29 July 2015

The Android Stagefright vulnerability frightens the actors and the audience!

Android's BroadAnywhere threat was misunderstood by many, and NRecursions clarified it for them. Now there's a surprising new bug called "Stagefright". Here are the details that matter:

Why is Stagefright dangerous?
Normally, if your computer or phone gets infected or hacked, it happens when you perform an action, such as inserting an infected pen drive, clicking on a phishing link or visiting a malicious website.
Stagefright, on the other hand, needs you to do nothing. A hacker just has to know your mobile number, and they can send you an MMS that delivers a media file to your phone. The media file also contains a mechanism through which the hacker can execute software code remotely. All this happens automatically, even without you touching your phone. The hacker can then compromise your phone's security (allowing them to cause integer overflows and underflows, access files in the phone's external storage, access the phone's camera and audio, and even execute the hacker's code) and then delete the MMS, so you won't even know that your phone has been hacked.

Could your phone have been attacked already?
Unlikely. The bug was found by Joshua J Drake, a person at Zimperium mobile security, while he was searching for potential bugs. Zimperium informed Google about the bug and gave Google patches too.
News about the bug was made public on 21st July 2015, and now that people know of the bug, it's better to protect your phone ASAP. Full details of the bug will be revealed only on August 5th and 7th 2015 at the US Computer Security Conference and Defcon respectively.
Android versions 2.2 to version 5.1.1 are vulnerable. Cyanogen too.
Zimperium zLabs VP of Platform Research and Exploitation - See more at: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/#sthash.5SWieNLS.dpuf

How to protect your phone?
Open up your messaging service (the one you send SMS'es with), go to the Settings, scroll to the "Multimedia message (MMS) settings" and un-select the Auto-retrieve option and the Roaming auto-retrieve option. Do the same for Google Hangouts.
This will prevent the malicious MMS from getting automatically retrieved and loaded into Android's Stagefright module.
Of course the other way to protect yourself is to receive Google's Android updates.

Why is it called Stagefright?
Ever since version 2.2 (Froyo), Android has had a native media playback engine called "Stagefright". The bug happens to exist in a few places in this software module.
This is a screenshot from Stagefright's page:



For programmers: 
Would you have been able to spot such a bug?
See the patches for Stagefright below:

The integer underflow patch:
     if (streamDependenceFlag) {
+        if (size < 2)
+            return ERROR_MALFORMED;
         offset += 2;
         size -= 2;
     }
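Review bot: The new "if (size < 2)" guard in the streamDependenceFlag branch is written without braces, while the check visible just below in this file closes its "return ERROR_MALFORMED;" with a brace; please brace the new guard to match. The check-then-advance pair ("offset += n; size -= n;") now appears three times in this patch, so a small helper that does the bounds check and the advance together would stop a future field from being added without its guard.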
@@ -145,11 +147,15 @@
             return ERROR_MALFORMED;
         }
         unsigned URLlength = mData[offset];
+        if (URLlength >= size)
+            return ERROR_MALFORMED;
         offset += URLlength + 1;
         size -= URLlength + 1;
     }
 
     if (OCRstreamFlag) {
+        if (size < 2)
+            return ERROR_MALFORMED;
         offset += 2;
         size -= 2;
 
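Review bot: In the URL branch, "unsigned URLlength = mData[offset];" is read before the new guard, so please confirm that the check ending just above it (the "return ERROR_MALFORMED;" at the top of this hunk) guarantees at least one byte remains at that point. The guard "URLlength >= size" is the right bound for the "size -= URLlength + 1" that follows, but next to the "size < 2" guards the reason equality is rejected is not obvious; a one-line comment that the field consumes the length byte plus URLlength bytes would help.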
The integer overflow patch:
     mTimeToSampleCount = U32_AT(&header[4]);
-    uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t);
+    uint64_t allocSize = mTimeToSampleCount * 2 * (uint64_t)sizeof(uint32_t);
     if (allocSize > SIZE_MAX) {
         return ERROR_OUT_OF_RANGE;
     }
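Review bot: In the new allocSize line the cast sits on the last operand, so "mTimeToSampleCount * 2" is still evaluated first in the type of mTimeToSampleCount; if that is 32 bits, as the U32_AT read suggests, the doubling can wrap before the 64-bit multiplication and the "allocSize > SIZE_MAX" check then sees the wrapped value. Move the cast to the first operand instead: "uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t);".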
@@ -376,7 +376,7 @@
     }
 
     mNumCompositionTimeDeltaEntries = numEntries;
-    uint64_t allocSize = numEntries * 2 * sizeof(uint32_t);
+    uint64_t allocSize = numEntries * 2 * (uint64_t)sizeof(uint32_t);
     if (allocSize > SIZE_MAX) {
         return ERROR_OUT_OF_RANGE;
     }
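Review bot: The cast in "numEntries * 2 * (uint64_t)sizeof(uint32_t)" takes effect only after "numEntries * 2" has been computed; the type of numEntries is not visible in this hunk, but if it is 32 bits that first product can wrap before it is widened, so prefer "(uint64_t)numEntries * 2 * sizeof(uint32_t)". Separately, mNumCompositionTimeDeltaEntries is assigned before the size check, so on the ERROR_OUT_OF_RANGE return the member keeps a count for which no table was allocated; assign it after the check passes.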
@@ -426,7 +426,7 @@
         ALOGV("Table of sync samples is empty or has only a single entry!");
     }
 
-    uint64_t allocSize = mNumSyncSamples * sizeof(uint32_t);
+    uint64_t allocSize = mNumSyncSamples * (uint64_t)sizeof(uint32_t);
     if (allocSize > SIZE_MAX) {
         return ERROR_OUT_OF_RANGE;
     }
  
 
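Review bot: With only two operands the cast here does widen the whole product, but where size_t is 64 bits "allocSize > SIZE_MAX" can never be true for a uint64_t, so this check protects 32-bit builds only. Consider also bounding mNumSyncSamples against the amount of data the table can actually hold before allocating.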

Bounty

Google offers a bounty of up to $20000 (which is less, in my opinion) to people who find and report vulnerabilities in Google's codebase.

___________________________________________


Update: In response to the comment below, I had created some code that I uploaded on Coliru Viewer. I am making that code available below just in case Coliru later decides to remove content that's too old.

#include <stdint.h>
#include <iostream>
int main()
{
    // sizeof yields a size_t; check whether casting it changes a small product
    uint64_t v = 2*sizeof(uint32_t);
    uint64_t vv = 2*(uint64_t)sizeof(uint32_t);
  
    if (v == vv) {std::cout<<"v and vv are equal\n";} else {std::cout<<"v and vv are not equal\n";}
  
    std::cout<<"v = "<<v<<" vv = "<<vv<<"\n";
  
    uint64_t lli = 18446744073709551615ULL; // UINT64_MAX; the ULL suffix keeps the literal well-formed
    uint32_t li =  4294967295;              // UINT32_MAX
    uint32_t li2 =  4294967295*2;           // literal product is computed in 64 bits, then truncated to 32 bits
    uint64_t li2_64 =  4294967295*2;        // same product, stored without truncation
    std::cout<<"long long int = "<<lli<<"\n";
    std::cout<<"long int = "<<li<<"\n";
    std::cout<<"long int * 2 = "<<li2<<"\n";
    std::cout<<"long int * 2 in long long int = "<<li2_64<<"\n";
  
    uint64_t li3_64 = li * 2 * 4;           // all operands are 32-bit: wraps modulo 2^32 before widening
    uint64_t li4_64 = li * 2;               // li * 2 also wraps in 32 bits
    std::cout<<"li = "<<li<<"\n";
    std::cout<<"li4_64 when at li*2 = "<<li4_64<<"\n";
    li4_64 = li4_64 * 4;                    // 64-bit multiply, but it starts from the wrapped value
    std::cout<<"li4_64 when at li*2*4 = "<<li4_64<<"\n";
    uint64_t li5_64 = li * 2 * (uint64_t)4; // the patch's form: li * 2 wraps first, then a 64-bit multiply
    std::cout<< "li3_64 = " << li3_64 << " li4_64 = "<<li4_64<<"\n";
    if (li3_64 == li4_64) {std::cout<<"they are equal\n";} else {std::cout<<"they are not equal\n";}
    std::cout<<"li5 = "<<li5_64<<"\n";
}
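
The arithmetic behind the integer overflow patch, as an added example (not code from the original post or from Android): it compares the pre-patch expression, the patched expression and a form that widens the first operand, then uses the widened form in a size check. It assumes a 32-bit entry count and a 32-bit size_t; the function names and the checkedAllocSize helper are hypothetical.

```cpp
#include <cstdint>
#include <iostream>

// Assumption: the entry count is a 32-bit value, as the U32_AT read suggests.
// uint32_t also stands in for a 32-bit size_t so results match on any host.

// Pre-patch expression: every multiplication is 32-bit and wraps at 2^32.
uint64_t allocSizeOriginal(uint32_t count) {
    return count * 2 * static_cast<uint32_t>(sizeof(uint32_t));
}

// Patched expression: '*' groups left to right, so count * 2 is still
// evaluated in 32 bits; only the last multiplication is 64-bit.
uint64_t allocSizePatched(uint32_t count) {
    return count * 2 * (uint64_t)sizeof(uint32_t);
}

// Widening the first operand makes every multiplication 64-bit.
uint64_t allocSizeWidened(uint32_t count) {
    return (uint64_t)count * 2 * sizeof(uint32_t);
}

// Hypothetical helper: accept a count only if the widened size fits in
// 'limit', which plays the role of SIZE_MAX on the target device.
bool checkedAllocSize(uint32_t count, uint64_t limit, uint64_t *out) {
    uint64_t need = allocSizeWidened(count);
    if (need > limit) return false;
    *out = need;
    return true;
}

int main() {
    // Constructed sample counts, chosen around the 2^31 boundary.
    const uint32_t counts[] = {1000u, 0x20000000u, 0x80000001u, 0xFFFFFFFFu};
    const uint64_t limit32 = 0xFFFFFFFFull;  // SIZE_MAX with a 32-bit size_t
    for (uint32_t c : counts) {
        uint64_t ok = 0;
        bool accepted = checkedAllocSize(c, limit32, &ok);
        std::cout << "count=" << c
                  << " original=" << allocSizeOriginal(c)
                  << " patched=" << allocSizePatched(c)
                  << " widened=" << allocSizeWidened(c)
                  << (accepted ? " accepted\n" : " rejected\n");
    }
}
```

For counts of 2^31 and above the patched expression still wraps in its first multiplication, which is the same effect li5_64 shows in the code above.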

15 July 2015

Configuring NTP between two linux machines

I have two virtual boxes at home. One that maintains system time accurately and another that always shows the time of some other country. I let the one with the correct time be considered the server and the other one be the client which polls the server using NTP (which is installed by default in Linux).

On the server side, use "su" to become the root user.

vi /etc/ntp.conf

Set these values in the ntp.conf file:
server 127.127.1.0
fudge 127.127.1.0 stratum 10

Save and exit the vi editor.

service ntpd start

The address 127.127.1.0 basically refers to the same computer, something like the localhost address.
Stratum is the level of confidence you have in the time of your server. Stratum 0 would mean you have the highest confidence in it. So here we set it to 10, just-like-that. After you configure the client system, you'll see that the stratum of the client will be 11, i.e. lower than the trust you have in the server's time.

On the client side:
Get into root mode.

vi /etc/ntp.conf

Comment out all other server address lines and add your server system's address.

server 192.20.220.220

Save and exit vi.

service ntpd restart

ntpq -p will show you a table of the network jitter, polling time, server address and other useful data. If you see an asterisk just before the server address, it means that the server is synchronized with your client machine. The offset value shown is the difference in time between the client and server. To convert the value to seconds, shift the decimal point three places to the left.

You can also use ntpdate -d 192.20.220.220 to debug and see what is going on. This command will also show you the time difference between client and server.

Configuring polling time

Well frankly, don't try to configure it.
NTP will automatically choose a polling interval between 64 seconds and 1024 seconds. So don't be surprised if it takes 17 minutes for time to be synchronised. As time elapses, the clock time will drift away from the correct time and NTP will set it right. You have to allow a few days for NTP to select the right polling value based on network jitter and other parameters. NTP does not immediately trust the time it receives from the server. If you set a low polling time using the minpoll option, the scope for erroneous synchronization increases. So the best thing to do is to just ensure your configuration settings have synchronized the client and server and leave it at that. NTP will handle the polling automatically and optimally.




13 July 2015

Recursions

This is the hundredth post of NRecursions and is a little moment of celebration for me, as not only has NRecursions grown to help people worldwide (the mutex tutorial, d3.js tutorial, Jenkins tutorial, Broadanywhere clarification), it has also brought a welcome burst of fun and sunshine via the monthly LOL pages.

More than ten thousand unique visitors and more than thirty thousand 'non-unique' visitors :-) (bots included). An audience from across the globe, but primarily from USA and India.




This blog was named as such because these are Nav's Recursions and also because it is one among the N number of recursions happening in this universe. Similar to recursive functions in computer programming.

The real question is not why we exist. The real question is why are we allowed to contemplate our existence 
- Nav

Everything in the universe follows a pattern. Even when all you see is chaos, there is a pattern when you see the bigger picture. This pattern is part of a very similar or exactly similar pattern happening elsewhere. Like a Mandelbrot. We very well know how tiny we are in the universe. A speck on a speck on a speck on a speck and so on. The galaxy we live in may just be a small dot in a Mandelbrot of galaxies just like ours...with some minor tweaks. Perhaps home to humans who live life exactly like us.

We exist pretty much like protozoans in a drop of water. They don't have a clue why they exist. But we know they perform an important ecological function. Given the way society and the ecosystem itself is built for a balance of creation and dissipation, it is obvious we exist for a purpose. Individuals by themselves might have lesser meaning than a collective society. Of course, given that the universe consists more of vacuum than anything else, it is a matter of wonder why Earth exists as a patch of life in an ocean of void. If you look at it as a recursion, you could see us as being like a cluster of organisms found to be thriving in some pocket of life in a far away area of earth surrounded by kilometers of lifelessness.
Using the concept of recursions, one can deduce that if we travel far enough into the universe, we might not just find planets like ours, but also find unimaginably huge areas of organic existence and varied life forms instead of the vacuum of space. So massive and so vast that we would scold ourselves for not having ventured out of our tiny planet sooner.

Until then, fulfill your purpose in life, for it is why you exist in a society. Search for patterns. Look for Recursions. They are the key to many answers. The gateways to knowledge. But most importantly, think of why we look for recursions. Why patterns? It is in itself a recursion which holds the answer to why we exist.



01 July 2015

How to start volunteering or how to start a volunteering team?

If you are a person who does not have much patience or does not like going into details or wants to achieve fame or have been forced to volunteer or been ordered/forced to setup a team by someone, then stop. Do not become a volunteer. Do not start a volunteering team. Not yet. Not until you are aware of some facts.

Why? 
Because volunteering is not pure fun and entertainment. It takes hard-work, knowledge building, cooperation and coordination with people who are already volunteering. Most importantly, it requires the willingness to do all this happily without hopes of becoming a hero and without hopes of receiving appreciation for what you did.

If you've seen people volunteering and feel it's fun and easy, you either missed out on a lot of details or you found a team of people who are actually non-volunteers.




Now, if you have what it takes to be a volunteer...

Step 1: Identify what you want to do and for how long you want to do it. Also, about how much time you will be able to dedicate for it in a month. Avoid the temptation to do what everyone else is doing. Most of them don't have a clue of what and why they are doing it. Instead, look around you. What social problems do you see? Write it down on a piece of paper.

Instead of doing something on your own, if you want to help someone who is already doing something worthwhile, use an internet search engine to search for volunteering opportunities near your house. Take a bike and go around your neighborhood and beyond, to find places. Once you find one place where people usually volunteer, you can ask those people if they know of any other opportunities. One hint will lead you to another and you'll finally find what you want.

Another way is to email CSR teams and ask them what they know. Search for blogs or social networking or professional networking websites where people have written about the volunteering they do, and contact them. Some of them will actually take the time to help. Else you can also contact NGOs who are into the particular field of work. People are generally very helpful.

If you don't know what you want to do, but have spare time to volunteer, use an internet search engine to know about the various volunteering opportunities. OR, see this post on Mr.Somebody Else. Be careful to not choose something you're not really interested in. Don't choose to do something just for the namesake or to become a hero. Choose it because you really want to improve the situation.

Step 2: You need knowledge. Record the information you gather. You have 2 options:
Option expert: Search for an expert who is already volunteering. E.g.: If you want to teach children, you first need to learn how to teach them. There are people who can teach you. If you want to plant saplings, contact the forest department. If you want to do blood donation, contact an NGO which does it. If you see a destitute on the road, contact the Missionaries of Charity. Don't worry, it's perfectly ok to search for them on the internet, get their contact number or email from there and get in touch with them. The advantage of contacting an expert is that they will already know what mistakes not to commit; they will know exactly what areas need improvement and they will be able to address all your questions. It's very important at this stage to avoid the temptation to become a hero and try doing everything by yourself (a very immature thing to do) instead of consulting with an expert. If the expert needs helping hands, then you can inform them about your timings and comfort level and they will be happy to accommodate you. If it doesn't work out, find someone else.

Option self: If there are no experts or if the experts are not solving exactly the kind of social problem that you are trying to address, then start again, with the internet. Find out as much as you can about the subject matter. You will need to use your imagination to vary your search terms a lot for this.
The more knowledge you gain, the more confidence you will have. Sad part is, many volunteers do not take that extra step in educating themselves.

Step 3: Understand the root cause of the problem. If you are trying to address homelessness, then first find out why homelessness exists. Instead of individualizing a homeless person and theorizing why 'this person is like this', why don't you go out on the streets and live as a homeless person for a few days? See how you'd be able to survive without a credit card and keys to a warm home. The Ugly Indian group did something similar; they spent a night and a morning near a garbage dump, wrapped up in blankets, just because they wanted to find out exactly who was littering the place everyday.

Don't jump into a problem and try to solve it because it's cool. Take the time to understand it with your stomach. Find out more about it. Talk to people to get information about the problem. Ask about what anyone else has already tried to solve it. Write to people, get in touch with authorities who can help. Don't worry if some people won't help. Persistence will ensure that you find people who will help.

Step 4: Make a plan. One of the biggest reasons people stop volunteering too early or give up is because they didn't feel it was necessary to create a plan. A plan is not just about what you are going to do and how long it will take. The plan should have...

  • What creates most value to the person or area of society you are trying to help?
  • What are the main activities you will do to create that value?
  • What are the main resources you will need?
  • Which people will partner with you?
  • What kind of a relationship will you have with the people or area of society you are helping? Personal assistance? Self-service? Automated services? Community creation? Co-creation?
  • Channels of help? How will you raise awareness? How will you deliver the help?
  • Target group? Are you targeting a small area or is it more widespread or do you intend to start small and scale up once you've built a certain level of quality?
  • What are your costs going to be?
  • If you are creating products, what is your revenue going to be?
  • How will you handle disruptive volunteers?
  • How often are you going to take some rest from volunteering?


Step 5: Be the first one to measure and critically evaluate your work. You have to maintain data of what you did, so that you will be able to measure what you achieved, what is remaining to be achieved and how far you have progressed. One small example is what a team did for evaluating data on blood donation. Ask others to evaluate your work too. If there are experts who can do it for you for free, you're even more lucky. Once you evaluate, you either go to step 3 or to step 6.

Step 6: Hibernate. You need rest once in a while or you'll burn out.


It is of course possible to volunteer without going into so much detail. You won't achieve much by doing that, but if you choose to do so, then at least have the decency to do it with a basic sense of responsibility.

Also, do check what you score on the Nav test.

Happy volunteering! :-)

