Visual Complexity of MS Windows

Over the years, Microsoft has evolved Windows into a very mature operating system. I've found Windows 7 pretty stable, and many people agree with that. However, one thing I feel Microsoft hasn't got right is the default window decoration.

Take a look at the two Command Prompt windows overlapping each other:

(Screenshot: two overlapping Command Prompt windows)

The one in the rear uses the Classic Windows decoration, similar to that of Windows 2000. The one in the foreground uses the decoration introduced in Vista, which Microsoft considers better and therefore ships as the default. It also uses Aero effects to blend the windows behind it into the current window's title bar and borders.

Most people find the former a bit boring, but it is also less distracting, simpler and visually easier to follow, and hence practically better in terms of user experience.

The latter adds bells and whistles: extra colors, more shading, thicker, blended, colored borders and semi-transparent windows.

Now let's analyze the two:

(Screenshot: the two window decorations, annotated)

Clearly, the new interface adds many elements which are not part of the window's content but are there purely as "effects". They still cost cognitive effort to separate from the meaningful content.

In 99.9% of cases I really don't want to see through my current window to a blurred view of the windows underneath; it just requires my brain's processing power to figure out the current window's contents and separate them from the window underneath. Also, such a thick border doesn't contribute anything positive in terms of user experience.


Now let us compare equal-sized windows of Windows Messenger and Google Talk. Windows Messenger uses the default window decoration while Google Talk uses a much simpler user interface.

(Screenshot: Windows Messenger and Google Talk at the same window size)

In the above screenshot, Windows Messenger is not showing me a single meaningful thing in terms of an instant messaging service. On the other hand, with the same window size, Google Talk is delivering everything: my online friends, away friends, statuses, a search box, unread emails. I can instantly click on a friend and start chatting. I can't do that in Windows Messenger without resizing the window to something much bigger. That is because not much thought has been given to space utilization.

Microsoft is simply not learning one simple thing: more is less and less is more.

I hope one day Microsoft's UX/UI teams will try to put every pixel to use rather than bloating everything up. And they must start with the default window decoration.


Quick backup of delicious bookmarks

Since delicious's new owners are going to be making changes to the service, it is a good idea to take a backup of your bookmarks.

The quickest and simplest way is to use the delicious API. Just log into delicious, then open the page:

https://api.del.icio.us/v1/posts/all

This API call returns all your bookmarks in XML format (the v1 API authenticates with HTTP Basic auth over HTTPS, so the browser will prompt for your delicious username and password). Save the page and process the XML file however you like. Easy, isn't it?
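To go one step further than saving the page, here is an added Python example (not from the original post) that downloads the same XML with Basic auth and converts it to JSON. The element and attribute names follow the v1 `posts/all` format (`<posts><post href="…" description="…" tag="…"/></posts>`); the sample document embedded below is constructed by hand, not real data, so the parsing part runs offline.

```python
"""Back up del.icio.us v1 posts/all to JSON.

Added example for this post, not the author's code. fetch_all_posts assumes
the v1 endpoint still answers HTTP Basic auth; SAMPLE_XML is a constructed
document in the v1 shape used for the offline demonstration.
"""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

API_URL = "https://api.del.icio.us/v1/posts/all"


def fetch_all_posts(username, password, url=API_URL, timeout=30):
    """Download the raw XML. Credentials go in the Authorization header,
    never in the URL, so they don't end up in proxy logs or shell history."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def parse_posts(xml_bytes):
    """Turn a <posts> document into a list of plain dicts."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "posts":
        raise ValueError(f"unexpected root element <{root.tag}>")
    bookmarks = []
    for post in root.findall("post"):
        bookmarks.append({
            "url": post.get("href", ""),
            "title": post.get("description", ""),
            "notes": post.get("extended", ""),
            "tags": post.get("tag", "").split(),   # v1 stores tags space-separated
            "time": post.get("time", ""),
        })
    return bookmarks


def to_json(xml_bytes):
    return json.dumps(parse_posts(xml_bytes), indent=2, ensure_ascii=False)


# Constructed sample in the v1 format (not real data).
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<posts user="example" update="2011-01-01T00:00:00Z">
  <post href="https://example.org/a" description="Example A" extended="" tag="python testing" time="2011-01-01T10:00:00Z" hash="a"/>
  <post href="https://example.org/b" description="Example &amp; B" extended="notes" tag="security" time="2011-01-02T10:00:00Z" hash="b"/>
</posts>
"""

if __name__ == "__main__":
    # Offline demo on the constructed sample. For a real backup:
    #   raw = fetch_all_posts(user, password); open("delicious.xml", "wb").write(raw)
    # and then feed that file to to_json().
    print(to_json(SAMPLE_XML))
```

The JSON keeps everything the XML carried, so the backup can be re-imported or grepped later without depending on the service being up.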

Slow Rails/WEBrick server inside VirtualBox

While trying to play around with Rails running in a VirtualBox VM and accessing it from my host Windows OS, I found it to be painfully slow. I'd heard that Rails is slow, but surely not so slow that a simple request takes over a minute.

The culprit is WEBrick, the default development server for Rails 3.x, which can be problematic with remote requests: by default it performs a reverse DNS lookup on every client connection, so when the VM cannot resolve the host's address the server responds only after the lookup has timed out.

This can be fixed by replacing the following line in WEBrick's config.rb:

:DoNotReverseLookup => nil,

with:

:DoNotReverseLookup => true,

With a normal installation, config.rb can be found at /usr/lib/ruby/<version>/webrick/config.rb; if you are using rvm, it'll be in ~/.rvm/rubies/ruby-<version>/lib/ruby/1.9.1/webrick/. Since the file lives inside the Ruby installation, the edit is lost when you upgrade or switch Rubies and has to be reapplied.
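Rather than guessing the path by hand, you can ask Ruby which config.rb it actually loads and patch that file with a check and a backup. The following Python script is an added example, not part of the original post: the Ruby one-liner, the `.orig` backup and the `SAMPLE_CONFIG` fragment (a constructed stand-in for the real file) are all mine.

```python
"""Find and patch WEBrick's config.rb for the Ruby you actually use.

Added example for this post, not the author's own procedure. It asks Ruby
which webrick/config.rb it loads (so rvm vs. system Ruby is handled
automatically), refuses to edit anything unless the exact line the post
quotes is present, and keeps a copy of the original. SAMPLE_CONFIG is a
constructed fragment used for the offline demonstration.
"""
import re
import shutil
import subprocess
import sys

# The line as it appears in WEBrick::Config::General; tolerate spacing differences.
SETTING = re.compile(r"^(?P<indent>\s*):DoNotReverseLookup(?P<sep>\s*=>\s*)(?P<value>nil|true|false),")


def locate_webrick_config(ruby="ruby"):
    """Path of the config.rb the given Ruby interpreter loads, or raise."""
    script = r"puts $LOADED_FEATURES.grep(%r{webrick/config\.rb\z}).first"
    out = subprocess.run([ruby, "-rwebrick", "-e", script],
                         capture_output=True, text=True, check=True).stdout.strip()
    if not out:
        raise FileNotFoundError("this Ruby did not load webrick/config.rb")
    return out


def current_setting(text):
    """'nil', 'true', 'false', or None if the line is not in the file."""
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            return m.group("value")
    return None


def patch_text(text):
    """Change ':DoNotReverseLookup => nil,' to '=> true,'. Returns (new_text, changed)."""
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        m = SETTING.match(line)
        if m and m.group("value") == "nil":
            line = f"{m.group('indent')}:DoNotReverseLookup{m.group('sep')}true,{line[m.end():]}"
            changed = True
        out.append(line)
    return "".join(out), changed


def patch_file(path):
    """Apply patch_text to a file on disk, keeping <path>.orig. Returns True if changed."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = patch_text(text)
    if changed:
        shutil.copy2(path, path + ".orig")   # the edit lives inside the Ruby install; keep the original
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


# Constructed fragment in the shape of WEBrick::Config::General (not the real file).
SAMPLE_CONFIG = (
    '  :ServerSoftware => "WEBrick",\n'
    "  :DoNotReverseLookup => nil,\n"
    "  :Logger => nil,\n"
)

if __name__ == "__main__":
    # Usage: python patch_webrick.py [path/to/webrick/config.rb]
    target = sys.argv[1] if len(sys.argv) > 1 else locate_webrick_config()
    print(target, "patched" if patch_file(target) else "left unchanged")
```

Running it a second time is a no-op, so it is safe to keep in a setup script and re-run after a Ruby upgrade. If you would rather not touch the installation at all, setting `WEBrick::Config::HTTP[:DoNotReverseLookup] = true` from a Rails initializer (before `rails server` constructs the WEBrick::HTTPServer) has the same effect; that alternative is not from the post either.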

Requests are now served almost instantly rather than making you wait until death by frustration.

SQL Injection Honeypot

One way to keep attackers from finding real vulnerabilities on your website is to keep them busy with fake ones. For instance, a few years ago, when I was finishing my undergraduate programme, I developed a web-based application to facilitate data collection and publishing for my batch's yearbook. After logging in, users could complete their profiles, write comments about their friends and upload photographs.

The login procedure was much like any other site's: users authenticated with a username and password which were matched against the database. However, if there was a single quote in the submitted username or password, the system displayed an error message showing a query string that had supposedly failed to execute. Not that it was an actual SQL injection vulnerability: I had added the message intentionally to see how people react after finding a potential vulnerability. Of course, it only showed the message and didn't give the user any extra access.

Here is a code snippet of the authentication module:

    // SQL Injection 'TEST'
    // A single quote in either field triggers the decoy. The query text is
    // fabricated (the table and column names are jokes); nothing is executed.
    if( strpos($username,"'") !== false || strpos($password,"'") !== false )
    {
        // Escape the echoed input: without this the decoy page is itself a
        // reflected XSS hole for anyone who submits HTML instead of SQL.
        // ENT_QUOTES turns ' into &#039;, which still renders as a quote.
        $u = htmlspecialchars($_POST['username'], ENT_QUOTES);
        $p = htmlspecialchars($_POST['password'], ENT_QUOTES);
        $sqlInjectionError = "
                <p><font size=2>Microsoft ODBC MySQL Drivers Message:</font></p>
                <p><B>Error in the query:</B></p>
                <p>[Microsoft:ODBC 1045] SELECT UlluKaPatha FROM UlluKePathay WHERE GadhayKaRollNo = '".$u."' AND GadhayKaPassword = '".$p."'</p>
                ";
    }
    // End SQL Injection 'TEST'

For example, if someone provided the username admin and the password x' OR '1'='1, they got the response:

Microsoft ODBC MySQL Drivers Message:

Error in the query: [Microsoft:ODBC 1045] SELECT UlluKaPatha FROM UlluKePathay WHERE GadhayKaRollNo = 'admin' AND GadhayKaPassword = 'x' OR '1'='1'

I had initially included it as humour, but later found out that some of my fellows didn't get the joke and got excited about the "vulnerability". They felt challenged and tried all sorts of SQL injection attacks. I started logging those break-in attempts and found some clever techniques being applied that I wasn't aware of before. This simple snippet served as a honeypot: it attracted attackers, gave away useful information about what they were trying to do and which techniques they applied once they saw some potential, and diverted their attention away from other, subtler vulnerabilities which actually existed.
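The same idea, with the two things the PHP snippet above leaves implicit made explicit, as an added Python example (not the author's code): the echoed input is HTML-escaped so the decoy is not itself a reflected-XSS hole, and every trigger is written to a structured log, which is the part that turned the joke into a honeypot. The trigger (a single quote) and the fake ODBC error text are the post's; the log format, the redaction rule and the sample inputs are mine.

```python
"""Login-form SQL injection honeypot (added example, Python port of the post's PHP).

The decoy fires on a single quote in either field, renders a fabricated
driver error that echoes the (escaped) input, and emits one JSON line per
attempt. No query is ever built from the input; the real, parameterised
login runs only when the decoy does not fire.
"""
import html
import json
import time

# Looks like a real driver error; table and column names are fictitious, as in the post.
FAKE_ERROR_TEMPLATE = (
    "<p>Microsoft ODBC MySQL Drivers Message:</p>"
    "<p><b>Error in the query:</b></p>"
    "<p>[Microsoft:ODBC 1045] SELECT UlluKaPatha FROM UlluKePathay "
    "WHERE GadhayKaRollNo = '{username}' AND GadhayKaPassword = '{password}'</p>"
)


def looks_like_injection(username, password):
    """The post's trigger: a single quote anywhere in either field."""
    return "'" in username or "'" in password


def fake_sql_error(username, password):
    """Render the decoy. html.escape keeps the quote visible (as &#x27;) so the
    attacker still sees the payload 'inside' the query, while <script> or
    event-handler payloads cannot execute in the page."""
    return FAKE_ERROR_TEMPLATE.format(
        username=html.escape(username, quote=True),
        password=html.escape(password, quote=True),
    )


def honeypot_record(username, password, remote_addr, user_agent, now=None):
    """One JSON line per trigger: what was sent, from where, when.
    The password field is kept only when it is itself the probe (contains the
    quote); a legitimate password that merely sits next to a quoted username
    is redacted so the honeypot log never becomes a credential dump."""
    return json.dumps({
        "ts": int(now if now is not None else time.time()),
        "event": "sqli_honeypot",
        "remote_addr": remote_addr,
        "user_agent": user_agent,
        "username": username,
        "password": password if "'" in password else "<redacted>",
    }, ensure_ascii=False)


def handle_login(username, password, remote_addr="0.0.0.0", user_agent="", log=None, now=None):
    """Return (trapped, html_or_None). When trapped is False the caller runs the
    real authentication with a parameterised query (out of scope here)."""
    if not looks_like_injection(username, password):
        return False, None
    record = honeypot_record(username, password, remote_addr, user_agent, now)
    if log is not None:
        log.append(record)          # stand-in for a file or syslog sink
    return True, fake_sql_error(username, password)


if __name__ == "__main__":
    # Constructed probe, the one from the post.
    attempts = []
    trapped, page = handle_login("admin", "x' OR '1'='1", "198.51.100.7", "curl/7.0", log=attempts)
    print(trapped)
    print(page)
    print(attempts[0])
```

One caveat the original shares: a real user whose password happens to contain an apostrophe also hits the decoy and can never log in, so in anything beyond a class project the trigger should be narrowed to patterns no legitimate password will contain.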

PyLint - A simple but important tool for Python programmers

Dynamically typed languages such as Ruby and Python give you a lot of freedom by not forcing you to declare variables and their types explicitly. The good part is that you stay focused on the problem at hand: when you want to use a variable, you just use it, rather than going back up in your code to declare it and then re-thinking where you were in the algorithm.


The downside of dynamic typing is that you can easily shoot yourself in the foot. Since names are resolved at run time, your program will run smoothly until the problematic part of the code is actually executed. Statically typed languages such as C/C++ and Java, on the other hand, make you specify the names and types of the variables you use in a given scope. The compiler makes sure you haven't misused a variable and won't compile your program until you have fixed all such errors; it can also warn you about potential problems.

For instance, you define a variable named "colour" and a few lines down refer to it as "color"; the C++ or Java compiler will catch it before the program ever runs. Python will happily start the program, and if the misspelled line sits on a rarely taken path, the NameError may only show up in production.

However, a static code analyzer can detect many of these problems in dynamically typed languages without executing the code: undefined or misspelled variable names, likely type errors, suspicious constructs and coding-style problems.

For Python, my choice of code analyzer is PyLint. It is a simple, easy-to-use tool which analyzes code quickly, finds bad smells and can format its output into a form of your choice. It also integrates well with different IDEs.

Installation

Installing PyLint is pretty simple. First install setuptools (http://pypi.python.org/pypi/setuptools#files). Then, at a command prompt, run "easy_install pylint". On Windows 7 or Vista, make sure you open the command prompt as Administrator, since the install writes to the system-wide site-packages directory.

Usage

You can run PyLint by calling the lint.py script, which is usually found under Python's site-packages directory:

> python c:\Python26\Lib\site-packages\pylint-0.22.0-py2.6.egg\pylint\lint.py test.py

It is a good idea to wrap that in a pylint.bat batch file to avoid typing all of it every time.

You can also pass command-line parameters to PyLint to control the output format and verbosity. There are numerous parameters, but you'll probably need only two: the format option (-f) and errors-only mode (-E).

-f selects the output format; the choices are text, parseable, msvs and html, and PyLint writes its results to stdout in that format. The parseable format (one message per line, with file name and line number) lets IDEs integrate with their editor so that clicking a message takes you to the corresponding line. HTML is useful where the result is viewed in a browser; for instance, you can configure an SVN hook to run PyLint on each commit and publish the report as a web page.

Add -E to switch to errors-only mode. This effectively sets PyLint's verbosity: it reports only errors and skips coding-style problems and other warnings.
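The two uses just mentioned, editor integration through the parseable format and a commit-time check, fit together in one small gate. The following Python script is an added example, not part of the post or of PyLint itself: it parses parseable lines into records, keeps what -E would keep, and exits non-zero when any error remains, so it can run from a pre-commit or SVN hook. It assumes the line shape PyLint 0.2x printed for -f parseable, `path:line: [ID, obj] message` (newer PyLint can reproduce it with `--msg-template='{path}:{line}: [{msg_id}, {obj}] {msg}'`); `SAMPLE_OUTPUT` is constructed, and `python -m pylint` stands in for the lint.py path from the post.

```python
"""Pre-commit gate on PyLint's parseable output (added example, not from the post).

Parses lines like
    test.py:7: [E0602, paint] Undefined variable 'color'
(also the newer 'E0602(undefined-variable)' form), keeps errors and fatal
messages only, and reports them in a path(line): form editors can jump to.
"""
import re
import subprocess
import sys

# path:line[:col]: [ID[(symbol)][, obj]] message
PARSEABLE_LINE = re.compile(
    r"^(?P<path>.+?):(?P<line>\d+):(?:\d+:)?\s+"
    r"\[(?P<msg_id>[CRWEFI]\d{4})(?:\((?P<symbol>[\w-]+)\))?(?:,\s*(?P<obj>[^\]]*))?\]\s+"
    r"(?P<msg>.*)$"
)


def parse_parseable(output):
    """Return one dict per message line; module banners and blank lines are skipped."""
    messages = []
    for raw in output.splitlines():
        m = PARSEABLE_LINE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["line"] = int(d["line"])
            d["obj"] = (d["obj"] or "").strip()
            messages.append(d)
    return messages


def errors_only(messages):
    """What -E keeps: errors (E) and fatal problems (F), not style (C/R) or warnings (W)."""
    return [m for m in messages if m["msg_id"][0] in "EF"]


def format_for_editor(messages):
    """'path(line): ID message' lines, the form IDE output panes make clickable."""
    return ["%s(%d): %s %s" % (m["path"], m["line"], m["msg_id"], m["msg"]) for m in messages]


def run_pylint(paths, pylint_cmd=(sys.executable, "-m", "pylint")):
    """Run pylint -E -f parseable on the given files and return its stdout.
    pylint exits non-zero whenever it reports anything, so the exit code is
    not treated as a failure here. On PyLint 0.22 replace pylint_cmd with
    ("python", r"...\pylint\lint.py") as in the post (assumption)."""
    proc = subprocess.run(list(pylint_cmd) + ["-E", "-f", "parseable", *paths],
                          capture_output=True, text=True)
    return proc.stdout


def gate(output):
    """Return (ok, report): ok is False if any E/F message is present."""
    errs = errors_only(parse_parseable(output))
    return (not errs), format_for_editor(errs)


# Constructed sample output: the colour/color slip from the post plus two non-errors.
SAMPLE_OUTPUT = """\
************* Module test
test.py:5: [C0111, paint] Missing docstring
test.py:7: [E0602, paint] Undefined variable 'color'
test.py:12: [W0612, main] Unused variable 'tmp'
"""

if __name__ == "__main__":
    # Usage in a hook: python pylint_gate.py file1.py file2.py  (exit 1 blocks the commit)
    output = run_pylint(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    ok, report = gate(output)
    print("\n".join(report) or "no errors")
    sys.exit(0 if ok else 1)
```

Only E and F messages block the commit; C, R and W are still available to the IDE when the gate is run without -E, which keeps the hook from turning style nits into failed commits.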

Integration with PyScripter

Integration with the PyScripter IDE is pretty simple. Just install PyLint and start PyScripter. Press Ctrl+L and PyLint's output for your code appears as a list in the messages pane. Clicking a message in the list takes you to the corresponding line in the editor.

(Screenshot: PyLint output in PyScripter's messages pane)

To see only error messages and hide coding-style and other warnings, go to Tools -> Configure Tools -> Py&lint and append -E to Parameters. Now when you run PyLint, you'll only see errors.

(Screenshot: PyScripter showing only errors after adding -E)

PyLint is an extremely useful tool. Use it regularly, especially before committing your code, to make sure you haven't missed anything. However, don't rely on it completely: all code analyzers have their limitations, and a clean run means the code is free of the problems PyLint knows how to detect, not that it is correct.

Network throttling tools

There are scenarios where you'd want to throttle your connection to simulate poor connectivity, for instance to see how your application behaves over a slow network. There are complex methods available, but I found some simpler ways to achieve this:

For applications using a standard protocol such as HTTP, you can introduce a proxy such as Squid and let it limit the rate of traffic (Squid's delay pools do this). In browsers it is even simpler, with plugins such as Firefox Throttle and IE Throttle.

However, if you want to test a standalone application into which you cannot insert a proxy, you can throttle the traffic lower in the network stack.

On Linux, you can throttle at the interface level with traffic shaping (tc). You can write the tc rules yourself; however, I've found them a bit complex. There are scripts available that do the job for you. One good such script is

The most useful tool I found for network throttling was wondershaper. It worked like a charm for me. Installing it was as simple as "sudo apt-get install wondershaper" on Ubuntu. It needs root, since it programs the kernel's queueing disciplines through tc, and the limit applies to all traffic on the interface, including any SSH session you have open to that machine. Usage is very straightforward:

wondershaper eth0 500 500 # arguments: interface, downlink, uplink; limits eth0 to 500 kbit/s each way
wondershaper clear eth0 # removes the throttling

For Windows, there are commercial tools available, such as NetFilter.

Phonebook Poisoning Attack

I found that with simple social engineering it is trivially possible to make someone alter an entry in their mobile phonebook. An attacker can use this to redirect a victim's SMS messages and voice calls intended for a specific person to the attacker's own phone. The attack works by sending the victim an SMS from a new number, claiming to be a specific Person B who is already in the victim's phonebook. The SMS says that this is Person B's new number and is being sent to all friends so they can update their phonebooks. People are too busy to verify such updates.

Imagine that you get an SMS from a new number saying "Hello friends. This is my new number. Please update your phonebook and use this number from now onwards - Person B". In most cases you wouldn't bother to verify that it is indeed Person B sending this message, and you'll quietly update your phonebook. From then on, any message from the attacker's number appears under Person B's name. With some prior knowledge about you and Person B, the attacker can ask directed questions and obtain confidential information. For instance, if you share a password with Person B and the attacker asks for it, you'll probably text it over.

A more interesting variation leads to a true man-in-the-middle: the attacker updates the phonebooks of two people who know each other, so that each one's entry for the other now points at the attacker's number. The attacker relays their SMS messages to each other, keeping a copy of each on his own phone. In some cases voice calls can also be covered with clever call forwarding.

This attack works best in countries with high telecom penetration. There it is easy to buy a throw-away, off-the-shelf SIM, so having a new number on a spare phone is extremely convenient. Also, in such regions most communication is done over SMS instead of calls, which favours the attacker, because on a voice call the person would be easily recognized.

I tried it on a few friends and it worked really well. I took the role of Person B as well as the attacker and sent them the number-update request from a new number. Later I asked them some confidential questions relating to them and me. It turned out that all of them had updated their phonebooks and responded to my queries without actually verifying that it was me!

On a side note, a friend of mine wanted me to update his number in my mobile's phonebook and I tried to verify his identity. Here's how the conversation went:

+92321xxxxxx: Hi, this is my number. Please update it - Ali A.
Me: Anyone can claim that he is Ali A. Please authenticate yourself!
+92321xxxxxx: Ask a question which only Ali A. can answer.
Me: What is his GMail password?
* no response *

Later I called up the claimed number to make sure that it was indeed Ali :-)

MySQL offline and online tables repairing

I had a DB crash today. MySQL's tables crashed and I needed to repair them.

MySQL provides three ways of repairing its MyISAM tables:

1. The REPAIR TABLE SQL statement (e.g. "REPAIR TABLE TableName;" from the MySQL shell)
2. The mysqlcheck utility (e.g. "mysqlcheck -r -uuser -p DBName TableName" from the command line; without -r it only checks the table)
3. The myisamchk utility (e.g. "cd /path/to/mysql/datadir/DBName; myisamchk -r TableName" from the command line; -r recovers, a bare myisamchk only checks)

The first two are online methods: you can run them while the MySQL server is up, and apart from the corrupt tables everything else keeps working. However, they can be painfully slow, since the server must keep serving data and maintaining integrity while performing the repairs.

myisamchk, by contrast, is an offline method: the server must be down (or at the very least the tables must be flushed and locked), because it opens the table files directly and works on them itself. It is much faster. Run it as the user mysqld runs as; otherwise the repaired files end up owned by the wrong account and the server can't open them when it comes back. For me, the online method took more than an hour while the offline method finished in less than two minutes. It was worth shutting down the MySQL server.