Monday, 22 May 2017

The Next Big Brother - Amazon

This is my rant on Amazon and how it sucks big time. An interesting episode is going on between Amazon and me. I have an AWS EC2 instance and related services running with the same account that I use for purchases and Amazon Prime Video. A big mistake. Now they have locked the account. All of it is locked. No AWS, no Prime Video and no purchases with the account possible. Luckily I do not have any serious business in AWS. Just a personal VPN and stuff like that. So I have this IKEv2 VPN set up in the EU (London) region which I am using, and I was connected to this account with IP 52.56.56.129 and made a purchase on Amazon as usual, but this time with the VPN, which I forgot to disconnect (or why should I even disconnect? Still pondering). Then my bank called me, asking whether I had made a purchase using the credit card, along with some authorisation details and such, which I confirmed. The bank authorised the payment. After a while, I got the below message from Amazon.

Hello,

We have removed your access to this account because we could not confirm your payment information. You will not be able to access your account or place orders with us until we confirm your information.

To resolve this matter, please send the information below to our secure fax line:

-- A copy of your statement for your MASTER CARD ending in 31, including the billing address
-- Your name, phone number, and the email address registered to your Amazon account

You can find our fax number on the Amazon.in Help page:
www.amazon.in/help/addressverification

We will convert your fax to a secure electronic image. To protect your information, we restrict access to your payment information to a team of account specialists.

Our Customer Service team can confirm that we sent this email, but they cannot view your fax or share more information about this matter.

You can expect a response from us within 24 hours of sending your fax.

We ask that you not open new accounts because any new order that you place may be delayed.

Sincerely,

Faizan Shariff
Account Specialist
http://www.amazon.in
=========================


What business does Amazon have to peek into my credit card transactions? Now this is what fraud looks like! So I asked what information they are not able to verify, and I have no reply. Considering this drama, I have mentioned the IPs I used to make the purchase and the emails sent to them during this period. Not sure they grok any of this. Another thing is that I have yandex.ru as the mail ID and the webmail sends mail from yandex.com, an alias, which leads to another source of confusion for these idiots. It's like Russia? Oh, fraud. Suckers. Now I am like, you want to verify my identity, come to my address given on the website or send me an encrypted email using the PGP key, and I am not sending my card statements, not going to happen. I am pissed and called my bank and asked them to mark the transaction as invalid and block the card, which they did. I use this as my backup card, but hey, my bank is awesome! Now Amazon is obliged to refund. It is as if I have purchased the whole world from their website. If the bank, the payment gateway, the OTP from MasterCard, the phone call from the banker and all pass and verify, think about Amazon's fraud detection algorithm in place. IP address check? Gosh! So lame. And I even have 2FA with TOTP on my account. Did not think Amazon was running on such a flaky algorithm with idiots verifying these. I was considering moving all my stuff to AWS, which would have been a disaster, considering how they handle matters.

Updates
23.05.17
• Amount reversed by Amazon back to the card.
• Password reset mail received, but after reset, the system does not accept the login as it says wrong password and I can no longer access AWS from UI
• Account termination requested (no response, yet)

24.05.17
My main card is also linked (as a backup) with AWS billing and Amazon is not terminating my account or providing me access to my account. They are like, we won't give you access unless you give your card statement to us. Nice! Now they can bill me, even if I stop the instance. Blocked that card as well. Now Amazon is forced to shut down the account or else I get a free EC2 instance. Not exciting anymore for me anyway. I still have remote access to the server. Thinking what to do with it now, as I assume it will be monitored after this incident.

But finally, some peace and no more business with Amazon ever again in my life.

Friday, 12 May 2017

BlackBerry Passport MicroSDXC Card Support

BlackBerry Passport supports microSD cards up to 128GB. microSDXC cards can also be used with it. However, BlackBerry 10 recognises only FAT formatted external partitions and these cards mostly come formatted as exFAT. So the device will show that the media card is not supported and that it is downloading drivers, but it will fail with an error. To fix this, erase the card and choose FAT as the partition format. Then the OS will recognise the microSDXC card.

Monday, 8 May 2017

Get RSA PublicKey from XML Key Format

Here is a script (prototype) in Groovy to get an RSA PublicKey from an XML public key. You might encounter such XML keys during .NET interop, for example.
import javax.xml.parsers.DocumentBuilder
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document
import java.nio.charset.StandardCharsets
import java.security.spec.RSAPublicKeySpec
import java.security.KeyFactory
import java.security.PublicKey

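// .NET-style XML public key; the Modulus and Exponent values are Base64-encoded big-endian bytes
def rsaPubXML = "<RSAKeyValue><Modulus>ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"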
def docBuilderFactory = DocumentBuilderFactory.newInstance()
def docBuilder = docBuilderFactory.newDocumentBuilder()

def b64Decode(enc) {
    Base64.getDecoder().decode(enc)
}

Document xmlDoc = docBuilder.parse(new ByteArrayInputStream(rsaPubXML.getBytes(StandardCharsets.UTF_8)))

def modulus = xmlDoc.getElementsByTagName("Modulus").item(0).textContent
def exponent = xmlDoc.getElementsByTagName("Exponent").item(0).textContent
println "modulus: ${modulus}\nexponent: ${exponent}"

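// BigInteger(byte[]) reads the bytes as a signed two's-complement value; this modulus
// decodes with a leading 0x00 byte, so it comes out positive
RSAPublicKeySpec keySpec = new RSAPublicKeySpec(new BigInteger(b64Decode(modulus)), new BigInteger(b64Decode(exponent)));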
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey key = keyFactory.generatePublic(keySpec);

println "key: ${key}"
This gives the following output.
modulus: ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V
exponent: AQAB
key: Sun RSA public key, 1024 bits
  modulus: 154774478177095248394968828543369801032226937226535865231262824893513573019304152154974259955740337204606655133945162319470662684517274530901497375379716962851415879364453962123395223899051919634994929603613704222239797911292193776910691509004328773391280872757318122152217457361921195935350223751896771182421
  public exponent: 65537
Note that the modulus must be a positive integer. If you are working with other JVM languages and get a negative value, pass a signum of 1 to the constructor, as in new BigInteger(1, b64Decode(modulus)). The exponent must always be 65537 as of now because that is the largest Fermat prime known today.
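
The signum note above, worked through as an added example (not code from the original post): a Groovy variant of the converter that always reads the bytes as unsigned, refuses XML carrying a DOCTYPE, and prints the result as PEM. The helper name rsaKeyFromXml and the RSAKeyValue root element are assumptions; the second input is constructed by dropping the leading 0x00 byte from the post's modulus.

```groovy
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import java.nio.charset.StandardCharsets
import java.security.KeyFactory
import java.security.PublicKey
import java.security.spec.RSAPublicKeySpec

// Hypothetical helper (not from the original post): XML public key -> PublicKey.
PublicKey rsaKeyFromXml(String xml) {
    def dbf = DocumentBuilderFactory.newInstance()
    // Key XML usually comes from another party: refuse DTDs so no sender-declared entity is resolved.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    def input = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))
    def doc = dbf.newDocumentBuilder().parse(input)
    def field = { String tag ->
        def nodes = doc.getElementsByTagName(tag)
        if (nodes.getLength() != 1) throw new IllegalArgumentException("expected exactly one <" + tag + ">")
        // Signum 1: read the bytes as an unsigned big-endian magnitude.
        new BigInteger(1, Base64.getDecoder().decode(nodes.item(0).getTextContent().trim()))
    }
    def spec = new RSAPublicKeySpec(field("Modulus"), field("Exponent"))
    KeyFactory.getInstance("RSA").generatePublic(spec)
}

// Modulus taken from the post; its Base64 decodes with a leading 0x00 sign byte.
def withSignByte = Base64.getDecoder().decode("ANxn+vSe8nIdRSy0gHkGoJQnUIIJ3WfOV7hsSk9An9LRafuZXYUMB6H5RxtWFm72f7nPKlg2N5kpqk+oEuhPx4IrnXIqnN5vwu4Sbc/w8rjE3XxcGsgXUams3wgiBJ0r1/lLCd6a61xRGtj4+Vae+Ps3mz/TdGUkDf80dVek9b9V")
// Constructed input: the same modulus without that byte, as an exporter writing unsigned bytes would emit it.
def unsigned = Arrays.copyOfRange(withSignByte, 1, withSignByte.length)
assert new BigInteger(unsigned).signum() == -1      // the one-argument constructor reads it as negative
def xml = "<RSAKeyValue><Modulus>" + Base64.getEncoder().encodeToString(unsigned) +
        "</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
def key = rsaKeyFromXml(xml)
assert key.modulus == new BigInteger(withSignByte)  // same 1024-bit modulus as in the post
assert key.publicExponent == 65537G

// Constructed input: a document carrying a DOCTYPE is rejected by the parser.
def rejected = false
try {
    rsaKeyFromXml('<!DOCTYPE RSAKeyValue [<!ENTITY m "AQAB">]>' + xml)
} catch (org.xml.sax.SAXParseException ex) {
    rejected = true
}
assert rejected

// getEncoded() on an RSA public key is the X.509 SubjectPublicKeyInfo DER; wrap it as PEM.
def b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
println "-----BEGIN PUBLIC KEY-----\n" + b64.encodeToString(key.getEncoded()) + "\n-----END PUBLIC KEY-----"
```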