eval is evil!

09/06/2012

Last week a friend of mine got an email pretending to be from Linked-In.

It looked suspicious so she forwarded it to me for inspection.


A quick look at the HTML attachment showed that it contained some very fishy JavaScript.

One notable part of it was a large array of floating point numbers, positive and negative.


As some of you might have guessed, this array actually represented some more scrambled JavaScript.


Now, I am not a security expert, but I was curious what this thing did. I know there is some tool to test-run JavaScript, but I did not remember what it was called, so I just ran Python in interactive mode to make a quick loop and unscramble the floating point array.

What I found was JavaScript redirecting the browser to a very suspicious looking domain.

Downloading the content of the URL resulted in more JavaScript, this time with a very long string (over 54000 bytes long!).

Again I found the unscrambling function, redid it in Python, and received what was clearly a malware-injecting JavaScript that was just over 15 thousand bytes long!

The funny thing was, the malware script was not obfuscated (aside from all whitespace being removed), so I could actually see a function called “getShellcode”.

Despite being quite long, it was easy to see that the script used some vulnerability in Flash Player versions 10.0.40 to 10.2.159 to do its nasty business.

I have yet to unscramble its shellcode payload, so I am not sure what that business is exactly.


But, this package is not unique. I am sure there are thousands of variations of it in the wild.


Why am I bothering to write about it?


Because the main component used to hide the truth about what this malware does is JavaScript's eval function.

In fact, it is used twice: both in the first-stage JavaScript attached to the email, and in the second-stage script that actually tries to inject the malware.
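A static triage check for the pattern described above, written here as an added example (not code from the original post): it pulls the script bodies out of an HTML attachment and reports eval() calls, long arrays of signed floating point numbers and very long string literals, without running any of the JavaScript. The thresholds and the sample attachment are constructed for this example.

```python
"""Static triage of an HTML attachment for eval-based JavaScript obfuscation.

Added example, not code from the original post. Nothing is executed: the
script bodies are pulled out of the HTML and scanned for the three indicators
the post describes (eval() calls, long arrays of signed floating point
numbers, very long string literals). Thresholds are arbitrary assumptions.
"""
import re
from html.parser import HTMLParser

MIN_ARRAY_ELEMENTS = 50    # assumption: shorter numeric arrays are ignored
MIN_STRING_LENGTH = 1000   # assumption: shorter string literals are ignored

NUMBER = r"-?\d+(?:\.\d+)?"
NUMERIC_ARRAY_RE = re.compile(r"\[\s*" + NUMBER + r"(?:\s*,\s*" + NUMBER + r")*\s*\]")
EVAL_CALL_RE = re.compile(r"\beval\s*\(")
STRING_LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")


class ScriptExtractor(HTMLParser):
    """Collects the raw body of every <script> element in the document."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def extract_scripts(html):
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def triage_script(js):
    """Return the obfuscation indicators found in one script body."""
    arrays = []
    for match in NUMERIC_ARRAY_RE.finditer(js):
        elems = [e.strip() for e in match.group(0)[1:-1].split(",")]
        if len(elems) >= MIN_ARRAY_ELEMENTS:
            arrays.append({
                "elements": len(elems),
                "floats": any("." in e for e in elems),
                "negatives": any(e.startswith("-") for e in elems),
            })
    long_strings = [len(m.group(0)) - 2 for m in STRING_LITERAL_RE.finditer(js)
                    if len(m.group(0)) - 2 >= MIN_STRING_LENGTH]
    return {
        "eval_calls": len(EVAL_CALL_RE.findall(js)),
        "numeric_arrays": arrays,
        "long_strings": long_strings,
    }


def triage_html(html):
    """Triage every script in the document; 'suspicious' is set when a script
    both calls eval() and carries a decoder-sized array or string literal."""
    scripts = [triage_script(js) for js in extract_scripts(html)]
    suspicious = any(s["eval_calls"] > 0 and (s["numeric_arrays"] or s["long_strings"])
                     for s in scripts)
    return {"scripts": scripts, "suspicious": suspicious}


# Constructed samples. The array below is filler with no payload; the decoder
# is left undefined on purpose, so the sample cannot run as JavaScript.
SAMPLE_ATTACHMENT = """<html><body><p>Please review your profile.</p>
<script>
var d=[""" + ",".join(f"{(-1) ** i * i * 1.5:.1f}" for i in range(80)) + """];
eval(decode(d));
</script></body></html>"""

BENIGN_PAGE = "<html><body><script>document.title='hello';</script></body></html>"

if __name__ == "__main__":
    print(triage_html(SAMPLE_ATTACHMENT))
    print(triage_html(BENIGN_PAGE))
```

The check is deliberately crude: it is a first-pass filter for an inbox or mail gateway, not a replacement for actually decoding the script in a sandbox.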


Which got me wondering: why the hell did the designers of JavaScript put it there???


I know JavaScript is not the only language to have such a function.

I know it has some legitimate uses (though I am not sure how many).

And as a developer, the last thing I would want to encourage is reducing a programming language’s power.


But seriously, is the huge security risk really worth it?

After all, this is a browser scripting language, something you might download and run without even being aware you are doing it.


Even the name of the function sounds almost “evil” 😛


So here is my rant of the day: ban eval from JavaScript.

Who is with me?


Get XML element value in Python using minidom

29/07/2011

Finally, a “development” post for my “developer” blog.

Recently, I’ve been working on some XML processing programs in Python.

The minidom module is great if you want your XML in a tree, and want tag names and attributes easily accessible, but, what happens if you want the text content inside a tag?

DOM does not have a “tag value” concept. Instead, every bit of text in the XML, including the indentation, is a “text node”, which is parsed as a separate tree element.

That means, that if you have something like this:


<name>John Smith</name>

You will get a tree with two levels: a top level for the “name” element, whose nodeValue will be None. This element will have a child node (the second level of the tree) of type TEXT_NODE, whose value will be the text “John Smith”.

So far, so good, but, what if the value we want has some XML markup of its own?


<text>This text has <b>bold</b> and <i>italic</i> words.</text>

Now we have a complex tree on our hands with 3 levels and multiple branches.

It will look something like this:

<text>
   |______
          |-"This text has
          |-<b>
          |  |_________
          |            -"bold"
          |-"and"
          |-<i>
          |  |_________
          |            -"italic"
          --"words."

As you can see, this is a big mess, with the text split into multiple parts on two separate tree levels.

There is no facility in minidom to get the value of our <text> tag directly.

There is, however, a way around it that is simple but not obvious: you need to “flatten” the desired tag into an XML string, then strip the tag itself from the string and you will have a clean value.

Here is the code:

def get_tag_value(node):
    """retrieves value of given XML node
    parameter:
    node - node object containing the tag element produced by minidom

    return:
    content of the tag element as string
    """

    xml_str = node.toxml() # flattens the element to string

    # cut off the base tag to get clean content:
    start = xml_str.find('>')
    if start == -1:
        return ''
    end = xml_str.rfind('<')
    if end < start:
        return ''

    return xml_str[start + 1:end]

Just pass the node you want the value of to the function and it will give you back the value as a string, including any internal markup.

I place this code in the public domain, which means you can use it anywhere any way you want with no strings attached.
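The function above applied to the post's own samples, as an added example (not from the original post), next to a second helper, get_text, that walks the TEXT_NODE children instead. The comparison shows that get_tag_value returns an XML fragment (inner markup kept, entities still escaped) while get_text returns plain text; the sample document is constructed from the post's snippets.

```python
"""Added example (not from the original post): the flatten-and-strip approach
exercised on the post's own <text> sample, beside a text-only walk over the
TEXT_NODE children, to show how the two results differ.
"""
from xml.dom import minidom


def get_tag_value(node):
    """Inner XML of a minidom element, obtained by serialising the element
    and cutting off its own start and end tags (the post's approach)."""
    xml_str = node.toxml()
    start = xml_str.find('>')
    if start == -1:
        return ''
    end = xml_str.rfind('<')
    if end < start:          # self-closing element such as <empty/>
        return ''
    return xml_str[start + 1:end]


def get_text(node):
    """Plain text of an element: concatenate every descendant TEXT_NODE (and
    CDATA section) in document order, dropping all markup. Unlike
    get_tag_value, the result is unescaped text, not an XML fragment."""
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            parts.append(get_text(child))
    return ''.join(parts)


# Constructed sample document based on the post's examples; the ampersand is
# there to show the difference between serialised XML and plain text.
SAMPLE_XML = """<doc>
  <name>John Smith</name>
  <text>This text has <b>bold</b> and <i>italic</i> words.</text>
  <note>Fish &amp; chips</note>
  <empty/>
</doc>"""


def extract_values(xml_source):
    """Return {tag: (inner_xml, plain_text)} for each element child of the root."""
    doc = minidom.parseString(xml_source)
    result = {}
    for child in doc.documentElement.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            result[child.tagName] = (get_tag_value(child), get_text(child))
    return result


if __name__ == "__main__":
    for tag, (inner, text) in extract_values(SAMPLE_XML).items():
        print(f"{tag}: inner={inner!r} text={text!r}")
```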

Solutions vs Products

04/06/2011

I originally intended this blog to be about development, with programming tips, tricks, and maybe even following some open source project of mine, but for now, I just couldn’t find any suitable material of this kind to publish.

Most of the new stuff I learned recently was already well documented elsewhere, and I did not want my blog to be a copy of a copy bringing no added value.

But I don’t want it to be strictly opinionated rants either, so I decided to start a new series, which is something in between: technical examples (not necessarily code) that go to prove my strong opinion that Free and Open Source Software is better than closed source, non-free software.

I call this series: “Solution vs Products”.

In Free Software, developers always seek to provide a solution for a certain problem. Software solution that will fulfill a certain need. Very often, it is their own need, but that does not mean that others do not benefit greatly from the solution.

Companies, that build their business on Free and Open Source software like RedHat and Canonical, make money from providing solutions to their customers, not simply selling them products.

The difference is not just marketing jargon. It is in the kinds of programs that are available, and the features these programs have. In this series, I will demonstrate my personal encounters with features of Free Software that proprietary software does not provide, and some that, I believe, it can not provide under its current business model.

But, rather than continuing to describe it, let’s just jump to an example that will demonstrate what I am talking about:

Drivers, drivers, drivers…

One of the myths about GNU/Linux and Free operating systems in general, is that they don’t support a lot of hardware.

In plain folks talk “There ain’t no drivers for this thing…”

But reality is, that hardware support in Linux distributions is often better than in the latest version of Microsoft Windows. The myth is propagated by the fact that just about any piece of hardware you buy will have a disk with Windows drivers accompanying it, but no Linux drivers.

People don’t realize this is because such a thing is not needed.

Some time ago, I had a faithful old Pentium 4 2.8GHz computer with a simple graphics card based on Nvidia chip.

There was no driver problem for this card in Windows XP, and it was also recognized out of the box by Ubuntu 7.10, though it had to install the proprietary Nvidia driver to fully support it.

That was actually less of a hassle than installing the driver for XP from the CD that came with the card, but since Ubuntu 7.10 is significantly newer than Windows XP, it can be forgiven.

One day, the card died (or fried, I am not sure which). Fortunately, I still had the manual for the motherboard, so I knew by the beep sounds my computer made that the fault was in the graphics card and not any other component.

I went to the nearest computer store and got a replacement card. It had the exact same Nvidia chip in it, but the card itself was from a different manufacturer than the old one.

When I plugged it in and booted up, Ubuntu worked as though nothing happened. The Nvidia driver was universal, and it didn’t care that I had a different card in, as long as it had a supported chip in it.

With XP however, the situation was not nearly as good. I had to boot up in “Safe Mode”, uninstall the old driver, then boot up in normal mode and install a different driver for the new card.

Yet another case that demonstrates this issue occurred to me when I bought a very cheap web camera as part of a bet.

The bet was simple: will it be recognized out of the box by Ubuntu? I said “yes” but some people doubted that was possible. Well, I did not have a web cam, and Office Depot were selling some dirt cheap model, so I bought it.

To be fair, I lost the bet. At the time (2008) to get a camera with that particular chip working on Ubuntu a kernel module had to be compiled.

Two years later, however, the module is now part of the official distribution, and the camera is recognized out of the box.

And what of Windows 7? Nothing. Since the CD I got with the camera does not contain drivers for it, and since there is no way of identifying the camera’s manufacturer (it carries no trademarks), it is useless for a Windows user.

Fortunately, I am not a Windows user…

One last case of “driver issues” I keep running into at work is with Android devices.

These devices (mostly phones and tablets) use a system called Android Debug Bridge (ADB for short), to communicate with the PC to aid in developing software. Through ADB the developer can debug applications (duh!), read system logs, get shell access to the device and more.

When working on Windows, every individual Android device needs a special driver to be recognized for ADB connection. Even two different phones from the same manufacturer need separate drivers.

This drives a couple of Android developers I know crazy.

On Linux, on the other hand, no driver is necessary. The PC side ADB component can locate any ADB capable device connected to USB and communicate with it.

I do not know what exactly caused the driver architecture to be so drastically different between Windows and Linux. Perhaps it was a purely engineering decision.

But perhaps it was the fact that much of the hardware support for Linux had to be achieved through reverse engineering, due to lack of cooperation from the manufacturers, that brought about modules that support entire families of products and a kernel that provides easy access to peripheral hardware for user-space programs even without a kernel module.

Either way, we have here three small examples where Free Software makes life easy while proprietary software gives you a headache.

Next up: Emergency computer resurrection: a vital solution no proprietary software company could possibly provide.

Stay tuned!

It’s all about trust

02/04/2011

We use computers for a lot of things today. In various forms, from the desktop to the “Smartphone”.

At work, at home, for business, for pleasure, for education, for communication.

Never before has there been a single object that centered so much of our daily activity around it, or intruded into so many aspects of our life.

Yet, how many people ever stop to think: “Can I trust my computer?”

How many people even consider such a question as making sense? You trust (or don’t trust) people, but things?

Trouble is, we need to be able to trust our computers, not just to work and do what we need of them, but also to keep our secrets from strangers and protect our wealth from theft.

Most people, be they “simple” users who barely understand how to use their computer, or the greatest of hackers who know precisely how everything works and how to make it do anything they want, trust their computers implicitly, to varying degrees.

But a computer is a collection of black boxes of two kinds: hardware and software.

They are “black boxes” for two reasons:

1. The people who produce them do their best to hide from us users what they do and how they work.

2. The majority of users don’t possess the knowledge to understand their workings even if they were revealed to them.

Number two is a matter for separate discussion, but as for reason number one: It can and should be avoided!

And this is why I use Free Software and open hardware whenever possible.

This way I can be as certain as possible that my computer (tablet / smartphone / thingamajig) does exactly what it promises and is under my control and not someone else’s.

The skeptics among you will probably say: “You couldn’t possibly read and evaluate every single line of code of every application you use, let alone go over schematics of your hardware.”

And that is true. But, I don’t need to. It is enough for me to know that my phone’s bootloader is not locked or encrypted which means I can update or replace my phone’s OS at any time.

It is enough for me to know that I do not have any “Treacherous computing” features in my PC which could lock me out of my own data at any moment.

Most important, I know my OS and its developers do not, and never will treat me as a thief.

I know this, because the code (and some of the specs) are out in the open. Because they are constantly inspected by thousands of eyes, and because the people and companies that are involved in making these products are interested in making money by providing solutions, rather than just trying to extract it as best they can by providing a product which they continue to control even after you supposedly purchased it.

And, of course, I do not have to rely on this knowledge blindly. When true need arises, I can go and inspect the source, or consult people I trust to look into the guts of the thing and tell me if it’s safe and reliable.

Now, before you recommend that I put on a tin foil hat, consider this growing list of examples where people’s computers betrayed them, at the whim of their true masters:

And this list can, and probably will, keep growing as long as people use closed, proprietary software running on locked devices.

As seen from the last example, even if a large part of your system is Free, as in the case of Android, a single crucial application like the Android Market which is not Free, can take your freedom away.

And next time, it may not be about a book or a feature for geeks, or some music CDs. It may be your life’s work that goes missing, a crucial report for work or school, precious family films or photographs that can not be recreated.

I am glad I found out about free software before I suffered any such loss.

Free Software is not just about price or ideology or a way for developers to get their hands on some code. It’s about your freedom and security!

I trust the software I use, do you?

Trusted Computing from lafkon on Vimeo.


Welcome back to the 70’s!

08/12/2010

Google has finally started a pilot program for netbooks (mini-laptops) running the long awaited (by some) Chrome OS.

Sadly, there aren’t many details about the hardware itself, and the only 3 things we know for sure are:

  1. It has a 12 inch screen
  2. It has WiFi n and 3G connectivity
  3. It weighs nearly 2kg! (3.8 pounds, which is 1.72kg to be precise)

But there is more to this than just another netbook that strides the border between mini and regular laptops.

Google hails its Chrome OS as a new paradigm in computing where “your browser is your OS”. To quote the introduction page: “It runs web-based applications, not legacy PC software.”

To me, this statement is funny, in fact, it appears to be an oxymoron.

I was born into the PC era. My first computer was a 100MHz Pentium 586, and though it still had a turbo button, by some archaic standards it might as well have been a “super computer”.

In fact, it was top of the line for home PCs at the time it was purchased.

Technology moved on quickly, so today, you are unlikely to find a smartphone which has a processor slower than 500MHz.

This was the promise of the “Age of the PC”: that anyone can get his own computer, powerful enough to do whatever the user needed on its own.

Play games, listen to music, watch movies, edit documents – you did not need to rely on anyone.

Most people who are not geeks probably do not know this today, but back before the personal computers hit mass market during the mid 80’s things were very different.

In the 70’s and early 80’s computers were still huge and so expensive that only large organizations such as universities and corporations could own them. To use a computer back then one would use a “terminal” – a dumb screen with a keyboard that connected to the actual computer over some sort of network.

Though several people could use the computer from different terminals at the same time, each user would still get very limited (even by standards of that time) resources allocated to his account.

Each user got certain amount of storage space for his files, certain amount of memory for his programs to use and certain amount of “cpu time” to run his programs.

For nontechnical people reading this (if there are any) think of this as the limits on your email accounts: you can only send attachments of certain size, and you can only keep so much mail in your inbox before it becomes full.

Now imagine that your computer is not really yours: other people are using it, and you have to wait for them to leave enough free resources for you to be able to use it.

This is why personal computers were such a big deal for many people – they could finally use a computer and do what they wanted or needed without “standing in line” or “asking permission” from anyone.

And now, this is the “future” Google is promising us with Chrome OS.

Return from the personal computer to the mainframe and dumb terminal architecture of the 70’s.

Of course, there are advantages to the “cloud” approach:

  • Doesn’t matter where you are: since all of your data and the programs you need are “in the cloud” (on some remote Internet server) it does not matter if you have your laptop with you or if you are at your desktop. You can access them from any suitable device as long as it has an Internet connection.
  • No maintenance – forget installing software or dealing with viruses: since your computer does virtually nothing except receive and send information to and from the net there’s nothing to do but turn it on.
  • Your data is safer – some people will argue that a huge corporation like Google or Amazon has better backup facilities than the average computer user, and that their servers are better protected against hackers than your home PC, so you should trust them with all your precious files.

But looking at these supposed benefits, you can see that each of them hides several very real dangers:

  • If you can access your files from anywhere, so can anyone who happens to get their hands on your username and password. You may not care if someone gets the photos of your cat, but what about some naughty pictures from your bedroom or your company’s latest financial strategy document?
  • No control. When all your data and all the programs you use to manipulate this data are on someone else’s server, they are under their control. What if the company you are relying on to provide your cloud computing account suddenly goes out of business? What if they decide not to provide service to your country due to export restrictions, or what if they just lock your account because of a clerical error or because someone decided you violated some terms of use?
    Even worse: what if they suddenly change account settings and expose documents you wanted to remain private? This has happened to Facebook users and with Google Buzz.
    And what about the applications you use? If they are in the cloud your choice is limited to what your cloud provider gives you. If your provider decides you can only use brand X of document editor, then you will be forced to use only that brand, and if the provider suddenly decides to switch to brand Y? Go with it or change providers (good luck moving all your data and keeping it intact).
  • Putting all your eggs in one basket. Yes, huge server farms that big corporations own are usually very sturdy. They have UPS, backups, dedicated technicians and all kinds of other goodies, but in the end, even they fail. Yes, even the mighty Google has outages. Also, the bigger the server (or farm) the more attractive a target it is for hackers. And that means it will get hit much more often and with much bigger force than some John Doe’s personal computer.
    If something happens to your PC and it stops working you can usually use your laptop, or your work computer or, in the worst case scenario, borrow your friend’s computer to finish whatever you need to finish urgently. But with all computing done in the cloud, once the cloud goes down, all computers go down.

To me personally, the lack of control and privacy that comes with cloud computing makes it completely unacceptable as an absolute replacement for the desktop.

There are uses of the cloud that are acceptable to me, and which I believe are unavoidable for an average person:

I trust my personal mail to gmail, because I do not know how to set up and run a properly configured email server. Even if I did, I am not sure I would have the time to do a good enough job to keep it properly secure and not let it fall into some spammer’s hands.

I also use Google docs and Picasa for images and documents I need to make publicly available. Since there is no privacy concern here, I don’t mind surrendering them.

And of course, I use wordpress.com for this blog, because I am certainly not about to set up my own installation of WordPress.

But all these uses are very far from the future Google and some others are planning for us.

With storage devices getting ridiculously huge in capacity and ever smaller in physical size (did you know you can get 32GB of storage on a microSD the size of your thumbnail?), and the rest of computer hardware still becoming more powerful and cheaper at the same time, while Internet bandwidth continues to be limited and expensive (in certain countries much more than in others), I hope most people will think twice before embracing this “futuristic” idea from way back in the 1970’s.

My FLOSS

13/11/2010

I decided to start this blog with a post introducing all the Free Software projects I’ve published.
It’s not much, but this is the work I am most proud of.

In case you didn’t know, FLOSS (aside from the string used to clean teeth) is an acronym for Free Libre Open Source Software.
Now, you might think that it would be simpler and shorter just to say “Free software”, not to mention a lot less confusing, but that way people tend to think it is just software you can get free of charge.
Even though most people like getting things for free, surprisingly a $0 cost often has negative connotations.
Besides, it’s not about cost, it’s about freedom.

For me though, coding these projects was, first and foremost, about learning.
Implementing each feature required learning the use of a new function or a new technique. Sometimes even a whole new set of development tools.
Also, unlike projects I do as part of my job, these gave me the freedom to experiment – implement what I wanted in the way I wanted without deadlines, demands or the need to waste time on useless trickery in a futile attempt to protect the final product from being copied.

And there was one additional bonus: ego boost. Seeing the download count and getting comments from users directly was pretty nice, especially when those comments were praises and thanks.


LVMTime

This is the first project I’ve ever published. In fact, it went out even before the first commercial app I did as a professional developer hit the market.

It is a “Today screen” plugin for Windows Mobile devices. It displays time and date in various configurations.

This project started out as a way to learn how to write a “Today plugin”.
Since I did not want to do a pointless “Hello world” test, I decided to make it do something useful. At the same time I saw on the forum that people were unhappy with the way the date plugin behaved in the then-new Windows Mobile 5 OS.
So I made a very simple plugin that just showed date and time on a single line.
I posted it on the forum to see what happens and, to my surprise, it got popular.

So I kept developing it and adding features.
As it turns out, there’s a lot more to writing a properly working plugin than MS documentation shows, so along the way I picked up a few tricks that later came in handy on my job.

Two of the neatest (from my perspective) things I’ve done on this project were implementing from scratch a SNTP client to allow synchronizing time from the Internet (just like desktop Windows does) and sticking a small window on the taskbar that looked as though it was an integral part of it.
I actually managed to put the clock display back to where it was in the previous version of the OS, using an outside utility.

At first, I did not think to release the code, though I had no intention to charge money for the software.
I did send it to a couple of people who asked for it because I believed I should share this knowledge as others shared it and allowed me to learn how to write such a plugin.
Later, when I learned about the GNU/GPL and the concept of “Free Software” I properly published the source under GPL v3 license.

Unfortunately, at the time, I was not well familiar with source hosting sites such as SourceForge and Google Code, so I just published the whole thing on the forum I knew.
The down side is, there is no version control and you have to subscribe to the forum to download it.

Some day I might fix it.
For now, the binary version was picked up by a few freeware sites, which added to that ego boost I mentioned earlier:
LVMTime on PocketPCFreeware
LVMTime on FreewarePPC
LVMTime on Softpedia


LVMTopBat

This project, like many other FLOSS projects, began as an attempt to “scratch an itch”.

At the time, I had an i-mate Jamin, also known as HTC Prophet.
This was a nice and advanced (for those times) smartphone, but it had a very slow processor (200MHz) and little RAM.
I wanted a precise battery meter, but all the ones I could find had a lot of fancy features which were both unnecessary and waste of resources.
Plus, I could not find one that looked exactly the way I wanted, so I just wrote one.

It was interesting to learn how to query and interpret battery status data.
I even managed to use the system notification mechanism to avoid constantly polling for data and wasting CPU cycles.

After making a small modification to make it more general, I put this app on the same forum as LVMTime.
Despite being very simplistic with no configuration options at all, it still had some success – several thousand downloads.

Better still, this was the first time someone took my code and made a derivative application with improvements.
And this is the real power of Free Software: collaborative development and continuous improvement.
Here is one such derivative: iBattery

Though not as popular as LVMTime, LVMTopBat also made it to some freeware sites:
LVMTopBat on PocketPCFreeware
LVMTopBat on Softpedia

Registry Display plugin

Technically speaking this is not a project, but a part of one.

After gathering together tips and tricks for writing a properly functioning “Today plugin” from various sources on the Internet I wanted to put it all together in a skeleton plugin which could later be used as a base for real projects.
At some point, I even thought about writing an article on it for the CodeProject site.

I never got around to writing that article, but I did make a basic plugin.
To demonstrate how to properly implement things like user selected text size and refresh handling I decided to let the plugin display a string from the registry.

Meanwhile, on the xda-developers forum there were people looking to add GUI components to MortScript, a simple but powerful scripting language for Windows Mobile which allowed users with no programming knowledge to automate tasks on their devices.
This plugin example turned out to be useful to them.

It is possible to write registry values using MortScript so any script could use my plugin to display information on the today screen.
It wasn’t fancy, but it worked.

Since this project was so basic I released it into the public domain, which means anyone can use the code in any way for any purpose, no strings attached.
Though even something this basic falls under today’s ridiculous copyright laws, I do not believe in copyrighting basic examples of code, not even under the GPL or BSD style licenses.


scr-rotate

This was the first project I released for a GNU/Linux based OS.
Specifically, the SHR distribution of the OpenMoko project.

It is a graphical application to rotate the screen.

It took me a long while to learn and get used to the different development paradigm of GNU/Linux based environment.
The idea that UI toolkit was something separate from the OS core and that multiple choices were available was a complete novelty.
Programming for Win32 you had one simple API function for creating a window or a button.
Here, you had to choose a widget toolkit and learn its rules.

And before you could do that, you had to familiarize yourself with gcc, make and some shell scripting for good measure.
In the end of course, it was well worth it.
And once you do understand the tools and how to use them, you realize that it is the MS way of doing things that is crooked and uncomfortable.

Since the OpenMoko platform was designed specifically for developers to play with, even its most advanced OS is still missing quite a few functions you would find in a commercial phone.
More precisely, the capability is there but the GUI is not.
So it was easy to pick a small feature which I personally was missing and code a fairly simple app to do it.

Once again, this was a learning experience.
And this time, I properly published the sources on a suitable hosting site with open access and version control. There’s even a bug tracking system which I already got to use.

Well, that’s all for now.
I hope that in the future, I will have the time to write and release more Free Software projects, maybe even bigger and more useful ones.
For now I do have some bug fixes I want to do on other projects, but as usual 24 hours a day just aren’t enough.

At least, I managed to get this post out.
Thanks for reading.