scr.im: A new, cute way to fight spam?

I ran across a site called scr.im (http://scr.im/) today. In my personal opinion, it is an extension of URL shorteners (e.g. http://bit.ly/).

You basically enter your email address and it generates a shortened URL for you, with a simple mechanism that forces users to choose the matching text block, a simplified version of a captcha.

To see this in action, give mine a try: http://scr.im/jayzeng

When clicking the text block, a POST request is made:
captcha=E3M94&action=view&token=87735429e36a2256b62b5ed27de9eeda&ajax=y

Obviously, captcha is the name of the field whose value is the captcha text; token appears to be a text-based (possibly) MD5 hash (since it is 32bit and alphanumeric). My bet is that it is

md5(current time + salt).

From my quick attempt, it does not implement anything like

if (number of failures > predefined_number_attempts) {
  block_ip() OR user_has_to_wait(5mins);
}

This gives attackers the opportunity to brute force the site, which makes this service absolute nonsense.

Well, that is not exactly right: it seems to me this site is simply an attempt to explore a new way to reduce the amount of spam with little effort (and added complexity for end users).
Most users of this site will be individuals and/or small businesses. So even if the site is breakable, does anyone really care? It is only an email address that is intended to be shared with a group of interested parties.
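
The missing check sketched in the pseudocode above, written out as an added example (not code from scr.im or from the original post): a per-client failure counter with a 5-minute lockout. The class and function names, the thresholds and the sample client address are assumptions; a real deployment would keep the counters in a shared store with expiry rather than in process memory.

```python
import hmac
import time
from collections import defaultdict, deque

class CaptchaThrottle:
    """Lock a client out after too many wrong captcha guesses in a time window."""

    def __init__(self, max_failures=3, window=60.0, lockout=300.0, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock                      # injectable so tests can move time
        self._failures = defaultdict(deque)     # client -> times of recent failures
        self._locked_until = {}                 # client -> time the lockout ends

    def retry_after(self, client):
        """Seconds the client still has to wait; 0.0 if it may try now."""
        return max(0.0, self._locked_until.get(client, 0.0) - self.clock())

    def check(self, client, submitted, expected):
        """Return 'ok', 'wrong' or 'locked' for one captcha submission."""
        now = self.clock()
        if self.retry_after(client) > 0:
            return "locked"                     # the guess is not even evaluated
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(client, None)    # success clears the failure history
            return "ok"
        recent = self._failures[client]
        recent.append(now)
        while now - recent[0] > self.window:    # forget failures older than the window
            recent.popleft()
        if len(recent) > self.max_failures:     # number of failures > allowed attempts
            self._locked_until[client] = now + self.lockout
            recent.clear()
            return "locked"
        return "wrong"

def demo():
    """Constructed run: one client guessing against the captcha value 'E3M94'."""
    t = [0.0]                                   # fake clock, in seconds
    throttle = CaptchaThrottle(clock=lambda: t[0])
    client = "203.0.113.7"                      # constructed address (documentation range)
    out = [throttle.check(client, g, "E3M94") for g in ("AAAAA", "BBBBB", "CCCCC", "DDDDD")]
    out.append(throttle.check(client, "E3M94", "E3M94"))   # correct, but still locked
    t[0] += 301                                 # the 5-minute lockout has passed
    out.append(throttle.check(client, "E3M94", "E3M94"))
    return out

if __name__ == "__main__":
    print(demo())
```

While a client is locked out, even a correct answer is refused, which is what removes the value of guessing through the small set of choices.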

Validation of XML with XSD with C#

So you have seen the following warning message?

Warning 1 'System.Xml.XmlValidatingReader' is obsolete: 'Use XmlReader created by XmlReader.Create() method using appropriate XmlReaderSettings instead. http://go.microsoft.com/fwlink/?linkid=14202' filename.cs 225 13 MonitoringFramework

private static bool isValidXML(string sXmlPath, string sXsdPath)
{
	bool isValid = true;
	XmlTextReader xReader = new XmlTextReader(sXmlPath);
	XmlValidatingReader xValidator = new XmlValidatingReader(xReader);
	xValidator.ValidationType = ValidationType.Schema;
	xValidator.Schemas.Add(null, sXsdPath);
	try
	{
		while (xValidator.Read()){}
	}
	catch (Exception e)
	{
		isValid = false;
	}
	return isValid;
}

The above code produces the following warning:
'System.Xml.XmlValidatingReader' is obsolete

What is the solution? Below is my take on this problem

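// Requires: using System.Xml; using System.Xml.Schema;
public static Boolean isValidXml(string sXmlPath, string sXsdPath)
{ 
	bool isValid = true;
	try
	{                
		XmlReaderSettings settings = new XmlReaderSettings();
		// sXsdPath is a file path, so let the schema set load it by URI;
		// null means "use the targetNamespace declared in the schema".
		settings.Schemas.Add(null, sXsdPath);
		settings.ValidationType = ValidationType.Schema;
		// Validate while reading straight from the file. With no
		// ValidationEventHandler set, the first schema error throws.
		using (XmlReader rdr = XmlReader.Create(sXmlPath, settings))
		{
			while (rdr.Read()){}
		}
	}
	catch
	{
		isValid = false;
	}
	return isValid;
}

// Helper for a schema held in memory as a string of XSD text (not a path),
// e.g. settings.Schemas.Add(null, StringToXmlReader(xsdText)).
// Requires: using System.IO; using System.Text;
private static XmlReader StringToXmlReader(string input)
{
	return XmlReader.Create(new MemoryStream(Encoding.UTF8.GetBytes(input)));
}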

How to get file extension in C#

It looks like this is a fairly popular interview question, particularly for junior or entry-level .NET developer positions.

While there are tons of ways to do this, I am listing two common approaches.

  • The most common way is string manipulation:
    string file = "abc.xml";
    Console.WriteLine(file.Substring(file.LastIndexOf(".") + 1));
    
    /// Returns xml
    
  • .NET also has a native Path class that lets you get the file extension:
    /// Path.GetExtension returns the extension with a leading dot, so you may want to get rid of it.
    string file = "abc.xml";
    Console.WriteLine(Path.GetExtension(file).Replace(".", ""));
    /// Returns xml
    

Path also has a list of other handy file IO methods:

  • ChangeExtension(string path, string extension);
  • GetDirectoryName(string path);
  • GetExtension(string path);
  • GetFileName(string path);
  • GetFileNameWithoutExtension(string path);
  • GetFullPath(string path);
  • GetInvalidFileNameChars();
  • GetInvalidPathChars();
  • GetPathRoot(string path);
  • GetRandomFileName();
  • GetTempFileName();
  • GetTempPath();
  • HasExtension(string path);
  • IsPathRooted(string path);

More details are available at http://msdn.microsoft.com/en-us/library/system.io.path.aspx

Where is my Drupal login page?

I constantly forget the Drupal login URL. By default (unless you have built custom aliases), /admin will simply show a 403 (access denied) and /login returns a 404 (page not found), which is great from the security perspective.

The following are its login urls:
/user
/?q=user
/?q=user/login

For personal blogs and small company sites, a good security practice is to grant access to a group of whitelisted users and deny the rest. In case you don't know, you can easily achieve this in Drupal under administer -> user management -> access rules. Below are my access rules: I allow only myself and block everyone else, which is represented as a percentage sign (%).

[Image: drupal access rules]
