Blog moved to http://karteek.selfdabba.com

Wednesday, August 29, 2007

Magician with stick in his hand

There is one Indian Portal which writes articles like ... who is the hottest item girl, Sharapova in sizzling red etc etc, but it won't write that today (Aug 29) is National Sports Day. That is why Arjun awards as well as Khel Ratna awards are given today.

Why do we celebrate Aug 29 as National Sports Day ? It is coz, its birthday of a great guy, who can be compared to Pele, Sir Don Bradman when it comes to his particular sport. To be frank, he is considered as the greatest player ever played that game. But, it is sad that we don't know him as much as we know Anna Kournikova or Sania Mirza even though they are mediocre in their game.

His game was superior that many people thought that he is magician. Tokyo officials broke his stick to search for magnet in it and tried to console themselves telling that he added some sort of glue. He was supposedly offered a place of Field Marshal in German Army by Adolf Hitler. Guess, you got it now. He is none other than Dhyan Chand. It is very sad that I can't see/hear his name on any portal or a news channel today when National Sports Day is celebrated on occasion of his birthday.

To finish, He was part of India's first three Olympics Gold winning National Hockey Team. Team India reached finals of Olympics eight times in a row and won seven Golds and one Silver. In this not-so favorite game of Indians(favorite being Cricket), India won eight Olympic Golds and Aus, with four Olympic Golds is second in the table.

Tuesday, August 28, 2007

Don't Eat My Cookie

Uhmmm, will you guys understand if start writing about XSS ??? If you understand, good, if you don't, great, as it tells that you've so many other things in your life to worry about than mere security on a web site. But, in order to understand what I'm writing here, you've to know little about XSS - Cross Site Scripting.

XSS, in simple terms is a computer security vulnerability found in web applications which allow code injection by bad guys. The bugs can be exploited to craft powerful phishing attacks including stealing credentials.

Why am I writing about this ? Yesterday, I found couple of XSSes in two big Indian web sites. Rediff and MouthShut. I've reported to MouthShut about the vulnerability, but not rediff (Sorry rediff, I hate you) The below screenshot is XSS in MouthShut. If they've fixed, you can see it here.

As I hate rediff, and I didn't report to rediff, I don't want to post about rediff's XSS. But, You can see that rediff is STUPID by giving some weird chars (hint : Vulgar fraction for ½ brained rediff) as input in its search box.

So, how do you escape from such kind of attacks ??? See my last post. Fire-up your fox with NoScript. It saves you from bad guys of this world.

Sunday, August 26, 2007

Fire-up your fox !!

Before firing up my fox, I want to write few lines about the synonym of internet - Internet Explorer

MSIE has been the most widely used browser. It had usage share of about 95% in 2004. The share was very high coz of few reasons like ... Most of the desktops run on Windows. IE is the default browser in Windows and most of the users dint give a damn about what they are using as long as it finishes their work. Opera was an alternative but wasn't free. Netscape navigator became one "buggy" product without any innovation which was a super hero among browsers in 90s.

But, in the second half of 2004, a new kid of entered the scene and started to take over the screen. Name was Phoenix, Mozilla Phoenix. Later the name was changed to Mozilla Firebird then to Mozilla Firefox coz of trademark issues. It decreased the usage share of MSIE from 95 to 86 in 2 years !!!

Firefox is considered as the best browser by many companies but not limited to Forbes, PC World. Firefox dint become a great browser all by itself, but by the features as well as the big developer community which develops plugins for it to do various tasks. Well, now we will see how to Fire UP our Firefox to do various tasks.

  • NoScript - Extra extra Java Script protection for your firefox
  • Greasemonkey - Customize the way your webpages look with thousands of free scripts from userscripts.org
  • Adblock plus - Get rid of all those ad banners
  • FoxyTunes - Control any media player and find lyrics, covers, videos with single click
  • Fasterfox - Tweak performance of Firefox
  • FireBug - Web development evolved ;)
  • Themes - Make your great browser look great ;)

You will certainly feel that Firefox is 200% better that IE6/7 with all the extra added security as well as features. BTW, take a look at new product based on Firefox, Mozilla Firefox Campus Edition

Saturday, August 25, 2007

Register ? Globals ? What ???

I deal with little PHP at my work. Some of my teamies also deal with php. One of my teamies who left for some other company, created a great application which is a shopping cart with certain _damn_cool_ features. He used php do some stuff.

Someone else wanted to see that tool again, and another teamie tried installing it on a laptop. He was reading Installation Manual for the application, where I saw one point as .. "Set register_globals to ON"

As a security enthusiast, I always read about "how not to do" a lot. I still remember that most controversial change in php of setting default value for register_globals was changed to ON from OFF. When I came back to the scene, I can smell one thing. One possible security breach. Registering Globals can really go fatal for the application sometimes when the logic is bad.

Consider the following code snippet

<?php
if (authenticated_user()) {
$authorized = true;
}
if ($authorized) {
    include "/highly/sensitive/data.php";
}

?>

In the above snippet (from php.net) if you can see that if the user is authenticated, a variable $authorized is defined with value "true". If value of variable $authorized is true, highly sensitive data is included.

The logic doesn't look flawed from the exoskeleton of the code. But, it is very bad logic to code such kind of application ... especially when register_globals are on.

When register_global are set to on, one can create a variable through a request. Now, if we call the above code as

access.php?authorized=1

What's going to happen now ? If I'm authenticated_user(), fine. I've every right to access the data. If I'm not, $authorized is created with value 1 as we are creating it using our GET request and this gives me access to the sensitive data which I'm not allowed to access. Here, this can be avoided by creating $authorized with value false on top of the code.

You can know more about this security issue at php.net If you are using php << 4.2.0, Don't forget to change the directive register_globals to OFF or take proper care to secure your code. If you are using php >> 4.2.0, you need not worry much about this as the default value is OFF. This directive is going to be removed from php 6 onwards. 

Thursday, August 23, 2007

Alice, Bob and Lahycxpajyqh

Wondering what's that L.. word in the title ? You guys are supposed to use Google search engine once in a while.

...

...

Okay, okay. You really don't want to search now and find what the hell is that. What if I give you a couple of hints ?

  1. Julius Caesar was a great Roman political leader.
  2. Julius Caesar was one of The Nine Worthies

Still no idea what's happening here ? Great. That's what this science was developed. This science is considered to be a branch of Mathematics and Computer Science and it is called Cryptography

The Hints were Caesar and Nine. The Crypto I used is Caesar Shift and the shift magnitude is 9. That converts  "Cryptography" into "Lahycxpajyqh". Caesar shift is one of the simplest and most widely known encryption techniques.

Now, coming to Alice and Bob. Those names are first used by Ron Rivest while presenting one of the most famous encryption algorithms RSA. Well, about RSA, its an encryption algorithm which uses two big Prime Numbers to encrypt as well as decrypt data. The bigger the primes the more secure it is against attacks.

All crap apart. Coming to daily life usage of encryption and decryption. You guys might be sending some mails. Some of them would be very personal. You might be knowing that mails go thru several servers and some server admin can just read your mail. How do you make sure that your mails are read only by the person who is intended to read it ? Well, The process is easy but it has to be mutual. Both the sender and reader must know about the process.

What's the best/easiest method of doing this ? (a.k.a method I use)

  • Download GPG (GNU Privacy Guard)
  • If you are scared of command-line then GPG4Win would be a better option
  • Create a new keypair
    • Private Key for yourself
    • Public Key for everyone else
  • Generate a revocation certificate for your public key (If you forget your password or if your private key is lost, this certificate is used to tell people that your public key is no longer been used. It can also be used to verify your signature)
  • Give your public key to people who mail you (so that they can encrypt their mails)
  • Use your private key to decrypt the encrypted messages.
  • You can also use your private key to sign your messages and readers can verify that the message is sent by you.

With all those GUIs and plugins for the browser (FF) which are available, the entire process is made so simple. Just right now, I'm not doing anything of very high confidentiality and I really don't want others to think that I'm paranoid about security by forcing them to verify my signature or encrypt their mails.

PS: If you are sending a love letter, I know that you really don't want any one else to read your email .. even then, DO NOT ENCRYPT the mail even if you find girl's public key in a key server. Not every girl is Alice to prefer decrypt a mail before reading it ;)

BTW, a public key server is a server where people upload/publish their Public Keys.

Tuesday, August 21, 2007

No patch for human brain

Life is good. It's so good that I'm happy with everything that's happening around me. I'm happy for clouds showering on my head as soon as I enter heavy traffic where I can't stop or find a shelter. I'm happy for my boring life to think about silly things. One of those silly things is one silly bug that crept into one advanced application in a Great Company.

It's not about 'a' project among thousands of projects. It's about one project that actually is common to every person of our company. A web application for which you get access even before you get access to your company email-id. In fact, your email-id selection can be done only through that application.

What's good about that application ? Well, it's cool. It's complicated. It's advanced. It makes my work easy (almost :P, atleast I don't have to run around carrying papers)

What's bad about that application ? Silly messages. Yes. Very silly messages. If you press "ctrl" or "alt", you will get a message box telling you "You are not allowed to press that button" .. What .. WTF ?? I'm not allowed to press a button on my keyboard ??? Come on dude. It's heights of "being secure". Well, yeah. A person who just started using computer can certainly think that the application is so secure that it even detects my key presses.

Yeah, As a person who uses computers little more than an average computer engineer, I found that .. exoskeleton of the application is so weak that any kid can break it. There are some basic principles in coding a web application. I've no clue whether they've followed every principle or not .. but they missed principle Numero Uno.

What is that ? They send password back to my browser. WTF ??? Yep. They send password back to my browser, unaltered, unencrypted. Just plain 0xPassword, thinking that no user will press other buttons when they tell that he can't press certain buttons.

So, that's the only bug that has crept into ? Well, the answer is no. There is a whole family of bugs inside that application.

They use one 32 letter word (*cough*  *cough* its a hash) to login to certain place of the application. Guess, what's funny ? That word is same for you through out your time. It's not changed even if you change your password of that application. Someone grabs it, you can never help it.

If the above one was funny, this one will make you laugh even more. They transmit your username and password as variables using HTTP GET. Which in other words mean, If you use a proxy and you access this application, even though, they use SSL, the proxy admin can see your password as URLs themselves are not encrypted. WTF, in our company we use proxy all the time !!! Which means, my admin can see my "secret" password if he wishes !!!

Application coders can fight with me, come on dude, we've implemented sessions so well that if you don't do anything on the application for sometime, your session will expire and we take you to login page automatically. My response to that would be .. Wow, I'm speechless. Many users. Yes, I do mean, many users of the application forget to logoff and leave the browser window open and leave. Which means that their session is expired, but window is just showing the dead "session" there on the browser. But, our coders forgot Rule Zero that any browser on hitting refresh button will resend the HTTP query. I just pressed shift button and refreshed the browser. Tada !!! My browser asks me whether to resend that data. Here DATA is my username and password. If I click on Yes. My dead session will get renewed and using bug one, I can find the password.

Well, there is one fact. After you join the company, they give you some guidelines for using the application. If you follow them, you are safe. But, our guys forgot one basic thing that "Applications can be patched, but not human brains"

I know how to fix those bugs. I've told them how to fix those bugs. For two times, they've fixed bugs after couple of months. The other times, they dint even read.

Sunday, August 19, 2007

Ashtasiddhi

Lord GaneshaI saw a very beautiful idol of Lord Ganesha hiding somewhere in the living room of my uncle's place. I thought to capture it and show it to you guys. I loved the photo too.

After capturing the photo, I wanted to know more about the favorite and most-worshipped Hindu God. Best place would be some old person, but, I wanted to know unbiased version. So, I jumped to Wikipedia, where a good number of topics are neutral.

While reading about Lord Ganesha, I saw a painting by Raja Ravi Varma, whose paintings are considered to be among best examples for the fusion of Indian traditions with the techniques of European academic art. In the painting, The Ashtasiddhi are shown as attendants of Lord Ganesha. As a person of higher curiosity, I read about Ashta Siddhi.

Siddhi literally means "accomplishment", "attainment" or "success". It is also used as term for spiritual power in Hinduism and Tantric Buddhism. There are nine main Siddhis, Eight primary Siddhis (two different versions - Mahabharata and Srimad Bhagavatam versions) and ten secondary Siddhis and five Siddhis of Yoga and Meditation.

After reading the classification, the only thing in my mind was .. I always thought that "Siddhi" and "Buddhi" are wives of Lord Ganesha. I was not disappointed by my "knowledge" about Lord Ganesha, as I'm not a very religious person. But, I always thought that I know "little" more than an average guy in his twenties.

To be frank, my "religious beliefs" are little complicated which I couldn't understand up to now. But, being a person who believes that there is only one God, I read about other religions to know their beliefs, their theories, their way to seeking the Supreme Power. Now, I understood that I've to read about the world's oldest extant religion, Hinduism.

Friday, August 17, 2007

MySQL db Password ?

Note: There is nothing new in the following post. Just some redundant info that can be found on web.

I'm from a project which calls itself a research lab. I've never done a serious research till I came out of the project to help a teammate who was doing some other project.

When I was in lab, I use to suggest my teamies to use MySQL rather than heavier databases from MS or Oracle. MySQL is free, lighter and PHP's best friend. We have installed MySQL in almost every desktop and every server in our control. In most of our Projects, we saved usernames and passwords in the MySQL database. What about MySQL's password ?

I remember the cases where my teamies forgot their password and ended up in reinstalling MySQL. Well, that's not at the solution for the problem. Very simple solution is to skip authorization checks and starting MySQL and resetting the password. Login as Administrator or root into the machine and then

  1. If MySQL is running, stop the server
    • Command in Linux : $ killall -9 mysqld
    • Command in Windows : C:\net stop mysql
  2. Start the MySQL server using the following command
    • Linux : /path/to/mysql/bin/safe_mysqld -- skip-grant-tables &
    • Windows : C:\path\to\mysql\bin> mysqld-nt -- skip-grant-tables
  3. Now, you don't need a password to login to MySQL as root
  4. mysql -u root
  5. Mysql> use mysql;
  6. Mysql> update user set password = password ( "newPassword") where user = "root";
  7. Mysql> flush privileges;
  8. Mysql> exit
  9. Restart MySQL server using mysqladmin command
    • mysqladmin -u root shutdown -p
  10. Start MySQL normally

Out of "What the hell is my password ?" to "Hope, I wont forget my new password"

Friday, August 10, 2007

GME - Mashups Made Easy

Note: Following content deals with computer related stuff. Reader discretion is advised.

Mashup. What is a Mashup ?

A mashup is a web page or application that integrates complementary elements from more than one source

Yes, thank you. I understand the {English} definition. But, give the definition of in Lay Man's English. Okay, here is your definition.

Mashup is a web application which takes data from more than one source and displays the integrated for better use

So, what ever takes data from more than one source and displays to me is a mashup ? So, My RSS Feed reader is also a mashup as it takes data from more than one site.

NO. NO. NO. Your RSS Feed Reader, is a web FEED reader. Nothing else. Mashup might take two or more feeds and gives you an integrated experience of those feeds.

Great, give me an example. I don't think I will understand unless you give me a very good example.

Okay master. Your wish is my command. For example, you are on a world tour. You were planning to visit USA. You want to know which cities are safe and which are not. I would take the data from a service link this one which gives me data about America's most unsafe cities. And I will take the data and display the same cities on map. On a click on the city, I will display their rank and some photos which I took from another services like flickr and some videos from a service like Youtube. This web application will help you not only see the names of the cities which are not safe, but also, show it on a map with some other details about the city which is an obvious integrated experience

Okay Okay. That's great. Can I do my own mashups ? If yes, what is the best possible method to do that ?

I know that you will ask this question. It actually depends on what kind of a person you are.

If you want a simple GUI to create a mashup and you're a fan of Mr. Bill, I suggest Popfly from Microsoft. Its very easy to use. Interface is cool. Some wicked features. Just not good enough if you want advanced customization

If you don't want anything from uncle Bill and you still want a good GUI, Yahoo Pipes is a very good alternative. It got nice GUI as well as good customization. But, something between us, I really dint feel like using Pipes. Not my type.

Well, if you are type of a "computer" person who admires what ever is done by Google. You've yet another product from Google. Its simple. It offers a lot of advanced  customization. Its for programmers. The name is Google's Mashup Editor. I'm in love with GME already. It's  for folks who love to code rather than drag and drop. It's  definitely not for weak hearts who can't code or who wants a GUI.

Hey, I'm not a programmer. I'm really interested in creating some mashups. You stay with GME, I will certainly take a look at Popfly and Yahoo Pipes. 

Thursday, August 9, 2007

Free {legal} alternatives

Note: Following content deals with computer related stuff. Reader discretion is advised.

Most of us in India use WinTel machines. WinTel as in Windows -Intel machines. Yes, you are wrong. I'm not going to campaign for Linux right now. I'm going tell more about software rather than Linux. Windows is also a cool OS to have if you can pay for it.

As far as I know many people when they use computers at their homes, they tend to use illegal/pirated software. When I was student, I never had a second thought about pirated software. But, when I became part of the IT industry where my company bill my client for the code I write, why shouldn't the guys who coded the program which I use demand the money ... just like I do. They need money for their code as much as I need money for my code.

But, there is always another version of my stories. Yeah, those programmers who code for money should get their money. But, what about poor guys like me who can't afford every software they want to use. Well, people who want the quality/fame of those commercial tools, SHOULD BUY those commercial tools or take a little time to migrate to Open Source/Free alternatives.

Yes, this is about the software. The software which I use every day for my personal use. The software which all use every day to meet their requirements. These are the type of users.

  1. Who BUY their software
  2. Who download their ILLEGAL software
  3. Who look for ALTERNATIVE

I've no comments for users of type {2}. I'm indeed a user who come under {1} and {3} I bought my OS along with my dell lappy. And about remaining tools, I tend to look for an alternative. For everyone out there, who wants grab their free {legal} software, take a look at http://www.osalt.com/ - site which is dedicated to give details about Open Source Alternatives to commercial software.

Whenever you feel guilty for using pirated software (if at all, you realize one day) before checking your pockets for money to buy the commercial software, check Opensource Alternative site. If you change your mind to be a real !windows guy, and you want to switch to Linux, the site which can help you a lot in your transformation is Linux Alternative.

Tuesday, August 7, 2007

Coding Conventions

Note: Following content deals with computer related stuff. Reader discretion is advised.

I was helping(read as 'trying to help') a teamie in coding today. That actually made me to touch "My-Bic = Easy Ajax"  for coding a web application in PHP which includes lot of Ajax. I told my teamie that use of My-Bic "framework" makes Ajax work very simple.

It's true that My-Bic makes work very simple. But, I was wrong in using one term there. Whenever I use that word with My-Bic I feel tingling in my head that I'm using a wrong term. Yeah, the term is "framework". My-Bic is a basic state of mind system rather than a frame work as per ajaxpatterns.org and also, its simple, fast and easy to use. Actually, this blog entry is not to write about My-Bic, but to write about something else. Yeah, about the title "Coding Conventions". I will come to that after telling thanks to My-Bic for my "Happily Ever After" combination of Ajax and PHP. Guys, thanks a lot for moving pain of many programmers to /dev/null

Now, coming to Coding Conventions. I had a feeling that coding convention is a same thing across all the programming languages. Yeah, I ended up as a stupid with wrong assumption. Today, I saw that there are so many conventions for each and every programming language though only one is standard. Yeah, one standard convention for one programming language.

For fellow PHP programmers reading this page out there, I just saw a set of conventions on a site which gives opensource Ajax Framework (I'm going to try it very soon as its a Framework) The name is Mouse, TigerMouse. It's considered as a very good framework available now. I will confirm whether its easy to use or not (If I can use, it MUST be easy to use) it very soon after trying that out.

Some of the conventions given are (except naming class file, all the following are same in php and Java)

  • class names in PascalCase (e.g. ClassName)
    • I do follow this convention YAY !! (+1 point)
  • methods, properties and local variables names in camelCase (e.g. methodName)
    • I follow this one too !!!! (1+1 = 2 points)
  • class files <class name>.class.php
    • I've coded a class today and I dint follow the above one. Its not same in java. (2 - 1 = 1 points)
  • only one class/interface per file
    • Yes. I do that in both java and php (1 + 1 = 2 points)
  • keep { in the same line as its respective if, for, function, class, etc.
    • Arghh, I always hated this thing. I always keep { in the next line. Duh @ this convention (2 - 1 = 1 point)
  • document your code using Doxygen tags
    • Excusez moi, did I just use the word "document" .. uhmm. //No Comments ( 1 - 1 = 0 points)

Man, being a person who actually codes (not a lot, but, I do code) with conventions in my mind, I scored 0 points for PHP and 1 point for Java. Those conventions make your fellow programmers' lives simpler if they have to hack your code. Just for my friends who follow this blog, though most of them are not into programming now .. I guess, but, if they've to code sometime (in any language, not just php/Java) please take sometime to read conventions of that specific language, and do follow them while coding and give your fellow programmers more time to hack the code rather than try to understand the code.

 


Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.

I'm not a lawyer to tell this in a perfect framed sentence. Frame it by yourself if you are so concerned.
Dont think about the content of this blog. Every byte is owned by its rightful owner.
Rest © 2006-2007 Karteek