Monday, June 10, 2013

just about a month in the new company..........

On May 15th, I had completed one month with Lister. I was going to write a post at that time but I hadn't done anything substantial apart from attending day long inductions and spending time getting to know things. Now that I've started checking in code on a regular basis, I feel now's the best time to share my experiences and to pause and reflect on my days so far.

I am not doing anything different.

To begin with, I am not doing anything different from what I've been doing in my previous companies [1, 2]. In my previous roles, I was more of an individual contributor who takes up a requirement, codes and commits the changes against the said tasks. Even now, I am doing the same thing but within the confines of a team.

The team here uses a number of open source tools and frameworks [1, 2, 3] and I get to play around with them. Learning my way out. This part of my job is the most exciting to say the least.

Small Company

Like I had mentioned here, it's a small company. Everybody knows everybody kind of an environment. It's been just over a month and within this span of time, I'd come to know about many teams (at least in my bay), where they'd studied, where they'd worked previously, without me having to put any extra effort. Feels good to get to know people.

Commute is grueling

I spend 4 hours on a daily basis commuting. And by the time I reach home, I think about nothing but hitting the sack so that I can get some sleep before starting it all over again. But the good part – I am able to spend time reading books. I have read 2 books [1, 2] this month and I am gonna finish another one. If you look at it, it might appear as if I've been given the gift of time. :) Time almost comes to a standstill when I'm traveling. ;-)

To sum up

Apart from the work, I have been keeping myself busy reading stuff and trying out things that are out of my comfort zone and documenting things here. Things are pretty nascent at this stage and once they take shape, I'll share more with you guys.
Overall, I wouldn't say that I am disappointed but at the same time, I have started worrying about this - What if I get a comfortable hold of the open source frameworks and tools I use? What next? Will it become monotonous? How am I going to keep myself engaged and psyched?

But at the moment all I can do is to hope for the best.

See you soon. :)

~ cheers.!

Thursday, June 6, 2013

tneb - js vulnerability

This morning, I stumbled upon this link via FirstPost. It got me thinking how vulnerable sites are and how we, as the users are at risk. A few months ago, I happened to find out a similar vulnerability in TNEB's online payment portal.

Disclaimer: I am not a hacker and I don't go around snooping HTTP requests. I don't spend my time trying to break firewalls. All I do is, I look around. I observe how people build sites. I make a mental note of what I would do if I were asked to build the same site. That is all I do. More than anything, I am bored and these are the things that keep my boat afloat. ;-)

Anyways, here are my findings.

- Easy access to the script which validates user login. Right click + view source + look for login_validate.js. I don't see any reason for NOT minifying resources. Markups, I can understand. But .js and .css can be minified right?

- On submit, if you look at the form closely, you'll find that the password is encrypted before it's sent over the wire. You'll see the increase in the no. of characters.

- Pretty naïve way to encrypt the password. Very old school.

/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
// I don't know what the heck this comment means.
function encryptPassword(){
    var password = new String(document.getElementById("password").value);
    var length = password.length;
    var encyPassword = new String("");
    for(var i=0;i<length;i++){
        // add 74 to char code
        var temp = parseInt(password.charCodeAt(i))+74;
        // pad with zeros if the no. of digits is < 4, which is true for almost all keyboard characters
        encyPassword = encyPassword + pad(temp,4);
    }
    //<input id="password" type="password" name="j_password"></input>
    // set it back so that user will see a visible change in password field in the UI.
    document.getElementById("password").value = encyPassword;
    return password;
}
function pad(num, size) {
    var s = num+"";
    while (s.length < size)
        s = "0" + s;
    return s;
}
 

- Even worse, sending the password as plain text in the POST request. Although HTTPS secures the communication to an extent, leaving the encryption logic open makes it kind of moot.

- This piece of code works for most of the passwords. And it took under 10 mins. A professional hacker might even crack this just by taking a look. 

function decrypt(password)
{
    // assumes every 4-digit block starts with "0" and contains no other zero
    var pwdArr = password.split("0");
    var c = "";
    for(var i=1;i<pwdArr.length;i++)
    {
        var code = pwdArr[i] - 74;
        var n = String.fromCharCode(code);
        c = c+n;
    }
    alert(c);
}
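As an added example (not the portal's code and not from the post above), here is the same character-shift scheme re-implemented without the DOM so it runs in Node, paired with its exact inverse, plus a copy of the split("0") shortcut above to show where that shortcut breaks. The names obfuscate, deobfuscate and splitBasedDecrypt are mine; the +74 shift and 4-digit padding are taken from login_validate.js as quoted in the post.

```javascript
// Added example; mirrors the logic of encryptPassword() from the post,
// minus the DOM, so the transform can be studied on its own.

// Each character's code point + 74, left-padded with zeros to 4 digits.
function obfuscate(password) {
  let out = "";
  for (let i = 0; i < password.length; i++) {
    out += String(password.charCodeAt(i) + 74).padStart(4, "0");
  }
  return out;
}

// Exact inverse. The output is fixed-width, so slicing every 4 digits
// recovers each character. No key is involved at any point, which is
// why this is an encoding, not encryption: anyone holding the script
// (or just a few input/output pairs) can reverse it.
function deobfuscate(encoded) {
  if (encoded.length % 4 !== 0) {
    throw new Error("malformed: length is not a multiple of 4");
  }
  let out = "";
  for (let i = 0; i < encoded.length; i += 4) {
    out += String.fromCharCode(parseInt(encoded.slice(i, i + 4), 10) - 74);
  }
  return out;
}

// The post's decrypt() splits on "0" instead of slicing fixed blocks,
// so any character whose shifted code contains a zero breaks it:
// space is 32 + 74 = 106 -> "0106", which split("0") turns into "1"
// and "6". The same happens for '8' (130), 'B' (140), 't' (190), '.' (120).
// Reproduced here (returning instead of alert()) for comparison.
function splitBasedDecrypt(encoded) {
  const parts = encoded.split("0");
  let out = "";
  for (let i = 1; i < parts.length; i++) {
    out += String.fromCharCode(parts[i] - 74);
  }
  return out;
}
```

Running deobfuscate over any value captured from the form field gives back the original password directly, which is the practical meaning of "leaving the encryption logic open makes it moot".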

What do you think? I would love to hear from you guys.
Happy Coding :)
~ cheers.!

Monday, June 3, 2013

Shutting down Live Score Card Android App

Last year, out of boredom I wrote a Live Wallpaper (Android) which would display the live scorecard. I scraped data from a very popular site.

Wait, allow me to explain. I'd no intentions to steal data. Or, I didn't have any intentions to create something like this.

In my opinion, I followed a proper way

- I tried contacting several teams (sites) asking if they offer any APIs. Many didn't respond and few replied stating that they offer only paid solutions which start at a minimum of 5K per month (* Refer attached mail chain).

- The other URLs that I got from Stackoverflow spoke nothing about restricted access (even their robots.txt said nothing). At the same time, the data that they provided weren't enough to build a fully featured app.

At that point, I thought, "Why let trivial things such as access and data bother app development? Let me finish building it and then I'll decide whether to continue it or not. Anyhow, I'm not going to make money."

All things said, the scraper was pretty lightweight and given the scale of the website, a cron accessing the site and scraping a single page is no big deal (Technically, of course. ;-) ). So, I went ahead and scraped their URL. Apart from a handful of my friends who helped me out with testing the app on their devices, I extensively used it for 3-4 months, and totally forgot about it until recently when I was asked about the app in one of the interviews :D

Now, out of sheer guilt I have disabled the API which pulled data from their site. :'(

Sorry guys.
Nothing personal.

Happy coding :)
~ cheers.!

---
* mail chain

---------- Forwarded message ----------
From: Pankaj Chhaparwal 
Date: Mon, Sep 3, 2012 at 5:51 PM
Subject: RE: RSS Feeds to get live scores
To: karthick r 

The smallest pkg we have is for rs 5000 per month. 

Regards,
Pankaj
 

From: karthick r [xxxx] 
Sent: Monday, September 03, 2012 5:35 PM
To: Pankaj Chhaparwal
Subject: Re: RSS Feeds to get live scores
 
Hi, 
Thanks for the prompt reply.
Please let me know the applicable rates. It'll help me decide. 

Regards,
Karthick.R

On Mon, Sep 3, 2012 at 5:14 PM, Pankaj Chhaparwal  wrote:

Hi Karthick, 
We can provide you this content, but we only offer a paid solution. 
Let me know if you would be interested. 

Regards,
Pankaj Chhaparwal



From: xx@gmail.com
Sent: Monday, September 03, 2012 2:36 PM
To: xxxxxxxxxx
Subject: RSS Feeds to get live scores
 
Hi, I am working on an android app to display live scores. Just want to know if you are providing any API to pull the match/score data. Once developed, this app will be available for others to download from Google Play for Free. Please let me know if you provide any such APIs. Thanks, Karthick Website: http://about.me/r.karthick 
Company: Developer
-- 
regards,
r.karthick