
Archive for August, 2009

Future is Web

Wednesday, August 26th, 2009

“Future is Web” is a phrase we have been hearing for a few years now, and the latest talk on the web is the web OS. But on second thought, does the web have enough power to replace the features and flexibility that an OS provides? To mimic the operations of an operating system we have Java, Flash, Silverlight and similar technologies, but none of them can deliver some of the basic features an OS provides. Fundamental OS responsibilities such as memory and process management are alien to web applications, and I/O latency is another key factor holding back a web OS. So a pure web OS is still some way off.

The giant has already promised a pure web-based OS: Google Chrome OS, which is now in development. Judging by Google's recent products, it is unlikely to be much more than a polished Android. Android, Google's Linux-based OS for mobile phones, could be tweaked to the point where it runs on low-power portable computers, namely netbooks. The key point, though, is that Chrome OS will be a web 'based' OS, not an OS in the web. So what would a pure web OS be, and why would anyone need one?

Mobility is the first advantage of a pure web OS. Resource sharing and low-cost end-user hardware is another. Imagine an entire OS on the web that handles all the heavy tasks for you, so that all you need is a cheap, low-end, web-enabled notebook or netbook powerful enough to run a browser. In short, you could encode an HD video even from a mobile phone. Interesting, isn't it? Of course it is, but the concept is old and has yet to become a reality. A few attempts have been made in this direction, and the results were web applications such as Google Docs and Adobe's online Photoshop. Interoperability between these online applications is essential for a web OS: nobody wants to process a file in one application, download it and upload it to another. It would be a fair start if these applications could send files and data to each other, and much better if they all had access to a common online storage, just as we have hard disks in our PCs. And finally, it has to be free and open source. Before someone creates the perfect web OS, let's take a look at something close to it: eyeOS, an OS in a browser window, which is the Project of the Month on SourceForge.

eyeOS is an attempt at the perfect web OS; "Open Source Cloud Desktop" is what its developers call it. You get all your essential applications, a storage system and a desktop that integrates it all. eyeOS doesn't look like a web page even though it runs inside the browser window. The eyeOS package can be installed on your own server, and you can allow other users to sign up and use it. The process is as straightforward as installing a WordPress blog: the wizard-driven installation doesn't take long, and soon you are presented with a login window as in a normal OS. Once past this screen, it takes a couple of seconds to realise that what you are looking at is actually a web page inside a browser window. I was confused whether it was my Linux desktop; it has everything a normal desktop should have: a task pane, a notification area, a desktop with changeable wallpapers and themes, games, an application menu and everything else you would not expect in a web page. It even has a browser and a task manager that lists the running processes like the Windows Task Manager. The default installation comes with a handful of applications, which can be extended using a package manager like most Linux distributions, and there is already a large pool of applications available for eyeOS. And all of this is written in PHP and XML. Yes, eyeOS is a PHP application that runs on an Apache server and doesn't need a database; instead it relies on XML files. This is primarily to keep installation simple for the end user, as all they need to do to set up an eyeOS server is enter account information for the first user. Flat files are used to avoid bottlenecks when fetching data. The core parts of eyeOS run as independent applications and use JavaScript to send commands to the server. The UI is fast even on a 512 kbps connection.

eyeOS is being developed by a company based in Barcelona and is currently in its 4th year of development. They also provide a toolkit with which developers can build cloud applications easily. A reasonably good wiki, including a "Hello World" application, walks you through eyeOS application development. Anyone fluent in PHP and JavaScript can start writing applications for eyeOS without any further learning curve. You can try it out on their demo server, eyeos.info, or download the eyeOS package from the project site.

eyeOS may not be mature enough to host anything serious, but it is proof of how far a web application can go!

Pitfalls in WordPress Version 2.6.1

Friday, August 21st, 2009

Almost a year ago (August 15th, 2008, to be precise), AUTOMATTIC released WordPress 2.6.1, fixing over 60 bugs. The release also introduced right-to-left typing in the admin interface for Hebrew and Farsi users. Within a very short time (about a month), the company alerted 2.6.1 users to security holes in that version. In this short article we analyze the vulnerabilities that made AUTOMATTIC release an upgrade to WordPress 2.6.1 so soon.

To be clear and to the point, the problem comes from the combination of:

1.    the behaviour of PHP's mt_rand() function, and

2.    the column truncation behaviour of MySQL

mt_rand():

PHP has two random number generating functions, rand() and mt_rand(). The former wraps the C library's rand() (glibc on Linux); the latter uses the Mersenne Twister algorithm, created by Makoto Matsumoto and Takuji Nishimura of Japan. mt_rand() is the one most PHP applications use and, most importantly, WordPress 2.6.1 uses it, including for the key in its password-reset link.

A seed initialises the generator, and everything it outputs afterwards is a deterministic function of that seed. Neither function is cryptographically secure: if the seed can be determined, the same sequence can be regenerated any number of times, which defeats the purpose of the random values. The seed is a 32-bit value, and PHP seeded mt_rand() automatically, once per process, from predictable inputs such as the time and the process ID. A single observed output (for example a reset key issued for the attacker's own account) is therefore enough to recover the seed with a precomputed lookup table or a brute-force search. Once the seed is known, anyone can generate exactly the sequence the application generates. If you want to know how this works in detail, you need to study random number generation in PHP; otherwise, simply accept that this is the nature of mt_rand().

Now request a password reset for the admin account. WordPress e-mails the real admin an activation link whose key comes from mt_rand(). Because the seed is known, and an HTTP Keep-Alive connection keeps the attacker's requests in the same PHP process (so the generator is not reseeded between them), the attacker can compute that activation link without ever seeing the e-mail. Following the link and entering a different e-mail ID in the form lets the attacker set a new WordPress admin password, and thereby take complete control.
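The keep-alive attack described above, as an added example that is not code from the original post or from WordPress. A long-lived worker seeds its PRNG once at startup and then serves two password-reset requests over one connection; the attacker recovers the seed from the key mailed for their own account and forecasts the key mailed to the admin. Python's random.Random is MT19937, the same generator family as PHP's mt_rand(), but PHP's seeding and output tempering differ, so the key values are illustrative. The startup-time seed, the 32-bit key format and the Worker/run_attack names are assumptions for the demo.

```python
"""Added example: predicting a password-reset key when the PRNG seed is weak.

Assumptions (not from the post): the seed is the worker's start time, a reset
key is one 32-bit PRNG output rendered as hex, and the attacker can bound the
start time to a window. Python's Random is MT19937; PHP's mt_rand() seeds and
tempers differently, so only the method carries over, not the numbers.
"""
import random
from typing import Optional

KEY_BITS = 32


class Worker:
    """A PHP-style worker process: the PRNG is seeded once, then reused for
    every request this process serves (what HTTP Keep-Alive guarantees)."""

    def __init__(self, startup_time: int) -> None:
        self.rng = random.Random(startup_time)  # weak seed: a timestamp

    def issue_reset_key(self, username: str) -> str:
        # The key depends only on generator state, never on the user, so
        # anyone who knows the state knows every key this worker emits.
        return f"{self.rng.getrandbits(KEY_BITS):08x}"


def first_key_for_seed(seed: int) -> str:
    """First key a worker started with this seed would hand out."""
    return f"{random.Random(seed).getrandbits(KEY_BITS):08x}"


def recover_seed(observed_key: str, low: int, high: int) -> Optional[int]:
    """Attacker side: scan the seed window for the seed whose first output is
    the key we were mailed. A 32-bit seed is searchable offline in full; a
    time-based seed shrinks the search to a window like [low, high)."""
    for seed in range(low, high):
        if first_key_for_seed(seed) == observed_key:
            return seed
    return None


def predict_key(seed: int, outputs_consumed: int) -> str:
    """Replay the generator past the outputs already used, then read the next
    key, which is what the worker will mail to the next reset requester."""
    rng = random.Random(seed)
    for _ in range(outputs_consumed):
        rng.getrandbits(KEY_BITS)
    return f"{rng.getrandbits(KEY_BITS):08x}"


def run_attack(true_startup_time: int, guess_low: int, guess_high: int) -> dict:
    worker = Worker(true_startup_time)

    # Request 1 on the keep-alive connection: reset for the attacker's own
    # account. This key arrives in the attacker's mailbox legitimately.
    my_key = worker.issue_reset_key("attacker")
    seed = recover_seed(my_key, guess_low, guess_high)

    # Request 2 on the same connection, same process, same generator: reset
    # for the admin. The key goes to the admin, but is computable anyway.
    admin_key = worker.issue_reset_key("admin")
    predicted = predict_key(seed, outputs_consumed=1) if seed is not None else None

    return {
        "seed_recovered": seed == true_startup_time,
        "admin_key_predicted": predicted == admin_key,
    }


if __name__ == "__main__":
    # Constructed scenario: worker started at 1250000000, attacker knows it
    # started within the surrounding 2000 seconds.
    print(run_attack(1250000000, 1249999000, 1250001000))
```

The fix is not a better seed but a different source: security tokens must come from a cryptographically secure generator (random_bytes() in PHP 7 and later, the secrets module in Python), never from a seeded-once mt_rand() whose state is shared across requests.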

MySQL Truncation:

Let's look at the second issue. When a string given in a query is longer than the column's defined maximum length, MySQL by default truncates it to that length. For example, if a string column is defined with a maximum length of 8, the value "qburst_expressions" is stored as "qburst_e". MySQL issues a warning, but applications are normally not written to check for those warnings, and WordPress 2.6.1 was not.

Suppose I know the WordPress admin's username (say "godfrey") and the maximum length of the username column in MySQL is 32. If I register a new user with the same name "godfrey", the registration is obviously rejected, because a user called godfrey already exists. If I try "godfrey  " (with 2 trailing spaces) it is rejected again: MySQL ignores trailing spaces when comparing CHAR and VARCHAR values, so the duplicate check still finds the existing row. Now suppose I try "godfrey                         g" (with 25 spaces between godfrey and g). The duplicate check compares the full 33-character string, which differs from every existing username, so it passes; but the string exceeds the 32-character limit, so on INSERT MySQL silently truncates it to "godfrey" followed by 25 spaces, which compares equal to "godfrey". Now there are 2 rows in the table that answer to the admin's username. That is enough for the attacker's row to pass validation as "godfrey" and to hijack the password-reset flow of the original admin, thereby gaining complete control.

Username                             Length   Max length   Compared/stored as   Database change
"godfrey"                            7        32           "godfrey"            No change (duplicate, rejected)
"godfrey  " (2 trailing spaces)      9        32           "godfrey"            No change (equal to existing row, rejected)
"godfrey" + 25 spaces + "g"          33       32           "godfrey"            Truncated string ("godfrey" padded to 32) inserted as a new username
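The three registration attempts from the table, run through a small model of the MySQL behaviour the attack relies on. This is an added example, not code from the original post, WordPress or MySQL: it is a Python model of two documented MySQL rules (trailing spaces are not significant when comparing CHAR/VARCHAR values under PAD SPACE collations; without a strict SQL mode an over-long INSERT value is cut to the column width with only a warning), not a MySQL session. The 32-character column width and the "check, then insert" registration flow come from the text; the UsersTable and attack_sequence names are assumptions.

```python
"""Added example: why an over-long username collides with an existing one.

Models two MySQL behaviours (not a real MySQL connection):
  1. PAD SPACE comparison: 'godfrey  ' = 'godfrey' in a WHERE clause;
  2. non-strict INSERT: values longer than the column are silently truncated.
Column width 32 and the check-then-insert flow are taken from the post.
"""
from typing import List, Tuple

USER_LOGIN_WIDTH = 32  # assumed VARCHAR(32) user_login column, as in the post


def mysql_equal(a: str, b: str) -> bool:
    """PAD SPACE comparison: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


def mysql_store(value: str, width: int, strict: bool) -> str:
    """What an INSERT actually writes into a VARCHAR(width) column."""
    if len(value) <= width:
        return value
    if strict:  # STRICT_TRANS_TABLES / STRICT_ALL_TABLES: the INSERT fails
        raise ValueError("Data too long for column 'user_login'")
    return value[:width]  # non-strict: silent truncation plus a warning


class UsersTable:
    def __init__(self, strict: bool = False) -> None:
        self.rows: List[str] = []
        self.strict = strict

    def rows_matching(self, login: str) -> int:
        """SELECT COUNT(*) FROM wp_users WHERE user_login = %s"""
        return sum(1 for r in self.rows if mysql_equal(r, login))

    def register(self, login: str) -> str:
        """Flow from the post: duplicate check on the full string, then an
        INSERT that stores the truncated one. The gap between the two is the
        vulnerability."""
        if self.rows_matching(login) > 0:
            return "rejected: username already exists"
        try:
            self.rows.append(mysql_store(login, USER_LOGIN_WIDTH, self.strict))
        except ValueError as exc:
            return f"rejected: {exc}"
        return "inserted"

    def register_hardened(self, login: str) -> str:
        """Application-side fix that does not depend on the SQL mode: refuse
        anything that would not round-trip through the column unchanged."""
        if len(login) > USER_LOGIN_WIDTH or login != login.strip(" "):
            return "rejected: invalid username"
        return self.register(login)


def attack_sequence(strict: bool = False, hardened: bool = False) -> Tuple[List[str], int]:
    """Replays the three attempts from the table; returns each outcome and how
    many rows afterwards answer to the admin login 'godfrey'."""
    table = UsersTable(strict=strict)
    register = table.register_hardened if hardened else table.register
    attempts = ["godfrey", "godfrey  ", "godfrey" + " " * 25 + "g"]
    results = [register(a) for a in attempts]
    return results, table.rows_matching("godfrey")


if __name__ == "__main__":
    print("default  :", attack_sequence())
    print("strict   :", attack_sequence(strict=True))
    print("hardened :", attack_sequence(hardened=True))
```

Either fix on its own closes the hole: running MySQL with a strict SQL mode turns the truncation into an error (the default since MySQL 5.7, but not in 2008), and validating length and trailing whitespace in the application works regardless of server configuration. Doing both is the usual recommendation.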

These security holes made AUTOMATTIC work on an upgrade at the earliest, and the next release fixed them. So if you are planning to use WordPress, make sure you use the latest version and stay safe. WordPress 2.8.4 is available for download now; it is the latest stable version of WordPress as of AUTOMATTIC's most recent release.

Mahindra – Satyam: What’s the Deal?

Tuesday, August 18th, 2009

From the outset of 2009, the name 'Satyam' has been in the headlines of major business newspapers and TV channels. It all started with the disclosure by Satyam's founder and then Chairman Ramalinga Raju of the financial fraud committed by him and his close colleagues. The scandal rocked the Indian IT business, already shaken by the recession, and led to a steep decline in the stock market. The Government of India appointed directors to the Satyam board to find a way out of the scandal. Finally, Tech Mahindra, the IT arm of Mahindra & Mahindra, emerged as the buyer of Satyam for $354 million. (In 2008, Mr. Anand Mahindra, Vice Chairman of M&M, had approached Mr. Raju for a tie-up, but due to the lack of response from Raju the alliance didn't happen.)

Several eyebrows were raised when Mahindra acquired Satyam through the open bid. The primary concern was turning the discredited organisation into a profitable one amid the slowdown and merging it with Tech Mahindra. Tech Mahindra's main intention behind the acquisition is to extend its portfolio beyond telecom. Tech Mahindra, a joint venture between Mahindra and British Telecom, gets about 70 percent of its revenue from telecom and has a very good customer base in Europe; it wanted to extend its reach to the US, where Satyam has a good client base.

Satyam, on the other hand, is diversified, with customers in banking, financial services and insurance (BFSI), manufacturing, retail and healthcare. Tech Mahindra sees this as leverage when bidding for lucrative projects such as ERP, where Satyam has expertise. Though Satyam is tainted by the corporate fraud, none of its clients doubt its ability to deliver, and that is what prompted Tech Mahindra to go for Satyam.

According to C. P. Gurnani, the new CEO of Mahindra Satyam, and Sanjay Kalra, the CEO of Tech Mahindra, the two companies will bid together for projects to get the benefit of their diverse portfolios rather than bidding against each other. Though a full merger is not on the cards right now, the partnership will catalyse the proposed merger within a couple of years. By that time Mahindra Satyam should have recaptured the structure it had before the scandal.