The all new Yahoo! Mail stationery rocks
I just opened Yahoo! Mail and was wondering why it was taking time to load. Yay! Yahoo! Mail has a new update. One big feature is the stationery in the compose screen. Now you can add a background to your e-mail. This is a really cool feature.
I’m not a big fan of fancy HTML mails at work, but this looks really simple and appealing. It looks very light and elegant. Liam will be my default stationery from now on.
Some time back, I remember filling in a (really long) survey on Yahoo! Mail. This seems to be an outcome of that survey. I wish the other features that were in the survey would also come soon.
And yeah! There is no banner advertisement in the compose screen!
I’m a die-hard fan of Yahoo! Mail. Yahoo! mail rocks, keep going.
A new bot ring
I see a lot of (possibly) bots back in the India chat rooms. Whatever message I send them, there is just one reply…
nalini_f21: Hello Friend Send Email 2 Chat.Here’s My E-mail address —– nalini25f@rediffmail.com <x>
A lot of IDs are logged into messenger; I see the same pattern “_f21”, and only the number differs, to appeal to a large audience. :-p
I think these guys broke both the Yahoo and Rediff captchas and are trying to harvest e-mail addresses from users who mail to that address. And even if these IDs are reported as spam on Yahoo, their Rediff accounts are safe.
Missed call business
When I was a kid, having a phone at home was a luxury, which was limited to the upper middle class and rich people. Those were the days of license raj and monopoly in India. Things changed fast, everyone owns a cell phone these days; one can get a phone for INR 500/ ~ US$ 12.
I do use a cell phone, and I appreciate the measures taken by the government to make phones damn cheap. But, to me, the most annoying thing is a ‘missed call’. Why do people give a missed call? Because they don’t want to pay for petty things; the types (what do I call it!) of missed calls are:
- A lazy friend: Dude, I’ll come to your apartment and give a missed call. You can come down then, I don’t want to climb the staircase.
- An affectionate friend: Once you reach home, just give me a missed call.
- A kanjoos (stingy) friend: I’ll give a missed call once I reach there, you call me then.
- A kanjoos (stingy) friend: (After I call back for a missed call) You have free minutes for local calls, don’t you? Shall I call you back? (Why didn’t you do it in the first place?)
- A water supplier: (After I call back for a missed call) Sir, I couldn’t find your address, can you tell me any landmark?
- An old friend: (After I call back for a missed call) Hey, I thought you would be busy, so I gave a missed call.
- A stranger: (After I call back for a missed call) I dialed your number by mistake, realized it and hung up.
- A friend: (After I call back for a missed call) Sorry yaar, I don’t have enough balance, so I gave a missed call, what’s up? (WT*!)
- A friend: (After I call back for a missed call) Hey, your office phone is free of cost, why didn’t you call from that?
- A math-aware friend: (After I call back for a missed call) You are in roaming, why should both of us pay for the call, just you pay. Yay! I’m saving money.
And people are real experts at giving missed calls that last a fraction of a second. I might not realize that I got a call, and when I look at the phone, I sometimes think that I’m thick skinned and didn’t feel the vibration. And there are some people who give missed calls continuously until you call them back.
This board hung on a gate caught my eye. People get free ‘No Parking’ boards from these advertisers, but this one is a different kind of advertisement. Just give a missed call to that number and I think they will call you back, and you can ask for any information in Bangalore. Yellow pages on the phone. I have used such services before, but I had to pay for the call; now they call you!
I read in some book that US companies laid too much optical fibre, thinking that Internet growth would stay exponential forever, which led to the collapse of the industry and marked the start of the dot-com bubble burst. I don’t think we are going to see any telecom bubble burst in India, for India is a country of a billion people, there’s a lot of money in the market, and the telecom people in India are smart enough. The telecom revolution in India made phone calls really cheap, but this kind of business with missed calls is an amazing idea. Yellow pages on demand.
I just gave a missed call to these guys and they called me back within ten seconds asking what information I wanted! I asked them for the address of an institute and they sent me the address by SMS.
Can this be a killer idea? Free stuff rocks!
Nadal does it again!
The czar of the clay court defeats the numero uno again on his court. I’m not a great fan of tennis, but the match between these two guys is awesome. Number one vs number two. But on clay courts, the order is reversed. Federer tried to come back in the second set, but he couldn’t succeed. It was all Nadal’s. The crowd cheered Federer throughout the match, but at the end all of it went to Nadal. Would Federer come back and challenge Nadal again on clay court? Will he succeed? That’s a big question mark.
He does it four times in a row. Congratulations Nadal!
DoS attacks using wildcards
These days, my interest has turned towards security related topics, and this whitepaper caught my attention when I was browsing through some website. It’s about DoS attacks using SQL wildcards [PDF].
Wildcards are a trivial concept. Any student studying SQL knows what wildcards are. If you ask a novice programmer to write a search function that searches records in a table, the popular answer must be “decorating” the user input with wildcards on both ends. It’s just stupid. Well, I would have done the same thing if I had written this code in my college days.
Just look at this query:
select * from table where content like '%foo%';
This is a logically perfect solution, but it doesn’t scale. Next, if the application provides an advanced search function that searches for all the terms, then the query would look something like this:
select * from table where content like '%foo%' OR content like '%bar%';
Well, the application provides the functionality, so you gotta live with it. This might be acceptable when the table has 200 records. What if the table has 2 million records?
Now, how can an attacker attack the application? You get the answer just by looking at the query once: use really long strings with lots of wildcards.
select * from table where content like '%foo___bar%i_am_a%{bad_boy}%do_you_want%to_be_my_friend%';
Do you feel the pinch now? Yeah, this can eat up CPU cycles and I/O. This can hang your machine for a few seconds. Oh! yeah, do you have a connection pool? How many connections? 100? 200? Just an equal number of such queries fired at one shot can jam your server, and there you go: DoS. If your code has this kind of problem, is a dial-up connection enough for a DoS attack?
Well, if you think this kind of problem can only affect database servers, you are completely wrong. Say your web application processes all this data and shows it back to the user, and your code doesn’t limit the number of records that can be asked for; then your application is also affected. An application level DoS.
Now, how can this be converted into a DDoS attack?
If an application accepts search queries over GET requests, then an attacker can use a “Web Spamming Tool” to auto-register on open forums and send forum posts and blog comments containing the URL of this search, or can place this search URL as the “src” value of an image tag. In this way the attacker can use other websites’ visitors to attack the targeted application…
This can get really worse if the application also has a SQL injection vulnerability. The attacker can do “anything” on your database.
How to protect from all this?
- Treat user input. Remove or escape wildcard characters properly in user input.
- Just thinking of a funny problem: don’t blindly escape wildcards. Consider the string “abc\%”. If you only prefix the wildcards with a backslash it becomes “abc\\%”, where the database reads “\\” as a literal backslash and the “%” is a live wildcard again, which is definitely not what you want. Escape the escape character itself first.
- Whitelist allowed characters.
- Set timeouts for SQL queries.
- Limit number of records that can be fetched.
- Be afraid of CSRF, use some kind of token to validate if a request is really originating from user action.
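An added example (not from the post or the whitepaper) that puts the list above into code with Python and sqlite3: a whitelist and length cap on the term, escaping that handles the escape character itself so “abc\%” does not end up as “abc\\%”, a LIMIT on the result set, and a per-query time budget via sqlite’s progress handler. The table contents and the allowed-character policy are constructed for the example.

```python
import re
import sqlite3
import time

ESC = "\\"                      # LIKE escape character used in every query below
MAX_TERM_LEN = 64               # hard cap on search-term length
ALLOWED = re.compile(r"^[A-Za-z0-9 .%_\\-]*$")   # whitelist (constructed policy)

def naive_escape(term: str) -> str:
    """The trap from the post: % and _ are escaped but the escape character
    is not, so 'abc\\%' becomes 'abc\\\\%' and the % is a live wildcard again."""
    return term.replace("%", ESC + "%").replace("_", ESC + "_")

def escape_like(term: str) -> str:
    """Escape the escape character first, then the two LIKE wildcards."""
    return (term.replace(ESC, ESC * 2)
                .replace("%", ESC + "%")
                .replace("_", ESC + "_"))

def search(conn, term, limit=20, timeout_s=1.0, check_every=1000):
    """Substring search with whitelist, length cap, proper escaping, LIMIT
    and a time budget: the progress handler aborts a statement that runs
    past the deadline (sqlite raises OperationalError: interrupted)."""
    if len(term) > MAX_TERM_LEN or not ALLOWED.match(term):
        raise ValueError("rejected search term")
    pattern = "%" + escape_like(term) + "%"
    deadline = time.monotonic() + timeout_s
    conn.set_progress_handler(lambda: int(time.monotonic() > deadline), check_every)
    try:
        return [row[0] for row in conn.execute(
            "SELECT content FROM docs WHERE content LIKE ? ESCAPE '\\' LIMIT ?",
            (pattern, limit))]
    finally:
        conn.set_progress_handler(None, 0)

def demo_db():
    """Constructed sample table, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (content TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?)",
                     [("foo_bar",), ("foo-bar",), ("foo bar",),
                      ("100% cotton",), ("plain",)])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(search(db, "foo_bar"))   # literal underscore: only 'foo_bar' matches
    print(search(db, "100%"))      # literal percent: only '100% cotton' matches
```

Without the escaping, the raw pattern '%foo_bar%' would also match 'foo-bar' and 'foo bar', which is exactly the wildcard behaviour the post is warning about.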
Happy coding. Remember, there is no patch for stupidity.
P.S. I like the quote “There is no patch for stupidity”; it is copied from someone, I don’t remember where I saw it first. Read the whitepaper for details.
Kamal’s Dasavataram
Kamal Haasan is a unique actor whose capabilities are beyond any rhetoric to explain. If you ask anyone in South India whether they like Kamal Haasan’s acting, it should definitely sound rhetorical to them. He is the oracle of acting. His method acting is his asset and it’s unique in its class. His characters and roles always have Kamal’s touch.
I’m a great fan of his movies. When I was young, I enjoyed his Apoorva Sodarulu (అపూర్వ సోదరులు). Which kid doesn’t want to see the ‘short’ Kamal? Who would forget Sagara Sangamam (సాగర సంగమం)? Is there anyone who didn’t watch Bharatiyudu (భారతీయుడు)?
And now his latest film Dasavataram is the focal point of many controversies. After all, it’s a Kamal movie, and people try to become popular by creating controversies. I’m not advocating for Kamal Haasan here, but that is one of the usual routes by which people try to become popular. I’m looking forward to this movie. Kamal must have been excellent in it. Acting in ten roles in a single movie would be the wit’s end for most actors. Here is one more movie that is going to excel. Wait for the release.
Catch some action on movies.yahoo.in