Twitter down again !!!


No!!! I’m not going to talk about the RSA algorithm for signing and encryption, but about the Republic of South Africa. And it’s about the South African cricket team.
Even though I’m not a hardcore fan of cricket, I follow the results of almost all the matches. As an Indian, Team India is the team I always want to win. But if the match is not RSA vs India, then my obvious favourite is RSA.
They always start great, but most of the time they end up going out in the * finals. They’ve won only two big trophies, the ICC Champions Trophy and the Commonwealth Games in 1998, even though they deserve many more wins.
Coming to 2007 and the first ICC Twenty20 World Cup, they started great with a good win over the West Indies, chasing down a mammoth 205. Then decent wins over Bangladesh and England booked their spot in the Super Eights. Another decent win over New Zealand. By the last match of the Super Eights, South Africa was the only team that hadn’t lost a single match. As usual, their bad luck followed them, and they lost a crucial match.
One single match. One loss in the whole tournament. Their dreams shattered. They are out of the race, not even in the final four.
On the other hand, in the deeper parts of my biased brain, there is a team I have always hated. I hated them not because they are no. 1, but for reasons I never knew. I hated them even before they were champions. The team is none other than the Mighty Oz. They were very lucky in this particular tournament. They lost to Zimbabwe in their first match. They lost to Pakistan in the Super Eights. I’m completely biased in calling their emphatic win over Sri Lanka a lucky win, as I felt it was a very unlucky day for the Lankans, who hardly ever play that badly.
On the optimistic side of my brain, I sense a much-awaited final in the history of cricket: a World Cup final between India and Pakistan. Let’s see what’s going to happen. Good luck, Team India. My biased heart loves you even without Sachin and Sourav.
I deal with a little PHP at work. Some of my teamies also deal with PHP. One of them, who left for another company, created a great application: a shopping cart with certain _damn_cool_ features. He used PHP to do some of the work.
Someone else wanted to see that tool again, and another teamie tried installing it on a laptop. He was reading the installation manual for the application, where I saw one instruction: “Set register_globals to ON”.
As a security enthusiast, I read a lot about “how not to do it”. I still remember the most controversial change in PHP: in 4.2.0 the default value of register_globals was switched from ON to OFF. Seeing that instruction, I could smell one thing: a possible security breach. Registered globals can be fatal for an application when its logic is careless.
Consider the following code snippet:
    <?php
    // Note: $authorized is never initialised. It exists only if the branch
    // below runs ... or if the request supplied it and register_globals is On.
    if (authenticated_user()) {
        $authorized = true;
    }
    if ($authorized) {
        include "/highly/sensitive/data.php";
    }
    ?>
In the above snippet (from php.net) you can see that if the user is authenticated, the variable $authorized is set to true, and if $authorized is true, the highly sensitive file is included.
The logic doesn’t look flawed from the outside. But it is a bad way to write such code, especially when register_globals is on.
When register_globals is on, every request parameter (from the query string, the POST body or a cookie) is registered as a global PHP variable before the script runs. Now, if we call the above code as
access.php?authorized=1
what happens? If I am an authenticated_user(), fine, I have every right to access the data. If I am not, $authorized is still created, with the value “1” taken from my GET request, and that gives me access to data I am not allowed to see. Here the hole can be closed by setting $authorized = false at the top of the code, before any branch, so that a request-supplied value is overwritten; running with error_reporting(E_ALL) would also have flagged the read of an undefined variable.
You can read more about this issue at php.net. If you are running PHP older than 4.2.0, don’t forget to set register_globals to OFF in php.ini, or take proper care to secure your code. From 4.2.0 onwards the default is OFF, but a shared host can still turn it back on, so check the running value (phpinfo() or ini_get('register_globals')) rather than trusting the default. The directive was deprecated in PHP 5.3.0 and removed in 5.4.0.
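The hardened version of that snippet, as an added example (it is neither the php.net code above nor the shopping-cart application): the control variable is initialised before any branch, the decision is compared strictly, request data is read from the superglobals explicitly, and the script refuses to run at all if the directive is on. authenticated_user() is a hypothetical helper implemented against $_SESSION so the file is self-contained; the include path is the one from the snippet.

```php
<?php
declare(strict_types=1);

// Added example: hardened form of the php.net snippet above.
// Step 0, defence in depth: if the interpreter still has register_globals on,
// stop before any request variable can masquerade as a local one. ini_get()
// returns false on PHP >= 5.4, where the directive no longer exists, so this
// check is harmless there.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be Off; fix php.ini before serving this app');
}

session_start();

// Hypothetical helper: trusts server-side session state only. A request
// parameter named "user_id" cannot reach $_SESSION, unlike a bare $user_id
// under register_globals.
function authenticated_user(): bool
{
    return isset($_SESSION['user_id']);
}

// Step 1: when request data is genuinely needed, read it from the superglobal
// and validate it, instead of relying on a magic variable appearing by itself.
// filter_input() returns null when the parameter is absent and false when it
// fails validation; both fall back to a safe default here.
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
if ($page === null || $page === false) {
    $page = 1;
}

// Step 2: fail closed. The control variable is initialised before any branch,
// so even under register_globals a request-supplied $authorized is overwritten.
$authorized = false;

if (authenticated_user()) {
    $authorized = true;
}

// Step 3: compare strictly. "1", "yes" or "true" arriving from a query string
// are strings; only the boolean true set above passes this test.
if ($authorized === true) {
    include '/highly/sensitive/data.php';
} else {
    http_response_code(403);
    exit('Forbidden');
}
```

The corresponding php.ini line is `register_globals = Off`; the runtime check at the top exists because a hosting provider’s php.ini or a stray .htaccess `php_flag` can override whatever the application’s own documentation assumes.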
Wondering what that L.. word in the title is? You guys are supposed to use the Google search engine once in a while.
…
…
Okay, okay. You really don’t want to search now and find out what the hell it is. What if I give you a couple of hints?
Still no idea what’s happening here? Great. That’s exactly what this science was developed for. It is considered a branch of mathematics and computer science, and it is called cryptography.
The hints were Caesar and Nine. The cipher I used is the Caesar shift, with a shift of 9. That turns “Cryptography” into “Lahycxpajyqh”. The Caesar shift is one of the simplest and most widely known encryption techniques, and also one of the weakest: with only 25 possible keys, anyone can simply try them all.
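The shift from the title, as an added example that is not part of the original post: it reproduces the “Lahycxpajyqh” of the title, reverses it with the key, and then recovers the key without it, first by listing all 25 candidate plaintexts and then by matching a guessed fragment (a crib, here the assumed word “graph”). Only the letters A-Z and a-z are shifted; everything else passes through unchanged.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post: the Caesar shift used in the
// title, and the attack that makes it a puzzle rather than encryption.

function caesar_shift(string $text, int $shift): string
{
    $shift = (($shift % 26) + 26) % 26;          // normalise negatives and > 25
    $out = '';
    foreach (str_split($text) as $ch) {
        if (ctype_upper($ch)) {
            $out .= chr((ord($ch) - ord('A') + $shift) % 26 + ord('A'));
        } elseif (ctype_lower($ch)) {
            $out .= chr((ord($ch) - ord('a') + $shift) % 26 + ord('a'));
        } else {
            $out .= $ch;                         // digits, spaces, punctuation
        }
    }
    return $out;
}

// Decryption with the key is just the opposite shift.
function caesar_unshift(string $text, int $shift): string
{
    return caesar_shift($text, -$shift);
}

// There are only 25 non-trivial keys, so "attack" means listing every one.
// Returns an array indexed by the shift that was undone.
function caesar_candidates(string $cipher): array
{
    $out = [];
    for ($k = 1; $k < 26; $k++) {
        $out[$k] = caesar_unshift($cipher, $k);
    }
    return $out;
}

// With any known or guessed fragment of plaintext (a crib), the key falls out
// immediately. Returns the shift, or null if no candidate contains the crib.
function caesar_crack(string $cipher, string $crib): ?int
{
    foreach (caesar_candidates($cipher) as $k => $plain) {
        if (stripos($plain, $crib) !== false) {
            return $k;
        }
    }
    return null;
}

$cipher = caesar_shift('Cryptography', 9);
echo $cipher, PHP_EOL;
echo caesar_unshift($cipher, 9), PHP_EOL;

// The hint "Caesar" plus one guessed word ("graph", an assumption here) is all
// an attacker needs; without a crib, reading the 25 candidates by eye works too.
$key = caesar_crack($cipher, 'graph');
if ($key === null) {
    exit('no candidate contains the crib' . PHP_EOL);
}
printf("recovered shift %d -> %s\n", $key, caesar_unshift($cipher, $key));
```

Run it with `php caesar.php`. The point of caesar_candidates() is that the key space is the whole weakness: a modern cipher’s key space is so large that enumerating it is infeasible, and that, not secrecy of the algorithm, is what separates Caesar from RSA in the next paragraph.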
Now, coming to Alice and Bob. Those names were first used by Ron Rivest, Adi Shamir and Leonard Adleman in the 1978 paper presenting one of the most famous public-key algorithms, RSA. In RSA the public modulus is the product of two big prime numbers, the same pair of primes underlies both encryption and decryption, and the security of the scheme rests on how hard it is to factor that product. So the bigger the primes, the more secure it is against attack.
All joking aside, coming to the daily-life use of encryption and decryption. You guys probably send some mails, and some of them would be very personal. You may know that a mail passes through several servers, and any server admin along the way can simply read it. How do you make sure your mail is read only by the person it is intended for? Well, the process is easy, but it has to be mutual: both the sender and the reader must know about it.
What is the best/easiest method of doing this (a.k.a. the method I use)?
With all the GUIs and browser (FF) plugins available, the entire process is made very simple. Right now I’m not doing anything of very high confidentiality, and I really don’t want others to think I’m paranoid about security by forcing them to verify my signature or encrypt their mails.
PS: If you are sending a love letter, I know you really don’t want anyone else to read it. Even then, DO NOT ENCRYPT the mail, even if you find the girl’s public key on a key server. Not every girl is an Alice who would rather decrypt a mail before reading it.
BTW, a public key server is a server where people upload/publish their public keys.
Life is good. It’s so good that I’m happy with everything happening around me. I’m happy for the clouds showering on my head as soon as I enter heavy traffic where I can’t stop or find shelter. I’m happy for my boring life, which lets me think about silly things. One of those silly things is a silly bug that crept into one advanced application in a Great Company.
It’s not about ‘a’ project among thousands of projects. It’s about one project that is common to every person in our company: a web application you get access to even before you get your company email-id. In fact, your email-id can be selected only through that application.
What’s good about that application? Well, it’s cool. It’s complicated. It’s advanced. It makes my work easy (almost :P; at least I don’t have to run around carrying papers).
What’s bad about that application? Silly messages. Yes, very silly messages. If you press “ctrl” or “alt”, you get a message box telling you “You are not allowed to press that button”. What... WTF?? I’m not allowed to press a button on my keyboard??? Come on, dude. It’s the height of “being secure”. Well, yeah, a person who has just started using computers might think the application is so secure that it even detects key presses.
Yeah. As a person who uses computers a little more than the average computer engineer, I found that the exoskeleton of the application is so weak that any kid can break it. There are some basic principles in coding a web application. I have no clue whether they followed every principle, but they missed principle Numero Uno.
What is that? They send the password back to my browser. WTF??? Yep. They send the password back to my browser, unaltered, unencrypted. Just plain 0xPassword, thinking that no user will press other buttons when they have been told they can’t press certain buttons.
So, is that the only bug that has crept in? Well, the answer is no. There is a whole family of bugs inside that application.
They use one 32-character word (*cough* *cough* it’s a hash) to log in to a certain part of the application. Guess what’s funny? That word stays the same for you throughout your time there. It isn’t changed even when you change your password for that application. If someone grabs it, there is nothing you can do about it.
If the above one was funny, this one will make you laugh even more. They transmit your username and password as variables using HTTP GET. In other words, if you use a proxy to access this application, then even though they use SSL, the proxy admin can see your password, as the URLs themselves are not encrypted. WTF, in our company we use a proxy all the time!!! Which means my admin can see my “secret” password if he wishes!!!
The application coders can argue with me: come on, dude, we’ve implemented sessions so well that if you don’t do anything on the application for some time, your session expires and we take you to the login page automatically. My response to that would be: wow, I’m speechless. Many users, and I do mean many users of the application, forget to log off, leave the browser window open and walk away. Their session has expired, but the window is still showing the dead “session” in the browser. Our coders forgot Rule Zero: any browser, on hitting the refresh button, will resend the HTTP request. I just pressed the shift key and refreshed the browser. Tada!!! My browser asks me whether to resend that data. Here the DATA is my username and password. If I click Yes, my dead session gets renewed, and using bug one, I can find the password.
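A login handler that avoids the four problems above, as an added example and not the application’s own code: credentials are accepted only in a POST body (a query string ends up in browser history, Referer headers, server logs and in any proxy that terminates TLS), nothing the user typed is reflected back, the session id is rotated on login so no fixed token outlives a password change, the response is marked no-store, and a 303 redirect follows the POST so that Refresh on the next page re-requests it instead of offering to resend the credentials. verify_credentials() is a hypothetical stand-in for the real user store, holding one constructed account.

```php
<?php
declare(strict_types=1);

// Added example, not the application from the post: a login handler that
// avoids the four problems described above. verify_credentials() is a
// hypothetical stand-in for the real user store.

// The session cookie is the only credential the browser should keep: not
// readable by script, never sent over plain HTTP.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// No browser or intermediary cache keeps a copy of anything this script emits.
header('Cache-Control: no-store');

function verify_credentials(string $user, string $password): bool
{
    // Constructed sample store holding a password_hash() digest, never the
    // plaintext. In a real application this comes from a database.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Problem 3: username and password in a GET query string end up in browser
// history, Referer headers, server logs and any proxy that sees the URL.
// Accept them in a POST body only.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Use POST');
}

$user     = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

if (!verify_credentials($user, $password)) {
    // Problem 1: nothing the user typed is reflected back, and the message
    // does not say which half was wrong.
    http_response_code(403);
    exit('Login failed');
}

// Problem 2: a fixed 32-character token that outlives password changes is a
// permanent credential. Here the session id is the token, it is rotated at
// every privilege change, and the old id is destroyed server-side.
session_regenerate_id(true);
$_SESSION['user_id'] = $user;

// Problem 4: Post/Redirect/Get. After a 303 the browser continues with a GET,
// so Refresh on the next page re-fetches it instead of offering to resend the
// credentials from a stale window.
header('Location: /home.php', true, 303);
exit;
```

The same session_regenerate_id(true) call belongs in the password-change handler as well, together with invalidating the user’s other sessions, so that a token captured before the change is useless afterwards.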
Well, there is one fact. After you join the company, they give you some guidelines for using the application. If you follow them, you are safe. But our guys forgot one basic thing: “Applications can be patched, but not human brains.”
I know how to fix those bugs. I’ve told them how to fix those bugs. Twice, they fixed the bugs after a couple of months. The other times, they didn’t even read.