Posted at www.hulu.com
Watch New Year’s Eve coverage of Times Square 2009
Posted at Digital Inspiration Technology Blog
by Amit Agarwal
Google says that they treat search queries as case-insensitive and all letters in a search phrase are always interpreted in lower case. For example, searches for barack obama, Barack Obama and BARACK OBAMA will all return the same results on Google.
There are however instances when the case of a search query is as important as the search phrase itself because the word meaning can change with the case. Some examples of Capitonym words include March (month) & march (walk), Polish (language of Poland) & polish (to shine), Bill (person’s name) & bill (invoice), etc.
For instance, “Ram” is the name of a Hindu God while “RAM” is an abbreviation for Random Access Memory. They both share the same spelling and it’s the case that helps you understand the real context of the word. Unfortunately, Google searches are not case sensitive (or fold case) and hence most search results for Ram or RAM are about the “temporary” memory.
To solve this problem and help you conduct case sensitive searches on Google, someone has created a Google Appengine powered search engine at Case Sensitive Search – it scans through Google search results and filters out results that match the case of your search query.
Coming back to the original example, here is a comparison of case sensitive Google search results for “Ram” vs. “RAM”.
Perform Case Sensitive Search with Google – Digital Inspiration
Posted at www.crunchgear.com
At the 25th Chaos Communication Congress (CCC) today, researchers will reveal how they utilized a collision attack against the MD5 algorithm to create a rogue certificate authority. This is pretty big news, so read on.
When you make a secured connection to a website via HTTPS, a public key certificate is sent from the server to your computer. This certificate contains a digital signature which your computer uses to verify the identity of the site to which you’re connecting. Certificates are “signed” by a Certificate Authority (CA), which acts as a kind of middle-man: you trust the CA, so you can trust the certificates signed by the CA. Anyone can create a certificate authority, though, so most browsers have a list of known reputable and trustworthy CAs. When your computer gets a certificate from a server, your browser checks the CA that issued it to determine whether the CA is trustworthy. If the CA is trustworthy, your browser assumes that the certificate being presented is trustworthy.
The public key cryptography utilized by Certificate Authorities is evolving, as are most things in the technology world. Some CAs used the MD5 algorithm to compute the digital signatures for certificates. MD5 has been known for some time to be weak against collision attacks, but running a CA is a pretty complex operation, so the entities behind them are slow to change.
Researchers attacked the MD5 algorithm using 200 PlayStation 3 systems and were able to construct a bogus Certificate Authority that looks like a known trusted CA. What this means is that these guys could generate a certificate for www.amazon.com which, when presented to your browser, would be accepted as the real thing. The digital signature on the fake certificate is listed as coming from a supposedly reputable CA, so your browser happily accepts it, reassuringly showing you the little padlock icon.

Okay, so how does this affect you? If the researchers’ results can be duplicated by a malicious agent, they could generate any number of certificates that would be trusted by browsers all around the world. This alone might be sufficient, though this attack could be coupled with a sophisticated DNS attack to make it really really really hard for anyone to realize that they’d been suckered. Your browser would report that you’re at yourbank.com; your browser would report that you were using HTTPS to protect the connection; and your browser would report that the SSL certificate being used for that HTTPS connection really did belong to yourbank.com. Granted, the level of effort required to perform such an attack is currently enormous, and the potential gains are probably limited, so it’s likely not the kind of thing that would be pulled on average Internet users. But it’s still something about which to be concerned.
The attack outline states “[w]ith optimizations the attack might be done for $2000 on Amazon EC2 in 1 day.” Thankfully, the researchers are not releasing their specific implementation. That’s somewhat reassuring, but expect conniving folks somewhere to try to recreate the researchers’ results for less academic purposes.
The PDF concludes with this: “No need to panic, the Internet is not completely broken” and assures us that the “affected CAs are switching to SHA-1”. SHA-1 is believed to be weak against certain attacks, though, so it might be better for the vulnerable CAs to jump right to SHA-2 or SHA-3.
Bottom line: as always, be cognizant of your browsing habits. If something looks or feels fishy, don’t provide any account names or passwords. Use different passwords for different websites, so that if you do get suckered by a phishing attack the phishers don’t get the keys to your online kingdom.
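For anyone who runs servers or an internal CA, the practical follow-up to the post above is to find certificates still signed with MD5 or SHA-1. The following is an added example, not code from the article or the researchers: a small DER reader that extracts a certificate's signature algorithm and classifies it. The function names and the verdict labels are this example's own, and the sample input is a constructed certificate skeleton, not a real certificate.

```python
# OID -> (name, verdict). Verdicts follow the post: MD5 is broken for
# signatures, SHA-1 is doubtful, SHA-2 based algorithms are acceptable.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "reject"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    subids, value = [], 0
    for b in body:                          # base-128, high bit means "more follows"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    if not subids or body[-1] & 0x80:
        raise ValueError("bad OID")
    first = min(subids[0] // 40, 2)
    return ".".join(str(a) for a in [first, subids[0] - 40 * first] + subids[1:])

def alg_oid(alg_body):
    tag, oid, _ = read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def signature_oid(cert):
    """Signature algorithm OID of a DER certificate; inner and outer copies must agree."""
    tag, body, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    t_tbs, tbs, pos = read_tlv(body, 0)     # tbsCertificate
    t_alg, outer, _ = read_tlv(body, pos)   # signatureAlgorithm
    tag, _, p = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] version
        tag, _, p = read_tlv(tbs, p)
    t_in, inner, _ = read_tlv(tbs, p)       # tbsCertificate.signature
    if (t_tbs, t_alg, tag, t_in) != (0x30, 0x30, 0x02, 0x30):
        raise ValueError("unexpected certificate layout")
    if alg_oid(inner) != alg_oid(outer):
        raise ValueError("signature algorithm fields disagree")
    return alg_oid(outer)

def audit(cert):
    oid = signature_oid(cert)
    return SIG_ALGS.get(oid, (oid, "review"))

# --- constructed sample input (skeleton only, for running the example offline) ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for s in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [s & 0x7F]
        while s := s >> 7:
            chunk.append(0x80 | (s & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def sample_cert(sig_oid, inner_oid=None):
    alg = lambda o: der(0x30, der(0x06, encode_oid(o)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(inner_oid or sig_oid))
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" + b"\xAA" * 128))

if __name__ == "__main__":
    for oid in SIG_ALGS:
        print(audit(sample_cert(oid)))
```

To audit a real certificate, pass its DER bytes (not PEM text) to `audit()`.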
Posted at Pluggd.in
by manish
Rediff has launched its content portal in Pakistan – and is probably trying out the new interface as well (which Ajit talked about earlier).
The Pakistani site runs on Joomla (can easily make out from the URL structure), interface is a lot cleaner (has a slightly NYT appeal) and is currently ad free (almost! though not sure for how long)

The site has made extensive use of Joomla components (JA Slide etc), uses Google translation api to support different languages – and is well structured in terms of showing relevant category articles.
This is quite interesting, as Ajit Balakrishnan earlier termed the current UI of Rediff (the newsy style) as ‘horseless carriage’ and the new look sports a typical magazine-styled layout.
I believe the new look is primarily driven by ease of publishing and categorizing articles that CMS tool like wordpress/joomla provide – and hence (the carriage) can be better controlled by editors.
What’s your take on the UI of the Pakistani portal? Any tip whether this is the same interface they will launch in India?
Update: This was a false tip. Will Rediff take action against this site? It should.
Posted at Geeking with Greg
by Greg Linden
Amazon CTO Werner Vogels posted a copy of his recent ACM Queue article, “Eventually Consistent – Revisited“. It is a nice overview of the trade-offs in large scale distributed databases and focuses on availability and consistency.
An extended excerpt:
Database systems of the late ’70s … [tried] to achieve distribution transparency — that is, to the user of the system it appears as if there is only one system instead of a number of collaborating systems. Many systems during this time took the approach that it was better to fail the complete system than to break this transparency.
In the mid-’90s, with the rise of larger Internet systems … people began to consider the idea that availability was perhaps the most important property … but they were struggling with what it should be traded off against. Eric Brewer … presented the CAP theorem, which states that of three properties of shared-data systems — data consistency, system availability, and tolerance to network partition — only two can be achieved at any given time …. Relaxing consistency will allow the system to remain highly available under the partitionable conditions, whereas making consistency a priority means that under certain conditions the system will not be available.
If the system emphasizes consistency, the developer has to deal with the fact that the system may not be available to take, for example, a write … If the system emphasizes availability, it may always accept the write, but under certain conditions a read will not reflect the result of a recently completed write … There is a range of applications that can handle slightly stale data, and they are served well under this model.
[In] weak consistency … The system does not guarantee that subsequent accesses will return the updated value. Eventual consistency … is a specific form of weak consistency [where] the storage system guarantees that if no new updates are made to the object, eventually all accesses will return the last updated value … The most popular system that implements eventual consistency is DNS (Domain Name System).
[In] read-your-writes [eventual] consistency … [a] process … after it has updated a data item, always accesses the updated value … Session [eventual] consistency … is a practical version of [read-your-writes consistency] … where … as long as [a] session exists, the system guarantees read-your-writes consistency. If the session terminates because of a certain failure scenario, a new session needs to be created and the guarantees do not overlap the sessions.
As Werner points out, session consistency is good enough for many web applications. When I make a change to the database, I should see it on subsequent reads, but anyone else who looks often does not need to see the latest value right away. And most apps are happy if this promise is violated in rare cases as long as we acknowledge it explicitly by terminating the session; that way, the app can establish a new session and either decide to wait for eventual consistency of any past written data or take the risk of a consistency violation.
Session consistency also has the advantage of being easy to implement. As long as a client reads and writes from the same replica in the cluster for the duration of the session, you have session consistency. In the event that node goes down, you terminate the session and force the client to start a new session on a replica that is up.
Werner did not talk about it, but some implementations of session consistency can cause headaches if a lot of clients are doing updates to the same data where they care what the previous values were. The simplest example is a counter where two clients with sessions on different replicas both try to increment a value i and end up with i+1 in the database rather than i+2. However, there are ways to deal with this kind of data. For example, just for the data that needs it, we can use multiversioning while sending writes to all replicas or forcing all read-write sessions to the same replica. Moreover, a surprisingly vast amount of application data does not have this issue because there is only one writer, there are only inserts and deletes not updates, or the updates do not depend on previous values.
Please see also Werner’s older post, “Amazon’s Dynamo“, which, in the full version of their SOSP 2007 paper at the bottom of his post, describes the data storage system that apparently is behind Amazon S3 and Amazon’s shopping cart.
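The session-consistency behaviour described in this post can be simulated in a few lines. This is an added example, not code from the post or from Amazon: the class names are hypothetical, and background replication is modelled as an explicit `sync()` in which the highest version wins, which is an assumption of the example. It shows read-your-writes inside a session, the lost counter increment across replicas, the fix of pinning read-write sessions to one replica, and session termination on node failure.

```python
class SessionTerminated(Exception):
    """The replica backing this session went down; the client must start over."""

class Replica:
    def __init__(self, name):
        self.name, self.up = name, True
        self.data = {}                      # key -> (version, value)

class Session:
    """A client session that reads and writes one replica for its whole lifetime."""
    def __init__(self, replica):
        self.replica = replica

    def _store(self):
        if not self.replica.up:
            raise SessionTerminated(self.replica.name)
        return self.replica.data

    def read(self, key, default=None):
        return self._store().get(key, (0, default))[1]

    def write(self, key, value):
        store = self._store()
        store[key] = (store.get(key, (0, None))[0] + 1, value)

class Cluster:
    def __init__(self, n):
        self.replicas = [Replica(f"r{i}") for i in range(n)]

    def session(self, i):
        return Session(self.replicas[i])

    def sync(self):
        """Assumed replication model: every live replica adopts the highest version."""
        live = [r for r in self.replicas if r.up]
        for key in {k for r in live for k in r.data}:
            newest = max((r.data.get(key, (0, None)) for r in live), key=lambda e: e[0])
            for r in live:
                r.data[key] = newest

def read_your_writes():
    c = Cluster(2)
    a, b = c.session(0), c.session(1)
    a.write("profile", "new")
    mine, theirs_before = a.read("profile"), b.read("profile")
    c.sync()                                # eventual consistency catches up
    return mine, theirs_before, b.read("profile")

def lost_update(pin_to_one_replica):
    c = Cluster(2)
    c.session(0).write("hits", 0)
    c.sync()
    a = c.session(0)
    b = c.session(0 if pin_to_one_replica else 1)
    for s in (a, b):                        # sequential increments, no sync in between
        s.write("hits", s.read("hits") + 1)
    c.sync()
    return c.session(0).read("hits")

def failover():
    c = Cluster(2)
    s = c.session(0)
    s.write("cart", ["book"])
    c.replicas[0].up = False                # node dies before the write replicated
    try:
        s.read("cart")
        terminated = False
    except SessionTerminated:
        terminated = True
    return terminated, c.session(1).read("cart")   # new session sees stale state

if __name__ == "__main__":
    print(read_your_writes(), lost_update(False), lost_update(True), failover())
```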
Posted at OnStartups
by Dharmesh Shah
The following is a guest article by Neil Davidson. Neil Davidson is
co-founder and joint CEO of Red Gate Software. He also runs the annual Business
of Software Conference with Joel Spolsky. His blog is at http://blog.businessofsoftware.org
and you can follow him on Twitter at http://twitter.com/neildavidson.
A couple of weeks ago, Jason Cohen of Smart Bear wrote
a guest post on 6 reasons why this economy is good for startups. Damn you
Jason, both for your perfect timing and for writing the blog post I wish I had
written. So I’m going to have to ride on your coat tails, scrape the barrel and
come up with 6 more reasons why now is as good a time as any for startups.
Here they are:
1) VC money is hard to get. Yes, this is a good thing. You only need VC money
for a software startup in certain, very narrow circumstances: if this isn’t your
first startup, and if having the money would genuinely accelerate your
growth (if you’re Dharmesh, for example). It takes time to get used to
running a software company. Mulla Rasrudin once said that good judgment comes
from experience, and experience comes from bad judgment. Lots of money and bad
judgment don’t mix well. If you’ve not done this before then you will make many
mistakes. Make small ones, not million-dollar ones, and make them without VCs
breathing down your neck.
2) Even if you are unlucky enough to get VC funding, the odds are still good.
In the late 1990s, in the days of Webvan, pets.com and Boo.com, the five year
survival rate of VC-backed software companies was still close to 50%.
3) You need constraints to build great software. If there’s one thing we’ve
got plenty of in this economy, it’s constraints. Make good use of them.
4) Constraints enforce discipline. You’ll need to, among other things, manage
your expenditure, focus on making products that people actually want to buy,
learn the difference between cash flow and profitability and figure out how to
market on a shoe-string. Now is an excellent time to forge those skills. You
will need them the next time things go bad.
5) Times are turbulent, but the turbulence contains many pockets of
opportunity. Big companies will be too large, or too clumsy or too slow to fill
these pockets, but you, as a startup, can. And you only need the tiniest market
niche to start up. Once you’ve started, you’ll gather momentum, and you’ll
figure things out. Don’t overanalyze: odds are you’ll find success doing
something other than what you intended anyway, so whether you pick a small
market niche or a billion dollar opportunity doesn’t matter. You’ll end up doing
neither.
6) In difficult times, skill and hard work, which you can control, become
more important than luck, which you can’t. I like this soccer analogy. If you
want to compare my soccer skills with David Beckham’s then don’t put us both six
feet away from an open goal and ask us to kick a ball into the net. I might get
lucky, and he might show off and miss. Instead, start us off from the other end
of the pitch against a couple of defenders and a goalkeeper. Then you’ll get a true
picture.
Starting a business is risky, but not as risky as you think. The oft-stated
fact that 90% of startups fail within their first year is an urban myth. In
reality, the four year survival rate for IT startups is over 50%, and there’s no
evidence that this is significantly lower for companies founded in a downturn.
And most start-ups that fail don’t crash and burn, owing people money and
bankrupting their founders. They are quietly wound down, or sold on, and the
founders set something else up or return to employment, with the added skills
that even attempting, and failing, to build a business bring.
Starting up isn’t for everybody, but don’t use the state of the economy as an
excuse for inaction. Research shows that external factors such as the economy,
or the industry you’re in, aren’t the only – or possibly even the main – factors
that determine success. How much you love your product, and how deeply you’re
prepared to commit, count just as much. So choose something you are zealous
about, think things through, save up some cash and quit your day job.
Posted at Pluggd.in
by Editor
SBI website, www.sbi.co.in was hacked on Dec 25th – though the site has been restored, the transaction features are not yet enabled and will take another few weeks to conduct transactions at the site.
What’s interesting to note is that SBI wants to avoid the word ‘hacking’ and is calling the disruption ‘technical problem‘ – again, a case of not informing users whether their data is safe or not.
The bank has three million Net banking users. If you are one, did you receive any mailer from SBI informing the issue (i.e. technical snag?)
Do you feel comfortable hearing about the hacking from third party sources (and not the bank itself?)?

Posted at WATBlog.com – Web, Advertising and Technology Blog in India
by Rajiv Dingra
We have confirmed from various sources that Microsoft is launching its ad network Drivepm in India. In fact it has also started hiring for the Drivepm division in India. Drivepm was a part of aQuantive (an online advertising firm) that was acquired by Microsoft last year for a whopping 6 billion dollars.
Microsoft launched Drivepm in Canada earlier this year and I think they are gearing up for an early 2009 launch in India. We have confirmed news that they have hired people in India to start their India centric operations, though there has been no official launch or word from Microsoft on their India launch.
The ad network space in India is one that refuses to die down even though the ad dollars are seeing a slowdown the world over. And if homegrown ad networks weren’t enough, international ad networks like fox networks have launched in India.
The count of ad networks operating and catering to the Indian market has easily gone above a dozen and it continues to grow. The question still remains as to how they differentiate themselves from each other as most of them promise low cost inventory and highest reach. I expect a few to shut shop and a few to be acquired in the next 2 years. Ultimately only half a dozen networks would survive the next 3-5 years in India. What’s your take?

Posted at mail.google.com
> I’m not seeing any news on the blog or the mailing list.
There’s a lot of quiet activity going on, the best place to look right
now is the searchui mailing list and the Launchpad bug tracker.
https://bugs.launchpad.net/wikia-search/+bugs
Activity there is guiding daily work. I’m focussed right now on
thinking through every step of the workflow from a “wiki” perspective -
what failures do we have right now in the process of users being able to
monitor the site, monitor each other, and act effectively?
> Could you tell
> us a bit what’s going on? Also, I think wikia is using yahoo api for
> search, when are you going to use the actual wikia index alone?
Hard to say when we’d be able to use the actual wikia index alone. The
main idea is to focus right now on solving one of the “chicken-and-egg”
problems by using Yahoo BOSS to get industry-standard algorithmic search
results as a base for community activity.
I’m using Wikia Search as my main search engine, “eating our own
dogfood” as they say. I wasn’t able to do that with the limited test
index, and neither was anyone else really. With the Yahoo backend, end
users are able to function and therefore actually use the site in a way
that starts to make it better and better every day.
This will generate the large quantity of freely licensed data that we
will need, as a community, to start thinking about how to feed that
human intelligence back into the algorithmic part of search.
It’ll also help us to build up traffic levels so that the project can
afford more servers to do a better crawl of the web, etc.
It’s a project to *build* a freely licensed, all open source, community
controlled search engine. It’s going to take some time and there are a
lot of moving parts.
liked the iPhone angle in this article
Posted at ReadWriteWeb
Twenty years after the release of the Morris Worm, one of the first worms discovered on the Internet, the Web has proven to be the primary place where bad guys lurk, looking for poorly secured websites to plant malicious code. And, they find plenty.
According to the 2009 Security Threat Report [PDF] from Sophos, one new infected Web page is discovered every 4.5 seconds. With that in mind, we thought we’d take a look at the top security threats you should be looking out for in 2009.
The Sophos research showed that over the past year the number of SQL injection attacks against innocent websites increased, a trend Sophos expects will continue next year.
Web insecurity, notably weakness against automated remote attacks such as SQL injections, will continue to be the primary way of distributing web-borne malware.
A recent report from the Internet Crime Complaint Center also points to an increase in SQL injection attacks in 2008, specifically relating to financial services and the online retail industry. Unfortunately, cyber criminals prey on the needs of Web users at any given time, and this time the economic crisis is their meal ticket.
The article is well worth reading if you’re interested in how attackers compromise websites by SQL Injection or if you want ideas on how to reduce the likelihood of intruders gaining access to your private data.
In February 2008, Sophos confirmed a ‘poisoned Web advertising campaign‘ on BBC competitor ITV‘s website that affected both Windows and Mac machines. While we’ve all seen Scareware, the pop ups designed to scare people into buying anti-virus software, this is the first time it has been seen for the Mac.
According to Sophos, a Flash file was injected into traffic served up by ITV.com via third party advertising agencies. Designed to promote a program called Cleanator (Windows) or MacSweeper (Macs), the programs claimed to detect “compromising files” and encouraged users to purchase a full version of the package.
As websites often use third parties to serve up their advertising, Graham Cluley, senior technology consultant at Sophos, suggests taking care when selecting agencies. “Website owners should ask the third party agencies they use what procedures they have implemented to positively vet the adverts that they deliver for malicious content or unsavory links.”
With social networking on the rise, the bad guys have found yet another playground on the Web. The Sophos report reveals 1800 Facebook users had their profiles defaced in August by an attack that installed a Trojan while displaying an animated graphic of a court jester.
Gated sites appeal to the bad guys because they form a “launching pad” for mass distributing malware attacks and spam, like the recent Koobface Trojan which attacked both MySpace and Facebook and transformed victim machines into zombie computers to form botnets.
Twitter too has become a tool for cyber criminals to distribute malware and marketing messages. In many cases, the bad guys steal members’ usernames and passwords and bombard the victims’ friends with marketing messages or direct them to third party websites. With Twitter especially, it is difficult to discern where links are going due to the 140 character limit and the use of services that shorten URLs.
On the flip side however, Chris Boyd of FaceTime Security Labs at this year’s RSA Conference explained that social networking sites are incredibly useful for security researchers. “The people that create these things have been on social networking sites since the beginning; they need to be on them a lot to understand them intimately enough to exploit them. But many times they leave a trail online that we can use to track them, to find out things like their names, ages and friends.”
While Mac malware is minuscule compared to Windows malware, Sophos recommends Mac users follow safe computing best practices and avoid complacency even though cyber criminals are more likely to stick to attacking Windows computers in the foreseeable future due to the higher financial incentive.
With so many Windows home users seemingly incapable of properly defending themselves against malware and spyware, it seems sensible to suggest that some of them should consider switching to the Apple Mac platform. This is not because Mac OS X is superior, but simply because there is significantly less malware currently being written for it.
Along with the scareware attack mentioned earlier, there have been other attempts to infect Mac computers in 2008: the OSX/Hovdy-A Trojan, the Troj/RKOSX-A Trojan, and the OSX/Jahlav-A Trojan.
While most malware and spam is produced as a result of financial incentive, with smartphones, Sophos believes malware will more likely be written by those wanting to make headlines. As neither the iPhone nor the G1 has yet been the target of a significant attack, someone will want to be the first and claim the title.
Apple iPhone
According to Sophos, iPhone users are more vulnerable to phishing attacks than their desktop counterparts for three reasons:
Google Android
Hackers are only just getting a real look at the Android OS, so there is not much to report; however, one security flaw was revealed only days after the G1 went on sale. The flaw, discovered by Charles Miller, a principal security analyst at Independent Security Evaluators, was in the browser partition of the phone. According to the New York Times, the flaw enabled keystroke logging software to be installed, making it an easy trick to steal identity information and passwords.
Additionally, while many are impressed with Google’s open attitude to applications, others are concerned about the ease with which malicious software could be distributed, and caution when it comes to downloading third party apps is advised.
Sophos predicts as more people purchase smartphones, creating threats will become increasingly attractive to cyber criminals: Imagine a generic Mac OS X attack made for the iPhone that could also cripple the Mac computer.
Cyber criminals will always be ahead of security experts simply because most of what the anti-malware providers discover is generally published for the public; the bad guys aren’t as open with what they do. But, being aware of trends, keeping security patches up to date, and installing firewalls will do much to thwart the majority of attacks.
What security threats do you think we should be thinking about in 2009?