Work and rejections...

Time flies! I didn't realize it had been 10 days since my last blog post. I guess it happens when you are trying to enjoy holidays. *Such* a lovely holiday it has been thus far I tell you. :S

The (company) work laid out for the holidays has been going on as planned. We've taken on board a dedicated designer to help us with the influx of projects. A few of the projects have reached a conclusion while more new stuff has come our way. The work has been erratic though and going forward in short, sudden bursts. It is quite a wonder how we make progress but that is not to say we are useless and inefficient. The time differences and frequent travel schedules of our group have been the annoying culprits. We continue to face major obstacles in ridding ourselves of the problems of having the team geographically separated and spread. We are working on implementing automation and work flow management systems at Technova to help organize ourselves and the work for more coherence. The efficiency and through-put of the company are expected to rise once we get the systems into use.

Meanwhile, my romantic pursuit has resulted in zilch. I met this girl about a month ago and immediately developed an intense attraction to her. I had a genuine interest in her as a person and that was further cemented as I got to know her better. I dared to ask her out recently for a movie date but ended up getting turned down point-blank, cold and emotionless! Getting turned down when you are pumped with excitement and brimming with confidence surely delivers the equivalent of an agonizing kick to the nuts. Unsurprisingly, I still am very much interested in her but I think I shall let fate play the cards the way it wants for the time being. In any case, it may be time I brush up on dating basics and tune up my wooing talents... :-)

Toodles.

Time-out

Oh boy Oh boy Oh boy! I've got a four week break away from the university starting yesterday. I am so glad I don't have to wake up early morning and I could even numb my mind from the usual bombardment of information that I subject my poor brain to everyday. Anyway, a timeout from studies to settle other matters queuing up in my life seems to be an essential step right now.

There seems to be a gazillion projects Technova needs to handle and finish now. We are currently working on several projects including websites for National Center for Information Technology and Miadhu Daily newspaper. I also have one project lingering from the days I was freelancing earlier this year after I resigned from Itek Pvt Ltd (a business I had co-founded and worked under since 1999). The holidays have given me time to dive back into programming.

I can now spare chunks of time to work on my pet projects as well. There are quite a few technical experiments I have wanted to undertake over the past few months - like I could finally take out that PIC chip I've had stashed in my cupboard and get on with experimenting with microcontroller programming. I think my electronics course covers PIC programming next semester so this hopefully will be beneficial for then too. This year has also seen the coming of what has been named "Web 2.0" and other new technologies that I am just dying to read up on and familiarize myself towards fluency. The science book I am trying to write can also begin with new vigor and maybe reach a conclusion.

The winter holidays coincide with the beginning of a period that my horoscope calls an excellent time for love and relationships. So hoping that the astrologer is right, I've decided to head out to acquire new female companionship (that's "female companionship" as in "girlfriend"!). This concludes a period of conscious aversion to females. Hehe. :-P

Dhiraagu E-Bill flaw!

I came back from shopping this evening to find that my brother had messaged me on MSN Messenger saying he wanted to talk to me about something quite urgently. I called him up only to find him answering on the first ring and then unloading a megaton worth of speech in under a minute. He sounded excited and mostly illegible so I took my time digesting what he was saying. Basically what he said was that he had been checking the monthly call details of our home line when he got curious and took a look at the Dhiraagu E-Bill system to see what goes on under the skin. What he found was more than intriguing and he wanted me to investigate it further. (My brother has a bit of what he found out on his blog.) Now, here's my take on it.

Overview
The flaw Jaheen stumbled across lies in the online phone records viewing facility called E-Bill provided by Dhiraagu. Specifically, the flaw exists in the bill downloading section of this online application that allows registered users to download the call records for their line. The lapse in appropriate security measures and the utmost trusting of the data provided by the user seem to let a (malicious?) user view the call details for ANY account number of a Dhiraagu customer.

Walk-through
First, I should note that in order to access and execute the flaw, you need to be a registered user of the E-Bill facility. You need to log in and have a valid session underway to access the required bill downloading facility.

That said, viewing the bill of a specific user is not that trivial a task either. The account number of the desired customer needs to be provided to the system instead of merely providing the customer's telephone number. The account number is printed on the monthly bills that Dhiraagu sends out. The account number is printed in the format XX/XXXXXX/XXXX, where the Xs represent digits. Individual user targeting is thus limited greatly but this is not to say that the consequences of this bug are thus insignificant. It is always possible to mess around and generate a combination of digits which in turn will quite likely correspond with a valid account number of some random customer. A very possible scenario could be an attacker generating all the combinations of the numbers and asking for the bills for each of these generated account numbers!

I duplicated the execution of the flaw using the same "tools" my brother used; i.e. using the Live HTTP Header extension for Mozilla Firefox. This extension is quite handy for these sorts of uses and misc. other debugging purposes.

Forging ahead, first up the E-Bill interface is accessed and login process completed. This gives a cheesy interface that looks like this.


The bills download feature is accessed by clicking on the "Download bills" link from the left menu. The page that comes up next differs depending on the E-Bill account type and the number of telephone numbers combined into the E-Bill account that was logged in with. Skipping ahead, the E-Bill system throws up a page that looks like this:


Now this is where the magic begins. Enter the time duration for which the call records are desired. Then select the appropriate links to get to a download page where you are asked to click a button to start the downloading. HTTP Live Header (HLH) extension comes into play at this point. HLH is set to capture the traffic. Then the download button is clicked and soon enough Firefox happily displays the download save dialog for the file being received. The file is saved but there is nothing abnormal till this point still.

Now to execute the amazing rabbit-out-of-hat magic of the E-Bill system, a bit of sleight-of-hand is added to the process. The button click in the above mentioned download process creates an HTTP POST request which shows up among the last on the status window of HLH. This request is selected and the "Replay" button clicked to replay the download process with a few changes for the final effect.


As shown above, the highlighted "account=xxxxxxxxx" bit tells the E-Bill system which account number to generate the call records for! This is where our opportunity comes. This number is then changed to a known account number or any random number and the HTTP "replay" continues as normal. As soon as the modified request is replayed, the E-Bill system again spits out a call records file for download. The difference this time? It is no longer the call records for the logged in account but for the account number furnished in the modified replay.


Conclusion
Simply by manipulating a single 12 digit number that the E-Bill system trusts the user's browser with, we can extract the phone records of ANY Dhiraagu customer. This is a serious flaw and the resulting breach of privacy is a major concern for customers who no doubt would want their phone usage records to be kept safe and confidential.
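
The remedy for the flaw described in this post is a server-side ownership check on the account number. The sketch below is an added example, not Dhiraagu's code and not part of the original post: the handler names, session store and 12-digit account values are constructed for illustration. It contrasts a handler that trusts the posted "account" field with one that authorises it against the logged-in session.

```javascript
// Constructed sample data: account numbers, users and session ids are made up.
const BILLS = new Map([
  ["010000010001", "call records for 01/000001/0001"],
  ["010000020002", "call records for 01/000002/0002"],
]);
// Server-side session store: the accounts each logged-in user may see.
const SESSIONS = new Map([
  ["sess-a", { user: "customer-a", accounts: ["010000010001"] }],
]);

// Pattern described in the post: a valid session is required, but the
// account number is taken from the request body without further checks.
function downloadTrusting(sessionId, form) {
  if (!SESSIONS.has(sessionId)) return { status: 401 };
  const bill = BILLS.get(form.account);
  return bill ? { status: 200, body: bill } : { status: 404 };
}

// Hardened: validate the format, then authorise the account against the
// session. Mismatches are logged and answered like an unknown account,
// so responses do not reveal which account numbers exist.
function downloadAuthorised(sessionId, form, auditLog) {
  const session = SESSIONS.get(sessionId);
  if (!session) return { status: 401 };
  const account = String(form.account || "");
  if (!/^\d{12}$/.test(account)) return { status: 400 };
  if (!session.accounts.includes(account)) {
    auditLog.push({ user: session.user, requested: account, event: "account_mismatch" });
    return { status: 404 };
  }
  const bill = BILLS.get(account);
  return bill ? { status: 200, body: bill } : { status: 404 };
}

// Replay of the same POST with only the account field changed.
function demo() {
  const auditLog = [];
  const replayed = { account: "010000020002" };
  return {
    trusting: downloadTrusting("sess-a", replayed).status,
    hardened: downloadAuthorised("sess-a", replayed, auditLog).status,
    own: downloadAuthorised("sess-a", { account: "010000010001" }, auditLog).status,
    auditLog,
  };
}
```

A run of "account_mismatch" entries from one session is also the signal to alert on, since it is what sequential guessing of account numbers looks like in the log.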

Underground films

I recently stumbled across an interesting website called "Undergroundfilm". This site contains a growing collection of indie movie productions. You can find a variety of movie types there, ranging from cheesy advertisements to documentaries on topics you will not find on public TV channels. The "Highly rated" and the "Featured films" section on the site may provide a good starting point to locate some interesting movies to cater for your liking.

The movies are in Apple QuickTime format and you can grab the videos using your favourite download manager for later viewing. In most cases, they offer a high quality as well as a lower quality video download. The size of the high quality movies is still manageable in most cases, with the average size lurking around 20MB thus making it quite accessible for people on slower connections as well. I do recommend choosing the higher quality versions even though they take a bit longer to download.

I came across the site when I had followed a link to a documentary on the "Cult of the Dead Cow" hacker organisation who became extremely famous around 1998 after their release of the BackOrifice remote system administration software for the Microsoft Windows environment. It is an interesting selection and I suggest you view it even if you are not interested in the computer hacking scene. Here is the link to it, in case you are interested.

Other interesting movies I found include "Latex" (hilarious!), "A Normal Life" (interesting, artistic) and "New Testament" (must see!).

Have fun!

Dhivehinnaai Portugeesun

I was rummaging through my backup disks when I stumbled across this PDF document that I produced in 2003. It is called "Dhivehinnaai Portugeesun" and is a digitized version of a similarly titled series of articles that was featured in the "Faiythoora" journal published by the National Center for Linguistic and Historical Research (NCLHR). It was authored by "Khaassa Musheer" Naseema Mohamed from the Center and details the interactions between the Portuguese and the Maldivians through the years 1479 to 1650 in Maldivian history. I thought I'd share it since this undoubtedly would be of much use to anyone looking for such material.

This series was contributed for distribution at the Book Fair 2003, organized by the NCLHR. It was part of a presentation I made at the fair and was used to demo how even old Dhivehi MLS documents may be converted to modern formats. Adobe Acrobat (PDF) format was chosen to show how Dhivehi can be used and displayed in this (mostly) universal format to be used for distribution as a step in embracing the digital revolution. I was hoping that this would encourage production of Dhivehi e-books and e-documents. The document was converted from the original MLS format to Rich Text format using a converter application that I had released on my then technology playground at bichoo.net. The Rich Text format file that was produced was then imported into Acrobat and the necessary pictures scanned in and inserted to prepare the final document. The font(s) used were embedded into the PDF document so that viewers do not need to have any special Dhivehi fonts installed.

Anyway, I hope someone finds this useful!

- Click here to download DhivehinaaiPortugesun1-3.zip (3.5 MB, Zip file).

Knock knock...

I *am* alive and kicking. The lack of blog updates is a direct reflection of the effects the onset of winter is having on me. Winter has brought in that dreaded cold and gloom over the skies and has kicked the sunshine out of me. I prefer to hibernate than move about the slightest.

Most of the past week is up in a blur except for the last weekend, when I got myself to go visit my uncle and his family in Bristol. The trip from Reading to Bristol was quite memorable. The trip took a good two and a half hours on the train with me having to switch in between due to a cancelled train route. I spent an additional two hours waiting for trains and another hour waiting for a bus in Bristol. The bus would have taken me right next to my uncle's place had I not been dumb enough to prematurely get off the bus in the middle of nowhere. I offered myself consolation by telling myself that it was dark and that anyone may easily lose bearings on an empty stomach. Luckily, my navigational abilities landed me at their doorstep with another half an hour of walking - which I wouldn't have minded were it not for the chilly air, the laptop and miscellaneous heavy scrap I had in my backpack. I was drained by the time I reached the warm coziness of their home and ended up falling asleep on their large comfy couch a few minutes later.

Despite the hassles in getting there, I had a fun weekend in Bristol. Being at the behest of a family and being smothered by their hospitality cheered me up (not to say that I was depressed prior to that). The little kids injected much needed energy into the environment - especially the youngest one who seemed to be on a constant high on Speed all day around. I wish I had that much energy to burn. Hehe.


JavaScript Dhivehi Character Recognition

Here is another of my pet projects brought back from the land of the deceased.

This one is called "JavaScript Dhivehi Character Recognition". It was created early 2003 (or maybe late 2002) and made available on bichoo.net. Basically, it lets you draw a Thaana character using your mouse and then it "recognizes" what you have drawn. The purpose was mostly to satisfy my curiosity into artificial intelligence and pattern recognition at the time, however it also showed promises of the beginnings of a future where Dhivehi documents may be scanned in and processed by a computer to convert it to text just as Optical Character Recognition technology has been doing for English documents. I think this rudimentary application was the first ever Dhivehi character recognition implementation released to the public. More interestingly, this seems to be the only character recognition implementation programmed in JavaScript floating around on the Internet even now. :-D

I spent a bit of time tonight reworking some bits of the code for clarity. The entire implementation is done using JavaScript and DHTML. You are welcome to study the code to see how it works. The code is well commented and may be a good starter into AI and pattern recognition basics. It uses a single layer single Perceptron model to really simplify things; however, it is a good enough practical implementation to work for characters drawn on a 10x10 grid. The grid makes up the input data to the neural network. The neural network is hard-coded into the page and has definitions for each character in the alphabet. I do hope you are surprised by the accurateness of the recognition of this little application.

Have a look at it HERE. Let me know if you find it amusing... or not.

My company - Technova Pvt Ltd - is currently working on bringing a full fledged Dhivehi OCR software to the Maldivian public. It will probably be made available early 2006, as a service for customers requiring bulk OCR processing. We shall be releasing Windows, Linux and Mac versions of the software for home and business use around mid 2006.
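
The single-layer perceptron over a 10x10 grid described in this post, as an added sketch that is not the code from bichoo.net. It goes one step beyond the description by training the weights with the perceptron update rule instead of hard-coding them, and the three stroke shapes are constructed stand-ins, not Thaana letters.

```javascript
const SIZE = 10; // 10x10 drawing grid, as in the post

// Flatten a shape (a predicate over row, column) into 100 inputs of 0 or 1.
function rasterise(shape) {
  const cells = [];
  for (let r = 0; r < SIZE; r++)
    for (let c = 0; c < SIZE; c++) cells.push(shape(r, c) ? 1 : 0);
  return cells;
}

// Constructed stand-in strokes, not real Thaana letters.
const SAMPLES = {
  bar: rasterise((r, c) => c === 4 || c === 5),
  dash: rasterise((r, c) => r === 4 || r === 5),
  slash: rasterise((r, c) => r + c === 9 || r + c === 10),
};

// Weighted sum of the inputs plus bias for one perceptron unit.
const activation = (unit, x) =>
  x.reduce((sum, xi, i) => sum + unit.w[i] * xi, unit.bias);

// One unit per label, trained one-vs-rest with the perceptron update rule.
function train(samples, maxEpochs = 50) {
  const units = {};
  for (const label of Object.keys(samples)) {
    const unit = { w: new Array(SIZE * SIZE).fill(0), bias: 0 };
    for (let epoch = 0; epoch < maxEpochs; epoch++) {
      let errors = 0;
      for (const [name, x] of Object.entries(samples)) {
        const delta = (name === label ? 1 : 0) - (activation(unit, x) > 0 ? 1 : 0);
        if (delta === 0) continue;
        errors++;
        x.forEach((xi, i) => { unit.w[i] += delta * xi; });
        unit.bias += delta;
      }
      if (errors === 0) break; // every sample classified correctly
    }
    units[label] = unit;
  }
  return units;
}

// Recognition: the label whose unit responds most strongly wins.
function recognise(units, x) {
  return Object.keys(units).reduce((best, label) =>
    activation(units[label], x) > activation(units[best], x) ? label : best);
}

const UNITS = train(SAMPLES);
```

Because each unit only sums weighted cells, a stroke drawn one column off still overlaps enough of the learned weights to be recognised, which is why this simple model copes with hand-drawn input on a coarse grid.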