Weekly Random links of Interest – ITaaS, Weiner’s downfall, LulzSec and BitCoins

Here are the random links of interest for this week. Have a good weekend.

IT as a Service – A stateless infrastructure architecture model.

Another great post by Lori MacVittie. Cloud is all about shifting to “service” mindset. “Service” is also the foundational concept behind SOA. Every cloud service model (IaaS, PaaS, SaaS) abstracts and decouples certain aspects from the layers below, resulting in a flexibility never seen before. Take the case of IaaS. By abstracting and virtualizing compute, storage and network, we are decoupling applications from underneath physical resources. This ultimately results in the unprecedented flexibility to move applications/workloads (VMWare’s vMotion, Cisco’s OTV etc) across machines in data center and across data centers – for load balancing, availability etc. However, this shouldn’t affect how the services (applications) are consumed. SOA’s way of achieving this is via WSDLs and service registries. At the code level, programmers would immediately recall  Martin Fowler’s Dependency Injection and Inversion of Control principles achieving similar objectives.

By looking at applications as “services” and adopting SOA principles, ITaaS can achieve benefits beyond IaaS.

Twitter & Anthony Weiner’s downfall

Must read. This articles ends with the following quote 🙂

“The details of web product design had led to the pants being pulled down on a promising political career.”

To me, the interesting part of the story is not how a promising politician’s career was put to an abrupt ending but the key product decisions that twitter team made early in the process and how those decisions changed lives of everyone in the last few years.

While twitter has more issues (here are some I face in my daily use of twitter) to solve, clearly the ability to follow someone without requiring his explicit permission has been the winner from the day one.

via @timoreilly

We screw each other over for a jolt of satisfaction

That’s a cheesy title, but one should read it. I have been following the @LulzSec twitter stream for the last one week as they are hacking sites (Sony, CIA, etc) and posting plain text user ids and passwords extracted from site’s internal databases for everyone to see.  In the beginning, I thought hacking sites that ignore basic security mechanisms (SQL Injection, Stronger passwords, Not storing plain text passwords of users in the DB etc) would send a messages to companies and IT organizations across to re-look at their web applications.  And to some extent, @LulzSec may have achieved this purpose. In the recent past, we have not seen such consistent and systematic hacking of sites and it got everyone’s attention about the continued ignorance of basic security practices in web applications.

But the subsequent act of @LulzSec posting the extracted usernames and passwords on public sites for everyone to see and download is a disastrous step. You cannot blame and punish naive internet users for having simple and same passwords across several sites when the so called “expert” application and system developers are not doing a good job in applying basic security practices to begin with. Look at what is happening now: These publicly available usernames and passwords are tempting many normal folks to try and access the same username and passwords on several other sites (facebook, paypal, gmail etc) and see if it just works.

Here is another who user went one step ahead and created a script to automate this process and posted the script itself on the github for everyone to use and try. Too bad.

Given that @LulzSec is so active on twitter, how long is it before they get caught ?

BitCoin, The New Money

If you haven’t heard of BitCoin, here is your hance to mint your own money, virtual money for free 🙂 Read more about here, here,  wikipedia link and of course yours truly quora link, answers for all your questions.

I came across BitCoin on the hackernews.com. After that so many people are posting links to news about bitcoin, one impatient guy couldn’t bear it any longer and wrote a safari extension to hide all bitcoin news on hackernews.com 🙂



Samsung TV hacking & Snooping on WiFi Traffic in Windows 7

When working with a new software product/system, I am one of those guys who is not satisfied just knowing the external interface. I need to know what is going on “under the hood” as well.

Couple of months back, I bought a Samsung LED TV that has cool Internet features. With couple of fun TV app ideas in mind, I wanted to get down to do some coding during the weekends. So, I finally spent some time reading up the documentation and started coding.

In the meantime, I was playing around with some apps that come with TV. It has some nice apps like Skype, Google Maps, Twitter, Facebook etc. The functionality offered in twitter and facebook apps is so limited that one cannot even navigate to the links.  While there is no app store for Samsung India, there seem to be one for Samsung USA. It is so disappointing to see that there is lot more content and apps for USA customers and Samsung India has no clue when they will be made available here. Samsung India customer support is not even aware of an app store or tv apps – I had fun time talking to them though 🙂

I didn’t think that this logic of what apps to be made available is embedded in the firmware. It must be some pre-set region code or something like that set in the TV that the software  further uses to restrict or extend the features. Since the list of apps are not hard-wired into the TV, the software must be talking to some Samsung servers out there. So, I thought I will find out what is going on by looking into the traffic as I turn on the TV.

I had my TV connected to Internet via WiFi to the Linksys WiFi router. Since my windows laptop is also connected to the WiFi in the same network, I thought I could easily snoop on the traffic by firing up Wireshark in promiscuous mode. Apparently not so easy in windows. Unlike linux, it seems that Windows doesn’t allow or has limited support for promiscuous mode with WiFi adaptors. I learnt this hard way though.  Thanks to my former colleagues on LinkedIn Abhijit and MikeB, it seems that  this apparently works on linux and that there are some commercial solutions like AirPcap, I didn’t want to go that far. Plus, I didn’t have access to a linux machine readily.

But with some more time and help from google, I came to know that windows 7 has this cool feature called virtual WiFi adapter using which the windows laptop itself could act as an AccessPoint. That means, TV could now connect to the access point provided by laptop instead of the router. My laptop instead connected to the router via Ethernet.

With this setup, I was able to combine another of windows feature called ICS (Internet Connection Sharing) and configure internet sharing between Ethernet and virtual WiFi adapters. Now, I could snoop on the TV traffic by using promiscuous mode on the Ethernet adapter.  I also found that snooping works perfectly fine on virtual WiFi adapter too.

Next few hours was pure hacking delight looking at all the API calls the TV was making. TV is running on Linux. Luckily, only the initial authentication calls are on HTTPS. Once an auth token is retrieved, subsequent calls are made over HTTP itself.

  • authenticating to samsung servers in Korea
  • getting details of capabilities(like paid apps) to be exposed,
  • catalog calls to retrieve list of apps,
  • get list of installed apps,
  • retrieve service notifications etc.

Not sure if it is a serious privacy issue, TV also logs several user actions to the server including how many times an app is launched etc.

While doing this, I also came across a project on sourceforge called SamyGo. These guys have been hacking Samsung TVs for a while – including enabling telnet/ftp support, hidden PVR functionality and even modifying the firmware in some cases. Check it out here. While I haven’t rooted my TV yet, I was able to gain lot more insights using their tools.

Anyway, here are the instructions on how to snoop on WiFi traffic on windows, if you ever want to do. You can  use this approach to snoop on your mobile phone app traffic too.

  • Start a command window in administrative mode. You can do this by right-clicking on the “Command prompt” menu item in Start | All Programs | Accessories

  • Run the following two commands to setup a virtual WiFi adpater

c:>netsh wlan set hostednetwork mode=allow ssid=ssid1 key=password

This creates a virtual WiFi adapter acting as an AccessPoint. Replace ssid1 and password with your own. You can get more help on this command by running “netsh wlan set hostednetwork ?”

c:>netsh wlan start hostednetwork

This actually starts the access point. You may need to re-run this command if you reboot the laptop.

  • Enable internet connection sharing

Go to Control Panel | Network & Sharing Center | Change Adapter Settings and right-click on your Ethernet adapter (or any adapter with internet connection) and bring up properties. Change to “Sharing” tab and enable the check box “Allow other network users …”. In the combo box below, select the newly created virtual WiFi adapter.

  • Now, go back to the device (TV or mobile) and refresh WiFi access points. You should see the newly created access point ssid1 that the device can connect to.
  • That’s it. Have fun with the hacking.

PS: btw, there are some free tools like Vritual Router and Connectify that simplify the steps above into simple UI, but I had little success in snooping on WiFi traffic with them.

Push to TV

Snapstick takes on Apple TV, Google TV —  Snapstick in action in CNET headquarters on an iPhone 4 and TV monitor.  —  A startup called Snapstick is introducing its spin on Internet TV today that it hopes will compete heavily with Apple TV, Google TV, and other set-top boxes.

Sigh!! I was toying with the very same idea last few days after I recently bought Samsung TV that has internet features. Even with DLNA, sharing what is on my mobile and PC is not easy. All DLNA does is, it makes your DLNA connected device appear like a USB device on your TV. You then browse through the content much like you do with any other USB drive.

I was looking at the experience to be more like :I am sitting in front of the TV watching some program with my family. And at the same time fiddling with my “Windows mobile turned into Android phone“, I see that I received an interesting MMS and would like to share with rest of my family watching the TV (probably during a commercial). I would like to do this by selecting the MMS message and simply push a button “Send to TV”. And Voila, the MMS message appears on the TV.

Or, found a funny video on youtube and would like to share that with the folks. It doesn’t make sense to switch the TV to internet mode, select the youtube app, type in the URL using a TV remote. Instead, would like to click on “Send to TV” button that magically does all the above.

And this is not very hard to do. All it needs is a background app running on TV to receive the control and  data messages from authorized connected devices (my phone, iPad, laptop etc).

I will probably spend few cycles during the weekends anyway with Samsung TV SDK and give it a spin!!