Poor man’s view of the world

A humble tribute to ToGg – the Great God of Technology

Guide to life – the *nix way

The *nix family of operating systems has a very rich syntax. So I figured, why not write a comprehensive guide to life using *nix syntax?

As a humble beginning, here is the first page that summarizes the “moral of the story” of the game called life:

The English version

You are a prisoner of your yesterday, you cannot escape it
You are a slave to your tomorrow, you will always fear it
But today, my friend, is yours, enjoy it

- Rohas Nagpal aka Poorman

The *nix version:
(No flames for errors, this code is not supposed to run... it's just for fun ;)

finger you
yesterday
tomorrow
today

nslookup yesterday
prisoner .bash_history
logout
ERROR: Cannot escape

nslookup tomorrow
slave
ls tomorrow
fear
fear1
fear2

nslookup today
en.jo.y

- Rohas Nagpal aka Poorman

29 December 2007 at 12:51 - Comments

In search of the perfect Operating System

My first “real” experience with computers was on a Windows 3.1 machine. (Of course I had tinkered around with a lot of “non-GUI” operating systems as a kid, but let’s get real – that’s ancient history).


Windows (in its myriad variations) is a great set of operating systems (except maybe Windows Millennium Edition). Its ease of use and massive popularity also make it the most (successfully) attacked.

Linux (with its wide range of flavors) is a great open source choice – saves you money and gives you a great and secure product. But after years of working with different operating systems, I have come to one conclusion – BSD rocks!!


BSD (Berkeley Software Distribution) is the name of distributions of source code from the University of California, Berkeley, which were originally extensions to AT&T’s Research UNIX operating system.

BSD comes in many flavors, notably -

FreeBSD – currently the most popular version, it is easy to use and very high on performance. (btw Yahoo runs on FreeBSD)


NetBSD is considered a particularly good choice for running on old non-Intel hardware. Its main aim is maximum portability. It runs on almost everything – from palmtops to large servers.

OpenBSD is the popular choice for banks, stock exchanges and Government departments. Its core guiding principle is code purity – derived from a brilliant combination of open source and rigorous code reviews.

8 October 2007 at 14:58 - Comments

Can your gmail account really be hacked?

As of 27th September 2007 – yes!

A malicious hacker can misuse Cross-site request forgery (CSRF) to redirect a copy of all your incoming emails to his account! CSRF is also referred to as “one click attack” or “session riding”.

[Before you read any further please understand gmail filters by logging into your gmail account and going to Settings – Filters.]

CSRF is an attack in which unauthorized commands are transmitted to a website from a user that the website trusts. Let's take a simple example to understand this:

  1. Pooja is checking her email on a very safe computer (totally patched, fire-walled, with the latest updated antivirus etc etc) using a very safe browser.
  2. Because she is logged in to gmail, the gmail authentication cookie is present on her machine.
  3. She receives an email from Priyanka containing a really funny joke. The email contains a link to a site which promises her lots more funny stuff. She clicks on the link and is very happy with the site that opens up.
  4. What she does not realize is that this joke site has forged a POST request to the gmail “Create Filter” wizard. This creates a filter that forwards a copy of all emails coming into Pooja’s account to Priyanka!
  5. Gmail accepts the request to create the filter because the genuine gmail account holder (Pooja) is authenticated and logged in at the moment and her session cookie is passed along with the forged request.
  6. This new gmail filter will keep stealing Pooja’s emails till she manually checks her filters and realizes that there is an unauthorized one.

I carried out a small experiment wherein I requested a filter to forward all emails to a particular account. On analyzing the data transfer between my browser and gmail (using Tamper Data extension for Firefox) I found that the relevant GET parameter is cf2_email.
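A server-side check that would refuse the forged request of steps 4 and 5, as an added sketch that is not from the original post and is not Gmail's code. The hostnames, the request dict layout and the function names are assumptions, and every sample request is constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)          # constructed server-side secret
TRUSTED_ORIGIN = "https://mail.example.test"  # constructed hostname

def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in its own settings form, bound to the session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def accept_create_filter(request: dict, sessions: set) -> tuple:
    """Return (accepted, reason) for a 'create filter' request (hypothetical dict)."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in sessions:
        return False, "not authenticated"
    # The cookie only proves the browser is logged in; browsers attach it to
    # cross-site requests too, so it cannot prove the user asked for this.
    if request.get("method") != "POST":
        return False, "state change refused over GET"
    origin = request.get("origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False, "cross-site origin"
    supplied = request.get("form", {}).get("csrf_token", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo() -> dict:
    """Run one genuine and three forged requests (all constructed) through the check."""
    sid = "constructed-session-id"
    genuine = {"method": "POST", "origin": TRUSTED_ORIGIN,
               "cookies": {"session": sid},
               "form": {"forward_to": "me@example.test",
                        "csrf_token": csrf_token_for(sid)}}
    # Step 5 above: the cookie rides along, but the other site cannot read
    # the token out of the account holder's settings page.
    forged = {"method": "POST", "origin": "https://jokes.example.test",
              "cookies": {"session": sid},
              "form": {"forward_to": "other@example.test"}}
    cases = {"genuine": genuine, "forged": forged,
             "forged_no_origin": {**forged, "origin": None},
             "forged_get": {**forged, "method": "GET"}}
    return {name: accept_create_filter(req, {sid}) for name, req in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The forged request without an Origin header is the case that only the session-bound token stops, which is why the token check does not depend on the header being present.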

See the following for more information on this -

Many thanks to Giorgio Maone for his post on this issue. As Giorgio says – this exploit is “Very clever and very dangerous.”

27 September 2007 at 14:05 - Comments

School of thought

There was a nice article about me in Citadel some time back. It can be downloaded from:

http://www.rohasnagpal.com/school-of-thought.jpg

20 September 2007 at 19:29 - Comments

DriveSentry personal data firewall

I recently tried out DriveSentry, a personal data firewall that works on a PC as well as a removable drive.

According to DriveSentry.com… “DriveSentry complements your existing anti-virus tool by detecting threats to your system using a patent-pending technology. DriveSentry is an intelligent firewall for your drives that works by allowing only applications that you authorize to write to your files. An example is that you can grant access to Microsoft Word to write to a document, but a virus attempting to do the same would trigger a warning”.

The most interesting claim made by the company is that DriveSentry can be used to “enhance your conventional anti-virus software by protecting against zero day attacks”. If DriveSentry can actually achieve this, then it would solve a lot of security issues.

Test on WinXP machine

I performed a simple test to try out DriveSentry on my local machine. This test was performed on a Win XP SP2 machine running an updated AVG antivirus.

1. First I wrote a simple js code that can modify the hosts file of a Windows machine.

2. When I ran this js file, the AVG antivirus did not give any alert. The code changed my hosts file!

3. I then installed DriveSentry on my machine and configured it to protect the c:\windows\system32\drivers\etc\ folder.

4. I then again ran the js code. DriveSentry blocked it and showed a medium risk level.

5. However the “online advice” option recommended that I “ALLOW write access”.

Conclusion: DriveSentry seems to have a lot of potential. The product is still in beta so there are lots of improvements expected. The “online advice” system will grow with the user base. The database of user “advice” is currently too small to trust.

15 September 2007 at 17:11 - Comments

3 simple ways to beat a keylogger

A major security concern for users of online banking / share trading is keylogging.

Simply put, a keylogger installed on your computer could pass on your login credentials (credit card information etc etc) to a cyber criminal. What the criminal could do with this information is anybody’s guess and your worst nightmare.

A recent BBC investigation revealed how a six-year-old British girl hacked into the highly sensitive computer system at the House of Commons using keyloggers. Click here for the detailed story.

The issue is compounded if you use a public computer (e.g. at a cyber cafe, airport lounge, library, hotel etc) to log into your email / banking account.

There are some simple methods that can be used to beat a keylogger (no guarantees !!):

1. Carry a portable version of Firefox with the KeyScrambler Personal add-on. (KeyScrambler Personal “encrypts your keystrokes at the kernel driver level to protect your login information from keyloggers”). You can carry this on a USB drive. Whenever you need to use a public computer, connect your USB stick and use your private secure Firefox browser.

2. Carry your passwords in a randomized manner on a USB stick. e.g. if your password is Priyanka_$_chopRA, all you have to do is carry a text file with the words Priya, ankarra, chop and RAM somewhere in a whole lot of meaningful text. While logging in, copy and paste the said words onto the password input box. A little tedious, but very effective against text keyloggers… WARNING!! – may fail against screen shot capturing keyloggers.

3. Carry a portable antivirus on your USB stick and run it on the public computer. Note: Not very effective and not very easy to do.

8 September 2007 at 14:45 - Comments

My feature in Times “Lead India”

Times of India has profiled me as part of their “Lead India” initiative coverage.

“Pune has had its fair share of applicants for the Lead India initiative which gives ordinary citizens with extraordinary leadership qualities a chance to change the political and social situation around them. One such person is Rohas Nagpal, cyber crime specialist.”


Click here for the scanned version of this article.

Some other Times of India articles featuring my comments / interviews:

Chain emails have netizens in a bind

Cyber crime not just about credit cards

Hi-tech voyeurism not covered under IT Act!

Look who’s watching!

Clicking porn and viewing it no legal offence

Cyber criminals are just too smart

Confusion prevails over tackling cyber crime

Cyber crime fighters seek Indian expertise

The new phony crime: SMS spoofing

6 September 2007 at 18:38 - Comments

Biometric based Digital Signature scheme

Way back in 2002, I had proposed an Internet Draft “Biometric based Digital Signature scheme”. It did not make it to the status of an RFC, but I hope someone somewhere can build on the concept.

Abstract:

Digital Signatures are fast emerging as a viable information security
solution, satiating the objectives of data integrity, entity
authentication, privacy, non-repudiation and certification.

The technique, as it stands today, faces the problem of the
maintenance of the secrecy of the private key. This document provides
a conceptual framework for the establishment of a biometric-based key
generation scheme.

In this scheme, the private key is generated each
time a document or record requires to be signed. Such generation is
based upon a combination of biometric traits.

View the complete document

4 September 2007 at 16:14 - Comments

Lemon Laws

Although this citrus fruit has a major hand in some of the world’s most delicious foods, why, one asks, is the lemon associated with lemon laws – American laws relating to predominantly faulty vehicles? One expert guess is that both lemons and problematic vehicles leave a sour taste in the mouth, in one case literally.

In the early 19th century, the term lemon symbolized an unfriendly person – a sour puss. Consequently, a lemon came to describe anything that was faulty or had a defect. This association can be retraced to 1909 when American slang gave it the connotation of a person who can be taken for a ride. British slang also used “to hand someone a lemon” to refer to cheating someone by passing off a low quality product as a good one.

The Ford Edsel, introduced in 1957, also came to be called a lemon due to its failure to keep customers happy. Another reason for this was the horse-collar grille that the car was identified with. Customers believed that the grille made the car look like a Mercedes-Benz sucking on a lemon.

The word may have originated anywhere; however, the lemon is now legally related to faulty or defective vehicles (and in some US states – anything mechanical).

A general rule for identifying a lemon is that it should have been taken in for the same repairs at least four times or should have been out of service for a total of thirty days during the period of coverage. Often this period is one year from the delivery of the vehicle or the term of the written warranty, whichever is shorter.

For more visit -

http://www.asianlaws.org/library/general-laws/lemon-laws/index.htm

6 August 2007 at 21:27 - Comments

More on the stick

In today’s hi-tech world, where every T, D and H owns a laptop and more, a fully equipped pen drive still makes a lot of sense.

The top 5 scenarios where a pen drive loaded with the right apps makes great sense are:

1. You regularly work on a set of files on different computers (one at the office, one at home, one on the go blah blah blah…).

2. The “friendly” neighborhood sysadmin has forbidden installation of software on the office machines.

3. You are going on a well deserved vacation (and you obviously don’t want to lug the laptop around) …. but you need to carry important files in case there is an emergency and you need to work from a cyber cafe.

4. You need to back up files (pen drives are smaller than CDs and DVDs).

5. You want to carry some great videos / movies around.

26 July 2007 at 13:07 - Comments