Category: On the web

Theoretically 1 USD = 1 EUR and 1 EUR = 2 USD is possible!

01/13/10 | by zveriu | Categories: In real life, On the web, AskAmit, Hack

UPDATE 20101012

By a very nice coincidence I have bumped into this interesting paper (dating around 15 Jul 2008) - “BREAKING THE BANK - VULNERABILITIES IN NUMERIC PROCESSING WITHIN FINANCIAL APPLICATIONS” - ENJOY the reading!

Given I currently work in a telecom billing software company - I just cannot find enough words and meanings to confirm with sorrow that pretty-fucking-many of my fellow programmers do not give a shi…ny glass about avoiding these kinds of problems. Worse, they don’t even realize it :-S…

PS: …and YES, Bank Of Cyprus (along with its newly migrated Java/JSF-based banking application - a special post on this to follow) allows/uses:

  • input like “1E+3” which gets translated into “1000”
  • “round-to-nearest, ties away from zero” for 3rd decimal, i.e. “0,004” gets translated to “0,00” and “0,007” gets translated to “0,01”
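
An added example (not from the original post or from the bank's application) contrasting the lenient amount handling listed above with a strict parser that rejects exponent notation and sub-cent digits instead of silently converting them. The function names and the sample inputs are constructed for illustration.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
# Digits only, optional '.' or ',' separator, at most two decimals.
STRICT_AMOUNT = re.compile(r"[0-9]{1,12}(?:[.,][0-9]{1,2})?")


def lenient_parse(text):
    """Mimics the behaviour listed above: exponent notation is accepted and
    the third decimal is rounded to nearest, ties away from zero."""
    value = Decimal(text.strip().replace(",", "."))
    return value.quantize(CENT, rounding=ROUND_HALF_UP)


def strict_parse(text):
    """Accept only an exact, positive amount in whole cents."""
    if not STRICT_AMOUNT.fullmatch(text):
        raise ValueError(f"not a plain amount in whole cents: {text!r}")
    value = Decimal(text.replace(",", ".")).quantize(CENT)
    if value <= 0:
        raise ValueError("amount must be positive")
    return value


def compare(samples):
    """Return (input, lenient result, strict result) for each sample."""
    rows = []
    for s in samples:
        try:
            strict = str(strict_parse(s))
        except ValueError:
            strict = "REJECTED"
        rows.append((s, str(lenient_parse(s)), strict))
    return rows


# Constructed sample inputs; the first three are the ones quoted in the post.
SAMPLES = ["1E+3", "0,004", "0,007", "0,005", "12,50", "1000"]

if __name__ == "__main__":
    for text, lenient, strict in compare(SAMPLES):
        print(f"{text!r:>9}  lenient={lenient:<8}  strict={strict}")
```

The strict parser refuses an amount it would otherwise have to reinterpret, so the value the user typed and the value that gets booked are always the same.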

Happy hacking…

Money

When it comes to speaking about money, a lot of people get interested. And nowadays most money discussions revolve around or near the EUR-USD exchange rates.

Some people (including me sometimes :) ) are unhappy to depend and always lose their honestly earned savings because some avid and greedy circles of interest are playing with exchange rates and making them uncontrollable


26C3 - "Look ma' , I am on TV"

01/03/10 | by zveriu | Categories: In real life, On the web, Software, Hack


26C3 is over… It was a fun experience however :)!

Some key points:

Lightning talks

Together with Pavol Luptak (from the Nethemba team in Slovakia), I had a lightning talk about the MFCUK.

Online video / Downloadable video (our talk starts around 00:09:50)

Slides 26C3 Lightning Talk Day2 MFCUK Mifare Classic Toolkit

Open digital radio

Also, I have attended a very nice and neat workshop put up by Mathias Coinchon from OpenDigitalRadio.org

The workshop link is here.

Mathias has also kindly provided the GNU Radio Companion files used in “26C3 Radio Broadcasting Workshop”.

DIY Book scanner

Ever wondered how the thousand-page books are scanned and put online? I was wondering that too.

A nice lecture and slides are here:

How to build your own Book Scanner [in 4 min]


iPhone OpenGL Demo - 3D Cube with Texture, Light, Rotate and Zoom options

09/21/09 | by zveriu | Categories: Fun, On the web, Software, iPhone

iPhone OpenGL Demo

UPDATE 20100102: As there seem to appear some unsatisfied fuckup-folks, read this first:

  • code is provided AS IS, no warranties
  • got no time to sort things out? don’t lose your time checking out the code then
  • lazy enough/loser-programmer and looking for spoon-feeding solutions only? don’t lose your time checking out the code then
  • don’t like my code? write better one instead and let me see you give it for free before you comment
  • for whoever is “fuck you”-ing me for whatever frustration reason they got - you are free to leave the blog - this blog is not for you

UPDATE 20090921: ZIP with sources is NOT corrupted. Please use 7-Zip archiver (ver >= 1.59)

UPDATE: Sources iPhone OpenGL ES Cube 3D with texture (Some reported archive corruption. Seems to work well with 7-Zip 4.5x, 4.6x for Windows)

This is a demo video showing my humble achievements in the direction of OpenGL ES 1.1 for iPhone, using some texture and light experiments. It is of course not intended as a working program, it’s rather a demo concept snippet of code.

The binary:
- source written in objective-c
- compiled as native application with iPhone toolchain under cygwin
- ran on iPhone 1.1.2 OOB

The acknowledgements go to:
- AJW - for great iPhone OpenGL startups
- ZeusCMD - for great OpenGL ES tutorials
- nullriver - for posts and links

Here is the binary available for download:
iPhone OpenGL ES Demo binary

Instructions:
- GLTextureCube to be put into /Applications and given proper permissions (755 to dirs and files will suffice)
- zveriu.raw to be put into /private/var and given at least read permission (444 will suffice)
- you can replace zveriu.raw with your own image data, given you follow the constraints:
  – 128 by 128 pixels - sorry, had to hard-code to speed up the working demo ;D
  – raw data, i.e. no headers, compression, etc.
  – 1 (one) byte per color, color scheme RGB
  – basically it is a 24-bit BMP, with no header, just raw data
- to obtain such a raw file, you can:
  – get a 128 by 128 24-bit BMP file with your texture
  – open it with IrfanView
  – make sure you have the IrfanView plugin named Formats
  – save the BMP with RAW file type, instructing IrfanView to make it 24-bit RGB (not BGR!) and interleaved, meaning bytes follow as RGBRGB…RGBRGB and not RRRRRR…GGGGGG…BBBBBB
- basically, to check that the zveriu.raw (case sensitive!) you have created is right, file size should be 128 (width) * 128 (height) * 3 (bytes for RGB) = 49152 bytes exactly

Hope you enjoyed this post.

I have some more ideas to test on iPhone - hope to overcome all the limitations (including time-constraint :) ). And by the way - the USRP is solved, need to get GNUradio working on one of the boxes (cygwin refuses to get me wxPython right for GNUradio - will stick to Ubuntu for the moment!)

Tags: iPhone OpenGL OpenGL ES OpenGLES Demo Cube Cube3D Texture USRP GNUradio

Yahoo Music steals from YouTube?!

05/18/09 | by zveriu | Categories: Fun, On the web, Music, DailySpammer

It is sometimes interesting and amusing to see how even big players steal from each other :)

I was very surprised to see that a flash ad for Yahoo! Music has a video screenshot resembling… YouTube video… When clicking the Video section of the mentioned ad, I was redirected to Yahoo! Music

Maybe I am mistaken, but from what I understand even the flash player design is a matter of design copyright. Maybe I am wrong - then please correct me in comments.

Yahoo!Music Ad Initial - Check the player frame

Yahoo!Music Ad After Click- Check the player frame

Yahoo!Music Typical player frame

YouTube Typical player frame

Player frames compared to the one in Yahoo! Ad

Few questions arise:

  • Is Yahoo!Music together with YouTube?
  • Is Yahoo!Music trying subliminal user driving from YouTube to Yahoo!Music?
  • Is YouTube licensing somehow its player design to other market players?

Thoughts are welcome, as always.

PS: the link which displayed the mentioned ad was found here

Copyright disclaimer: all the trademarks mentioned here are owned by the respective owners. The same applies to the graphical designs depicted in the screenshots.
Tags: yahoo music, yahoo, youtube, copyright

eJobs.ro - SQL in-FUCK-jected!

02/03/09 | by zveriu | Categories: On the web, DailySpammer, AskAmit, Hack, SQL Injection

eJobs.ro security hacked screwed again - execution with cool-blooded SQL injection

Yes boyz and pretty girlz, eJobs.ro gets it again into the face and gives away 1.3 Mln resumes and personal information! More - passwords in clear, not even hashed…

My two cents on this:

1. Nice work from the guys here - HackersBlog.org

2. Some of my early whistle-blowers to the ejobs.ro here (ejobs XSS1) and here (ejobs XSS2) - seems like they have either a deaf or nonexistent security assessment team… Too bad for them…

3. It seems that the method used by the guys was in one of my earliest attack methods which I left aside for some dumb reasons. eJobs.ro Attack Vectors file

The below is what I was exercising back then, and a similar attack vector is what the guys really used to SQL-inject (the below is not working already for obvious reasons… :) )

Code:

4. Also, if you go specifically to http://ejobs.ejobs.ro (yes, ejobs twice, it is not a typo!) you will see an internal eJobs position posting. The interesting details I have highlighted below:

eJobs job posting - hahaha

Till next time, enhance your

Knowledge of Secure Programming Best Practices

Tags: ejobs, ejobs.ro, ejobs ro, ejobs.ro sql injection, ejobs.ro sqli, ejobs.ro hacked, ejobs.ro hackuit, ejobs.ro security, ejobs.ro spart, ejobs.ro database, ejobs.ro baza de date, ejobs.ro CVuri
