Posts Tagged ‘Security’

Twitter #bot or not? Posing as Automation/AI specialist & Python guru

I just came across this strange thing on twitter:

I received a notification that some “Virginia A. Osborn” liked a tweet of mine that was a) in Greek and b) of interest only to a subset of Greek residents, so it was highly unlikely to have meant anything to a person with a foreign name. Then I saw that the Twitter account started following me immediately after that action.

It smelled bot to me, so I took a look at that account’s profile. She seems to have joined twitter long ago (back in 2010), so I should have probably checked her very first tweets to see what that account was about (wonder if there is an archive of what the profile details were saying back then in case that was a dormant bot).

It seems that account has quite some followers and several people that post AI-related stuff that I follow, plus it didn’t seem to post unrelated stuff:

However, I decided to look her name up on Google. I didn’t find much. So I used Google Image Search to look up her profile photo and bingo, it came up at a stock photo collection, together with other shots of that model posing on the same business-related stock photo theme: https://www.istockphoto.com/search/stack/694124043?assettype=image

So, is this a persona account of some real person or are bots ruling Twitter (wonder what the ratio of real persons to bots is currently) and preparing for a future bot-a-gedon? (similar to infected zombie machines that is – wonder if such accounts are already pushing malware links or something).

Of course there’s always the chance that person did a deal with some photographer to pose for him and then used one of those photos in their profile, but I find it highly unlikely.

Fix: How to remove Trovigo.com, SearchProtect, restore Internet Options

Trovigo.com is an unwanted search engine hijacker that renders Internet Options of Windows / Internet Explorer inaccessible. To restore them on an older Windows XP installation, one way that I’ve found to work is to update Internet Explorer to a newer version, i.e. IE 8 (say via the embedded Windows Update facility or the Microsoft Update website – http://update.microsoft.com).

The hijacker is also probably related to a piece of software (at least on the machine I was fixing) called "Search Protect", which runs a service that launches two other processes and tries to stop you from killing it and from changing the search engine option in the web browser. To remove it you can use Process Explorer from http://www.sysinternals.com:

  1. Right-click the SearchProtect service and select Suspend (do the same for the two other processes it uses) to freeze it (breaks into the process with the debugger).
  2. Right-click the service node (that has the other two processes shown as children under it in the process tree) and select "Kill process tree".
  3. Go to %ProgramFiles% (usually C:\Program Files) using the Windows Explorer address bar (or type this in the Start/Run… dialog and press OK) and remove the folder "SearchProtect".
  4. Use free software like CCleaner (http://www.piriform.com) free edition (it has a tool to edit startup entries) or the really powerful Autoruns to remove the now broken (since you deleted the software at step #3) references in various Windows settings that try to launch the SearchProtect software (Autoruns shows startup references to missing files in yellow; you can right-click and delete those entries).

HowTo: Remove invalid filename characters in .NET

In ClipFlair Studio I use DotNetZip (Ionic.Zip) library for storing components (like the activity and its nested child components) to ZIP archives (.clipflair or .clipflair.zip files). Inside the ZIP archive its child components have their own .clipflair.zip file and so on (so that you could even nest activities at any depth) which construct their filename based on the component’s Title and ID (a GUID)

However, when the component Title used characters like " (double-quote) which are not allowed in filenames, then although Ionic.Zip created the archive with the double-quotes in the nested .clipflair.zip filenames, when trying to load those ZipEntries into a memory stream it failed. Obviously I had to filter those invalid filename characters (I opted to remove them to make those ZipEntry filenames a bit more readable/smaller).

So I added one more extension method for the string type to the StringExtensions static class (Utils.Silverlight project), based on info gathered from the links in a related Stack Overflow question. To calculate a version of a string s without invalid file name characters, one can call s.ReplaceInvalidFileNameChars(), optionally passing a replacement token parameter (a string) to insert at the position of each char removed.

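using System;
using System.Text.RegularExpressions;

public static class StringExtensions
{
  public static string ReplaceInvalidFileNameChars(this string s, string replacement = "")
  {
    // Build a regex character class from the invalid characters and replace every match.
    // Note: GetInvalidPathChars() does not include path separators, ':', '*' or '?';
    // GetInvalidFileNameChars() is the stricter set for a single file name.
    return Regex.Replace(s,
      "[" + Regex.Escape(new String(System.IO.Path.GetInvalidPathChars())) + "]",
      replacement, //can even use a replacement string of any length
      RegexOptions.IgnoreCase);
      //not using System.IO.Path.InvalidPathChars (deprecated insecure API)
  }
}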

For more info on Regular Expressions see http://www.regular-expressions.info/ and http://msdn.microsoft.com/en-us/library/hs600312.aspx


BTW, note that to convert the char[] returned by System.IO.Path.GetInvalidPathChars() to string we use new String(System.IO.Path.GetInvalidPathChars()).

It’s unfortunate that one can’t use the ToString() method of char[] (using Visual Studio to go to the definition of char[].ToString() takes us to Object.ToString(), which means the array types don’t override the virtual ToString() method of the Object class to return something useful).


Another thing to note is that we don’t use System.IO.Path.InvalidPathChars field which is deprecated for security reasons, but use System.IO.Path.GetInvalidPathChars() method instead. MSDN explains the security issue, so better avoid that insecure API to be safe:

Do not use InvalidPathChars if you think your code might execute in the same application domain as untrusted code. InvalidPathChars is an array, so its elements can be overwritten. If untrusted code overwrites elements of InvalidPathChars, it might cause your code to malfunction in ways that could be exploited.
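
The risk MSDN describes above, as an added example (not code from the original post or from .NET itself): LegacyChars and SafeChars are hypothetical types that mimic the shape of Path.InvalidPathChars (a public array field) and Path.GetInvalidPathChars() (a method returning a copy), and the title string is constructed sample input.

```csharp
using System;

// Hypothetical types for illustration; not part of .NET or ClipFlair.
static class LegacyChars
{
    // Same shape as the deprecated Path.InvalidPathChars field: "readonly" protects
    // only the reference, so any code in the process can overwrite the elements.
    public static readonly char[] Invalid = { '"', '<', '>', '|' };
}

static class SafeChars
{
    private static readonly char[] invalid = { '"', '<', '>', '|' };

    // Same shape as Path.GetInvalidPathChars(): every caller gets a private copy.
    public static char[] GetInvalid() { return (char[])invalid.Clone(); }
}

static class Demo
{
    // A validator of the kind that would guard file or ZIP entry names.
    static bool IsClean(string name, char[] invalid)
    {
        return name.IndexOfAny(invalid) < 0;
    }

    static void Main()
    {
        string title = "my \"quoted\" title"; // constructed sample input

        // Before tampering, both validators reject the title because of the quote.
        Console.WriteLine("legacy clean: " + IsClean(title, LegacyChars.Invalid));
        Console.WriteLine("safe clean:   " + IsClean(title, SafeChars.GetInvalid()));

        // Other code in the same application domain overwrites the first element.
        LegacyChars.Invalid[0] = 'x';
        SafeChars.GetInvalid()[0] = 'x'; // modifies a throwaway copy only

        // The shared-array validator no longer sees the quote as invalid;
        // the copy-returning one is unaffected.
        Console.WriteLine("legacy clean: " + IsClean(title, LegacyChars.Invalid));
        Console.WriteLine("safe clean:   " + IsClean(title, SafeChars.GetInvalid()));
    }
}
```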

Gotcha: Image component not loading remote URLs during debugging

At ClipFlair’s Image component I use the following XAML to make it show an image from a URL that its ViewModel holds at a property named “Source”, of type Uri (URI = Uniform or Universal Resource Identifier in W3C parlance, something like a superset of the old classic URLs).

<Image Name="imgContent"
       HorizontalAlignment="Stretch" VerticalAlignment="Stretch"
       Source="{Binding Source, Mode=OneWay}"
       Stretch="{Binding Stretch, Mode=OneWay}"
       />

I’ve had issues in the past with that component not loading an image. A tricky issue was when I had used Mode=TwoWay when data-binding to the Source property – that was disastrous, since the Source property expects an ImageSource and just “plays it clever” internally, also accepting a conversion from a Uri. So when doing reverse binding too, you’d end up getting a null value at the respective ViewModel property.

So when it recently started not showing the test image (from a remote URL) that I had been using, I started wondering if it was some regression of that older bug, but couldn’t find some change in the respective code, plus in the Visual Studio XAML designer the component would load and display the remote image fine.

It turned out to be an issue with Silverlight’s security policy regarding cross-site access. The Image control is supposed to be able to load images from any remote URL (without the remote web server needing to have a ClientAccessPolicy.xml file for example to allow it, as is the case with the WebClient class), however I had recently found out that if at your Silverlight project you have selected at the “Debug”  tab the “Dynamically generate a test page” option, the Image control wouldn’t load remote images.

What I didn’t know was that even the “Out-of-browser application” option there won’t let the Image control load remote images if you don’t select the web project that goes with your Silverlight project (supposing you have them in the same Visual Studio solution), but you happen to select your Silverlight project instead from the dropdown list.

I had changed that option without thinking it might cause an issue while doing other changes in the project. That’s why one should try to do a minimal set of related changes only and test again thoroughly each time (if only they had the time available to do it), so that they can spot such issues early and be able to relate newly introduced bugs to the recent small set of changes, helping to track down the exact change that caused the unwanted behaviour.

Can’t step-through Silverlight file dialogs with Visual Studio debugger

While stepping through “ShowDialog()” method of OpenFileDialog with Visual Studio 2010 debugger, at the Silverlight code pictured below (for loading a ClipFlair window’s stored options), I got a “Dialogs must be user-initiated” exception. Same behaviour will be shown with SaveFileDialog too, every time you try to step through the “ShowDialog()” method.

This is because of Silverlight’s security model, which doesn’t allow source code to programmatically show a file dialog when an app is running in its default security sandbox (app is not signed with certificate and user hasn’t given consent for it to run in elevated rights mode), unless that code is called from an event handler that handles some user action on the UI (e.g. some button has been clicked by the user).

Obviously, when stepping through with the debugger it loses the user-initiated-action context somehow and considers the debugger as the initiator of the action, thus not allowing the file dialog to be shown when you try to step-through the “ShowDialog()” method of OpenFileDialog or SaveFileDialog.

The only solution I can suggest is to put a breakpoint right after the “ShowDialog()” returns (e.g. at “using” statement in the code below). If you place a breakpoint at any source code row above or at the “ShowDialog” inside the event handler method (“btnLoad_Click” in the code below) it will fail when the debugger tries to go through the “ShowDialog” method, even if you press “Run” after that breakpoint fires to continue.

image

HowTo: Check your web browser and plugins for needed updates

Qualys BrowserCheck will perform a security analysis of your browser and its plugins to identify any security issues. You can install it at https://browsercheck.qualys.com/

Another useful quick online tool (needs no installation) for checking that you do have the latest in web browser technology is Browse Happy, at http://www.BrowseHappy.com
