Aug 22

Wondering what that L.. word in the title is? You guys are supposed to use the Google search engine once in a while.

Okay, okay. You really don’t want to search now and find out what the hell that is. What if I give you a couple of hints?

  1. Julius Caesar was a great Roman political leader.
  2. Julius Caesar was one of The Nine Worthies.

Still no idea what’s happening here? Great. That’s what this science was developed for. This science is considered a branch of mathematics and computer science, and it is called cryptography.

The hints were Caesar and Nine. The cipher I used is the Caesar shift, and the shift magnitude is 9. That converts “Cryptography” into “Lahycxpajyqh”. The Caesar shift is one of the simplest and most widely known encryption techniques.
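The shift described above, as an added example that is not code from the post: a POSIX shell Caesar shift that reproduces “Cryptography” into “Lahycxpajyqh” with shift 9, reverses it, and then tries all 26 keys, which is the whole reason a Caesar shift protects nothing.

```shell
#!/bin/sh
# Caesar shift in POSIX shell (added example, not code from the post).
# Letters are rotated by N positions; anything that is not a-z/A-Z is left untouched.
LOWER=abcdefghijklmnopqrstuvwxyz
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ

# rotated ALPHABET N -> ALPHABET rotated left by N (N taken mod 26)
rotated() {
  printf '%s' "$1$1" | cut -c"$(($2 % 26 + 1))-$(($2 % 26 + 26))"
}

# caesar N TEXT -> TEXT with every letter shifted forward by N
caesar() {
  printf '%s' "$2" | tr "$LOWER$UPPER" "$(rotated "$LOWER" "$1")$(rotated "$UPPER" "$1")"
}

# uncaesar N TEXT -> undo a forward shift of N (a backward shift of N is a forward shift of 26-N)
uncaesar() {
  caesar "$(( (26 - $1 % 26) % 26 ))" "$2"
}

# brute_force CIPHERTEXT -> all 26 candidate plaintexts; the key space is so small that
# recovering the message without the key means reading 26 lines and picking the English one
brute_force() {
  n=0
  while [ "$n" -lt 26 ]; do
    printf '%2d: %s\n' "$n" "$(uncaesar "$n" "$1")"
    n=$((n + 1))
  done
}

caesar 9 Cryptography; echo      # Lahycxpajyqh, as in the post
uncaesar 9 Lahycxpajyqh; echo    # Cryptography
brute_force Lahycxpajyqh
```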

Now, coming to Alice and Bob. Those names were first used by Ron Rivest while presenting one of the most famous encryption algorithms, RSA. Well, about RSA: it’s an encryption algorithm which uses two big prime numbers to encrypt as well as decrypt data. The bigger the primes, the more secure it is against attacks.

All crap apart, coming to daily-life usage of encryption and decryption. You guys might be sending some mails. Some of them would be very personal. You might know that mails go through several servers, and some server admin can just read your mail. How do you make sure that your mails are read only by the person who is intended to read them? Well, the process is easy, but it has to be mutual. Both the sender and the reader must know about the process.

What’s the best/easiest method of doing this? (a.k.a. the method I use)

  • Download GPG (GNU Privacy Guard)
  • If you are scared of the command line, then Gpg4win would be a better option
  • Create a new keypair
    • Private Key for yourself
    • Public Key for everyone else
  • Generate a revocation certificate for your public key (if you forget your password or if your private key is lost, this certificate is used to tell people that your public key is no longer in use. It can also be used to verify your signature)
  • Give your public key to people who mail you (so that they can encrypt their mails)
  • Use your private key to decrypt the encrypted messages.
  • You can also use your private key to sign your messages, and readers can verify that the message was sent by you.
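The steps above as one runnable shell session, added here as an example; it is not code from the post or from the GnuPG project. It assumes gpg 2.1 or newer, uses the placeholder identity “Alice <alice@example.com>”, and keeps everything in a throwaway keyring so your own keys are never touched. Note that readers verify a signature with the public key; the revocation certificate is only for retiring the key.

```shell
#!/bin/sh
# GPG keypair workflow (added example, not code from the post). Everything happens in a
# throwaway keyring under a temp directory, so your real ~/.gnupg is never touched.
# "Alice <alice@example.com>" is a placeholder identity; gpg 2.1 or newer is assumed.
set -e
command -v gpg >/dev/null 2>&1 || { echo 'gpg is not installed' >&2; exit 0; }
GNUPGHOME=$(mktemp -d); export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
ME='alice@example.com'
MSG="$GNUPGHOME/msg.txt"

# 1. Create a keypair. The private key stays in the keyring; the public key is exported in step 3.
#    An empty passphrase is used only so the demo runs unattended; protect a real key with one.
gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Alice <$ME>" default default never

# 2. Revocation certificate: gpg 2.1+ writes one at key creation. Move it somewhere safe and
#    offline; it is what you publish if the private key is lost or compromised.
ls "$GNUPGHOME"/openpgp-revocs.d/*.rev

# 3. Export the public key to hand to people who mail you (or to upload to a key server).
gpg --batch --quiet --armor --export "$ME" > "$GNUPGHOME/alice.pub.asc"

# 4. A correspondent encrypts to that public key (same keyring here, for brevity).
printf 'meet me at noon\n' > "$MSG"
gpg --batch --quiet --yes --trust-model always --recipient "$ME" \
    --output "$MSG.gpg" --encrypt "$MSG"

# 5. Only the holder of the private key can decrypt it.
decrypt_msg() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt "$MSG.gpg"
}

# 6. Sign with the private key; readers verify with the public key (not the revocation cert).
gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
    --output "$MSG.asc" --clearsign "$MSG"
verify_msg() {   # prints 1 when gpg reports a good signature, 0 otherwise
  gpg --batch --status-fd 1 --verify "$MSG.asc" 2>/dev/null | grep -c '^\[GNUPG:\] GOODSIG '
}

decrypt_msg      # meet me at noon
verify_msg       # 1
```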

With all those GUIs and browser plugins (for FF) that are available, the entire process is made so simple. Just right now, I’m not doing anything of very high confidentiality, and I really don’t want others to think that I’m paranoid about security by forcing them to verify my signature or encrypt their mails.

PS: If you are sending a love letter, I know that you really don’t want anyone else to read your email .. even then, DO NOT ENCRYPT the mail, even if you find the girl’s public key on a key server. Not every girl is an Alice who would prefer to decrypt a mail before reading it ;)

BTW, a public key server is a server where people upload/publish their public keys.

Aug 20

Life is good. It’s so good that I’m happy with everything that’s happening around me. I’m happy for clouds showering on my head as soon as I enter heavy traffic where I can’t stop or find shelter. I’m happy for my boring life to think about silly things. One of those silly things is one silly bug that crept into one advanced application in a Great Company.

It’s not about ‘a’ project among thousands of projects. It’s about one project that is actually common to every person in our company. A web application to which you get access even before you get access to your company email ID. In fact, your email ID selection can be done only through that application.

What’s good about that application? Well, it’s cool. It’s complicated. It’s advanced. It makes my work easy (almost :P, at least I don’t have to run around carrying papers).

What’s bad about that application? Silly messages. Yes. Very silly messages. If you press “ctrl” or “alt”, you will get a message box telling you “You are not allowed to press that button” .. What .. WTF?? I’m not allowed to press a button on my keyboard??? Come on dude. It’s the heights of “being secure”. Well, yeah. A person who has just started using a computer can certainly think that the application is so secure that it even detects my key presses.

Yeah, as a person who uses computers a little more than an average computer engineer, I found that .. the exoskeleton of the application is so weak that any kid can break it. There are some basic principles in coding a web application. I’ve no clue whether they’ve followed every principle or not .. but they missed principle numero uno.

What is that? They send the password back to my browser. WTF??? Yep. They send the password back to my browser, unaltered, unencrypted. Just plain 0xPassword, thinking that no user will press other buttons when they tell him that he can’t press certain buttons.

So, that’s the only bug that has crept in? Well, the answer is no. There is a whole family of bugs inside that application.

They use one 32-letter word (*cough* *cough* it’s a hash) to log in to a certain place in the application. Guess what’s funny? That word is the same for you throughout your time. It’s not changed even if you change your password for that application. If someone grabs it, you can never help it.

If the above one was funny, this one will make you laugh even more. They transmit your username and password as variables using HTTP GET. Which, in other words, means that if you use a proxy and access this application, even though they use SSL, the proxy admin can see your password, as the URLs themselves are not encrypted. WTF, in our company we use a proxy all the time!!! Which means my admin can see my “secret” password if he wishes!!!

Application coders can fight with me: come on dude, we’ve implemented sessions so well that if you don’t do anything on the application for some time, your session will expire and we take you to the login page automatically. My response to that would be .. Wow, I’m speechless. Many users. Yes, I do mean many users of the application forget to log off, leave the browser window open and leave. Which means that their session has expired, but the window is just showing the dead “session” there in the browser. But our coders forgot Rule Zero: any browser, on hitting the refresh button, will resend the HTTP query. I just pressed the shift button and refreshed the browser. Tada!!! My browser asks me whether to resend that data. Here DATA is my username and password. If I click on Yes, my dead session will get renewed and, using bug one, I can find the password.
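A defender’s check for the two transport bugs above (credentials sent as GET variables, and the never-changing 32-character hash), added here as an example and not code from the post or from the application in question. It runs over a few constructed access-log lines: query strings end up in server logs, browser history, Referer headers and the logs of any proxy that sees the request in the clear, so the script flags such requests and shows how to redact the values before logs are retained.

```shell
#!/bin/sh
# Log check (added example, not code from the post): find requests that put credentials or a
# long-lived token in the URL, and show how to redact such values before logs are kept.
# The access-log lines below are constructed; the hash-like token is a made-up value.
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
10.1.2.3 - - [20/Aug/2008:09:12:01 +0530] "GET /portal/login?username=jdoe&password=Hunter2 HTTP/1.1" 302 0
10.1.2.4 - - [20/Aug/2008:09:12:44 +0530] "POST /portal/login HTTP/1.1" 302 0
10.1.2.3 - - [20/Aug/2008:09:13:10 +0530] "GET /portal/home?token=0123456789abcdef0123456789abcdef HTTP/1.1" 200 8812
10.1.2.5 - - [20/Aug/2008:09:14:02 +0530] "GET /portal/search?q=password+policy HTTP/1.1" 200 1200
EOF

# creds_in_url LOG -> GET requests whose query string carries a credential-named parameter.
# Anything here is readable by every log owner on the path (proxy, server, browser history).
creds_in_url() {
  grep -E '"GET [^" ]*[?&](user(name)?|login|pass(word|wd)?|pwd)=' "$1"
}

# fixed_tokens_in_url LOG -> GET requests carrying a 32-hex-char value, the shape of the
# never-changing hash the post describes; a real session token belongs in a cookie and rotates.
fixed_tokens_in_url() {
  grep -E '"GET [^" ]*[?&][A-Za-z_]+=[0-9a-f]{32}([& ]|$)' "$1"
}

# redact LOG -> the log with credential values masked, so that a leak into the URL at least
# does not persist in the log file.
redact() {
  sed -E 's/([?&](user(name)?|login|pass(word|wd)?|pwd)=)[^&" ]*/\1[REDACTED]/g' "$1"
}

echo '== credentials in URL ==';   creds_in_url "$LOG"
echo '== fixed tokens in URL ==';  fixed_tokens_in_url "$LOG"
echo '== redacted log ==';         redact "$LOG"
```

The real fix is to carry credentials in a POST body over SSL and to issue a fresh, expiring session token at every login and password change; redaction only limits what the logs retain.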

Well, there is one fact. After you join the company, they give you some guidelines for using the application. If you follow them, you are safe. But our guys forgot one basic thing: “Applications can be patched, but not human brains”.

I know how to fix those bugs. I’ve told them how to fix those bugs. Twice, they’ve fixed the bugs after a couple of months. The other times, they didn’t even read.