nullcon Hacking Challenge

I hope you had a relaxing start for this weekend because if you are reading this mail now the rest of whatever is left of it is going to be pretty busy (for that matter, your next week too). We thought it will be a good idea to get people worm-up before the nullcon, so here is your chance to Win a free pass with two days paid stay for nullcon. All you have to do is run over few trivial puzzles and challenges and the ticket is yours. In case you have already bought the ticket don't worry we'll reimburse your ticket if you win.

Hacking Challenge: http://nullcon.net/challenge/

Theme:
If you have spent anytime with puzzles like notpron or klueless, or other hacking challenges, this one should lie somewhere in between. ( We thought if you gonna pull your hair out solving the puzzle, its only fair that you learn something while doing so.)

Rules:
Ok, here you should pay more attention:
1. Each level gives you sets of clues to reach to the next level. Following these clues you should figure your way to the next level. Once you have reached the final level you'll know how to claim the booty.
2. Hints will be provided for each level through twitter or null mailing list. More details will be available shortly.
3. This challenge does NOT give participants any legal permission to exploit http://nullcon.net or its hosting partner in a destructive manner . Any attack against the site or the hosted servers will be observed under general legal framework.

Tools:
1. Armed with your favorite hacking and debugging tools is advisable. (It will be a good idea to take the new Matriux or BT4 for a ride.)

Good Luck and Have fun :)

nullcon in Making..

"DON'T PANIC" are the only golden words I could think to soothe myself as I look at the calender and oh boy!, nullcon is less than a month away. There is still a plethora of work left but I guess things aren't as bad. For instance, Murtu hasn't shouted on me since morning or send any panic mails, which could only be interpreted as a good omen.

As you would have seen in all nullcon promotions, its a first of its kind 'community' driven hacking conference in India, where 'community' being the key word. null community came into existence more than a year ago and to our happy surprise has grown leaps and bounds. At the moment over a dozen volunteers are working hard to get nullcon in shape. It will be too early to start congratulating or thanking the team, but yes would definitely take time to thank SANS and Timblo for their support, they brought the much needed financial backing apart from obvious recognition and visibility to the whole event.

As we have reiterated before, #poor #jobless hackers forms a substantial part of our target audience. The tickets have been discounted for students and null members, We'll be shortly circulating few mails and posts on poorman's survival kit for nullcon Goa. So please following @nullcon on twitter or the null mailing list.

You can use the comment section if you have any queries regarding nullcon or DM me at @hasolia

Time to get back to work :( ..

See you guys,

Cheers

Proto 2009

Long day calls for a long post I guess. I went to my first Proto.in today. It was held at the nicely concealed Persistent office at SB Road. (The Google map didn't helped much either).I knew the event was sellout but didn't knew that it was oversubscribed. At one time there weren't enough stairs left to sit on. Anyway the events started with a 'critical' debate on Intellectual Property. And critical it was. Dr. Pabuddha Ganguli offered some strategic insight into leveraging IP filed in other geographies (Did somebody said stealing?) whereas Mr Gondal offered practical advice to forgot about IP and focus on execution. Next Ganesh Natarjan gave an inspiring speech on how government and its affiliated bodies can assist startups and how his wife always manages to get all the funding she needs for her startups.

After the Tea/'Networking' break the showcase of 15 selected startup started. Teams were given 6 minutes to pitch and the moderator made sure they stick to time. In fact he just stopped short of throwing them of the stage. I mean come on dude, cut them some slack, they have so painstakingly prepared for this, and at least let them conclude properly.

Anyway here are my observations on few of the shortlists:

Vardenchi

It sounded like some cool Italian name to me but Varde explained it meant Varde-n-chi (Varde's) in marathi. Which makes the name one bit more hip? Vardenchi is into making custom bikes, an almost uncharted territory in India. They had two sexy choppers on the stage for showcase. Bikes have Royal Enfield engines and rest of the components custom made. When I went drooling to get a closer peek at the monster, I was little disappointed with the production quality. It visibly gives the appearance of something assembled in a garage. Varde wants to cater to the elite segment of bikers and has priced his bikes between 2.5 -5 lk. He makes no secret of his intentions to price his bikes. (A quote from his site "Your bike has got to be the best.Well...within realms of your budget ofcourse but then not all the best thing in life are expensive..only ours are.".

BankBazaar

It started with a long and elaborate introduction of BankBazaar team. The focus was on how totally awesome powsome they are and that they are the cream products of very ivy-league college between Trichy and Guindy. Obviously it didn't gave them enough time to talk about the product. In their own words "BankBazaar.com is the world's first neutral online marketplace that gives you instant customized rate quotes on loans and insurance products."

I took a first look at the site and it does looks promising. It gives exact interest rates including all fees. It also very easily let you try different combinations of EMI and tenure. It should become the cleartrip of bankloans. The only problem with this well laid plan I see is the buying habit of Indian consumers. I don't know how many people in India will be buying loans online. People will definitely use it like a review sites (mouthshut.com), but will they buy the loans? May be the super-smart people at BankBazaar will find a way around it.

English Seekoo (Enterux.com)

For me it stands out as probably the most ambitious product in proto.in this year. If you have seen the Idea Ad where Abhishek Bacchan got the idea to teach kids in village on Mobile phones, well these guys are doing it for real. For a minimal fees of 5-20Rs you can learn to speak "Hi", "Good Morning" and "How are you", of course in clear Indian accent. If they could attain mass with this service and get the delivery mechanism in place, then I feel they are on to something big here. I wish them all the best and hope they pull it off.

HyCa Technologies

It probably was the most underrated yet most technologically potent product this year. In their own words "HyCa Technologies, is an emerging technology cleantech company. Our patent pending reactor, HyCator™, uses energy dissipated by collapsing cavitation bubbles to modulate physical, chemical & biological processes." Serious Stuff man. It's the technology that Hollywood used to make cold fusion and world peace. According to Mr Mukherjee it can be implement to any field of technology under the sun. And the best part is he had this matter-of-fact attitude towards the whole presentation. ‘Yes Sir, that's rocket science, just something we do for living. ‘

Vrixx

Now some intelligent man must have told you sometime in your life to take a path no man has taken before. Vrixx has found just that. They make portals for education institute. They look reasonably bright; I guess they would have done a good job at it too.

TouchMagix

TouchMagix was the main highlight of this year’s proto.in. It was so important to proto.in that the orgarnizer did the most incredible thing. They gave TouchMagix one extra minute to setup it's demo :O. I know other participant would have been crying fowl, but again they didn't had the magix. So before I talk about product let me talk a little about its founder Mr. Anup Tapadia. For those ignorant few who don't know about him, Mr. Anup falls under the league of extra ordinary gentlemen of the likes of him and Ankit Phadia, A true prodigy who has innumerable accolades under his belt. Well coming back to the product. The technology makes digital content displayed on projected image interactive. Now if you have never seen a Microsoft Surface or few similar things , then it would have had the expected effect on you at proto. Actually dancing on the interactive surface they had for demo was fun.

I believe most of the products in this space are still in nascent or proto typing stage. At least in India we are not going to see any of them coming any time soon. That should give TouchMagix quite a run.

The second half of the day had a Q&A with Mumbai Angels regarding Angel investment. The panel was very open and patient in answering all the queries people had for them. Mr Sasha was the rock-star of the show. Next in line was a senior sales manager from Microsoft. As was expected from him, the session was lively, spontaneous and enlightening. In fact Mr. Vij succeeded in doing what no other speaker could manage in the day; He charged up participants to go out and get their brainstorming, networking in action. For the first time in the day there were actually enough seats available for all people to sit. Unfortunately while I was outside absorbing all the wisdom gathered with a coffee, I missed the major part of the next talk. It was by Mahesh Murthy. Those of you who know him from his days-of-Business-World would agree that he is the ultimate lord of common sense. If you have not read his articles before I would strongly recommend reading them. As he told me (Yeap I talked with him and he even liked my T-shirt :), he will probably publish those articles in a book. So yes he is the lord of all street wisdom, you won't get more high-octane-no-bs-100%-pure gyan from anyone else. It was a delight to meet him face to face.

Next was Ruchi Sangvi from Facebook. Boy she must be rich, she didn't look that old either. Anyway she continued in what could be how-Indians-speak-in-American-accent and covered millions of stats about how facebook make difference to millions of other stats in the world. On asked about revenue model of facebook she stood her ground and ward all attempts to get anything useful out of her.

All in all it was a long and amusing day, As most of the coordination was done by volunteers, hats of to them it was reasonably well organized. proto.in has done an awesome job sustaining the momentum and are becoming a key element to the whole startup ecosystem in India. Although I am little disappointed was the lack of technologies companies at the event. There were only two tech companies: Aerosoft went out of their way to emphasize what they do is just matching L.H.S to R.H.S in few files and is no brainer somebody had to do so they did it. Pebbletalk looks to be few years too late for their product.

I was expecting to meet few people/startups interested in Cloud Computing, social networking and Web 2.0 ideas. I couldn’t find many. In the morning the moderator told how there are only 2 tech startup this year and concluded with a condescending remark "I guess it's time for reality check". I wish that's not true.

PS: Has anyone checked the message on the T-shirt?

HEY! I’M A STARTUP…

AND I LIKE TO

THINK OUTSIDE

THE QUADRILATERAL

PARALLELOGRAM.

Who come up with that: D

Image credit: Siddharth Menon

Web threats ..a new wave!

Today the omnipresence of internet makes your browser the favorite attack vector for bad guys. Initially content filtering solutions (think websense) looked effective in curbing malicious website, but of recent there has been a new revival in the malicious websites and what is interesting is more and more legitimate websites are getting infected(msn canda , nitie ,Bank-of-India). Once a legitimate site starts distributing malware or is compromised, there is very little your web filtering solution or firewall could do about it. To add to injury attackers have now turned to obfuscate the attack payload to evade any security apparatus like IPS in place. Javascript looks like to be the tool of choice, its universally supported in all browsers (and in pdfs too..but that's again a long story). Known attacks like Gumbler have started leveraging obfuscation an excellent description is here. These obfuscations make it very hard for signature based security engine to confidently detect and attack.

I have never been a fan of signature matching solutions, they are dumb, reactive and would always do more false positive than a DPI based solution. Robert Graham does a nice analysis here .

And things are only gonna get more interesting from here. Think of a payload which do a Javascript ->VbScript -> Javascript transformation. JavaScript are just the beginning, browsers are becoming the next platforms, with every universal plugin will brings newer threats with it ( Java Applets, Flash, third party plugin).

The need of the hour is to develop more heuristic and context aware engines. Solving this problem at the network is gonna be a challenge , instead of perimeter; proxy could be a more suitable carrier (as latency is only to the web requests, in case of IPS the latency is added to the whole network). but nothing could do it faster than a end point solution (And please I am not talking the stupid Anti Virus!)