[OT] The Rant of a “Republic” Indian Hacker

For me, the very foundation of Hacker-dom is based on three very fundamental steps:
1. Grasp the fundamentals
2. Question everything
3. Question everything, without being a fanatic

As ironical (or rather illuminating, depending on the way you see it) as it may sound, as I take my very first step to understand the fundamentals of the Indian constitution on the 59th Republic Day, I also start to learn to question it. It’s disturbing to learn that the borderline difference between pretending to be a democratic nation, and actually being one, has already depleted. What pains me more is that we “celebrate” Republic Day in the form of a “holiday”, without actually caring about being sovereign and republic.

I am starting to get fed up of getting used to all the abnormalities in the normal flow of life.

How about a Better & Cheaper MacBook Air!

Those were the days when I used to be an Apple fan.
Aah.. the harsh reality that they produce nothing more than crippled products at sky-high prices.

Moreover, Apple isn’t just about cut-throat business. It’s also about making people feel bad about themselves.
Don’t trust me?
See here yourself.

Orkut Latest XSS Worm; and what it means for Indian Orkuteers

Update: Kishor reports a flaw in the implementation of “private” videos feature on Orkut. Although I am at office and I haven’t checked it yet myself, I believe I can trust him, based on his posts at Slackers. Nice one Kishor. 🙂

1. YAWN [Yet Another Worm, Nanny]


Orkut (Google’s MySpace and Facebook for India, Pakistan and Brazil) has been hit by an XSS worm. It’s useless to say but I am not able to resist, so I’ll say it anyways. It’s not the first time that a social networking site has been attacked by an XSS worm. In fact, these sites are a primary target for a number of reasons: easier gullibility level, exponential reach, huge amount of data waiting to be harvested, web 2.0 etc. etc. etc. There’s a good compilation of XSS worms going on at Slackers (Social n/w worm, or no).
Anyhoo. This incident has already been reported by a number of bloggers, so I won’t dive into the technical details. However, this worm seems to be harmless and fixed for now.

2. What did it do?

If you viewed the message “2008 vem ai… que ele comece mto bem para vc” in your scrapbook, there is a high probability that you’re infected. You were added to a community named Infectados pelo Vírus do Orkut at http://www.orkut.com/CommunityJoin.aspx?cmm=44001818. The worm then forwards itself to the scrapbook of all your contacts (on your behalf). Any doubts on it being exponential?

3. IT Act 2000 [pdf]

IT Act 2000 is India’s legal answer to the miscreants on the technological front. (I realize it’s a pathetic definition, so no flame on it please 🙂 ). The trouble with IT Act 2000 is that the majority of law enforcers aren’t really aware of the real life scenarios. I’ll give a real case to support the point, in a while. Although I am no law expert (just a little bit of interest), I guess I can safely say that the Act needs a few amendments to include/modify a number of issues (e.g., SPAM, etc.)

So what happens when the implementation is in a nascent stage, and the enforcers are not completely educated?
Things get blown out of proportion. Things get painted in a completely new color. Things get… uh! fill them up yourself.

Chapter 11 of the Act defines the Offences – section 65 to section 78. For now, let’s have a look at Sections 65, and 67.
Section 65: Tampering with computer source documents.

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation: For the purposes of this section, “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 67:Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

I have mostly been interested in section 67 (which, according to some in the law industry, also extends to SMS service) 🙂

Anyhoo. If you are interested in punishments, here’s the link. Have a look. You might be serving one someday 😉

5. Case Study

There have been quite a few cases revolving around Orkut, but the one that I’ll be talking about (and is the most relevant) is the one where the wrong man (named Lakshmana Kailash K) was put behind bars for 50 freakin’ days. He was “reportedly” involved in the defamation of Chhatrapati Shivaji, a highly revered historical figure.
In case you aren’t aware, Orkut (Google) has signed a pact with Indian Law Enforcement. They pledge to “block any ‘defamatory or inflammatory content’, or hand over IP address information to police if asked”.

So what happened in the above case?
The defamation of Shivaji is reported to law enforcers, they contact Orkut, Orkut gives the IP, law enforcers run to the ISP (Airtel in this case), Airtel provides an address, guy put in jail.
Simple. Isn’t it?

The only trouble being that Airtel provided the wrong address.
Whoops! And bang! The dude spends 50 days straight, for something he didn’t do.
Neha Viswanathan, a blogger based in UK, has a very nice write-up on the incident. Further, there’s a very nice compilation of some Cyber Crime cases in India at the IndiaCyberLab portal.

6. Putting the pieces of puzzle together

Let’s first collect all the pieces together:
1. Orkut has a pact with Indian Law Enforcement.
2. Law enforcers are incompetent *cough*.
3. Orkut (or any other similar site) still has XSS and CSRF flaws in them. Period.
4. XSS and CSRF let you (among a thousand other things) manipulate source code (section 65) and/or insert obscene/derogatory content (section 67).
5. XSS and CSRF let you post/manipulate data on some other person’s behalf. (Orkut/Samy etc. worms did not require you to click anywhere. Just load the page and the payload is inserted in your friend’s scrapbook on your behalf).
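Seen from the site's side, points 3 to 5 come down to two server-side checks: refuse a scrap that arrives without the session's anti-CSRF token, and escape scraps on output so a stored script is shown as text. The sketch below is an added example, not Orkut's code; `post_scrap`, `render_scrapbook`, the key handling and the session id are hypothetical names and values.

```python
import hashlib
import hmac
import html
import secrets

# Hypothetical server-side secret; a real site would load it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to one session; the site embeds it in its own scrap form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def post_scrap(scrapbook, session_id, author, text, token):
    """Store a scrap only if the request carries the session's token.

    The browser attaches the session cookie to every request, including ones
    triggered by another site, so the cookie alone does not prove that the
    account owner meant to post. A page on another origin cannot read the
    token, so a forged request arrives without it.
    """
    if not token or not hmac.compare_digest(token, csrf_token(session_id)):
        return False
    scrapbook.append((author, text))
    return True


def render_scrapbook(scrapbook):
    """Escape author and text so a stored scrap is displayed, never executed."""
    return "\n".join(
        "<li><b>{}</b>: {}</li>".format(html.escape(author), html.escape(text))
        for author, text in scrapbook
    )


def demo():
    session = "constructed-session-id"  # constructed sample value
    book = []
    # Genuine post from the site's own form: token present, accepted.
    genuine = post_scrap(book, session, "alice", "long time no scraps",
                         csrf_token(session))
    # Cross-site request riding on alice's cookie: no token, rejected.
    forged = post_scrap(book, session, "alice", "a scrap alice never wrote", "")
    # A script running on the site's own origin could read the token, so the
    # token alone is not enough: escaping on output is what keeps stored
    # markup from running in the next visitor's browser.
    post_scrap(book, session, "alice", "<script>alert(1)</script>",
               csrf_token(session))
    return genuine, forged, len(book), render_scrapbook(book)


if __name__ == "__main__":
    print(demo())
```
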

Now combine them all, and you’ll realize that there might be a day when you just sent a “long time no scraps” scrap in your friend’s scrapbook and went to bed. The next day, a bunch of Cyber officers wake you up, and arrest you for defaming Balasaheb Thackeray.

…and yes! Don’t talk about Democracy. You’ve already seen that the politicians can get away with a wrestling in parliament arena that will put WWE stars to shame. On the contrary, a chap is detained for 50 days just because the cops thought that they had enough evidence.

7. Conclusion

Stay away from social networking sites. Trust me, they are not worth the price.

M$ WindowsXP just got a newer version of Update with new Components!

I am not sure if anyone is aware of it or not, so kindly spare me if it’s not NEW in the sense I wish to convey. (Or maybe, you didn’t discover it the way I did) 😛
For no particular reason, I visited the windows update page today (using IE7) and got this message:


As you can see, the *latest version* of Windows Update requires a few components to be installed on your system. There’re also some details regarding the components, which are hidden using a javascript function.

I’d encourage you to read all the benefits that are provided by the latest version. Once you are done reading them (and figuring which of them are new and which makes sense), proceed to discover the *special component*.


Fake Steve Jobs Revealed

Arpit had a joint post on the probable revelation of FSJ (Fake Steve Jobs), along with the info on Exif Data revelations of the Harry Potter book images.

Anyways, the new news is that FSJ has been busted for real. It’s the work of New York Times reporter Brad Stone. The FSJ is Daniel Lyons, a senior editor at Forbes Magazine.


Although Daniel says that he’s surprised that it took so long for people to reveal his real identity, yet it doesn’t really seem that he’s happy about it… or even okay. He looks pretty upset with Brad though 🙂

Link: http://fakesteve.blogspot.com/2007/08/damn-i-am-so-busted-yo.html

Java vulnerable to remote compromise

ZDNet Asia reports that Google Security team has discovered a “Dangerous Java Flaw that Threatens Virtually Everything”. The interesting part of this news is that, apart from a few scary statements, it doesn’t inform you of anything else.

The Sun advisory page on this flaw, however, informs you about two flaws which are nothing but Buffer Overflows. Do not mistake me: I am not undermining the impact of Buffer Overflow Attacks in any way. It’s just the ZDNet article’s title that’s bugging me. It makes the flaw look like an out-of-this-world ET attack scenario.

  1. A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
  2. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Now firstly, Buffer Overflows are no new form of attacks. They have been here since the existence of man (I admit that’s a little much :D), and they are here to stay. Thus, articles like this are more like FUD, IMHO.
Secondly, applet support is very limited in mobile devices. Not to mention that J2ME supports only PNG format. Thus, not “virtually everything” is everything.
Finally, image parsing in Sun’s Java implementation is done through a native library. It’s time that Sun writes a Java equivalent for it to avoid other similar issues. Further, since Java is now GPL, I also hope to see the code coming from some random, pimply, introvert teenage kid. 🙂

The problems can be resolved by updating the packages. Detailed info is provided in Sun’s advisory.

TPM Boys withdraw paper from BlackHat USA

I hope you remember the young Indian security researchers Vipin Kumar (22) and Nitin Kumar (23), the TPM Boys [I guess, that’s the way they call themselves. At least their blog confirms that. 🙂 ]. They presented a paper, “Vboot Kit: Compromising Windows Vista Security”, at Blackhat Europe – 2007.

The talk explained the (different) booting process of Windows Vista. It also introduced the concept of manipulating an OS during its boot process using VBootkit. Finally, they gave a live demo of VBootkit in action (on Vista).

This event was Slashdotted. VBootkit was also blogged by Bruce Schneier. Here is an interview of the “boys” at SecurityFocus by Federico Biancuzzi. In their own words, “Vbootkit is much like a door or a shortcut to access vista’s kernel……. since vbootkit becomes part of the kernel, it can do anything that Vista’s kernel can do.”

All this, however, is news of the past. The current news stirred more vigour and controversy. They had yet another paper “TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)” scheduled to be presented at Blackhat USA – 2007. They withdrew their paper last week without any comments. This news was Slashdotted and resulted in a (typical) slashdotian variety of comments. Some even doubted if they really had any success in their research. Well, you cannot really blame them. That’s the fussy nature of our FOSS communities… errr… wait. Before you bash me, I’d like to remind you that it’s not (only) me who says that. It was originally cited by Mark Shuttleworth. An amazing number of people opposed Mark by creating a lot of Fuss. 😉

Coming back to the story. A user with the handle PoliTech commented on Slashdot, recalling Michael Lynn’s paper at Blackhat about his research on Cisco routers. Cisco and ISS sued Lynn and the management of the Black Hat conference. It’s worth noting that Lynn was an ISS employee. 🙂

It should also be noted that Vipin and Nitin’s previous presentation was in Amsterdam, Europe. This presentation, however, was scheduled in US… and the (stupid) US laws can screw things up. Based on Lynn’s case, it is quite apparent that Vipin and Nitin didn’t wish to get caught in any such undesirable situation.

I hope to see them present the paper at some other conference (or location) pretty soon. Best of luck guys.

OffTopic: Coincidentally, my younger brother’s name is Nitin. 🙂

Bill Gates no more The Richest

Slashdot updated today that Billy Boy is no more the Richest man in the world. The position is, however, not official. The standard is Forbes list.

Billy Boy has been surpassed by Carlos Slim, the Mexican Telecom tycoon. Bill’s current estimated wealth is $59.2 billion, while Slim’s estimated wealth is $67.8 billion.

Two of the most obvious reasons are:

  1. A surge of 27% in the stock price of Slim’s wireless company, America Movil, in the second quarter
  2. Bill reduced his net wealth by more than $30 billion, which he put in the Bill and Melinda Gates Foundation. 🙂

What Next?
Nothing really. To a question asked to him at the Microsoft conference last year, whether he’d be upset if someday he wasn’t the richest creature ;), he responded, “I wish I wasn’t. There’s nothing good that comes out of that.”
Moreover, he’d be retiring in a year’s time and would be dedicating his time, energy, and money to the Bill & Melinda Gates Foundation. I wish him luck. 🙂

Month of Search Engine Bugs: “Mission Accomplished”

The Month of Search Engine Bugs by MustLive has come to an end.

MustLive reports:

In the project took part 33 search engines (30 web engines and 3 local engines) of 19 vendors, some vendors have several engines. The list of project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether there were published 104 vulnerabilities in mentioned engines. Including Cross-Site Scripting (as XSS, and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. It is without taking into account redirectors in search engines (altogether there were published 23 redirectors).

Results of the projects: fixed 44 vulnerabilities from 104 (without taking into account redirectors). It is 42,31% fixed vulnerabilities. Owners of search engines have a place for improvements of their engines’ security.

Over a period of 30 days, 104 vulnerabilities/bugs were discovered, out of which only 44 have been fixed. Out of these 19 vendors, only two (Rambler and Ezilon) have thanked him for his commendable hard work.

Several researchers, including Jeremiah, RSnake, Christ1an etc. blogged about it. Considering the complexities involved in fixing a bug, they agree at some point that 44 is still a good number. However, there is one Big “Cheer” Leader which isn’t fixing the bugs. No points for guessing that the Leader believes in “not doing evil things”.

Bill Gates wins me!

I realized that the title of this post has a contrast with my previous post, only after I wrote the topic. Thus, I feel that it is obligatory to mention that I am still Anti-M$. I still do not support their business model. Phew!
…and yes. The contrast in the names is just a mere coincidence. I know it’s tough to believe, but then I don’t lie.

Now coming to the topic.
I have always appreciated the way Bill Gates (and, of course, his wife) has spent time and money on Melinda Foundation. I remember posting my views a few days ago on Arpit’s blog.

A few minutes ago, I read Bill Gates speech transcript that he delivered at Harvard.
He starts the speech on a light note and calls himself a “bad influence” by reminding that he made Steve Ballmer drop out of B-School (Oh! How I wish that Gates had failed in convincing Ballmer 😉 ).
He continues his speech by talking about how ignorant he was about the socio-economic and health problems of the developing nations, when he joined Harvard (and even later.)
The thing that blew me away was that for the most part of his speech, he talked about how technology can and should be used for the help of these people.

I won’t mention the details. I’d urge you to read it. I hate to say, but Bill seems to be a bright candidate for my future plans (after he drops out of M$, of course).

Google Lost Me!

It’s strange writing something like this using a service that’s owned by Google. 🙂
But it was long overdue.

There was a time when I used to address Google as “Google God” :).
Used to believe a lot that they religiously follow their “Do no Evil” motto. I forgot that as companies grow, there are bound to be employees who are evil by nature.
It reminds me of my Pre-Placement Training during college days when I was “tutored” that, “Honesty is not a strength. You are supposed to be honest.” This obviously isn’t true when people take the excuse of “everybody-is-doing-it-so-why-not-me”.
And let’s face it.
Money matters!

Anyways, coming back to the topic; I mentioned in one of my previous blogs when my Google AdSense account was disabled because of my own mistakes. I took the responsibility and had no complaints. However, when my AdSense account was disabled for the second time, I made a thorough study of their privacy policies. That’s when I came to know about their two-faces.
They allow several sites to utilize their services even when they falter with the terms and conditions. One thing common among all these sites was, “they all are High Traffic sites”.

As I mentioned, a post on the topic was long overdue. I stopped myself with one or other reason. The latest development, however, made me talk about it.
According to Privacy International’s latest report on Top 23 Internet Companies, Google held the last spot (even below M$). This topic, as Privacy International itself admits, is controversial. Its report however, is substantially supported.
You might want to have a look at the post on the same topic on RSnake’s blog. Do not miss out on the comments.

Footnote: This post is not an outlet to my anguish. I (mistakenly) had more faith in Google than most of you. Another post on innovativeness of Google technologies is due.
And BTW, I do not mean to say that Google has turned evil. I believe as the company has grown, the motto has changed to “Do no Evil. If there is any, close your eyes”.

Dreams… and (huh!) Reality.

Disclaimer: The post may give you a notion that the author has surpassed all the heights of patheticism; which actually is sort of true 😀

Have I ever posted that I am a *crazy* person?
Probably a number of times.
This post is another proof; which I am shamelessly sharing with a hope that my *unconscious* realizes the heights of pathetic-ism it has reached. I refer to my Unconscious mind because *the proof* is related to some of my dreams.

To build the foundation, let me take you back to my school days- class 10th.
That was when I was introduced to programming for the first time. Language was BASIC.
Might I boast that I was good.
I remember being the fastest coder around and having coded sound and graphics programs in BASIC. That was the time when I wrote my first (and only) game.
Where did I get the inspiration from?
A dream.
No kidding. I saw the algorithm in a dream 🙁

Scene 2:
I was kind of frustrated during my B.Tech. days when I wrote *factorial* and *Fibonacci* codes in C. The most frustrating event was when my teacher blamed me for *wasting* my time coding a Solar eclipse in C instead of what he asked for; a DDA algorithm. You can find the glimpses of those days here and here.
I do not deny the fact that I could have channelized my frustration and anger; something that I did a little later. I wasted my first 3 years.. (this, however, is not really relevant to this topic.)
During these B.Tech. days, I spent my first summer training (and consequently the second too) learning Java. I somehow fell in love with the language. (Off-Topic: If I don’t wish to be thrashed, I must mention that Raga helped me with most of my Java codes (and C codes, and C++ codes, and…) back then. It doesn’t mean that I was ignorant though 😉 )
There was a time during the training days when Abhu bhaiya tried waking me from sleep and I spoke something in sleep.
I was explaining Java concepts to him :((
…and if I am not wrong, Priyo (my roommate) too *lived* a similar experience.

Several other such events happened in past, which I don’t feel like mentioning. I’d rather speak about present.

Dream 1
A few days ago… no weeks ago, I saw a dream
I was coding a cross-platform desktop application in Qt4.

You know what’s weird about it?
The fact that I had just *heard* of Qt4 and knew that it was somehow related to KDE. (I am more of a GNOME guy)
That’s it.
Nothing less, nothing more.

I scribbled about the dream on my mini-diary, that I use as a portable “To-Do list”, and forgot about it.
A few minutes ago, I stumbled across this link:
How To Create a Linux Desktop App In 14 Minutes For Beginners (Using QDevelop and Qt4)

Dream 2
A few days ago, I saw a dream that I am *purchasing* a book on Wireless Security.
It was priced somewhere between 390/- and 400/- (Don’t ask me how I remember the price)
Today I bought a book on Wireless hacking… :((
Don’t ask me either the price or why I bought it. The price is anyways not really the concern here.
I really wonder if these dreams are some sort of sign.

Dream 3
You CAN go crazy on the wilderness of my other dream, mentioned below. So you can discontinue the rest part of the article.

Still reading?
Okay! Read at your own risk.

I am appearing for an exam.
The syllabus is…… Amir Khusro’s composition, “Chhap Tilak sab Chhini ray” 😀
I am wondering what sign does this dream carry :(( :(( :(( :((

You cannot even imagine how I feel after writing it here and realizing the fact that this post will not only be read by a number of random people but will also be indexed by bots.

Anyways, now the wish-list part.
If the dreams have to finally turn into reality (in one or other form); then why don’t I ever see something good… something romantic. 😀
Hey wait!
Does the reverse count? I mean other people seeing me in their dreams… 😀 [Huge-Grin]

Footnote: The author would like to apologize to all who are experiencing anger and/or depression. He would also like to thank GOD for what he mentioned in the last line. 😀

"COLUKABKI – AOL – MSN – YAHOO – RED CROSS"….. aaah Comm’n Gimme a break.

It’s really interesting that even engineering students, who are supposed to have a very ANALYTIC mind, are least bothered about verifying anything before believing it…… and that too when they have access to GOOGLE.

This blog of mine is in response to the hundreds and thousands of mails that are forwarded so that somewhere, somebody’s LIFE COULD BE SAVED BY FORWARDING THE BLOODY MAIL.
AOL, Yahoo, Red Cross, MSN etc. etc .etc. donated certain amount of money FOR EACH TIME THE MAIL IS FORWARDED (generally 1 cent).
Isn’t that interesting???? I mean what these sites could do generously (if they wished to), do it when some BIG HEARTED person forwards the mail.
And guess what??? They do it without attaching any kind of tracker in the mail… Not to mention that doing anything even near to attaching a tracker would be a threat to an individual’s privacy… 🙂

I cannot stop myself from sharing one other similar interesting mail. The mail said that an INDIAN BOY HAS CHALLENGED BILL GATES BY DEVELOPING AN O/S CALLED “O! YES”, which is very Robust, Secure, blah blah blah… And HP has proposed to purchase it.
Now, the first thing… making such an O/S is no joke. This has nothing to do with the crappy nature of WINDOWS (hehehhe), it just means that it’s very difficult for a young child to do so.
Secondly, if someone succeeds in doing so, this news would be the hottest one around…. not one which has to be informed via email. 😛 And the most interesting part….. This mail has been doing rounds since 5 years (at least) :))

These mails are generally used for two reasons:

  1. For fun…. or to make mockery of someone.
  2. For stealing your mail id for spamming……. I know this is strange, but it’s true. If you have any such mail in your mail box, just try to count the number of email ids in it…. and then imagine what would you do with them if you were a spammer. These mails are in fact sent by spammers so that they can have a reasonably beautiful number of such mail ids.

JUNTA, please don’t feel bad if you have been forwarding such mails.
Obviously, nobody knows everything… but you can be a little careful when you receive such mails.

  1. Ignore such mails.
  2. If you really feel that the mail is genuine and needs to be forwarded, GOOGLE some keywords contained in the mail,
  3. or forward it after removing all the previous email addresses.
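
Step 3 can be done mechanically. The sketch below is an added example, not part of the original post: it counts the distinct addresses a forwarded body exposes and returns a copy with the copied-in header lines dropped and remaining addresses masked. The function name, the simplified address pattern and the sample message are all constructed for illustration.

```python
import re

# Simplified address pattern: good enough for scrubbing, not a full RFC 5322 parser.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Header lines that mail clients copy into the body of a forwarded message.
HEADER = re.compile(r"^(from|to|cc|bcc|reply-to)\s*:", re.IGNORECASE)
# Leading ">" quote markers added on each round of forwarding.
QUOTE = re.compile(r"^(?:>[ ]?)+")

# Constructed sample: a chain mail forwarded twice (example.* domains only).
SAMPLE = """\
---------- Forwarded message ----------
From: Asha <asha@example.com>
To: ravi@example.org, meena@example.net,
    Ravi K <RAVI@example.org>
Subject: Fwd: FWD: please forward, 1 cent per mail

> From: kiran@example.com
> To: asha@example.com, dev@example.in
> Forward this to everyone you know.
> Questions? Write to helpdesk@example.test.
"""


def scrub_forward(body):
    """Return (cleaned_body, exposed) for a forwarded message body.

    exposed lists every distinct address found, lower-cased, in order of
    first appearance: this is what each new recipient gets to see.
    cleaned_body drops the copied header lines (and their folded
    continuation lines) and masks any address left in the text.
    """
    exposed, seen, kept = [], set(), []
    in_header = False
    for line in body.splitlines():
        for addr in ADDRESS.findall(line):
            key = addr.lower()
            if key not in seen:
                seen.add(key)
                exposed.append(key)
        text = QUOTE.sub("", line)
        if HEADER.match(text):
            in_header = True
            continue  # drop the whole recipient/sender line
        if in_header and text[:1] in (" ", "\t") and text.strip():
            continue  # folded continuation of the header just dropped
        in_header = False
        kept.append(ADDRESS.sub("[address removed]", line))
    return "\n".join(kept), exposed


if __name__ == "__main__":
    cleaned, exposed = scrub_forward(SAMPLE)
    print(len(exposed), "addresses exposed before scrubbing")
    print(cleaned)
```

A body line that happens to start with "To:" or "From:" is dropped as well, so read the cleaned text once before sending.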