Well, sad and true in the same time… It is an entertaining reading and one full of insights…
Maybe it’s just one of those reasons why software is getting more crappy, unreliable, insecure, etc.
By a very nice coincidence I have bumped into this interesting paper (dating around 15 Jul 2008) - “BREAKING THE BANK - VULNERABILITIES IN NUMERIC PROCESSING WITHIN FINANCIAL APPLICATIONS” - ENJOY the reading!
Given I currently work in a telecom billing software company - I just cannot find enough words and meanings to confirm with sorrow that pretty-fucking-many of my fellow programmers do not give a shi…ny glass for avoiding this kind of problems. Worst, they don’t even realize it :-S…
PS: …and YES, Bank Of Cyprus (along with its new migrated Java/JSF-based banking application - a special post on this to follow) allows/uses:
Happy hacking…
When it comes to speaking about money, a lot of people get interested. And nowadays most money discussion evolve around or near-by the EUR-USD exchange rates.
Some people (including me sometime
) are unhappy to depend and always lose their honestly earned savings because of some avid and greedy circles of interest are playing with exchange rates and make them uncontrollable…
At my previous work and here also, I and coworkers had an internal subject [AskAmit] for sharing shitty code (which we find around or even discover in inherited projects) among us.
This continued in the current company - like for example this one (not exact reproduction, but still) in Java (trully existing code at my present company
) – test if a boolean variable is true or false:
Code:
if (boolean_var.toString.length() == 4) | |
{ | |
// True, do the True actions | |
} | |
else If (boolean_var.toString.length() == 5) | |
{ | |
// False, do the False actions | |
} | |
else | |
{ | |
// Ummm, raise processor fault? | |
} |
The [AskAmit] name was coming from Sun’s JMF (Java Media Foundation) incredible naive line at those times (2002) that made the framework buggy enough (though it was a good concept):
jmf-2_1_1e-scsl-src/src/share/com/sun/media/util/Registry.java
if (file.length() == 0) { // TODO: Ask AMITH if you need this
Seems like [AskAmit] kind-of groups grow everywhere, so it reached to a critical level called GovnoKod (ShittyCode) – highly recommended reading not to step on the shitty paths of programming
Excerpts: - Enjoy!
———————————————————————
Си / Говнокод #1829
Code:
#define TRUE FALSE //Happy debugging >:P |
———————————————————————
Си / Говнокод #1317
Code:
if(true) | |
{ | |
//Code | |
} | |
else | |
{ | |
//Commented, not compiling. ^_^ | |
}; |
———————————————————————
Си / Говнокод #405
Code:
++i--; |
———————————————————————
Assembler / Говнокод #453
Code:
mov ebx, eax | |
mov eax, ebx |
———————————————————————
Assembler / Говнокод #414
Code:
... | |
jmp 0x0437 | |
jmp 0x0437 | |
... |
———————————————————————
Yes boyz and pretty girlz, eJobs.ro gets it again into the face and gives away 1.3 Mln resumes and personal information! More - passwords in clear, not at least hashed…
My two cents on this:
1. Nice work from the guys here - HackersBlog.org
2. Some of my early whistle-blowers to the ejobs.ro here (ejobs XSS1) and here (ejobs XSS2) - seems like they have either deaf or inexistent security assesment team… Too pitty for them…
3. It seems that the method used by the guys was in one of my earliest attack methods which I left asside for some dumb reasons. eJobs.ro Attack Vectors file
The below is what I was exercising back then, and the similar attack vector is what the guys really used to SQL-inject (the below is not working already for obvious reasons…
)
Code:
4. Also, if you go specifically to http://ejobs.ejobs.ro (yes, double times ejobs, it is not a typo!) you will see an internal eJobs position posting. The interesting details I have highlighted below:
Till next time, enhance your
As many might recall the Google’s glitch to tag every single site as malware site. More details are:
- @ Google Blogs (fcuk - I think someone will get pretty fudged up in the ase at Google for this human-error, since it was necessary for one of the biggest corporations VP to officially give explanations and appologies - those who worked or are working for some kind of corporations know this kind of price…)
- @ StopBadware.org
One of the most nicest things is
.
Philosophically speaking, Google being a source of trust for a wide majority of people/systems AND in the same times tagging itself as malware (even though for a very small amount of time AND by “mistake” - I would love to believe that it was a mass-social-experiment
) - doesn’t it raises the question of old classes of computer-field (and not only) problems “Chain of trust and breaking the chain of trust?!”
Here is my screenshot
:
:: Next Page >>
A deep dive into brain's curiosities
| Next >
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| << < | > >> | |||||
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | ||