Thoda sa main...(A little bit of me)

What keeping me busy these days?

2011-08-30T03:37:00.000-07:00

Have heard this question so many times from many friends & well wishers lately.

Where are you absconding these days?
What projects are you doing these days?
What keeps you busy these days?

Se here's the answer.

Friends, I'm taking a lean time in my career as of now to spend more time with Sanay.

I'm still active on facebook but almost inactive on twitter and other places.

Work wise gone into a safe zone so that I can keep earning enough and still enjoy Sanay's daily growth.

I plan to be in this phase for sometime now and then relook at other stuff later.

Till that time, here're a few e-activities with Sanay for you

His website: http://sanay.in

His videos: http://vimeo.com/sanay

Someone is trying to hack me!

2011-02-24T06:38:00.000-08:00

Yeah! You read it right. Someone is trying to hack me!

While you'll be reading it as "HACK me", I'm still thinking "hack ME".

----------------------------

Dear Attacker,
I don't have anything interesting enough for you to break into my machine and steal it.

a) I don't have anything related to national security on my laptop which you can make use of
b) I'm not a billionaire that you can scoop off something, rather people know I'm as broke as any other average guy :)

c) Info about my clients & future plans goes somewhere else & no traces of that will be found on my laptop/phone/home network

----------------------------

Although I used to get gmail password reset request atleast twice a week, but this is a real good one & the attacker deserves a round of applause for it. The amount of time & knowledge he has put in here, I can offer him a very lucrative job with handsome salary (are you listening Mr AV?, we got a candidate). And with this much dedication he can break into corporate or even more secure networks.

For the knowledge & food for thought of my readers, this is how it all looks like.
As far as I know/understand, this started in the beginning of Feb 2011. My personal laptop has enough protective layers (antivirus, patches, firewall, blah blah) and as anybody would guess I keep it more up-to-date compared to many people out there.

So the attack (when I detected) was done using Metasploit, a wonderful attack/security testing framework by @hdmoore and the attacker caught me on CVE-2010-0840 which is a Java runtime vulnerability allowing remote code execution. It was sent to me via some malicious web page which I might have stumbled somehow. (I'm pretty much into exploring lot of garbage online). I know my JRE was 2 subversions older which made this attack possible.

I felt something fishy when on my home broadband (not a shared LAN) I started getting
SSL errors. Thanks to stubbornness of Google Chrome, it didn't allowed me to ignore it & made me think twice. When scanned my RAM, I found "meterpreter" running in my explorer.exe (pretty neat dude). This was the time when I knew someone is deliberately trying to get into my machine & it can't be a work of a malware.

Damn you attacker, you forced me to change 83 passwords in total.

Moving ahead I started keeping a (more) vigil eye on my machine for the attack to re-occur, I also created a honeypot with a lot of legitimate looking traffic to lure him. But seems like the attacker understood that I have found his meterpreter trick & have killed the session once. So now his attack strategy changed and looking at the strategy used further, I'm not sure if it is work of a single guy or bunch of them together or even individually. If it's by a single guy, I seriously have a good job for him waiting.

This time the attacker seems to have got access to the firmware of my home router or wifi access point (I'm still to investigate my firmware). I started getting SSL warnings even on my phone when connected to wifi at home but not on my GPRS. Now this can't be done with access to my machine only, for this the attacker needs access to the network infrastructure. More interestingly the SSL warnings are only for some specific sites (gmail/twitter/facebook).

The attacker presented me a fake SSL certificate for api.twitter.com and this is what he did wrong. He created a fake certificate with validity of 10 years. In no good senses , twitter will buy a certificate from verisign (twitter actually uses equifax) for 10 years in one go. This fake certificate was encountered on my phone, when I rechecked actual certificate of api.twitter.com (this time using my USB internet dongle) it is issued by equifax and for one year only. See images below & click them for enlarged view.

There are few more screenshots & reverse trace reports but I'm not posting online for legal reasons. I'd need them to be produced as evidence.

I've spent enough time on this attack, reported it to appropriate authority & want to keep my hunt on to find my well wisher. The only problem is I have a life to live & a lot of work to do, which seems like the attacker doesn't have.

----------------------------

So dear attacker,

Go and get a life, you won't find anything more juicy on my machine/phone/network. If you wanted to prove it to the world that you can "Hack Rohit", I think I have done your work easy with this blog post.

----------------------------

An open letter to all my friends, family & followers,

If you receive some garbage mail or tweet from my side (@rohit11, @_rohit11, @clubhack) be assured that it wasn't me. You can still expect garbage videos shared on my facebook wall & you know that I keep sharing those stupid videos there :)

Wish me good luck & good life to the attacker(s)

PS - If this can happen to me, this can happen to you too. I'd again request you all to be little more careful online. As in "brand new days" song, STING said "It could happen to you - just like it happened to me. There's simply no immunity - there's no guarantee"

PS - I have used "he", "his", "him" to address the attacker but I'm not being gender biased. I don't think I have a "my super ex-girlfriend" kind of ex who would take so much of pain to attack me. Having said that, I'm still not under estimating the skills of female attackers.

PS - I used word "hack" cause that's what 90% of this world understand :)

Misty Rhythms - What a music band

2011-02-19T03:19:00.000-08:00

I remember in good old days when I was in school & I heard this music band called "Misty Rhythms".

The album was called as "Aye Laila" & had one song with a music video which got somewhat popular due to fresh born MTV in India those days. (Can anyone point me to the actual music video of that song?)

I had the "cassette" of this album but slowly with death of tapes, I lost this album. I searched online many times to buy a CD/DVD version but never got one till date.

Finally today I searched again and found that someone has uploaded the mp3s on rapidshare. I know its a crime to listen to this MP3 version but I'm ready to pay (double or more) if anyone can get me the legitimate CD/DVD

I found the songs & my day is made.

Now you must be thinking what's SO great about this album which has this crazy song & why does it deserves a blog post. So let me tell you this is one of the finest music I have loved. If possible go ahead and listen to other songs of this album. "Aye Laila" is the only one which is funky, rest all are so melodious & wonderfully written that I'm sure many of you would love it.

Its a wonderful fusion of Classical + Reggae + African + God knows what. Its really a hypnotic music album. I'm not a music expert or have sat for any session of music appreciation but still this whole album is very close to my heart.

# Songs like "Big Blue Eyes", "Far far away", "Cuckoo" & "Voice from Stone" has magical lyrics.

# Songs like "Dancing raindrops" & "Dance of Shiva" have the wonderful Indian classical music touch

# Song "Hand in Hand" always reminds me of Bombay theme music

That's not all, there are interesting facts about the band members

Ramana Gogula - Was MD of Sybase India & Co-founder of Liqwid Krystal, an IT startup in bangalore. Then moved to South Indian film industry as music director

http://en.wikipedia.org/wiki/Ramana_Gogula

Kush Khanna - is a BS graduate and CEO of Bazaar of India Imports, the largest importer of ayurvedic product and musical instruments into the USA.

Ramana Gogula and Kush Khanna, both were based in the US and had formed a musical collaboration and named their band as Misty Rhythms

Sources - http://www.expressindia.com/ie/daily/19980626/17750734.html

Before I end this post, another song @ youtube which you can enjoy

Ramana, Kush

Wherever you are, my best wishes to you & would love to get more of such music.

A dream come true

2010-12-05T06:30:00.000-08:00

You all know my passion behind ClubHack. It started with a passion of creating a platform for information security enthusiast to come under one roof & share knowledge.

While this was my passion I had a dream too. My dream was to have the international fame information security guru Bruce Schneier as a guest in my event. In this 4th year of ClubHack, the Keynote address was delivered by my idol.

Bruce Schneier delivering his keynote address @ ClubHack2010

Yeah I was excited as well as proud to have him here in ClubHack2010. It was indeed a dream come true for me. We welcomed him in a traditional way by tying a pheta on his head and he loved it too

That's Bruce Schneier in Indian Pagri

He also brought me his latest book "Schneier on security" with his typical autograph which is a tiny crypt in itself.

Book "Schneier on Security" & typical autograph of Bruce Schneier

If your read it correctly it reads as "ENJOYTHEBOOK" if you read from top left corner going one character down and then following the string. Pretty Cool.

Finally I met my guru Dronacharya & I'm on my cloud number 9 for that :)

Free or Cheap Google TV alternatives

2010-10-04T22:36:00.000-07:00

Google announced launch of http://google.com/tv and everybody including me is very excited about the whole concept as well as the product.

But for a lot of those geeks who don't want to bleed from their pockets for the same

Those geeks who can't wait for GoogleTV to come to their country have 2 nice options

Remember, these are opensource products hence free for personal use but might need some hardware, hence calling them as "cheaper options"

1) Myth TV http://www.mythtv.org/

MythTV is a Free Open Source software digital video recorder (DVR) project distributed under the terms of the GNU GPL. It has been under heavy development since 2002, and now contains most features one would expect from a good DVR (and many new ones that you soon won't be able to live without)

Myth Today has gone beyond a simple DVR and has almost all the features of GoogleTV.

Watch and record analog and/or digital TV, including HDTV.
Pause, skip, and rewind live TV shows.
Completely automatic commercial detection/skipping, with manual correction via an intuitive cutlist editor.
Intelligently schedules recordings to avoid conflicts.
Parental controls to keep your kids out of the good shows.
Watch youtube directly
Watch and archive DVDs and other video files.
Listen to your digital music collection.
Schedule and administer many functions remotely via a web browser.
Share your TV/Media library in different rooms over UPnP.
You can add browser to this and do a normal surfing too.
Many more...

Moreover a complete distro called Mythbuntu is available today which as the name specifies, is Myth over Ubuntu. No installation hassles, no config worries. As simple as it can be :)

Here are some screenshots

Personal Note - I have tried it & found it working very fine on my atom machine with 1G RAM. I was not able to find a correct TV tuner card which supports the cable. Rest everything including a web browser makes it a perfect home entertainment library. You get a lot of themes to change the look and feel too. It can even fetch info on demand from IMDB including details, images, plot etc about movie collection you have.

2) LinuxMCE http://linuxmce.com

LinuxMCE is much beyond a entertainment setup. It even includes home automation wherein you can do

Lighting control - Turn on/off lights
Climate control - Manage AC, window blinds
Security - Alarm management, CCTV feature using normal webcam
Telecom - Home EPABX with bundled asterisk
& Media - Play your Media Files, DVDs, CDs, TV whereever you are

As per the website, the media part of LinuxMCE can

Organize media with special metadata tags
View/Listen to media in any room
Media automatically follows you through your home
New media is automatically detected - even if it's on other devices like another computer on your network or Network Attached Storage (NAS)
Control all your A/V gear through LinuxMCE (using IR, USB, Ethernet, or RS-232) including automatically powering everything on and setting the proper inputs on each device
Together with the lighting part of LinuxMCE, lights in the room where video is being watched are dimmed when you start the movie.
Together with the Telecom part of LinuxMCE, the media is paused, when a call comes in, and continued when you hang up.

As you might have guessed by now, to exploit real power of LinuxMCE, you need to be a geekhead. But once you do it, its a great product to live with. Here are some screenshots

Personal Note - Haven't dived deeper into LinuxMCE. Have tried only camera and media setup which works like charm again on an atom machine with 1G RAM

Interested, ping me if you need any help in setting this up. Once you do it I'm sure you'll love it. If you know or have been using some other product for same, do let me know.

am I your ssladmin ?

2010-04-30T22:47:00.000-07:00

In March this year, there were few shouts about US government forcing certifying Authorities (CAs) to had over SSL key to decrypt mail transfer. Personally I'm not worried till the time the decrypted data is with any govt but it would be a serious issue if anyone else reads my data.

Old school hacks using fake SSL were popular till sometime where the adversary used to issue a fake certificate and client application (mail client/browser) would throw a warning. Those attacks were banking on stupidity of users to ignore the warning and move forward.

Then came a time (I'm not sure if it is over yet) where shady CAs would provide certificate without proper verification.

Now latest findings says few webmail provider were not careful enough to disable few admin-like accounts due to which anyone could have generated a genuinely fake certificate and conduct man-in-the-middle account without ANY warning from any software.

So I thought of conducting the same test on Indian webmail providers which are still popular and may people use it for mailing. I choose following 4 popular services and tired to create an account ssladmin@

1. indiatimes.com

2. rediff.com

3. india.com

4. sify.com

Here are my findings

1. Indiatimes.com - the account creation interface gave an error saying the account is already in use

2. rediff.com - denied saying this username is not allowed

3. india.com - denied saying the username is forbidden

4. sify.com - Oops! sify.com allowed me to create the account. Which means I could have gone to a CA and asked for a SSL certificate.

I got in touch with sify.com authorities but no one responded and they didn't either disabled my account for more than a week. Then I had to get in touch with head of portal business via LinkedIn and finally the account was closed. I'm still to receive a note of acknowledgement but atleast sify users are safe now.

Happy & Safe Browsing

How to setup twitter anywhere

2010-04-15T12:30:00.000-07:00

Today twitter announced public availability of @anywhere which I thought of giving a shot.
Yes it's easy to setup and works like charm

STEPS:

1. Go to the dev site of twitter anywhere

2. Login using your twitter account & go ahead to create an application

3. All inputs asked are pretty much intuitive

4. Go to you APP detail page & take a not of your API key

5. On your website simply add the code snippet preferably at the end just before


<script src="http://platform.twitter.com/anywhere.js?id=YOUR_API_KEY_HERE&v=1"></script>
<script type="text/javascript">
twttr.anywhere(function(twitter) {
 twitter.hovercards();
 twitter(".post").linkifyUsers();
});
</script>

6. Bang you are done. Now any twitter username on your webpage will be linked to twitter hovercacrd & a mouse over will show the fun

7. If you want to add this on any blog on blogger.com, simply add a "text/html box" under design layout and paste the code snippet in it.

8. To test I have added the same in this blog & now we'll see a few example with a little shameless plug of my twitter handles ;)

Mouseover these twitter handles to see @anywhere in action

My Twitter handles:

Technical tweets - @rohit11

General fun & casual tweets - @_rohit11

ClubHack - @clubhack

The world with a new look

2010-04-04T12:37:00.000-07:00

The way internet has barged into our lives, we have been seeing the world in a very new way.
I stumbled on this image created by Byte Level research LLC which shows the new world

As per Byte Level

Each ccTLD is sized relative to the population of the country or territory, with the exception of China and India, which were restrained by 30% to fit the layout. At the other end of the spectrum, the smallest type size used reflects those countries with fewer than 10 million residents.

[click image to enlarge]

Free WebApp Security Testing Tools

2010-02-23T20:04:00.000-08:00

A lot of tweets today informed me about launch of Damn Vulnerable Web App (DVWA) which is basically an aid for security professionals to test their skills and tools and help web developers better understand the processes of securing web applications.

I had an old list of tools/plug-ins/utilities etc which can be helpful while playing with DVWA and I'd like to share the same for you to learn WebApp Security better.

Proxy Servers:
WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
Burp: http://www.portswigger.net/suite/download.html
Paros: http://www.parosproxy.org/download.shtml

Injection Tools:
SQLMap: http://sqlmap.sourceforge.net/
SQLNinja: http://sqlninja.sourceforge.net/
Pangolin: http://www.nosec.org/en/pangolin.html

Some other HACKMEs:
WebGoat: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
Foundstone Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp

While doing webapp security testing, how can someone forget rsnake. Check out http://ha.ckers.org/ & specially his list of jailfree hacking sites @ http://ha.ckers.org/blog/20090406/hacking-without-all-the-jailtime

Happy Hacking

Prefetch files (.pf) - How to view them

2010-01-09T01:10:00.000-08:00

Every time you run an application on Windows box, a prefetch file is created in "c:\WINDOWS\Prefetch". This file with extension .pf keeps information for optimizing the load time of the application (as the name suggests).

I always wanted to see what's there in the .pf file. Recently NirSoft has released a tool called WinPrefetchView which can be used to see the content of these files.

image source : nirsoft.net

Note: This website http://nirsoft.net is a wonderful resource for nice tiny utilities for many system & password plays.

The year 2009

2009-12-31T06:25:00.000-08:00

On the brighter side :)
# Shifted to Delhi from Pune.
# Bought another car.
# Worked for Commonwealth Games 2010.
# Finally got married to Stuti.
# Went to Puri & then Nainital for honeymoon.
# Delivered talks/lectures in IIM Ahmedabad & IIT Madras.
# Tajmahal & Delhi tourism with Stuti along with few more places in north.
# Decided to quit Commonwealth Games 2010.
# Organized ClubHack2009.
# Organized Indo-UK cyber security roundtable conference in ClubHack2009.
# Did wardriving in Pune again
# Worked for some serious national security projects.
# & right now baking a cake for the new year :)

On the down side :(
# No bike rides this year. Need to get back there.
# No more girlfriends, those were the days...
# Very less parties, need to party more
# Didn't organized even a single BarCamp, just attended one.

In total a very happening year. Hope to have 2010 a better one

Wish you all the readers a very happy & prosperous new year.

Smartphone Security Tips

2009-12-23T07:59:00.000-08:00

image: wikipedia

Christmas & New year is here and its the time many people buy/exchange gifts. So if the next shiny gift in your hand is a smartphone, then remember following tips to be safe & secure your data.

1. Don't loose track of your phone.
This one goes non-technical. Don't loose the sight of your smartphone. Keep you eyes on it when you leave it anywhere, especially at the airport security checkin. The nature of data stored on phone makes it more important now

2. Turn off Wifi & Bluetooth
Keep wifi & bluetooth turned off when not in use. I'm sure you are smart enough by now not to accept unknown bluetooth connections but what about wifi. When you use wifi, always remember to use encrypted connections. BTW turning these off will also conserve your battery.

3. Do not sync everything
Its the first thing everyone tries to do after getting a smartphone, sync it up with your PC. Though it comes very handy, but avoid the temptation of syncing your password and very critical information which you often store in notes of outlook or similar apps. If the phone gets stolen, just remember you might be giving away everything.

4. Do not click on links in emails/sms.
SPAM has also gone smartphone way, now and then you might get an SMS/MMS for some offer and link to click. DONOT click any such link unless you have verified it in depth. Same goes for mails on phone, follow the similar rule of your PC.

5. Download apps with care.
The first thing anyone would love to do after getting a shiny new phone is download & install applications, that too loads of them. Always make sure you are downloading them from trusted sources. Sometime common apps are rebundled with malwares and kept for download at different websites. If you know an application, download it from its parent website only.

6. Backup your data.
Most importantly keep a backup of our data. A regular sync with PC will ensure this but still make sure you have copies of the phone data on your PC which I hope is regularly getting backed up.

Smartphones are actually the best gadget to digitise your life and really are very helpful. All you need to do is take little extra care and make it safe.

Merry Christmas & Happy New Year

two one za two

2009-12-16T06:28:00.000-08:00

two one za two
two two za four
two three za six

many of us have grown up mugging this and I always wondered what is this ZA, is it a synonym of "equals to" ??

Just a casual browsing today answered this long pending query of mine

its actually

two 1s are two
two 2s are four
two 3s are six

Thanks to the anonymous who clarified this thing to me today.

If we divide the whole table in columns, I always thought that its the "1st column" being counted "2nd column" times gives you the result in "3rd column". Its actually the "2nd column" counted "1st column" time gives you the result in "3rd column".

Confused? Have fun....

Download the Google Chrome OS Virtual Machine

2009-11-20T19:02:00.000-08:00

Last week, Techcrunch reported rumors of the release of the Google Chrome OS. They stated that the info came from a reliable source, and indeed that source was reliable. Google had an event at their headquarters, and indeed provided new details and a demo of the Chrome OS. The Chromium Blog has some great videos that provide some additional information about Chrome OS as well.

The Chromium OS source code is available for download (Chromium OS is the open-source version of Google Chrome OS), and you can compile and build it. It took some time, but I did manage to do this on my 64-bit Ubuntu 9.04 (Jaunty Jackalope) machine. I also managed to put together a VirtualBox virtual appliance that is all ready to go. I built a torrent for it, so feel free to download it here:

Download the Chromium OS VirtualBox Appliance Torrent

Please continue to seed, as I’m sure there will be many people out there wanting to try it out.

To use it, just start up VirtualBox, click File and then Import. Navigate to the chromiumos.ovf file and select it. The virtual appliance will be imported into VirtualBox and you should be good to go.

I also included a txt file that more or less has the commands I used to build it. You may be able to run it as a script, although I haven’t confirmed that it will work. I guess you could say I more or less took “script-like notes” as I was building Chromium OS.

If you hit Ctrl+Alt+T when you first log in, you’ll get a shell prompt. You can run “sudo su” (no quotes) to log in as root, and I’ve set the password to “password” (no quotes). If you use this machine for anything serious (although I doubt you would), be sure to change the password.

You should be running VirtualBox 3.0.12, and when you import the virtual appliance everything should be configured properly. If you get an error that says “network not connected and offline login fail” when you try to log in, be sure that the virtual network adapter is set to Intel Pro/1000 MT Desktop (82540EM).

If the network adapter is already properly configured but you are still seeing the error, try logging in with the user “chronos” with the password “password” (no quotes). This should log you in and bring up the chrome browser window. If you don’t see a Google Accounts login screen, try hitting the refresh button. That should bring up the Google Accounts login screen.

It is absolutely astounding how fast it boots. It really is nearly instant-on and takes a mere few seconds to bring up the login screen.

Once you log in with your Gmail account, it launches and you’ll see the Chromium interface open up to your Gmail. There is also a Google Calendar tab and a New Tab tab. The little chrome sphere appears in the upper left corner, but when you click on it you don’t get a menu as you see in some of the Chrome OS videos. Instead, you get a Google.com account login page.

As you can see, it looks very much like the Chrome OS screenshots that had surfaced last month. Of course, being that this is running on a virtual machine without any decent video drivers on the operating system, the resolution is quite low (800×600). Your dear old granddad may be the only one that actually finds it visually appealing at this resolution.

Right now the most impressive thing is how fast this operating system loads. Of course, it should load fast because there really is hardly anything there. In any case, it is rather neat to see an early release in action. The fact that it actually works on a virtual machine is quite promising. Eventually as drivers for more hardware are incorporated into it, it should be possible to run it your own real hardware.

I just went into the Chrome OS Wave I found with the link to the VMWare disk image, and apparently the poor guy that posted that file to Amazon Web Services ran up a $380 bill so he took the file down. Here’s the torrent of the same file posted up on Pirate Bay:

Download the Chromium OS VMWare Virtual Disk Image Torrent

However, I haven’t tried using it, so I can’t confirm that it will run on VMWare without issue. Enjoy your Google Chrome OS virtual machines!

[Via GeekLad]

Mind it, this is a simple copy of the blog entry, I was quite busy in preps of http://clubhack.com/2009 and no time to test this or re-write this :)

No responsibilities if this torrent/VM doesn't work ;)

Sunday fun blogging: Is that how twins are made...

2009-10-31T22:18:00.000-07:00

I thought you had to do it twice in a row ;)

Windows lovers' way

mac fanboys' way

What way will a Linux geek use? cp or ctrl+yy or something else???

Source: http://www.geeksaresexy.net/

Password analysis from 10,000 leaked Hotmail passwords

2009-10-07T22:44:00.000-07:00

On 5th October theregister reported more than 10,000 password were leaked mysteriously on pastebin.com. See this tweet

As a followup study "Acunetix Web Application Security Blog" did an analysis on the kind of password people use.

Some interesting findings are as follows-

Statistics:
The list initially contained 10,028 entries.
There are 8931 (90%) unique passwords in the list.

The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
The shortest password was 1 char long : )

Top 20 most common passwords:

123456 - 64 times
123456789 - 18 times
alejandra - 11 times
111111 - 10 times
alberto - 9 times
tequiero - 9 times
alejandro - 9 times
12345678 - 9 times
1234567 - 8 times
estrella - 7 times
iloveyou - 7 times
daniel - 7 times
000000 - 7 times
roberto - 7 times
654321 - 6 times
bonita - 6 times
sebastian - 6 times
beatriz - 6 times
mariposa - 5 times
america - 5 times

Password length distribution:
1 chars – 2 – 0 %
2 chars – 4 – 0 %
3 chars – 4 – 0 %
4 chars – 31 – 0 %
5 chars – 49 – 1 %
6 chars – 1946 – 22 %
7 chars – 1254 – 14 %
8 chars – 1838 – 21 %
9 chars – 1091 – 12 %
10 chars – 772 – 9 %
11 chars – 527 – 6 %
12 chars – 431 – 5 %
13 chars – 290 – 3 %
14 chars – 219 – 2 %
15 chars – 157 – 2 %
16 chars – 190 – 2 %
17 chars – 56 – 1 %
18 chars – 17 – 0 %
19 chars – 7 – 0 %
20 chars – 14 – 0 %
21 chars – 10 – 0 %
22 chars – 8 – 0 %
23 chars – 3 – 0 %
24 chars – 3 – 0 %
25 chars – 3 – 0 %
26 chars – 0 – 0 %
27 chars – 3 – 0 %
28 chars – 0 – 0 %
29 chars – 1 – 0 %
30 chars – 1 – 0 %

What kind of passwords were in the list? :

3,713 = 42 %; lower alpha passwords : passwords containing only characters from ‘a’ to ‘z’.
Example : iloveyou
291 = 3 %; mixed case alpha passwords : passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’.
Example: ILoveYou
1707 = 19 %; numeric passwords: passwords containing only numbers (’0′ to ‘9′)
Example: 123456
2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-'z’, ‘A’-'Z’ and ‘0′-’9′.
Example: Iloveyou12
565 = 6 %; mixed alpha + numeric + other characters.
Example: 1Love You$%@

Really wonderful analysis. Loved the way people think & care about their passwords

How to find the order in which drivers are loaded in Windows

2009-09-22T02:22:00.000-07:00

If you want to know the order in which Windows drivers are loaded during boot up you can see that. I'm not sure why would you like to know that but if you have time to kill you can try this.

C:\> wmic loadorder list full

The output will look something like this


DriverEnabled  GroupOrder  Name                                Status
TRUE           1           System Reserved                     OK
TRUE           2           Boot Bus Extender                   OK
TRUE           3           System Bus Extender                 OK
TRUE           4           SCSI miniport                       OK
TRUE           5           Port                                OK
TRUE           6           Primary Disk                        OK
TRUE           7           SCSI Class                          OK
TRUE           8           SCSI CDROM Class                    OK
TRUE           9           FSFilter Infrastructure             OK
TRUE           10          FSFilter System                     OK
TRUE           11          FSFilter Bottom                     OK
TRUE           12          FSFilter Copy Protection            OK
TRUE           13          FSFilter Security Enhancer          OK
TRUE           14          FSFilter Open File                  OK
TRUE           15          FSFilter Physical Quota Management  OK
TRUE           16          FSFilter Encryption                 OK
TRUE           17          FSFilter Compression                OK
TRUE           18          FSFilter HSM                        OK
TRUE           19          FSFilter Cluster File System        OK
TRUE           20          FSFilter System Recovery            OK
TRUE           21          FSFilter Quota Management           OK
TRUE           22          FSFilter Content Screener           OK
TRUE           23          FSFilter Continuous Backup          OK
TRUE           24          FSFilter Replication                OK
TRUE           25          FSFilter Anti-Virus                 OK
TRUE           26          FSFilter Undelete                   OK
TRUE           27          FSFilter Activity Monitor           OK
TRUE           28          FSFilter Top                        OK
TRUE           29          Filter                              OK
TRUE           30          Boot File System                    OK
TRUE           31          Base                                OK
TRUE           32          Pointer Port                        OK
TRUE           33          Keyboard Port                       OK
TRUE           34          Pointer Class                       OK
TRUE           35          Keyboard Class                      OK
TRUE           36          Video Init                          OK
TRUE           37          Video                               OK
TRUE           38          Video Save                          OK
TRUE           39          File System                         OK
TRUE           40          Event Log                           OK
TRUE           41          Streams Drivers                     OK
TRUE           42          NDIS Wrapper                        OK
TRUE           43          COM Infrastructure                  OK
TRUE           44          UIGroup                             OK
TRUE           45          LocalValidation                     OK
TRUE           46          PlugPlay                            OK
TRUE           47          PNP_TDI                             OK
TRUE           48          NDIS                                OK
TRUE           49          TDI                                 OK
TRUE           50          NetBIOSGroup                        OK
TRUE           51          ShellSvcGroup                       OK
TRUE           52          SchedulerGroup                      OK
TRUE           53          SpoolerGroup                        OK
TRUE           54          AudioGroup                          OK
TRUE           55          SmartCardGroup                      OK
TRUE           56          NetworkProvider                     OK
TRUE           57          RemoteValidation                    OK
TRUE           58          NetDDEGroup                         OK
TRUE           59          Parallel arbitrator                 OK
TRUE           60          Extended Base                       OK
TRUE           61          PCI Configuration                   OK
TRUE           62          MS Transactions                     OK
FALSE          63          Network                             OK
FALSE          64          Pnp Filter                          OK
FALSE          65          MMC                                 OK
FALSE          66          MemoryStick                         OK
FALSE          67          SmartMedia/XD                       OK
FALSE          68          ExtendedBase                        OK
FALSE          69          WdfLoadGroup                        OK

This will show you the order in which drivers are loaded on your windows box.

Note to self: stop posting if see that you haven't posted anything since long ;)

First cut preview of Firefox 3.5 in Hindi

2009-06-30T10:40:00.000-07:00

While downloading Firefox 3.5 I just noticed the new version was available in Hindi too. So I tried my hands on the Hindi locale of the Firefox 3.5 & here are some sneak previews

Main Window

File Menu

They tried translating everything

Tools > Options

But seems like were not able to succeed

An open Wedding Invitation to all my friends and followers online

2009-04-13T01:32:00.000-07:00

Wedding Website: http://shaadi.rohit11.com
Date: 27th April 2009
Place: Territorial Army Institute, Maidan, Kolkata
Time: 7pm Onwards

I'm TRYING to do a online streaming of the celebration with help of few friends for those who can't make it to the event. Details on the website.

All you need to do is RSVP in time if you can come so that I can make necessary arrangements.

Indian IT act made little easy for common man

2009-03-11T23:46:00.000-07:00

Understanding Indian IT act (& amendments) made little easy for common man

Crime: A mobile phone or computer or any electric device is stolen.
Section to be applied: 66B.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: Data owned by you or your company in any form is stolen.
Section to be applied: 66B.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: Data or computer or mobile phone owned by you is found in the hands of someone else.
Section to be applied: 66B.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: A password is stolen or used by someone else.
Section to be applied: 66C.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: An e-mail is read by someone else.
Section to be applied: 66C.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: A biometric thumb impression is misused.
Section to be applied: 66C.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: An electronic signature or digital signature is misused.
Section to be applied: 66C.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: A web page is created in your name and you have not authorized it.
Section to be applied: 66D.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: A Phishing e-mail is sent out in your name, say maligning someone or asking for donations.
Section to be applied: 66D.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: An Orkut profile is created in your name.
Section to be applied: 66D.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: An e-mail id is created on a website like hotmail or yahoo in your name.
Section to be applied: 66D.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: On an Internet chat site a false nickname is used.
Section to be applied: 66D.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: SMS’s are sent out in your name.
Section to be applied: 66D.
Punishment: Jail term up to 3 years and/or fine up to 1 lakh.

Crime: Clicking of an obscene photograph without a person’s consent or knowledge.
Section to be applied: 66E.
Punishment: Jail term up to 3 years and/or fine up to 2 lakh.

Crime: Transmitting of an obscene photo of a person unknowingly.
Section to be applied: 66E.
Punishment: Jail term up to 3 years and/or fine up to 2 lakh.

Crime: Placing a person’s obscene photo on a web site.
Section to be applied: 66E.
Punishment: Jail term up to 3 years and/or fine up to 2 lakh.

Crime: Sending a terror email.
Section to be applied: 66F.
Punishment: Jail term up to life.

Crime: Misusing a Wi-Fi connection for acting against the state.
Section to be applied: 66F.
Punishment: Jail term up to life.

Crime: Planting a computer virus that acts against the state.
Section to be applied: 66F.
Punishment: Jail term up to life.

Crime: Conducting a denial of service attack against a government computer.
Section to be applied: 66F.
Punishment: Jail term up to life.

Crime: Stealing data from a government computer.
Section to be applied: 66F.
Punishment: Jail term up to life.

Crime: Tampering with certain computer source code.
Section to be applied: 65.
Punishment: Jail term up to 3 years and/or fine up to 2 lakh.

Crime: Wrongful loss or damage caused by the use of technology by anyone.
Section to be applied: 66.
Punishment: Jail term up to 3 years and/or fine up to 2 lakh.

Crime: All activity relating to pornography in general.
Section to be applied: 67.
Punishment: Jail term up to 10 years and/or fine up to 1 lakh.

Crime: Any activity relating to child pornography.
Section to be applied: 67B.
Punishment: Jail term up to 5 years and fine up to 10 lakhs.

Crime: Every technology user must maintain logs of all e-activity that takes place.
Section to be applied: 67C.
Punishment: Jail term up to 3 years and/or fine.

Crime: You must allow the state to install software on your computers or mobile phone that will monitor all e-activity.
Section to be applied: 69.
Punishment: Jail term up to 7 years.

Crime: You must allow the state to decrypt all communication that passes through your computer or network.
Section to be applied: 69.
Punishment: Jail term up to 7 years.

Crime: You must provide access to everything stored on your computer or mobile phone to the relevant authorities.
Section to be applied: 69.
Punishment: Jail term up to 7 years.

Crime: You must block access to sites that the state decides.
Section to be applied: 69A.
Punishment: Jail term up to 7 years.

Crime: In a sense all computer users are ISP’s. We must allow the state to monitor and decrypt all traffic that passes though our home grown networks.
Section to be applied: 69B.
Punishment: Jail term up to 3 years and a fine.

Crime: Service providers like Blackberry and others must hand over the decryption master keys to the state.
Section to be applied: 69.
Punishment: Jail term up to 7 years.

Got this via email, source not very clear. This is a suggestive list, advised to recheck; DON’T take these as final verdict of supreme court ;)

UPDATE (24th Mar 09') : Ministry of IT has finally published the amendment online on the website http://mit.gov.in
Direct Link: http://mit.gov.in/download/it_amendment_act2008.pdf
Now its _more_ official now

Punetech is...

2009-03-05T23:41:00.000-08:00

I was thinking of writing a blog on the first B'day of PuneTech and tried some online tricks

Google: "PuneTech is..."

# PuneTech is a free, non-commercial website run by volunteers to disseminate information about information technology and software engineering in Pune.

# punetech is of course a great service

# PuneTech is a service co-ordinated by the people who run punetech.com

# Punetech is worth USD $8 Million in #pulling-a-leg-or-then-maybe-not

# PuneTech is managed by Navin Kabra.

# PuneTech is a non-commercial site that collects information about all interesting technology in Pune. PuneTech makes no profits on PuneTech merchandise.

# PuneTech is a non-commercial, by the community, for the community site.

# punetech is using Twitter

# PuneTech is a community portal exclusively focused on the innovative IT companies and startups in Pune.

# Punetech is a blog started by highly experienced fellow technology enthu, Navin Kabra and he is being supported by excellent team like Amit Paranjape, Manas and others

And once upon a time I twitted the
# @punetech is a boon to Pune tech community. A real good source for all the geeks info. @ngkabra I'm missing such a good stuff in Delhi man. (twit)

Happy Bday PuneTech, its indeed a Boon.

chat protocol

2009-02-25T08:48:00.000-08:00

Scenario 1: You forgot(or don't want) to go offline and you are projecting your screen on projector with some serious discussion in a busy conference room and bang! an old friend messages you on messenger "Hi Sexy"

Scenario 2: You are sitting with someone say Mr. A and another friend say Mr. B sends you a message about Mr. A. You know what kind of message I'm talking about

These kind of sudden and uninvited chat messages can disturbing at times. So in one of my previous organization we had a protocol for chatting. I found it very helpful and slowly many of my friends have started following it.

Here's how it goes, PLEASE try to follow the same when chatting with me and may be others too. This will make the online life bit comfortable for you and your friends

[?] To start a conversation, send a question mark only. Yes a simple " ? " only. This can mean anything as per your understanding like "Can we chat?" or "are you there?".

Now the answer to this question can be yes no or later

[Y] So if the answer is YES, the person replies " y ". Which means "I'm comfortable chatting with you at this moment, tell me"

[N] If the answer is NO for reasons like "I'm busy", or "Can't chat" or whatever, the person replies " n ". If you get a " n " DO NOT send any more message, not even "OK, I'll ping you later" It like saying DO NOT DISTURB

[5] or for that matter any number like " 10 " - "15 " means busy right now, lets talk after 5 (or 10-15) minutes. This comes very handy when you want to chat but because you are preoccupied in something which you can't leave in between.

[ ] If in case there is no reply from the other side, there can be 2 reasons. Too busy to say a " n " or not near the computer. The best option in this case is treat it as " n " and DO NOT disturb

Looking at so many shortcuts, we devised another shortcut. It was " b " this time which means BYE that comes at the end of conversation.

I strongly recommend all my friends to use this protocol while starting a chat with me. Share the protocol with your friends and see the difference.

How far you are from Obama...

2009-01-21T23:23:00.000-08:00

I was just going through my LinkedIn account and noticed that Barack Obama is just 2nd degeree away from me :))

I know this might not make a lot of sense but still...

How far is he from you???

Cheat Sheets: Networking, Hacking, Security, Administration, Tools

2009-01-13T17:41:00.000-08:00

Here is a bunch of CheatSheets which might be useful from time to time to use as a reference:
# TCP/IP and tcpdump Cheat Sheet - SANS.org
# Google Hacking and Defense Cheat Sheet - SANS.org
# Intrusion Discovery Cheat Sheet Windows - SANS.org
# Intrusion Discovery Cheat Sheet Linux - SANS.org
# SQL Injection Cheat Sheet - ha.ckers.org
# Cross Site Scripting Cheat Sheet - ha.ckers.org
# Web application Cheat Sheet - secguru.com
# Linux Security Quick Reference Guide - Linuxsecurity.com
# LINUX Administrator’s Quick Reference Card - cheat-sheets.org
# Oracle Security Cheat Sheet - red-database-security.com
# Nmap & Nessus Cheat Sheet - secguru.com
# Security Incident Survey Cheat Sheet - zeltser.com
# Initial Security Incident Questionnaire for Responder - zeltser.com
# BGP, EIGRP, First Hop Redundancy, 802.1X, IPsec, IPv4 Multicast, IPv6, IS-IS, OSPF , STP, tcpdump, Wireshark, Common Ports, IP Access Lists, Subnetting, Markdown, MediaWiki, MPLS,QoS, VLANs, Cisco IOS, Physical Terminations Cheat Sheets - packetlife.net

If you have more, post them in comments & I'll update the list :)

Life in (Delhi)metro !!!

2009-01-10T05:34:00.000-08:00

I came to Delhi 2 weeks back. Wanted to write a lot but not getting enough time.
Actually not getting enough time to write a blog post, twittering is still on at full speed (@rohit11)

Lets divide the post into sections
WINTER:
Freak, Don't even talk about that. I have spent my 3 years in Meerut which is some 70km from here. Have tasted this north Indian winter, but in last 6+ years Pune weather has pampered me and now this is feeling at extreme. What Delhi winter (or north Indian winter) is like
# Tip of your nose will be chilled like anything
# Toes will be cold even after they are locked in shoes for hours together
# Hands will be cold even inside gloves. Best option is sit on them to keep them warm.
# You'll be wearing those "body warmers". Till now I used to see them TV commercials only, but now I bought them too.
# One quilt/blanket is never sufficient

FOG:
# Your morning/late evening flights will be delayed
# Your not so late evening flights will also be delayed(ref: my trip to Ahmedabad)
# Driving with parking indicator on
# Special fog lamps on cars, and in some cases yellow cellophane sheets on the car headlamp ;)

METRO:
# Delhi metro is nothing different from Mumbai's local. Just this one has AC ;)
# Same kind of rushing/pushing/struggling crowd
# The only good is that the doors get closed
# On Rajiv Chowk (CP), there are barriers and security officials to assist you to board the train.
# If too much crowded, then they will assist the door closer too by pushing passengers inside and for the automatic doors to close, that was a funny scene

FOOD:
# Delhi is a place for foody like me ;)
# Don't bother about the dripping butter on our paratha
# Delhi-cious food, no doubt
# Wonderful non-veg, ultimate cooks live in North India only
# Yummy road side snacks
# Don't miss "Thank God Its Friday" @ CP

CITY:
# Is more green than last time I saw it
# Infrastructure is developing very fast, some people thank commonwealth games for it.
# Metro (as discussed) is a wonderful public transport, very decent & serious service
# Roads are very nice & wide, atleast as compared to Pune
# Houses, (metro syndrome) less space and people have tuned to live with it.
# Cars, not even a single one is without a scratch or a dent, not even a new one. Some people put small dent as soon as they buy a new car. some kind of shagun (lucky charm). I have seen this myself.
# Pollution, yes it is there, more of suspended particle than smoke. City full of dust.

That's enough about Delhi now, I might post a few updates in this series, not very sure though ;)