying goes:
There is code in my bug” 🙂

Grabbing Video from Youtube.

Update: This hack doesn’t work any more. I’ll post the latest pretty soon. Hopefully. 🙂

I loved this performance by Tina & Hussain. It left me breathless, and wet-ted my eyes :D.

I wanted it s badly. Did a l’ill research, found a hack, and here I am, sharing [& open sourcing it 😉 ].
You can find various sites and ‘n’ number of tools to grab your favorite video from Youtube.
There are definitely simpler ways, including a javascript. However, I liked this manual way of doing the job. It let’s me see where’s what… 🙂

1. Goto the page containing the video.
2. View page source. [Ctrl+U in firefox] 3. Search [Ctrl+F] for “player2.swf?“. It’d be something like “/player2.swf?video_id=jksdjs….“.
4. Copy the part after “?“, i.e., “video_id=jksdjs….“.
5. Append it after “www.youtube.com/get_video.php?“. It’d look something like “www.youtube.com/get_video.php?video_id=jksdjs….“.
6. Paste your string in the address bar of your browser and hit enter.
7. Please note that the video that we download is an flv file [and needs “.flv” to be manually added.] 8. If you don’t have an flv player, get it from HERE.

I hope it helps you get what you want I am not sure as to how long it’d work as the YouTube guys do not like people to download the videos and keep changing the settings. [ I am still wondering why!!!] If the above mentioned steps do not help, please leave comments.

Psst.: I am planning to write a script to do it automatically. However, I am not sure if I want to do it in Perl or Java. [Perhaps, I’ll code in perl and ask my students to do it in Java 🙂 ]