Category Archives: Google

John Smith’s younger brother, Adam

Update: Youtube has revived my video. you can now watch Webcam Clickjacking as much as you like. —

Remember ClickJacking? The generic flaw in web browsers and HTML. Remember Webcam Clickjacking? My PoC showing how this flaw can be used to take control over a victim webcam and mic.

Well, my PoC, to my surprise, created a lot of buzz when I published it and the related youtube video got 1,220,966 views – most of it from its first day.

view_count

Yesterday I got an email from youtube titled “Video removed – Copyright Infringement”. At first I thought it’s just another spam mail, but looking inside it and than trying to watch my video gave me an alarming red webpage, with the bold text “This video is no longer available due to a copyright claim by Adam Smith.

WTF, what copyright shmopiright, my video has no sound and barley a screen capture of my mouse. In-fact I sometime claim it to be the most dull video with the most views.

My immediate suspect was Adobe, but it made no sense, if they wanted to, they should have done it when it was hot. Than again sense and Adobe legal dept’ doesn’t always go together. flashObject anyone?

Googleing for such a generic name as “Adam Smith” gives about 3,570,000 results, apparently it’s more generic than “John Doe”. Googleing for “Professor Adam Smith” from adobe gives some possible options but it’s still not informative enough and too vague.

So who is this MR. Generic claiming I’ve stole his precious copyrights. Maybe he’s just a fake dude trying to annoy. Even if he’s real, I guess when you have such a generic name you don’t care to be hated, nobody is gonna correlate your face with your name anyway.

Anyhow, I’ve filed a counter-notification and hopefully the video will be up again soon. Even if it won’t, I’m sure it’ll appear in some other places.

There is a lot of info regarding “my video was removed from youtube” just google it, if you need to.

There is a lesson to be learned here, one should never trust google, and alike with their important assets. It can get shut-down in an instance. Personally I don’t care much about this video, I didn’t get a dime out of it and its heydays are long gone. But, there are cases where people lost all of their income one day since google removed their blogspot hosted blog, for example.

If you want full control over your videos and such, you should be hosting it yourself, and on some remote island. Than again, they still be able to cut your cable.

I just wonder where the hell is the decentralized web?! Too few people are controlling too much stuff.

Encode and Decode URLs in Python for Google Appengine

While developing in Python for Google Appengine you’ll might want to encode or decode URLs. Sounds like a simple task, as it is in many other languages. Somehow in Python 2.5.x which is the version supported by appengine, it’s not as straight forward, at least it wasn’t for me. There are tones solutions, suggestions and examples out there, not all work as expected.

After some trial and error it finally worked:

import urllib

text = 'some text'

#decodeURI
text = urllib.unquote(text.encode('ascii')).decode('utf-8')

#encodeURI
text = urllib.quote(text.encode('utf-8'))

Might spare you some time.

If your gonna work with unicode on your appengine app than your in for some other troubles. This presentation, and this article (and its comments) might help a bit.

Now the world is gone, Nexus one

My Nexus has finally reached it’s final destination. It travel all over the US and some other countries switched 5 hands, before ending at it’s new home, and into my arms :)

It was a lengthy and cumbersome process for one to order a Nexus one. I wouldn’t have imagined it will take so much. Special thanx goes to the special girl that coordinated the delivery.

In order to order the Nexus I had to use a proxy, as described in here. proxz.com seemed good enough. On my machine I had an issue with an anti-virus blocking proxies. Shutting down or uninstalling the AV required a password, so I had to tweak the registry in order to remove it.

I’ve paid for a 1 month US proxy from proxz, to go on the safe side. I didn’t care so much for my credit card to be stolen, anyway it’s insured. But for my google account I’ve changed the password, just in case. Loosing my gmail seems much more dangerous than loosing my CC.

I’ve pimped my Nexus with some ASCII art:

my_nexus_ascii

Beside a few tiny glitches it seems great so far. The new software update is immediately installed so I don’t have to suffer from a missing multitouch.

Many things to do now, need to play with openplug, though their best sample TweetMWC looks only OK. And where is that Flash 10.1 I was promised?

Flash vs HTML5 vs Adobe vs Apple

Disclaimer: I’ve written this post a few days weeks ago when I was a bit pissed, so it has some ranting-ness in it. I do have a soft side for Flash, but, as I said before – technologies never cry, and I will use whatever is the best for the job.

The last buzz about “Flash is dead” really came out of proposition. All of these blind followers, blood-thirsty, warmongers that never seen an HTML tag or know what each these technologies can do, worshiping their new king HTML5, and are just shouting “we conquer video”, “kill kill”…

The fact that the colorful-kindle /slash/ enlarged-and-disabled-iPhone doesn’t have Flash, is important, but the reactions are completely exaggerated. I think Adobe should have stayed nonchalant about it which could might have lowered the flames. Anyhow, it’s easier to say in retrospect.

(Flash) Power to the people:

If you look at the short history. Flash enabled utterly amazing things on the web in times when static-ness and ugliness ruled. The problem is that it was too easy to create. All of a sudden un-capable people could have created “amazing” things. The fact that Flash could be abused so easily is part of what make some people hate it.

You can expect for HTML5 to be abused if it’ll be as accessible as Flash. That means, if tools like the Flash IDE and others will enable publishing to HTML5. Than again you can expect it to abuse either way.

RT @iainlobb “Flash developers of the world: unite and make terrible HTML5 banner ads that grind CPUs and crash, just to show that the grass isn’t greener”

The fact that things can be done differently doesn’t necessary mean it will. Most of what Flash can do, can be done long ago using Javascript and HTML (old buzzwords omitted). Actually Flash and Javascript developers can relatively easy switch, since the languages were almost the same on the older versions of Actionscript. Even the glitches were copied from JS. And anyway the main thing that matter is thinking interactively, like a Flasher do. With HTML5, the capabilities of the two technologies are even closer. But, the challenges of developing complex Javascript application are sill far greater, It’s still  the same old language, more error prone and more difficult to architect. I don’t see how an online game developer, for example, will want to develop her games using HTML5. In fact I’ve yet seen a decent, non experimental, online game written in Javascript.

To think that all of a sudden Flash will disappear, is nonsense.

RT @leebrimelow “You all better head immediately over to the FWA and check out your favorite Flash work. It may all be converted to HTML 5 by the morning.”

Even if we declare Flash as dead today, it’ll be a very lengthy process measured in years at best. And since, yet again, Flash isn’t dead yet. It has all this time to reinvent itself, Adobe should use this time wisely.

If you tell me you don’t use Flash, you’re basically telling me that you have never seen a video or played a game online?!
How about a nice colorful animation, or maybe neatly looking fonts done in sIFR, than you must install Flash and start experiencing the web.

Apple and the sealed garden:

There is something annoying about Apple arrogance, but, I have to say that what almost killed Apple in the past, is what making it so successful right now. More than 20 years ago when apple wanted to control everything on her PC (yeah right it’s called Mac) most users were savvy users who wanted full power. Usability, reliability and all of these great things Apple invented weren’t as important. Today is the grandpa era where consistent quality is a key.

Steve Jobs is so convincing that I almost believed him that he disallow Flash on the iPad to protect grandpa from a crashed browser – but I don’t. No one will deny that Flash has some issues, but it’s an integral part of the current web and wouldn’t be as such if it was just causing the browser to crash. Click-to-active could have been used to solve all of the real and unreal Flash issues.

Robert N. Lee “If somebody wants you to give up what you’ve got now in exchange for the promise of something way, way better later, you’re being screwed and not in a good way. This is pretty basic.”

Flash on the iPhone, for example, would enable full VOIP applications to run from the web-browser (i.e. ribbit). Google voice iPhone application , could have leverage it instead of just allowing cheap callbacks. Allowing this kind of freedom is unthinkable for Apple.

But Apple might be loosing it, again they want too much. Apple moved from making computers for a very small niche market of mainly tree huggers. To a very powerful and successful company reinventing the smart phone market completely. Again it might blow in her face, Google might come and bite you with her don’t be evil bullshit ;)

BTW, grandpa don’t want multitasking either, thumbs-up for that as well, Apple (no pun intended).

Adobe is evil too:

I still remember how many many years ago Adobe asked you to snitch on your friends that uses pirated software, and by doing so, to become Robin Hood. Yeah you heard it, this was their fight on pirated software. It’s OK to fight piracy but, how is that comply with the original story?! After reading the article about the old management I can see where it might came from.

RT @aral: “Remember that Adobe was on the edge of irrelevancy on the web and non-existent in mobile when they bought Macromedia.”

The question, “should we support Adobe and her proprietary Flash instead of the open standards?”, is somewhat misleading. Adobe is a big girl she should take care of her own. The question is – can they really make it? can they really reinvent Flash and the web yet again?

The idea that everything that is open is immediately good, is also misleading. There’re a lot of financial interests in openness. Many companies base their business model over open-source and openness. Preaching for open standards doesn’t immediately make you a saint.

Adobe might be an heavy/old corp, after our hard earn money. But, I can tell you, it does seems like they do have some nice, talented and community aware people when it comes to Flash. And compared to Apple, Adobe is like the Shangri-La of openness.

The last  bash against Flash might help to push Adobe to polish the player, if Adobe can afford putting even more resource on it. Either way it won’t be on the iStuff.

Yeah, but, HTML 5 is a standard and not a proprietary black box like Flash:

We all know users don’t care about the format, they just want the experience. Believe it or not, developers don’t care much either, they just want the power to get the best result, in our case power is IDE and runtime. The pain of delivering a truly cross-browser HTML is not something to be desired. Flash is still the best way to deliver rich interactive ubiquity.

And besides, HTML 5 may be a standard, but you’ll still be running it in a proprietary runtime, the browser.

The browser wasn’t chosen to be the ultimate way to deliver new and cool applications because of it’s wonderful capabilities. It became as such because it’s the lowest common denominator. Maybe it’s time for a better lowest common, Flash was a step in the right direction, maybe we’ll be better with something more powerful like Steam. Actually the browser was also “chosen” because it’s very easy to create content for it.

For the developers, I don’t think it really matter which technology to use. All these idiots developers who couldn’t handle Flash and are now gloating and think they will be able to easily create beautiful interactive content – all will be disappointed. (you know who you are, yeah I meant you personally ;) )

Thing are prone to change relatively quickly in our times. The only fact that I can squeeze out of this, is that Flash is still the prominent force of interactive-ness on the web and will remain as such in the foreseeable future for sure.

Pitfalls to avoid when installing Magento on XAMP

Magento is a PHP open-source online shop platform built to scale, so they say.
XAMP is the best way to develop PHP locally on your machine. It gives you an easy to run and configure Apache, MySQL and few other stuff.

The new Magento (1.3.2.4) doesn’t completely support PHP5.3 and above. The last version of XAMP 1.7.3 comes with PHP 5.3.1. Because of that the installation might have some errors. Luckily there are some workarounds.

Generally the Magento on XAMP installation manual is fine, but, here are some of the common problems that might occur:

If you get this error:
Fatal error: Method Varien_Object::__tostring() cannot take arguments in /magento/lib/Varien/Object.php
Go here.

If you get this error:
Parse error: parse error, expecting `’&” or `T_VARIABLE’ in C:libVarienObject.php on line 498
Its because you copy and pasted the code from the previous link and "an apostrophe is used in the end of the lines instead of the single quote"
(From comment 13 in the previous link)

If you get this error:
Unknown error (8192): Function split() is deprecated in ….
in the frontend or
Unknown error (8192): Assigning the return value of new by reference is deprecated in …
in the connectManager.

Follow the instruction in here. (part of it is the same as the afford mentioned)

If installation goes fine but you can’t login into your admin: (It’s a cookie issue)
Add this to your c:windowssystem32driversetchosts file
127.0.0.1        magento.localhost.com www.localhost.com
Browsing to magento.localhost.com/magento worked for me.
More info

just in case –> to edit the hosts file on vista/win7 -> right-click on notepad –> run as admin… –> open the file.

Generally there is a chance that the installation won’t be smooth,
but don’t give up cause it seems that every issue has already been solved by someone out there.

Just google it!

Has my blog got hacked again?!

I was checking my email when all of a sudden I saw this email “New WordPress Blog”. I didn’t remembered adding, updating or doing anything with my blog. I thought about it yesterday though. Could it be that WordPress is so smart and read my mind.

Something was fishy, I’ve already experienced the fact the WP can be hack-able sometimes. I rushed to backup and remove the blog, before the hackers will start messing with me and my visitors.

I was already FTPing when it came to me, even if it was really hacked no need to rush about it, I’ll try to find out what happened.

And indeed google gave the quick answer that if the option database table get corrupted, somehow it gets, WP behave as a new install.  You only need to repair it from the phpMyAdmin, that’s it %)

Anyway it’s time to redo things in my blog, but without the rush.

The moral is always “google it” before you jump to any assumptions.

Google Hackathon was hacked

Two days ago, the first Israeli Google Developer Day was held. It was a colorful and interesting event, to the best of google tradition.

Yesterday, all attendees got an email saying that an unauthorized network activity was detected.

“We identified unauthorised activity on the public wired Ethernet network which was provided by the convention centre for conference attendees to access the Internet.”

Beside the interesting lectures there were two code-labs or hackathons going on. The first thing that came to my mind when I saw everyone are connecting their laptops, wirelly and wirelessly, is that someone will abuse this for some king of Man in the middle attack. But for some reason I thought that since it’s google, they won’t let something like this to happen.

Just minutes before, I asked the google experts over there, which are very nice and professional in there own fields, about the GMail Frame Injection issue. I wasn’t accusing anyone just trying to raise a discussion about it. It seemed that no one knew about it and no one really cared. The suggestion I got was that I should report this somewhere in the GMail website. But, it’s already been reported, I protested.

I should have understood by this, that security isn’t the first priority of these uber geeks.

Maybe we’re expecting too much from google, they’re just the greatest company they’re not gods.

Anyhow I wasn’t hurt by this since I don’t transfer sensitive non encrypted data in these kind of places. And it might be that google is just covering themselves just in case someone got hurt. And most users weren’t really affected.

On a side note, I’ve allowed myself to “analyze” the google dev crowd, I’d expected them to be in higher level then, for example, the Microsoft crowd.

Indeed, in a rough inclusion, the google crowd is much geekier and also much more nerdish, as opposed to the Microsoft crowd, especially here in Israel :D. It can be said that MS is much more approachable and that they create tools that anyone can use, or that MS is aiming to the lowest common denominator, or that everything is political. I don’t care. All I know is that I don’t feel belonging to any of these. The google crowd is too smart nerdish and MS crowd is too… how to say it politely… too stupid common.

I’m somewhere in the creative outskirt, I’m in the Flash crowd :)

P.C. Not that it’s anything wrong about it to be a common .Net developer, a lot of my best friends are .Net developers ;)

Adobe fight fire with fire

Recently Adobe has been needing to deal with a massive force attacking its main domain of dominance, we can call this domain – the highly interactive web or RIA. I don’t refer to Microsoft SilverLight which is supposed to compete with Adobe Flash on the same ground, but to the brutal MS marketing machine. This machine can make every boy and girl blindly recite fallacious facts and numbly say things like “Yeah, but, SilverLight is search engine optimized”.

It took Adobe some time to understand what it is dealing with, and I think I’ve noticed a change in their PR brutality lately, generating big PR out of small things.

This last SEO announcement from Adobe, which claim that Flash will be more searchable by search engines, might have some substance in it, as opposed to the similar one from Microsoft, but, it’s still mainly a marketing battle. I just hope it doesn’t take too many resources out of the real development of the products.

Google were probably working on their own humanoid crawler that has a broader vision then just the Flash Player and can work with any RIA applications even if its written in AJAX or SilverLight. Apparently searching and indexing RIA is not an easy thing to achieve, and it doesn’t seem that even google has managed to do it yet.

The main problem of indexing Flash websites or any other RIA website, is to understand the context of the data and then link to it directly, aka deep linking. The fact that google can now read the text from within Flash even better then it did before, don’t yet solve that problem.

Even so, it doesn’t mean that we shouldn’t be optimistic, and there is a possibility that this will improved the indexing of Flash content. We’ll have to wait and see.

My blog has been hacked

The first part of an hacker’s job would be to gather some information about her target, server, technology and software that runs on the desired target. With Worpress all is needed is viewing the html source to see the “<meta>” tag that describes what version of WordPress is currently running and how vulnerable it is. Attackers scan/google this automatically along with other parameters to see what blogs they likely want to hack.

I have always saw the updates in the Worpress dashboard and always stupidly ignored it, thinking, who would want to hack my blog?! I should have known that a PR of 7 is very appealing to the spammers. But even if you don’t have any PR or have very low traffic it doesn’t mean that you’re safe from being hacked and it’s been reported that very new and unpopular blogs has been hacked as well.

The attackers have managed to use an old exploit in my blog, a very old one, and polluted my blog with thousands of spamming pages, all hidden in some obscure folders. One of the first things I’ve noticed was some strange traffic is going into my blog, mostly from unrelated blogs which showed no indication of linking to me. Only when looking inside their HTML source I saw its hidden links to me. I’ve realized that I’m part of a zombie network of hacked blogs and splogs all for the sake of generating spam money. I’ve informed some websites that they were probably hacked as well, and I still found new websites that have hidden links to my blog and probably been controlled as part of this spammer network. This is an indication that the attackers work is far from perfect and probably not fully automatic, as they still don’t know I’m out of it, and still link to me.

Servers these days have become (relatively) very secure, securing it has become mostly a plug and play, you plug your firewall, you plug your security software suit and your almost done. (I don’t wanna disregard any IT and their hard work, but you get the point). Attacks vectors needed to be changed into exploiting the developer’s code and the end user, as these are the most error prone areas these days. As such, it became the developers responsibility to not only write a compiling code but also write a secure code. As for the users, they still shouldn’t be expected much and allowed to be very dumb. Its not sure yet if developers can be expected to always produce a safe code, WordPress is created by highly talented developers and still all of it’s security flaws were due to insecure coding. I’ve heard this being compared with an old development problem, which is, producing optimized code, that problem was never completely solved. Currently developers don’t have sufficient tools and resource to overcome these problems. One can only hope that in the same way that viruses has lost their strength over the years this will be the same for these kind of attacks. We can only wonder what will be the next generation of attackers, maybe the end users will become the only reasonable target.

The first lesson here is to always upgrade your blog. Although this can be tiring process, with updates coming all the time, it is must be done. The WordPress update process itself is very easy and fast and I really encourage you to do it the minute a new version is available. You might want to be assisted by this auto upgrade plug-in.

What is described here is mostly about the WordPress blog platform but this is far from being the only massively used and attacked open-source web application.

Finally I would like to try and coin a new phrase. The same way we were introduced by the developer who can also be a designer named – Devinger. I think it time to introduce the Safeloper. The Safeloper is a developer that has the tools and knowledge to produce secure programs. ;)

I guess we should always expect to be hacked and always backup.

How to find out if you’ve been hacked:

As opposed to old school Internet hacking, where the attacker main goal was to make a name for herself and that the attack would be known and published. In this new kind of hacking the attackers main goal is to make money through spam, and as such their last intention is that the owner of the hacked website will have any clue that she’s been compromised. You might get weird increase or decrease in traffic and the google PR might drop a bit, but, you won’t see anything completely different unless you’ll look for it.

Simple as that, view source and search for spam words like cars, montage, pharmaceutical, etc’.

look at traffic to your blog – If you see some strangely unrelated blogs linking to you there is a good chance you’ve been hacked and used as a splog. Go to the suspect blog and view its source for hidden spam links to you.

Look at the google search traffic to your blog – The latest exploit, also known as the anyresult.net hack, is a way to steal google result of your blog. Clean all cookies, search yourself in google, if a link to your blog is redirecting to another web-site then you’ve been hacked. Clean your cookie again and do this a few times to be sure.

Make Sure Your WordPress is Not Hacked – some more info.

What to do if you’ve been hacked

I would suggest to backup everything from your blog including all the file folders and database and then do a fresh install of the new WordPress (Currently 2.5.1). To backup the folders use an FTP client, the DB backup is generally done from the website’s control panel or from the WP admin. Only after the fresh install, start adding all the customized stuff like themes and plug-ins checking each and every one as you add it, you should even check the images. When it comes to the plug-ins your better off re-downloading it.

Change your blog password and all of the blog registered users passwords, make sure all the users are valid and not some hacker created. It’s better not to use WP for user registration as this is a source for a lot of the previous exploits.

How to prevent your blog from future hacks

Always install updates – It’s fast and easy

Remove the Generator Meta tag – WP shows its version number inside the HTML. If existed it’ll help the hacker to know how vulnerable you are.

Put empty index.html files inside the WP pligins folder and any other folder that don’t have an index file. it won’t stop anyone, but, will give the attacker a harder time understanding the structure of your blog and what plug-ins you have installed.

Monitor your files for changes or use some kind of script firewalls

Install only trusted plug-ins

More Resources:

Did your WordPress site get hacked? – More info about the structure of the Wrdpress attacks and how to prevent them, written by one of the WordPress people.

Patching the WordPress AnyResults.Net Hack – Describes how to fix the latest WordPress exploit, which is found on WP 2.5 or earlier, it was fixed on WP 2.5.1 but, updated blogs aren’t automatically fixed if it were already exploited. This exploit redirect search engine results of your website to anyresult.net. More, more and more.

File change notifications for your WordPress blog on Linux – A good explanation on how to monitor files changes on your blog. This way you’ll know when a hacker have managed to change or add files. The problem with it, is that it’s recommended not to monitor the cache folder, because it’s constantly being written by WordPress. Hackers are also aware that this folder is difficult to monitor and it’s where they put their malicious files.

Firewallscript WordPress Firewall – Commercial (85$) firewall that runs on the php script level without the need of installing it on the server itself, and hence good for shared hosting. It’ll monitor files for changes and more.

Munin A PHP application firewall – The same as above just free and open-source.

WordPress exploit: we been hit by hidden spam link injection – More information on how to deal with hidden spam link injection

Won’t publish posts anymore – A less common hack that prevent you from publishing into your own blog.

How to Protect Your WordPress Site

9 easy ways to secure your WordPress blog

10 Ways to Secure your WordPress Install

Almost Perfect htaccess File for WordPress Blogs

When Patches are the Problem – Apparently automatic security updates isn’t a perfect solution either.

Security through visibility: The secrets of open source security – WordPress is open source, is it really make it less secure?

RIA on the mobile phones and small devices

Flash, SilverLight, Android, JavaFX, QT and the iPhone. Seems that everyone wants to redefine our mobile phone, the ultimate device/gadget of all time. I’ve written a summary of the latest advancement in the area of rich mobile applications.

Read it here.