Demolishing Ankit Fadia v 0.01 Service Pack 1

This is a continuation of the Ankit Fadia Demolition drive. Seems like it has become my most widely read post. Part of me is happy that I have been able to open the eyes of a few people. Part of me is surprised that among all the other awesome (yes they are) posts on my blog, people largely choose to read the one that tries to expose someone, seems like people love controversy more than anything. That said, I guess its largely because Ankit, and people like him, have hoodwinked the media and the people for far too long and such a piece is bound to generate interest. Thanks to all readers and others who have talked about it all over the internet.

So yes, coming back to the recent happenings, Ankit now anchors What the Hack! where he teaches the common man (rather should I say “the MTV loving, totally-ignorant-about-tech and very easily impressed 15-20 somethings” [Hey nothing against MTV or its viewers, I watched it too when I was a kid, though I don't get the time or opportunity to watch TV any more]) the nuances of hacking and such complicated and technically intense stuff how to select a good password, use Google Labs features etc ;-) But, no, we aren’t gonna talk about that.

Rather look at this interview of Fradui on Hyderabad Times . Lets discuss it a bit. Its fun

Hyderabad Times:Do you think like a criminal …?

Ankit Fadia:Yes, I do. If I don’t, I can’t hack their websites or decode their messages. It’s important for me to understand what is important for them and how far they will go in achieving whatever they undertake. I have to surpass their understanding and then think beyond to stop them from being successful in their plans.

Really. Why would you like to hack anyone’s website? Why would you want to deface sites? Is that supposed to be what he calls “ethical” hacking. As for defacing a website, I am not sure understanding “what is important for them and how far they will go in achieving whatever they undertake” will help you in breaking into a site. If I am not wrong, you gotta find security loopholes, learn about their systems, what version of which software they are running, may be launch a well crafted buffer overflow etc. This is not some hide and seek, Bond type game. And who exactly has asked him to get information about “their plans”. And who are they they? Why is he making it all seem like some vigilante style action.

HT:Having decoded an Al-Qaeda message and challenges thrown at you from Pakistani hackers, don’t you fear for your life?

AF:I have received threat calls. Just before a trip to Australia a few years back, I was told that I would not come back to India alive…..There are these three girls who have been continuously stalking me.

Haha. Even our movie starts, sports stars and ministers won’t openly say such things though many of them have probably got threats.And now he is also suggesting that 3 girls are stalking him. What? They will seduce him and then kill him. Naked Weapon style? ;-) And whatever, the so-called challenges were thrown at him by Pakistani hackers, he failed all of them miserably.

HT:What makes you hack?

AF:I want to know everything about controversial people. I’d love to hack Rahul Mahajan or Rakhi Sawant’s mail IDs.

Really. What is he? A stalker, a voyeur? Only such people want to read others’ emails. I am sure neither Rahul Mahajan nor Rakhi Sawant are a threat to national security that the great “ethical” hacker and saviour of Indians, Ankit Fadia, has to read their emails.

HT:Do you hack your girlfriend’s and your friends’ IDs?

AF:Yes. Very often. I do that to see what’s happening in their lives. It’s for fun . But they get annoyed. So, after hacking, I tell them.

Poor girl. That is, if there is one. Seems like, Fadia does not understand the meaning of the word “privacy”.

HT:Are you open to acting?

AF:Well, yes…if there is a good offer, I am game.

What can I say? Judge yourself.
And also do take a look at Fake Ankit Fadia on Twitter http://twitter.com/FakeAnkitFadia This guy is awesome.

And finally for all those people who admonished me for doubting the credentials of Gujarat’s…nah..India’s pride and world reknowned “ethical” hacker, Sunny Vaghela, here’s a little something. Under the “Research” section in Sunny’s website you will find “Orkut Hacking” (though I am not sure how any of that qualifies as Research, wanna see real research, read up stuff on acm.org or ieee.org). Here he has mentioned about a Orkut vulnerability where the session cookie does not expire and therefore can be reused to gain access to someone’s Orkut account. Now, if you see this advisory you will find that this very vulnerability was reported by them already in 22nd June 2007. Not just that, as that advisory mentions, it was Netsquare that first found this vulnerability back in 10th Feb 2006. Susam and his colleagues republished it because the vulnerability was apparently not fixed by then.

Now I don’t know when Sunny went to the media with this vulnerability, but from this it seems this was sometime around October 2007 (Also after reading the post, it seems Sunny may have authored it in a fake name). So whatever it is, it wasn’t discovered by him first, if at all he did discover it independently(which itself sound implausible). Also in this article at Techgoss Sunny claims that people from Orkut visited him when they learnt about his discovery. Now lets set one thing straight, if representatives of large software companies like Microsoft, Google, Oracle, Sun etc would visit each and every person who found a bug/flaw in their software, they would have to dedicate quite a large number of people for just that. No one does that. Also when someone discovers a vulnerability, they prepare a proper report/advisory (like the one done by Susam or NetSquare) and publish it either on their site or on sites/lists like Bugtraq or on the mailing list of the particular project. They DONT write a small paragraph on their site and go to the media with it. Have you ever seen anyone reporting Windows vulnerabilities on the daily news? No, that does NOT happen.

So that’s all for now. Will get back to learning Go now. I guess this post should be titled “Demolishing Ankit Fadia v 0.01 Service Pack 1 with Sunny Vaghela Vulnerability Critical Update”. What say?

Creative Commons License
Demolishing Ankit Fadia v 0.01 Service Pack 1 by Sandip Dev is licensed under a Creative Commons Attribution-Share Alike 2.5 India License.

The author of this blog does not bear any responsibility for any comments made by visitors on this blog.

About these ads

25 thoughts on “Demolishing Ankit Fadia v 0.01 Service Pack 1

  1. this is y i say freedom of speech shud have some asterix(*) somewhere arnd it , telling people to keep quiet in case they dont know stuff , and not to go abut making huge baseless claims :P …..

    another nice article from sandy…. man u really like ankit fadia :P. Also that service pack 1 idea is cool.

    as far as mr. fadia is concerned , i guess he’s not a real world “hacker”, but someone who plays games like hacker evolution ( http://www.exosyphen.com/page_hacker-evolution.html ) :P . Tell him to wake up from his dream world , and join some turbo C++ classes

  2. Good blog with good title of post..

    As far as mr.fadia is concerned, i guess you are right but i do not agree with sunny’s part..

    i attended one of his event “hackintosh” at chennai..he showed exploits & vulnerabilities in many big websites..

    He even discussed real cases which were solved by him..case studies of savitabhabhi & ebay fraud are two main attraction of his workshop..

    I was also thinking him as FADIA part 2 before i met him, but when i asked him about exploits ,he even knows metasploit meterpreter scripts & using it with backtrack which ankit cant even think of..

    • if u see a comment made by Jonny Boy above, you will find that Sunny copied verbatim from the other mentioned site. Secondly, metasploit is a *very* noob friendly way to launch exploits, no need of compiling exploits downloaded from the net and fixing linker and compiler errors..Metasploit is the ultimate “point and click” exploit tool. Hence knowing how to use it isnt a big deal. I would give him credit if he has contributed code to the Metasploit project which he hasnt (i checked contributions on their site).

      As for hackintosh, it too was largely (not entirely)a noob event (where else would you have a live hacking contest). That said, there are some such hacking contest where security companies challenge hackers/crackers to break their software. But hackintosh wasnt one of those
      :)

    • well the point is there are a lot of sites which provide a list of sites with vulnerabilities…also they provide exploits to be used against them…. so you need to look beyond these websites hack…

      I believe to call yourself a hacker..you need to do something on your own….using metasploit, nesus or any other framewok dosent make you a hacker…

      Btw it would be interesting to know the number of zero day exploits if any he has found..lemme know if you come across something..and hey can you send me the links of his case studies..

  3. sorry to say but that event has attracted over 60 people with different backgrounds, from students to experts from Google, Yahoo!, Microsoft, Cyber crime branches, ISACA , K7 Antivirus, TCS , infosys etc..

    They organized CTF(capture the flag) competition for the first time at chennai..k7 antivirus did the task..

    As far as my knowledge is concerned,even your colllege has invited infysec experts to conduct hacking workshop in Mindbend(http://www.mindbend.in/) & now you are making comments on those experts.

    • @vasnath: I wasnt at Hacintosh and hence I do not know who attended it. But I will say this, just because Sunny spoke at that event does not make him a security expert. As a matter of fact, Ankit Fadia has spoken at many more events than Sunny. And yet, my view on Fadia is that he is a fake.

      Also whatever comments I am making about Sunny are on the basis of facts as mentioned in my post and later in Jonny Boy’s comments.

  4. I was just reading sunny’s story in sandesh today about vulnerabilities in govt websites…he has found vulnerabilities in many guj govt websites in one go..

    would suggest you to attend one of his seminar or workshop before making comments.

    • @vasanth: Once again dude, he says he found vulnerabilities in govt websites. And where is the proof. Newspapers and magazines reporters are hardly capable of understanding tech talk, forget about verifying the veracity of Sunny’s claims. So really I am not very impressed.

      Secondly most government sites arent that well protected. And there are off the shelf tools which can detect vulnerabilities in various services. So we can only give proper judgement if we know the nature of the vulnerabilities he found out. Also finding vulnerabilities is one thing, fixing them is quite another. Has he done any of that? He has ever posted bug fixes on any software? Also any zero day exploits? None.

  5. Hi Sandip,

    Thank you very much for publishing this blog and its an eye opener for every one including me.

    So far I use to believe Ankit Fadia so blindly and bought some few stupid books like ‘hacking mobile phones’ where he “hacked” some outdated mobiles which are not even sold in the market nowadays and the procedures which he told never ever worked even on the phone which he refers.

    I strongly your blog should be widely made aware of its existence.
    Even MTV Ticker (Blue color band on the TV) once referred that all he knows to use Google in a most effective way. Initially I thought its a “teaser” on him. But this blog made me to clear off the remaining doubts.

    Thanks once again even helping my career.

  6. Dude! Lol u sure he said all that? i would not expect even a fake person to be this stupid about saying such things in public……he might be fake i dunno but he def is cunning if he’s been able to hoodwink! somehow i doubt he’d say stuff like that in HT!! maybe u ought to check the crrdentials of that HT paper lol I can remember some weird things printed in papers sometime haha take Gujarat samachar for one!!

  7. Pingback: 2010 in review « Sandip's Blog
  8. Pingback: The Sunny Vaghela critical patch « Sandip's Blog
  9. Pingback: START HACK - Sunny Vaghela: Claims of Orkut Vulnerability Research
  10. there is another top fake hacker Mr Rahul Tyagi
    baseless gay of fake hackers,claims to be top n best hacker of india.fucker

    • A few months ago i had seen an article on rediff.com and saved it in my Evernote account. I had no idea about him and was reading for the first time. Today, after seeing an article on IBNLive.com, i was shocked. I googled and got your blog link.

      I think Fadia can be a competition for Dr.Prof.Arindham Chaudhary for shameless self promotion.

Let me know what you think

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s