Wednesday, 31 May 2017

Slide - SAML, Variants, Functors, Monads and Exceptions

A presentation I gave at work (SAP Concur) on SAML, on using variants and exception handling in Clojure, on functors, applicative functors and monads in Haskell, and on how the Maybe and Either monads short-circuit on errors and the like. Some internal code and links have been removed.


The variant C code can be downloaded from Github.
Download this slide from Github.

Monday, 22 May 2017

The Next Big Brother - Amazon

This is my rant on Amazon and how it sucks big time. An interesting episode is going on between Amazon and me. I have an AWS EC2 instance and related services running under the same account that I use for purchases and Amazon Prime Video. A big mistake. Now they have locked the account. All of it is locked: no AWS, no Prime Video and no purchases with the account possible. Luckily I do not have any serious stuff in AWS, just a personal VPN and things like that. So I have this IKEv2 VPN set up in the EU (London) region which I am using, and I was connected to this account with IP 52.56.56.129 and made a purchase on Amazon as usual, but this time over the VPN, which I forgot to disconnect (or why should I even disconnect? Still pondering). Then my bank called me asking whether I had made a purchase using the credit card, with some authorisation details and such, which I confirmed. The bank authorised the payment. After a while, I got the below message from Amazon.
Hello,

We have removed your access to this account because we could not confirm your payment information. You will not be able to access your account or place orders with us until we confirm your information.

To resolve this matter, please send the information below to our secure fax line:

-- A copy of your statement for your MASTER CARD ending in 31, including the billing address
-- Your name, phone number, and the email address registered to your Amazon account

You can find our fax number on the Amazon.in Help page:
www.amazon.in/help/addressverification

We will convert your fax to a secure electronic image. To protect your information, we restrict access to your payment information to a team of account specialists.

Our Customer Service team can confirm that we sent this email, but they cannot view your fax or share more information about this matter.

You can expect a response from us within 24 hours of sending your fax.

We ask that you not open new accounts because any new order that you place may be delayed.

Sincerely,

Faizan Shariff
Account Specialist
http://www.amazon.in
=========================

What business does Amazon have peeking into my credit card transactions? Now this is what fraud looks like! So I asked what information they are not able to verify, and I have had no reply. Considering this drama, I have mentioned the IPs used to make the purchase and sent emails to them during this period. Not sure they grok any of this. Another thing is that I have a yandex.ru address as the mail ID, and the webmail then sends mails from a yandex.com alias, which leads to another source of confusion. Now I am like, you want to verify my identity, come to my address given on the website or send me an encrypted email using my PGP key; I am not sending my card statements, not going to happen. I am pissed and called my bank and asked them to mark the transaction as invalid and block the card, which they did. I use this as my backup card, but hey, my bank is awesome! Now Amazon is obliged to refund. It is as if I have purchased the whole world from their website. If the bank, the payment gateway, the OTP from MasterCard and the phone call from the banker all pass and verify, think about Amazon's fraud detection algorithm in place. IP address check? Gosh! So lame. And I even have 2FA with TOTP on my account with the authenticator app on my phone, and the purchase is shipped to the same address I purchased to before, no address change, no phone number change. Just think about it for a moment. Did not think Amazon is running on such a flaky algorithm, with idiots verifying these. I was considering moving all my stuff to AWS, my domain, DNS with Route 53, email, which would have been a disaster, considering how they handle matters.

Updates
23.05.17
• Amount reversed by Amazon back to the card.
• Password reset mail received, but after reset, the system does not accept the login as it says wrong password and I can no longer access AWS from UI
• Account termination requested (no response, yet)

24.05.17
My main card is also linked (as a backup) with AWS billing, and Amazon is neither terminating my account nor providing me access to it. They are like, we won't give you access unless you give your card statement to us. Nice! Now they can bill me, even if I stop the instance. Blocked that card as well. Now Amazon is forced to shut down the account, or else I get a free EC2 instance. Not exciting for me anymore anyway. I still have remote access to the server. Thinking what to do with it now, as I assume it will be monitored after this incident.

But finally, some peace and no more business with Amazon ever again in my life.

• Reply from Amazon, which says the user account associated with the original email ending in yandex.ru is not found. True, when trying to log in using that ID, the UI shows the same message. Now I am thinking whether I should make the credentials to this zombie VPN, which I still have remote access to, public. So very disgusting to deal with these people.

Final
Me (with typo corrected, and some info masked):
.. snip (the whole story reiterated) ..
If the account is not found, then I will assume that it is terminated or no longer accessible from my perspective. I won't be contacting you anymore regarding this. And I don't care if the instance is up or used or abused. The onus is not on me now as I am making this very clear to you folks.

Mobile numbers added with the account are two of them.
REMOVED
REMOVED

Current IP: ‎REMOVED
ISP: REMOVED

If you still think the information is not sufficient to verify, then you are in serious trouble.

++ cs-reply@amazon.in‎ (useless chaps, anyway).

And yes, I understand that Amazon will be happy if I hand out my MasterCard statement. I can if you have a court order, but else I don't see any reason to as the problem is with Amazon. Sorry, I feel very disgusted to deal with such pestering.
Amazon (I removed the email for privacy reasons):
.. snip ..
I'm sorry but I couldn't find an Amazon.co.uk account under the e-mail address REMOVED@yandex.ru
.. snip (rest of the email template) ..
Deduction
So from this you can infer that Amazon does not care, and the same goes for me as well. So the VPN credentials to the box follow. But you are warned.
IPSec/IKEv2 VPN
PSK: rjSEi74Y3e95TNuX
username: amazonsucks
password: =r#@<F&xT+n6jfj~

chap-secrets L2TPD
username: amazonsucks
password: n2A7ZN4kj9KqXfTu
OS X Configuration example using IPSec
VPN->Cisco IPSec
Server Address: 52.56.56.129
Account Name: amazonsucks
Password: <Above IPSec Password>
Authentication Settings->Shared Secret: <Above IPSec PSK>

VPN DNS (Yandex Family)
77.88.8.7
77.88.8.3

Chapter closed.

25.05.17
Oops, this thing never ends.
Greetings from Amazon.

We have reinstated your Amazon.in account.

Order (#407-6873123-xxxxxxx) was cancelled for your security. If you would like to receive the items in this order, please feel free to place a new order.

Thank you for your patience and cooperation with our security measures.


Warmest regards,

Joshua
Account Specialist
http://www.amazon.in
=========================
This mail was sent to my gmail account that I mentioned in my previous email to them, which was used when I signed up with Amazon ages ago. Okay, I asked for account termination and I get it reinstated. I don't care. I have lost my trust in their security systems, which are a joke, and there is no going back. Hopefully this ends here, or will it?

PS: Excuse my language.

Friday, 12 May 2017

BlackBerry Passport MicroSDXC Card Support

BlackBerry Passport supports microSD cards up to 128GB, so microSDXC cards can be used with it. However, BlackBerry 10 recognises only FAT-formatted external partitions, and these cards mostly come formatted as exFAT. The device will show that the media card is not supported and is downloading drivers, but it will fail with an error. To fix this, erase the card and choose FAT as the partition format; the OS will then recognise the microSDXC card.

Monday, 8 May 2017

Get RSA PublicKey from XML Key Format

Here is a script (prototype) in Groovy to get an RSA PublicKey from an XML public key. You might encounter such XML keys, say during .NET interop: RSA.ToXmlString(false) emits an RSAKeyValue element whose Modulus and Exponent children hold the two values as base64-encoded big-endian unsigned integers.
import javax.xml.parsers.DocumentBuilder
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document
import java.nio.charset.StandardCharsets
import java.security.spec.RSAPublicKeySpec
import java.security.KeyFactory
import java.security.PublicKey
import java.util.Base64

// .NET RSAKeyValue XML: Modulus and Exponent are base64 big-endian unsigned integers
def rsaPubXML = "<RSAKeyValue><Modulus>ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
def docBuilderFactory = DocumentBuilderFactory.newInstance()
// A key blob never needs a DOCTYPE; refusing one blocks XXE and entity-expansion tricks
// when the XML arrives from an untrusted peer (the JDK parser resolves entities by default)
docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
def docBuilder = docBuilderFactory.newDocumentBuilder()

def b64Decode(enc) {
    Base64.getDecoder().decode(enc)
}

Document xmlDoc = docBuilder.parse(new ByteArrayInputStream(rsaPubXML.getBytes(StandardCharsets.UTF_8)))

def modulus = xmlDoc.getElementsByTagName("Modulus").item(0).textContent
def exponent = xmlDoc.getElementsByTagName("Exponent").item(0).textContent
println "modulus: ${modulus}\nexponent: ${exponent}"

// signum 1 treats the decoded bytes as an unsigned magnitude, so a modulus that lacks
// the leading 0x00 byte does not come out negative (see the note below)
RSAPublicKeySpec keySpec = new RSAPublicKeySpec(new BigInteger(1, b64Decode(modulus)), new BigInteger(1, b64Decode(exponent)))
KeyFactory keyFactory = KeyFactory.getInstance("RSA")
PublicKey key = keyFactory.generatePublic(keySpec)

println "key: ${key}"
This gives the following output.
modulus: ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V
exponent: AQAB
key: Sun RSA public key, 1024 bits
  modulus: 154774478177095248394968828543369801032226937226535865231262824893513573019304152154974259955740337204606655133945162319470662684517274530901497375379716962851415879364453962123395223899051919634994929603613704222239797911292193776910691509004328773391280872757318122152217457361921195935350223751896771182421
  public exponent: 65537
Note that the modulus must be a positive integer. The base64 value is a big-endian magnitude; .NET usually emits a leading 0x00 byte when the top bit of the first byte is set (as above, where the base64 starts with "AN"), but if that byte is absent the plain BigInteger(byte[]) constructor interprets the bytes as two's complement and returns a negative value, and RSAPublicKeySpec will then produce a useless key. Passing the signum explicitly, BigInteger(1, b64Decode(modulus)), is correct in both cases, whichever JVM language you use. The exponent is read from the XML as well; it is almost always 65537 (2^16 + 1, the fourth Fermat number and the largest known Fermat prime, popular because it is small and has only two set bits), but other odd values such as 3 or 17 are valid, so do not hardcode it.
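As an added example (Python 3 standard library only, not the post's Groovy and not .NET's own code), the same RSAKeyValue parsing carried a step further than the post: it decodes both values as unsigned magnitudes, refuses a DOCTYPE, sanity-checks the numbers, shows the sign pitfall the note above describes, and converts the key to a SubjectPublicKeyInfo PEM that OpenSSL and the JVM can load directly. The sample XML is constructed from the post's modulus and exponent; the function names and the minimum key size are my own choices.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the 1024-bit modulus and exponent from the post, wrapped in
# .NET's RSAKeyValue element (the blog extraction had dropped the tags).
MODULUS_B64 = "ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V"
SAMPLE_XML = ("<RSAKeyValue><Modulus>" + MODULUS_B64 + "</Modulus>"
              "<Exponent>AQAB</Exponent></RSAKeyValue>")


def b64_to_uint(text):
    """Decode base64 as an unsigned big-endian integer (the BigInteger(1, bytes) equivalent)."""
    return int.from_bytes(base64.b64decode(text, validate=True), "big", signed=False)


def parse_rsa_key_value(xml_text, min_bits=1024):
    """Parse an RSAKeyValue document and return (n, e) after sanity checks."""
    # A key blob never needs a DOCTYPE. Refusing it up front removes entity-expansion
    # tricks regardless of parser defaults (Java's DocumentBuilderFactory resolves
    # external entities by default; Python's expat still expands internal ones).
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DOCTYPE/ENTITY not allowed in an RSAKeyValue document")
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("unexpected root element %r" % root.tag)
    mod_el, exp_el = root.find("Modulus"), root.find("Exponent")
    if mod_el is None or exp_el is None or not mod_el.text or not exp_el.text:
        raise ValueError("Modulus and Exponent are required")
    n = b64_to_uint(mod_el.text.strip())
    e = b64_to_uint(exp_el.text.strip())
    # Reject values that cannot be a sane RSA public key instead of letting them
    # silently "work": a short or even modulus, or an exponent below 3 or even.
    if n.bit_length() < min_bits or n % 2 == 0:
        raise ValueError("modulus is too short or even")
    if e < 3 or e % 2 == 0:
        raise ValueError("implausible public exponent")
    return n, e


def signed_decode_pitfall(modulus_b64):
    """(positive with the leading 0x00 kept, positive without it) under two's-complement decoding."""
    raw = base64.b64decode(modulus_b64)
    stripped = raw.lstrip(b"\x00")
    return (int.from_bytes(raw, "big", signed=True) > 0,
            int.from_bytes(stripped, "big", signed=True) > 0)


# --- Minimal DER encoder, enough for SubjectPublicKeyInfo with rsaEncryption ---
def _der_len(length):
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # pad so the INTEGER stays positive
        body = b"\x00" + body
    return _der(0x02, body)


def to_spki_der(n, e):
    """RFC 5280 SubjectPublicKeyInfo wrapping the PKCS#1 RSAPublicKey SEQUENCE."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    rsa_encryption_oid = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
    algorithm = _der(0x30, _der(0x06, rsa_encryption_oid) + b"\x05\x00")  # NULL params
    subject_public_key = _der(0x03, b"\x00" + rsa_public_key)  # BIT STRING, 0 unused bits
    return _der(0x30, algorithm + subject_public_key)


def to_pem(n, e):
    b64 = base64.b64encode(to_spki_der(n, e)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    n, e = parse_rsa_key_value(SAMPLE_XML)
    print("bits:", n.bit_length(), "e:", e)
    print("signed decode positive (with/without leading 0x00):", signed_decode_pitfall(MODULUS_B64))
    print(to_pem(n, e))
```

The printed PEM can be checked with `openssl rsa -pubin -noout -text`, which should report the same 1024-bit modulus and exponent 65537 as the Groovy output above; `signed_decode_pitfall` returns (True, False), i.e. the same bytes flip sign as soon as the leading zero byte is missing, which is exactly why the signum-1 constructor is the safe choice.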