Archive for the ‘Uncategorized’ Category

Piiano Data Protection – My Startup

Tuesday, July 18th, 2023

Hey everybody,
As much as I love writing, I’ve been moving to write for my own startup Piiano.

Piiano celebrates 2 years this month, and we build incredible infrastructure for backend developers to build their apps securely around sensitive data and comply with regulations like GDPR/CCPA and others at the software level.

Piiano’s name is based on the privacy acronym PII, and we pronounce it just like ‘Piano’, the great musical instrument. PII stands for personally identifiable information, aka our identifiers like full name, email, phone number, address, etc.

At Piiano, we help businesses protect their sensitive data (normally, customer data) with APIs for data encryption and tokenization. So for the first time, backend developers can continue to use their own databases, each team with whatever tech stack they like, and using our APIs they can encrypt the sensitive fields on top of it.

In addition to the backend developers, the security teams will be happy too, for a few reasons:
1. Encrypting data in a robust way across different databases requires different skills and expertise.
2. Given that each R&D team has a different database, securing them all requires lots of different people, which is hard to do at scale in practice.
3. The security team always chases the R&D teams to fix stuff, and when things get broken, it’s sometimes too late, already in production.

With our approach, at Piiano, security teams ask the backend application developers to use our APIs for encrypting and decrypting data. Friendly APIs that are designed from scratch to be used by developers with simplicity in mind, RESTful APIs for example. This way R&D teams streamline securing the sensitive data. In return, the security teams get to control who can access the data, when, why, etc. And everything gets to a unified control center that lets them manage everything at scale.

Building an encryption system is a very hard task, and it requires real expertise; unfortunately most technologists aren’t aware of the complications of implementing one. “Don’t roll your own crypto”, they say, but most don’t listen, or don’t even know it. We try to take away this pain and complication. We also try to provide the developers with privacy-aware infrastructure, so upon decryption we can do data masking, data expiration, data transformation, and provide even more support for privacy compliance.
And we have lots of other innovations there… Cool stuff really. Like IDOR protection, mitigation for SQL injections, object level security, and many more features. Cause we’re tired of seeing stupid bugs in serious applications, lol.

So that’s my current endeavor for the last couple of years, and the next few years for sure.

As someone who loves security engineering and vulnerability research, starting Piiano was a must. Our dream is to move the needle in the data security industry and help businesses really protect their customer data – eventually our own data, as netizens, for whatever apps we use on the internet.

We want to solve this data breach problem at the source code level, at the core of where data is being stored and accessed. This is where real data security takes place, with all due respect to more firewalls and WAFs that people like myself just sit down with for a few hours and manage to bypass eventually…

Wish us luck in protecting the data against the bad guys :)

Appfront

Saturday, December 17th, 2011

Hey everyone,
as you can see I am pretty occupied with other projects and I don’t have time for the blog, but I promise I will come back with lots of good stuff.

Anyway, in the last few months I’ve been working hard on Appfront, a tweak for jailbroken iPhones that lets you use Skype, Viber and WhatsApp directly from the original Phone application by adding quick buttons. A better explanation can be found at Redmond Pie. :)

Let me know what you think, cause I’ve done the technical part, reversing, hooking, coding, etc…
And now I’m working on supporting iOS 5; many private symbols were changed in the Phone application, and so I have to do some more research and fix the broken code to work with the new stuff too.

JavaScript Once Again

Friday, April 22nd, 2011

I stumbled upon this JavaScript Garden page.
It’s one of the best resources about in-depth JS knowledge IMHO. And if you wanna be a JS guru it’s a must read. It shows all the more why JS sucks though :) So many fugly syntax problems, non-intuitive language. Weird scope management. And what not… Just read it anyway.

RSS Feeder

Saturday, January 2nd, 2010

Hey guys,
apparently RSS was broken for this blog, since I redirected it to FeedBurner. But now everything seems to work once again. I appreciate that anonymous fellow’s comment ;)
Gil

Arkon Under the Woods

Saturday, May 2nd, 2009

Yeah, I am not alright, I am even an ass, leaving you all (my dear readers, are there any left?) without saying a word for the second time. At the end of last year I was in South East Asia for 3 months, and now I am in South America for 3 months and counting… It is just that I really wish to keep this blog totally technological, but I guess we are all human after all. So yeah, I have been trekking a lot in Chile and Argentina (mostly in Patagonia) and having a great time here, now in Buenos Aires. Good steaks and wines, ohhh and the girls. Say no more.

It is really cool that in almost every shitty hostel you go to, you will find WiFi available for free use. So carrying an iPod touch with me I can actually be online, but apparently not many web developers think about mobile web pages and thus I couldn’t write blog posts with Safari, because there is some problem with the text area object. For some reason, I guess some JS code doesn’t run well on the iPod and I don’t get that keyboard thingy up and cannot type in anything, WordPress…

I am always surprised again to see how many computers here, in coffee shops or just Internet shops, are not really secured. You run as admin some of the time. And there is no anti-virus, which I think is good for the average user. And if you plug in your camera to upload some pictures, the next time you will see some stupid new files on it, named desktop.ini and autorun.inf, sounds familiar? And then I read some MS blog post about disabling AutoRun for removable storage devices.. yipi, about time. What I am also trying to say is that one could create a zombie army so easily with all those computers… the ease of access and no protection drives me mad.

Anyhow, I had some free time, of course, I am on a vacation, sort of, after all. And I accidentally reached some amazing blog that I couldn’t stop reading for a few days. Meet NO EXECUTE! If you are a low-level freak like me, you will really like it too. Although Darek begins with hardware stuff, which will fill some gaps for most people I believe, he talks about virtualization and emulators (his obsession), and I just read it like some fantasy book, eager to get to the next chapter every time. I learnt tons of stuff there, and I really like to see that even today some few people still measure and check optimizations in cycles per instruction rather than seconds or ms. One of the things I really liked there was a trick he pulled when the guest OS runs on little endian, for instance, and the host OS runs on big endian. Thus every access to memory has to be swapped when the size of the access is more than 2 bytes, of course. Therefore, in order to eliminate the byte swaps, which are expensive, he kinda turned all the memory of the guest OS upside down, and therefore the endianness changed as well. Now it might sound like a simple matter, but this is awesome, and the way he describes it, you can really feel the excitement behind the invention… He also talks about how lame Intel and AMD are to come up with new instruction sets every Monday, which I already mentioned in the past.

Regarding diStorm now, I decided that I will discontinue the development of the current diStorm64 version. But hey, don’t worry. I am going to open source diStorm3 and I still consider making it dual licensed. The benefits of diStorm3 are structured output, and believe me, the speed is amazing and like the good old days, the structure per instruction is unbelievably tiny in size (relative to other disassemblers I saw out there), and you guys are gonna like it.

Thing is, I have no idea when I am getting home… Now with this Swine Flu spreading like hell, I don’t know where I will end up. The only great thing about this Swine Flu, so to speak, is that you can see Evolution in Progress.

Salud

Can’t Stand it When…

Saturday, January 31st, 2009

1) … when people say they write code in Assembler. Now, if that sentence didn’t vibe you, then probably you shouldn’t read any further. It’s like I will tell someone that I know to code in Compiler. And that’s wrong, you don’t code in compiler, you use a compiler in order to compile your code in whatever language you really write in. So the proper word would be “Assembly”. And I encounter too many people, who know some Assembly too, that say it incorrectly and it freaks me out. The next thing I reply is “you write in compiler, ohhh wow, very nice”, but they don’t get it.

2) … when you think you’re cool and you don’t use gotos because most people think it’s a bad habit and yet you do it indirectly and you are cooler now. I will just show some code snippet and say no more than – your code should be readable, not making you a cool haxor guy (well maybe that too), and using goto for cleaning up resources is legitimate !!!!

int f(void)
{
  char* p = NULL;
  char* bla = NULL;
  int status = success;

  do {
    p = (char*)malloc(1000);
    if (p == NULL) {
      status = fail;
      break; // <— oh yeah biatch.
    }
  } while (FALSE); // <— oh no, so lame.
  if (status != success) {
    if (p) free(p);
    if (bla) free(bla);
    return status;
  }

  status = do_more_stuff(…);
  return status;
}

3) … when something wrong happens internally in some function and you don’t bubble the return code up to the caller and you pretend “business as usual” when something is seriously wrong. Then some guy like me needs to come in and debug the control flow to find out what went wrong.

4) … when you cannot disassemble any address you want in the Visual Studio debugger (under Platform Builder) and you need to change the PC (IP on ARM) to whatever value, go to “Show Current Statement”, and only then set a breakpoint there and view the Assembly code, and then set the PC back to its original value.

Got some more? Share them with us.

Welcome Back

Saturday, December 20th, 2008

Hey you guys again, I’m back from South East Asia after 3 months of traveling all around. Was awesome :)

So here’s some potentially cool real story: What happened is that while I was walking with a few friends in Vietnam (Nha Trang to be accurate) on the beach, a friend found a pouch with credit cards and a driving license, etc. The only thing we knew about that pouch was the owner’s name and that she was Irish. That didn’t really help us get to her; unfortunately no cellphone number was attached anywhere in the pouch. The next thing we thought of was to look her up on FaceBook, but she wasn’t listed (who doesn’t have FB nowadays? :) ). So, we had to give it to the Vietnamese local police station, but probably that poor girl continued traveling and didn’t find it…

Anyways, I just realized something very nice, suppose you have somebody’s email. Whether someone left a comment with only his email on this blog, or whatever. And you wish to find that email or who he/she is. So usually we fire up Google and look for that email and we can learn much from that. But sometimes we can’t find anything. And besides, even if we do find something, it might not be relevant or enough information about that person. What I realized was that you can search for people using their email in FaceBook, and I really managed to find a few people who were anonymous except for their emails, which is quite interesting… Finally we have some way to link a person with an email address, think about it.

So that’s it, I’m back for a couple of months, hopefully I will write some interesting posts, need to get ideas, which usually are originated from my work, stay tuned ;)

It’s JS Again

Wednesday, May 14th, 2008

More things I hate about JS. Why would you give a shit about this? Well, actually you don’t, but maybe together we can find better ways to solve stuff.

So we all know that there are no associative dictionaries in JS, and it’s really a hack of the Object ‘class’. I dare to use class here, bah. Anyway, say you are passed an object as a parameter and you want to know if it’s empty before you scan it. And say the only way is the most straightforward one:

function f(x) {
var isEmpty = true;
for (var i in x) { isEmpty = false; break; }
return isEmpty;
}

You really have to iterate the items in order to find out if the dictionary is empty or not. Things like x == {}, didn’t work, but was worth trying. And you cannot access anything like children,nodes,child or whatever to see how to iterate the keys on your own.

If you know any shorter and correct way to do it, I would really like to hear it.

Now there’s this ugliness with the values you put in the dictionary, for example:

f({bla:0}) will call f with a dictionary that contains a key “bla” with a value of 0. But what if you add a line preceding that call with:
var bla = "something";
f({bla:0})

Well, the people who really know JS well, or had fallen into this pit before, will know that the dictionary will look the same as before. JS doesn’t care if you put any kind of quotes, if at all, surrounding the name of the key. So if you want the key to come from a variable, you can’t pass the dictionary inline; you must build the whole dictionary before the call and pass it as a parameter.

var tmp = {};
var bla = "something";
tmp[bla] = 0;
f(tmp);

Another thing I really didn’t like about JS is that you can start a regexp out of the blue. /bla/.exec … Now stop and think about this. This is not Perl, where regexps are really part of the language. This is an ugly way to create a regexp, and to think that you get an object from that thing and you can execute it.

Now I see this thing often: var myRE = new RegExp(/bla/);

Which is a bit better, but then why you need the slashes to denote a regexp? You went that far for free. Sucker ;) But yes, it makes the code more readable, I agree to that.

Oh why, another so lovely thing happened to me today when I was using some SOAP library written in JS to send a request to my server, back at work. There was some function which tried to serialize the parameters you pass to it automagically into SOAP, without knowing the types. Of course, as JS is a scripting language we can know the types of the parameters passed to us easily, right? That’s what I thought, until I saw that Safari doesn’t declare a constructor for its Arrays as some people expect it to (or as some other browsers do). The code to get the type of a parameter:

(/function\s+(\w*)\s*\(/ig).exec(o[p].constructor.toString());

Again, my favorite regexp out of the blue. Leave that aside. See the way it gets the constructor (yes, objects apparently have those) and tries to get its string. Well, beat me why Safari returns an Object here where all others return Array (in my specific case). But kill me why this fugly hack and not an elegant, safe:

instanceof (o[p]). toString();

Ok, I lied, this doesn’t really work, and I’ve wished it would. Unfortunately instanceof can be used only as a boolean operator kind of thing. Therefore,

if (o[p] instanceof Array) ...
if (o[p] instanceof Object) ...
and so on for Date, String, whatever.

So maybe there lies the answer; it’s a piece of a few lines rather than one. But if you ask me, I would prefer the latter.
One more catch, if you test instanceof Object first, all types will return true to that one :)
Another point is that ‘new Array’ and ‘[]’ are of the same type… Strong types, nay.
I forgot to mention that typeof returns ‘object’ for almost everything.
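The three pitfalls above (the empty check, key quoting and type detection) in modern JavaScript, as an added example that is not from the original post; typeNameViaConstructorHack mirrors the SOAP library’s regex for comparison, and the other names are the example’s own.

```javascript
// Added example (not from the original post). Runs in Node.js or a browser.

// 1. "Is this dictionary empty?" without a for-in scan. Object.keys() lists
//    only the object's own enumerable properties, so inherited ones (which a
//    for-in loop would also visit) do not make an empty object look populated.
function isEmpty(x) {
  if (x === null || typeof x !== 'object') {
    throw new TypeError('expected a dictionary-like object');
  }
  return Object.keys(x).length === 0;
}

// 2. Key quoting: in a literal, {bla: 0} always means the key "bla"; a
//    variable named bla is ignored. A computed key [bla] uses its value.
function buildDicts() {
  var bla = 'something';
  var literalKey = { bla: 0 };        // key is "bla"
  var computedKey = { [bla]: 0 };     // key is "something" (ES2015 syntax)
  var manual = {};                    // the pre-ES2015 way from the post
  manual[bla] = 0;
  return { literalKey: literalKey, computedKey: computedKey, manual: manual };
}

// 3. Type detection without parsing constructor.toString(). The tag that
//    Object.prototype.toString reports does not depend on which realm
//    (iframe, worker) created the value, unlike instanceof, and it tells
//    arrays, dates and regexps apart where typeof just says 'object'.
function typeName(value) {
  return Object.prototype.toString.call(value).slice(8, -1);
}

// The SOAP library's regex hack from the post, for comparison: it only works
// when constructor.toString() happens to start with "function Name(".
function typeNameViaConstructorHack(value) {
  if (value === null || value === undefined) return 'Undefined';
  var m = /function\s+(\w*)\s*\(/i.exec(value.constructor.toString());
  return m ? m[1] : '';
}
```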

Overall, I really don’t understand how web-apps work. There are so many pits to fall into. It’s really amazing how the world works with Standards Suggestions! Now don’t get me started on CSS.

JavaScript Sucks

Tuesday, April 29th, 2008

I really know many languages pretty well, but this language is really ugly or stupid or what not. So many features are only “hacks”, browsers do whatever they want with the code differently from each other and there’s chaos about JS everywhere you go.

For example, what we call a ‘dictionary’, which is an associative array, is a big hack in the language. It is practically an object on which you can set properties, and then iterate over them. There’s no formal way to remove a key from the dictionary like you would expect in a scripting language, by doing myDict.remove(“key”). You will have to do delete myDict.key. Not to mention how to know if you have any keys in the dictionary, because who said you have the length property? Well, if you think you have it, then you’re wrong, that’s because you used an array as a dictionary instead of creating an object using { }.

Another thing I encountered was that if you have a dictionary whose last defined element ends with a comma, then the browser (IE) will shout at you while other browsers eat it well. It reminds me of the macros in C/C++, where you don’t know where the originating code which caused the problem is, since it gets compiled after it’s substituted… So {a:1,} will kick.

Another ugly thing is this fake OOP, now who are you kidding? Adding a special use for the “this” keyword, but otherwise everything else is just nested functions, err sorry, methods. This is another ugly hack, and some people even use inheritance. Do me a favor. The error-prone “class” that you declare will probably have memory leaks, because the methods were really defined as nested rather than using something like MyClassName.prototype.myMethodName, which will certainly work better and not get allocated per instance. Did you say private member? Oh yeah, right. That’s what you think and this time you’re right. Because they are local variables of the “class”, which is really a function that gets run when you create an instance. However, you don’t have control over public/readonly, etc., which is pretty useful. So the constructor is free of charge because it’s the code in the “class” function, where you also define the private variables. And I won’t call them private members. Now you say, “of course, there’s no need for a destructor, a scripting language has a GC”. Well, that’s right, but when an element points to code, using onClick for example, and that handler has a variable that points to that same element, then you’re in circular trouble ;) So this time you might want to have a destructor, right? Or have some function that will be called on unload so you can null() a few variables to break the circular references… But yes, this problem might happen in many environments, but Java, for the sake of conversation, solves this one unlike Python, AFAIK.

Now why the heck browsers need to compile (yes, in a way) code??? We just all grew up into believing that’s something normal, but stop and give it a thought. I guess those guys didn’t hear about standards.

You can even open a new nested block using curly braces, but all the variables you declare there become globals. So you end up deleting some objects manually. Now don’t start with why you wanna delete a variable, there are good reasons for that sometimes and that’s another story.

Did you know about the JavaScript compiler time machine? Ahh of course not, let me show you:

var a = "DEFINED";

function f() {
  alert(a);
  var a = 5;
}

Will this code snippet open an alert with a text of “DEFINED”? No, now keep on reading.

If you run that code snippet above you will get an exception with “a is undefined”. Now the compiler or whatever freak under there sees the a, which is really defined in the global scope, right? Yes, it is, seriously. But then it sees later on that the ‘a’ variable is being defined in the scope of the function ‘f’ and decides to make the first one undefined. Make an experiment and remove the ‘var’ from the definition of ‘var a = 5;’ and see for yourself the results.
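The hoisting, block-scope and per-instance-method points from this post, as an added example that is not from the original post. It uses modern let syntax beside var, and the function and counter names are the example’s own.

```javascript
// Added example (not from the original post). Each case returns a value so
// the behaviour can be checked rather than alerted.

// 1. Hoisting. The declaration "var a" inside the function is moved to its
//    top, so reading a before the assignment yields the local, still
//    undefined a, not the global one. With let the same read throws instead.
var a = 'DEFINED';

function hoistedVar() {
  var seen = a;   // local a already exists here and holds undefined
  var a = 5;
  return seen;
}

function hoistedLet() {
  try {
    var seen = a;   // the block-scoped a below is declared but not initialised
    let a = 5;
    return seen;
  } catch (e) {
    return e.name;  // 'ReferenceError' (temporal dead zone)
  }
}

// 2. Block scope. A var declared in a bare block is function-scoped and
//    leaks out of the block, which is the post's complaint; let does not.
function blockScope() {
  {
    var leaked = 1;
    let contained = 2;
  }
  return {
    leaked: typeof leaked,        // 'number'
    contained: typeof contained   // 'undefined': not visible out here
  };
}

// 3. Methods created inside the constructor are closures allocated once per
//    instance (and give real private state); prototype methods are shared
//    by all instances but can only work on public properties.
function ClosureCounter() {
  var count = 0;                  // private: only increment() can touch it
  this.increment = function () { return ++count; };
}

function ProtoCounter() {
  this.count = 0;                 // public: anyone can read or write it
}
ProtoCounter.prototype.increment = function () { return ++this.count; };

function compareMethodSharing() {
  var c1 = new ClosureCounter(), c2 = new ClosureCounter();
  var p1 = new ProtoCounter(), p2 = new ProtoCounter();
  c1.increment(); c1.increment(); p1.increment();
  return {
    closureShared: c1.increment === c2.increment,   // false: one copy each
    protoShared: p1.increment === p2.increment,     // true: one shared copy
    closureCount: c1.increment(),                   // 3; c2 is untouched
    protoCount: p2.increment()                      // 1; p1 is untouched
  };
}
```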

And there are more and more quirks in this language that I will leave for another time. So what do you think, is Silverlight the best next thing?

Never Trust Your Input – A WordPress Case

Friday, December 7th, 2007

Although this post isn’t about Security, the title still holds true about everything you do with input, but whatever you do, never trust it. :)

While I was manually editing the last post about SQL I encountered a bug in WordPress. This is not a big deal, probably because it’s not a security bug, but it’s really annoying when the browser freezes while you’re trying to edit your post. So I switched to FireFox and the same bug happened again. In the beginning I thought something was wrong in the internals of the browsers, but both browsers have the same internal bug? That doesn’t make much sense. Looking at the Task Manager I saw that both IE and FF chew up memory and CPU at 50% (this is because I have two cores, otherwise it would be 100% on a single processor…). So immediately I understood that there’s an infinite loop running, hence the 50% CPU usage, and it allocates memory in a way (eventually by strings). The next thing I did was to isolate the code of WordPress somehow; I wasn’t even sure what caused this bug to surface in the beginning. All I knew was that it had something to do with my post. Therefore I needed to take a look at my raw post’s text, since it contained some HTML tags. So eventually I saw that I had an unbalanced PRE tag. Unbalanced means that I added an opener tag but didn’t close it. So I left only a “<pre>” in my post and saw that the browsers freeze. Now what? Digging into the WordPress code I understood there is a special class for a textarea input. I realized I had to search for a “pre” string in the JS files (which originated from .php files). And eventually after a few trials and errors of uncommenting code I found this chunk:

var startPos = -1;
while ((startPos = content.indexOf('<pre', startPos+1)) != -1) {
    var endPos = content.indexOf('</pre>', startPos+1);
    var innerPos = content.indexOf('>', startPos+1);
    var chunkBefore = content.substring(0, innerPos);
    var chunkAfter = content.substring(endPos);
    var innards = content.substring(innerPos, endPos);

    innards = innards.replace(/\n/g, '<br />');
    content = chunkBefore + innards + chunkAfter;
}

This is ripped from the tiny_mce_gzip.php file. The ‘content’ variable holds the text of my post, which is “<pre>”. Now notice the first line in the block:

var endPos = content.indexOf('</pre>', startPos+1);

which leaves endPos at -1, since there’s no close tag. And moreover, there is no check for the return value; the programmer assumed it will always find a match. :(
Now let’s analyze the block to see why it becomes an infinite loop that chews up memory:

endPos = -1, innerPos = 4, chunkBefore = "<pre", chunkAfter = "<pre>", innards = "<pre>";

Notice that ‘innards’ contains the whole content, since evaluating a substring with an input of -1 returns the input untouched… We can ignore the replace, which doesn’t really affect the loop in any way here. And behold, ‘content’ is being reassigned to hold the whole new string, but now it looks like: “<pre<pre><pre>”.

And the loop stop condition on ‘startPos’ returns true and again endPos gets -1… And bam, your browser is frozen.

The fix is pretty straightforward. It’s a shame they have a stupid bug like this. What I had to do at my end was to use phpMyAdmin to edit the SQL tables and change the post so it won’t lock my browser yet again. Although I could have fixed this bug on the server, for some reason I didn’t do it…
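The unbalanced-<pre> loop from the post next to the kind of fix the paragraph above has in mind, as an added example that is not WordPress’s code. The buggy copy takes an iteration guard (the example’s own addition, so it can be run without freezing anything); the hardened copy checks every indexOf() result before slicing.

```javascript
// Added example (not WordPress code). Sample inputs are constructed inline.

// Same shape as the WordPress loop quoted above. maxIterations exists only
// for demonstration; the real loop had no guard, which is why the tab froze.
function convertPreNewlinesBuggy(content, maxIterations) {
  var startPos = -1;
  var iterations = 0;
  while ((startPos = content.indexOf('<pre', startPos + 1)) != -1) {
    if (++iterations > maxIterations) {
      return { content: content, terminated: false };
    }
    var endPos = content.indexOf('</pre>', startPos + 1);  // -1 when unclosed
    var innerPos = content.indexOf('>', startPos + 1);
    var chunkBefore = content.substring(0, innerPos);
    var chunkAfter = content.substring(endPos);            // -1 clamps to 0
    var innards = content.substring(innerPos, endPos);     // args get swapped
    innards = innards.replace(/\n/g, '<br />');
    content = chunkBefore + innards + chunkAfter;  // strictly longer each pass
  }
  return { content: content, terminated: true };
}

// Hardened version. Post text is untrusted input: an opener may have no
// closer, or its '>' may come after the closer. Every position is validated,
// and the search resumes past the rewritten chunk so each <pre> is visited
// once, so the loop always terminates.
function convertPreNewlines(content) {
  var startPos = -1;
  while ((startPos = content.indexOf('<pre', startPos + 1)) != -1) {
    var innerPos = content.indexOf('>', startPos + 1);
    var endPos = content.indexOf('</pre>', startPos + 1);
    if (innerPos == -1 || endPos == -1 || innerPos > endPos) {
      break;   // unbalanced: leave the remainder of the content untouched
    }
    var innards = content.substring(innerPos, endPos).replace(/\n/g, '<br />');
    content = content.substring(0, innerPos) + innards + content.substring(endPos);
    startPos = innerPos + innards.length;   // next search starts at '</pre>'
  }
  return content;
}
```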

Anyway I sent an email to WordPress and hopefully they will fix it immediately, though it’s nothing urgent.