Archive for the ‘Web’ Category

Pitfalls in WordPress Version 2.6.1

Friday, August 21st, 2009

Almost a year back (Aug 15th, ’08, to be precise), AUTOMATTIC released WordPress 2.6.1, fixing over 60 bugs. The release also introduced ‘right to left’ typing for Hebrew and Farsi language administrators. Within a very short period (maybe around one month), the company alerted 2.6.1 users to security holes in that version. In this short article, we are going to analyze the vulnerabilities that made AUTOMATTIC release an upgrade for WordPress 2.6.1 so soon.

Ok, let’s be clear and to the point. The problem is created by the nature of:

  1. the mt_rand () function of PHP, and
  2. the truncation method that MySQL adopts

mt_rand ():

PHP has two random number generating functions: rand () and mt_rand (). The former uses the GNU C library and the latter uses the Mersenne Twister algorithm, created by Takuji Nishimura and Makoto Matsumoto of Japan. mt_rand () is predominantly used in PHP applications and, most importantly, WordPress 2.6.1 uses it.

Normally a seed is used to initiate the generation of random numbers. If it is possible to determine that seed, the same sequence can be generated any number of times; in other words, the working of the random generation can be subverted. The seed can be determined using a lookup. Once the seed is found, anyone can generate the sequence that the application generates. If you want to know how this is possible, you have to learn about random number generation in PHP, or there’s an alternative: bow to the fact that it is the nature of the mt_rand () function.

Now, make a request for the admin password, which sends an activation link to the actual admin. But since we have the seed, we are able to calculate the same activation link by enabling a Keep-Alive HTTP request. Activating this link and using a different email ID in the form allows creation of a new WordPress admin password, and thereby complete control.
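As an added illustration (not code from the article, WordPress or PHP): Python’s random module is, like PHP’s mt_rand (), a Mersenne Twister, so it stands in for it here. The key length, alphabet and seed values are assumptions for the demo; the contrast is between an activation key that is fully determined by its seed and one drawn from the OS CSPRNG, which has no seed to look up.

```python
# Added demo, not WordPress or PHP code. Python's random module is a
# Mersenne Twister (MT19937), the same family as PHP's mt_rand(), so it
# stands in for it. KEY_LEN, ALPHABET and the seeds are assumptions.
import random
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
KEY_LEN = 20


def mt_activation_key(seed):
    """Key the way a seeded Mersenne Twister would produce it:
    the seed alone fixes every character."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(KEY_LEN))


def csprng_activation_key():
    """Key from the OS entropy source (secrets module): there is no
    application-level seed that a lookup could recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))


def key_is_seed_determined(make_key, seed, trials=3):
    """Audit helper: does make_key(seed) return the same key every
    time?  True means whoever learns the seed learns the key."""
    keys = {make_key(seed) for _ in range(trials)}
    return len(keys) == 1


if __name__ == "__main__":
    print("MT key reproducible from seed:",
          key_is_seed_determined(mt_activation_key, 1234))        # True
    print("CSPRNG key reproducible from seed:",
          key_is_seed_determined(lambda _s: csprng_activation_key(), 1234))  # False
```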

MySQL Truncation:

Let’s see the next one. When the string input given in a query is longer than the defined maximum length, MySQL, by default, truncates the string to that maximum length. For example, if the maximum length of the string column is defined to be 8, then the input value “qburst_expressions” will be truncated to “qburst_e”. A warning is raised, but applications are normally not configured to handle those warnings; importantly, WordPress 2.6.1 was not.

Suppose I know the WordPress admin name (let’s say “godfrey”) and the maximum length of the username in MySQL is set to 32. When I register as a new user with the same name “godfrey”, MySQL will obviously return an error, as a username godfrey already exists. Now, if I try “godfrey  ” (with 2 spaces after the name), MySQL will truncate the string to “godfrey” and again return an error for the same reason. Suppose I try “godfrey                         g” (with 25 spaces between godfrey and g). Then MySQL will not be able to identify a similar username, and will also truncate the name to “godfrey” when inserting it into the database column. This happens because the username exceeds the defined maximum length of 32, so the system cannot find a match in the database. Now we have 2 admin usernames in the table. This is sufficient to pass the validation and gain access to the password of the original admin, and thereby complete control.

| Username | Length | Max Length | After Truncation | Database Change |
|---|---|---|---|---|
| “godfrey” | 7 | 32 | “godfrey” | No change |
| “godfrey  ” (2 trailing spaces) | 9 | 32 | “godfrey” | No change |
| “godfrey                         g” (25 spaces before the g) | 33 | 32 | “godfrey” | Truncated string (godfrey) inserted as new username into DB |
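As an added example (not WordPress code), here is a toy model of the truncation collision described above, beside the input check that would have stopped it. The in-memory table, the 32-character limit and the names are constructed for the demo; the table mimics MySQL’s default non-strict behaviour of cutting over-long VARCHAR values to the column width and ignoring trailing spaces in comparisons.

```python
# Added demo, not WordPress code: a toy model of the MySQL truncation
# collision from the article, beside the validation that prevents it.
MAX_LEN = 32  # username column width assumed in the article


class MySqlLikeUsers:
    """Toy VARCHAR(32) login column with no UNIQUE index, as in the article."""

    def __init__(self):
        self.rows = []

    def exists(self, login):
        # Models "SELECT ... WHERE user_login = <value>": a PAD SPACE
        # collation ignores trailing spaces, but not a trailing letter.
        return any(r.rstrip(" ") == login.rstrip(" ") for r in self.rows)

    def insert(self, login):
        # Non-strict sql_mode: over-long values are cut to the column
        # width and only a warning is raised, which the app never handles.
        stored = login[:MAX_LEN]
        self.rows.append(stored)
        return stored


def register_unchecked(table, login):
    """Vulnerable flow: existence check on the raw value, then insert."""
    if table.exists(login):
        raise ValueError("username already exists")
    return table.insert(login)


def validate_username(login):
    """Hardening: reject anything the database would alter on storage,
    so the value that was checked is exactly the value that is stored."""
    if login != login.strip():
        raise ValueError("leading or trailing whitespace is not allowed")
    if len(login) > MAX_LEN:
        raise ValueError("username longer than %d characters" % MAX_LEN)
    return login


def register_checked(table, login):
    """Hardened flow: validate, then check, then insert."""
    login = validate_username(login)
    if table.exists(login):
        raise ValueError("username already exists")
    return table.insert(login)


def count_login(table, login):
    """Rows that MySQL would treat as equal to the given login."""
    return sum(1 for r in table.rows if r.rstrip(" ") == login)


if __name__ == "__main__":
    attack = "godfrey" + " " * 25 + "g"  # 33 characters, one over the limit
    t = MySqlLikeUsers()
    register_unchecked(t, "godfrey")
    register_unchecked(t, attack)
    print("unchecked flow: rows for 'godfrey' =", count_login(t, "godfrey"))  # 2
    t = MySqlLikeUsers()
    register_checked(t, "godfrey")
    try:
        register_checked(t, attack)
    except ValueError as err:
        print("checked flow:", err)
```

On a real MySQL server, a strict sql_mode (STRICT_TRANS_TABLES or STRICT_ALL_TABLES) turns the truncation warning into an error, which is a second, database-side layer of the same defence.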

These security holes made AUTOMATTIC work on an upgrade at the earliest, and the next release fixed all of them. So if you are planning to use WordPress, make sure you use the latest version and remain safe. WordPress 2.8.4 is available for download now; it is the latest stable version of WordPress according to AUTOMATTIC’s last release.

Netbook Vs Notebook

Tuesday, July 21st, 2009

A variety of netbooks have been invading the market for quite a few months now. There have also been reports of consumers who bought a netbook and later realized that they had actually wanted a notebook. The majority of consumers cannot tell the difference between the two, which may be attributed partly to the similar suffixes of the two words.

So, what is the difference between the two?

A simple answer is that, compared to notebooks, netbooks are simply smaller, lighter and cheaper – approximately the size and weight of a hardback novel or diary, weighing around 1 kilogram. Screen sizes (the diagonal measurement across the screen) vary from 7-10 inches for a netbook to 12+ inches for a notebook, typically around 15.4 inches. Netbooks, powered by Intel’s Atom processor, are not as powerful as notebooks, and lack the facility to play CDs or DVDs.

Connectivity is the central focus of netbooks, and their primary use is to surf the net. Built-in Ethernet and wi-fi are used for connecting to the internet. They are intended mainly for people who want to stay connected while on the go. With prices below $300, a netbook is an excellent solution during the credit crunch!

Statistics prove that netbooks have succeeded in creating a new market above handheld computers, smart phones and personal digital assistants. Analysts are torn over whether or not netbooks will eat into the notebook market share. Since the recession is still underway, people will be looking for cheaper products, which suggests that netbooks will be in demand.

However, netbooks are presently limited by battery size, processing power and storage space, which gives notebooks a clear edge over them.

No matter what, I do believe that there is certainly space in the world for both to function and live together in peace.

Check out the netbooks available in the market

Google Wave 2- The Platform

Tuesday, July 21st, 2009

Articles on Google Wave are flooding the web, trying to bring out a deeper understanding of this wave renaissance. There is so much expectation generated now, as people anxiously look forward to getting their hands on it. With the little information revealed by Google, let us try to figure out something more about how this is going to work. In Google Wave 1 we discussed Google Wave as a product. This time let us view Google Wave from the perspective of a developer, that is, Google Wave as a platform.

What is a platform?

A platform, in software terms, can be understood as an entity on which software can be made to function. A platform provider will provide APIs (Application Programming Interfaces) for software to be developed on its platform. Let’s take a few examples: Java, the product of Sun Microsystems, serves as a platform and comes with APIs like AWT, JDBC, JMF and so on; these APIs are also provided by Sun Microsystems. Apple Inc, owner of the iPhone, kept its APIs confidential until October 2008, when the company opened them up and made them license free for developing software applications to run on the iPhone. Lately, there is the Facebook API, which is both powerful and popular.

What about Google API?

Google has promised to come up with a public API which can be used by any developer to create applications that run on the Wave platform. There are 2 ways by which a developer can make his presence felt in Google Wave. The first method is by building robots or creating gadgets. The other method is by embedding waves on third party websites. Let’s try to get some insight into these new terms.

Robots, Gadgets and Embed API

Robots are automated participants in a wave. Remember the robot in ‘Lost in Space’? It is a similar kind of simulation, except that these robots function inside the computer. A robot created inside a wave will be able to read, modify and delete blips and wavelets. A wavelet is a smaller wave that is resident inside a wave, and a blip resides inside a wavelet. The diagram below will give you a better picture.

The developer can create robots and perform interactive operations within a wave. What are the interactive operations? Well, that is left to the creativity of the developer. Learn more about robots here. Wave Gadgets are similar to ordinary gadgets in the way they get embedded as third party applications. But there is more on offer: a wave gadget can function within a live wave. An example Google gives to explain this is one which lets the participants of a wave vote on where to go for lunch. Learn more about gadgets here.

The second method, using the Embed API, brings waves into third party websites. The website is updated simultaneously as and when an update is made inside a wave. Google has already come up with a few embeds. ‘YouTube playlist discuss’ is one among them and is sure to gain much popularity. Learn more about the Embed API here.

As Facebook is dominating now with so much integration, it is certain that we can expect even more from Google Wave. So if you are a developer, stay informed about what is going on in Google Wave and get ready to play with the tools as soon as you get them.

Links for further study:

http://code.google.com/apis/wave/

http://googlewavedev.blogspot.com/

The Art of Googling!

Friday, July 17th, 2009

For most of us, finding information on the Internet is synonymous with going to Google.com, typing in a word or phrase and clicking search. In fact, Google does account for a major share of the search engine market, and with good reason too. Check this out if you are still in doubt.

Thus, despite new players coming up, Google still remains the leader in information search on the web. That is exactly why it makes sense to understand and develop efficient googling techniques. Mentioned below are a few tips which, when practiced while searching the web using Google, will save time and improve search results.

Microsoft Ready for Google’s Challenge, Forays into ‘Online Office’

Tuesday, July 14th, 2009

In response to Google Chrome OS, Microsoft has announced that the new version of MS Office, which is expected to hit markets by 2010, will feature online collaboration. This dramatic announcement was made at the partner conference in New Orleans.

The new generation office suite will enable users to access their documents online with co-authoring capabilities. PowerPoint will be streamlined with video and picture capabilities which will revolutionize presentations.

Though Microsoft is coming up with online capabilities for Office, it does not intend to provide comprehensive online access, which it thinks could shrink its business. This won’t be a great concern for Google Docs, as it provides comprehensive access to users. Google considers it a weak reply to the Google Chrome OS, which targets the core of Microsoft’s business.

Watch out for Google Chrome OS

Friday, July 10th, 2009

In its endeavor to be the leader in the software space, Google Inc has announced its foray into operating systems, with its maiden project named ‘Google Chrome OS’. Google has already locked horns with Microsoft on numerous projects, and the present one will intensify the competition. As Microsoft holds 90% of the OS market, it will be interesting to see how it reacts to this challenge. Since Google believes in the open source concept, if the Chrome OS project is rolled out successfully, it will revolutionize the entire PC, laptop and OS markets.

In its official blog, Google explains more about Chrome OS, which targets the netbook market initially. Google Chrome OS is expected to hit the market by the second half of 2010.

Pocket-sized Dell Mini 10V

Friday, July 3rd, 2009

The arrival of netbooks has turned the PC market upside down, as diverse models and players have come in within a short span of time. Acer triggered the competition in this segment when it introduced its first netbook model, the Acer Aspire One. Dell took much longer to foray into the netbook market. They started with the Dell Inspiron Mini 9, followed by the Mini 10 and Mini 12, and now the advanced Mini 10V.

The hapless performance of the Mini 9, 10 and 12 forced Dell to come up with a robust model which could capture some market share in this segment. The drawbacks of the former models were the lack of adequate memory and hard drive space. The Mini 12 was expected to become a leader; however, its limited memory slot and hard drive pushed it out of the competition. (The Dell Inspiron Mini 12 has a 1GB DDR2 memory slot and an 80 GB hard disk.)

Mini 10V Tech specifications

Processor – Intel® Atom™ N270 (1.6GHz/533MHz FSB/512K L2 Cache)

Operating System – Microsoft Windows XP

Memory – 1GB, DDR2, 533MHz

Hard Drives – 160GB SATA HDD 2.5 inch 5400RPM

Display – 10.1″ Widescreen 1024 x 600 WSVGA (WLED)

Apart from these, the Mini 10V comes with a 1.3 MP webcam and a Bluetooth module, and for power there are 3-cell and 6-cell Li-ion batteries.

Battery Performance

With the 3-cell battery, it gives a maximum of 3 hours, and the 6-cell battery is exhausted after 6.5 hours.

Price – $375

SEO Checklist

Wednesday, June 24th, 2009

While there is no doubt that good SEO consultants can help drive more traffic to your site, many small businesses cannot afford a good consultant.  But you don’t need to despair if you can’t afford an expensive SEO consultant.  If you are one of those DIY type business owners, this article will help you create a fairly decent search-engine optimized site.  Even if you plan to use a web design/development agency and not do it yourself, you can demand that they create a site that complies with basic SEO tenets.

Here is how to go about placing yourself on the right side of search engines:

  1. Keyword analysis – This should be done before you start building your site.  If you already have a site, you may have to tweak your content based on the results of this analysis.  Know what keywords your customers use to find you.  These may not be industry jargon.  A good tool to start with is Google’s Keyword Tool.  You need to identify the keywords or phrases that have high volume but less competition.  Once you identify the keywords for a page, mention them a few times on that page.  Do not over-stuff your page with keywords.  Search engines penalize keyword stuffing.  Write naturally, but don’t forget to repeat your keywords a few times.
  2. Make sure every page on your site has a proper title tag, meta keywords and meta descriptions.  Again, there is no need to repeat your keywords too many times, but your keyword should be there on the title tag, as it’s the most important tag from a search-engine perspective.
  3. Search engine friendly URLs (SEF).  You need to have meaningfully named URLs that accurately describe the page content.  Example: www.example.com/camera/dslr/nikon/D5000 is better than www.example.com?product_id=123.  Carefully choose your URL names and structure.  Now, how do you create search-engine friendly URLs?  You can provide URL rewriting rules in .htaccess if you are using Apache; but it is cumbersome to manage.  Many content-management systems like Drupal and WordPress support SEF, so if you are using these, you’ve got yourself covered.  Most web app development frameworks like Symfony also support SEF.
  4. Provide a textual description for all non-text elements like images, audio and video.  For example, use the alt attribute on images.  This will help the search engine better understand your multimedia content.  It has the added benefit of making your site accessible.
  5. Search engine bots should be able to spider all your content even if the content resides in a database and is displayed dynamically.  For example, your products may be sitting in a product catalog table in a database, but you should create a static-looking page for each product.
  6. Make effective use of heading tags like h1 and h2 to showcase the relative importance of text.  Your important text should be text and not images.
  7. Use ordered lists for creating menus rather than using tables.
  8. The anchor text (of a hyperlink to another page) should contain keywords that describe the target page.  Instead of writing “Click here for D5000 details”, it’s better to write “check out the D5000 digital SLR camera”.
  9. Avoid duplicate content issues.  If example.com, www.example.com and www.example.com/index.php all point to the same page, you should consider one of them as the primary URL.  If you designate www.example.com as your primary or canonical URL, then the other URLs should be permanently redirected to the canonical URL.  You can redirect by using the HTTP 301 code.  Also consider storing the session id or affiliate parameter in a cookie and then redirect the URL with parameters to the canonical version.
  10. Never copy-and-paste content from other sites.  You may be violating copyright laws and incurring duplicate content penalty. Likewise, if you are getting your content from a syndication service, check that the same content is not syndicated to other sites.  Do a Google search on your content and if you find that your content has been copied by someone else, file a DMCA request with Google.
  11. What if you have multiple top-level domains? Like example.com and example.net?  If you plan to have identical content on all these sites, do a permanent redirect to your primary domain.
  12. Multiple language versions of your site – I would say use a different sub-domain for each language.  Example: fr.example.com for French and de.example.com for German.  Using the same URL for different language versions is not a good idea.
  13. Block search engines from seeing admin panels, HTTPS content etc. by using the robots exclusion protocol, and password protect those pages you don’t want the outside world to see, since robots.txt only asks well-behaved crawlers to stay away and is not access control.
  14. How do you know if Google has indexed all your pages?  Search for site:example.com on Google.  It will return the number of pages indexed.
  15. Externalize CSS and Javascript.
  16. Follow XHTML 1.0 strict standard.
  17. Reduce the amount of code in your page, and maintain a good content-to-code ratio.
  18. Speed is important.  Your pages should load fast and should not timeout.
  19. Use microformats to describe your data.
  20. Last but not the least, build quality in-bound links.

Some of the above items need further explanation.  However, there is a wealth of information available in blogs and online articles.  So start digging and learn more on this interesting topic.

Bing Your Search!

Tuesday, June 23rd, 2009

The new avatar of Microsoft’s latest search engine, Bing, is here.  An updated version of Microsoft’s former search engines, namely Live Search, Windows Live Search and MSN Search, Bing.com went fully online on June 3, 2009.

Bing Features

Here’s a quick look at some features of Bing that could give other search engines such as Google and Yahoo a run for their money (although it would be a while before Google can be, if ever they are, outsmarted!).

Do note that some of these features are available in the United States version only. You can change your country settings using the toolbar at the top right hand side of the Bing site.

  • The background image changes daily.  They are mostly striking images of noteworthy places in the world. You can hover over the images to see interesting facts about them.

Sweet rewards from tweets

Monday, June 22nd, 2009

Twitter is growing by leaps and bounds each day as more and more users realize its use as a marketing tool. Twitter started out as a simple microblogging tool for users to stay in touch by answering the question, “What are you doing?”. It is now being used widely by companies as a means of promoting their new products, sharing their news and views, posting job requirements and keeping in touch with customers.

Recently, the computer giant Dell revealed in one of its blog posts that more than $2 million in revenue has been generated from @DellOutlet, one of its Twitter accounts. Here is how Dell has been using Twitter.

Dell identified early that Twitter is an effective means of communicating with customers. Dell Outlet, the sales division of Dell, started tweeting in 2007, using Twitter as a means to attract customers by extending exclusive offers, discounts, clearance events and new arrival information.

Users who follow Dell on Twitter receive messages when discounted products are available at the company’s Outlet Store. Those who are interested will immediately click to purchase the product or they might forward the information to their friends.

Dell has been able to compute the revenue generated by Twitter users by tracking the clicks that came from Twitter to its site, which resulted in sales. The figure $2 million is a relatively small amount for a company like Dell. However, it goes to show that small companies can also reap rewards by using Twitter as a marketing tool. Recognizing the benefits of using Twitter, Dell has created Dell.com/Twitter to allow customers to choose the most relevant Twitter account for them to follow.

Thus, Twitter as a sales and promotional tool is no doubt invaluable to small and large companies alike, given the kind of revenue it has been shown to generate.

Twitter continues to gain popularity and expand its user base day by day as more and more corporate companies are diving in to make the most of it. However, Twitter has yet to come up with a business model which could generate revenue for Twitter too. It is speculated that they might introduce paid accounts or take a share in sales generated from Twitter.

As the long awaited business model takes its own time in materializing, Twitter users are quite happy tweeting their way to success.