Archive for the ‘Technology’ Category

Coding Oversight: Vodacom Security Breach

February 17, 2008

A simple coding oversight has left the Vodacom4me site vulnerable, allowing access to customers' private call records. The problem allows a user to increment their own customer number and thereby access other customers' accounts.

Here is a quick example of the problem. Say we have a page that displays a customer's call records:
callrecords.php

The page accepts a customer ID, which it then uses to query the database and present the returned data, e.g. callrecords.php?customerid=12345
The parameter is accepted via either a POST or a GET.

Now anyone with a little web knowledge can simply increment the ID to, say, 12346 and thereby obtain the personal data of a random Vodacom customer.

Here is Vodacom’s response to the problem:

Vodacom spokesman Dot Field said that when the Sunday Times brought the matter to their attention, the vulnerable section of the website was “disabled with immediate effect”.

The weakness had made it possible to display random customer information from a “caching front end server” which briefly stored information. The main database of information was secure, she said.

I’m really not sure how they can say the main database remained secure. Another case of trying to throw technical terms in the air to try and cover up a blatant error.

Solution: simple. Ensure your developers have the correct security training and improve the QA process.
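As an added illustration (not Vodacom's code; nothing on this page shows their implementation), here is the same lookup written as two JavaScript request handlers over a constructed in-memory table. The first trusts the customerid parameter exactly as described above; the second takes the customer's identity from the authenticated server-side session and refuses a customerid that does not match it. The session field name and the parameter shape are assumptions.

```javascript
// Added example, not Vodacom's code. Constructed in-memory stand-in for the
// call-record table; the real system's schema is unknown.
const callRecordsDb = {
  12345: ['2008-02-01 10:02 -> 082 123 4567', '2008-02-03 18:44 -> 011 765 4321'],
  12346: ['2008-02-02 09:15 -> 082 987 6543'],
};

// Vulnerable shape: whatever customerid arrives (GET or POST) is used as the
// lookup key, so changing 12345 to 12346 returns another customer's records.
function callRecordsVulnerable(params) {
  const id = Number(params.customerid);
  return { status: 200, body: callRecordsDb[id] || [] };
}

// Hardened shape: identity comes only from the server-side session that the
// login created (session.customerId is an assumed field name). A client
// supplied customerid is never used as the key; if one arrives and differs
// from the session's, the request is refused and an audit line is produced.
function callRecordsHardened(params, session) {
  if (!session || !Number.isInteger(session.customerId)) {
    return { status: 401, body: [] };                 // not logged in
  }
  if (params.customerid !== undefined &&
      Number(params.customerid) !== session.customerId) {
    return {
      status: 403,
      body: [],
      audit: 'customer ' + session.customerId +
             ' requested customerid=' + params.customerid,
    };
  }
  return { status: 200, body: callRecordsDb[session.customerId] || [] };
}

// Stand-alone demo of both shapes with the same tampered request.
console.log(callRecordsVulnerable({ customerid: '12346' }));
console.log(callRecordsHardened({ customerid: '12346' }, { customerId: 12345 }));
```

A mismatched customerid gets a 403 plus an audit line rather than a silent fallback to the session's own records: a burst of these from one session is exactly the incrementing pattern described above and is worth a detection rule.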


Computrainer launches Real Course Videos

February 7, 2008

Earlier this week, CompuTrainer released their latest product, interactive real course videos. They filmed 16 Ironman races as well as the Tour of California and developed new software to precisely synchronise the film speed with your speed on the Computrainer.

The software’s features are similar to the current 3D software and include SpinScan, performance recording and detailed performance data.

Each course comes on a separate DVD. I really would’ve liked the course videos to be made available via download.

I've personally opted for the Erg Video solution recently, placing my order a few days before the Computrainer release. I'd be keen to try both products and compare how they perform against each other. Being a huge fan of the Computrainer, I know I'm going to buy at least a few of their new course videos. Perhaps only in a few months though.

The Ironman Coeur d’Alene DVD is currently available to order online. They also have a list of the upcoming releases.

Link


Update:
View the CompuTrainer and the Real Course Videos on the Today Show.
Link

QTrax Broken

January 29, 2008

After a delayed launch, Qtrax is finally available for download. The only problem now is that http://music.qtrax.com is broken, displaying the "Welcome to Oracle Containers for J2EE" page.

Not the greatest product launch ever!


Update:
News from Engadget:

The company issued a press release over the weekend saying it has (finally) signed up with Sony / BMG, Universal, EMI and Warner, but Wired did a little bit of digging and found out that Qtrax isn’t being exactly honest — spokespeople from all four labels flatly denied that any deals were in place.

Link to story

QTrax Overwhelmed

January 27, 2008

Qtrax, claiming to be the first free and legal P2P music application, was set to launch today.

The site is currently unavailable due to overwhelming demand and asks visitors to check back in 24 hours. I hope they are out buying some extra infrastructure.

Due to overwhelming demand, Qtrax.com is currently unavailable. Please check back in 24 hours to download the first, free, and legal P2P music application. Thank you for your understanding.

The service offers unlimited free song downloads which can be transferred to your iPod using the Songbird-like player. Other features of the player include music video downloads, album reviews and song lyrics.

Qtrax originally had to shut down soon after its launch in 2002 to avoid legal action.

Good things come to those who wait.

Update:
Site has been updated to say that the download will be available at Midnight EST. According to Google it is just after 01:30 and still no sign of the download. (1:32 AM Monday (EST) – Time in New York, United States of America)

Update:
Download is available!

Yahoo Maps ditches Flex in favour of Ajax

December 18, 2007

Today Yahoo Maps turned off the Flex 1.5 based maps application and launched a new version built upon AJAX.

Long story short, we have some work to do. We need to make Flex/Flash work with advertising so that it can become the primary content not the ads. We need to get more developers trained on using Flash/Flex and especially ActionScript 3 so that teams and solutions can grow. We also need to highlight the APIs within Flash Player and make them easier to adopt. Many developers have no idea that these APIs even exist. As a medium, Flash Player still has some very large barriers to cross to see larger scale adoption and mainstream use.

From Yahoo Maps: From Flex 1.5 to AJAX

C# Pagination for Facebook iFrame Applications

December 18, 2007

The original PHP code is from Ascanio Colonna (Link)

facebook-pagination.txt

Massive href hacks MySpace

November 10, 2007

<a href="badplace.com" style="position: absolute; top:0; left: 0; height: 8000px; width:1000px"></a>

The above piece of HTML, inserted into several MySpace pages, allows malware to be downloaded and installed on unsuspecting users' machines. With the anchor covering such a large area, a visitor who mis-clicks anywhere on the page is redirected to the infected site. The user might not be suspicious on a media-rich site such as MySpace, thinking that they need to install a codec to view a video, etc.

For developers like myself, this introduces a problem. The rule has always been never to trust any user-provided content and to remove scripts, iframes, etc. With this exploit, we will need to validate all external links too.
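To show what "validate all external links too" can mean in practice, here is an added JavaScript example (my own illustration, not MySpace's code and not a known library). It drops script/iframe/object/embed elements as the old rule says, and then applies a policy to every anchor: the href must resolve to an http, https or mailto URL (which rejects javascript: and data: links), and the inline style must not position the link absolutely or give it page-sized dimensions. An anchor that fails the policy is replaced by its visible text. The base URL and the size thresholds are assumptions.

```javascript
// Added example, not MySpace's code. Regex-based for brevity; a production
// sanitizer should run the same policy over a real HTML parser's tree.
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:'];
const PROFILE_BASE = 'https://profile.example/';       // assumed site origin

// Styles that turn a link into an invisible click-catcher: absolute/fixed
// positioning, page-sized boxes, or zero opacity. Thresholds are assumed.
const BLOCKED_STYLE = /\b(position\s*:\s*(absolute|fixed)|height\s*:\s*\d{4,}px|width\s*:\s*\d{4,}px|opacity\s*:\s*0(\.0+)?\b)/i;

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Link policy: safe scheme after resolution, and no overlay-style CSS.
function isAnchorAllowed(attrs) {
  const href = (attrs.href || '').trim();
  let url;
  try {
    url = new URL(href, PROFILE_BASE);                 // resolves relative hrefs
  } catch (e) {
    return false;                                      // unparsable: reject
  }
  if (!ALLOWED_SCHEMES.includes(url.protocol)) return false;
  if (attrs.style && BLOCKED_STYLE.test(attrs.style)) return false;
  return true;
}

function scrubUserHtml(html) {
  // Remove active content outright, including anything between the tags.
  let out = html.replace(/<(script|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  out = out.replace(/<(script|iframe|object|embed)\b[^>]*\/?>/gi, '');
  // Keep compliant anchors untouched; reduce the rest to their inner text.
  out = out.replace(/<a\b([^>]*)>([\s\S]*?)<\/a\s*>/gi, (whole, attrText, inner) =>
    isAnchorAllowed(parseAttributes(attrText)) ? whole : inner);
  return out;
}

// Constructed sample: the overlay anchor from the post, dropped into a profile.
const SAMPLE_PROFILE_HTML =
  'Welcome to my page! ' +
  '<a href="badplace.com" style="position: absolute; top:0; left: 0; height: 8000px; width:1000px"></a>' +
  '<a href="https://example.org/band">my band</a>';

console.log(scrubUserHtml(SAMPLE_PROFILE_HTML));
```

The overlay link from the post is relative, so scheme checking alone lets it through; it is the style rule that catches it. That is the caveat for anyone extending an existing "strip scripts and iframes" filter: a plain anchor with harmless-looking href still needs its presentation inspected.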

iPhone’s Core Rotten in South Africa

November 8, 2007

According to RJ van Spaandonk, chief executive of the Core group, Apple’s head office in the US decided not to distribute the iPhone in South Africa.

If a South African wants to import the gadget, the user would have to bypass the official network, but Apple already warned that unblocking the phone illegally would cause irreparable damage to the iPhone’s software.

Looks like you have to break the law, emigrate or settle for an iMate or HTC alternative if you want an iPhone.

This is despite demand for Apple’s products growing significantly in South Africa with a growth rate of 47% in sales last year.

Link to FIN24 Article

JavaScript Closures: An Example

November 2, 2007

Here is a common problem that will face any JavaScript developer sooner or later. The code below, as simple as it looks, introduces a bug that might not be picked up by the developer during unit testing.

    for (var i = 1; i < 6; i++) {
        var div = document.getElementById('div' + i);
        // The handler closes over the loop variable itself, not its value
        // at this iteration; by the time any click happens, i is 6.
        div.onclick = function() {
            alert('Al' + i);
        };
    }

The problem is that all elements that have the event attached will alert the same value. The solution is to use JavaScript closures, as illustrated in the code below.

    for (var i = 1; i < 6; i++) {
        var div = document.getElementById('div' + i);
        // doAlert is called now, with the current value of i, and returns
        // a function that keeps its own copy of that value.
        div.onclick = doAlert('Al' + i);
    }

    function doAlert(what) {
        return function() {
            alert(what);
        };
    }
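As an added example that is not part of the original post, the same bug and fix reproduced without the DOM so it can be run in Node: the handlers return their label instead of calling alert, which makes the captured values inspectable. It also goes one step beyond the post by showing the block-scoped let declaration, which gives each iteration its own variable and makes the factory function unnecessary in modern JavaScript.

```javascript
// Added example, not the post's code. Handlers return strings rather than
// calling alert() so the captured values can be checked programmatically.

// The bug: every function closes over the single function-scoped `i`.
function makeHandlersBuggy() {
  var handlers = [];
  for (var i = 1; i < 6; i++) {
    handlers.push(function () { return 'Al' + i; });
  }
  return handlers;                                   // all return 'Al6'
}

// The post's fix: a factory whose parameter is a fresh binding per call.
function doAlert(what) {
  return function () { return what; };
}

function makeHandlersClosure() {
  var handlers = [];
  for (var i = 1; i < 6; i++) {
    handlers.push(doAlert('Al' + i));                // value captured now
  }
  return handlers;
}

// The modern alternative: `let` creates a new `i` for each iteration,
// so a plain inline function already captures the right value.
function makeHandlersLet() {
  const handlers = [];
  for (let i = 1; i < 6; i++) {
    handlers.push(() => 'Al' + i);
  }
  return handlers;
}

// Invoke every handler, as the clicks would, and collect what they see.
function run(handlers) {
  return handlers.map(function (h) { return h(); }).join(',');
}

console.log('var + inline :', run(makeHandlersBuggy()));
console.log('var + factory:', run(makeHandlersClosure()));
console.log('let + inline :', run(makeHandlersLet()));
```

The unit-testing remark in the post is why this matters: a test that wires up a single element never exercises the shared variable, so the bug only surfaces once there are several handlers and a real click happens after the loop has finished.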

Ext 2.0 beta 1

October 19, 2007

The Ext team has recently announced the availability of version 2 of their popular framework. I’ve been an Ext developer for about 12 months now and am really excited by what version 2.0 promises.

Some cool Ext related links