13
2007
At first when I saw this my reaction was ‘huh’ (can they afford to do this?). Then it was ‘wow’ it would be cool if they did that.
Finally when I found yesterday that my account had been upgraded to their RC (Release Candidate version), I couldn’t help but try sending an SMS and guess what ISDN (it still doesn’t work!).

21
2007
OK, so in the last post I talked about Atlanta being a city where people travel in cars. But the day before, while going to college, I saw this…
Scooters!
Hmmm, so they do exist in this part of the world. The next thing I wanted to know was the name of the company who made it and guess what! It was “Hamara Bajaj”, the humble Chetak. It seems that there’s a company in Atlanta that gives them out for hire.
1
2007
I have been wanting to write a post after coming to the US but hadn’t got the time to do that. Now that I am in the middle of the semester, I finally got the urge to write about it, partly because there is this Labo(u)r Day weekend, when I have almost nothing to do but go through my study notes. A picture that I took just now will tell how empty the area really looks!

The first thing that struck me about this country was that it is huge. No, wait, everything is huge; buildings, roads, cars, supermarkets, vegetables, Internet connection speeds (yes Europe has more, but they are getting here with fibre-optics) - USA is the place where supersizing started.
Georgia Tech is fine, don’t ask me much about it. I have taken up a course in Computer Graphics (seems a little advanced which is good), a course about GPU programming and Multi-core processor programming (cool!, but have yet to start with the fun, I mean, tough part), Software Engineering (yes, I still need to learn how we make software, Microsoft wasn’t good enough) and High Performance Computer Architecture (similar to ACA in NSIT but more current). No heavy special projects for me yet, am trying to see how this goes and will definitely work on one next semester.
Found two of my relatives living around Atlanta, have been to their place and enjoyed it! Both have young kids and they got along with me pretty well (or did I get along with them well, dunno).
About the title, yes, you would hardly find anyone walking on the streets except perhaps in the morning when they are out for jogging or when they need to reach their car; the rest of the time people drive. Now gas (petrol for Indians) is no longer what one would call cheap here but I guess that people have become so used to driving that they cannot seem to do without it. There is a mini public transport system in Atlanta called MARTA but it’s so small that it would look like a toy train in front of the Delhi Metro. But then Delhi has n times the population of Atlanta and 1/n times the area of the city. So I guess that such a small train would be OK for the city, especially when half the people live miles away from the downtown area where most of the offices are.
Oh yes, I got a new laptop. A Dell Vostro 1500 with a GeForce 8400 graphics card (OK so it’s not as good as the 8800, but I don’t have fat pockets you know!). I got the card just for DirectX 10 support (which I learnt has a programmable graphics pipeline) and I plan to keep the laptop for a pretty long time, at least 3 years if not more.
Will stop here, else my post will start looking like an article. Will add more later, till then, I hope this blog will stay alive!
21
2007
Last year, I arrived in Hyderabad to work for Microsoft, without even knowing what group I would be working for. I was assigned to the Education Products Group and I had no inkling about what I would be working on. Thus was my demeanour when I came here.
Now after having spent a year here, I can only marvel at what I have been through. I was involved in the development of a CTP for a V1 product, researching new ways to add value to the product and finally the release of the Windows MultiPoint SDK. What could be a more awesome start to one’s career? Not only this, I came across brilliant people, not only in my team, but in various others and admittedly learnt a lot from them (and made friends with them too).
But life has to go on… and with a deep regret I have to put this behind me for pursuing my Masters at Gatech. Let’s see what life has in store for me.
4
2007
I have been an avid fan of new services offered by companies, to compare different ones and find the best to use. So for my domain I have been using Google Apps for e-mail and it has been working flawlessly. Needless to say I have been very happy with them (kudos!). Support was quite non-existent but never really had a serious issue with them.
Then Microsoft came with their Windows Live Custom Domains. Even though the package was not as good as Google, a sense of loyalty to my company drove me towards using it. Using it was a no-brainer. Sign up with your Live ID and register your domains. Since I was already happy with Google Apps, I gave it a miss. But when they introduced support for sub-domains I was more than happy to try it out and my mail.smart-techie.com is hosted on it. Not a problem with that ever, yay Microsoft. BTW their support was just great!
Now enter AOL. Famous for its terrible ways (and how it was made to make everything on its site free!). For some time, they didn’t even have free customer support. When they came with one, it was pathetic. Now, I registered my primary domain with them for their myeAddress service expecting it… to work. Big surprise, it didn’t (actually it wasn’t that much of a surprise).
Finally I found a link to contact their live customer care. Live… must be able to solve problems quickly.
27
2007
(Continued from Secure Web Interfaces)
OK, I had a tremendous urge to call this post “Hacking Web Interfaces”. But due to some uneducated folks who believe hacking is a bad word, I think I will stick to its euphemism.
The most direct way to feed random data to a web service is in a raw format. Use telnet for absolute low level communications or tools like Fiddler for communications at a higher level like HTTP. But with sites hosting hundreds of script files and HTML pages on their server, this approach has become more and more impractical. But there are other means to mess with the client side code.
DOM Inspector
If you use Firefox, you will notice there’s a utility called DOM Inspector that is included with it. As the name suggests, it allows you to see the DOM of the rendered HTML page. But, it also allows you to modify that DOM. You can modify the values of the properties of different DOM objects in the tree and even insert new objects.
Let’s try this technique on a product of one of the largest software companies, Google Calendar. I will use no other software than Firefox and DOM inspector.
Let’s go to the Settings screen. They have a setting for the “Custom View” property for the calendar.
Now I am a guy who wants to know what he would be doing in the next 2 months but there is no option for that kind of view. Hmm, let’s see if the DOM can help us. Firing up the DOM Inspector, we see that the logic is quite simple.
The value of the ComboBox determines the duration for which the custom view displays the calendar. The value in the ComboBox is simply translated to the number of days. So I change the value to 42 (which is 6 weeks) and save my Settings. Et voilà, I get a custom view with 6 weeks.
Cool!
Using Visual Studio with IE
IE has a script debugger built in, but it is worthwhile to go in for Visual Studio as the debugger of choice. There’s a free version of the Visual Studio suite called the Express edition available which you can download and use.
Now to make it work…
- Enable Script debugging in Internet Explorer.
- Create a New Solution with an Empty Website (File > New > Web Site…).
- Go to Property Pages for the new Website in Solution Explorer and enter the URL you want to debug. Don’t worry if you don’t know the URL, just enter any URL and fire the breakpoints only when you hit the required URL.
- You might get a dialog asking you to include the web.config file. Answer Yes and continue. Now you will be surfing with the debugger attached to Internet Explorer. You can hit pause, set breakpoints and even skip those functions that don’t interest you.

Using Venkman with Firefox
I would have loved it if Visual Studio also worked with Firefox. There’s a solution called Venkman. I won’t go through the complete detail of how to go about using it, you can read it up here.
I haven’t found a way to skip code (a la Visual Studio) using this yet.
You can change variable values by directly typing the JavaScript code for it.
The interface doesn’t have all the bells and whistles but should be able to get most of your work done.
24
2007
On the Internet, security is overrated. Every third site you visit talks about it. But still, not many sites take steps to implement it. This has been the complaint of people all these years and is still true today. Unless it is a site that is dealing with financial transactions, most interfaces provided by these sites are non-secure and prone to client side attacks. I believe it is a false assumption that unless your site is processing credit card payments, it doesn’t need security. Security is not just about protecting ‘monetary transactions’. It is more than that; it involves protecting your computational resources (bandwidth, CPU usage), intellectual resources (JS files, web services) and of course, the services that the site is providing (like acting as an SMS gateway).
In this post I take a look at some ridiculously simple security blunders committed by popular sites. These might not always be critical but provide an interesting insight into the design quality metrics followed at these companies.
While surfing the Net, whenever I see a website offering a cool service, my natural instinct is to find out how they are doing it. For example, Rediff used to have this ActiveX based multilingual mail composition feature, which they replaced with a JavaScript based one. Cool! So now I could work on Firefox and still send my mail in Hindi! How (naively?) were they doing this? Create an IFrame and put the entire composition feature in it. Hmmm, OK, but couldn’t someone just rip off the JS files and create, say, a multilingual composition plugin for WordPress using their code. Access to the .js files doesn’t even require a login to the Rediff servers and using them is as easy as pointing the URL to http://f1mail.rediff.com/quill/QuillPadWeb.html. I am not sure what their testing team (if they have one) thought of this, but this allows someone to use the cool text entry interface by just copying 4 files off the Rediff site.
The easiest way to thwart leechers is to deny access to the scripts unless you are logged on. That would take care of direct linking (protecting computational resources). But there’s no easy solution if someone just copies the files off the server and hosts them on his website (protecting intellectual resources). What do you do then? Probably obfuscate the code enough so that he never knows what file he has to copy. Yahoo mail does an excellent job of the obfuscation. Even their images are protected (in a loose way) by referring them through their MD5 hashes; enough to deter a casual hacker.
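The first measure suggested above, refusing to serve the script files to anyone who is not logged in, as an added example that is not code from the original post or from any of the sites it mentions. The decision is kept in a pure function so it runs without a network; the `/quill/` directory, the `sid` cookie name and the session store are all constructed for the example.

```javascript
// Added example (not code from the original post): serve a site's script
// files only to logged-in users, the measure the post suggests against
// direct linking. Session store, cookie name and script directory are
// constructed for the example.

const PROTECTED_PREFIX = "/quill/"; // hypothetical directory of the editor scripts

// Constructed session store: session id -> user name. A real site would look
// this up in whatever backs its login.
const SESSIONS = new Map([["s3ss10n-abc", "alice"]]);

// Split a Cookie request header into name -> value pairs.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Decide what status a request for urlPath should get, and which headers to add.
function decideScriptRequest(urlPath, cookieHeader, sessions = SESSIONS) {
  // Resolve "." and ".." so "/quill/../other.js" is judged by its real path.
  const path = new URL(urlPath, "http://localhost").pathname;
  if (!path.startsWith(PROTECTED_PREFIX)) {
    return { status: 200, reason: "public resource" };
  }
  const sid = parseCookies(cookieHeader).sid;
  const user = sid ? sessions.get(sid) : undefined;
  if (!user) {
    return { status: 403, reason: "login required" };
  }
  // Mark the script private so shared caches do not hand it out later.
  return {
    status: 200,
    reason: `served to ${user}`,
    headers: { "Cache-Control": "private, no-store" },
  };
}

// Stand-alone demo over constructed requests.
const demoRequests = [
  ["/quill/QuillPadWeb.js", ""],
  ["/quill/QuillPadWeb.js", "theme=dark; sid=s3ss10n-abc"],
  ["/quill/QuillPadWeb.js", "sid=expired"],
  ["/quill/../index.html", ""],
];
for (const [path, cookie] of demoRequests) {
  console.log(path, JSON.stringify(decideScriptRequest(path, cookie)));
}
```

As the post itself notes, this only stops unauthenticated hotlinking: a user who is logged in still receives the files and can copy them, so the gate buys bandwidth protection, not protection of the code.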
Another flaw is doing all (and I mean ALL) the validation at the client side using JavaScript. Client side validation is a nice way to reduce load at the server end. But sometimes, this solution is implemented without safeguards.
While designing any API, there is a golden rule that has to be followed…
All input is evil
Agreed, you have JS to check and ensure that the user input is correct. But what if I inject code through your web service using a simple script debugger like Visual Studio for IE and Venkman for Firefox. Even if I am not able to inject code, I will certainly be able to inject syntactically valid input data which is still invalid. To illustrate, imagine a banking service where the amount that can be withdrawn is checked against current balance using JavaScript. I could very well skip the function, overwrite the function which gets the current balance and a lot more. Unless the server is checking the validity of the transaction itself, I would be able to make any kind of transaction.
In my next post I will discuss some techniques that can be misused to thwart JavaScript based validations. The purpose of the post will be to further educate software designers about the pitfalls of client side validation which is not backed by robust server side validation.
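The server side of the two scenarios described on this page (the calendar setting submitted as a number of days, where the DOM was edited to post a value the ComboBox never offered, and the banking withdrawal whose balance check lived only in JavaScript), as an added example that is not code from the original post or from any of the sites it discusses. The endpoint paths, the allowlist of view lengths, the account store and all sample requests are constructed for the example.

```javascript
// Added example (not code from the original post): the server-side checks
// that must back any JavaScript validation. Covers a settings value submitted
// as a number of days and a withdrawal compared against the balance. Every
// name, path and value here is constructed for the example.

// The values the settings <select> actually offers (constructed allowlist).
// Someone who edits the DOM can submit 42, -1 or "abc"; only these pass.
const ALLOWED_CUSTOM_VIEW_DAYS = new Set([2, 3, 4, 5, 6, 7, 14, 21, 28]);

function validateCustomViewDays(raw) {
  // Type and shape first: a short decimal integer, nothing else.
  if (typeof raw !== "string" || !/^\d{1,3}$/.test(raw)) {
    return { ok: false, reason: "not an integer" };
  }
  const days = Number(raw);
  if (!ALLOWED_CUSTOM_VIEW_DAYS.has(days)) {
    return { ok: false, reason: "value not offered by the UI" };
  }
  return { ok: true, days };
}

// Constructed account store: account id -> balance in whole currency units.
function newAccountStore() {
  return new Map([["acct-1", { balance: 500 }]]);
}

function processWithdrawal(store, accountId, rawAmount) {
  const acct = store.get(accountId);
  if (!acct) return { ok: false, reason: "unknown account" };
  // Whole positive units only: rejects "1e3", "0.5", "-200", "" and null.
  if (typeof rawAmount !== "string" || !/^[1-9]\d{0,9}$/.test(rawAmount)) {
    return { ok: false, reason: "malformed amount" };
  }
  const amount = Number(rawAmount);
  // The balance check the post says sites leave to JavaScript, repeated here
  // where the client cannot skip it or overwrite the function.
  if (amount > acct.balance) {
    return { ok: false, reason: "insufficient funds" };
  }
  acct.balance -= amount;
  return { ok: true, balance: acct.balance };
}

// Dispatch a form POST (application/x-www-form-urlencoded body) to the right
// validator. URLSearchParams stands in for a framework's body parser.
function handleForm(store, path, body) {
  const form = new URLSearchParams(body);
  switch (path) {
    case "/settings/custom-view":
      return validateCustomViewDays(form.get("days"));
    case "/account/withdraw":
      return processWithdrawal(store, form.get("account"), form.get("amount"));
    default:
      return { ok: false, reason: "unknown endpoint" };
  }
}

// Stand-alone demo over constructed requests, including ones the page's own
// JavaScript would never have sent.
function demo() {
  const store = newAccountStore();
  const requests = [
    ["/settings/custom-view", "days=14"],
    ["/settings/custom-view", "days=42"],               // the DOM edit
    ["/account/withdraw", "account=acct-1&amount=200"],
    ["/account/withdraw", "account=acct-1&amount=600"], // client check skipped
    ["/account/withdraw", "account=acct-1&amount=-50"],
  ];
  return requests.map(([path, body]) => [path, body, handleForm(store, path, body)]);
}

for (const [path, body, result] of demo()) {
  console.log(path, body, JSON.stringify(result));
}
```

The client-side script can keep its checks for the sake of responsiveness; the point is that each handler above re-derives the answer from data the server controls (the allowlist, the stored balance) and treats the submitted string purely as untrusted input.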
24
2007
12
2007
I had been wanting to write about my Shimla visit but due to the general laziness that has crept upon me of late, I was unable to do so. The reason for visiting Shimla was my cousin brother’s (Montoo’s) wedding. This was the first Himachali wedding I have seen and so I was excited about it.
I arrived at Delhi on Friday night and the wedding was on Sunday. So we left as soon as it was Saturday morning. The journey through the plains was pretty uninteresting, except that numerous flyovers and highways were being built throughout the route. Was really heartening to see that the country is actually thinking about infrastructure as a major focus area and spending time, money and effort on it.
Things I noticed about the place (some of which I had noticed before too):
- Entering the hilly region, the first thing that took me by surprise was a hoarding at Pinjore which announced “McDonalds, 15 km ahead”. Hmm, this was something that was not there when I had gone to Shimla in 2003. Had the area become so commercialized? So, finally at Jabli, we saw this outlet with the characteristic sign and we instantly knew we were there. The outlet was part of some resort chain, but was quite big; probably to handle the tourist rush that would swamp the hill stations in the summers.
- There is an absolute dearth of parking in the city! The number of cars has grown exponentially in the past years, I have been observing that through all the time I have come here for my summer vacations, but hardly any effort has been made to provide more space for parking. We parked near the Railway Station (you can see the tracks in the background of the pic). I can imagine the traffic snarls that would occur in the tourist season. The traffic policewallahs are cool though. They allow you a reasonable amount of time to unload your stuff and then firmly tell you to move on, good!
- The ubiquitous footbridges around the main road. I don’t know if I used to imagine this, but when I was younger, I think they used to be made of wood, at places. But when I finally walked on one it was made of solid concrete. But, I still shied from walking towards the edge, one slip and you would be off the path.
- The “Church” below the District Court and above the ARTRAC (Army Training Command). I think there used to be a school earlier at this place.
- Rain shelters on the roads. I remember how once I was stuck in the rains with my Masi (aunt) while returning home. These things are really a boon, especially in areas where there is not a place in sight where one can take shelter from the rains.
13
2007