Menekali  Just another IT Blog.

A while back, I purchased a Napster membership. At $14.95 a month I could download all the MP3 files I could find, and listen to them as much as I wanted. No restrictions right? Wrong. Unless you use their proprietary MP3 player to play the music, then you can’t listen it on any other device. IE… the Ipod. I couldn’t believe it. What an utter crock of shit. I didn’t particularly like iTunes soley on the fact, I wanted free reign to all the music I could find. Sound wrong? No, I fucking paid what they wanted, now give me my fucking music!

Much to my dismay, Napster instituted a form of DRM protection on their music. This fucking sucks. What am I supposed to do? I bought this subscription purely on the intention of filling my iPod with lots of music to listen to. /sigh indeed.

So I was on a conquest to figure out how I could get this music to play on my Ipod. One method was using a winamp plugin to record the the soundcards output, and save it to a file. Apparently it took a long time to complete, and was buggy. Great, so what next? The next option, was burning all of the files to a CD, then bringing them back to the computer, thus removing the DRM protection. Wow, that’s not going to take for-fucking ever!

There HAS to be some sort of software to fix this right? At the time (this was about two years ago) there wasn’t much honestly. A few proof of concepts here, and few alphas there. Nothing. - Flash forward 6 months, and I stumbled across FairUse4WM, which worked marvelously. Albeit EVERY song was prefixed with a damn FAIRUSE4WM_ tag, which was… annoying to say the least, I dealt with it. It worked fine, and then stopped working, and I gave up. Meh…

Well apparently there is a new kid on the block, for everyone dealing with DRM issues. This will handle not only music files, but video, and even streaming files!

From the Author:

From the author - After many hours of fighting with WM-DRM protection I decided to create new tool that would allow people to remove it from from files and streams. Of course FairUse4WM is great tool and it works nice but there are few reasons why have decided to create a new one:
1) FairUse4WM is closed source. Everytime MS releases new version of IBX people have to make binary patches or start from scratch.
2) FairUse4WM doesn’t work with video streams since it wasn’t intended to. Of course it is possible to record video stream and then undrm it but this is pointless when we are talking about tv channels.
3) There is no platform independent tool for ms wm-drm. There is no point of running windows every time you want to undrm some file or stream.

FreeMe2 is the program. Based on famous freeme app created by Beale Screamer and based on viodentias (FairUse4WM) findings. It strips wm-drm protection from wmv/asf/wma files as well as video/audio streams.

Download and info at SourceForge
More Instructions and information at Stream-Recorder.com

FootNote: I canceled my Napster subscription long ago. This rendered my music unusable, and my files were removed. They billed me for another year afterwards, after repeated complaints to them, the credit company. Finally it stopped… they gave me $30 back. Fucking morons.

PHP MySQL Web Development Security Tips - 14 tips you should know when developing with PHP and MySQL

I read about many of these points in books and tutorials but I was rather lazy to think about many of them initially learned some of these lessons the hard way. Fortunately I didn't lose any major data over security issues with PHP MySQL, but my suggestion to everyone who is new to PHP is to read these tips and apply them *before* you end up with a big mess.
1.

Do not trust user input

If you are expecting an integer call intval() (or use cast) or if you don't expect a username to have a dash (-) in it, check it with strstr() and prompt the user that this username is not valid.

Here is an example:

Now $post_id will be an integer for sure

2. Validate user input on the server side

If you are validating user input with JavaScript, be sure to do it on the server side too, because for bypassing your JavaScript validation a user just needs to turn their JavaScript off.
JavaScript validation is only good to reduce the server load.

3. Do not use user input directly in your SQL queries

Use mysql_real_escape_string() to escape the user input.
PHP.net recommends this function: (well a little different)

Then you can use it like this:

4. In your SQL queries don't put integers in quotes

For example $id is suppose to be an integer:

Note that, using intval() would fix the problem here.

5. Always escape the output

This will prevent XSS (Cross Site Scripting) attacks, imagine you receive and save some data from a user and you want to display this data on a web page later (maybe his/her bio or username) and the user puts this bit of code in the input field along with his bio:

If you display the raw user input on a web page this will be very ugly, it can even be worse if a user inputs this code instead:

With this, an attacker can steal cookies from whoever visits that certain page (containing bio etc.) and this includes session cookies with session IDs in them so the attacker can hijack your users' sessions and appear to be logged in as other users.

When displaying user input on a page use htmlentities($user_bio, ENT_QUOTES, 'UTF-8');

6. When uploading files, validate the file mime type

If you are expecting images, make sure the file you are receiving is an image or it might be a PHP script that can run on your server and does whatever damage you can imagine.

One quick way is to check the file extension:

Note that validating extension is a very simple way, and not the best way, to validate file uploads but it's effective;
simply because unless you have set your server to interpret .jpg files as PHP scripts then you are fine.

7. If you are using 3rd party code libraries, be sure to keep them up to date

If you are using code libraries like Smarty or ADODB etc. be sure to always download the latest version.

8. Give your database users just enough permissions

If a database user is never going to drop tables, then when creating that user don't give it drop table permissions, normally just SELECT, UPDATE, DELETE, INSERT should be enough.

9. Do not allow hosts other than localhost to connect to your database

If you need to, add only that particular host or IP as necessary but never, ever let everyone connect to your database server.

10. Your library file extensions should be PHP

.inc files will be written to the browser just like text files (unless your server is setup to interpret them as PHP scripts), users will be able to see your messy code (kidding) and possibly find exploits or see your passwords etc.
Have extensions like config.inc.php or have a .htaccess file in your extension (templates, libs etc.) folders with this one line:

11. Have register globals off or define your variables first

Register globals can be very dangerous, consider this bit of code:

Now with register globals on an attacker can view this page like this and bypass your authentication:
http://yourwebsite.com/admin.php?auth=1

If you have registered globals on and you can't turn it off for some reason you can fix these issues by defining your variables first:

Defining your variables first is a good programming practice that I suggest you follow anyway.

12. Keep PHP itself up to date

Just take a look at www.php.net and see release announcements and note how many security issues they fix on every release to understand why this is important.

13. Read security books

Always find new books about PHP security to read; you can start by reading the 4th book in the Learning PHP Thread, which is one of the best books on PHP security and the author is a member of the PHP team so he knows the internals very well.

14. Contribute to this list

Feel free to reply to this post and add to this list, it will be helpful for everyone!

If you find this useful, please Digg   and / or comment please!

Regardless of how long you've been programming in a language, let's face it, here and there, it'd be nice to just pick up a sheet of paper, view a simple image, click on a single link, and get a good reference table to aid you. In todays time, there are so many languages that people are trying to cram, that they sometimes lose focus, and mix and match, or just dilute them selves so heavily (think of the butter spread to evenly on the bread example), that they know a language, but sometimes just can't recall some of the functions.

Below you will find a list of as many cheat sheets as I could find on the internet. If you have one you've made, or links that you know that contain cheat sheets, let me know via comments. Thanks!

Visual Development

• Photoshop CS2 shortcuts
• Photoshop CS3 shortcuts
• Maya
• Maya
• 3D Studio max shortcuts

Web Development Cheat Sheets

• JavaScript
• CSS
• CSS
• CSS
• CSS Shorthand
• Hex Codes
• HTML
• XHTML
• HTML Entities
• XHTML / HTML
• HTML Character Entities
• RBG Color
• UMBC Semantic Web Reference Card
• DreamWeaver

Databases / SQL Cheat Sheets

• MySQL
• MySQL
• Oracle
• SQL
• Sybase
• PostgreSQL
• SQL Server
• SYSBASE IQ

Language Cheat Sheets

• ColdFusion - work in progress
• PHP
• Ruby
• Regular Expressions
• JSP
• Java
• Python
• Perl
• Perl
• ASP/VBScript
• Ruby On Rails
• AJAX
• ASP.NET
• C
• C++
• C# vs VB.NET Syntax
• WML
• JSP 2.0 XML
• LATEX
• LUA
• XSL/XPATH
• ActionScript 1.0
• ActionScript 2.0
• XML
• RUBY
• Prototype
• DOJO

Version Control Cheat Sheets

• CVS
• Subversion

Other

• Google
• Windows
• Unix
• Unix
• Unix
• Vi
• Vim
• mod_rewrite
• ASCII Character Codes
• htaccess
• Regex
• Subversion
• Debian
• UML
• Microformats
• Movable Type
• XSS (Cross Site Scripting)
• Clear Case Commands
• VI
• VM
• ANSI
• EMACS
• GNU Screen
• Smarty
• WordPress
• Drupal
• Drupal
• Digg
• Google
• SEO
• SEO
• Textpad
• RSS 2.0

Commercially Printed CheatSheets

• Visibone - javascript, browsers, colors, fonts, html.
• TechnoChallenged - web dev, programming, os, software

Be sure to favorite, backlink, pingback, and bookmark this, as I will be adding a ton more shortly.

Update:

If you're looking for some UNIX & Perl Cheat Sheets, among others such as BASH, and GAWK,  check out Peteris Krumins blog. Intersting, well developed cheat sheets.

Related to the last post. When switching to the Cricket network, you will not have web, and picture sms abilities. The post below over at howard forums will give you all of the information you need.

Link:  http://www.howardforums.com/showpost.php?p=9772640&postcount=2

A lot of people are beginning to take advantage of Cricket Mobile. It's really gaining speed here in San Diego, and has been for quite some time in the more eastern regions of the U.S. Why wouldn't it? The prices are great, there is no contract, unlimited sms, picture sms, internet, all kind of thing. Albeit, the internet from this network is a joke, but it's generally pretty limited by the phone its self. Which brings me to my next point.

With all of these great prices and deals coming out of Cricket, people often get to the store, or start doing their research. Then they find out, the phone selection for cricket is terrible. The only thing close to a 'cool' or interactive phone, is the Kyocera Lingo. The lingo has a terrible internet display, comes with no serial cable, headphones for driving, and often de-synchs from the Cricket network causing missed calls, the inability to send sms messages, and more really weird issues. It breaks very easily, and costs well above what it should ($200.00). But it's arguably the 'best' and most popular phone in their line up. What can be done about it?

Cricket works on the CDMA cellular network. That means a lot of VZW (verizon), and SNXTL(sprint) will work (granted sprint phones getting internet access is a bit trickier.) The two most common phones to be 'converted' are the Treo 600/650, and the LG enV. This guide is for the Treo 600/650. I may do one for the enV at a later date. Also, it should be said now, you may render your phone useless if caution, and patience is not exercised while doing this. But in the end, you will have a PDA on the Cricket network, even though Cricket tells you that just won't work.

Guide just after the break.

Read the rest of this entry »

If you've ever tried to flash, hack, crack, transfer, do anything with a cell phone, that you really aren't supposed to be doing, you will have heard of this tool.

QPST is a in-house cellphone manufacturer utility program that is used to edit many of the cell phone features that are not editable in any other way.

It was never meant for public consumption, so you can’t buy it anywhere, but it is in wide use. The reason it isn’t for everyone is that it is VERY powerful. You can destroy your phone at the click of a button and your cellular manufacturer will be under no obligation to fix it. If you don’t have a couple hundred dollars available that will allow you to replace your phone at full retail cost, don’t run this program.

You can do most things you might want, like uploading MP3’s to your phone or downloading pictures, through the somewhat safer program BitPIM. That program is available for download from SourceForge at the site http://www.bitpim.org/.

Direct Download (rapidshare): http://rapidshare.com/files/9279799/QPST_2.7_B215.zip

Torrent Download: http://thepiratebay.org/tor/3516150/QPST_2.7_Build_215

If you've ever come across code from a previous PHP programmer, and want to make change but can't because it's been Zend encoded, you know how frustrating that can be. Programmers can hide back doors, shell code, anything they like, as the code has been fully obfuscated with the Zend encoder.

 W4k1ng.net has released an online De-Zending script. Simple submit your Zend encoded files, wait for the file to be decoded, and download your decoded PHP script in a .ZIP file.

Check it out. I've tested it, and it works!

W4k1ng De-Zender 

This is an interesting and apparently "critical" live exploit for remote code execution through Safari. Below is the Metasploit file.

Exploit code just after the break.

Read the rest of this entry »