
Adventures With Javascript Packer

Web developers, and others who build applications on web based technologies, have always been keen to prevent end users seeing the business end of their applications.  Early on in the history of the web - during JavaScript’s first boom - there were plenty of scripts which created annoying functions like stopping users left clicking (in a vain attempt to stop people ‘stealing’ their code - like it was the best thing on the web, but more likely to try and cover up simple exploits in their code) or scripts that would completely scramble the HTML should a user view the page source, making it unreadable to humans.  This trend seems to be coming back in a big way.

More and more I am seeing JavaScripts which are unreadable to human eyes but which can still be understood.  In the past, scripts that scramble the code made websites bloated and ‘heavy’ for users to view - not to mention that the encryption key that had been used to scramble the HTML was readily accessible to any viewer who knew where to look.  These days however the scripts which ‘scramble’ are intended (initially at least) to compact the script to help sites load faster.  It is an unexpected bonus that the code is also unreadable to humans.  Ever seen something like “eval(function(p,a,c,k,e,r){…};”?  Want to know what’s really going on?

The fundamental problem with web based applications is that the end user’s browser needs to be able to understand the data it is given.  Browsers are able to send and receive information securely, but once that information is delivered to the client it is effectively theirs to do with what they will.  Let’s face it, if the browser couldn’t understand and interpret the data then there would be no web!  So web developers write code in a way that browsers understand (and sometimes in the case of IE, they don’t understand).  JavaScripts also need to be understandable to the browser because they are processed on the client, unlike a host of other languages which are processed on the server side.  With a server side language, the script is processed and a web page is outputted and sent to the client.  With a client side language, the script is sent to the client, the script is processed and the output displayed on screen.

But wait, the script that I have is ‘packed’ like the example above!  How can that be?

Well the answer is rather logical and right in front of you.  The script that is ultimately run is sent to you inside another script.  The container script is a simple compression script which, when run by the browser, outputs the ‘real’ script which, in turn, is run by the browser.  Rather nifty!  However this script-in-a-script setup means that should the user view the page source they will only see the packed script which is unreadable to humans.  Even better!

So how do we see what the actual script is?  There are a few ways.  Firstly, it is possible in Firefox to select an area on the page and view just the selected source.  This source isn’t just a cropped section of the page source (what is downloaded from the web server); it is an output of the page actually displayed by the browser.  This means you see what the page looks like after the scripts have run.  But the catch is that most JavaScripts are contained in the head of the page, meaning they cannot be selected.

The next option is to open up the error console in Firefox (Tools>Error Console or Ctrl+Shift+J) and paste in the packed code with “eval = alert;” in front of it.  This will then pop up a dialog box which contains the code that has been packed.  The output of this code isn’t very pretty but it works in most cases.  The only issue I have run into is that when you are unpacking unusually large scripts it becomes cumbersome (if not impossible) to get the entire script.  Also, the data isn’t formatted very well.

So my quick solution to this (which I am sharing with you now) was to throw together a couple of scripts that I found online which decode the packed script passed to it and then display it in an easy to use way.  There is both a code view for easy on-screen reading and a text-box view which makes for easy copying into another application.  It does take a few seconds to finish decoding (most of that time is spent waiting to be honest) so don’t be too hasty to click Decode! again.

Hopefully this helps people out.  You can download the files to your computer and run the tool offline.  Let me know what you think.
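A static alternative to the “eval = alert;” approach described above, added here as an example and not taken from the original post or its download: it recovers the inner script by reading the wrapper's trailing arguments, so nothing from the packed input is executed. It assumes the common Dean Edwards packer argument layout ('payload', radix, count, 'keywords'.split('|')) and a radix of at most 62; the names `unpack`, `tokenToIndex` and `SAMPLE` are made up for this example.

```javascript
// Added example: static unpacker for the eval(function(p,a,c,k,e,r){...}) wrapper.
// The packed input is only parsed as text; none of it is ever executed.
const DIGITS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Trailing call arguments (assumed layout): ('payload', radix, count, 'kw|kw'.split('|')
const PACKED_ARGS =
  /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Undo the string-literal escaping applied to the payload argument.
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch === 'r' ? '\r' : ch));
}

// Convert a payload token to its keyword index; NaN if it is not a base-`radix` number.
function tokenToIndex(token, radix) {
  let value = 0;
  for (const ch of token) {
    const digit = DIGITS.indexOf(ch);
    if (digit < 0 || digit >= radix) return NaN;
    value = value * radix + digit;
  }
  return value;
}

function unpack(packed) {
  const m = PACKED_ARGS.exec(packed);
  if (!m) throw new Error('not a recognised p,a,c,k,e,r wrapper');
  const payload = unescapeLiteral(m[1]);
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const keywords = m[4].split('|');
  if (radix < 2 || radix > 62) throw new Error('unsupported radix ' + radix);
  if (keywords.length !== count) throw new Error('keyword count mismatch');
  // Every word-like token is an index into the keyword table; an empty
  // keyword means the token already is the original word.
  return payload.replace(/\b\w+\b/g, (token) => {
    const word = keywords[tokenToIndex(token, radix)];
    return word ? word : token;
  });
}

// Constructed sample (wrapper body elided; it is never run).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,r){/* ... */return p}('3 0=1.2("a");0.4="5 6 7 8 9";',36,11,'el|document|getElementById|var|textContent|unpacked|without|running|the|wrapper|status'.split('|'),0,{}))`;

console.log(unpack(SAMPLE));
```

Because the input is never evaluated, this also works on scripts too large for a dialog box, and the result can be passed to any code formatter.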

Traditional Idea, Techno Twist

More and more secondary schools in Australia are adopting a Learning Management System to allow students to access vital information online, while also providing functionality for testing, reporting and the like.  Delivering content online, as supplementary to traditional teacher-student contact, is a fantastic use of technology and screams of benefits for both teachers and students.

While thinking about this I wondered why school canteens didn’t provide an online shopping portal for making lunch orders.  This again would be an ideal usage of technology.  A student and/or parent logs on and shops, as they would any other online shop, for lunch the following day (or perhaps a few days into the future) and then they pay online through PayPal or credit card etc.  Each day then, the orders relevant for that day are delivered to the canteen operator who can prepare the lunches and deliver them to the student at the appropriate time.

The benefits to the parent are obvious.  Firstly, no need to scrounge for change on lunch order day.  Secondly, credit card payment is secure and the parent knows exactly how much is being spent on lunches.  Thirdly, the order is locked in and so the parent knows exactly what their child will have for lunch; no more changing ‘salad sandwich’ for ‘pie and chips’.  Finally, the system could be established to give children access to a particular amount of credit so that students wouldn’t have to carry money with them and the parents would be billed monthly.

The benefits for the canteen operator are a little less obvious but still well worth the cost of the system.  Firstly, all orders are delivered to the operator at the same time daily in the same format.  No more deciphering handwriting on envelopes or brown paper bags.  Secondly, payment is received in a secure manner so only a smaller float is needed on site.  Thirdly, and most profoundly, the operator doesn’t need to be on site in the morning the order is placed allowing for a greater degree of outsourcing, less commuting for operators running multiple canteens and reduced overheads in terms of staffing.  Finally, costs of implementation would be low because there is already free e-commerce software available which would only need minor modification to suit this application and hosting could be handled by the school for a reduced or no fee.

With everyone relying more heavily on technology I think this idea will be implemented at some point, but it’s just a question of when.  What do they say about the simplest ideas?

Internet Filters - Protect Yourself

If you don’t know already, the Australian Government is planning on introducing a national web filter to ‘protect’ Australians from the perils of the Internet (Electronic Frontiers Australia, No Clean Feed, Whirlpool).  This is despite the negative findings of a report the government itself commissioned and despite the scathing criticism from network experts, ISPs, end users and freedom of speech advocates.  But the issue is a sensitive one.  How can parents protect their children in an online world they themselves do not completely understand?  The next logical question is: should government be ignoring the best advice from numerous experts to create policy based on the demands of parents who, by their own admission, are not technically savvy?

Personally I believe that the Internet should not be filtered, censored or ‘cleaned’ (as some ministers will say) and I believe that government policy should be written on the best advice possible and, therefore, the experts should not be ignored - in all matters.  But this only addresses the second question.  What about parents who still want to provide a safe online environment for their children?

Safety for children comes from supervision, rules and control.  Let’s take, for example, swimming pools which are fun but also impose significant risks.  How do we mitigate those risks?  We supervise children when in the pool, we establish rules for pool behaviour (don’t run around the pool etc.) and we control when and how children can access the pool (erecting a fence around the pool).  Hopefully this is all common sense and is practiced regularly by those households with pools.  But how many households with Internet access practice these behaviours?  I would maintain very few!  In fact in many households the children are the ones administrating Internet access which, if you consider it in terms of our pool analogy, is utterly ridiculous.

It is possible for parents to mitigate the risks of Internet usage and provide safe computing for their children by being proactive and following the same basic principles of supervision, rules and control.  All of this can be done in either a low-tech or a high-tech way (depending on the parent’s technical ability) but hopefully you will see that a high-tech option doesn’t necessarily mean a more difficult option.

I would like to say that I don’t recommend the usage of a software filter on the desktop computer (client based) for numerous reasons; the biggest being that, time after time, they have been broken or circumvented too easily thereby reducing their effectiveness.  However they can be useful tools and inexpensive (considering the Australian Government still provides one for free) and do provide a layer of protection which, if maintained properly, should at least slow down mischievous children.

My preference, and recommendation, is to have server based filtering and control software which provides the best protection and can also be inexpensive (or free).  Most households have more than one computer and more often than not one of the computers is old, redundant and considered rubbish.  Well your old PC can be revived into a network server which provides protection for your household - simply by downloading and installing ClarkConnect (an “Internet server and gateway solution”).

ClarkConnect is a Linux based operating system offering a variety of features to provide a safe Internet experience.  It contains firewall software (the best ever created) which stops unwanted access to your household computers.  It contains proxy software which logs all the Internet traffic, caches websites and Internet content (making pages load faster - not slower like the Government’s proposed filtering solution) and also provides user authentication (users have to log in to the server before they have access to the Internet).  It contains a content filter to block inappropriate websites and is also easily configured to block other sites as desired (say youtube.com).  It contains ad-blocking software which strips out advertisements from websites, making web pages load faster, using less bandwidth and stopping annoying banners and pop-ups which lead to viruses and malware.  It contains access control software which can be set up to block Internet access at particular times for particular users/computers - providing you complete control.  These are just some of the features of ClarkConnect and you can have them all for FREE!

But why is a server based solution better than a client based solution?  And isn’t it harder to manage or set-up?

A server based solution allows you to control your Internet connection completely.  You choose what comes in and what goes out.  You control which sites are blocked.  You control Internet advertising.  And you say what happens when.  Whilst client based solutions can offer many of these features they do not offer all of these features.  Then to get all the features you would need to run multiple client based solutions which may conflict and could make it easier to circumvent the protection measures.  Also, as said earlier, client based solutions are notoriously easy to break/avoid.

Set-up of a server based solution is probably more difficult than a client based solution (you are installing an operating system and not just software, and you are also configuring the software in the operating system to your desired security level) however once set up properly, maintenance is easy and in most cases unnecessary.  ClarkConnect is designed for ‘always on’ computers and so even rebooting after system upgrades is kept to an absolute minimum.

But isn’t the Government simply proposing a server based solution to be implemented at the ISP level?  And doesn’t that provide us with all these benefits without the hassle - leaving the work up to the experts?

The Australian Government’s solution is to set up an ISP level content filter only (not all the other cool features discussed).  This solution has been proven to be easier to circumvent than most client based solutions and will exclude much of the Internet traffic.  Whilst ClarkConnect can block all peer-to-peer (P2P) traffic (bittorrent, edonkey etc.) the Government filter cannot.  Surveys have shown that up to 95% of all Internet traffic is caused by P2P transmissions and yet the Australian Government completely disregards this fact.  Since P2P networks are the most anonymous networks most illegal networks operate this way (paedophiles, terrorists, all those other nasty folks).  And still the Australian Government doesn’t care.  Why abdicate your control of the Internet to a government who cannot and will not provide you with the level of control that you require?

High-tech talk aside, computers and the Internet can be made perfectly safe for children by simply following our three principles of supervision, rules and control and these can be easily implemented without technology.  The following are some ideas on how to create a safe computing environment for your children and can be implemented in either a low-tech or a high-tech manner.

Supervision:

  • Get involved with your child’s computer usage
  • Position the computer in a communal space which can be easily monitored even when busy
  • Ask your children about what they are looking at and ‘snoop’ by looking at the browser history
  • Encourage children to discuss their computer usage and any issues raised by it (what is porn?  why is it there? etc.)

Rules:

  • Each household member should have their own login credentials and passwords should not be shared
  • Children should ask permission before accessing the Internet
  • Children should be encouraged to ask for help if they discover inappropriate content (and parents should explain why it is inappropriate content and how to avoid it)
  • Limits should be placed on the amount of time spent on the Internet/computer each day

Control:

  • Children should be restricted to accessing the Internet only when a supervising adult is around
  • Computer access should be revoked if the rules are broken
  • Sites with inappropriate content should be banned or blocked