Category / Featured Title

by Nirupam Biswas

Hack sbicapsec.com to run on Firefox

`AG_BACKQUOTE_TURN_ON`

www.sbicapsec.com is State Bank of India’s online share trading portal. This is a good portal but their site’s code quality is amazingly of low quality, dare I say, crappy. SBI being a public sector government institute, we can rest assured that the code quality or bugs in it would not get fixed soon, if ever.

Anyway as of now if you try using this portal in Firefox or Chrome, then maybe you will endup with a screen like this.

sbicapsec.com after login in Firefox. Notice no applet running, instead we have weird “:10”.

Notice the weird “:10” character in the screenshot, instead of the Java Applet.

Fixing sbicapsec.com to run in Firefox

Don’t worry the “hack” here is not illegal. This is used merely as an expression for making things work the way you want it which requires a lot of technical trickery to get it right.

The following has been tested in Firefox 13 and 14 in Mac OSX and Windows XP. You are free to try this as you may want it though. Also this should work in Chrome too.

Now let’s get into fixing this in few simple steps:-

  1. For your sake, open this blog page in your Firefox browser.
  2. Install GreaseMonkey browser extension. You may need to restart your browser.
  3. Install my GreaseMonkey user script by clicking on the link here – AppVersion Patch for SBICAPSEC.
  4. Click on Install button in the dialog box that you get.

That is it! You should now get the applet after login.

Fixed sbicapsec.com, after login.

How the fix works (for the technically inclined)

This section is for geeks, who would like to know how the script works. Also it is better to understand this, so that you understand, there is no malicious code in my script.

What is wrong in sbicapsec.com’s site? (Root cause)

The portal’s JS code assumes that `navigator.appVersion` will always return a string which will have a semi-colon (;). In fact that is true for IE and Chrome (in Mac OSX version only), but not for others. After this failure everything goes down like dominoes.

The popup we get after login has a `frameset` with three frames. The second one is the one which is supposed to present the Java applet. The layout of that page is roughly as below:-

[code lang=”html”]
<body>

<applet>
<param>
<param>
<param>

</applet>
</body>
[/code]

It seems the devs there had a requirement to set the `width` and `height` of the `applet` based on user screen’s dimension. For this they modified the code to use JS to dynamically generate the upper `applet` tag.

[code lang=”html”]
<body>

<script>
// This script will generate the upper applet tag with appropriate width and height.
</script>
<param>
<param>
:10
<param>

</applet>
</body>
[/code]

It is in the above `script` tag where it reads `navigator.appVersion` and tries to split it by `;` and then read the other part. When that errors out, so does the code following it. That code is supposed to write the upper `applet` tag. So, at the end we are left with many `param` tags and a dangling `</applet>` tag. The weird `:10` characters are written between two `param` tags.

From the way they have written the JS code, it seems the devs did not visualize the html page as a tree of blocks, instead for them it was a file stream; like the kind when you use your Java or C++ file output stream. The `script` block above uses `document.write()` to write the opening `applet` tag, instead of using JS to directly manipulate the DOM objects. I wonder how these devs can layout a page, who visualize it as a stream of characters? And, this is just a fraction of the real code, who knows what else is inside. It seems SBI needs to seriously train its devs. All this makes me loose faith over the security and reliability of their site.

Anyway, enough of the rant, back to the topic. The patch script I wrote will, simply try to do what there code was meant to do, add the `applet` tag. Because of the dangling `applet` end tag, I was unable to wrap my `applet` around the existing `param` tags. So, instead I detached all the `param` tags, emptied the parent (this reference was stored before detaching `param`), then added `param` tags inside the newly create `applet` tag and finally added the `applet` inside the previous parent of `param` tags.

I also tried using other techniques but they did not work. The first one was directly modifying `navigator.appVersion` to return a string with `;`, but it seems you cannot modify them. The second options was to replace existing `String.split()` function with my own version. In my version I would always return an array of at least length two, so that the code does not error out. Anyway this too did not work out since GreaseMonkey scripts are ran after the page is executed. GreaseMonkey does provide an option to run our scripts at the beginning too, but according to docs that is not supported inside frames.

Anyway, all’s well that ends well. 🙂

by Nirupam Biswas

SplitBill: IOU manager for and by Geeks

There are hundreds of IOU software on the net. What makes SplitBill different is that it has no UI. Yes, you read that right – No UI. Now the more surprising part. It is a breeze to use and setup. In fact all you need is a sever with Python and MySql installed to host this, and then simply run the code after setting up the DB and it is ready. You might be wondering now, how do we access the system? Easy; just send a mail to a pre-configured mail box. Suppose John owes you 100 bucks then simply send a mail to SplitBill with John in CC or To fields. In subject write Loan 100 For Pizza. Now just send the mail. You are done. Moments later SplitBill will reply to your mail, confirming that your transaction has been recorded. So, SplitBill is like a command-line program, where your mail box is the Terminal window. We already have mail clients for pretty much every device hooked to the net. So, SplitBill is accessible to you from practically from everywhere. When you want to checkout who owes you or you owe whom, simply mail to SplitBill with Get in the mail’s subject. The response mail will have all the summary along with list of all last hundred transactions.

SplitBill Architecture

SplitBill Architecture

Because of the above design, SplitBill is inherently scalable. Many users can simultaneously send mails to SplitBill’s mail box without affecting it at all. It polls the mail server every five seconds (configurable) via IMAP connection and processes the mails in the order they were received. This way spikes in requests are eased out at mail server end. Mail server acts like a very large buffer for SplitBill system. Also if for some reason SplitBill crashes, the users can still file transaction, which will get processed when it is back online.

SplitBill System Design Assumptions

SplitBill is a simple product. To keep it simple to use, and light, it has only basic abuse protection facility. For example, suppose you filed a transaction that John owes you 100 bucks. Now John can command SplitBill to simply delete that transaction. SplitBill will honour that and will purge that transaction without the possibility for a rollback. However, when John is notified that his request has been fulfilled, you too will be CCed in that response mail. From the response mail you will come to know what exact transaction has been deleted. You can then use that info to refile the transaction, and give a nice little trashing to John. SplitBill has no mechanism for explicitly registering users. Whenever you send a mail to SplitBill, it will quietly register all new mail ids in it.

SplitBill recognizes a person by there mail id, so if you happen to own multiple mail ids then each one would be treated as separate user. Currently there is no way to combine them together. This is something which can be addressed in future.

SplitBill Error Handling

In spite of its simplicity it does not trade off reliability. Most of the stuffs you can checkout in its code, but there is one part you need to be aware of. When it errors out five consecutive times (configurable), then it auto shuts down. This is because if on consecutive tries if the command fails then it is assumed that something bad, like a DB crash, has happened which might take quite sometime or forever to be fixed.

It does not mark a mail as read unless and until the transaction has been successfully recorded in the database. However, if it is unable to mark the mail as read (even after retrying), then it shuts itself down to prevent recording the same transaction again. Unfortunately currently the mail UID is not recorded in database, preventing it from identifying if the current transaction has already been processed.

Whenever it shuts itself down, it sends mail to all registered owners, notifying the problem. The owners also receive mails with stack traces when they happen. Me and my friends have been using this for couple of months over two years now, and we have hardly faced any issues till now.

SplitBill Command Reference

There is already a separate page on this. Please see it here.

Get SplitBill

Get or fork SplitBill on GitHub – https://github.com/applegrew/splitbill.

Setting up SplitBill

  1. Make sure you have Python 2.6 or up installed on your server.
  2. Download and extract the splitbill sub-folder into your server.
  3. Install pytz package.
  4. Install MySql and MySql connector for Python.
  5. Run setup_db.sql script to setup your database. If you  want your schema to be named something other than splitbill, then modify this sql file.
  6. In splitbill folder you will find settings.ini. Set the DB and mail credentials and other settings as required.
  7. Finally! Run SplitBill. You can run it from the parent folder of splitbill using command nohup python -m splitbill.main &.

A Little History

SplitBill was envisioned not by me, but my friend Rohit. He designed the original system and coded that in C#. Later when we wanted to move the system to my (Linux) server, I decided to recode it in Python. This version of SplitBill is only couple of months a year old and was coded by both of us. We had used the original version for almost a year, during which time the SplitBill architecture evolved to its current state.

by Nirupam Biswas

iFlickr PHP Script: Create mRSS feed of interesting pictures on Flickr.com

Did you notice the “Flickr Gallery” on top right corner of the home page of this blog? The picture slide show is provided by Google’s Ajax Slide Show, but this post is not about that. Google’s Slide Show needs a mRSS feed, which it parses to get the list of thumbnails it wants to present. mRSS is just a normal RSS feed particularly tailored for presenting media. It gets its ‘m’ from media. In this case it is picture media. For my blog’s “Flickr Gallery”, I have scheduled a cron job which runs every day at 5.30 am UTC. This way every day my blog gets fresh set of interesting pictures to present. You can get a good example of mRSS feed on my site at http://www.applegrew.com/util/if.xml. Safari and Firefox will use their own styling rules to style this XML. If you want to check it out the way I want it, then view it in Google Chrome.

The Script

This PHP script spits out mRSS feed of the interesting pictures on Flickr.com. This script can be invoked from web or directly from command line. When invoked it connects to Flickr using its API and gets the list and all related infos from there. Flickr likes to call this list – Flickr Interestigness.

Download package (License GPL v2)

How to use this script

This scripts accepts a number of parameters:-

  • api_key (Default: NoKeyGiven) – The Flickr API key. Get it from here.
  • pg (Default: 1) – Which page to fetch. This is to help you paginate if that makes sense for you.
  • per_pg (Default: 10) – How many pictures you want per page. So, if you want 11th to 20th most interesting pictures then set pg to 2 and per_pg to 10.
  • thumbnail_type (Default: , i.e. not set) – Possible values are – SquareThumbnail, Small, Medium or *Large. *The picture of the type set here is set as thumbnail picture. If the type specified is not available then no thumbnail is mentioned. If this is not set then all possible picture sizes would be listed as thumbnails in the feed, with the bigger pics at the top.
  • min_size (Default: 0, i.e. not set) – If set (i.e. it is not set to zero) then the pic which is equal or just larger than this dimension will be chosen as thumbnail.

This script can be run from command line as shown below:-

$ /usr/bin/php iflickr.php --api_key=key_here --min_size=240 > mrss.xml

When run from web:-

http://example.com/iflickr.php?api_key=key_here&min_size=240

Please note: To be able to run this from web, you need to set $bind_address variable in the script as empty string.

by Nirupam Biswas

Digit Math Application: Proving the correctness of shortcut method to squaring numbers ending with 5

Please read Digit Math: Introduction before you continue.

The problem

Someday, somewhere I came to know that any number which ends with the digit 5 can be easily squared. The trick can be easily demonstrate using an example. Suppose we want to find the square of 25.

Trick is to take the number before 5 (which will be 2 here), add one to it (2 + 1 = 3) and then multiply them together (2 x 3 = 6). Now the final answer would be the product followed by the number 25, i.e. 625 in this case.

Now let’s try it out yo find \(215^2\).

$$
\begin{align}
215^2 &= (21 \times (21 + 1)) \omega 25\\
&= (21 \times 22) \omega 25\\
&= 462\omega25\\
&= 46225\tag{Answer}
\end{align}
$$

This always seemed to work out very well. The problem was, can I trust this trick? Will this always hold true? I didn’t have answers to those questions, until I proved it myself using Digit Math. Good news is that this trick will always hold true.

The proof

Let the number be \(x = a\omega 5\).  \(a\) can have any number of digits.

Case 1:

\(a\) has exactly one digit. So, \(]a[ = ]5[ = 1\).

$$
\begin{align}
\therefore (a\omega 5)^2 &= aa\omega (5a+5a) \omega 5.5\tag{Using Bimultiplication formula}\\
&= a^2 \omega 10a \omega \underline{2}5\\
&= a^2 \omega (a\omega0) \omega \underline{2}5\\
&= a^2 \omega (a\omega2) \omega 5\\
&= (a^2 + a) \omega 2 \omega 5\\
&= \big(a(a+1)\big) \omega 25\tag{Proved}
\end{align}
$$

Case 2:

\(a\) has more than one digits. So, \(]a[ > (]5[ = 1)\).

But to apply Bimultiplication formula \(a\) must have the same number of digits in \(5\), which is obviously not the case here. So, we will use one trick. We will pad \(5\) with some number of zeroes on the right, so that, \(]a[ = ]5\omega c[\), where, \(c\) is all zeroes and \(]c[ = ]a[ – 1\). So, if \(a = 123 \Rightarrow c = 00\).

$$
\begin{align}
\therefore (a\omega 5)^2 &= \big(a \omega ]5 \omega c[^{]a[}\big)^2\\
&= a^2 \omega \big(a(5\omega c) + a(5\omega c)\big) \omega (5\omega c)^2\tag{Using Bimultiplication}\\
&= a^2 \omega 2a(5\omega c) \omega (5\omega c)^2\\
&= a^2 \omega (10a \omega 2ac) \omega (5\omega c)^2\\
&= a^2 \omega (10a \omega c) \omega (5\omega c)^2\tag{Since, c is all zeroes}\\
&= a^2 \omega (a \omega 0 \omega c) \omega (5\omega c)^2\\
&= a^2 \omega (a \omega 0 \omega c) \omega (25 \omega 10c \omega c^2)\\
&= a^2 \omega (a \omega 0 \omega c) \omega (25 \omega c \omega c)\tag{1}
\end{align}
$$

Since each digit group must have \(]a[\) digits, so let us move one zero from the middle \(c\) in \(25 \omega c \omega c\) to the rightmost \(c\). So, now that group becomes \(25\omega d\omega e\), where \(]d[ = ]c[ – 1\) and \(]e[ = ]c[ + 1\).

$$
\begin{align}
\therefore (1) &= a^2 \omega \big( (a \omega 0 \omega c) + (25 \omega d)\big) \omega e\\
&= a^2 \omega \big( a \omega (0+25) \omega (c+d) \big) \omega e\\
&= a^2 \omega ( a \omega 25 \omega d ) \omega e\tag{2}
\end{align}
$$

Now,

$$
\begin{align}
]25 \omega d[ &= ]25[ + ]d[\\
&= 2 + (]c[ – 1)\\
&= 2 + \big((]a[ – 1) – 1\big)\\
&= ]a[
\end{align}
$$

So, in the group \(a \omega 25 \omega d\), \(a\) is excess.

$$
\begin{align}
\therefore (2) &= (a^2 + a) \omega (25 \omega d) \omega e\\
&= a(a+1) \omega 25 \omega d \omega e\\
&= a(a+1) \omega 25 \omega c \omega c\tag{Shifting a zero from e to d}\\
\end{align}
$$

So finally,

$$
\begin{align}
&(a\omega 5 \omega c)^2 = a(a+1) \omega 25 \omega c \omega c\\
&\Rightarrow \big((a\omega 5) \times 10^c\big)^2 = \big(a(a+1) \omega 25 \omega c\big) \times 10^c\\
&\Rightarrow (a\omega 5)^2 \times 10^{2c} = \big(a(a+1) \omega 25\big) \times 10^{2c}\\
&\Rightarrow (a\omega 5)^2 = a(a+1) \omega 25\tag{Proved}
\end{align}
$$

So, we see that this trick is applicable for all kinds of whole numbers that end with 5. 

Check out other applications of Digit Math

Link to list of other applications of Digit Math.

by Nirupam Biswas

Access Ext3/Ext2 file system on Mac OSX Lion (10.7)

On Mac if you want to access ext3/etx2 filesystems, which are used by Linux systems, you will find lots of links on net but all are pretty outdate and they don’t work for Lion. So, here is the updated version, which works. At least for me. 😉

You will need two softwares:-

  1. OSXFuseDownload link
  2. Fuse-ext2Download link

Download and install them in the sequence shown above.

Fuse-ext2 needs MacFuse to run, but this is no longer maintained and does not work on Lion. OSXFuse is the next generation MacFuse, but Fuse-ext2 is not meant to work with this. Fortunately OSXFuse includes “MacFUSE Compatibility Layer”. Just make sure to select this option when installing OSXFuse and you are good to go.

When both of them are installed, then try plugging in ext3 or etx2 partitioned disk and they should get automatically mounted, just like any other disk. Note, after installing them you may or may not need to restart your system.

PS. You will be able to read the disks but not write to it. As of now write option is not reliable.

Download a copy link (Screen shot)
by Nirupam Biswas

You can download all your data from Facebook.

I don’t know how long its been up, but today I noticed that Facebook allows you to download all your data.

The download archive will have:-

  • Any photos or videos you’ve shared on Facebook.
  • Your Wall posts, messages and chat conversations.
  • Your friends’ names and their email addresses (if they have shared it).

What the archive won’t have are:-

  • Your friends’ photos and status updates.
  • Other people’s personal info.
  • Comments you’ve made on other people’s posts.

To download your own archive goto Account Settings and click on the link “Download a copy”. This is shown with a red box around it in the screen shot below.  (Click on the image to get the bigger picture.)

Download a copy link (Screen shot)

Clicking this link will take you to a page where need to click the “Start Archive” button. Since archiving takes time, so FB will mail you when archiving is complete.