The Sunny Vaghela critical patch

Sunny Vaghela’s biggest claim to fame has been his discovery of the Orkut vulnerability that got him some airtime and his 15 seconds of fame. Some basic investigation led me to find a pre-dated advisory of the Orkut vulnerability (Net-Square Orkut advisory) released by Net Square (Pallav Khandhar and Saumil Shah) on January 31, 2007, a good 9 months ahead of Vaghela’s claim of discovery of the same. Not just that, Susam Pal and his colleague Vipul Agarwal again wrote about the same vulnerability (Orkut Server Side Session Management Error) on June 22, 2007, giving due credit to Net-Square.

There is of course the possibility, however small, that Sunny Vaghela did independently discover this bug well after it was found by Netsquare and that he is unaware of the discovery by Netsquare. And we could give him the benefit of the doubt for the same.

Sunny Vaghela has earned the distinction of being the third Indian to feature on the attrition.org Charlatan list, right after Ankit Fraudia and Sahil Khan, not a very great company to keep.

Susam Pal has also written about the same on his blog (The Orkut exploit). He has also posted the emails exchanged between him and me.

 

Demolishing Ankit Fadia Service Pack 2

The screenshot is that of Ankit Fadia’s Event Calendar page (http://www.ankitfadia.in/ankit_fadia_training_seminars.html#eventscalendar) on his website. He has listed where (city and country) he would be on various dates along with the kind of audience he is expecting for his talk. However, in most of the cases, the name (or occasion) of the event along with the precise venue isn’t mentioned. Wonder why? 😉 #random_observation

Wouldn’t it be more helpful if the actual address were mentioned? That way other people could attend his talks.

Need I say more?

Demolishing Ankit Fadia v 0.01 Service Pack 1

This is a continuation of the Ankit Fadia Demolition drive. Seems like it has become my most widely read post. Part of me is happy that I have been able to open the eyes of a few people. Part of me is surprised that among all the other awesome (yes they are) posts on my blog, people largely choose to read the one that tries to expose someone; seems like people love controversy more than anything. That said, I guess it’s largely because Ankit, and people like him, have hoodwinked the media and the people for far too long and such a piece is bound to generate interest. Thanks to all readers and others who have talked about it all over the internet.

So yes, coming back to the recent happenings, Ankit now anchors What the Hack! where he teaches the common man (rather should I say “the MTV loving, totally-ignorant-about-tech and very easily impressed 15-20 somethings” [Hey nothing against MTV or its viewers, I watched it too when I was a kid, though I don’t get the time or opportunity to watch TV any more]) the nuances of hacking and such complicated and technically intense stuff as how to select a good password, use Google Labs features etc 😉 But, no, we aren’t gonna talk about that.

Rather look at this interview of Fradui on Hyderabad Times. Let’s discuss it a bit. It’s fun.

Hyderabad Times: Do you think like a criminal …?

Ankit Fadia: Yes, I do. If I don’t, I can’t hack their websites or decode their messages. It’s important for me to understand what is important for them and how far they will go in achieving whatever they undertake. I have to surpass their understanding and then think beyond to stop them from being successful in their plans.

Really. Why would you like to hack anyone’s website? Why would you want to deface sites? Is that supposed to be what he calls “ethical” hacking? As for defacing a website, I am not sure understanding “what is important for them and how far they will go in achieving whatever they undertake” will help you in breaking into a site. If I am not wrong, you gotta find security loopholes, learn about their systems, what version of which software they are running, maybe launch a well crafted buffer overflow etc. This is not some hide and seek, Bond type game. And who exactly has asked him to get information about “their plans”? And who are they? Why is he making it all seem like some vigilante style action?

HT: Having decoded an Al-Qaeda message and challenges thrown at you from Pakistani hackers, don’t you fear for your life?

AF: I have received threat calls. Just before a trip to Australia a few years back, I was told that I would not come back to India alive….. There are these three girls who have been continuously stalking me.

Haha. Even our movie stars, sports stars and ministers won’t openly say such things though many of them have probably got threats. And now he is also suggesting that 3 girls are stalking him. What? They will seduce him and then kill him, Naked Weapon style? 😉 And whatever so-called challenges were thrown at him by Pakistani hackers, he failed all of them miserably.

HT: What makes you hack?

AF: I want to know everything about controversial people. I’d love to hack Rahul Mahajan or Rakhi Sawant’s mail IDs.

Really. What is he? A stalker, a voyeur? Only such people want to read others’ emails. I am sure neither Rahul Mahajan nor Rakhi Sawant is a threat to national security that the great “ethical” hacker and saviour of Indians, Ankit Fadia, has to read their emails.

HT: Do you hack your girlfriend’s and your friends’ IDs?

AF: Yes. Very often. I do that to see what’s happening in their lives. It’s for fun. But they get annoyed. So, after hacking, I tell them.

Poor girl. That is, if there is one. Seems like Fadia does not understand the meaning of the word “privacy”.

HT: Are you open to acting?

AF: Well, yes…if there is a good offer, I am game.

What can I say? Judge for yourself.
And also do take a look at Fake Ankit Fadia on Twitter: http://twitter.com/FakeAnkitFadia. This guy is awesome.

And finally for all those people who admonished me for doubting the credentials of Gujarat’s…nah..India’s pride and world renowned “ethical” hacker, Sunny Vaghela, here’s a little something. Under the “Research” section in Sunny’s website you will find “Orkut Hacking” (though I am not sure how any of that qualifies as Research; wanna see real research, read up stuff on acm.org or ieee.org). Here he has mentioned an Orkut vulnerability where the session cookie does not expire and therefore can be reused to gain access to someone’s Orkut account. Now, if you see this advisory you will find that this very vulnerability was reported by them already on 22nd June 2007. Not just that, as that advisory mentions, it was Netsquare that first found this vulnerability back on 10th Feb 2006. Susam and his colleagues republished it because the vulnerability was apparently not fixed by then.

Now I don’t know when Sunny went to the media with this vulnerability, but from this it seems this was sometime around October 2007 (also, after reading the post, it seems Sunny may have authored it in a fake name). So whatever it is, it wasn’t discovered by him first, if at all he did discover it independently (which itself sounds implausible). Also in this article at Techgoss Sunny claims that people from Orkut visited him when they learnt about his discovery. Now let’s set one thing straight: if representatives of large software companies like Microsoft, Google, Oracle, Sun etc would visit each and every person who found a bug/flaw in their software, they would have to dedicate quite a large number of people for just that. No one does that. Also when someone discovers a vulnerability, they prepare a proper report/advisory (like the one done by Susam or NetSquare) and publish it either on their site or on sites/lists like Bugtraq or on the mailing list of the particular project. They DON’T write a small paragraph on their site and go to the media with it. Have you ever seen anyone reporting Windows vulnerabilities on the daily news? No, that does NOT happen.

So that’s all for now. Will get back to learning Go now. I guess this post should be titled “Demolishing Ankit Fadia v 0.01 Service Pack 1 with Sunny Vaghela Vulnerability Critical Update”. What say?

Creative Commons License
Demolishing Ankit Fadia v 0.01 Service Pack 1 by Sandip Dev is licensed under a Creative Commons Attribution-Share Alike 2.5 India License.

The author of this blog does not bear any responsibility for any comments made by visitors on this blog.

Demolishing Ankit Fadia v 0.01

We all know who Ankit Fadia is. He is a self-proclaimed child prodigy in ‘hacking’, a self-proclaimed ‘world famous’ expert in computer security and digital intelligence consultant (digital intelligence? Does he mean AI? I never heard this term getting used anywhere in print other than by Mr. Fadia, though I agree it’s a perfectly meaningful amalgamation of the two official sounding words ‘digital’ and ‘intelligence’).

However, that picture of Ankit Fadia is very likely untrue, so let me present a few findings so that you can decide for yourself. Please understand that the findings are either my own or collected from various websites. Wherever I have gathered info from any site, I shall mention the link so that you can find out. The information provided here is true to the best of my knowledge (and googling skills). And I request you to point out if I am wrong. The views expressed are my own and are on issues in public interest. I shall be constantly updating the information on this post as and when I gather more information on Mr. Fadia. Hence the v 0.0.1 at the end of the title. 🙂

So let’s begin with his profile on http://www.hackingmobilephones.com/courses/about.php . I will highlight the interesting parts in blockquotes and add my view and/or proof below.

1. His profile on http://www.hackingmobilephones.com/courses/about.php

a. Milestones in Ankit Fadia’s Life
AGE 14 Published his first book titled The Unofficial Guide to Ethical Hacking which became an instant bestseller worldwide, sold 500 000 copies and was translated into 11 languages.

My opinion: Have you read that book? Here are the reasons why the book sucks:

  • Most of the so-called hacks are in Windows (98). Show me one hacker/cracker who uses Windows. If you ain’t using Unix/Linux/Solaris you ain’t no hacker mate. Why? Coz Windows hasn’t got half the tools and features that one requires to do a successful system penetration. For a deeper understanding, read a book in the Hacking Exposed series.
  • Registry hacks and tweaks are passed off as hacking.
  • At many places credit has not been given to the person who found the exploit. For that matter, most of the exploits were very very outdated by the time the book was published. Even in his Certified Hacking Courses by Reliance, he shows exploits which were patched several years ago and are therefore useless.
  • Much of the exploit code given in his book has errors, some of them very obvious. :p

b. AGE 16 After the Sept. 11th attacks, cracked an encrypted email sent by the Al-Qaeda terrorist network for a classified intelligence agency.

  • Again only Ankit Fadia says he has done that. No other source, including any intelligence agency, has corroborated the statement.
  • Most intelligence agencies like NSA have expert cryptanalysts with PhDs and super fast clusters to get their job done. They won’t require a 16 year old. Cryptanalysis is a serious job. Just read Applied Cryptography by Bruce Schneier or Introduction to Cryptography by Tanenbaum to get an idea how challenging it is. It would be like putting the control of India’s Moon Mission in the hands of a monkey instead of ISRO’s Madhavan Nair.

c. AGE 21 Widely recognized as an Ethical Hacker, Computer Security Expert and Cyber Terrorism guru. Written 13 bestselling books, delivered more than 1000 seminars in 25 countries, received 45 awards, provide certification courses on Computer Security, is writing a script for a movie, runs his own consulting company and is a senior at Stanford University.

  • Best selling books? By whose standards? I don’t find him anywhere in New York Times, Book Sense, USA Today, Publisher’s Today. A sales figure of 3 million as he proclaims is nearly a third of what Mein Kampf or Catch-22 reached, and his books did that in a fraction of the time. Sounds shaky, doesn’t it? Does to me.
  • Most of his books have been published in India only. Other than The Unofficial Guide to Ethical Hacking, Network Security: A Hacker’s Perspective, Hacking Mobile Phones, Email Hacking and Windows Hacking, most of his books are hard to come by. Also Windows Hacking is nothing but a compendium of Registry Hacks readily available from the Internet. Do read the comments on his books at amazon.com and you will get a clearer picture.
  • Almost all the content in his book is copy-paste work from the Internet, that would even put the laziest Computer Science student to shame.
  • The best I can say about Mr. Fadia is that he is a very good salesman because time and again he has convinced his publisher to publish his books. That’s no mean feat considering the shit that he peddles as ‘hacking’.
  • It’s been mentioned time and again that he runs his own consulting company but I have never come across the name of the said company.

2. Again, as per http://www.hackingmobilephones.com/courses/about.php his clientèle includes Google, Citibank, Shell, Volvo, Thai Airways, UOB Bank, PT Cisco Systems, Bank of Thailand, Bangkok Public Bank, Amari Hotels, BlueScope Steel, Jumeirah International, Wipro, Singapore Health Promotion Board, Infosys, Satyam, Schering Ltd.

My opinion: This list seems too good to be true. It exceeds the clientèle of various well-known security consulting firms. Again, none of the above mentioned organizations have corroborated Fadia’s claims.

3. Widely celebrated in international media publications, Fadia is also regularly invited by BBC Radio World News, London to share the latest updates on virus outbreaks, loopholes and cyber crime trends.

My finding: I searched the BBC site to find one reference to him being on the said show. Guess what I found? Nothing. Nada. Zilch. 😉 So if anyone can give me the link to any of his interviews on BBC, I will agree. Until then, let it hang in the balance.

4. For his outstanding contributions in the field of computer security globally, Fadia has been honored with numerous awards namely: Indo-American Society Young Achiever Award 2005, IT Leader Award 2005, Person of The Year 2002, Limca Book of Records, Hall of Fame Award, Outstanding Young Achiever’s Award, Silicon India Person of the Week, Embassy State Award, Best Speaker Award (4 occasions), Student of the Year 2002-03 and many more.

My findings on his awards:

  • Microsoft Most Valuable Professional Award: A search on https://mvp.support.microsoft.com/communities/mvp.aspx?name=ankit+fadia yields nothing about Mr Ankit Fadia.
  • Indo-American Society Young Achievers Award: The award exists but nowhere is it mentioned that he ever received it.
  • CNBC Young Turk: I have not been able to verify this. Though it is probable he did come on the show.
  • Person of the Year India 2002, Limca book of records: Again a search on the site yields nothing about any Ankit Fadia.
  • Gold Medal 2003 from Institute of Defense and Strategic Studies, Singapore: I could not find anything on it. So it’s neither proved nor disproved.
  • Asian American Outstanding Achievement Award Nominee at Stanford University: Again he claims to be a nominee, which cannot be proved unless I contact Stanford and ask them. Their site only maintains a list of people who have won the award or are nominees for the current year. There is no list of nominees for previous years.

You are requested to kindly dig up the other awards. I am bored now.

5. Fadia is also a consultant to many universities in India, Singapore, China and USA on the design and structure of their computer security courses.

My question: Will Mr Fadia be so kind as to provide references and/or links to universities for which he designs courses? You will find this thing occurring over and over. Fadia never provides links or references to many of his achievements. Isn’t that strange? I have gone through profiles of various researchers and they all provide links and references wherever possible.

6. According to Wendy McAuliffe at ZDNet UK, Fadia’s Hacking Truths website was judged “second best hacking site” by the FBI, though no ranked list of “hacking sites” has been published by the FBI.

7. In April 2000, Rediff.com published an interview with Ankit Fadia. Anti-India Crew (AIC), a Pakistani hacker group noted for defacing Indian Government websites, rubbished the claims that Fadia had made in the interview. Fadia had claimed that his alert to a U.S. spy agency had prevented an attack by Pakistani hackers. However, he never divulged the name of the agency, citing security reasons. AIC and another Pakistani hacker group WFD defaced an Indian Government site, epfindia.gov.in, and “dedicated” it to Fadia in mock deference to his capabilities to hack or prevent hacking. AIC also said that it would be defacing the website of the Central Board of Excise and Customs (CBEC), http://www.cbec.gov.in, within two days and challenged Fadia to prevent the attack by patching the vulnerable website. AIC maintained that Fadia should stop calling himself a hacker, if it succeeded in hacking the CBEC website. AIC kept its promise and defaced the CBEC website after two days. At another defaced website (bhelhyd.co.in), AIC termed the claims of Indian media about Ankit Fadia as “Bullshit”.

So why is he famous? There are various reasons. Firstly, the masses are computer illiterate. They see computer security as some sort of dark magic whereas it is a systematic process, a science. Hence these people can be easily fooled by the FUD campaigns that are run by the likes of Ankit Fadia. They instill fear and show some nice tricks that fool everyone into a false sense of vulnerability. While I would not be so naive as to suggest that the Internet is very secure, many such ‘independent’ security experts make tall claims and demonstrate their attacks in a very controlled environment on a weakened security set up that just asks for a break-in.

The other aspect that contributes to such fakes getting attention is obviously shoddy journalism. They print whatever might catch readers’ attention and a child prodigy in computers does that like nothing else in an ‘idol crazy’ nation like ours. Most journalists are either too lazy or do not have the necessary competence to evaluate his credentials.

As to why Reliance does an Ankit Fadia Ethical Hacking Course, the answer is simple. It sells. And it seems the certificates given by Reliance are not recognized by the Certificate Authority of India. So basically it’s more like a scam. Read this: http://lists.sarovar.org/pipermail/plus-discuss/2006-April/000288.html . I am not sure about the current status of the certificate.

And Ankit Fadia is neither the first nor the last of these fakes. Go to http://attrition.org/errata/charlatan.html for a larger list.

You may also read this email sent to the FSF mailing list: http://tutorial.web4all.in/archives/fsf-tn/2006-April/000293.html

And finally, what is ‘ethical hacking’? Hacking as I know it (and what people like Richard Stallman, Eric Raymond, Dennis Ritchie, Linus Torvalds and others would tell you) is about exploring and knowing in-depth about computers. It’s also about making a computer do things that it wasn’t programmed to do, and it comes from in-depth knowledge about the system. Hacking is NOT cracking someone’s email password by installing a trojan (or some other lame way) or defacing websites and causing loss of any kind. Hacking is a passion to learn and explore. The ones who break into systems to cause harm are called crackers. Hackers like Richard Stallman don’t steal credit card details. Crackers do. So basically there is nothing unethical about hacking. Ethical hacking is a term coined by some sales people to sell basic network security and network administration courses, books and solutions to gullible customers. Once you term it ethical hacking, it attracts novice users wanting to crack their girlfriend’s email password, wannabe network administrators and some people seriously interested in computer security. While many of these courses are good, the usage of the word ‘ethical hacking’ is deplorable.

Demolishing Ankit Fadia v 0.01 by Sandip Dev is licensed under a Creative Commons Attribution-Share Alike 2.5 India License.