Wednesday, 31 May 2017

Slide - SAML, Variants, Functors, Monads and Exceptions

A presentation I gave at work (SAP Concur) on SAML, using variants and exception handling in Clojure, functors, applicative functors and monads in Haskell, and how the Maybe and Either monads short-circuit on exceptions and such. Removed some internal code and links.

The variant C code can be downloaded from GitHub.
Download this slide from GitHub.

Monday, 22 May 2017

The Next Big Brother - Amazon

This is my rant on Amazon and how it sucks big time. An interesting episode is going on between Amazon and me. I have an AWS EC2 instance and related services running with the same account that I use for purchases and Amazon Prime Video. A big mistake. Now they have locked the account. All of it is locked. No AWS, no Prime Video and no purchases with the account possible. Luckily I do not have any serious stuff in AWS. Just a personal VPN and stuff like that. So I have this IKEv2 VPN setup in the EU (London) region which I am using and I am connected to this account with IP and made a purchase on Amazon as usual, but this time with the VPN, which I forgot to disconnect (or why should I even disconnect? Still pondering). Then, my bank called me asking whether I had made a purchase using the credit card, along with some authorisation details and such, which I confirmed. The bank authorised the payment. After a while, I got the below message from Amazon.

We have removed your access to this account because we could not confirm your payment information. You will not be able to access your account or place orders with us until we confirm your information.

To resolve this matter, please send the information below to our secure fax line:

-- A copy of your statement for your MASTER CARD ending in 31, including the billing address
-- Your name, phone number, and the email address registered to your Amazon account

You can find our fax number on the Help page:

We will convert your fax to a secure electronic image. To protect your information, we restrict access to your payment information to a team of account specialists.

Our Customer Service team can confirm that we sent this email, but they cannot view your fax or share more information about this matter.

You can expect a response from us within 24 hours of sending your fax.

We ask that you not open new accounts because any new order that you place may be delayed.


Faizan Shariff
Account Specialist

What business does Amazon have to peek into my credit card transactions? Now this is what fraud looks like! So I asked what information they are not able to verify and I have no reply. Considering this drama, I have mentioned my IPs used to make the purchase, and sent emails to them during this period. Not sure they grok any of these. Another thing is I have as the mail Id and then the webmail sends mails from an alias, which leads to another source of confusion. Now I am like, you want to verify my identity, come to my address given in the website or send me an encrypted email using the PGP key and I am not sending my card statements, not going to happen. I am pissed and called my bank and asked to mark the transaction as invalid and block the card, which they did. But I use this as my backup card, but hey my bank is awesome! Now Amazon is obliged to refund. It is as if I have purchased the whole world from their website. If the bank, the payment gateway, the OTP from MasterCard, the phone call from the banker and all passes and verifies, think about Amazon's fraud detection algorithm in place. IP address check? Gosh! So lame. And I even have 2FA with TOTP in my account with the authenticator app on my phone and the purchase is made to the same address I purchased to before, no address change, no phone number change. Just think about it for a moment. Did not think Amazon is running on such a flaky algorithm with idiots verifying these. I was considering moving all my stuff to AWS, my domain, DNS with Route 53, email, which would have been a disaster, considering how they handle matters.

• Amount reversed by Amazon back to the card.
• Password reset mail received, but after reset, the system does not accept the login as it says wrong password and I can no longer access AWS from UI
• Account termination requested (no response, yet)

My main card is also linked (as a backup) with AWS billing and Amazon is not terminating my account or providing me access to my account. They are like, we won't give you access unless you give your card statement to us. Nice! Now they can bill me, even if I stop the instance. Blocked that card as well. Now Amazon is forced to shut down the account or else I get a free EC2 instance. Not exciting anymore for me anyway. I still have remote access to the server. Thinking what to do with it now as I assume it will be monitored after this incident.

But finally, some peace and no more business with Amazon ever again in my life.

• Reply from Amazon, which says my user account associated with the original email ending in is not found. True, when trying to login using that Id, the UI shows the same message. Now I am thinking whether I should make the credentials public to this zombie VPN which I still have remote access to. So very disgusting to deal with these people.

Me (with typo corrected, and some info masked):
.. snip (the whole story reiterated) ..
If the account is not found, then I will assume that it is terminated or no longer accessible from my perspective. I won't be contacting you anymore regarding this. And I don't care if the instance is up or used or abused. The onus is not on me now as I am making this very clear to you folks.

Mobile numbers added with the account are two of them.

Current IP: REMOVED

If you still think the information is not sufficient to verify, then you are in serious trouble.

++ (useless chaps, anyway).

And yes, I understand that Amazon will be happy if I hand out my MasterCard statement. I can if you have a court order, but else I don't see any reason to as the problem is with Amazon. Sorry, I feel very disgusted to deal with such pestering.
Amazon (email removed by me for privacy reasons):
.. snip ..
I'm sorry but I couldn't find an account under the e-mail address
.. snip (rest of the email template) ..
So from this you can infer that Amazon does not care and the same goes for me as well. So the VPN credentials to the box follow. But you are warned.
PSK: rjSEi74Y3e95TNuX
username: amazonsucks
password: =r#@<F&xT+n6jfj~

chap-secrets L2TPD
username: amazonsucks
password: n2A7ZN4kj9KqXfTu
OS X Configuration example using IPSec
VPN->Cisco IPSec
Server Address:
Account Name: amazonsucks
Password: <Above IPSec Password>
Authentication Settings->Shared Secret: <Above IPSec PSK>

VPN DNS (Yandex Family)

Chapter closed.

Oops, this thing never ends.
Greetings from Amazon.

We have reinstated your account.

Order (#407-6873123-xxxxxxx) was cancelled for your security. If you would like to receive the items in this order, please feel free to place a new order.

Thank you for your patience and cooperation with our security measures.

Warmest regards,

Account Specialist
This mail is sent to my gmail account that I mentioned in my previous email to them, which was used when I signed up with Amazon ages ago. Okay, I asked for account termination and I get it reinstated. I don't care. I lost my trust with their security systems, which is a joke, and there is no going back. Hopefully this ends here, or will it?

PS: Excuse my language.

Friday, 12 May 2017

BlackBerry Passport MicroSDXC Card Support

BlackBerry Passport supports microSD cards up to 128GB. microSDXC cards can also be used with it. However, BlackBerry 10 recognises only FAT formatted external partitions and these cards mostly come formatted as exFAT. So the device will show that the media card is not supported and is downloading drivers, but it will fail with an error. To fix this, erase the card and choose FAT as the partition format. Then the OS will recognise the microSDXC card.

Monday, 8 May 2017

Get RSA PublicKey from XML Key Format

Here is a script (prototype) in Groovy to get an RSA PublicKey from an XML public key. You might encounter such XML keys, say during .NET interop.
import javax.xml.parsers.DocumentBuilder
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document
import java.nio.charset.StandardCharsets
import java.security.KeyFactory
import java.security.PublicKey
import java.security.spec.RSAPublicKeySpec

// XML public key; the root element follows the .NET RSAKeyValue layout
def rsaPubXML = "<RSAKeyValue><Modulus>ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
def docBuilderFactory = DocumentBuilderFactory.newInstance()
def docBuilder = docBuilderFactory.newDocumentBuilder()

// Decode a Base64 string into raw bytes
def b64Decode(enc) {
    Base64.decoder.decode(enc as String)
}

Document xmlDoc = docBuilder.parse(new ByteArrayInputStream(rsaPubXML.getBytes(StandardCharsets.UTF_8)))

// Both key components are stored as Base64 text inside their elements
def modulus = xmlDoc.getElementsByTagName("Modulus").item(0).textContent
def exponent = xmlDoc.getElementsByTagName("Exponent").item(0).textContent
println "modulus: ${modulus}\nexponent: ${exponent}"

// Build the JCA key from the decoded big-endian integers
RSAPublicKeySpec keySpec = new RSAPublicKeySpec(new BigInteger(b64Decode(modulus)), new BigInteger(b64Decode(exponent)));
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey key = keyFactory.generatePublic(keySpec);

println "key: ${key}"
This gives the following output.
modulus: ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V
exponent: AQAB
key: Sun RSA public key, 1024 bits
  modulus: 154774478177095248394968828543369801032226937226535865231262824893513573019304152154974259955740337204606655133945162319470662684517274530901497375379716962851415879364453962123395223899051919634994929603613704222239797911292193776910691509004328773391280872757318122152217457361921195935350223751896771182421
  public exponent: 65537
Note that the modulus must be a positive integer. If you are working with other JVM languages and are getting a negative integer value, specify the signum as 1 in the BigInteger(1, b64Decode(modulus)) constructor call. The exponent must always be 65537 as of now because that is the largest Fermat prime known today.
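
An added example (not code from the original post): a stricter Groovy parser for the same XML key layout that always decodes the Base64 fields with signum 1, refuses DOCTYPE declarations in the received XML, and sanity-checks the key. The helper name parseRsaKeyValue, the minBits parameter and the re-encoded sample key are assumptions made for this illustration.

```groovy
import javax.xml.parsers.DocumentBuilderFactory
import java.security.KeyFactory
import java.security.interfaces.RSAPublicKey
import java.security.spec.RSAPublicKeySpec

// Hypothetical helper, not from the original post.
RSAPublicKey parseRsaKeyValue(String xml, int minBits = 1024) {
    def dbf = DocumentBuilderFactory.newInstance()
    // The key file comes from another party: refuse DOCTYPE so it cannot carry XXE.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    dbf.setXIncludeAware(false)
    dbf.setExpandEntityReferences(false)
    def doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")))

    def field = { String tag ->
        def nodes = doc.getElementsByTagName(tag)
        if (nodes.length != 1) throw new IllegalArgumentException("expected exactly one <" + tag + ">")
        // Signum 1: the bytes are an unsigned big-endian magnitude.
        new BigInteger(1, Base64.decoder.decode(nodes.item(0).textContent.trim()))
    }
    BigInteger n = field("Modulus")
    BigInteger e = field("Exponent")
    if (n.bitLength() < minBits) throw new IllegalArgumentException("modulus is only ${n.bitLength()} bits")
    if (!e.testBit(0) || e < 3) throw new IllegalArgumentException("exponent must be odd and at least 3")
    return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e))
}

// Constructed input: the post's sample modulus re-encoded without its leading
// 0x00 byte, so the first byte has its high bit set.
def pageModulus = "ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V"
byte[] raw = Base64.decoder.decode(pageModulus)
byte[] unsigned = Arrays.copyOfRange(raw, 1, raw.length)

// The two-argument-free constructor reads the bytes as two's complement: negative.
assert new BigInteger(unsigned).signum() == -1

String xml = "<RSAKeyValue><Modulus>${Base64.encoder.encodeToString(unsigned)}</Modulus>" +
             "<Exponent>AQAB</Exponent></RSAKeyValue>"
def key = parseRsaKeyValue(xml)

// With signum 1 the stripped encoding yields the same modulus as the original.
assert key.modulus == new BigInteger(1, raw)
println "bits=${key.modulus.bitLength()} exponent=${key.publicExponent}"
```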

Sunday, 30 April 2017

Base64 macOS App Release

Released v1.0 of Base64 macOS app. It is a simple app for encoding and decoding base64 texts. It will encode texts as we type or paste. This program does not access any files or network and works offline. It is sandboxed as well.

Encode screen

Decode screen

Source code at GitHub. For downloads, check the release folder.

Saturday, 29 April 2017

Working with AppKit Delegates

Delegates are responders that act on events that occur in a program. AppKit delegates often work with Cocoa UI events. Here we will see two examples of handling events, one for NSTextField and another for NSTextView, in conjunction with Interface Builder rather than programmatically.

1. Create a macOS Cocoa project from Xcode which will generate an AppDelegate and a ViewController as usual.
2. We will make the ViewController as the delegate to respond to events. For that we need to declare that the ViewController adopts the formal protocol defined by the delegates.
@interface ViewController : NSViewController<NSTextViewDelegate, NSTextFieldDelegate>
@end
3. Choose the Main.storyboard and choose the View Controller Scene, drag and drop Text View and Text Field components.
4. Choose the Text View from the Document Outline of the View Controller Scene, option click, and in the popup, connect the delegate outlet to the View Controller. Same for Text Field.

5. Now, in the ViewController.h header, declare two IBOutlets which will connect the components in the storyboard to the code.
@interface ViewController : NSViewController<NSTextViewDelegate, NSTextFieldDelegate> {
    IBOutlet NSTextView *textView;
    IBOutlet NSTextField *textField;
}
@end
Since these Interface Builder outlets are not connected yet, the radio box is in the unchecked state.
6. Go back to the interface builder (the storyboard file), choose Text View, option click, drag and connect the New Referencing Outlet to View Controller which brings the above IBOutlets. Choose textView to make the connection. Do the same for Text Field, but here we should choose textField as the referencing outlet.

7. Back to code, open ViewController.m implementation file and implement any of the delegated methods.
#pragma mark - delegates

/* NSTextView: called whenever the text view's content changes */
- (void)textDidChange:(NSNotification *)notification {
    NSLog(@"text did change");
    textView = [notification object];
    NSLog(@"string: %@", [textView string]);
}

/* NSTextField: called whenever the text field's content changes */
- (void)controlTextDidChange:(NSNotification *)obj {
    NSLog(@"control text did changed");
    textField = [obj object];
    NSLog(@"text: %@", [textField stringValue]);
}
The above methods are invoked when the text in a text view or text field changes. The same concept extends to Cocoa Touch and iOS development.

The sample project can be downloaded from github.

Wednesday, 26 April 2017

Call blocking in BlackBerry 10 for a known number

We do not need a fancy app to block calls. By default, BB10 has the option to block all incoming calls or none. Not individually. But there is a better way. Ideally, we should not be blocking calls, because the caller can identify whether a call has been blocked or not. It will ring once and then get busy or some other tones. A better way is to just disable all notifications for a number. For that, first save the annoying number to your contacts and in the "Ringtones and Notifications" option for that contact, choose "Phone Calls" and turn off "All Notifications". That is all there is. Now the call gets received, but you would not know unless you look at the phone. No disturbance.