I Have a Dream

by Rashmi Bansal
Who is an entrepreneur? Is it only individuals who have built big corporates? No, there are many social entrepreneurs whom we do not know about.

The author has provided details of 20 social entrepreneurs who have done exceptional work for the good of society. There are so many individuals around us serving with a selfless motive for the betterment of society. I was really surprised by the commitment of these individuals. I think, if these individuals were in politics, our society would have improved to a great extent.
Most of them have built organizations/NGOs which serve the betterment of backward-class citizens with their time, effort and money. These social entrepreneurs have studied in IITs and IIMs and have taken up the task of serving society, which is really surprising. If they had taken up a corporate job, I am sure they would have earned a better name and fame. This boils down to, whatever it may be, “follow your dream”.
I am sure, with the help of these organizations, many individuals would have reached greater heights or are having a better standard of living. Thanks to all the social entrepreneurs.

Personally, I appreciate all the work these individuals have done and will try to keep my social commitment too.

This is definitely a book to read.

Posted in General Books

Distributed System

I have viewed all 24 lectures (link below) of “Distributed Systems” by Prof. Keshav, Waterloo University, and would recommend that all who are interested in the subject listen too. Each of the lectures comes with a bundle of information. The professor correlates most of the use cases with real-life scenarios, which makes them easy to understand and remember. I am sure listening to the lectures will definitely enhance one's knowledge of the subject.

Posted in Unix and Unix Internals

Java Collections comparison

If you are looking to compare the various Java collections, here it goes:

Source:
https://zeroturnaround.com/rebellabs/java-collections-cheat-sheet/

Posted in Java

RPO and RTO

Recovery Point Objective (RPO)
refers to the amount of data at risk. It is determined by the amount of time between data protection events (e.g. successive backups) and reflects the amount of data that could potentially be lost during a disaster recovery. The metric is an indication of the amount of data at risk of being lost.
Recovery Time Objective (RTO)
is related to downtime. The metric refers to the amount of time it takes to recover from a data loss event and how long it takes to return to service. RTO thus refers to the amount of time the system’s data is unavailable or inaccessible, preventing normal service.

Source
http://wikibon.org/wiki/v/Defining_RPO_and_RTO

Posted in Backup and Recovery

God’s Own Kitchen by Rashmi Bansal

I had read two other books by Rashmi Bansal which I had liked. Based on my opinion of the previous books, I read this book too and was not disappointed. The book is about the “Akshaya Patra” program by the ISKCON temple. For all who have not heard about Akshaya Patra, it is a program which sponsors meals in government schools and at places near factories throughout India. It was started in Bangalore for 1000+ school children and has reached 1.5 million meals a day spread across India. The author has explained the program from day 1, when it was started in the year 2000 for about 1000+ children, and how it could scale to 1.5 million meals per day till now. There will be social and financial problems for any organization, and Akshaya Patra has also gone through this. Serving thousands of meals every day with only money raised from charity is a challenge, and Akshaya Patra has gone through financial crises at times. In one such circumstance, instead of stopping the meal program, they made the brave effort of taking a loan and continuing the program, which is notable. After the initial struggle, state governments recognized the effort of the organization and are contributing to the program by providing raw materials/ingredients for meals, which has reduced the cost per meal. With the money raised from charity and support from state governments, Akshaya Patra is able to continue serving meals day after day without a break.

Serving 1.5 million meals a day is a remarkable achievement. Surprisingly, each meal costs only 6 Rs/-, inclusive of the transportation cost of taking the meal to schools and other locations. Most of the people working in ISKCON are volunteers and do not take any salary for the job. This also contributes to the low cost of meals. To sponsor a child's meals for an entire year costs around 1000 Rs/-. The Governments of Karnataka and Tamil Nadu started Amma Canteen and Indira Canteen, which serve meals at low cost, a couple of years back. But Akshaya Patra has been doing it since the year 2000. This is something which all state governments can replicate to provide good food at low cost.

I am very much impressed with the program and its mission. I will be doing my part by contributing to Akshaya Patra. With this writing, I urge others also to contribute to the program. If you are convinced about the program, you can contribute to the mission of Akshaya Patra at the click of a mouse @ https://www.akshayapatra.org/ .

Posted in General Books

OS command injection/remote command execution

Following are a few examples of OS command injection/remote command execution.
Eg#1
/* the following program mimics the cat command in unix, which prints the content of a file */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv) {
    char cat[] = "cat ";
    char *command;
    size_t commandLength;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }

    /* room for "cat " + the user-supplied argument + the terminating NUL */
    commandLength = strlen(cat) + strlen(argv[1]) + 1;
    command = (char *) malloc(commandLength);
    strncpy(command, cat, commandLength);
    /* argv[1] is appended unchecked, so any shell metacharacters in it reach the shell */
    strncat(command, argv[1], (commandLength - strlen(cat)) );

    system(command);   /* the whole string is run through /bin/sh -c */
    free(command);
    return (0);
}

/* compile and execute the program: the contents of the file are printed */

$ ./catWrapper Story.txt
When last we left our heroes…

/* now execute with the following command line argument */
$ ./catWrapper "Story.txt; ls"
When last we left our heroes…
Story.txt doubFree.c nullpointer.c
unstosig.c www* a.out*

$ ./catWrapper "Story.txt;rm -rf *"
When last we left our heroes…
// all files and folders under the current directory are deleted

$ ./catWrapper "Story.txt & rm -rf /tmp/1" /* deletes the directory/files under /tmp/1 */
$ ./catWrapper "Story.txt && rm -rf /tmp/1" /* deletes the directory/files under /tmp/1 */
$ ./catWrapper "Story.txt | rm -rf /tmp/1" /* deletes the directory/files under /tmp/1 */

Eg#2
Consider the following program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* INITCMD is not defined in the original listing; the value below is an assumed placeholder */
#define INITCMD "/initcmd"

int main(int argc, char **argv) {

    /* the directory prefix is taken straight from the environment, unvalidated */
    char* home=getenv("APPHOME");
    if (home == NULL) {
        fprintf(stderr, "APPHOME is not set\n");
        return 1;
    }
    /* +1 for the terminating NUL (missing in the original listing) */
    char* cmd=(char*)malloc(strlen(home)+strlen(INITCMD)+1);
    if (cmd) {
        strcpy(cmd,home);
        strcat(cmd,INITCMD);
        /* whatever path APPHOME pointed at is now executed */
        execl(cmd, cmd, (char *)NULL);
        perror("execl");
        free(cmd);
    }
    return 1;

}

In this example, the attacker can modify the environment variable $APPHOME to specify a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, by controlling the environment variable, the attacker can fool the application into running malicious code.

Eg#3
/* The following PHP code is vulnerable to command injection */
<?php
print("Please specify the name of the file to delete");
print("<p>");
$file=$_GET['filename'];
system("rm $file");
?>

If the user provides the following input:
http://127.0.0.1/delete.php?filename=bob.txt;id

Along with deleting the file, the id command is also executed and its output is displayed to the user. The 'id' command can be replaced by any other command.

Remediation:
One of the methods to avoid OS command injection is to sanitize the input provided by the user before executing it, i.e. validate the argument provided by the user by checking it against only the allowed characters (an allowlist), making sure the user argument does not contain any invalid characters.

Following are a few of the characters which can be used in command injection:
&, &&, |, ||, ;, ^, >, >>, <, <<, environment variables

cmd1|cmd2 : Use of | makes command 2 execute whether command 1 execution is successful or not (command 2 reads the output of command 1).
cmd1;cmd2 : Use of ; makes command 2 execute whether command 1 execution is successful or not.
cmd1||cmd2 : Command 2 will only be executed if command 1 execution fails.
cmd1&&cmd2 : Command 2 will only be executed if command 1 execution succeeds.

In C, OS command injection typically arises through system() and the exec family of calls (execl, execvp, etc.) when their arguments are built from untrusted input.
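As an added example (not code from the original post), here is how the catWrapper program from Eg#1 can be written so that the remediation above is actually applied: the file name is checked against a strict allowlist of characters, and the program is started with execvp and an argument vector instead of handing a string to system(), so no shell ever parses the user input. The names is_safe_filename and safe_cat, and the length limit of 255, are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allowlist check: only letters, digits, '.', '_' and '-' are accepted. The name
   must not be empty or over 255 bytes, must not start with '-' (so it cannot be
   parsed as an option) and must not start with '.' (so "..", ".hidden" and any
   path traversal attempt are rejected). A '/' is not in the allowlist either. */
int is_safe_filename(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Runs "cat -- <name>" without a shell: the argument vector goes straight to
   execvp, so ';', '|', '&', '$' and the other metacharacters listed above are
   never interpreted. Returns the child's exit status, or -1 if the name fails
   validation or the child could not be started. */
int safe_cat(const char *name)
{
    pid_t pid;
    int status;
    if (!is_safe_filename(name)) return -1;   /* reject before doing anything */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const child_argv[] = { "cat", "--", (char *)name, NULL };
        execvp("cat", child_argv);
        _exit(127);                           /* only reached if execvp failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    if (!is_safe_filename(argv[1])) {
        fprintf(stderr, "rejected: file name contains characters outside the allowlist\n");
        return 2;
    }
    return safe_cat(argv[1]) == 0 ? 0 : 1;
}
```

With this version, ./catWrapper "Story.txt; ls" is rejected before any process is started, and even a name that slipped past validation could not chain commands, because there is no shell between the program and cat. The "--" argument is what stops a file name from being read as a cat option.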

References and more information can also be found below:
1. https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
2. https://www.owasp.org/index.php/Command_Injection
3. https://www.thesecurityfactory.be/command-injection-windows.html

Posted in C Section, General Tech Discussion

Application Security

Deployed applications are vulnerable to various kinds of attacks from hackers. As such, when applications are designed/coded, care should be taken to avoid any such attacks. The QA team should also consider writing test cases to validate against any such known attacks. Following are the most common types of attack:

1. OS command injection/remote command execution
In this type of attack, arbitrary commands are executed on the remote host. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
2. Code injection
In this type of attack, code specific to a programming language is interpreted/executed by the application, and as such the attack is limited to the programming language used.
3. SQL injection
This type of attack consists of the insertion of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), or recover the content of a given file present on the DBMS file system.
4. Cross site scripting (XSS)
In this type of attack, malicious scripts are injected into trusted or legitimate web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
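As an added example (not code from the original post), the following C function shows the standard defence against the XSS case in point 4 above: output encoding. Before untrusted input is placed into an HTML page, the five characters that can change HTML structure are replaced by entity references, so a script tag supplied by an attacker is rendered as text instead of being executed. The function name html_escape and the sample input are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the entity reference for an HTML-significant character, or NULL
   if the character can be emitted unchanged. */
static const char *html_entity(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Returns a newly allocated copy of `in` safe to embed in HTML text or in a
   double-/single-quoted attribute value. The caller frees the result.
   Returns NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    const char *p;
    char *out, *q;

    /* first pass: compute the escaped length */
    for (p = in; *p; p++) {
        const char *rep = html_entity(*p);
        out_len += rep ? strlen(rep) : 1;
    }
    out = malloc(out_len + 1);
    if (out == NULL) return NULL;

    /* second pass: copy, substituting entities */
    q = out;
    for (p = in; *p; p++) {
        const char *rep = html_entity(*p);
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

int main(void)
{
    /* constructed sample of untrusted input being reflected into a page */
    const char *untrusted = "<script>alert(1)</script>";
    char *safe = html_escape(untrusted);
    if (safe == NULL) return 1;
    printf("<p>Hello, %s</p>\n", safe);   /* the browser shows the tag as text */
    free(safe);
    return 0;
}
```

Escaping is context-specific: this function covers HTML text and quoted attribute values, while data placed inside a JavaScript block, a URL or a CSS value needs the encoding rules of that context instead.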

More on each of the above topics to follow soon.

Posted in C Section, General Tech Discussion