Saturday, January 12, 2013

Thank you Docomo. People should learn customer service from you

I do not usually write this kind of negative post. But I had to write this one.


This happened half an hour ago.

Tata Docomo has been deducting Rs. 1.50 daily from my account for the last 20 days or so. At first I thought it was the charge for a call, but later, when the same deduction showed up every day, I knew. Lazy as I am, I thought of complaining about it someday. And today, when the wifi went down for a few minutes, I had nothing to do, so I called them expecting to get a balance refund.
I live in Hyderabad. I understand only Hindi and English, but the IVR system started blabbering in Telugu (at least give a choice to select the language first). Somehow, after multiple rounds of trial and error, I pressed some button combination that connected me to customer care. He started off in Telugu even though I was using English.


Me: Hi, I am a prepaid user. I have been charged Re. 1.50 per day for the last 20 days for something I did not subscribe to.
CC: (blah blah in some language I did not understand)
Me: Sorry, I could not understand your language. Can you talk in either Hindi or English?
CC: Let me look... oh yes you have subscribed to Movies updates (he said something like that)
Me: (What the **** are you talking about. I do not even watch them) Listen, I have NEVER ever messaged the 5-digit numbers for any service activation in the 5 months I have been using your service, so how did it get activated? Nor am I getting any SMS updates for Movies (thank you very much for this).
CC: No sir, your record shows it is activated. That means you must have activated it.
Me: That means I cannot get my money back.
CC: No sir.
Me: (banging head against wall) Could you at least deactivate it?
CC: Yes. Do you want information for any other services?
Me: (forgive me for calling you) No thank you. Please deactivate this ASAP.
CC: Yes sir. It will be deactivated within 4 hours.

I email their nodal officer, but the email delivery fails, as the email ID given by Docomo only accepts mail from their own domain. So I need to change my job and go work for Docomo to lodge a complaint about their malpractices and shitty service.


Disappointed, I go for dinner, and after an hour or so I have a message waiting from C-Care. Expecting it to be the end of all this, I read it.

"Hi! You have been charged 50p for your call to the call center agent at 121."

Thank you Docomo. 

Wednesday, January 18, 2012

Best Indian television advertisements PART I (as far as I can recall)

Some of the better television advertisements. (I could easily recall these so I guess they served their purpose of creating an effect)

This has to come at the beginning. This was one of the few ads I still remember and could find easily on YouTube (it received a few awards too).











One of the best advertisement "series" ever created...luv you zoozoo :D



This one is not soo good but anyways...


Friday, November 4, 2011

Why you are always told not to trust the user

My last post was about six months ago, so here is one just to remind you that I am not dead yet.

First, let's begin with a short story. I once found a link posted as someone's Gtalk status (http://ebooks.bits-pilani.ac.in). It is a service that allows you to browse the whole collection of books of 24x7books.com. I assume this is yet another service that almost no one at the institution concerned would be using. What I found was that, instead of sanitizing the user input on the server side, it uses JavaScript to check the input string on the client side. I just do not understand: if you are taking the pain to check the input, why not do it correctly? So, as you might have guessed, this site is prone to SQL injection attacks. I guess the organization does not pay much attention to it, so it has not been corrected yet (even 4 months after it was reported). To check it you just have to disable JavaScript in your browser and use the super-n00b always-true statement, i.e. just use ' OR '1'='1 as the username and password, and you can read thousands of books for free [I have not browsed the site much, but I think almost all popular books are available as full versions, unlike Google Books]. Certain other things can be done too; for example, using a much more creative query and some trial and error over field names, we can get a reset-password link for a particular user whose user-id is known, using the forgot-password feature.


UPDATE (6 Nov 2011): It seems they have updated their code (or someone dropped the table :P ), so the noob query string no longer lets you log in. To view their query string, just disable JavaScript and use ' /-- as the username and leave the password field blank (yet another flaw: showing the user a stack trace and code instead of a useful error page).
Here is the query string they are using for authentication:
"select *from details where email='" + TxtEmail.Text.Trim() + "' and password='" + TxtPassword.Text.Trim() + "'"
But please do not try anything else (like DROP table :P)


Some xkcd fun :) (http://xkcd.com/327/)


Now the point is that sanitizing user input is no rocket science, and everyone knows that SQL injection is the MOST commonly exploited vulnerability. If there were ever a web security 101 course anywhere, it might even feature in its introductory class. Despite this, reports of apps being hacked due to this keep coming up. I believe the problem is that we are never told about these things in the beginning. I remember we had a subject, Java & Web Technology, where we had to make a web application as our assignment. Most of the people focused on the design and usability [OK, including me] and made a shiny little PHP+MySQL app, and nobody bothered to tell us about security and all that stuff.

So, where can you start learning about web security issues?
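
The authentication query quoted above, rebuilt beside a parameterized version. This is an added example, not the site's code: an in-memory SQLite database stands in for the real one, the sample row and the function names are made up, and the plaintext password column only mirrors the quoted query.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the quoted query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE details (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO details VALUES ('alice@example.test', 's3cret')")
    return conn

def login_concat(conn, email, password):
    """Same shape as the quoted query: user input is pasted into the SQL text,
    so a quote character in the input changes the structure of the statement."""
    sql = ("select * from details where email='" + email.strip()
           + "' and password='" + password.strip() + "'")
    return conn.execute(sql).fetchone() is not None

def login_param(conn, email, password):
    """Hardened form: the SQL text is constant and input travels as bound
    values, so it is only ever compared as data. Runs on the server, which is
    why disabling the client-side JavaScript check makes no difference."""
    sql = "SELECT 1 FROM details WHERE email = ? AND password = ?"
    try:
        row = conn.execute(sql, (email.strip(), password.strip())).fetchone()
    except sqlite3.Error:
        # Fail closed: log the details server-side, never show them to the user.
        return False
    return row is not None

ALWAYS_TRUE = "' OR '1'='1"  # the input string quoted in the post

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_concat), ("parameterized", login_param)):
        print(name, "| valid login:", fn(db, "alice@example.test", "s3cret"))
        print(name, "| wrong password:", fn(db, "alice@example.test", "nope"))
        print(name, "| always-true input:", fn(db, ALWAYS_TRUE, ALWAYS_TRUE))
```

The concatenated version also raises a database error on a lone quote character, which is what surfaces as the stack trace mentioned in the update when errors are not handled.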

1. http://code.google.com/edu/security/index.html  Some great videos here.
2. A course on the same page uses this http://google-gruyere.appspot.com/ A live web application where you have to actually find and exploit vulnerabilities. Very Cool stuff :)
3. http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf  Some text about how to validate input and prevent SQL injection.

....will continue on this topic in later posts.