bckurera's thoughts

Just another WordPress.com site

The Soptail

Recently I came across a lavish cocktail mixture; of course I am writing this while enjoying a glass of the newly crafted beauty.

Ingredients:

  • whiskey – used Johnnie Walker Red Label
  • soursop juice
  • mango juice
  • and ice

Method:

Prepare raw soursop juice and raw mango juice and blend the two together. Feel free to experiment with the right proportions; I am satisfied with soursop:mango at 5:1. Shake the juice base with some whiskey. Then fill the glass with ice and pour the mixture on top of it. Again, it is up to you to decide the right proportions. I settled on 3:1 juice base:whiskey.

I tested another version of this with a slight change. Instead of shaking, add the juice base and whiskey to the glass and stir. This one has a good punch and a vibrant taste.

Feel free to check this and let me know your ideas !!!!

–composed with WordPress android app–

CAPTCHA with no $_SESSION

Because HTTP is stateless, keeping track of the current state of a connected user is a tricky problem in web site development, or rather in web application development.

A few solutions are already in place, and $_SESSION is one of the ways available in PHP. The $_SESSION global array is not my favourite choice, but it is handy. The server-based session management approach is not 100% reliable, but it does the job in most cases.

On the other hand, distinguishing user inputs from inputs submitted by malicious bots seems quite challenging these days. Simple tricks such as the "honeypot" are quite old and easy to overcome; bots are now capable enough to skip honeypots without much effort. Then come more promising solutions such as Google's new invention, reCAPTCHA, where sophisticated techniques identify the origin of the inputs, blocking spam on your site, web application, etc.

However, life is not that easy; there are plenty of scenarios where we need to come up with our own strategy to deal with these inputs. If you cannot use reCAPTCHA or any other third-party CAPTCHA solution, then the best option is to implement one of your own. This is the riskiest option, but there can be instances where it is the only way forward. I was in such a situation a few months back and I thought of sharing how I overcame it.

Avoiding $_SESSION

It is not hard to find plenty of tutorials to follow for implementing simple CAPTCHA verification in PHP. Almost every solution is based on $_SESSION, the global array in PHP backed by server-based sessions. This is easy and simple; a few lines of code do the trick, the same way as in this article. I am not a fan of server-based sessions, therefore I wanted to skip them.

In this post I am trying to explain how I solved the statelessness issue without using server-based sessions.

Breaking the Problem

The main issue we need to solve is identifying the legitimate requests/inputs and filtering out the rest. To achieve this, when the relevant input form is requested by a client, the server adds an image containing human-readable text. Bots may not be able to identify what is in it. Then the user types in the code and sends the request to the server. As the expected verification code cannot be included in the client-side request, the server does not know what was sent earlier. That is where server-based sessions come to the rescue: it is possible to store the verification code in a session variable. Then, when the user has submitted the form, the server simply checks whether the entered verification code matches the value in the session. If so, it is a human and the test passes. Since we are trying to avoid server-based sessions, we need to come up with another way to identify what was sent earlier.

Solution

Step 1

Following is a typical code snippet (captcha.php) to create the CAPTCHA image. It is pretty straightforward, and you can see that the verification code is assigned to a session variable: $_SESSION['rand_code'] = $string;

<?php
session_start();

$string = '';
for ($i = 0; $i < 5; $i++) {
    // these numbers are ASCII codes for the lower case letters a-z
    $string .= chr(rand(97, 122));
}
$_SESSION['rand_code'] = $string;

$dir = 'fonts/';
$image = imagecreatetruecolor(170, 60);
$black = imagecolorallocate($image, 0, 0, 0);
$color = imagecolorallocate($image, 200, 100, 90); // red
$white = imagecolorallocate($image, 255, 255, 255);
imagefilledrectangle($image, 0, 0, 399, 99, $white);
// draw the code using the same session key it was stored under
imagettftext($image, 30, 0, 10, 40, $color, $dir . "arial.ttf", $_SESSION['rand_code']);
header("Content-type: image/png");
imagepng($image);
imagedestroy($image);
?>

Following shows how it is included in the HTML on the client side.

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="post">
<input name="name" type="text" />

<input name="email" type="text" />

<textarea name="message"></textarea>

<img src="captcha.php" />

<input name="code" type="text" />

<input name="submit" type="submit" value="Send" />
</form>

When analyzing the HTML code, you will soon realize that it can be exploited with a simple Cross Site Scripting (XSS) attack, as it uses $_SERVER['PHP_SELF'] unescaped in the form action. I will not focus on that, since I am not going to use this session-based version here. Following is the modified prototype version.

Step 2

I have changed the client-side code as follows. Notice that a hidden field has been introduced: a randomly generated number, hashed, acts as the reference id here. The reference is passed when creating the CAPTCHA image, and it is also submitted when the user submits the form.

<?php require_once 'dataBaseConnection.php'; ?>
<form action="verify.php" enctype="multipart/form-data" method="post">
Name: <input name="name" type="text" />

Email: <input name="email" type="text" />

Message:
<textarea name="message"></textarea>

<?php
// register a fresh reference id; captcha.php will attach the code to it later
$captchaId = sha1(rand(1000000, 9999999) . time());
dataBaseConnection::registerReference($captchaId);
$path = 'captcha.php?ref=' . $captchaId;
?>
<img src="<?php echo $path; ?>" />
Enter the above code
<input name="c_id" type="hidden" value="<?php echo $captchaId; ?>" />

<input name="code" type="text" />

<input name="submit" type="submit" value="Send" />
</form>

and then captcha.php has been modified too.

<?php
require_once 'dataBaseConnection.php';

$string = '';
$refCode = '';

if (isset($_GET['ref'])) {
    $refCode = $_GET['ref'];
} else {
    die('<error>NO REF CODE FOUND !</error>');
}

for ($i = 0; $i < 8; $i++) {
    // these numbers are ASCII codes for the lower case letters a-z
    $string .= chr(rand(97, 122));
}

// store the reference and the code in the database before any image bytes are sent
dataBaseConnection::addVerificationCode($refCode, $string);

$dir = 'fonts/';

$image = imagecreatetruecolor(170, 60);
$black = imagecolorallocate($image, 0, 0, 0);
$color = imagecolorallocate($image, 10, 10, 10); // near black, used for the code itself
$invColor = imagecolorallocate($image, 200, 200, 200); // light grey "invisible ink" for background noise
$white = imagecolorallocate($image, 255, 255, 255);

imagefilledrectangle($image, 0, 0, 399, 99, $white);
// background noise: rows of faint, slightly rotated 'x' characters
for ($i = 0; $i < 100; $i++) {
    imagettftext($image, 20, rand(0, 10), 0, $i * 10, $invColor, $dir . "ts.ttf", 'xxxxxxxxxxxxxxxxxxxxxxxxx');
}
imagettftext($image, 30, 2, 10, 40, $color, $dir . "ts.ttf", $string);
header("Content-type: image/png");
imagepng($image);
imagedestroy($image);
?>

The static method dataBaseConnection::registerReference stores the reference code, which is later an input to captcha.php. The system automatically logs the timestamp and sets the status of the record to 'CREATED'. Then, in captcha.php, the static method dataBaseConnection::addVerificationCode adds the generated verification code to the relevant reference.

Step 3

Then comes verify.php, which validates the entered code against the code in the database.

<?php
require_once 'dataBaseConnection.php';

if (isset($_POST['submit'])) {
    $enteredCode   = trim($_POST['code'] ?? '');
    $referenceCode = trim($_POST['c_id'] ?? '');

    $dataSet = dataBaseConnection::getCode($referenceCode);
    if (!$dataSet) {
        die('unknown reference');
    }

    // reject codes that have timed out or have already been tried once
    $timeTaken = time() - $dataSet['pvt_created_date'];
    if ($timeTaken > $dataSet['pvt_life_time'] || $dataSet['pvt_captcha_status'] != 'CREATED') {
        die('expired code');
    }

    if ($enteredCode === $dataSet['str_verification_code']) {
        dataBaseConnection::updateCode($referenceCode, 'VERIFIED');
        echo 'verified'; // this is a human
        // Process the input as this is a legit request
    } else {
        dataBaseConnection::updateCode($referenceCode, 'USED');
        echo 'not verified'; // most probably not a human
    }
}
?>

If both codes match, the static method dataBaseConnection::updateCode changes the status of the verification code to 'VERIFIED' in the database; if they don't match, the status is set to 'USED'. Either way the verification code is expired and cannot be used again. Further, there is a check to make sure that the code has not timed out.
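The post calls dataBaseConnection::registerReference, addVerificationCode, getCode and updateCode but does not show the class itself. The following is an added example of what such a class can look like, written for this edit rather than taken from the post or its source code; it backs the four methods with SQLite via PDO, reuses the post's column names (pvt_created_date, pvt_life_time, pvt_captcha_status, str_verification_code) and its 300-second lifetime, and wraps the verify.php logic in one function so the CREATED / VERIFIED / USED state machine can be exercised end to end. The table name captcha_ref, the in-memory database, the random_bytes-based reference id and the hash_equals comparison are assumptions of this example, not the post's choices.

```php
<?php
// Added example, not the post's own dataBaseConnection class.
// Assumed: SQLite in memory for the demo; a file or MySQL DSN would be used in practice.
class dataBaseConnection
{
    const LIFE_TIME = 300;              // seconds a code stays valid (the post's value)
    private static ?PDO $pdo = null;

    private static function pdo(): PDO
    {
        if (self::$pdo === null) {
            self::$pdo = new PDO('sqlite::memory:');
            self::$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            self::$pdo->exec('CREATE TABLE IF NOT EXISTS captcha_ref (
                pvt_reference         TEXT PRIMARY KEY,
                str_verification_code TEXT,
                pvt_created_date      INTEGER NOT NULL,
                pvt_life_time         INTEGER NOT NULL,
                pvt_captcha_status    TEXT NOT NULL)');
        }
        return self::$pdo;
    }

    // Step 2: the form page registers a fresh reference id before the image is requested.
    public static function registerReference(string $ref): void
    {
        $st = self::pdo()->prepare('INSERT INTO captcha_ref
            (pvt_reference, pvt_created_date, pvt_life_time, pvt_captcha_status)
            VALUES (?, ?, ?, ?)');
        $st->execute([$ref, time(), self::LIFE_TIME, 'CREATED']);
    }

    // captcha.php attaches the rendered code, but only to a reference the form page
    // registered and that has no code yet: made-up or replayed ref values touch no row.
    public static function addVerificationCode(string $ref, string $code): bool
    {
        $st = self::pdo()->prepare('UPDATE captcha_ref SET str_verification_code = ?
            WHERE pvt_reference = ? AND pvt_captcha_status = ? AND str_verification_code IS NULL');
        $st->execute([$code, $ref, 'CREATED']);
        return $st->rowCount() === 1;
    }

    public static function getCode(string $ref): ?array
    {
        $st = self::pdo()->prepare('SELECT * FROM captcha_ref WHERE pvt_reference = ?');
        $st->execute([$ref]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    // Default status 'USED' matches the post's description of a failed attempt.
    public static function updateCode(string $ref, string $status = 'USED'): void
    {
        $st = self::pdo()->prepare('UPDATE captcha_ref SET pvt_captcha_status = ? WHERE pvt_reference = ?');
        $st->execute([$status, $ref]);
    }
}

// Step 3 (verify.php) as a function: every attempt consumes the reference,
// the lifetime is enforced, and the comparison is constant-time.
function verifyCaptcha(string $ref, string $entered): string
{
    $row = dataBaseConnection::getCode($ref);
    if ($row === null) {
        return 'unknown reference';
    }
    if ($row['str_verification_code'] === null) {
        return 'code not issued';        // image was never requested for this reference
    }
    $expired = (time() - (int)$row['pvt_created_date']) > (int)$row['pvt_life_time'];
    if ($expired || $row['pvt_captcha_status'] !== 'CREATED') {
        return 'expired code';
    }
    $ok = hash_equals($row['str_verification_code'], trim($entered));
    dataBaseConnection::updateCode($ref, $ok ? 'VERIFIED' : 'USED');
    return $ok ? 'verified' : 'not verified';
}

// Demo run with constructed values: one good attempt, then a replay of the same reference.
$ref = sha1(random_bytes(16));          // assumption: CSPRNG instead of rand() . time()
dataBaseConnection::registerReference($ref);
dataBaseConnection::addVerificationCode($ref, 'qwerty');   // what captcha.php would store
echo verifyCaptcha($ref, 'qwerty'), "\n";        // verified
echo verifyCaptcha($ref, 'qwerty'), "\n";        // expired code: the reference is single-use
echo verifyCaptcha('no-such-ref', 'qwerty'), "\n"; // unknown reference
```

Two design points worth noting: addVerificationCode refuses to overwrite a code once one has been attached, so re-requesting captcha.php?ref=... cannot be used to roll the code for an existing reference, and hash_equals avoids leaking the code through comparison timing. The reference id itself still carries no information about the code, which is the property the "How secure is this?" section relies on.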

How secure is this?

It is not difficult to train a bot to read CAPTCHAs. Therefore, to make this much stronger, the image needs higher entropy.

Another weak point is that the reference code is exposed to the attacker. However, the reference has no relationship with the code, so the attacker cannot derive the code by cracking the reference. This is possible because we store the reference and the verification code together in the database rather than deriving one from the other.

An attacker cannot brute-force the code, because the status of the verification code is updated after an attempt regardless of the result: once tried, the code is expired. Setting a lifetime for the code limits the time available to the attacker to crack the image; in this case, 300 seconds.

Further, direct access to the captcha.php file from outside should be restricted, simply using an .htaccess entry. Otherwise it is possible to carry out a denial-of-service attack targeting the generation of the CAPTCHA image, which in turn could lead to a database failure.

It is also important to track client details, but I will discuss that in another post.

Conclusion

How to implement CAPTCHA verification without using server-based sessions has been discussed above. Complete source code can be found here. Please check it out and let me know of any flaws you observe. This is a bare implementation of the concept; no other aspects were considered when developing the code and no proper testing has been carried out. Therefore, if you are going to use it in your code, please be careful unless you know what you are doing.


Finding MAC Address (MAC Filtering cont.)

One of my friends read the article on MAC Filtering and asked for an easy way to find out the MAC addresses of the devices. This is the easiest I have come across so far.

You need to log into the admin panel of the router and find the page which shows the connected devices (or the history of connected devices). It gives the list of MAC addresses along with some identification. (E.g. my router's home page shows the device history with MAC addresses and an identification tag; it says AA:BB:CC:DD:EE:FF and iPhone, so I figured out it is my wife's. The dumbest thing in my home, ohhh no, not the wife I meant, but the iPhone.)

Get the list and add it to the MAC filter. It is simple.

Any better idea? Please comment !


Wifi Security: Enable MAC Filtering

Some months back I wrote an article regarding Wifi security, and in this article I am trying to explain MAC Filtering on the Dialog 4G router. I updated this list in my router a few days back and thought of sharing.

What is MAC Filtering?

It is easy to understand: it is a list of the MAC addresses of physical devices. If your device's MAC address is in the list, access is granted (given that you enter the password correctly, if the hotspot is password protected).

Analogy: You got a ticket (password) for a VIP club party, but unfortunately someone has stolen it. The person who stole it then goes to the party and presents the ticket at the reception. No MAC Filtering enabled: he is in the party. But if MAC Filtering is enabled, then he is asked for his NIC to verify the authenticity of the person who holds the ticket. As his NIC number (MAC address) is not in the list, unfortunately no partying this time. I hope you got the point; this is exactly how MAC Filtering works. But you can see the flaw here: if the person who stole the ticket is wise enough to forge the NIC (given that he knows the NIC number of the legitimate ticket holder), then most probably he will be let into the club. Simple, isn't it? So make sure you keep tickets for parties safe 😛

Is MAC filtering safer?

Not really; it is not the strongest security feature to deter hackers or intruders. BUT something is better than nothing.

When can MAC Filtering be used?

If you know the MAC addresses of the devices which are used to access your wifi router (the legitimate users), then this feature can be used. What should be done is to maintain a ledger of MAC addresses against the devices.

How to break this feature?

Breaking this is simple.

  1. Get the password of the router. Finding it is also not difficult.
  2. Use a network sniffing tool and find a MAC address which has access.
  3. Then forge the MAC address and pretend that you are a legitimate user.
  4. And connect, enjoy free internet !!

** There are other ways of bypassing the MAC filtering feature; please google if you are interested.

How to set up this feature?

Following is a step-by-step guide. (Please note that the interfaces shown below can be different from, or may not be exactly the same as, yours.)

Access your router and log in as the admin. It is as simple as browsing to the default IP of the router, which is 192.168.8.1

Then enter admin credentials and you are in.

First of all you need to enable MAC filtering.

[Screenshot: Enable_MAC_Filtering]

Then you need to add MAC addresses to the MAC Filter list.

[Screenshot: Allow_list_MAC_Filtering]

A MAC address is a string like this: AA:BB:CC:DD:EE:FF

You need to find it in your device and add it accordingly.

[Screenshot: MAC_Filtering_list]

So using MAC Filtering is simple.

Recommendation

This is a small security feature that works well with your home wifi router if you are keen on blocking unwanted access. All you have to do is find out the MAC addresses of the devices and add them. I really recommend this if you are living in an apartment, a shared house, etc.

Remember, door locks are not 100% safe, even though you lock the door when you leave home, and if the intruder is motivated enough, a door lock cannot stop him. But it gives basic security over having none. MAC Filtering is the same as this analogy.

Enjoy MAC Filtering………



Google abandoning “Google Code”

It is Google's fashion to shut down services which are not popular enough. The latest victim is the Google Code project [1], which was started in 2006. Google was very frank in the press release, I suppose. I would like to quote the following.

When we started the Google Code project hosting service in 2006, the world of project hosting was limited. We were worried about reliability and stagnation, so we took action by giving the open source community another option to choose from. Since then, we’ve seen a wide variety of better project hosting services such as GitHub and Bitbucket bloom. Many projects moved away from Google Code to those other systems.

It is true that GitHub gained increasing popularity among developers for code hosting, and many developers are comfortable with it too. However, as Google claimed, it is true that in 2006 the choices were limited; even GitHub only started in 2008 [2]. Still, the bigger picture is quite astonishing. In 2006, Google was a giant company and Google Code was one of the projects they had started. They could have done something better than GitHub, I believe.

However, it is good to see the dynamics of Google; other than a few, most of their interests never seem fixed. It sounds quite like the open source way too.

I worked closely with Google Code repositories a few years back, and it is quite sad to hear that it is getting shut down. But I think it is the right decision they took. One needs to move forward with new interests and causes.

Good bye, Google Code, and thank you for supporting the hosting of open source projects through a decade of service.

Reference

[1] http://google-opensource.blogspot.com/2015/03/farewell-to-google-code.html

[2] https://en.wikipedia.org/wiki/GitHub


Inevitable destiny of Sri Lanka with South Africa in quarter finals ?

In the ICC world cup 2015, most matches in Pools A and B have already come to an end. Most of the teams are waiting for their final match, while Sri Lanka has completed all 6 matches in the first round and qualified for the quarter finals.

Though Sri Lanka played in Pool A, there is quite an interest in Pool B, because the quarter-final opponents will be decided by its standings. Sri Lanka would end up in third place after the collapse against Australia. Therefore there should be a keen interest in 2nd place in Pool B; whichever team secures 2nd place will play against Sri Lanka in the quarter-final match.

In Pool B, India has undoubtedly secured first place and will be playing against Bangladesh.

In the next match, South Africa plays against UAE and will secure 8 points.

West Indies also plays against UAE and will secure 6 points.

The only doubt is who wins the match Pakistan vs Ireland. The winning team will secure 8 points and would be competing for the 2nd and 3rd places (net run rate decides the winner), and the losing team has to compete for 4th place with West Indies again. It sounds quite interesting, doesn't it?

However, since South Africa and West Indies are both playing against UAE, there is a high possibility of them improving their net run rate compared to Pakistan and Ireland. If it is assumed that Pakistan blows out Ireland, then based on net run rate South Africa will be 2nd, Pakistan will be 3rd and 4th place will be secured by West Indies.

It seems most likely that Sri Lanka will play against South Africa on 18th March in the first quarter-final match. Wish Sri Lanka good luck !!


Birth Control – Introduction

Recently I participated in a pre-marriage counselling program, and the physical relationship after marriage was discussed as one topic of the program. However, there was not enough time to cover everything, and as a result I started reading on the topic, focusing on birth control techniques. Then I decided to share my findings with my readers, hoping it would be helpful.

Birth control began because many couples are not eager to accept what God gives them as it is. The main idea behind it is to avoid unexpected pregnancy.

To achieve that goal there are two kinds of method available: natural birth control and artificial methods.

Pills, condoms and surgeries fall under artificial methods. Other than wearing condoms, the other artificial methods have side effects to a greater or lesser degree and may directly cause infertility. Therefore it is good to keep those methods away as much as possible.

However, it is good to know some of the theory behind it.

The ovaries in the female reproductive system release eggs at a rate of roughly once a month (the menstrual cycle). A female has two ovaries, which release eggs alternately. The egg then travels through the Fallopian tube to the womb. The approximate travel time through the Fallopian tube is 1-2 days from the time the egg is released. For a successful pregnancy, a sperm should meet the egg while the egg is in the Fallopian tube. If that happens, the reproductive system generates hormones that signal the brain to prepare for a pregnancy. The brain adopts the changes and stops the release of eggs, since the message about the pregnancy has already been delivered.

When using pills, the above natural process is simulated with the help of chemicals. Therefore, with no eggs, the chance of getting pregnant becomes low. However, there is no easy and fast recovery once taking pills is stopped. That is why those pills can lead to permanent infertility or disorders.

The following video explains the release of the egg well:

https://www.youtube.com/watch?v=nLmg4wSHdxQ

While the pills change the hormone balance, surgeries block the egg and sperm from contacting each other, e.g. by blocking the Fallopian tube. Condoms and other worn protections do the same, but they do not interfere internally or chemically.

Therefore, where artificial methods are concerned, there are two questions: which is the safest, and which is free of side effects. There is a scale for this, known as the Pearl Index [1].

While my preference always lies with wearing condoms as the one and only artificial birth control method, you can refer to the "Comparison of birth control methods" [2] to learn more.

** Please bear in mind that I am not a medical practitioner and this is not medical advice; please refer to a family planning consultant for more reliable information.

Reference

[1] https://en.wikipedia.org/wiki/Pearl_Index

[2] https://en.wikipedia.org/wiki/Comparison_of_birth_control_methods


Bangladesh in ICC 2015

Bangladesh has qualified for the quarter-final match of the ICC 2015 world cup. It was remarkable, but not a surprise. Bangladesh is in Pool A, and there was a high possibility that they could secure 5th place over Afghanistan and Scotland {if Bangladesh won those 2 matches it would give 4 points, whereas the other two countries could win at most 1 match (unless something very extraordinary happened), which gives 2 points only}. However, today the Bangladesh team stands in 4th place with 7 points.

The next match, versus New Zealand, would most probably go in favour of New Zealand, and in the end Bangladesh would remain in 4th place and advance to the quarter-final match with India. Unless something extraordinary happens, Bangladesh would end their 2015 world cup campaign after the match with India. However, it should be noted that their achievement over the past few years is quite remarkable.

Further, Bangladesh was awarded 1 point because the match with Australia was cancelled due to rain. That point, however, made no difference, even though England blew out the Bangladesh team.

Wishing Bangladesh all the best in their quarter final and in the next match with New Zealand. It is so good that all the Asian teams advanced to the quarter finals in this world cup.



Pre-Cana seminar – Report

There are a few criteria a Roman Catholic couple should fulfil before they stand in front of the altar to exchange their marriage vows. One of them is obtaining the certificate for completing the Pre-Cana seminar. According to Wikipedia, Pre-Cana is described as follows: "Pre-Cana is a course or consultation couples must undergo before they can be married in a Catholic church. The name is derived from John 2:1–12, the wedding feast at Cana in Galilee, where Jesus performed the miracle of turning water into wine." [1]

As mentioned, the intention is to counsel couples before they get married and educate them regarding the aspects of married life.

Recently my fiancée and I got the chance to attend such a seminar to earn the eligibility. It was held in one of the centres of the Colombo Diocese [2] on a Sunday. The seminar was a one-day program, 0830 to 1730 hrs.

The process of attending such a seminar is quite easy. A letter from the priest of the groom's church is required, and then the priest of the bride's church issues the form (or vice versa) that is mandatory to attend the seminar. That form should be filled in with care, since only one form is issued; try to make it as accurate as possible, since the certificate will carry that information. All instructions are on the form itself, and it is required to register beforehand. We were asked to be present at the venue 30 minutes early. A valid identification document (NIC, passport or driving licence) was required to register at the venue.

At 0830 hrs the registration started, followed by an introductory address by one of the volunteers.

The first section was about the view of marriage from the perspective of the Holy Bible. It was discussed along five points, extracting some phrases from the Holy Bible. The five points are:

  1. Integrity and sustainability of the marriage
  2. Equal respect
  3. Marriage bond based on love
  4. Sexual side of the marriage life
  5. Divorce

The first session lasted around 2 hours, during which the volunteer couple (Upali and Nelishiya, married for 35 years) shared their experience along with the perspectives of the Holy Bible covering the above five points.

After the tea break the second section began, led by another volunteer couple (married for 16 years and having 5 sons and daughters, remarkably and quite surprisingly). The main topic of the discussion was the psychological aspects of marriage. It was a good session where again 5 stages of marriage were explained with examples and the sharing of their experiences. It was an interesting discussion in which the participants interacted with the presenters. The five stages discussed are:

  1. Romantic stage
  2. Disappointment and Disillusionment stage
  3. Differentiation and Acceptance stage
  4. Modulation and integration stage
  5. Mature love stage

Once the second session concluded, the seminar paused for lunch.

After the lunch break the third section started, which was about the physical relationship between the couple after marriage. Another volunteer couple directed the session. How sex relates to the beliefs of the Catholic church was discussed first, followed by the topics of issues faced by new couples in their sex lives, natural birth control techniques and abortion. It was good information, especially as they discussed a lot of technical aspects of natural birth control techniques (the Catholic church refuses artificial birth control techniques, from condoms to LRT and so on).

The last section started right after the evening tea break. This session was organized in small groups (8 members in each group), where the volunteer couples addressed the small groups separately (the male partner of the couple addressed the men and the female partner addressed the women, in separate locations). Groups were formed separating males and females, and the topic was the social aspects of married life: how to cope with the new parents and siblings after the marriage, and how to manage the financial requirements.

There were two questions per session (different questions) to be answered from what had been learnt, and these were collected at the end of the seminar. Before concluding the event, two attendees addressed the participants and shared their views on the program. Certificates were distributed at the end of the seminar to all the participants.

Frankly, I believe the program filled a gap and strengthened the knowledge that is really necessary for couples who are starting their lives as husband and wife. A humble thank you, with respect, should be extended to all the volunteer couples (especially for their dedication and commitment to making the program a success and worthwhile), the priest in charge of this program at the centre and all the stakeholders.

May the blessing of Jesus always be with them and strengthen them to deliver much more, directing the lives of new couples in the right direction.

References

[1] http://en.wikipedia.org/wiki/Pre-Cana
[2] http://www.dioceseofcolombo.lk/


Confession of Love

I did decide …
Many said, I was wrong …
I giggled …
time passed …

I lived in a dream …
Enjoying every moment of it…
Without knowing it was a dream,
time passed …

It took a long time …
and cost a life time …
To realize …
Pie in the sky …

Now it is certain …
They are Right …
and I was Wrong …
No more dreams …

I did something …

which is …

Rightly Wrong & Wrongly Right.
