Apr 2 2012

Microsoft MVP Award and my two cents

Category: tech NovoGeek @ 01:38

First of all, I’m really happy and proud to say that I’ve received Microsoft Most Valuable Professional (MVP) award for the third consecutive year. YaY!! I’ve received my first MVP award in 2010 under “ASP.NET” category and in 2011, 2012 under “Internet Explorer” category. Kudos to Microsoft which uniquely recognizes and values its experts through the MVP award program.

So, how to become a Microsoft MVP? Well, this is the most frequently asked question in most of the user group meets, email conversations etc. Fellow MVP and friend Vijay Raj wrote an excellent blog post on this which gives great inputs.

My MVP story:

My first encounter with an MVP happened through a series of email discussions 4 years back (January 31, 2008 2:52 PM to be precise! I was just 6 months old in the software field). At that time, AJAX start pages were highly popular and PageFlakes.com, a Web 2.0 mashup built in ASP.NET, created a revolution. I wrote a long mail to the owner of PageFlakes.com with lots of enthusiasm and many queries like how he built the awesome product, how I can be a techie like him etc. I didn’t expect a reply, but was overwhelmed when I saw his reply the next day. The owner was Omar Al Zabir (Microsoft MVP for 7 years!) and he replied to my mail with this interesting link: How to become a good developer overnight! (I strongly suggest you read this!!!)

Omar’s post had a strong influence on me and I was determined to work with passion (the MVP thing was completely out of my sight). I started with creating a web mashup something like PageFlakes in the next 4 months. Here it is! Though it wasn’t complete and rich enough, given my experience and knowledge, that was big and the learning I had was huge!! I felt like sharing my experiences and captured them in my blog. Also, I took my learning to the ASP.NET forums and helped developers who were struggling with similar problems.

Then came jQuery using which I rebuilt my mashup page (purely client side). I was learning and contributing extensively on JavaScript, AJAX, front end performance tuning, JS design patterns, jQuery plugins, browser compatibility etc. at forums, blogs, online events and MUGH for about 2 years. Suddenly, on 1st April 2010, I got a mail that I am a Microsoft MVP! Of course, I wasn’t alone throughout the journey and I was guided by amazing folks within and outside Microsoft. Thank you all for molding this wet clay!

The moral is, I worked rigorously with lots of passion and shared my learning, without worrying about “how to become an MVP”. Year on year, I maintained my consistency in learning and sustained sincerity without worrying if my award would be renewed. If Microsoft had not come across my profile, I wouldn’t have been an MVP, but I would still have my hard-earned learning with me, which is the key towards a bright career. If you are a new MVP, just don’t get sick and count days before your MVP renewal date (am not kidding!). There is a lot to life beyond an award.

By the way, if you too are passionate and find all this interesting and relevant, tweet me for any help. I still remember how much I looked for help.

My gyan for fellow/new/wanna-be experts:

In the past 3-4 years, the tech community has grown a lot. Thanks to Twitter/Facebook, which made tech communication across geographies easier. There are several passionate developers, new MVPs every quarter, promising community folks etc. whom I/we interact with. While many of you are doing it right, here are a few tips for those who are doing it wrong! (Strictly my personal opinions/beliefs and in no way related to the MVP award program.)

  • Focus on gaining depth and hands-on expertise in the technology/area of your interest. Don’t just be a news aggregator; there are enough social media sites for this purpose.

  • Please, please don’t try to impress existing MVPs, folks from Microsoft on Twitter/FB for the sake of award or other expectations. If you are an expert and contributing genuinely, Microsoft will find you and reward your efforts.

  • At any point of time, quality beats quantity. If you are writing, say, 365 blog posts/year all alone, you need to question the quality of your learning. There is enough documentation on “How to create a new ‘xyz’ application in Visual Studio” at MSDN. If you refer to MSDN articles, explain the same with screenshots and call it expertise, I pity your ignorance.

    Instead, build something which solves existing technical challenges or dives deep into a subject and show it to the world. It doesn’t matter if you write only 1 or 2 blog posts per month, but make sure your learning is rock solid and has good impact.

  • Microsoft is definitely one of the best employers to work for. However, don’t look at MVP program as an entrance to bag a job at Microsoft. Understand what you really want to do with the expertise you gained. Be patient, don’t be desperate and hasty.

  • Just because you want to be an MVP or you are a new MVP, you need not kill your instincts, become a fanboy and boast about Microsoft’s products/technologies. Stop that. Appreciate the good, help improve the bad.

  • You are/wanna be a tech expert and not a sales representative. Speak the internals and stop surviving on “new features in xyz language”. (E.g., if you love programming, at least know closures, continuations, callbacks, recursive programming etc. Learn Lisp or maybe Scheme and see how the ideas in them are related to the new features in C#. You will love your code.)

  • If you are working on Microsoft technologies/products, it doesn’t mean you should not work on open source ones. How many of you have appreciated the beauty of Git and GitHub? There are some brilliant projects on GitHub which you can fork/follow and learn from. Do you know that you can set up a full-fledged blog on GitHub for free using Jekyll (a Ruby gem) & Disqus?

  • Don’t convince yourself that you have read the entire material on a particular technology and you don’t have anything to do till the next version releases. Foolish! Just check the extraordinary and evergreen research going on at universities like Stanford, Berkeley, CMU. You will be amazed. When you are writing about HTML5 syntax in your blog, researchers are coming up with innovative ways of solving severe security flaws at the protocol level and giving you a simple syntax. Grow up and widen your learning.

Hope the post provided useful information and motivated you enough for gearing up to the next level. Let me know what you feel in the comments below. Happy learning!


Mar 17 2012

What web devs should know about the HTTP "Referer" header

Category: NovoGeek @ 11:15

Every HTTP request has a set of request headers which carry pieces of useful information from the client to the server. One such request header is the "Referer" header, which contains the address of the previous page from which the current page was requested.

For example, if you search for "HTML5" on Google and click on the first result (the link to Wikipedia's page), you are navigated to Wikipedia's HTML5 page and the "Referer" header contains the address of the previous page (i.e., Google's search results page). Check the details in the screenshot below of the IE9 F12 toolbar.

[Screenshot: IE9 F12 toolbar showing the Referer request header]

Over the years, the “Referer” header (the actual spelling should be “Referrer”, but it was misspelt in the spec itself :p) has been used in several useful scenarios.

Fun with referrer:

By using the “document.referrer” property in JavaScript, the address stored in the Referer header can be read. Using this, web pages of the Web 1.0 era displayed welcome messages, special offers, redirected to personalized landing pages etc.

// Greet visitors who arrived by following a link from another page;
// document.referrer is empty when no Referer header was sent.
if (document.referrer != '') {
    alert('Hey! Welcome from ' + document.referrer);
}

CSRF protection:

Cross-Site Request Forgery (CSRF) is a well-known web-based attack using which an attacker can make requests on behalf of the user. Leveraging CSRF, an attacker can construct GET/POST requests in a web page and make the victim open the page.

<!-- If this image tag is injected, it generates the below dangerous GET request -->
<img src="http://bank.com/funds/transfer?amount=10000&targetAccount=9876543210"/>

To defend against CSRF, the server has to differentiate between HTTP requests originating from a genuine user’s page and those from an attacker’s page. Protecting against CSRF is a well explored area and it has several defenses such as secret validation tokens, custom headers, the Referer header etc. In most cases, the Referer header is used to check if the request is from the expected domain and not from the attacker’s domain.

However, security experts have shown that the Referer header can be easily stripped (Kotowicz’s demo) in all browsers, and hence the majority of CSRF defenses depending on the Referer header will fail.

Privacy Concerns:

In the era of social networks and personalization, data has become the currency of the web. By looking at the Referer header, advertising networks can learn from which page a user has come to the current page and serve more relevant ads. This means the browsing habits of users are being exposed to the cloud (watch this Defcon video: How our browser history is leaking into the cloud).

Until recently, Facebook exposed the user’s unique Id in the Referer header, which caused serious concerns. Sites that are concerned about privacy prefer to strip the Referer header and stay safe.

Damn! What web developers frequently use in their requirements is in fact not a recommended practice! Solutions are coming up.

Origin Header:

Researchers at the Stanford Web Security lab proposed that a new header called the Origin header should be used to identify where requests come from. It differs from the Referer header in that it contains just the origin (scheme://host:port) and not the entire address of the previous page. So it removes the privacy concern and can be used as protection against CSRF.

As far as I’ve seen, Origin header is implemented in Firefox, Chrome as an experimental feature and needs standardization (needs further verification).

Noreferrer:

HTML5 introduces a new link type called “noreferrer”. When an anchor tag is decorated with the “rel=noreferrer” attribute, the pages which follow the hyperlink will not include referrer information in the header. This would pull down the privacy problem caused by the Referer header. As of now, no browser supports this ‘noreferrer’ attribute.

So, the takeaway is, the HTTP Referer header may be a handy option but it bears its own security and privacy problems and hence should be evaluated carefully. Instead, the Origin header would be an ideal solution which caters to the needs of web developers while respecting security and privacy.
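To make the CSRF and Origin discussion above concrete, here is an added example (not code from the original post) of a server-side source check: a Referer-only check that accepts requests with the header missing, beside a stricter check that prefers the Origin header, falls back to the origin part of the Referer, and refuses a request that carries neither. The site origin `https://bank.example` and the sample header sets are constructed for the example.

```javascript
// Added example: deciding whether a state-changing request came from our own origin.
// Header names are lower-cased, as Node's http module presents them.
const SITE_ORIGIN = 'https://bank.example'; // assumed origin of the protected site

// Naive check seen in many apps: allow the request when Referer is absent.
// Because the Referer header can be stripped, a forged request with no Referer
// passes this check unchallenged.
function naiveRefererCheck(headers) {
  const ref = headers['referer'];
  if (!ref) return 'allow';
  return ref === SITE_ORIGIN || ref.startsWith(SITE_ORIGIN + '/') ? 'allow' : 'deny';
}

// Strict check: Origin (scheme://host:port only) wins; otherwise reduce the
// Referer to its origin; if neither header is present, fail closed.
function strictOriginCheck(headers) {
  const candidate = headers['origin'] || headers['referer'];
  if (!candidate) return 'deny';           // no provenance at all
  let origin;
  try {
    origin = new URL(candidate).origin;    // drops path and query of a Referer
  } catch (e) {
    return 'deny';                         // e.g. the opaque value "null" or garbage
  }
  return origin === SITE_ORIGIN ? 'allow' : 'deny';
}

// Constructed sample requests for the funds-transfer endpoint from the post.
const SAMPLE_REQUESTS = [
  { label: 'genuine form post',   headers: { origin: 'https://bank.example' } },
  { label: 'genuine, old browser', headers: { referer: 'https://bank.example/accounts?id=42' } },
  { label: 'forged from attacker', headers: { referer: 'https://evil.example/csrf.html' } },
  { label: 'forged, Referer stripped', headers: {} },
];

// Returns one row per sample with both verdicts, so the gap is visible side by side.
function compareChecks(requests) {
  return requests.map(r => ({
    label: r.label,
    naive: naiveRefererCheck(r.headers),
    strict: strictOriginCheck(r.headers),
  }));
}

for (const row of compareChecks(SAMPLE_REQUESTS)) {
  console.log(`${row.label.padEnd(26)} naive=${row.naive}  strict=${row.strict}`);
}
```

The "Referer stripped" row is the case the post warns about: the naive check allows it, the strict check denies it. A Referer that the user agent deliberately omits will also be denied by the strict check, which is the trade-off a token-based defense avoids.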


Feb 21 2012

JSFoo Chennai 2012 – "JavaScript is mischievous. Handle 3rd party content with care!"

Category: NovoGeek @ 02:28

It is always exciting to attend a technical conference focusing on a particular theme, and even more so if you get the opportunity to present. Continuing their good run, HasGeek organized JsFoo Chennai 2012, India’s first JavaScript conference series, at IIT Madras Research Park. There were several interesting proposals made and mine got voted into the final schedule along with other awesome entries.

My session is about the security considerations one should think of while integrating 3rd party JavaScript content into their site (in other words, the security of web mashups).


Presentation: Click here

Demos: Recursive Mashup Attack and Clickjacking

Learning aside, the best part is, I’ve met several awesome passionate geeks, a few of whom I know on Twitter and a few I would never have met otherwise. Loved the event even more, since people working on different platforms and having good expertise in JavaScript came under one roof and discussed. Diverse opinions and lots of learning!!

For those who missed it, check the JsFoo site for videos of the sessions, which will be uploaded shortly. Also, here is an interesting review written by one of the attendees.
