Technology

being secure is common sense

Today's news is that customers who paid by credit card at 51 UPS Store locations across 24 states in the USA are at risk of having their card data siphoned by cybercriminals. Late last year it was the turn of Target's (a large retailer) 98 million customers to have their card data stolen. This is not happening only in faraway USA: in Chennai (India) too, the city police get hundreds of complaints every month about money being siphoned from bank accounts.

As the world becomes more and more connected and payment transactions move from cash to digital, we as individual consumers are inadvertently exposed to online security risks. The common person (aam aadmi) knows that if he leaves his wallet exposed he is going to get pickpocketed; she takes care to protect her purse. But that is because cash (and gold) has been around for centuries. In everyday life we do encounter people who imprudently don't take care with their cash; I see them as either simpletons who don't know better or simply fools!

But digital payments and online services are recent technologies, and it takes time for common people to learn and understand the risks and the protections.

I am sharing here two instances that happened to me yesterday and what I did after them. These made me notice that being secure takes effort, but it's just common sense.

In the evening, returning home with my wife after a dentist appointment, we stopped at a nearby retail shop. For a transaction of a few thousand rupees I gave my credit card and entered the PIN (which is nearly mandatory now thanks to Reserve Bank of India rules), collected the items and came home. A few minutes later I got a call from the shopkeeper informing me that I had forgotten my credit card in the shop. I rushed back, sincerely thanked the guy and collected the card.

But the few minutes the card was not in my possession would have been enough to skim the card and make a duplicate, and observing the PIN when I first entered it would have been easy too. I have no reason to suspect anything in this case, but it is better to take precautions. As soon as I came home, I logged into my bank site and changed the PIN. I could have called the bank for a replacement card, but my threat perception on this was lower.


After the above incident, I tried a new mail app for Windows (and other platforms too) called Inky. It advertised a unified mailbox experience, a modern interface and single sign-on. Once you create an Inky account and set up mail accounts like Google and Hotmail (Outlook.com), you can log in from any device with just the Inky account and it will configure all your mail accounts automatically. Basically Inky was storing your mail account details on their server; they promise to store all the passwords safely with strong encryption seeded with the Inky password.

After spending a few minutes with the app I was not impressed. I saw no compelling feature, and there was no way to view/edit my contacts that are already in Google & Hotmail. Lack of an address book is a big turn-off for me. Before uninstalling the app, I disconnected the accounts (Gmail, Hotmail) and deleted the Inky account too. I have no reason to doubt the sincerity of Inky, but in the paranoid state I was in, I changed my Google & Microsoft (Hotmail) account passwords. It had been some time since I changed these passwords and they were, in a sense, due for a change!

I spent the good part of 30 minutes on what may have been unnecessary. But it gave me peace of mind, and wise men have said "Better to be safe than sorry".

Apps, Developer, Kids, Microsoft

Teaching my son to write software

The other day my 11-year-old son asked me to teach him how to write apps. I was thinking about what programming language I could start him with.

I didn't want to start him with mobile apps as I feel that will curtail his possibilities. This meant Android Java, Objective-C & Apple Swift won't cut it. Being an ardent Microsoft language engineer I never liked Java, but that discussion is for another day.

My friends know well about my "affair" with Visual Basic. Going with VB6 (there is a charm to the sound of this acronym) would mean he would be learning more about GUI/drag 'n' drop than programming and language fundamentals. Also the GUI guidelines of VB6 are rooted in the Windows 95 days, which are outdated in today's iOS 7/Metro/Material design world.

The next option was Visual Studio 2013 Express with the VB.NET or C# languages. Either of these would mean learning about objects and OOP concepts in the very first class. I felt he would find it difficult to digest the vast surface of the .NET Framework, without understanding which even Console.WriteLine("Hello World!"); would appear to be magic to him. If he remembers software as magic (sorry, Steve Jobs) he will not be curious enough to work his way through the entire process of how a program executes.

Speaking to one of my mentors (an expert teacher & coach on programming) I added Python to the list. For the last few weeks I have been learning Python too as a side project, but I am not at a stage where I would be able to teach my son. So reluctantly I gave up Python as the choice. I wish to teach my son Python after he is done with BASIC.

After much deliberation I settled on the BASIC language, which is celebrating its 50th year at Dartmouth College, where it was invented in 1964. Teaching my young son BASIC in 2014 will be a fitting tribute that I can offer to this great language. Thinking of GW-BASIC brings a nostalgic feeling for me; I started learning programming when I was about 13 (8th Standard) with GW-BASIC/BASICA.

Having selected BASIC I went looking for MS-DOS and GW-BASIC; there are articles on how to get and install this combination even on Windows 8. If you want QBasic (an interpreter with a text-mode IDE for Microsoft BASIC; the compiler was part of the separately sold QuickBASIC), it shipped with every Microsoft operating system from DOS 5.0 until Windows 95 (you can get it from an old Windows 95 CD). I was not comfortable with either of these (running GW-BASIC or QBasic) on Windows 8, as it would not give my son a chance to write true "Windows" programs or access modern necessities in later stages, and he would not understand the archaic 8.3 file names. I wanted a BASIC language in a modern avatar.

Looking around I found the following three options. I just went with FreeBASIC; you can choose any of them (all 3 are good options).

1) FreeBASIC is a free open-source compiler that is largely compatible with the Microsoft QBasic language; almost all programs written for QuickBASIC will compile with FreeBASIC. I found an IDE to go with it called FBIde. The combination of FBIde and FreeBASIC was awesome: it provided the simplicity of the BASIC language along with the ability to compile and run natively on modern operating systems including Windows and Linux, in both 32-bit and 64-bit, as well as on DOS (I suppose that means MS-DOS, DR-DOS and FreeDOS).

2) QB64 is a self-hosting BASIC compiler for Microsoft Windows, Linux and Mac OS X, designed to be compatible with Microsoft QBasic and QuickBASIC. QB64 implements most QBasic statements and can run many QBasic programs, including Microsoft's QBasic Gorillas and Nibbles games. QB64 also contains an IDE resembling the QBasic IDE.

3) Small Basic from Microsoft is a commendable effort by Microsoft aimed especially at students. The site even includes a complete curriculum to teach Small Basic. It is based on the .NET Framework so it has the same OOP issues, but I guess the way it is presented here can be managed.

I came across REALbasic (now Xojo), a BASIC-inspired environment that allows you to write commercial-grade apps for Mac OS, Windows and Linux. Since it is a business-grade, paid environment I didn't give it a try.

Before settling on BASIC I seriously considered Pascal. Turbo Pascal was my favourite language in college, when we programmed with it in our Novell NetWare lab. I consider losing Turbo Pascal (and its Delphi avatar) a big loss to the software programming field in the last two decades, and I still feel sad about it. In the mid 90s I worked with a friend to develop complete student course material in Pascal for a local college. I still have the materials and the accompanying projector transparency sheets; I remember the long hours I spent typing them in the Ami Pro word processor. Ami Pro was one of the best in its heyday and light years ahead of the MS Word of those days; I am surprised Ami Pro even has a Facebook fan page.

Coming back to Pascal, I found a free open-source compiler called Free Pascal along with an IDE (Lazarus) to go with it. I will be trying it out in the next few weeks; it might turn out to be a good introduction to OOP as Free Pascal supports objects.

Look below at the first program in FreeBASIC that I taught my son.

[Image: FreeBasic]

Apps, Books, Developer

Learning Python

I have been reading about Python (the programming language) for the last few years and wanted to learn it. But over the years in my work I have become more of Dilbert's pointy-haired manager and haven't done any actual coding for many years. So the idea of learning a language, starting to type and doing real work looked daunting. As experts say, we humans are creatures of habit and getting out of your comfort zone is difficult.

I said to myself, let me take the first step on this, even though I was not sure whether I would pursue it further. The Python.org website has all the necessary learning materials, guides, manuals and tools (all free) to learn and program in Python.

There is a .NET Framework based implementation of the Python language called IronPython, which is popular with Microsoft technology developers. IronPython compiles Python code to run on top of the .NET Framework and runtime. Programs written in IronPython can use both Python libraries and .NET libraries. Microsoft, through the CodePlex community, has released Python Tools for Visual Studio (PyTools), which integrates Python (IronPython as well as the standard CPython) seamlessly into the Visual Studio IDE. With PyTools, Visual Studio turns into a full-fledged Python IDE.

[Image: New Python Project from Visual Studio 2013]

PyTools is free, and so are the Visual Studio Express editions, making it convenient for anyone interested to start with Python & VS. On my PC I have the Visual Studio Ultimate edition, in which I installed PyTools. The installation was smooth and I got the option to create a Python project in the familiar Visual Studio "New Project" wizard, which I did.

[Image: IronPython programming with Visual Studio 2013]

Excited on seeing the output, in my typical style I went ahead and purchased the following 3 books to learn Python further:

  1. Python in Easy Steps by Mike McGrath (the book appears simplistic but is worth reading as a first book on Python) – Rs.209
  2. Programming Python, 4th Edition by Mark Lutz (a big fat book of over 1650 pages that has everything about Python) – Rs.939
  3. Think Python by Allen Downey – Rs.428

Let us see if the books gather dust or I read them and learn Python!

Technology

Securing your business website

The other day a friend of mine called and asked for guidance. He owns a small business, had registered a domain name for the business and got a web app developed by a software services firm in Mumbai; all developed, deployed and working. For this post let us call the website example.com. The business is not big; he employs fewer than 10 staff, all on offline activities. Their clients log in and check their transactions with the company using the website example.com. In that sense the website is important to their business, and he is aware that over time, as revenues kick in, he has to have dedicated IT staff (in-house/outsourced). Till then he was not having any regular maintenance or management, which is like driving without seatbelts.

Now the reason for his call was to find out how to have better control over his website. He was getting worried after the website went down nearly twice every week for the last few weeks. The outsourced Mumbai services firm was giving him various reasons, ranging from registrar problems (which is highly unlikely) to server problems. And they can't be held responsible either, as their contract limits the scope of what they are supposed to do (develop, maintain, deploy & manage).

I told him that he should hire my firm Vishwak Solutions to be his tech partner :) That aside, I told him to do the following, and this post captures that.


Protect your domain name.

  1. Domain registrars including Dotster, GoDaddy, Network Solutions & Net4India have dashboards to manage your domain name & the DNS entries associated with it. When you hired the services firm you would have shared the credentials (username/password) for the registrar account with them. Immediately change the password and keep it only with you. Let any change to the DNS entries be routed through you; this will mean unfamiliar work for you, but then they can't arbitrarily shuttle your website between servers or hijack it.
  2. An email address is associated with the registrar account, and by default it is likely to show up in a public WHOIS query on the Internet. Knowing this, attackers can attempt social engineering to gain unauthorized access to that mailbox, use it to reset the registrar dashboard account and so gain control of your domain. Your innocent-looking email ID can become the weak link. In this case my friend's Gmail ID was used for the domain registration. I recommended that he immediately enable multi-factor authentication (2-step verification) for his Gmail ID (if you are using Hotmail, instructions are here), which will prevent access to anyone without his mobile phone.
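The two points above can be turned into a repeatable check. The script below is an added example (not from the original post, and not a tool of any registrar): it parses a WHOIS record in the common "Key: Value" layout and reports the contact addresses that are exposed, whether the domain expires soon, and whether the name servers are the ones the owner expects. It goes one step beyond the text by also checking for the registrar transfer lock (the clientTransferProhibited status), without which a stolen dashboard login can move the domain to another registrar. The WHOIS text embedded here is constructed for illustration (the domain, dates, contact addresses and name servers are made up); a real record comes from `whois example.com`, and real output varies between registrars, so the parser is a starting point rather than a universal one.

```python
"""Offline review of a WHOIS record for basic domain hygiene.

Added example, not part of the original post. The WHOIS text below is
constructed (fictitious contacts, dates and name servers); field names
follow the widespread "Key: Value" layout but real records vary.
"""
from datetime import datetime

# Constructed sample of what `whois example.com` might print.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Updated Date: 2014-05-10T08:15:00Z
Creation Date: 2012-03-01T00:00:00Z
Registry Expiry Date: 2014-10-01T00:00:00Z
Domain Status: ok
Name Server: NS1.SHAREDHOST-MUMBAI.EXAMPLE
Name Server: NS2.SHAREDHOST-MUMBAI.EXAMPLE
Registrant Name: Owner Name
Registrant Email: owner.personal@gmail.example
Admin Email: owner.personal@gmail.example
Tech Email: support@servicesfirm.example
"""


def parse_whois(text):
    """Return {lower-cased key: [values...]} for every 'Key: Value' line."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value:
            record.setdefault(key, []).append(value)
    return record


def parse_date(value):
    """Registries print ISO 8601 timestamps; keep only the calendar date."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def review_domain(text, expected_nameservers, today, expiry_warning_days=60):
    """Return a list of findings; an empty list means nothing needs attention.

    `today` may be a date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = parse_date(today)
    rec = parse_whois(text)
    findings = []

    # 1. Every contact mailbox visible in public WHOIS is a social-engineering
    #    target: an attacker who takes it over can reset the registrar login.
    for field in ("registrant email", "admin email", "tech email"):
        for addr in rec.get(field, []):
            findings.append(f"{field} is public in WHOIS: {addr}; "
                            f"protect that mailbox with MFA")

    # 2. Registrar transfer lock. Status values often carry a trailing URL
    #    (e.g. "clientTransferProhibited https://..."), hence split()[0].
    statuses = {s.split()[0].lower() for s in rec.get("domain status", [])}
    if "clienttransferprohibited" not in statuses:
        findings.append("registrar transfer lock (clientTransferProhibited) "
                        "is not set")

    # 3. Expiry: a lapsed domain can be re-registered by anyone.
    for value in rec.get("registry expiry date", []):
        days_left = (parse_date(value) - today).days
        if days_left < expiry_warning_days:
            findings.append(f"domain expires in {days_left} days")

    # 4. Name servers: the owner, not the services firm, decides where DNS
    #    is hosted, so a silent change here is worth a question.
    actual = {ns.lower().rstrip(".") for ns in rec.get("name server", [])}
    expected = {ns.lower().rstrip(".") for ns in expected_nameservers}
    if actual != expected:
        findings.append(f"name servers {sorted(actual)} differ from "
                        f"expected {sorted(expected)}")
    return findings


if __name__ == "__main__":
    expected = ["ns1.sharedhost-mumbai.example", "ns2.sharedhost-mumbai.example"]
    for finding in review_domain(SAMPLE_WHOIS, expected, today="2014-08-22"):
        print("-", finding)
```

Run against the sample with the name servers the owner expects, it reports the three public contact addresses, the missing transfer lock and an expiry 40 days out. The same function can be pointed at the output of a monthly `whois` run, so a change of name servers or contact address made without the owner's knowledge shows up instead of being discovered when the site is already gone.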

Server hosting

  1. For example.com my friend had opted (not knowing the full impact) for shared hosting, in which case his website is hosted along with many other clients of the services firm. You get what you pay for: shared hosting is cheaper, and that's what my friend had paid for. Going with this option means your website's performance can't be guaranteed and can vary based on what the other websites on the same server are doing, and a compromise of any other tenant's site on that server can affect yours. Shared hosting is a good option for simple brochure-ware & blog sites, but not for business web apps. I recommended that he go with his own server. Since cost is a concern and the web app load is low, a virtual server will do. Though Microsoft Azure or Amazon AWS provide this, they tend to be difficult to manage & estimate cost for this tiny requirement of example.com, since they charge for all ingredients (CPU, RAM, storage, bandwidth) separately. I prefer an ISP like GoDaddy, Rackspace or SoftLayer who offer bundles for as low as $20/month. In this case I foresee my friend paying about $130-200/month for a good virtual server that will meet his needs.
  2. Sign up with the hosting provider for a daily or weekly backup of the entire virtual server, stored away from the virtual server itself.
  3. Keep the access to the hosting provider (GoDaddy/Rackspace/SoftLayer) safely with you; this need not be shared with the services firm.
  4. Get two administrator accounts created on the virtual server, one for my friend and one for the services firm, so that the firm's access can be revoked later without touching his own.
  5. Optionally, learn how to take a monthly backup of the virtual server yourself to some other location such as Google Drive or Microsoft OneDrive, and check that the backup can actually be restored; a backup that has never been restored is an untested assumption.
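What step 5 looks like in practice, as an added example that is not part of the original post and not the procedure of any hosting provider: the script packs a directory (the web root; a database dump the owner has already produced would go in the same directory) into a dated tar.gz, writes a manifest with a SHA-256 of the archive and of every file in it, and then verifies the backup by checking the archive hash and unpacking it into a scratch directory and comparing every file against the manifest. The upload to Google Drive / OneDrive is left to the sync client; nothing here touches the network. The file names and contents in `demo()` are constructed for the demonstration. One detail is there on purpose: before unpacking, entries whose path would escape the restore directory are refused, because a tar file that has been tampered with in transit can otherwise write outside the directory you asked for.

```python
"""Dated backup with an integrity manifest and a restore check.

Added example, not part of the original post. Pack a directory into a
tar.gz, record SHA-256 digests in a manifest, and verify that the archive
is intact and restores file-for-file. Paths and contents in demo() are
constructed for illustration.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import date


def sha256_of(path):
    """Streamed SHA-256 of a file, so large archives do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_hashes(root):
    """Map 'relative/path' -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_of(full)
    return out


def create_backup(source_dir, dest_dir, label, when=None):
    """Write dest_dir/<label>-<YYYY-MM-DD>.tar.gz plus a manifest beside it.

    Returns (archive_path, manifest_path).
    """
    when = when or date.today().isoformat()
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, f"{label}-{when}.tar.gz")
    # arcname keeps paths relative, so a restore does not depend on the old
    # server's directory layout.
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=label)
    manifest = {
        "label": label,
        "archive": os.path.basename(archive),
        "archive_sha256": sha256_of(archive),
        "files": _relative_hashes(source_dir),
    }
    manifest_path = archive + ".manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return archive, manifest_path


def verify_restore(archive, manifest_path, restore_dir):
    """Extract archive into restore_dir and compare it with the manifest.

    Returns a list of problems; an empty list means the backup restores cleanly.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    if sha256_of(archive) != manifest["archive_sha256"]:
        problems.append("archive checksum differs from manifest")
        return problems  # do not unpack something that has been altered
    os.makedirs(restore_dir, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            # Refuse entries that would land outside restore_dir (path traversal).
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                problems.append(f"unsafe path in archive: {member.name}")
                return problems
        tar.extractall(restore_dir)
    restored = _relative_hashes(os.path.join(restore_dir, manifest["label"]))
    for rel, digest in manifest["files"].items():
        if restored.get(rel) != digest:
            problems.append(f"{rel} missing or changed after restore")
    return problems


def demo():
    """Back up a constructed web root, verify it, then corrupt the archive
    and verify again. Returns (clean_problems, tampered_problems)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "webroot")
        os.makedirs(os.path.join(src, "uploads"))
        with open(os.path.join(src, "index.php"), "w") as f:
            f.write("<?php echo 'example.com'; ?>\n")          # constructed
        with open(os.path.join(src, "uploads", "note.txt"), "w") as f:
            f.write("constructed sample upload\n")              # constructed
        archive, manifest = create_backup(
            src, os.path.join(work, "backups"), "example.com", when="2014-08-22")
        clean = verify_restore(archive, manifest, os.path.join(work, "restore1"))
        with open(archive, "ab") as f:   # simulate corruption in transit
            f.write(b"\0")
        tampered = verify_restore(archive, manifest, os.path.join(work, "restore2"))
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest travels with the archive to the off-site location; keeping a copy of it somewhere the services firm cannot write to (for example the owner's own drive) means a backup that was quietly altered on the server will fail the checksum step rather than be restored.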

Updates

  1. The software that runs on the server, including your web app, is a kind of living thing; you need to constantly take care of it. In this case you need to sign up for an annual support contract with your server hosting vendor or with the services firm to do monthly updates of the entire software stack. Typically this will mean the operating system (Windows Server or Linux), the database (SQL Server or MySQL), the app runtimes (.NET Framework or PHP), the web server (Microsoft IIS or Apache), specific software (WordPress or Joomla or Drupal) and any other runtimes.
  2. As the web app begins to do transactions, get your services firm to install and configure a Web Application Firewall (WAF) like ModSecurity in front of your web app. A WAF filters known attack patterns before they reach the app; it is a supplement to fixing vulnerabilities in the app itself, not a replacement for it.

Auditing

  1. In the next stage it is recommended to have third-party testing by a competent web security agency. You need verification of the source code & architecture (white-box testing) and of the servers (black-box testing). Typically the agencies charge a few hundred dollars per iteration and provide recommendations.
  2. At the next level, you need detailed security tests for the protection of personally identifiable information (PII) and against targeted attacks.

That's it for now for my small-business friend. For enterprise apps or for web apps doing financial transactions there are more steps to be taken care of. And that's for another day.

Developer, Events, Flashback, Microsoft, Rostrum

MSDOS.NET

(Backdated Post: 25/08/2000)

Being April 1st, it is appropriate for this post.

In late 2000, when the Microsoft world was going crazy over the announcement of .NET, it was .NET everything everywhere. Within the Microsoft user groups at that time the joke used to be that anyone trespassing in any Microsoft building in Redmond would be renamed *.NET. So I would be called Venkat.NET if I was spotted by a Microsoft product manager.

Against this background, during Microsoft TechEd 2000 India, the organizing team had to manage a 15-minute empty slot in the schedule. We couldn't leave it free; we needed all the attendees in one hall so that we could get the main hall ready without hindrance. And that was the slot I used to unveil, for the first and only time anywhere in the world, Microsoft DOS.NET: the DOS operating system upgraded beyond anyone's imagination.

[Slide: optimizing for performance, availability with MSDOS.NET]

[Slide: MSDOS.NET - dir outputs XML, batch files exposed as COM+ objects, complete multi-threading & object pooling capability in MS-DOS]

Doing this session was fun; everyone enjoyed it, and yes, the audience too liked the spoof and laughed at it. It's a different story that many years after this session Microsoft did re-architect and reimagine the humble command line to integrate with .NET when they released PowerShell.
