Crypto bot

Recently I’ve been following the crypto market, which I find fascinating. I’ve signed up to Kraken, a popular exchange, and put some money in it. After a service outage in the middle of January, Kraken’s team decided to cut the transaction fees for a while, so I took the opportunity to code and test a from-scratch crypto-trading bot.

I have no time to get into details, also because they are not especially interesting or complex, but I’ll say that it uses a combination of simple and common algorithms widely used in the study of financial markets. The bot actually works, in the sense that it makes trades based on deterministic rules, but unfortunately it is not clever enough to make a profit (even without the fees) and barely breaks even.

Anyway, as always, it’s been very fun and instructive to code, as I had to study and learn how the market behaves, how to handle market data, and how to try to predict trends and set sell/buy points accordingly.

Since I’m not posting the code (yet), here’s its debug window:
[Image: cryptobot_best]

Who wants to be millionaire?

You probably know the TV show “Who wants to be a millionaire”. Lately I’ve been invited to the graduation party of a friend, and thought about creating a game for it.

So I decided to create an HTML5 simulation of WWTBAM, complete with webcam support, sounds and an introduction video. It has been quite fun, and I’ve released the code on GitHub.

Questions are hardcoded in the index.html file, but it’s trivial to modify them. Recently I’ve added support for images in questions.

I really don’t know if someone can actually make use of it, but who knows?

Just a quick overview about the keys used to control the simulation:

  • [Left arrow] – skip to the next step (the video is not skippable for now)
  • [Down arrow] – unveil the next answer
  • [A,B,C,D] – highlight the selected answer
  • [Y,N] – when an answer is highlighted, Y marks it correct, N marks it wrong
  • [F] – switch between the default background and the webcam image
  • [P] – flash the background to build some suspense

Github.

Example-link.

A try for a 3D game

Recently I’ve been experimenting a lot with 3D in the browser using Three.js. Although this is my first post about it, there’s a lot more I’m working on about 3D in JS, but it’s part of my professional work and it’s not time to publish it yet.

Anyway, as usual I like to keep track of my projects here, so I’m linking to this simple game I developed as a joke for a friend a few days ago. The game is here; the descriptions are in Italian, but if you don’t understand them just click and everything will be fine.

JSMol plugin vulnerability and thoughts about security

Jmol is a Java library used to create 3D models of molecules, which can be embedded into web pages as Java applets. JSMol is a JavaScript library that provides the Jmol capabilities through HTML5 technologies, relying on server-side computation for some functionality.

Here’s a short story about how I discovered some pretty bad vulnerabilities in the JSMol software, and how they can affect every server that hosts it.


Using my university’s Moodle installation, I discovered that the Jmol/JSMol plugin for Moodle was installed and probably misconfigured in some way: it had unusual permissions set in its directory tree.

This made me curious and I wanted to better understand what was going on.

I did some research, found the plugin along with its source code (the project is entirely open source), and started to look at the source of the only PHP file in the JSMol package.

Looking through the code, I found a lot of parameters used without proper sanitizing and checks, and quickly discovered two related and pretty serious vulnerabilities.

The first one allows an attacker to read the entire filesystem with the PHP process’ privileges. The second is even worse, but it seems it had already been fixed in the newer releases of the software: it allowed arbitrary command execution on the server.

Both derived from an insecure use of PHP’s file_get_contents() and exec() functions in combination with badly checked parameters coming from GET and POST variables.
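To make the two patterns concrete, here is an added example that is not JSMol’s code and not the fixed plugin: a hypothetical “fetch and convert a model file” endpoint in which each insecure use sits beside a hardened form. The function names, the `file`/`fmt` parameters, the models directory and the `convert-model` command are all assumptions chosen for illustration.

```php
<?php
// Added example, not JSMol's code. Shows the two insecure patterns the post describes,
// each beside a hardened version. All names here are hypothetical.

// --- Pattern 1: file_get_contents() on an unchecked request parameter -------------

// Insecure: whatever path the client supplies is read with the PHP process' privileges,
// so any file readable by the web server can be returned to the caller.
function readModelInsecure(array $params)
{
    return file_get_contents($params['file']);
}

// Hardened: drop any directory component, allow only expected file names, and confine
// the resolved path to a fixed base directory (realpath() follows symlinks, so the
// comparison is done on the resolved path, not on the string the client sent).
function readModelSecure(array $params, string $baseDir)
{
    $base = realpath($baseDir);
    $name = basename((string) ($params['file'] ?? ''));
    if ($base === false || !preg_match('/^[A-Za-z0-9._-]+\.(pdb|mol|cif)$/', $name)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;   // missing file, or resolved outside the models directory
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// --- Pattern 2: exec() with a request parameter interpolated into the command ------

// Insecure: shell metacharacters in $params['fmt'] become part of the command line,
// so the caller controls what the shell runs, not just an argument value.
function convertInsecure(array $params)
{
    exec("convert-model " . $params['fmt'] . " input.mol", $out);
    return implode("\n", $out);
}

// Hardened: map the parameter onto a fixed set of accepted values (never pass the
// raw string through) and quote every argument with escapeshellarg().
function convertSecure(array $params, string $inputPath)
{
    $allowed = ['pdb' => 'pdb', 'cif' => 'cif'];
    $fmt = $allowed[(string) ($params['fmt'] ?? '')] ?? null;
    if ($fmt === null) {
        return null;
    }
    $cmd = 'convert-model ' . escapeshellarg($fmt) . ' ' . escapeshellarg($inputPath);
    exec($cmd, $out, $status);
    return $status === 0 ? implode("\n", $out) : null;
}

// Usage with constructed inputs (the directory and file are assumptions):
//   readModelSecure(['file' => '../../etc/passwd'], '/var/www/models');  // null: rejected
//   readModelSecure(['file' => 'caffeine.mol'], '/var/www/models');      // contents, if present
//   convertSecure(['fmt' => 'pdb; id'], '/var/www/models/caffeine.mol'); // null: not in allowlist
```

Two design choices are worth noting. The path check compares the `realpath()` result against the base directory with a trailing separator, so that a sibling directory whose name merely starts with the base name (`/var/www/models2`) is rejected too. For the shell command, the allowlist does the real work; `escapeshellarg()` is the second line of defence in case a value ever reaches the command line unmapped.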

I immediately contacted the developer of the plugin and reported the vulnerability, along with the maintainer of the Jmol plugin for Moodle.

As of today, the vulnerability has been fixed by the developer, and should be available in the latest version of the software.

Anyway, some research I’ve made suggests that the vulnerability was present on many websites using the plugin, which I think are unlikely to upgrade the software. In particular, I analyzed every registered Moodle installation from moodle.net (roughly 50k) and discovered that a small fraction (~100) had the plugin installed and were vulnerable.

I would not classify it as a widespread vulnerability, but I think this should remind us of the nature of website security. In fact, I would say that every piece of software publicly accessible on a website, however small, should be cause for concern when thinking about security.

As is often said, the best thing to do about software security is to firmly believe that you don’t have any.


1-hour-app project and randomChan

The 1-hour-app project is something I started to force myself to learn Android programming. It’s not a serious effort to make sellable apps, but rather a concept that should push me to produce something creative fast, with simple ideas and easy implementation.

As you’d expect, the idea is to take an app from scratch to Play Store publishing in just 1 hour. This means that the main functionality of the app should be running within an hour; further improvements and updates are of course allowed, especially if I like the result when I’m done with the first development.

Actually, I think that’s both fun and useful, or at least it has been so far, with my first one-hour-app: randomChan.

The app is available on the Play Store, and was refined after first publishing. Of course, it’s a kind of nonsense app, which I guess will be common when making apps with deadlines that tight.

Update: Google decided the app was infringing someone’s intellectual property. I don’t know whose. In the future, I may re-upload the app on a different app store.

QuiXXX removed from the Play Store

The Android app QuiXXX, which Marco Virgolin and I developed 10 months ago, was removed from the Play Store due to a violation of intellectual property. I really don’t understand whose property we are supposed to have violated, as Google didn’t specify it in its automated email.

That was particularly sad, because the app was doing very well, despite having been made in three days as a joke. We had something like 4k downloads per day, we were even earning something from the ads, and the statistics were still rising.

I think this experience made me reflect on the potential one has by being able to create apps and submit them to the public this way. It’s incredible how simple (lucky?) it was to produce an app that got a decent user base in just a few months and with no further effort.

This is why I started a little project, ‘1-hour-app’, to force myself to learn Android programming. I will talk about it in a later post.