Demolishing Ankit Fadia v 0.01 Service Pack 1
December 10, 2009
This is a continuation of the Ankit Fadia Demolition drive. Seems like it has become my most widely read post. Part of me is happy that I have been able to open the eyes of a few people. Part of me is surprised that among all the other awesome (yes they are) posts on my blog, people largely choose to read the one that tries to expose someone. Seems like people love controversy more than anything. That said, I guess it's largely because Ankit, and people like him, have hoodwinked the media and the people for far too long and such a piece is bound to generate interest. Thanks to all readers and others who have talked about it all over the internet.
So yes, coming back to the recent happenings, Ankit now anchors What the Hack! where he teaches the common man (rather should I say “the MTV loving, totally-ignorant-about-tech and very easily impressed 15-20 somethings” [Hey nothing against MTV or its viewers, I watched it too when I was a kid, though I don't get the time or opportunity to watch TV any more]) the nuances of hacking and such complicated and technically intense stuff as how to select a good password, use Google Labs features, etc. But, no, we aren’t gonna talk about that.
Rather look at this interview of Fradui on Hyderabad Times. Let's discuss it a bit. It's fun.
Hyderabad Times: Do you think like a criminal …?
Ankit Fadia: Yes, I do. If I don’t, I can’t hack their websites or decode their messages. It’s important for me to understand what is important for them and how far they will go in achieving whatever they undertake. I have to surpass their understanding and then think beyond to stop them from being successful in their plans.
Really. Why would you like to hack anyone’s website? Why would you want to deface sites? Is that supposed to be what he calls “ethical” hacking? As for defacing a website, I am not sure understanding “what is important for them and how far they will go in achieving whatever they undertake” will help you in breaking into a site. If I am not wrong, you gotta find security loopholes, learn about their systems, what version of which software they are running, maybe launch a well crafted buffer overflow etc. This is not some hide and seek, Bond type game. And who exactly has asked him to get information about “their plans”? And who are they? Why is he making it all seem like some vigilante style action?
HT: Having decoded an Al-Qaeda message and challenges thrown at you from Pakistani hackers, don’t you fear for your life?
AF: I have received threat calls. Just before a trip to Australia a few years back, I was told that I would not come back to India alive… There are these three girls who have been continuously stalking me.
Haha. Even our movie stars, sports stars and ministers won’t openly say such things though many of them have probably got threats. And now he is also suggesting that 3 girls are stalking him. What? They will seduce him and then kill him. Naked Weapon style? And whatever so-called challenges were thrown at him by Pakistani hackers, he failed all of them miserably.
HT: What makes you hack?
AF: I want to know everything about controversial people. I’d love to hack Rahul Mahajan or Rakhi Sawant’s mail IDs.
Really. What is he? A stalker, a voyeur? Only such people want to read others’ emails. I am sure neither Rahul Mahajan nor Rakhi Sawant is such a threat to national security that the great “ethical” hacker and saviour of Indians, Ankit Fadia, has to read their emails.
HT: Do you hack your girlfriend’s and your friends’ IDs?
AF: Yes. Very often. I do that to see what’s happening in their lives. It’s for fun. But they get annoyed. So, after hacking, I tell them.
Poor girl. That is, if there is one. Seems like Fadia does not understand the meaning of the word “privacy”.
HT: Are you open to acting?
AF: Well, yes…if there is a good offer, I am game.
What can I say? Judge for yourself.
And also do take a look at Fake Ankit Fadia on Twitter: http://twitter.com/FakeAnkitFadia. This guy is awesome.
And finally, for all those people who admonished me for doubting the credentials of Gujarat’s…nah..India’s pride and world-renowned “ethical” hacker, Sunny Vaghela, here’s a little something. Under the “Research” section on Sunny’s website you will find “Orkut Hacking” (though I am not sure how any of that qualifies as Research; wanna see real research, read up stuff on acm.org or ieee.org). Here he has mentioned an Orkut vulnerability where the session cookie does not expire and therefore can be reused to gain access to someone’s Orkut account. Now, if you see this advisory you will find that this very vulnerability was already reported by them on 22nd June 2007. Not just that, as that advisory mentions, it was NetSquare that first found this vulnerability back on 10th Feb 2006. Susam and his colleagues republished it because the vulnerability was apparently not fixed by then.
Now I don’t know when Sunny went to the media with this vulnerability, but from this it seems this was sometime around October 2007 (also, after reading the post, it seems Sunny may have authored it under a fake name). So whatever it is, it wasn’t discovered by him first, if at all he did discover it independently (which itself sounds implausible). Also in this article at Techgoss Sunny claims that people from Orkut visited him when they learnt about his discovery. Now let's set one thing straight: if representatives of large software companies like Microsoft, Google, Oracle, Sun etc. would visit each and every person who found a bug/flaw in their software, they would have to dedicate quite a large number of people for just that. No one does that. Also when someone discovers a vulnerability, they prepare a proper report/advisory (like the one done by Susam or NetSquare) and publish it either on their site or on sites/lists like Bugtraq or on the mailing list of the particular project. They DON'T write a small paragraph on their site and go to the media with it. Have you ever seen anyone reporting Windows vulnerabilities on the daily news? No, that does NOT happen.
So that’s all for now. Will get back to learning Go now. I guess this post should be titled “Demolishing Ankit Fadia v 0.01 Service Pack 1 with Sunny Vaghela Vulnerability Critical Update”. What say?
Demolishing Ankit Fadia v 0.01 Service Pack 1 by Sandip Dev is licensed under a Creative Commons Attribution-Share Alike 2.5 India License.