Friday, April 27, 2007

IIMB PGSEM SOP

I have worked in the Indian software industry for the past seven years. Most of the Indian software industry is consultancy oriented and geared towards learning ready-made tools. But I was more interested in doing product design and development. In the year 2000 I joined the start-up team of Indegene Life-systems, working on hand-held device applications for the pharmaceutical and biotechnology industries.

During my stay at Indegene I designed and implemented the Health InterNetwork India pilot project (http://www.nhicindia.ernet.in) for the World Health Organization. This project was a pilot for the "bridge the digital divide" initiative and has been deployed in many South Asian and African countries. I was also instrumental in creating the platform for multimedia content delivery that forms the core of Indegene's revenue till date. From Indegene, I moved on to Oracle to work on their CRM suite, which had 400+ installations worldwide. At that time, ours was the only team in the Oracle India center with a full product. As a team, we stabilized the product and took it through two releases. My roles involved resolving customer issues, working with product managers and enhancing the product.

I joined Everypath, a provider of mobile business solutions, in September 2004. I was the first employee of the Everypath India office. I took an active part in setting up the office and recruiting the core team. At that time Everypath was the only company offering a web-development-like stack for mobile devices. Even today, a quick Google search would reveal the kind of market expectations we had generated. Our team in India created applications for Pocket PC and BlackBerry that were deployed by enterprises across the US, UK and Japan. At this point, my primary responsibilities were twofold. The first was working with customers and gathering their requirements. The second was designing the applications according to customer requirements in tandem with the development team.

I was responsible for creating the mobile Field Service Application (FSA) product. Everypath was a privately held company and it folded in December 2005 when the board decided to pull the plug after running into legal issues. For a while, I was working to support the mobile FSA product in Japan. From there I switched to America Online (AOL), taking charge of development of the embedded chat project. Embedded chat provides the backbone for real-time multi-party text and voice applications like AIM, ICQ and AOL client chats. AOL was trying to open its services to the world and contemplating a move to an open source stack and commodity software.

Now, moving the embedded chat project to commodity software with web browsers as the user application was a technological challenge because it is a real-time streaming application. Previous attempts by AOL US to move to an open source stack had failed. After joining the project, I designed the new architecture and led a team of 5 people who moved the product successfully into production using open source components.

When I look at my career so far, I have been working in an engineering setup with small teams. Teams creating products and solutions are typically smaller, and that is true of all my teams. There were interactions with people from different walks of life, but they were limited to product requirements gathering. But most important of all, I was always the executor and never the planner. Requirements were always handed out to me; I never planned them. Now I am at a crossroads where I need to interact with people in marketing, sales and other departments.

The scope of my interaction is increasing, and so far I am well equipped to interact with one type of people only. This is one need I feel. The other is to increase the scope of my work. So far all my work has been "direct involvement" with small teams. I know how to do what they are doing, and that is how I am able to come up with estimates and guide my team. But I cannot hope to know everything, and I have to work in situations where direct involvement is not possible. I need to develop this skill to guide a team comprising different skills that I may not know. That would be required to lead big teams and get involved in planning.

Somewhere down the line, I want to start my own company and I believe these skills would be required. I also hope to network with interesting people during my classes. Finally, education holds a value of its own to me, and this course provides a nice opportunity to continue my education.

Wednesday, April 18, 2007

Usage of encryption/decryption and one way hashes

Everyone knows terms like one-way hashes, digests, MD5, encryption, decryption etc., but not all people understand the nuances. What people understand is that you want to hide a message, so you change the original message into a more difficult-to-read form. But as an application developer, when do we need to use encryption/decryption and when do we use one-way hashes?

You use one-way hashes when you never want to unscramble the original message again. Think of authenticating users. You only want to compare the user-supplied password against what is stored in your database. So you first take the user-supplied password (when the login was created), apply a one-way hash function on it (like SHA-1) and then store the hashed result in your database. When the user logs in again, he supplies his password in plain text. You take the user-supplied plain-text password, apply the same hash function on it and then compare the result of hashing against what is stored in your database.

So schematically, at the time of login creation:

  • plain text password = P
  • F(P) => apply one way hashing function F on P
  • store F(P) in database

When the user logs in again, he supplies plain-text password Q; then F(Q) should match F(P).

So here we do not compare P against Q; we always compare F(P) against F(Q). Now you can see that we are open to dictionary attacks in this scheme: I can guess your password, run it through the well-known hash function and compare the result against what is stored in the password database.

To foil such attacks we introduce something called a salt. A salt is a sequence of random bytes, hashed and stored with the original password. The hashing function makes use of the salt during hashing, so when given password P, we also generate a salt S and then store S and F(S,P) together in the database. If someone is now guessing our passwords, he has to take the salt into account as well.

Remember, we never talked about retrieving the original messages, i.e. the plain-text passwords. Now where do we want to use encryption/decryption? We typically use them when we need to hide some data from prying eyes but still need the plain-text form inside our application. Say, given a message M, we can generate the encrypted message E(M) and store or display E(M) instead of M. When our application needs to read M, we apply a decryption function D on E(M):

  • D(E(M)) = M
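The two schemes side by side, as an added example that is not code from the original post. It covers both the salted password store (S and F(S,P) kept, P never kept) and the reversible D(E(M)) = M case. Two substitutions are this example's own choices, not the post's: F(S,P) is PBKDF2-HMAC-SHA256 rather than a bare SHA-1, and E/D is a small authenticated stream cipher built from HMAC-SHA256 so that the block runs with only the Python standard library. All sample passwords, keys and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# ---- One-way hashing: store S and F(S, P), never P -------------------------
# The post names SHA-1 as its example F. Here F(S, P) is PBKDF2-HMAC-SHA256,
# a salted and deliberately slow construction; that substitution is this
# example's choice, not the post's.
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def unsalted_hash(password: str) -> bytes:
    """The post's first scheme, F(P): bare SHA-1 with no salt.
    Kept only to show the weakness: equal passwords give equal records."""
    return hashlib.sha1(password.encode()).digest()


def create_login(password: str, salt: Optional[bytes] = None) -> dict:
    """Generate salt S and return the record {S, F(S, P)} to be stored."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_login(record: dict, candidate: str) -> bool:
    """Recompute F(S, Q) with the stored S and compare it with F(S, P).
    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


# ---- Encryption / decryption: D(E(M)) == M ---------------------------------
# Toy authenticated cipher from standard-library primitives: keystream =
# HMAC-SHA256(enc_key, nonce || counter) in counter mode, XORed into M, then
# an HMAC tag over nonce || ciphertext (encrypt-then-MAC). It illustrates the
# reversible property; real applications should use AES-GCM or
# ChaCha20-Poly1305 from a vetted library instead.
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from one master key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, message: bytes, nonce: Optional[bytes] = None) -> bytes:
    """E(M): returns nonce || ciphertext || tag. A fresh nonce per message
    keeps the keystream from repeating under the same key."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = bytes(m ^ k for m, k in zip(message, _keystream(enc_key, nonce, len(message))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """D(E(M)): verify the tag first, then undo the XOR. Tampering or a wrong
    key fails closed instead of returning garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


if __name__ == "__main__":
    # Constructed sample data; nothing here comes from a real system.
    rec = create_login("correct horse battery staple")
    print("login ok:", check_login(rec, "correct horse battery staple"))
    print("wrong pw:", check_login(rec, "Correct horse battery staple"))
    # Two users choosing the same password get different records when salted,
    # but identical ones under the post's unsalted F(P).
    print("salted records differ:", create_login("hunter2")["hash"] != create_login("hunter2")["hash"])
    print("unsalted records equal:", unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    key = os.urandom(32)
    blob = encrypt(key, b"account balance: 42")
    print("round trip:", decrypt(key, blob))
```

Two points the schematic above leaves implicit. First, the salt is stored next to the hash in the clear, so what it buys is not secrecy but uniqueness: a precomputed table of F(P) values no longer matches any record, and two users with the same password no longer share a record, so each guess has to be hashed again per user. Making F slow (the PBKDF2 iteration count here) is what raises the cost of that per-user guessing. Second, `decrypt` checks the tag before it touches the ciphertext, which is why a modified blob or a wrong key raises instead of yielding plausible-looking bytes.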
© Life of a third world developer
Maira Gall