All about Mobile, Web, Technology, Politics, Security, E-Commerce and Living in the Philippines.

Showing posts with label Stupidity. Show all posts

Thursday, February 26, 2009

I Will Hack Food - J0L1BU6 G0t H4X0R3D! (Jollibee got hacked)

I got home early today so I could attend the meeting tomorrow and as usual I got bored... and when I get bored something phun gets posted here. Hehe.

So I recently found out about this promo game on Facebook called "Jollibee Sulit Sarap Challenge", wherein the top scorer for the week gets a P500 Gift Certificate from Jollibee (fast food)... and it just hit me. I will hack for food! LOL

So I visited the application page, added it to my Facebook account and figured out the kung-fu behind it. As it turns out, it's so bloody easy to hack -- less than a minute!

FireShot capture #1 - 'Facebook I Jollibee Sulit Sarap Challenge' - apps_facebook_com_jollibeegameapp_topScorers_php

OK, first of all this is just harmless fun; I did not break any security scheme doing this.

Now I feel like a lowly script kiddie for doing this, and it's LAME, so I won't even bother to redeem my hacked fast food. LOL.

But seriously, the guys who pitched this to Jollibee clearly weren't thinking straight.

Guys, IF I were seriously going to P4wN you I could have made my score always just above the rest, and not put 73337 as a score. So take this as free advice and pull that game until you fix the boo-boo -- but make sure the fix is good, because IF I get bored again I will come back and play to see IF you have learned the kung-fu.

Neo: I know kung fu.
Morpheus: [eyeing him, hand on chin] Show me.

PEACE. HTH.


UPDATE 2/26 - 1:33 PM

I got an email from the devs:

FROM: Jay Anthony Chiu

Good morning Mr. Filomeno!

We've read about your blog about the Jollibee Hack (link: http://corruptedpartition.blogspot.com/2009/02/i-will-hack-food-j0l1bu6-g0t-h4x0r3d.html), and we appreciate your concern. We actually have seen this when we had our internal tester hack into it, and we are currently working on a resolution for this.

But for the meantime, I hope you would be able to put down your blog entry about this matter.

We hope for your cooperation.

Thanks!

Take it down? Seriously, it's too late. Here is my reply:

Hi Jay,

Is teamyehey = Yehey!?

I didn't realize that and would have contacted you guys straight regarding the matter; I guess I was too sleepy at 4 AM to dig more about it. I could take down the post, but it's aggregated to 2 dozen other splogs and bots out there and it wouldn't make a difference anymore by this time. As you guys work with SEO you do realize that when the source link is taken out, the aggregating site takes the highest authority on the subject, thus updates (when you guys have fixed it) to the original article won't be reciprocated anymore. Such that searches for "Jollibee Hack" would show the aggregating sites as the top result and not the original post with updates on the fix.

Anyway I have made sure not to disclose the exploit vector in the post, only that it's possible and it's just easy at my level.

Finally, I'm sure it would only take 15-30 mins to fix the exploit vector; let me give you guys some tips.

1. Never trust user input - hash the submitted data so that if tampered the hash will invalidate it. A hash with salt plus arbitrary padding data makes it almost impossible to figure out and crack the hash.

2. Use AMF - it's a native Flash communication transport; by itself it's not very effective but it will protect the data from prying eyes like proxies.

3. Encrypt the entire data sent - SHA1 will be good enough and very simple to implement.

Did I make sense in the reply? What do you think, guys? Will a takedown really help fix it, or just hide the fact that it has problems without warning users that the system is being gamed? Surely I'm not hypocrite enough to say I'm the only one who can do this. Send feedback in the comments and I'll decide later today whether a takedown is necessary.

Finally, my hi-score has already been taken out of the database (thank God), but I do hope they really fix it soon coz I'm getting hungry :D
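Since the tips in the reply above stop at "hash the submitted data", here is an added example (not the game's code, and not anything the developers shared) of what the server side of such a fix looks like, in Python. Two caveats a practitioner would attach to those tips: any hash or HMAC key compiled into the SWF can be recovered by decompiling it, so the signing key has to stay on the server and can only vouch for data the server itself issued; and SHA-1 is a hash, not a cipher, so it hides nothing from a proxy. The example therefore signs a server-issued game session (a random nonce plus the round's start time), makes each session single-use, and bounds the submitted score by what the game could have paid out in the elapsed time, so a 73337 never reaches the leaderboard. The handler names, the rate constants and the four sample submissions are all constructed for this illustration.

```python
"""Server side of a Flash game's score submission (added example).

vulnerable_submit() is the pattern the post describes: whatever 'score'
the client POSTs is written straight into the top scorers table.

ScoreServer is one hardened shape of tip 1.  The server, not the client,
holds the HMAC key; it signs only facts the server produced (a random
session nonce and the round's start time), refuses replays, and rejects
any score that could not have been earned in the elapsed time.  The
client-chosen score is deliberately never signed, because the client
cannot be trusted to sign anything.  Names, constants and the sample
requests are assumptions for this example, not the real game's code.
"""
import hashlib
import hmac
import secrets

MAX_SCORE_PER_SECOND = 50   # assumed game tuning: the best legitimate rate
MIN_GAME_SECONDS = 10       # assumed: no round can end faster than this


def vulnerable_submit(leaderboard, params):
    """The broken handler: trusts the client's score, so 73337 wins."""
    leaderboard[params["user"]] = int(params["score"])
    return True


class ScoreServer:
    def __init__(self, server_key):
        self._key = server_key      # never shipped inside the SWF
        self._used = set()          # nonces already redeemed (replay check)
        self.leaderboard = {}

    def _mac(self, nonce, started):
        msg = "{}:{}".format(nonce, started).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def start_game(self, now):
        """Issue the session token the client must hand back with its score."""
        nonce = secrets.token_hex(16)
        return "{}:{}:{}".format(nonce, now, self._mac(nonce, now))

    def submit(self, user, token, score, now):
        """Return (accepted, reason).  Every check is on server-known facts."""
        try:
            nonce, started_s, mac = token.split(":")
            started = int(started_s)
        except ValueError:
            return False, "malformed token"
        # 1. Signature: the start time cannot be edited to fake a long round.
        if not hmac.compare_digest(mac, self._mac(nonce, started)):
            return False, "bad signature"
        # 2. One submission per session: a real round cannot be replayed
        #    later with a bigger number.
        if nonce in self._used:
            return False, "session already used"
        self._used.add(nonce)
        # 3. Plausibility: bound the score by what the game can pay out.
        elapsed = now - started
        if elapsed < MIN_GAME_SECONDS:
            return False, "round too short"
        if not 0 <= score <= elapsed * MAX_SCORE_PER_SECOND:
            return False, "score {} impossible in {}s".format(score, elapsed)
        self.leaderboard[user] = max(self.leaderboard.get(user, 0), score)
        return True, "accepted"


def demo():
    """Constructed requests: one honest round and three tampered ones."""
    srv = ScoreServer(secrets.token_bytes(32))
    t0 = 1_235_600_000                       # constructed clock value
    results = {}
    # Honest player: a 90-second round worth 1,500 points.
    token = srv.start_game(t0)
    results["honest"] = srv.submit("maria", token, 1500, t0 + 90)
    # The same token handed back again with a bigger score.
    results["replay"] = srv.submit("maria", token, 4000, t0 + 95)
    # The 73337 trick: a genuine session, an absurd score.
    results["tamper"] = srv.submit("kiddie", srv.start_game(t0), 73337, t0 + 60)
    # Rewriting the start time inside the token to fake a day-long round.
    nonce, _, mac = srv.start_game(t0).split(":")
    forged = "{}:{}:{}".format(nonce, t0 - 100_000, mac)
    results["forged"] = srv.submit("kiddie", forged, 73337, t0 + 60)
    return results, srv.leaderboard


if __name__ == "__main__":
    results, board = demo()
    for name, (ok, why) in results.items():
        print("{:7s} {} ({})".format(name, "ACCEPT" if ok else "REJECT", why))
    print("leaderboard:", board)
```

The signature only covers what the server wrote into the token, which is the whole point: a client that can decompile the SWF can forge anything the client is asked to sign, but it cannot forge a server-issued start time, reuse a session, or score faster than the game allows. Tune `MAX_SCORE_PER_SECOND` and `MIN_GAME_SECONDS` to the real game's mechanics; too loose and tampering slips through, too tight and genuine top scorers get rejected.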

Friday, February 06, 2009

Stupidest application in Facebook: My College Friends

WARNING: This app poses as a Friend Invite; the name and description were crafted to confuse the user unless you check the application page.

See the screen shot I've annotated using FireShot, it explains everything.

FireShot capture #2 - Facebook My College Friends

Saturday, November 22, 2008

The most cursed programming language

Shit!

That’s the word you’ll probably hear snapping out from my corner every time I encounter a stupid design flaw on a project I’m reviewing or when my machine crashes, and I dispense them generously too. However, did you know that the leading cause of developers swearing is the idiocy of the programming language itself?

Here is the top 10 according to GitHub stats as of this post:

Github-curse-search


  • 10th place goes to Python with 29 projects where developers immortalized their frustration in Python code. Chris Hagner gave a talk on why Python sucks during PyCon 2008, held on March 14, 2008 in Chicago. The biggest downfall Chris spoke of in using Python was speed -- but hey, Google uses it so it can’t be that bad!
  • The 9th place goes to HTML with 41 projects where developers immortalized their frustration in HTML tags. I was actually surprised that fewer developers curse HTML; for me writing HTML tags is already HELL! Well, maybe it's because fewer people manually write HTML tags these days, and that would account for the low rank.
  • The 8th place goes to PHP with 52 projects wherein developers immortalized their frustration in PHP, both in CamelCase and Hungarian notation.
  • The lucky 7th place goes to JavaScript with 61 GitHub projects wherein developers immortalized their frustration in the DOM, which they need to write in different versions too, one for each browser.
  • The 6th place (tie) goes to Java with 76 projects wherein developers immortalized their frustration at explaining to users why they have to include the huge Java SDK in every installation even if Java is a multi-platform language.
  • The 5th place (tie) goes to C++ with 76 projects wherein developers immortalized their frustration at why code reuse can actually create more bloat.
  • The 4th place goes to Perl with 81 projects wherein developers immortalized their frustration at why Perl regular expressions force the use of slashes and single characters rather than human-readable ones.
  • The 3rd place goes to text only with 89 projects. Where else can we freely communicate our feelings of frustration than in the documentation!
  • The 2nd place goes to C with 290 projects; it can’t be helped, since the Linux kernel swear words contributed much to this.

    linux swear graph

Finally, the most cursed programming language according to GitHub is Ruby with 336 projects! It’s not really surprising once you read this entry from Wikipedia: Ruby was conceived on February 24, 1993 by Yukihiro Matsumoto, who wished to create a new language that balanced functional programming with imperative programming. According to Matsumoto, he "wanted a scripting language that was more powerful than Perl, and more object-oriented than Python. That's why I decided to design my own language” – inadvertently he also inherited twice the headache because of this combination.

Sunday, November 09, 2008

First look at Microsoft’s Azure: Epic fail!

azure

I was very excited coz I finally got my account approved for Azure, but after logging in I have never felt so confused in my entire life! What the fuck is this?!!

The management page and the documentation page seem to have got stuck together, then totally explode into a series of links from one domain to another as authentication tokens get passed over the URL. Currently I have access to 4 services, which have 4 different management pages and 4 different documentation pages, for a total of 8 different sites.

As far as I can remember I created 2 projects, but after logging in again I'm totally lost as to how to access them.

So… Azure… are you really fucking sure what you’re doing?

Anyway, Azure mostly supports .Net, with a couple of Java and Ruby libraries to boast its support for open standards, but a quick check of its web services schema says otherwise: whole new sets of conventions.

Oh well, if MS is throwing this in for free then why not; good enough for some hobby site, but I wouldn’t bet a dime on this service!

Monday, February 11, 2008

Looking for Tech Support To Fix a Malfunctioning Mouse

We reinstalled the drivers but the mouse is still malfunctioning, please help!




Thanks to Mark for the Video :D

Tuesday, May 08, 2007

PLDT Sucked Again

myDSL Plan 999? I don't think so. I'm using a Jr Biz Account with a CBR of 128kbps -- yes it's fast, but that doesn't mean it's useful. The connection is intermittent, especially when connecting to US-based servers like Google.


For an average user this may be acceptable, but we're power users -- multiple VPN connections and Remote Desktop access are a must. We just want what we're paying for. Don't you?

Wednesday, April 04, 2007

This is just crazy :)

Nothing to do with mobile, but it's just so crazy: the hottest summer footwear costs around Php800 and... it's just rubber. Oh well, I bought my girl a pair and 2 more just in case it doesn't suit her taste.






Frankly, I don't see what's so hot about it, but I had to queue for half an hour just to get inside Flip-Flops, the store that sells them ^_^

Thursday, February 08, 2007

Unlimited SMS promo: Telcos may get sued for price hike?

Only here in the Philippines, the 'text' capital of the world, where SMS is as basic a necessity as food:


Protest banner from TxtPower (emailed)

A consumer advocacy group called TxtPower, which is determined to protect the rights of Filipino SMS users, filed a petition with the National Telecommunications Commission on Feb 5, 2007 to stop the 100-150% increase in Globe Telecom's unlimited SMS promo. To give TxtPower time to argue its position, the NTC released a price-hike suspension order, but unfortunately Globe ignored the order, which promptly caused TxtPower to declare, in outrage, a boycott of the said telco. Finally, the NTC will conduct a public hearing between TxtPower and Globe tomorrow at 2 PM at its office in Quezon City to resolve the issue.

Back story:

SUN Cellular was the first to be awarded by the NTC and DTI a permanent permit for its unlimited SMS promo. Later on, the same permit was awarded to Globe and Smart after they pledged to offer the same unlimited SMS promos permanently.

Sunday, January 28, 2007

Internet based voting is simply stupid!

This is in response to the blog post Imperatives Of Electronic Voting, which details the plan to conduct Overseas Absentee Voting via the Internet. You might want to read it first before proceeding.

Reading Scytl's "How it works", it's clear the level of security is very low. Come on Scytl, web-based voting over the Internet? A script kiddie can do better than that!

If it ran from a bootable Blu-ray/HD DVD-based LiveCD there would be some hope. Why? Read up on Blu-ray/HD DVD's hardware-based key for disc/data encryption. From there you can achieve the minimal controlled environment for your system to run in; you could even use an Xbox 360 with HD DVD and it would run with a lot more security than any PC! Ultimately, secure systems only work in a controlled environment, and there is no way to completely secure a system once it connects to the Internet; that's the cold, hard fact.

Finally, "security" is just a pseudo-term for insurance companies, which basically says they guarantee a certain ratio of risk level to cost. This means we can't totally blame Scytl; it seems our budget can only afford the unsecured system.

You can also follow the discussions at: http://groups.yahoo.com/group/ph-cyberview/message/30264

Sunday, January 07, 2007

How not to apply for a job -- ever!

I found this story on Digg, about an applicant who thinks he's better than the rest of the world. May this serve as a warning to all: be respectful and you will be respected; if you go on bashing other people you will never get a job :P

[Excerpts]

From: Amir Saffar
Sent: 02 December 2006 01:22
To: Amir Saffar
Subject: multimediator/web designer position
Amir Saffar
889 Bathurst Road
Toronto, Canada


To Whom It May Concern:
I am a web developer/designer with experience in designing corporate, commercial, retail, and business web systems. With more than 6 years experience designing Internet/multimedia systems professionally in a production environment, I could be a valuable asset to your web design and multimedia team.
Managing projects, task delegation, and client relations have been necessary skills at my previous employment positions. These have always been tasks that I excel at and enjoy.
My experience in web site consultation critiquing usability, functionality, aesthetics, and search engine placement can help clients with their existing web content by introducing them to innovative and cost-effective solutions.

My enthusiasm, creativity, communication skills and ability to work without supervision are my strong points. I have extensive design experience using Flash, Dreamweaver, HTML, CSS, VB, C#, SQL, Photoshop, Illustrator, QuarkXPress, 3dsMax, and other programs. I would be able to create a dynamic company presence for you on the Internet.

I am currently on vacation for two months in the region. Since I have a Canadian passport, traveling to the UAE would not be an issue for me at all. I also have to mention that since I have lived in a multicultural country and because of my background, I have been trained to work with people who have different cultures and backgrounds. Therefore I hope my experience in this field could be a valuable asset to your company.
I would welcome an opportunity to discuss my qualifications and experience in greater detail. I am available for an interview at your convenience.

——————————————–

Mike Platts wrote:
Hi Amir
Thanks for sending us your CV - we’d certainly be interested in speaking with you. Just to clarify, are you planning to visit Dubai during your vacation? If not, perhaps we can arrange to speak over the phone.
Regards,
Mike Platts
Creative Partner, North55 Dubai

——————————————–

From: Amir Saffar
Sent: 11 December 2006 00:18
To: Mike Platts
Subject: RE: hi again
Hi again,
I guess people work for free in Dubai. Am I correct!??

take care
Amir

——————————————–

Mike Platts wrote:

Sorry, you’ve completely lost me there…how did I imply that people ‘work for free’ in Dubai?
Mike.

——————————————–

From: Amir Saffar
To: Mike Platts
Sent: Friday, December 15, 2006 9:11 PM
Subject: RE: hi again

it’s very simple Mike. You are interested in my profile and i wanted to know how much you were able to pay. no response means: you either can’t pay that much,
or you only hire indians and pakistanis who don’t ask for a good salary.
but dude, i am neither indian or paki and i have never worked for less than
2000 usd/month. You got it now!?

Amir

——————————————–

Mike Platts wrote:

Jesus, that’s some chip you’ve got on your shoulder there pal. Before the email I received on 11th December, I’d only gotten one from you - the first, which included your CV. As far as I can see, it didn’t mention money. If you sent another after that, then sorry, but I didn’t get it, which is why I didn’t reply. Anyway, it’s all worked out well. I wouldn’t want a bigoted arsehole like you working with us, and I’m sure that the Indians and Pakis who work at North55 - most of whom earn more than US$2,000 a month, some by a factor of three - are glad that they won’t have to put up with your small-minded bullshit either. The Brits, South Africans and Canadians will probably be pretty cock-a-hoop too.
Best of luck finding a job in Dubai - I’m sure you’ll get exactly the kind of position you deserve.
Cheers,
Mike

——————————————–

From: Amir Saffar
To: Mike Platts
Sent: Saturday, December 16, 2006 10:39 PM
Subject: got it?

i’m sending this e-mail twice. i wanna make sure you get it this time!!

2000 USD/month is a joke bro. I got paid that much when I graduated from College/without any exp.
I’m pretty sure most of you guys work at coffee shops when you finish your work at the studio.
What doesn’t make sense to me is, why would a guy from N America or Europe want to work for that amount. Perhaps you’ve had a low paid job back home and you are satisfied with 2000 USD! Were you a cleaner or a security guard…Mike!?

——————————————–

From: Mike Platts
To: Amir Saffar
Sent: Sunday, December 17, 2006 1:41 AM
Subject: Fw: got it?
You really are an irritating little troll aren’t you? You can barely write English, and you seem to have a problem reading it too. So I’ll break it down for you: not. wanted. here.
Now fuck off.
All the best,
Mike.
PS - I’ve taken the liberty of copying some of my colleagues in the industry here, just in case they too should have the misfortune of hearing from you. I’m sure they’d be kind enough to forward it on to their pals, too, and with any luck you’ll be back fucking moose in time for Christmas. (Oh, and by the way, if you’re such hot shit, why the reluctance to include a link to any of your work in your CV? So you’ve got six years’ experience - big deal. You don’t seem to have been able to hold down a job for too long - or were they short-term cleaner/security guard contracts?)

[End excerpts]

Read the rest at The Dubai Life Blog

Now on to my personal reflections to this story.

It's January again, and in a few months' time it will be job hunting season again, especially for the fresh graduates. I remember the advice of my mentor well and I will dispense it to you also:

"to be successful, talent is only half of it.. the rest is about dealing with people".

That's why whenever there's an argument I try to be sensitive and respect other people's opinions. During discussions there are times when it seems you have the upper hand because you know more about the topic than the others, but that's no excuse to belittle them in any way. You may be an expert in one field, but others will always be better than you in other areas.

Always remember, when a dispute persists, not to force your ideas onto others or think of them as inferior in any way. They may lack the understanding, but you also lack the means to communicate your ideas; this is basically what causes the failure of any discussion.

Sunday, December 24, 2006

How SEO should not be: Bizzare Google Request

Dean Hunt's blog is taking a beating as more and more bloggers flock to his site after he posted a hilarious email from some company guy with a very strange request.

The Email reads as follows:

Hello Dean,

My name is [edited] and I run [edited].com

I have been running the site for over two years and we have been ranked very highly for the search term [edited].
On Thursday morning I checked our google positions and your site is now above us for this term. I have checked your blog and it has nothing to do with [edited], so I think it would be best all round if you remove your blog from google for this search term.

Please understand that we make our living from this, and you are just writing a blog that has nothing to do with [edited].
If you do not remove yourself from google for this search, then I will call them myself and have you removed.
I expect a reply soon.

Thank you.

Track more of this at Dean's Blog
