Coding Oversight: Vodacom Security Breach

February 17, 2008

A simple coding oversight has left the Vodacom4me site vulnerable, allowing access to customers' private call records. The problem allows users to increment their customer number and thereby access random customer accounts.

Here is a quick example of the problem. Say we have a call record page that displays a customer's call records:
callrecords.php

The page accepts a customer's id, which it then uses to query the DB and present the returned data, e.g. callrecords.php?customerid=12345
The parameter can be accepted via a POST or a GET.

Now anyone with a little web knowledge can simply increment the id to, say, 12346 and thereby obtain the personal data of a random Vodacom customer. Nothing on the server ties the requested id to the customer who is actually logged in, which is the whole defect.
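The following is an added example, not code from the post or from Vodacom, that models the callrecords.php defect in Python rather than PHP: a handler that trusts the client-supplied customerid beside a hardened handler that binds the lookup to the authenticated session, plus a small log check that flags a client walking through consecutive ids. The data table, session shape, client addresses and log lines are all constructed for illustration.

```python
# Added example (not from the original post): an insecure direct object
# reference of the kind described for callrecords.php, modelled in Python.
# CALL_RECORDS, the session dict and ACCESS_LOG are constructed stand-ins.
from collections import defaultdict

# Constructed stand-in for the call-records table: customer id -> records.
CALL_RECORDS = {
    12345: ["2008-02-10 09:12 +27 82 000 0001 3m"],
    12346: ["2008-02-11 14:03 +27 83 000 0002 7m"],
}


class Forbidden(Exception):
    """Raised when a request asks for records it is not authorised to see."""


def parse_customer_id(params):
    """Strict parsing: customerid must be a positive integer (GET or POST)."""
    raw = params.get("customerid")
    if raw is None or not str(raw).isdigit() or int(raw) <= 0:
        raise ValueError("customerid must be a positive integer")
    return int(raw)


def call_records_vulnerable(params):
    """Mirrors the defect: the client-supplied id is used directly as the
    lookup key, so any caller can increment it and read another account."""
    return CALL_RECORDS.get(parse_customer_id(params), [])


def call_records_hardened(params, session):
    """Server-side authorisation: the id that reaches the query comes from
    the authenticated session, never from a client-controlled parameter."""
    if "customer_id" not in session:
        raise Forbidden("not authenticated")
    owner = session["customer_id"]
    # Accept the parameter for backwards compatibility, but it may only
    # ever name the caller's own account; anything else is refused and
    # is worth logging, since a legitimate client never sends another id.
    requested = parse_customer_id(params) if "customerid" in params else owner
    if requested != owner:
        raise Forbidden("customerid does not match the authenticated customer")
    return CALL_RECORDS.get(owner, [])


# Detection side. Constructed access-log lines: "<client> <customerid>".
ACCESS_LOG = [
    "10.0.0.2 12345",
    "10.0.0.9 12345",
    "10.0.0.9 12346",
    "10.0.0.2 12345",
    "10.0.0.9 12347",
]


def enumerating_clients(log_lines, min_run=3):
    """Return clients that requested at least min_run consecutive ids in
    order, the signature of someone incrementing customerid by hand."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        client, cid = line.split()
        ids_by_client[client].append(int(cid))
    flagged = set()
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(call_records_vulnerable({"customerid": "12346"}))
    print(call_records_hardened({"customerid": "12345"}, {"customer_id": 12345}))
    print(enumerating_clients(ACCESS_LOG))
```

The hardened version still parses the parameter strictly, but the decision about whose records are returned is made from the session alone; the constructed log check is the kind of simple heuristic that would have surfaced this before a newspaper did.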

Here is Vodacom’s response to the problem:

Vodacom spokesman Dot Field said that when the Sunday Times brought the matter to their attention, the vulnerable section of the website was “disabled with immediate effect”.

The weakness had made it possible to display random customer information from a “caching front end server” which briefly stored information. The main database of information was secure, she said.

I’m really not sure how they can say the main database remained secure. Another case of trying to throw technical terms in the air to try and cover up a blatant error.

Solution: Simple, ensure your developers have the correct security training and improve the QA process.

Jake White Interview

February 13, 2008

In case you missed it, here are the links to the Radio 702 interview with World Cup winning Springbok coach, Jake White. The interview is in 5 parts and well worth the listen.

South African Humor at its Best

February 10, 2008

Here is an audio clip from Good Hope FM's Ryan O Connor which can only make you smile. He pretends to be an Eskom representative calling a disgruntled customer about the power outages.

Link 

Computrainer launches Real Course Videos

February 7, 2008

Earlier this week, CompuTrainer released their latest product, interactive real course videos. They filmed 16 Ironman races as well as the Tour of California and developed new software to precisely synchronise the film speed with your speed on the Computrainer.

The software’s features are similar to the current 3D software and include SpinScan, performance recording and detailed performance data.

Each course comes on a separate DVD. I really would’ve liked the course videos to be made available via download.

I've personally recently opted for the Erg Video solution, placing my order a few days before the Computrainer release. I'd be keen to try both products and compare how they perform against each other. Being a huge fan of the Computrainer, I know I'm going to buy at least a few of their new course videos. Perhaps only in a few months though.

The Ironman Coeur d’Alene DVD is currently available to order online. They also have a list of the upcoming releases.

Link


Update:
View the CompuTrainer and the Real Course Videos on the Today Show.
Link

South Africa’s Power Crisis Makes it to the New York Times

January 31, 2008

Link to the Article: Power Failures Outrage South Africa

But electricity shortages, now expected to be a fact of life for the next five years, are more than an embarrassment. They threaten continued strong growth here in a nation that accounts for a third of sub-Saharan Africa’s economic output and ranks among the world’s top 25 countries in gross domestic product.

“What can we do?” said the owner, Panos Avraamides. “We throw out all the salads, all the dips, all the antipastos, I let the employees have a one-hour break. Then they come back and stand around and do nothing.”

“Because of this situation, economic growth just stops,” said Andrew Kenny, an engineering consultant. “In that way, the problem solves itself.”

The Bandit’s morning sessions a thing of the past.

January 30, 2008

After a stellar run, DEREK "TheBandit" Richardson, the man single-handedly responsible for growing the world of dance beyond South Africa's wildest imagination, is packing his record box for one last national tour.

“I have had such a wonderful journey and I thank everyone that has supported me through out the years! Life is ever changing and it’s time to hang up my headphones when it comes to live performances. I will continue to produce the finest PODCASTS for the world to enjoy!”

Visit www.soundrepublic.co.za for more details and to catch the awesome dance web radio.

QTrax Broken

January 29, 2008

After a delayed launch, Qtrax is finally available for download. The only problem now is that http://music.qtrax.com is broken displaying the Welcome to Oracle Containers for J2EE page.

Not the greatest product launch ever!


Update:
News from Engadget:

The company issued a press release over the weekend saying it has (finally) signed up with Sony / BMG, Universal, EMI and Warner, but Wired did a little bit of digging and found out that Qtrax isn’t being exactly honest — spokespeople from all four labels flatly denied that any deals were in place.

Link to story

Eskom Unplugged.

January 28, 2008


Very funny.

Cool Google Logo for the 50th Anniversary of the Lego Brick

January 28, 2008


QTrax Overwhelmed

January 27, 2008

Qtrax, claiming to be the first free and legal P2P music application, was set to launch today.

The site is currently unavailable due to overwhelming demand and asks visitors to check back in 24 hours. I hope they are out buying some extra infrastructure.

Due to overwhelming demand, Qtrax.com is currently unavailable. Please check back in 24 hours to download the first, free, and legal P2P music application. Thank you for your understanding.

The service offers unlimited free song downloads which can be transferred to your iPod using the Songbird-like player. Other features of the player include music video downloads, album reviews and song lyrics.

Qtrax originally had to shut down soon after launch in 2002 to avoid legal action.

Good things come to those who wait.

Update:
Site has been updated to say that the download will be available at Midnight EST. According to Google it is just after 01:30 and still no sign of the download. (1:32 AM Monday (EST) – Time in New York, United States of America)

Update:
Download is available!