[How To] Implementing Shindig.

I should have written an article/tutorial on how to implement/use Shindig to convert your SNS into and OpenSocial compliant SNS. Time, however, has prevented me from doing it so far. May be sometime later.

For now, you can have a look at my presentation on the same topic. I had presented it at Barcamp Bangalore 7, and PHPCamp Pune. It was recommended by Dan Peterson, Google, on the Shindig developer’s mailing list. πŸ™‚

For those who don’t have an idea what I am talking about; I have been (officially) working on OpenSocial for quite sometime. OpenSocial is a specification developed by giants like Google, MySpace, Ning, etc. to provide a common platform (API) for social app developers. Shindig, an Apache incubator project, is what can help your site become OpenSocial compliant.

By the way, I am referring to the Six degrees of Separation in the initial slides. πŸ™‚

Slashdot, uh! :|

Slashdot is supposed to be a respectable (news) portal for geeks and nerds. It’s punch line says News for nerds, Stuff that matters. I must admit that there was a time when I used to start my day with Slashdot, trying not to miss even a single news. That phase, however, is over. The two biggest problems with Slashdot today are:

1. The Slashdot community, which is getting reduced to people who lurk around to post comic and sarcastic comments. It’s very seldom that you come across an intelligent and insightful comment.
2. The news, if I may say so, itself.



By flickr.com/photos/nesster/



This rant is a direct result of a news titled Google Assists In Arrest Of Indian Man, posted on 19th. First of all this is an Old News. In fact I’d used the context to post a legal analysis of the impact of another Orkut worm, as per my knowledge and belief. I have nothing against reading old news, but for God’s sake, don’t claim it to be new.

Secondly, the post cites Shivaji as a saint. He was not a saint. He was a king and a warrior. Do your homework before posting, or rather approving such news.

Thirdly, the tone in which the post is written is as vague, if not more, as the point the post tries to make. If you wish to blame Google, get proper info before doing that. Google has a pact with Indian law enforcement. They are bound to provide such info. If you wish to convey the news that a false person was convicted, say it. If you wish to bring about the role of Yahoo! and Google in such cases, do it properly.

Being said all that, I don’t think I’ll completely stop reading /. . However, the prestige of being Slashdotted now seems to be just about traffic now.

A Phish floating in Google Survey!

Demo

1. Phizy-Phizy-Phizy

I have always loved making this phizy-phizy-phizy sound purposelessly, which I once heard in a Rob Schneider movie (which, if I remember correctly, was a pathetic movie). Anyhoo! I, now, have a set of very strong reasons to move around repeating the same lines.
First, we received a request to be involved in a discussion for a Risk Assessment Model for a Banking site. This model had to be focussed on Two Factor Authentication and Phishing. This brainstorming gave me a couple of interesting avenues to work on. Hopefully, I’ll be writing more in this pretty soon.
Secondly, Peter Thomas (one of my amazing Bosses), forwarded me the link about the latest research by Nitesh Dhanjani & Billy Rios. They virtually infiltrated the Phishers ecosystem and have come up with some very interesting information.
Thirdly, my friend Swen called me up to let me know about a phishing mail, claiming to be a Google survey, that had landed in his mailbox. He was excited for two reasons:
a) He had received a phishing mail for the first time, and I guess you all remember the excitement the first time you discovered your first phishing mail.
b) He is one of the Google fans, and is worried about the safety of the vast majority of user-base Google has. Obviously, his concern isn’t without reasons.
by-mcbeth www.flickr.com/photos/mcbeth/235875/

2. A Phish named GoogleSurvey

As I mentioned Swen informed me about the shiny phish called GoogleSurvey. It presents you a page that looks completely similar to the Google Login page and requests you to login in order to complete the survey. If you login, you are presented with 3 questions on by one. At the end you are thanked for completing the survey.

3. Anatomy of Google-Survey-Phish gills

The Google Survey Phish isn’t sophisticated y ANY standards. Clearly, it’s done by some n00b, and was probably deployed using a very cheap Phishing Kit. However, it’s really interesting to understand how it works.
The first page the you encounter while analyzing is http://www.googlesurvey.co.nr/, which I must admit, looks very similar to the Google Mail login page. A look at the source code reveals that this is not the original page. The google mail look-alike page is alike page is actually located at http://googlesurvey.99k.org/. http://www.googlesurvey.co.nr/ only frames the page at with 100% width and 0px border.

Another interesting point to note is that the phisher used a free hosting service http://www.zymic.com/free-web-hosting/. Thus, theoretically he/she cannot be traced. Not via the hosting service, at least. πŸ™‚

Now, when you enter your id and password, the data is sent to a php script on the server located at http://googlesurvey.99k.org/LoginAuth.php. Quite obviously, this script stores/mails your credentials for someone who’s not a very pleasing person.

4. Demo: Farming your own Phishes for fun & profit *cough*

The world of Phishing is so dark, deep, safe, easy, and seductive that a person with even a slight malign would be tempted to this farm his/her own phishes and make easy money. I set up my phishing domain for educational purposes. It also shows how quickly you can setup your very own phishing portal, sometimes even without a phishing kit. The domain I’ve setup has the following flaws (introduced to prevent me getting screwed by some half-witted law enforcer) :
1. The domain points at Yahoo!, while the page displayed is similar to the GMail login page.
2. The information entered is NOT stored. You can check it by entering garbage data.

I have used the same page used by the GoogleSurvey Phish, and also used the same free hosting service.

5. Conclusion

It’s almost impossible to prevent users from getting Phished. People will continue to click on links they receive in their inbox and </sarcasm> proceed to win an ipod </sarcasm>. Reducing phishing requires a number of things to be in place -sensible developers, well informed end user, smart browsers with phishing aware features (IE7, Fx2 etc.), a few toolbars like NetCraft to be installed, etc. etc. And even doing all this doesn’t guarantee to save a user ignorant of phshing. I mean how do you save a person who doesn’t even know that such a kind of fraud exists.
Moreover, the URI vulnerabilities have added another dimension to the whole phishing scene. πŸ™‚

AdSense exploited by malware (Trojan.Qhost.WU)

1. Life & Code

By http://www.flickr.com/photos/13798876@N02/1466880287/

(The title of this section is taken from Johnny’s blog of the same name, Life and Code. Although my implementation of the phrase isn’t in terms with Johnny’s, yet I could resist using it. πŸ™‚ )

Life: Three days ago I found that there are some strange entries in my local Apache web server logs. Something like:
127.0.0.1 - - [18/Dec/2007:19:39:26 +0530] "GET /iview/msnnkhac001160x600Xdig1600000185msn/direct;wi.160;hi.600/01 HTTP/1.1" 404 352
127.0.0.1 - - [18/Dec/2007:19:42:19 +0530] "GET /pagead/show_ads.js HTTP/1.1" 404 320

Code: Bitdefender informs of a malware, termed as Trojan.Qhost.WU, is redirecting all the requests made to the Google’s ad server (page2.googlesyndication.com) by the victims browser to a rougue ad server.

2. Impact of the issue:

Reportedly, a big part of Google’s earnings comes from it’s Ad services. Thus this trojan is not only depriving Google of it’s earning’s, but also the publishers who work hard and hope to make some quick buck for their evening coffee.

3. The enigmatic “hosts” file:

You all know that every system connected directly to the internet is assigned a unique IP address. The domain name (viz. http://projectbee.org) is nothing but a unique name assigned to a unique IP (although more than one domain name can be mapped to an ip address, that is not our concern right now). This mapping is stored in DNS servers. Each time the browser tries to open up a site, a nearby DNS server is queried to find the ip address.
However, before all this, the DNS server of your local system, hosts file, is queried. (Don’t mistake me, this DNS server is just a metaphor πŸ™‚ ). The hosts file stores a domain name to ip address mapping for domains that don’t need a query to DNS server. e.g., localhost is mapped to 127.0.0.1, the loopback ip, i.e. the ip of local system.
On your windows 2000/NT onwards system, it’s located at %systemroot%\system32\drivers\etc\hosts and on your *nix systems at /etc/hosts. More info on location can be found here.

Now coming back to my problem; unable to find any satisfactory answer, I posted it on Slackers. (Giorgio) Maone, better known as author of the awesome NoScript plugin for Fx, immediately responded, and asked me to check my hosts file.
I had added a number of entries of ad serving sites to point to the local ip in my hosts file and forgotten. I did this to prevent ads from being loaded. Hence, each time any of these sites were called, the hosts file redirected the requests to my local server.
So pretty obviously, I was/am not infected.
“Why do you post the junk about your issue then?”, you ask.
“Because it was a strange coincidence, and because I can, honey :P”

4. How the exploit works?

It’s fairly simple, the malware modifies your hosts file and adds an entry for page2.googlesyndication.com to prevent DNS lookups and direct all the requests to the malicious server.

5. How do I protect myself?

1. Locate your hosts file and remove any entry for page2.googlesyndication.com. Alternately, you can even modify the entry to point to your local ip, in case you don’t wish to see those ads.
2. Let your Antivirus/AntiSpyware do it for you.

6. Conclusion

What! Dump M$ Windows for Linux. πŸ˜›
Seriously, “Linux ain’t easy to use” is a myth. Moreover, if you are into flashy looks, try compiz-beryl package. It IS Awesome… (and consumes amazingly less resources than…uh Vista.)

7. Bonus Tip

In case you wish to prevent your kids, partner, (or even parents) from visiting some sites; or do not wish to see those crappy ads from being loaded, you might consider editing your hosts file. For more information or even sample hosts files, use Yahoo! search.

Orkut Latest XSS Worm; and what it means for Indian Orkuteers

Update: Kishor reports a flaw in the implementation of “private” videos feature on Orkut. Although I am at office and I haven’t checked it yet myself, I believe I can trust him, based on his posts at Slackers. Nice one Kishor. πŸ™‚

1. YAWN [Yet Another Worm, Nanny]

http://flickr.com/photos/aqlott/1735501790/

Orkut (Google’s MySpace and Facebook for Indian, Pakistan and Brazil) has been hit by an XSS worm. It’s useless to say but I am not able to resist, so I’ll say it anyways. It’s not the first time that a Social networking site has been attacked by an XSS worm. In fact these sites are the primary target due to a number of reasons -easier gullibility level, exponential reach, huge amount of data waiting to be harvested, web 2.0 etc. etc. etc. There’s good compilation of XSS worms going on at Slackers (Social n/w worm, or no).
Anyhoo. This incident has already been reported by a number of bloggers, so I won’t dive into the technical details. However, this worm seems to be harmless and fixed for now.

2. What it did?

If you viewed a message 2008 vem ai… que ele comece mto bem para vc in your scrapbook, there is a big probability that you’re infected. You were added to a community named Infectados pelo VΓ­rus do Orkut at http://www.orkut.com/CommunityJoin.aspx?cmm=44001818. The worm then forwards itself to the scrapbook of all your contacts (on your behalf). Any doubts on it being exponential?

3. IT Act 2000 [pdf]

IT Act 2000 is India’s legal answer to the miscreants on the technological front. (I realize it’s a pathetic definition, so no flame on it please πŸ™‚ ). The trouble with IT Act 2000 is that the majority of law enforcers aren’t really aware of the real life scenarios. I’ll give a real case to support the point, in a while. Although I am no law expert (just a little bit of interest), I guess I can safely say that the Act needs a few amendments to include/modify a number of issues (e.g., SPAM, etc.)

So what happens when the implementation is in nascent stage, and the enforcers are not completely eductaed?
Things get blown out of proportion. Things get painted in a completely new color. Things get… uh! fill them up yourself.

Chapter 11 of the Act defines the Offences – section 65 to section 78. For now, let’s have a look at Sections 65, and 67.
Section 65: Tampering with computer source documents.

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation: For the purposes of this section, “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 67:Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

I have mostly been interested in section 67 (which according to some in the law indsutry) also extends to sms service πŸ™‚

Anyhoo. If you are interested in punishmentsm, here’s the link. Have a look. You might be serving one someday πŸ˜‰

5. Case Study

There have been quite a few cases revolving around Orkut, but the one that I’ll be talking about (and is the most relevant) is the one where wrong man ( named Lakshmana Kailash K) was put behind bars for 50 freakin’ days. He’s “reportedly” involved in the defamation of Chhatrapati Shivaji, a highly revered historical figure.
In case you aren’t aware, Orkut (Google) has signed a pact with Indian Law Enforcement. They pledge to “block any ‘defamatory or inflammatory content’, or hand over IP address information to police if asked”.

So what happened in the above case?
Law enforcers are reported about the defamation of Shivaji, they contact Orkut, Orkut gives IP, law enforcers run to the ISP (Airtel in this case), Airtel provides address, Guy put in jail.
Simple. Isn’t it?

The only trouble being that Airtel provided the wrong address.
Whoops! And bang! The dude spends 50 days straight, for something he didn’t do.
Neha Viswanathan, a blogger based in UK, has a very nice write-up on the incident. Further, there’s a very nice compilation of some Cyber Crime cases in India at the IndiaCyberLab portal.

6. Putting the pieces of puzzle together

Let’s first collect all the pieces together:
1. Orkut has a pact with Indian law Enforcement.
2. Law enforcers are incompetent *cough*.
3. Orkut (or any other similar site) still has XSS and CSRF flaws in them. Period.
4. XSS and CSRF let you (among other thousand things) manipulate source code (section 65) and/or insert obscene/derogatory (section 67).
5. XSS and CSRF let you post/manipulate data on some other person’s behalf. (Orkut/Samy etc. worms did not require you to click anywhere. Just load the page and the payload in inserted in your friend’s scrapbook on your behalf).

Now combine them all, and you’ll realize that there might be a day when you just sent a “long time no scraps” scrap in your friends scrapbook and went to bed. The next day, a bunch of Cyber officers wake you up, and arrest you for defaming Bala Saheb Thakrey.

…and yes! Don’t talk about Democracy. You’ve already seen that the politicians can get away with a wrestling in parliament arena that will put WWE stars to shame. On the contrary, a chap is detained for 50 days just because the cops thought that they had enough evidence.

7. Conclusion

What!
Stay away from social networking sites. Trust me, they are not worth the price.

The Web is Broken

Update: I somehow managed to make a blunder. A part of slide no. 12 was taken from David Kierznowski’s (of GNUCitizen and Blogsecurity group) presentation for OWASP Belgium Conf. I missed out on mentioning David’s name in the credits. Apologies David. I’ve updated and re-uploaded it.

Yesterday, I presented my first Webinar (Seminar on Web). It was titled, The Web is Broken -Why every feature is, in fact, a loophole. A great experience.

Although after listening to my own recording, I felt that a number of things went wrong (mostly because of problems in connectivity and slow internet speed). The issue I was worried about was that it was targeted at developers with beginner to intermediate level knowledge of web, but the topic was very broad. Fortunately, I received some good feedback along with requests to conduct more such sessions. The talk was scheduled for 1.5 hours, but it stretched for 2.5 hours.

Here is the presentation:

I hope you like it too. πŸ™‚

Java vulnerable to remote compromise

ZDNet Asia reports that Google Security team has discovered as “Dangerous Java Flaw that threaten’s Virtually Everything“. The interesting part of this news is that, apart from a few scary statements, it doesn’t inform you anything else.

The Sun advisory page on this flaw, however, informs you about two flaws which are nothing but Buffer Overflows. Do not mistake me that I am undermining the impact of Buffer Overflow Attacks in any way. It’s just the ZD Net article’s title which’s bugging me. It makes the flaw look like an out of world ET attack scenario.

  1. A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
  2. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Now firstly, Buffer Overflows are no new form of attacks. They have been here since the existence of man (I admit that’s a little much :D), and they are here to stay. Thus, articles like this are more like FUD, IMHO.
Secondly, applet support is very limited in mobile devices. Not to mention that J2ME supports only PNG format. Thus, not “virtually everything” is everything.
Finally, image parsing library in Sun’s Java implementation is through a native library. It’s time that Sun writes a Java equivalent for it to avoid other similar issues. Further, since Java is now GPL, I also hope to see the code coming from some random, pimply, introvert teenage kid. πŸ™‚

The problems can be resolved by updating the packages. Detailed info provided on the Sun’s advisory.

Month of Search Engine Bugs: “Mission Accomplished”

The Month of Search Engine Bugs by MustLive has come to an end.

MutLive reports:

In the project took part 33 search engines (30 web engines and 3 local engines) of 19 vendors, some vendors have several engines. The list of project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether there were published 104 vulnerabilities in mentioned engines. Including Cross-Site Scripting (as XSS, and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. It is without taking into account redirectors in search engines (altogether there were published 23 redirectors).

Results of the projects: fixed 44 vulnerabilities from 104 (without taking into account redirectors). It is 42,31% fixed vulnerabilities. Owners of search engines have a place for improvements of their engines’ security.

Over a period of 30 days, 104 and vulnerabilities/bugs were discovered out of which only 44 have been fixed. Out of these 19 vendors, only two (Rambler and Ezilon) have thanked him for his commendable hardwork.

Several researchers, including Jeremiah, RSnake, Christ1an etc. blogged about it. Considering the complexities involved in the fixing a bug, they agree at some point that 44 is still a good number. However, there is one Big “Cheer” Leader which isn’t fixing the bugs. No points for guessing that the Leader believes in “not doing evil things”.

Google Lost Me!

It’s strange writing something like this using a service that’s owned by Google. πŸ™‚
But it was long overdue.

There was a time when I used address Google as “Google God” :).
Used to believe a lot that they religiously follow their “Do no Evil” motto. I forgot that as companies grow, there are bound to be employs who are evil by nature.
It reminds me of my Pre-Placement Training during college days when I was “tutored” that, Honesty is not a strength. You are supposed to be honest” This obviously isn’t true when people take the excuse of “everybody-is-doing-it-so-why-not-me”.
And lets face it.
Money matters!

Anyways, coming back to the topic; I mentioned in one my previous blogs when my Google AdSense account was disabled because of my own mistakes. I took the responsibility and had no complaints. However, when my AdSense account was disabled for the second time, I made a thorough study of their privacy policies. That’s when I came to know about their two-faces.
They allow several sites to utilize their services even when they falter with the terms and conditions. One thing common among all these sites was, “they all are High Traffic sites”.

As I mentioned, a post on the topic was long overdue. I stopped myself with one or other reason. The latest development, however, made me talk about it.
According to Privacy International’s latest report on Top 23 Internet Companies, Google held the last spot (even below M$). This topic, as Privacy International itself admits, is controversial. It’s report however, is substantially supported.
You might want to have a look at the post on the same topic on RSnake’s blog. Do not miss out on the comments.

Footnote: This post is not an outlet to my anguish. I (mistakenly) had more faith in Google than most of you. Another post on innovativeness of Google technologies is due.
And BTW, I do not mean to say that Google has turned evil. I believe as the company has grown, the motto has changed to “Do no Evil. If there is any, close your eyes“.

An insight into Sun’s *crazy* strategy.

I have been reading a lot of discussion on Sun’s current market position/revenue versus their *mad* strategy. I have simultaneously been working on Java’s history for my book. I thought it might be interesting to post my views on the topic and see what others are thinking. To justify/criticize Sun’s current modus operandi, I will talk a little about their past strategies, and their respective outcomes.

The Past

Most of the people know James Gosling as the father of Java. Only a few know that he was also the lead engineer of Gosmacs (gmacs or Gosling Emacs) and NeWS. Now, I won’t be talking about Gosmacs (which according to some people is/was the reason of some conflict between RMS and Gosling. Phew!)
However, NeWS (Network extensible Window System) is of a little concern, mostly because it was arguably superior to X Window System… and because it FAILED. The most important reason for its failure (and X Window’s success) is that Sun kept it proprietary.
Later on when Sun developed Java, some people, especially the genius Eric Schmidt (then CTO-Sun, now CEO-Google), were aware that keeping Java within enclosed fences will lead to similar devastating results. Not to mention that *7 (for which Java was developed) had already failed and Java was still in search of a viable market.

So what did he do?
He focused on making it as open as possible and tried building a *Java Community*. (Google SoC, IMHO, is also a β€œwin-the-community-and-you-win-everything-else” approach. But then that’s a different topic altogether. πŸ˜‰ )

Where were we?
Yeah! So he focused on building a Java Community.
Apart from organizing developer conferences like JavaOne, Sun also encouraged user groups (JUGs), which reached over a number of 400 in year 2000 itself. In fact they went a step further with JCP (Java Community Process) to make the development of Java *as open as possible*.
The reality behind all this community building scene was the fact that the direct control remained with Sun (well mostly).

Everything, however, was running smooth; for Sun as well as the Java developers.

β€œI envy you. But such a thing is not meant to last.”

Persephone, Matrix Reloaded

I guess the above statement is valid for every aspect of human existence.
In early 2004, Jonathan Schwartz, referenced Eric Steven Raymond’s β€œThe Cathedral and the Bazaar” and compared JCP to the β€œBazaar”, stating that development of Linux was more like a β€œCathedral”. I would not expand on it but this was enough to infuriate ESR πŸ™‚

ESR wrote an open letter addressed to Scott McNealy, CEO-Sun, with a subject line β€œLet Java Go”. He accused Sun on several fronts (for which I’d pursue you to read the letter) and appealed to Open Source Java. A few weeks later RMS wrote an essay on Java Trap and appealed the developers to contribute and use open source projects like GCJ/Gnu Classpath etc. Several other appeals/open letters were published (Apache’s Geir Magnusson Jr., IBM, etc.)

A series of events followed before Sun announced that it will be open sourcing Java. There main concern was Microsoft forking Java and hence, destroying its cross platform compatibility (which shows that they really were clueless on how Open source model works/ can work).
They had no other option than to Open Source the *giant*, and they did it.

The Present

The past unarguably affects, if not defines, the present. Sun’s experience since the NFS days to (forced) Open Sourcing Java days taught/reminded them of their most important lesson.
The Community is fruitful!
Build a community and everything else will follow, sooner or later.

So here they are.
Open sourcing EVERYTHING.
Building Community, and making it mutually encashable. It’s obviously not so profitable for them today, but the future holds immense potential.

The way they have been endorsing and promoting stuff is simply adorable. Even NetBeans has its own *arena*.
Not to mention the, so called, developer conferences organized all over the world in a distributed fashion to reach the most number of developers. I, however, have several concerns regarding them. You may read some of them at Amit’s blog. I hope Sun listens to the plea of developers and improves the quality of these summits.

Another amazing strategy, IMHO, is the blogs that Sun employees post regularly. I have subscribed some of them and it’s really amazing to see that how important role these blogs are playing in binding people. They often link each other’s (Sun Employees, of course) blogs. You can have a look at the Sun-Blogging homepage to get a feel of the number of hits the folks out there are getting. Now even if I read only one of these, I’d get to know about latest developments. I am not sure whether it’s a part of their strategy, but it’s definitely working as a powerful advertising medium.
Yup! I know that employees of other firms write blogs too and probably get bigger number of hits, but I haven’t seen anyone of them making so much of a difference on an organizational level. (Please correct me if I am wrong)

The Future

I am no Nostradamus and I cannot predict future.
All I can say is the future is (mostly) Free & Open. IBM (previously referred Satan) secured its place (with a Halo on head) by contributing to the Apache httpd project and winning the FOSS community. Now it’s Sun’s turn and they are playing pretty well.
Yes, their revenue might be a concern today; but I don’t really see a reason why there future shouldn’t be bright. πŸ™‚

Is Google Bomb REALLY Diffused?

I posted a very small article on Google Bombs; and quite co-incidentally few days later read that Google has started diffusing the bombs. Now “started diffusing…” makes sense when it has to be done manually, but aren’t we talking about terabytes and petabytes of data? We can never expect it to be done manually. Moreover, Google’s official announcement said the same. It also admitted that “…the impact of this new algorithm is very limited in scope and impact…”.

The phrase, however, seems to make some sense to me now, that I’ve discovered that some bombs are still lying around.
Try making a search for the word “BAD“.
Who do you see as the topper?
Quite interestingly, it was African Development Bank for me. Surprised?
I first thought that BAD might be the acronym for the bank’s name, as in case of NEHA, which is an acronym for National Environmental Health Association.
After a little playing around, I found that a few days ago, SEOmoz.org appealed to make Stephen Colbert as the Greatest Living American. And apparently, he has become the Greatest Living American πŸ™‚

Quite honestly, I am pretty happy that the algo is flawed.
An attempt to diffuse the bombs, in my opinion, was more public image oriented rather than result improvement oriented.

Footnote: May be BAD is not linked willingly (I firmly believe that it’s not), but then who said Google Bombs are all about linking willingly. May be they have some process which forms an acronym of the same name. But then how relevant is such and acronym if it doesn’t even appear on the home page?

Idle Nights: Devil’s Mind

I stay back in the office during night and return back at around 6-7 am, when everybody is coming :). These nights are supposed to be LONELY as I am the only one in the building (actually in all the four buildings combined), apart from the security guards and office boys, of course. However, I’ve found my companions, and ways to refresh myself. I’ll list some of them.

1. Online Web/Security Cameras: Some of you who know that Google provides an API for refining the search queries (with a capital “R”) also know that the giant’s database is like an ocean. And you never really know what’s inside an ocean unless and until you dive in it. As you dive deeper, your jaw drops in awe.
Long story cut short, I use the query to discover (a part of) all AXIS cameras online.
For curious lot, the query is: inurl:/view/view.shtml AXIS and sometimes intitle:”Live View / – AXIS” | inurl:view/view.sht
[As I am writing this, I wanted check the second query. So I chose one of the results and something spooky happened. Someone was already controlling the camera. hehe.
I was moving it right, he/she was moving it left. We fought for a while but then I closed the window. I am nice guy you see :D)

Okay let’s proceed.
So I have a bookmarked folder called “PastTime” on my browser, which has my favorite cameras bookmarked. My most fave are:
i) A coffee/wine shop camera, which is more lively during the night. Luckily, the camera is provided officially, so I can provide the link without any worries. Find the link to the camera here: buzzjunction_webcam

ii) A camera in the study room of a Polytechnic school of NewYork. It’s a small room with a coffee machine, a microwave oven (?), a printer, a sofa, a bookshelf, and an elliptical table with power connection for the laptops and notebooks.
And that’s the best part. People come here with there laptops, and sometimes I sit down looking at there screens, trying to figure out what they are doing. πŸ˜›
I have also become acquainted with some regular visitors.
A spectacled guy with a cap and a laptop. (He is leaving right now. No kidding. What a coincidence [jawdrop])
A black girl, who has the headphones exactly like mine.
Two Muslim girls, with one Dell XPS laptop (probably).
The bad part is, there are no visitors on sundays πŸ™
iii) A micro/nano lab camera of one of the world’s most famous universities. There’s nothing engaging about this, apart from the fact that the guys (or girls) roam around in spacesuit sort of dresses.
iv) A set of four surveillance cameras. Three of them pointing to car parking locations and one focussed inside some kind of room. I am still not able to get it yet. The only thing that makes me stick to it is the word “surveillance” πŸ˜€

There are couple of others focussed on traffic, colleges, hostels (I guess), lake, parks… but they are pretty boring and pictures are not really clear.
I’d like to try my hands on other cameras like linksys too. Let’s see when.

2. Google Again: Google queries can be real fun.
Have you ever come across a search result when Google tells you that the original number of results is pretty large, however, most of them are sort of repetitions hence they have been truncated.
Have a look at the following two pictures.

Β pic1.jpg
This one’s the normal result.


pic2.jpg
Here I ask Google NOT TO OMIT ANY RESULT.


You think that’s funny?
I leave it up to you to decide.

3. Slashdot, and blogs of others friends (and their friends) and some geeks like de Icauza etc. Initially I was a Digg addict, but then got completely fed up.
So guys, keep blogging. πŸ™‚

4. Movies and Documentaries: Net speed during the night is awesome (generally). So I don’t mind downloading them. Though I don’t get time to watch them.

5. Off late I’ve also found some vulnerabilities in the policies and network of my company. I try to keep the management informed.
After all it’s my company. I’d definitely not like any jerk to poke his nose in.

That’s it.
These five (along with the songs being played ALL the time) are currently more than enough to consume my free time (In fact more than JUST the free time).
But even after all this, it gets freaking lonely sometimes… not that I am complaining πŸ™‚

Google Bomb! [Update: Diffused]

Boom.
I mean Hi πŸ™‚

I am not talking about something new. The term was coined by Adam Mathes on April 6, 2001 in uber.nu.
talking about the topic, should I explain what Google Bomb is, or should i explain the consequences?
Ummmm.

Okay. Goto Google, type “misrable failure”, and click on “I am feeling Lucky”.
What we get is the President of America’s page :D.

The reason being the way Google’s algo works.
While rating the web pages, Google employes several… ummmm ways/methods (I could not get the right word :P).
Anyways. One of these ways is to rate the pages based on the number of links it has, and also the keyword that has been used to link it.
One of the reasons my blog appears [last time I checked it was 11th] for the name “bipin”, though there no “Bipin” on the blog. Some of my friends have links to my blog using my real name.

… and the most scary thing, it doesn’t take a lot of links.

Wish to DEFAME someone?
You’ve the way now πŸ˜‰

Update:
Google has started diffusing it’s bomb.
In a recent update Google inormed @ the official Google Webmaster’s blog informed that they have diifusing the bomb. [What the heck man? Were they waiting for my write-up πŸ˜‰ ]

Top Rating in Google :D

I was in one of my “Saddy-Saddy-For-No-Reason” moods.
And didn’t want to bother anyone so started playing with Google’s Webmaster Tools.

I used them for the first time so I had to go through the usual “add site”, “verify”… blah blah.
But after that I was surprised to see that my tech blog rates @ 1 for the search keyword COLUKABKI.
I verified it and was really amazed… status [:surprised:] & [:dead:]It even features above www.colukabki.com :-O

Another surprise, which I am still not able to figure out is that my personal blog features @ 10 for my real name……… however, I do not have my name ANYWHERE on the blog. [May be it’s somewhere in the comments. Whatever….]

I know it’s not a BIG achievement…. but it’s just the beginning… πŸ˜›

Update: Looks like the “my-personal-blog-getting-on-top-10” has been a victim of “Google Bomb Diffusion”. I never intended to raise my blogs rating by any such activity. It’s probably because my friends linked my blog using my real name….
…and now when the so called Google Bomb is diffused, my site, one of genuine sites to get weightage is suffering.
It’s time Google stops worrying about it’s public image and starts working on things that makes me address it as “Google GOD