Maumoon Abdul Gayyoom: The astrological portrait

Today is supposed to be the birthday of Maumoon Abdul Gayyoom, who happens to be known by many popular aliases such as The President of Maldives, The President, His Excellency, Zaeemu, Al-Usthaaz (or rather *the*usthaaz), MAG, Maanu, Maumoonu and lately more famous under the monikers The Dictator, The Oppressor and Golhaaboa. I am sure you all know him. First and foremost, let me wish him: happy birthday Maumoon!

I have to admit that Maumoon is probably one of the most interesting figures in Maldivian history. I am impressed by what he has achieved - though I shall take liberty in not being too specific in what I think he actually achieved. He has suppressed (and thus defeated) all opponents for 27 years. He has ruled (and manipulated) the populace of a country for longer than I have been alive. His oratory and literary abilities have captivated much of the population. His presence is respected by many. He has maintained a solid image to the world. He even managed to get a writer to immortalize him by beautifully sculpting a impressive image of himself in a book titled "A Man for all Islands". The name of the book, chosen by him of course, goes a long way in hinting at the sort of person he is. All in all, he seems to have played most cards right. :-P

Anyway, to celebrate the day I decided to share the horoscope of the man himself. I do not know the accuracy of the birth details used to generate the report and thus I do not claim this to be a valid astrological representation of him. All I can vouch for is that this is a professional software-generated astrological report in its original form and that it makes for a very interesting reading. Jump to page 29 of the document to begin reading the chart interpretation texts.

Click here to download the horoscope report for Maumoon Abdul Gayyoom.

Trippy photos

These photos were taken a few nights back when I went around Bristol city with a few mates. They looked so trippy that I just had to share them. If only real life looked as colorful as this, always (sigh). :-)


Outside Bristol Industrial Museum


Orange light has a mysterious allure (well, to me atleast!).


I love thisssssss.


Across the river.


Another random blurry photo.


The city - as seen from high afar.


Water fountains.


Water jump: water frozen in air!

WebSMS for phpBB

In the wee hours of this morning, in a moment of boredom, I wrote up (yet another) little script to send SMS via the Dhiraagu WebSMS facility. This particular one integrates into phpBB forums. I have been bugged for quite some time by several people to write them such a script, so finally here it is!

The script is the result of a quick and dirty job but is decent enough to be used without any problems. There are no configuration options that need to be setup and the script creates the necessary database tables upon first run. The user interface and back-end code has been mixed up into one file to make matters simpler. I may add features in the future to let it be skinned using separate phpBB style templates.

The installation is as simple as placing it in the root phpBB folder and accessing it via a browser. Refer to the "readme.txt" file included for step-by-step install and setup instructions. The script is free for use on your forums/portals. Please keep the credits intact or alternatively add a link to my blog on your site. Enjoy!

Download WebSMS 4 phpBB Version 0.1 (5Kb Zip file)

Work and rejections...

Time flies! I didn't realize it had been 10 days since my last blog post. I guess it happens when you are trying to enjoy holidays. *Such* a lovely holiday it has been thus far I tell you. :S

The (company) work laid out for the holidays has been going on as planned. We've taken on board a dedicated designer to help us with the influx of projects. A few of the projects have reached a conclusion while more new stuff has come our way. The work has been erratic though and going forward in short, sudden bursts. It is quite a wonder how we make progress but that is not to say we are useless and inefficient. The time differences and frequent travel schedules of our group has been the annoying culprits. We continue to face major obstacles in ridding ourselves of the problems of having the team geographically separated and spread. We are working on implementing automation and work flow management systems at Technova to help organize ourselves and the work for more coherence. The efficiency and through-put of the company is expected to rise once we get the systems into use.

Meanwhile, my romantic pursuit has resulted in zilch. I met this girl about a month ago and immediately developed an intense attraction to her. I had a genuine interest in her as a person and that was further cemented as I got to know her better. I dared to ask her out recently for a movie date but ended up getting turned down point-blank, cold and emotionless! Getting turned down when you are pumped with excitement and brimming with confidence surely delivers the equivalent of an agonizing kick to the nuts. Unsurprisingly, I still am very much interested in her but I think I shall let fate play the cards the way it wants for the time being. In any case, it maybe time I brush up on dating basics and tune-up my wooing talents... :-)

Toodles.

Time-out

Oh boy Oh boy Oh boy! I've got a four week break away from the university starting yesterday. I am so glad I don?t have to wake up early morning and I could even numb my mind from the usual bombardment of information that I subject my poor brain to everyday. Anyway, a timeout from studies to settle other matters queuing up in my life seems to be an essential step right now.

There seems to be a gazillion projects Technova needs to handle and finish now. We are currently working on several projects including websites for National Center for Information Technology and Miadhu Daily newspaper. I also have one project lingering from the days I was freelancing earlier this year after I resigned from Itek Pvt Ltd (a business I had co-founded and worked under since 1999). The holidays have given me time to dive back into programming.

I can now spare chunks of time to work on my pet projects as well. There are quite a few technical experiments I have wanted to undertake over the past few months - like I could finally take out that PIC chip I've had stashed in my cupboard and get on with experimenting with microcontroller programming. I think my electronics course covers PIC programming next semester so this hopefully will be beneficial for then too. This year has also seen the coming of what has been named "Web 2.0" and other new technologies that am just dying to read up on and familiarize myself towards fluency. The science book I am trying to write can also begin with new vigor and maybe reach a conclusion.

The winter holidays coincides with the beginning of a period that my horoscope calls an excellent time for love and relationships. So hoping that the astrologer is right, I?ve decided to head out to acquire new female companionship ( that's ?female companionship? as in "girlfriend"!). This concludes a period of conscious aversion to females. Hehe. :-P

Dhiraagu E-Bill flaw!

I came back from shopping this evening to find that my brother had messaged me on MSN Messenger saying he wanted to talk to me about something quite urgently. I called him up only to find him answering on the first ring and then unloading a megaton worth of speech in under a minute. He sounded excited and mostly illegible so I took my time digesting what he was saying. Basically what he said was that he had been checking the monthly call details of our home line when he got curious and took a look at the Dhiraagu E-Bill system to see what goes on under the skin. What he found was more than intriguing and he wanted me to investigate it further. (My brother has a bit of what he found out on his blog.) Now, here's my take on it.

Overview
The flaw Jaheen stumbled across lies in the online phone records viewing facility called E-Bill provided by Dhiraagu. Specifically, the flaw exists in the bill downloading section of this online application that allows registered users to download the call records for their line. The lapse in appropriate security measures and the utmost trusting of the data provided by the user seem to let a (malicious?) user view the call details for ANY account number of a Dhiraagu customer.

Walk-through
First, I should note that in order to access and execute the flaw, you need to be a registered user of the E-Bill facility. You need to log in and have a valid session underway to access the required bill downloading facility.

That said, viewing the bill of a specific user is not that trivial a task either. The account number of the desired customer needs to be provided to the system instead of merely providing the customer's telephone number. The account number is printed on the monthly bills that Dhiraagu sends out. The account number is printed in the format XX/XXXXXX/XXXX, where the Xs represent digits. Individual user targeting is thus limited greatly but this is not to say that the consequences of this bug are thus insignificant. It is always possible to mess around and generate a combination of digits which in turn will quite likely correspond with a valid account number of some random customer. A very possible scenario could be an attacker generating all the combinations of the numbers and asking for the bills for each of these generated account numbers!

I duplicated the execution of the flaw using the same "tools" my brother used; i.e. using the Live HTTP Header extension for Mozilla Firefox. This extension is quite handy for these sorts of uses and misc. other debugging purposes.

Forging ahead, first up the E-Bill interface is accessed and login process completed. This gives a cheesy interface that looks like this.


The bills download feature is accessed by clicking on the "Download bills" link from the left menu. The page that comes up next differs depending on the E-Bill account type and the number of telephone numbers combined into the E-Bill account that was logged in with. Skipping ahead, the E-Bill system throws up a page that looks like this:


Now this is where the magic begins. Enter the time duration for which the call records are desired. The select the appropriate links to get to a download page where you are asked to click a button to start the downloading. HTTP Live Header (HLH) extension comes into play at this point. HLH is set to capture the traffic. Then the download button is clicked and soon enough Firefox happily displays the download save dialog for the file being received. The file is saved but there is nothing abnormal till this point still.

Now to execute the amazing rabbit-out-of-hat magic of the E-Bill system, a bit of sleight-of-hand is added the process. The button click in the above mentioned download process creates a HTTP POST request which shows up among the last on the status window of HLH. This request is selected and the "Replay" button clicked to replay the download process with a few changes for the final effect.


As shown above, the highlighted "account=xxxxxxxxx" bit tells the E-Bill system which account number to generate the call records for! This is where our opportunity comes. This number is then changed to a known account number or any random number and the HTTP "replay" continues as normal. Soon as the modified request is replayed, the E-Bill system again spits out a call records file for download. The difference this time? It is no longer the call records for the logged in account but for the account number furnished in the modified replay.


Conclusion
Simply by manipulating a single 12 digit number that the E-Bill system trusts the user?s browser with, we can extract the phone records of ANY Dhiraagu customer. This is a serious flaw and the resulting breach of privacy is a major concern for customers who no doubt would want their phone usage records to be kept safe and confidential.

Underground films

I recently stumbled across an interesting website called "Undergroundfilm". This site contains a growing collection of indie movie productions. You can find a variety of movie types there, ranging from cheesy advertisements to documentaries on topics you will not find on public TV channels. The "Highly rated" and the "Featured films" section on the site may provide a good starting point to locate some interesting movies to cater for your liking.

The movies are in Apple QuicktTime format and you can grab the videos using your favourite download manager for later viewing. In most cases, they offer a high quality as well as a lower quality video download. The size of the high movies is still manageable in most cases, with the average size lurking around 20MB thus making it quite accessible for people on slower connections as well. I do recommend choosing the higher quality versions even though they take a bit longer to download.

I came across the site when I had followed a link to a documentary on the "Cult of the Dead Cow" hacker organisation who became extremely famous around 1998 after their release of the BackOrifice remote system administration software for the Microsoft Windows environment. It is an interesting selection and I suggest you view it even if you are not interested in the computer hacking scene. Here is the link to it, incase you are interested.

Other interesting movies I found include "Latex" (hilarious!), "A Normal Life" (interesting, artistic) and "New Testament" (must see!).

Have fun!