UPDATE: We (ozzeh, joshua, shadowmite and I) just put the teaser site together for the EVO root. More info coming soon:

I ended up with a Sprint HTC EVO 4G after Google I/O. It’s a pretty fantastic phone, even though it’s something of a kitchen sink. By a happy coincidence, I ended up reconnecting with some of my buddies from the old mobile hacking days who were looking to root it. With a few hours effort and a three person team (credit to ozzeh and Joshua Wise!), we managed to get the standard su tool installed.

This sort of disassembly and hacking really brought back memories. Shadowmite introduced me to mobile phone hacking back in the day. Back then we were doing stuff like porting Linux to the device and hacking the bootloader.

In any case, here’s some screenshots. We’re not releasing any details on the root hack yet:

At this time, we believe that this specific exploit cannot be applied to Incredible.

You can find me on twitter as @mmastrac

Read full post

UPDATE (July 7, 2010) Daniel Herding sent me a story about his adventures with Avira’s latest version. Looks like they’ve just paved over the problem.

We’ve been seeing a number of reports that our DotSpots Chrome extension is being reported as infected with the HTML/Crypted.Gen malware. There’s not a lot of information on Avira’s site about this malware, except that it’s a ‘trojan’ with ‘low damage potential’.

I previously submitted a sample of the false positive which solved the problem until we pushed out a new version of our code. Since we can’t submit each of our builds ahead of time to Avira for approval, I had to spend some time figuring out exactly what was causing them to think our code was malicious.

I started by downloading a trial version of their anti-virus product. Immediately after restart, it detected the HTML/Crypted.Gen malware in the Chrome extension that was already installed. I extracted the script from the extension to my desktop and it continued to pop up infection warnings on the file. Now that I had a reliable reproduction case, I could start working on narrowing down what triggered the alert.

I loaded up the file in my trusty analysis tool, Notepad. Starting from the original file, I deleted large swaths of code until it was no longer detected as a virus, then restored those pieces and deleted smalled chunks. Eventually I reduced it down to a couple of lines, which were then reduced down to a few strings of characters. At the end, a file with only a few hundred characters would trigger the signature:


Aside: my original set of pattern strings included “nodeValue” rather than “eval”. The patterns are all case-insensitive and don’t ensure matches happen on JS token boundaries. When I went character-by-character to simplify the triggers further, I discovered that it was the ‘eVal’ in ‘nodeValue’ causing issues.

When I create a file with those six strings in it on a website, Avira will attempt to block the download. This appeared to be the most specific components of the signature. Putting those keywords into Google, I found a few references to the malware it detected. The malicious script seems to construct an iframe from an array of characters, then inserts it into the document to download malware from a third-party site.

Unfortunately, these keywords also end up in the compiled Javascript of nearly every Google Web Toolkit application, giving Avira anti-virus users false-positives when viewing many of these applications.

I posted a report to the GWT contributor Google Group with my findings. I had expected that since I posted the offending signature in the message, Avira would warn me that the web page I was reading was malicious. It didn’t.

I ran the message page through the same process that I used to figure out what triggered the signature, this time looking for the smallest piece of text that disables detection of the virus. It turns out that this text is the phrase google. So, the heuristic looks for the presence of the six character strings above, but also the absence of the word Google.

It’s a little disappointing to see how poorly this anti-virus product implements heuristic detection of this particular scripting pattern. It was trivial for me to figure out the pattern. I could have worked around any number of ways- by adding whitespace to the array of zeros, using Math['min'], or String['from' + 'CharCode'], all of which breaks this pattern recognition. Having the phrase ‘google’ disable detection of the virus made my job even easier. It’s possible that there are a set of other safewords that do the same thing. If I were writing malware or viruses, I’d definitely spend time altering it to work around this sort of heuristic.

Considering that the risk of false positives is so high (and users might be trained to ignore other, potentially valid virus warnings), I’d say that users are worse off with this virus definition than they are without.

You can find me on twitter as @mmastrac

Read full post

Looking back through the history of, I realized that I’ve used three off-the-shelf products to blog over the last decade: CityDesk, Typo (a Ruby blog engine) and Wordpress.

My favorite of the three was CityDesk. It was a very simple CMS with a decent custom scripting engine. Its big disadvantages were 1) that its data was stored in a Microsoft Access database 2) its data was basically a big binary blob that didn’t work well at all with source control, 3) I couldn’t push stuff into it from the command-line (ie: various testing snippets that I like to save) and 4) the scripting language was too limited at times to do what I wanted.

Typo was a great engine, but terribly slow on my webhost, 1&1. A few years in I managed to accidentally delete the .htaccess file that configured the Ruby magic and couldn’t get it working again.

Wordpress is both fast and stable, but I find that it’s near-impossible to customize it as I like, not being terribly experienced with PHP.

I’ll probably be migrating off Wordpress to something a little more custom in the next few weeks. I’d like to go through my entire blog history (from 1998 to present) and put it into a single, source-controlled repository that I can use going forward.

I reserve the right to remove some of the more embarrassing posts from the Internet entirely, however.

Read full post

I’ve been searching for a complete EBNF for XML 1.1 without much success. I found one for XML 1.0, but I was hoping to avoid manually patching it for the XML 1.1 changes.

In the end, I decided that it would be easiest to just parse the EBNF directly out of the specification. Here it is, for reference:

Read full post

I was surprised a few days ago with a new layout for Google News on one of the machines I use. I haven’t seen it reported anywhere yet. I came across it tonight while testing and grabbed a few screen captures in case it disappears.

The biggest change is that each story now has a bordered box around it and the stars introduced recently have been moved to the right-hand side of the story. Each story has a drop-down menu associated with it, but the only option in there is “Email”. This drop-down has the class “share-icons” - possibly a new location for a “share in reader/buzz” option.

Looking through the DOM, it appears that this is called the new “blended” story style.

Here’s a couple of screenshots:

Read full post