Bypassing Cloudflare

I often automate tasks on the web (such as fetching news and sorting it according to my interests), and sometimes I run into Cloudflare’s DDoS protection. I mean the client-side part; I guess they have some real DDoS protection server-side, as the client side is very easy to break.
They change their algorithms from time to time, but the basics are always the same:

  1. curl the protected page and you will get an invisible form which auto-sends itself after making some client-side calculations. Currently this form is called challenge-form and has three hidden fields called jschl_vc, pass and jschl_answer.
  2. Compute the javascript you find in the curl-ed page and send the form (the results of the calculations will be populated to the jschl_answer field). You can emulate these calculations in your favorite language (Python, AppleScript, PHP, whatever) or have a JS engine execute the scripts. I’ve used node for this, which is available as a command-line tool you can install and execute easily.
  3. If everything is OK, you will now have two cookies: __cfduid and cf_clearance. Using those cookies, you can now surf the website freely.

The details may change from time to time, as Cloudflare updates their methods, but it’s been very similar across the years. Just take a look in your regular browser/developer tools and find the magic under the hood.

eBay endorses fraud

Steps to reproduce the issue:

1. Crash your graphics card and try to find a replacement on eBay => https://www.ebay.es/itm/382559592650?ViewItem=&item=382559592650&ssPageName=ADME:X:COCE:ES:3160

2. Contact a seller who lists such an item as New, which according to https://www.ebay.com/pages/help/sell/contextual/condition_1.html means “A brand-new, unused, unopened, undamaged item in its original packaging (where packaging is applicable). Packaging should be the same as what is found in a retail store, unless the item is handmade or was packaged by the manufacturer in non-retail packaging, such as an unprinted box or plastic bag. See the seller’s listing for full details.”:


3. When you go to the details, you can read in a tiny bullet inside a long list: “Used! 90% New”.

4. Contact the seller and ask for a clarification. What does 90% new mean???

OK, not so difficult to understand: 90% new means 90% new, like renewed (???), so it’s more than new. It’s new renewed. However, that doesn’t sound like brand-new, unused, unopened, undamaged.

However, this isn’t the part related to the apparent endorsement of fraud from the point of view of eBay. Just read the same message focusing on certain keywords:

Also, I’ve reviewed the contact/help pages on eBay, and there is no apparent decent way to contact and REPORT FRAUD. My only chance was calling an international? phone number, after waiting for (estimate) 34 minutes. No mail, no easy way to report a FRAUDULENT item.

The programmers or the CEO @ eBay, though, seem to suggest that the default behaviour is asking the buyer to buy whatever. Endorsement messages, a mechanism to include special offers (2% discount)… Very smart.

Insolvable and slow recaptchas fixed (jDownloader Mac)

Launching jDownloader’s captcha solver in a Chrome incognito window (easily adaptable to other browsers?). Look in Advanced prefs for “BrowseCaptchaSolver: Browser Commandline” and enter the following =>

[ "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "-incognito", "%s" ]

This will fix the issue of insolvable and slow recaptchas (maybe some kind of conflict between your google id and the process of solving captchas).

The same should work without jDownloader: just solve your captcha in an incognito window.

AppleScript, mother tongue of Mac’rs

Before you were a Codewarrior addict, later Carbon libraries consumer, then Cocoa, then Obj-c, then iPhone developer, then what!

If you are a Mac user (not developer, being old or new to the business), AppleScript is your friend. In fact, any OSA-based language or “dialect” if I can call it so (such as appscript by Has or some handmade experiments by Phillip Aker). Apple Events. Application Intercommunication. Sounds simple, but it’s the marmalade (not to talk about glue) of the daily workflow of hundreds of thousands of Mac users.

Other “experiments” come to mind, like “basic” (being Real or MS) or JavaScript for apps (such as Adobe’s apps or Air), but that is just System/App communication. It’s fine, but not in any way a checkpoint.

Although Qilania lives on an Ubuntu-driven server, many automation tasks are done on various “slave” machines, and many of them are driven by AppleScript, especially mirroring and db integration. For example, you can make tiny changes to a SWF file, and see them live in a few seconds. First, on the local server. Then, on the live server. And also changes are propagated to backup disks and so on. Magic under a double-click. Lots of technology involved: network connections, remote servers via ssh or sftp or scp, various desktop applications, etc. And one scripting language to rule them all: AppleScript.

I can assure you that today, Sep 10th 2010, there is no programming language to accomplish most of these tasks we solve in a few seconds in Qilania, neither on Mac nor on Win or *nix.

AppleScript, the marmalade and mother tongue of all Mac users.

ActionScript 3 madness

Many people in the big corporations now think it’s time to move their oldies to AS 3 (I heard of people still using AS 1 code). But it seems they are only interested in quick transcodings (a concept which isn’t possible, at all, unless we are talking about 10 lines of code).

In Pescados Software we use AS only as a tool, so we moved to AS 3 when we needed it, but always for new projects. Re-usable AS 2 code was finally thrown away, as most of the time we found it wasn’t so “re-usable” at all. I think AS 3 is a good starting point to make new “solid” stuff. Although I’m not especially satisfied with the performance and “features” of the newer versions of Flash Player, I think AS 3 is a pretty decent language which many people coming from other programming languages (such as Java or PHP) adopted easily, and others like us (more on the “design side of Flash”) can adapt to, coming from the background usages of AS 1 and 2.

Still, from the end-user point of view, I don’t see many advances (watching silly HD videos on YouTube is no more than watching silly videos at all, only to mention one of the best new features of the latest FP versions, quite unrelated to AS 3 at all). If we spend the new power of AS 3 creating special effects (which aren’t so special at all), I will feel like a monkey with a gun. We must evolve and create the web 2.0, before the web 3.0 arrives so soon.

AAA (Adobe Attacks Again) and bugs

CS5, which we could as well call C$5 or C$$. I will take a look at the trials, but I don’t think I will find something interesting for me. I didn’t with CS4.

I’m so concerned with the performance of the free Flash Player plugin that I’m not interested at all in any new products concerning IDEs, while they support ActionScript 3 (which means CS3).

Now, after years working fine, it seems I can’t input my own language’s characters in a Flash text field. I can’t type “cáspita” in Safari or Chrome. Which is a dramatic issue. Now our users can’t play the “Game of Wishes” anymore, where everyone can (could) type their wishes. Not, unless they use plain ASCII in their native language or we rotate 180º and use a different programming language (!).

Also, it seems there is some issue with layers (DIV) and Flash, as many sites stopped working fine in both Safari and Chrome (not to mention other browsers with less impact), including King of Kungfu (Facebook) and even Adobe’s own site.

While this isn’t solved (I hope it will be), we won’t consider taking a look at CS5, not to talk about the previous CS4.

Certain issues (every app and platform has its own issues) affect one’s daily work so much that, being an old-time believer, you may consider certain alternatives which are going their own way, such as Silverlight. It’s not that you love one or another. It’s just a matter of daily tasks and production. I can’t spend months waiting for Adobe to restore Unicode support or wmode in certain browsers (a long reported issue and still active!), just as my customers won’t wait for me.