
Facebook notification spam – someone “likes” your photo

February 28th, 2010 | 6 Comments | Posted in Web

Recently, a lot of people have been “liking” my photos.

Unfortunately, the notifications are sent out by various versions of a new form of Facebook spam application.

Clicking on “your photo”, in the hope of seeing which photo this person liked, takes you to a page where you’re asked to allow an application access to various parts of your profile:

“Allowing Lika access will let it access your Profile information, photos, your friends’ info and other content that it requires to work”

This is the important part of this application – clicking on “allow” will enable the app to get access to all the information on your profile.
It then sends out notifications to ALL your friends, that you “liked” one of their photos.

Presumably, it is also sending all your information to the developer. This could be anything from your profile – work information, contact info, address, photos – anything.

One way to check if a notification you have received is genuine is to hover over “your photo”

Hover over "your photo" and check the link location

Unless the link is something similar to: http://www.facebook.com/photo.php?pid=12345 then it’s a fake.

The names are usually something like “Like” or “Lika” or something along those lines, to fool you into thinking they are genuine Facebook features.


Implementing DataCash 3D Secure with ASP.net

February 23rd, 2010 | 2 Comments | Posted in Geek Speak

This is an article I’ve been meaning to write for a while now…

Mainly, it’s to help out others who are struggling with the near non-existent documentation provided by DataCash, as I was when trying to plug 3D Secure into my ASP.net application.

I’m sure you’re already familiar with what 3D Secure is, so I won’t go in to too much detail, nor will I go into much detail with regards to the process.

The purpose of this article is to get you familiar with how to send the details to the DataCash MPI, receive a response, and display and use the 3D Secure window in an iFrame (or framed window for that matter)

Please note:
This code is for tutorial purposes only. It’s dirty, crude, buggy, and not refactored in any way shape or form.
I simplified the code down to bare bones, in order to better explain each element.
Obviously, it comes without warranty… it should work as expected, but has no logging, error trapping or any of that good stuff… and when dealing with online payments, you really should take more care!

Download

I’ve made the entire source code for this tutorial available for download.
You will need to edit the web.config to add your own VTID and Password

 

 

Donate

I don’t normally do this, but this article took me literally months to pull together, so any small contribution would be gratefully received!


Payment Page

This is the functionality that processes payment – for example, allows the customer to enter their credit card details etc…

The mark-up is fairly straight forward.

Two things to note are the body, and the form tag:

<body id="myBody" runat="server">

Note that the body tag is runat server

<form id="MainForm" runat="server">

Note that the name is “MainForm” – we will need this later.

Since in this tutorial, I’m showing how to use an iFrame, I have this bit of code, below the payBtn:

<asp:Panel ID="ACSFramePanel" runat="server" Visible="false">
    Please verify.....<br />
    <br />
    <iframe src="" name="ACSFrame" width="450" height="400" frameborder="0"></iframe>
</asp:Panel>

Line 4 of the above is basically where the 3D Secure frame will appear.

I wrapped it in a Panel, so that we can hide it, while the customer enters their card details etc…

Now, let’s look at some of the code-behind:

private Config config;
private Agent agent;

//this would be our order id / reference in production
private string ourReference = Guid.NewGuid().ToString("n").Substring(0, 8);

protected void Page_Load(object sender, EventArgs e)
{
    config = new Config(AppDomain.CurrentDomain.BaseDirectory + "datacash.conf"); // would probably need to come from web.config
    agent = new Agent(config);
}

In the above code, Config and Agent are both DataCash objects.

In the Page_Load event, we basically set these two objects up.

config is set from an xml file (located in the project root) called datacash.conf – this can of course be located anywhere you like (and called anything you like)

agent is then set using the defined config object.

The config file looks like this:

<Configuration>
  <logfile>datacash.log</logfile>
  <logging>5</logging>
  <Obscure>
    <element>Transaction.CardTxn.Card.pan</element>
    <element>Authentication.password</element>
    <element>Transaction.CardTxn.Card.Cv2Avs.cv2</element>
  </Obscure>

  <!--this would be for the live server-->
  <!--<host>https://mars.transaction.datacash.com/Transaction</host>-->

  <host>https://testserver.datacash.com/Transaction</host>
  <port>443</port>
  <timeout>90</timeout>
  <setstrict>true</setstrict>
</Configuration>

Of course, this doesn’t have to be done in Page_Load – in “the real world” this would all be part of a payment helper class. But for demo purposes, it’s fine in the Page_Load – just means we have to repeat ourselves on other pages…

Next, we assume the user fills out the form, and presses the Pay button.

Sending the request to DataCash

protected void payBtn_Click(object sender, EventArgs e)
{
    //so they don't press the button twice.
    payBtn.Enabled = false;

    //get browser info (for 3d secure stuff)
    var browser = Request.Browser.Browser;

    var request = buildAuthDataCashDocument(
        ourReference,
        cardNumber.Text,
        expiryMonth.Text,
        expiryYear.Text,
        startMonth.Text,
        startYear.Text,
        issueNumber.Text,
        secCode.Text,
        billingAddress1.Text,
        billingAddress2.Text,
        billingAddress3.Text,
        billingAddress4.Text,
        billingAddressPostCode.Text,
        browser);

    //send the request document to the agent.
    //todo: could implement some kind of error trapping / retry here
    var authResponse = agent.send(request);

    //get the datacash transaction reference (just in case we need to try authorizing the payment without 3D Secure)
    var datacashRef = authResponse.get("Response.datacash_reference");

    //get the response code
    var responseCode = authResponse.get("Response.status");

This code basically generates a XML document with the payment authorisation request, and submits it to DataCash.

I refactored buildAuthDataCashDocument as it was pretty large, and made the code a bit too dirty, even for this demo!

Couple of bits of note within buildAuthDataCashDocument are:

request.set("Request.Authentication.client", ConfigurationManager.AppSettings["DataCashVtid"]);
request.set("Request.Authentication.password", ConfigurationManager.AppSettings["DataCashPassword"]);

This basically sets the VTID and Password from config (in our case, web.config) which looks like:

<appSettings>
   <add key="DataCashVtid" value="99******"/>
   <add key="DataCashPassword" value="bK*******"/>
</appSettings>

Also, within buildAuthDataCashDocument is:

request.set("Request.Transaction.TxnDetails.ThreeDSecure.verify", "yes");
request.set("Request.Transaction.TxnDetails.ThreeDSecure.merchant_url", "www.crocus.co.uk"); //or whatever brand??
request.set("Request.Transaction.TxnDetails.ThreeDSecure.purchase_desc", "Items from Crocus"); //or some other short summary
request.set("Request.Transaction.TxnDetails.ThreeDSecure.purchase_datetime", DateTime.Now.ToString("yyyyMMdd HH:mm:ss"));

This is important, for 3D Secure – Fairly self explanatory.

After building our request Document, we need to send it to DataCash, and get another Document back – as a response.

To do that, it’s as simple as:

var authResponse = agent.send(request);

This sets authResponse to the response Document.

We can then use the .get() method on authResponse to retrieve elements from it.

We are most interested in Response.datacash_reference and Response.status

The datacash_reference is unique to each and every transaction processed, so it is useful for later things like refunds, reporting etc…

Response.status is the DataCash status code for this transaction.

It’s from this, that we determine how to proceed.

switch (responseCode)
{
    //handle 3DS error responses....
    //Basically, if it's one of these, the transaction is screwed, and shouldn't proceed....
    case "151": 		//	3DS Invalid Transaction type
    case "152": 		//	3DS Manual Authorization not supported
    case "153": 		//	3DS verify element missing
    case "154": 		//	3DS Invalid verify value
    case "155": 		//	3DS field missing
    case "156": 		//	3DS Invalid Browser.device_category
    case "157": 		//	3DS Merchant not enabled
    case "159": 		//	3DS No VERes from DS
    case "160": 		//	3DS Invalid VERes from DS
    case "161": 		//	3DS call auth centre

        //log the error here
        break; //- throw them out of transaction process. Should redirec

    case "56": //speed limit - too many transactions on that card number in short space of time
        break;

    //3ds payer verification required....
    case "60":
    case "150":
        show3DSIframe(authResponse);
        Response.Clear();
        break;
}

I won’t go in to too much detail, as the comments kind of speak for themselves…

Basically, if you get a 60 or 150 then the transaction requires you to show the 3D Secure window.

Showing the 3D Secure iFrame

I’ll spend a bit of time on show3DSIframe, as this is the part that caused me the most hassle – How to actually display the ACS in an iFrame, especially in ASP.net

private void show3DSIframe(Document doc)
{
    ACSFramePanel.Visible = true;

    //this is the data cash reference number for this transaction
    var dataCashReference = doc.get("Response.datacash_reference");

    //this is the url of the ACS - the page generated by the bank, that contains the
    //boxes where the customer enters information etc...
    var acsUrl = doc.get("Response.CardTxn.ThreeDSecure.acs_url");

    //this is a long message / code that is generated for the transaction
    var pareq = doc.get("Response.CardTxn.ThreeDSecure.pareq_message");

Ok, so in the markup from Part 1, you may remember I wrapped the iFrame in a Panel, called ACSFramePanel. Now, we need to set the visibility to true.

These first few lines are self explanatory – we need to get the dataCashReference, acsUrl (the URL of the 3D Secure page – this is usually returned by the customer’s issuing bank) and the pareq – this is a long string, that’s a bit like a password for the transaction.

These elements are retrieved from the passed in DataCash Document.

We then need to create our Term URL – This is basically a URL that the 3D Secure window POSTs back to:

//IsSecureConnection does not depend on the casing of the HTTPS server variable
var termUrlPrefix = Request.IsSecureConnection ? "https://" : "http://";

//termUrl is where the ACS page posts back to.
var termUrl = string.Format("{0}{1}",
    termUrlPrefix,
    Request.Url.Authority + "/3DSResponse.aspx");

In our demo case, it’s just on our local host machine – this could however, for example, be something like www.myUrl.com/checkout/3DSresponse.aspx

This next part is the important part.

This sets the required hidden fields (PaReq and TermUrl) on our form.

We then register another hidden field – “MD” – This is our order number / reference for this transaction – so we can retrieve it from our database, and update the status when we come out the other side of 3D Secure.

The next line generates a little bit of JavaScript that basically causes this form to submit itself to the acs url.

The result of this, is then output to the target (parameter 3 in our string.format) – ACSFrame.

Remember we called our form “MainForm” :-)

Then, myBody.Attributes.Add inserts the resulting JavaScript to the onLoad function of our body tag.

Remember we made the body tag runat server earlier

//ClientScript.RegisterHiddenField adds a hidden field to the form...
ClientScript.RegisterHiddenField("PaReq", pareq);
ClientScript.RegisterHiddenField("TermUrl", termUrl);

//this is the data cash reference, and our reference -
//so we can update the order on the other side of the verification (paid, failed etc...)
ClientScript.RegisterHiddenField("MD", dataCashReference + "|" + ourReference);

var js = string.Format("javascript: document.{0}.action='{1}'; document.{2}.target=\"{3}\"; document.{4}.submit();",
    MainForm.ID,
    acsUrl,
    MainForm.ID,
    "ACSFrame",
    MainForm.ID
);

//since the body tag of this page is called myBody, and is runat=server, we can access
//it here, and inject our javascript.
myBody.Attributes.Add("onLoad", js);

And there we have it – the 3D Secure window is displayed in an iFrame
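The MD hidden field registered above travels through the customer’s browser and the ACS before it is posted back to the Term URL, so the value that arrives may not be the value that was sent. As an added example (not code from the original article or from DataCash), this appends an HMAC to MD and checks it on return; the MerchantData class, its method names, and the sample key and references are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not part of the DataCash API): binds the MD value to a
// server-side secret so a tampered MD is rejected when the ACS posts back.
public static class MerchantData
{
    // Produces "datacashRef|ourRef|hexTag" for the hidden MD field.
    public static string Protect(string datacashRef, string ourRef, byte[] key)
    {
        if (datacashRef.Contains("|") || ourRef.Contains("|"))
            throw new ArgumentException("References must not contain '|'.");
        var payload = datacashRef + "|" + ourRef;
        return payload + "|" + ToHex(ComputeTag(payload, key));
    }

    // Returns true and the two references only if the tag verifies.
    public static bool TryUnprotect(string md, byte[] key,
        out string datacashRef, out string ourRef)
    {
        datacashRef = ourRef = null;
        var parts = (md ?? "").Split('|');
        if (parts.Length != 3) return false;

        var expected = ToHex(ComputeTag(parts[0] + "|" + parts[1], key));
        if (!FixedTimeEquals(expected, parts[2])) return false;

        datacashRef = parts[0];
        ourRef = parts[1];
        return true;
    }

    private static byte[] ComputeTag(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    private static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // Compares without exiting early on the first mismatching character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values; a real key would come from protected configuration.
        var key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        var md = MerchantData.Protect("4900200000000001", "a1b2c3d4", key);

        string dcRef, ourRef;
        Console.WriteLine(MerchantData.TryUnprotect(md, key, out dcRef, out ourRef));     // genuine MD
        var forged = md.Replace("a1b2c3d4", "ffffffff");
        Console.WriteLine(MerchantData.TryUnprotect(forged, key, out dcRef, out ourRef)); // altered MD
    }
}
```

On the Term URL page, run TryUnprotect on the posted MD before looking up the order, and still confirm server-side that the order is actually awaiting 3D Secure.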

I’ll edit this post with a link to 3DSResponse.aspx when I finish that article…

Hope this helps! Feel free to ;-)


Outlook – Error with PDF Preview Handler for Vista

January 27th, 2010 | No Comments | Posted in Software

Up until a few moments ago, I was unable to preview PDF files in emails in Outlook using Windows 7 64bit.

The problem is that Adobe have not updated their installer of Adobe PDF reader to allow the correct values to be set in the registry.

However, there is a fix.

I came across this:

http://www.pretentiousname.com/adobe_pdf_x64_fix/index.html

It worked great!


How to view Experts Exchange answers

January 11th, 2010 | 3 Comments | Posted in Web

I’m sure anyone that’s searched for solutions in Google, has fallen victim to the search engine result pollution Experts Exchange employs…

They always seem to title their results, with EXACTLY what you are looking for.

When you click on it, you’re told that to view the solution, you need to sign up. Which costs money…
Sure, there is a free trial available… but who really wants that?

Well… the answers are indeed, freely available.

This is a condition of appearing in Google search results.
However, a slight black-hat trick is, that they’re not visible to Joe Public. Only to search engines…

You can fool the site into thinking you are a search engine, by simply copying the full experts-exchange URL from your browser, for example:

http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_22634999.html

And pasting that into the Google search box:

The first search result, will be a link to that URL, via Google.

Click that, and it will show you the answers! Nothing illegal, just exposing Experts Exchange black hat techniques :-)


Fixing – Log Reader Performance : Critical (Seen in SQL Replication Monitor)

January 7th, 2010 | No Comments | Posted in SQL

I ran into a problem with a Transactional Publication today.

I’d moved the database from old hardware, to newer hardware, and in the process, restored the SQL 2000 database onto SQL 2008 (running in SQL 2000 compatibility mode)

I’d re-created the publication, and initialized it.

After about half an hour, I checked the Replication Monitor, and noticed that it said:

Performance : Critical

Unfortunately, I don’t have a screenshot :-(

Latency was also somewhere in the mid 40’s

I noticed that my recovery mode was FULL.

I changed this to BULK LOGGED, re-initialized replication, and this dramatically reduced the latency – down to 0.0 in fact!


Windows XP Virtual Machine – no network adapter / missing driver?

January 5th, 2010 | No Comments | Posted in Geek Speak

After creating a new Windows XP Virtual Machine, on VMWare Server, I noticed it had no network adapter.
It was an “unknown device” in Device Manager!

I installed VMWare tools, to no avail.

After painstakingly thrashing about with my settings in VMWare Server, I took a look at my vmx file (located in the same directory as my virtual hard disks etc…)

It appears I had set the guest OS as Windows XP x64, when in actual fact, I had installed x32 version.

I changed this in my vmx file, and after reading this forum thread, deleted the following line:

ethernet0.virtualDev = "e1000"

Voila! It worked!


Fixing ‘Windows Could not determine if this computer contains a valid system volume’ when installing Windows 2008

December 31st, 2009 | No Comments | Posted in Windows

I was trying to install Windows Server 2008 Standard x64 on one of our servers, intended to be an internal SQL database server.
It’s equipped with a 3Ware 9650SE 8LPML RAID controller. It has 8x 250gb hard drives.
I’d set up 2 units:

  • RAID 0 (Stripe) – For the OS (2 drives)
  • RAID 10 (6 drives)

I downloaded the drivers from the 3Ware website, and put them on a USB flash drive.
I should point out at this point, that the download is circa 50mb – the actual drivers are only about 150kb… the rest is a .exe file used for upgrading drivers on an existing system.

You then go through the setup screens, and click Load Drivers at the point where you are supposed to select a drive to install on. It finds the USB drive, you select the drive… all seems ok so far.

Upon selecting the smaller of the 2 units (my RAID 0 stripe) and pressing next, I got a screen saying:

Windows Could not determine if this computer contains a valid system volume

Uh oh!

After much Googling, I found the problem was in the BIOS – and that the USB drive should be de-selected as a boot device.

I restarted, pressed F2 to get into the BIOS setting, and de-activated the USB drive.

However – this did not work! I still had the same error!

Here are the steps that I used to finally get it to work:

  1. Put driver files on USB floppy drive (not sure if this is significant, but it worked for me)
    Remember, the actual driver files are < 200kb – it’s just the EXE file that’s large
  2. Restart machine, leaving USB (floppy) plugged in
  3. Enter BIOS setup – Boot sequence.
  4. Deactivate USB from the Boot sequence
  5. Make the 3ware RAID controller #1 in the sequence
  6. Save & Exit
  7. Enter Windows 2008 setup again, this time, it should work

I think the key is point #5 – You MUST make the RAID controller the first in the boot sequence.

What effect using the floppy drive had, I’m unsure. Probably nothing.


Ass-Kissing Blog Comment Spam

December 28th, 2009 | No Comments | Posted in Blogging

Recently, I have been receiving a large amount of a different kind of comment spam on my Wordpress blog.

In an effort to get around the Akismet spam protection, they have created several variations of the same kind of poor English, brown nosing comments… that effectively mean nothing.

The whole point of them, is to allow their URL to be posted in the “Website” field of the comment.

I recently had one on this post, to which I approved the comment, and later realised it was actually spam – so simply edited the comment, removed the URL, and left a reply underneath.

Here are the kind of comments (complete with spelling errors and bad English)

I’ll edit this post when I come across some more…

Advantageously, the post is really the freshest on this laudable topic. I fit in with your conclusions and will thirstily look forward to your incoming updates. Just saying thanks will not just be sufficient, for the exceptional lucidity in your writing. I will at once grab your rss feed to stay privy of any updates. Admirable work and much success in your business enterprise!

Considerably, the article is in reality the freshest on this worthw hile topic. I fit in with your conclusions and will eagerly look forward to your next updates. Saying thanks will not just be enough, for the great lucidity in your writing. I will right away grab your rss feed to stay privy of any updates. Fabulous work and much success in your business endeavors!

Comfortably, the post is really the sweetest on this noteworthy topic. I fit in with your conclusions and will eagerly look forward to your approaching updates. Just saying thanks will not just be adequate, for the wonderful lucidity in your writing. I will at once grab your rss feed to stay informed of any updates. De lightful work and much success in your business efforts!


Twitter User underdog100 gets 300% increase in followers – in 10 minutes

November 30th, 2009 | 1 Comment | Posted in Blogging, Web 2.0

At 23:00, Jo Combs (twitter.com/underdog100) had just 37 followers
5 minutes later, Graham Norton had featured her tweets on his show, albeit poking fun at them, but, now, her followers had swelled to 110!

Every time I hit F5, her number of followers increases

By 23:10 the count had grown to 130… around a 300% increase in 10 minutes!

I got bored at about 23:20, but by then, the follower count had grown to 140!
Not bad!
