Monday, May 06, 2013

Volunteering in an Internet Age

As Wikipedia puts it (in part), volunteering is “an altruistic activity and is intended to promote good or improve human quality of life. In return, this activity produces a feeling of self-worth and respect; however, there is no financial gain”. The most fascinating thing about this definition is that it holds true for this age too. Many verbs have received different definitions in contemporary times, but some have simply adapted. “Volunteer” is one.

A decade or two ago, it was all about charity-related work where you would offer your effort and/or skills for a social event. But now there are many other activities that one could perform on the internet which uphold the same values. It is mainly two-fold, skills and effort, but eventually the same thing. As with offline volunteering, these are mainly performed for proprietary entities or non-profit organisations. At the end of the day, the world benefits and the online community benefits.

Although the topmost activity in this sphere is devoted to the Open-source movement, I wish to focus on a few popular products/websites that rely on Crowdsourcing. Crowdsourcing itself is a new-age term, which could be broadly defined as, “obtaining the efforts of a crowd (volunteers)”.

Wikipedia is the best and most popular example. What’s more, even this article has a couple of hyperlinks to it already. This online encyclopaedia is almost totally built on the efforts of thousands of contributing volunteers. Not only the submissions, but moderation too is handled in a similar fashion by ‘administrators’ who are chosen from the previously mentioned fervent contributors. That helps in maintaining credibility, which is always a common question raised against crowd-sourced content.

My next focus is a company, and a popular one: Google Inc. Google’s products have now become necessary platforms for thousands of other products and services, both online and offline. For example, Google Maps is one such platform. The fact that people are able to contribute to it has resulted in the rapid expansion and improvement of the product itself. Anyone could contribute to “GMaps” through the Map Maker tool, which was launched about 5 years ago. Talking about maps, a special mention of a non-commercial/non-profit counterpart, OpenStreetMap, also needs to be made. There may be differences in content and quality between the two, but they both acquire and deliver the same kind of service.

Apart from maps, and among many others, there were other programmes such as the (now suspended) “Google in Your Language”, where contributions were obtained from volunteers in order to localize Google’s products.

Even though there is no guarantee as to how your contributions will be used in the final output, the age-old saying of “volunteer to make a better world” still stands, even in this day and age, with a sense of self-satisfaction.

Tuesday, February 12, 2013

Base64 encoding and its proper use

A friend of mine recently unveiled a new version of his website. Given that I too had worked on it some time back, I decided to check it out. The main points I looked out for were security holes, since there were numerous such flaws which I had fixed years ago. Rather unsurprisingly, the password reset feature of the site had one such ‘vulnerability’. It was done anew, and the method used was not the most recommended, although many developers opt for it. It wasn’t a bug, but a bad implementation ready to be exploited.

The culprit was an incorrect use of base64 encoding. For me, the main uses of base64 are storage and transmission of non-secret data, although in the case of storage it’s something like hashing binary data, etc. The last part, ‘non-secret’, is very important, because if one were to use the same for ‘secret’ information, then again it’s a non-recommended use. In the above scenario that was exactly what happened. A piece of data which was meant to be secret and not easily readable was sent publicly after encoding with base64. And as most developers know, it takes just a jiffy to decode base64. So what I did was decode the string value, only to find out that two values were concatenated. One value was the victim’s email and the other a randomly generated string, which wasn’t that hard to identify. Then it was merely a matter of modifying the above value with a known user’s email. And voila! I could reset his/her password.

Mentioned above was how a badly implemented encoding could make your web application vulnerable. And this is not something associated only with low-profile companies; even Facebook had a similar situation, which was revealed in this article at 'Hacker News'.

The remedies are many, depending on how far you’d be content to go, given that security isn’t a 100% achievable thing. One solution is to make the random ‘salt’ a highly cryptic value. Another is to use a well-recognized encryption mechanism. Or you could even develop your own encrypt function, although security experts warn against this. A rather straightforward and often used method is to implement one-way hashing such as MD5. All these methods have their advantages and perils. It’s up to the developer to decide which is best, depending on factors such as performance, importance, accessibility, etc.
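As an added illustration (not code from the site described in the post), the following contrasts the reset-token pattern discussed above, base64 over “email + random string”, with a hardened token that carries a random nonce, an expiry and an HMAC-SHA256 tag, so that altering the email field makes verification fail. HMAC-SHA256 is used here as the well-recognized mechanism in place of the MD5 the post mentions; the key, field separator and helper names are this example’s own assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def weak_token(email: str, nonce: str) -> str:
    """The pattern from the post: base64 is an encoding, not encryption."""
    return base64.urlsafe_b64encode(f"{email}|{nonce}".encode()).decode()


def weak_token_reveals_email(token: str) -> str:
    """No key is needed to read (or change) the email inside a weak token."""
    return base64.urlsafe_b64decode(token).decode().split("|", 1)[0]


def issue_token(email: str, ttl_seconds: int = 3600) -> str:
    """Hardened form: email|expiry|random nonce, followed by an HMAC tag."""
    expires = int(time.time()) + ttl_seconds
    payload = f"{email}|{expires}|{secrets.token_urlsafe(16)}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the email if the token is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token)
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # any edit to email, expiry or nonce lands here
        email, expires, _nonce = payload.decode().rsplit("|", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    current = int(time.time()) if now is None else now
    return email if current < int(expires) else None


def tamper_email(token: str, new_email: str) -> str:
    """Model the edit described in the post: swap the email field, keep the rest."""
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    _old, expires, nonce = payload.decode().rsplit("|", 2)
    return base64.urlsafe_b64encode(f"{new_email}|{expires}|{nonce}".encode() + tag).decode()
```

Against the weak token the swapped email is simply accepted; against the HMAC-tagged token `verify_token` returns `None` because the tag no longer matches the edited payload.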