Interview of Ajin Abraham

Infosec has always fascinated me. After I wake up from my occasional slumber, I always look around to see if I can identify someone to admire (maybe it is the hero-worshipper in me). Of late, I have focused on identifying people whom I like in infosec. I then pester them till they agree to give me an interview. I then post them questions over email, and they, well, respond over email. That’s how it works.

Today’s interview is with @ajinabraham.

I like Ajin Abraham because he hasn’t wasted much of his time in identifying his field of choice. Maybe that is the reason his body of work is so impressive (and he is young, so he has time on his side as well). So, without further ado, let’s talk to Ajin.

1. What is your online handle / real name (depending on your preferences)?

My online handles are ajinabraham or xboz in the dark past :).

2. What do you do for a living (company name not required, role / nature of work is preferred)?

I am a freelance security engineer. I do security engineering, which includes developing security tools and security algorithms, pentesting mobile and web apps, code reviews, etc. Apart from these I do applied security research and publish the outcomes at multiple security conferences. Also, I run an e-learning platform called OpSecX for security education, and once in a while I do hands-on live security trainings at security conferences.

3. Can you describe your journey in application security so far?

During school days, I was always curious about how games, software and operating systems work. A teacher at school understood my fascination with computers and she taught me VB.NET. Unlike many others, I never started in C/C++ but instead in VB.NET and Microsoft FrontPage. I feel good about that now. At that age, everyone found C very boring and primitive. .NET and FrontPage offered a great GUI experience and you could build a real application rather than printing the Fibonacci series.
It was applied programming that allowed me to create the things I imagined with ease. I could never have done anything better with C at that time, or understood the beauty of application development, if it had not been for .NET. Eventually my curious mind took me to the internals of applications, where I started reversing to understand the inner workings. The more I understood how applications work, the more I was able to use them in ways they were not intended to work. Later, with the help of Google and StackOverflow, I learnt a great deal about security and engineering. I wrote security tools and published my research in the 2nd year of my Bachelors. Over the years I found that there is a career aligned with my passion, and later got hired as an Application Security Engineer during the final year of my B.Tech.

4. What were the challenges in your journey & how did you overcome them?

Today there is an active community and there are security folks to guide someone in the security field. It was not like that when I started. The only help I had was Google and, later, StackOverflow. It was difficult for me to understand the concepts, as I jumped directly into things before grasping the fundamentals. Over time and with experience I learned that I had to make my basics strong and clear. That’s when I started to learn everything from the fundamentals. It helped me a lot to understand things in depth.

5. What are the most important things that you want to focus on in coming years?

* Travel and explore the world and cultures.

* I am a petrol head, I love anything that revs. More drives and rides.

* Keep my security knowledge updated. This is a rapidly changing field.

* Write more open source security tools, maintain the existing ones

* Do more application security research.

* Share what I have learned through trainings.

6. What, in your opinion, will be most in-demand things from an application security standpoint?

Skilled personnel. We have everything in large quantity but the quality is not that great. Even though I am not a fan of AI, it seems that Machine Learning and AI promise a lot of advancements in this field. But we need skilled people to implement this in the first place. In India, Application Security is always viewed from a job perspective and most people don’t give importance to applied research and the academic side of it.

7. What, in your opinion, should the industry focus on?

Hire people based on skills rather than years of experience and certifications. Also create opportunities to build up quality resources over quantity. Promote application security research and develop that culture right from college or school.

8. Where do you see the application security industry heading to?

Application Security is fairly new compared to other branches of the security domain. I don’t know what we will have in the coming future, but as more and more things move to the cloud, we need solutions to defend them. Eventually we will have huge data sets, which will definitely help machine learning solutions perform better with higher accuracy. I am as excited as you are; let’s wait and watch.

9. How can one become an expert in your field (not security in general, but the work that you are doing currently)?

Rule 1: Passion or interest is what keeps you going forward (don’t start if you don’t have it).
Rule 2: Give it time and patience.
Rule 3: Always start with the fundamentals.
Rule 4: Always learn, unlearn and relearn.

10. Do you think bug bounties help?

I don’t personally like bug bounties as for me I found it a waste of time.

But it has couple of sides.

The good thing is it helps companies to save a lot on their budget for security, spend less but get applications tested by a large crowd.

For the participants it’s a good way to make money.

In the security industry, there is a new breed who call themselves bug hunters / security researchers / experts after finding a few low-hanging vulnerabilities in web applications. Some of them don’t even know how applications work. They don’t know how the vulnerability occurs, how to fix it or how to report it professionally. Some of the bug bounty reports are hilarious (

I really admire and appreciate those 1% bug hunters who do real nice job, the guys who know their stuff. But others are pure disgrace to the industry. I am sorry to say it, but that’s the truth. This is what google says about their bug bounty program “Approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security,”.

11. What is your vulnerability disclosure policy (ignore if not applicable)?

I used to do aggressive full disclosures in the past but currently follow a 30-day disclosure policy, with a few exceptions.

12. In the wake of PRISM, and other monitoring activities that are taking place, do you think Internet usage will decline? Reasons?

I don’t think the usage will decline. The interesting fact is, most Indians don’t really care about Personally Identifiable Information (PII). I haven’t seen that culture of defending privacy in India much.

13. What, apart from your regular work, are you doing in the field of information security (any open source work, tool, etc.)?

I do a lot of open source work, you can find it here:
Also, I occasionally blog about my research outcomes here:

14. What do you advise the newcomers who want to hop on to the information security bandwagon?

Start from the basics and fundamentals; learn how things work.

Always try to learn things by yourself. Ask only when you are really stuck. There is a great difference between learning and understanding something by yourself and having someone explain it to you.
Use Google and StackOverflow.
Explore, for there are no limits.

{ctrl+z} My Interview :: Here’s what I should have said

So, after a long time, I finally broke my jinx of not updating my blog! I hope to keep updating it more often now.

Life is a collection of memories. If you don’t have memories, you don’t have a life (which means you are dead. That is why Shiva, the lord of death, is also called “smarahara”. “Smara”, incidentally, is a Sanskrit word with two meanings: it refers to Kamadeva, the god of love, and it also means memory. Amazing language, isn’t it? But I digress). My information security career has also gifted me many memories, one of which is this interview. I didn’t like one of my responses during the interview and I kept going back to it, for some reason.

I finally got the reason (or so i think). This LinkedIn post is an introspective attempt to articulate that reason. Please find a reproduction of the same below: –

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Being the thick-skinned guy that I am, I usually don’t like to admit mistakes. Scratch that, I NEVER like to admit mistakes. However, there are instances when one, during introspective phases (I know, it is a big word, yippee-ki-yay, MS Word 2013), identifies one’s mistakes and what one could have done instead, rather than the how-could-I-do-it and wish-they-would-forget-it type of thing.

So, during one of those ‘aha’ moments, I realized a mistake that I happened to commit during one of my interviews.

The Question

Around the end of an interview, one of the interviewers asked me this question:

“If you had unlimited budget, what would you have done to improve your organization’s security posture?”

Now, on the face of it, this is a pretty open ended question that allows you to articulate some of the key controls / strategies that you think would add value to an organization’s security posture. This question also allows an interviewer to probe the mind of the person who is being interviewed to gauge his priorities. AND, this is also the sort of question, the response of which, will open you up to scrutiny.

My Answer

When I faced the interviewer, I was on my way from being a regular ISMS (information security management system) professional to a higher plane, by establishing a SOC (Security Operations Center). I was then struggling to handle incidents with limited resources and skills (more on skills and competencies in a later post), so my response was a reflection of my struggles:-

“Given unlimited budget, I would like to invest in a tool / technology / process which ensures that infected machines are isolated as soon as they are identified. Also, I would like to be able to analyze them faster”.

How wrong I was!

An organization’s security posture depends on the following triad:-

People, Process, Technology

People — The most important thing in the triad. If people

(a) don’t have an understanding of the information that they have and its value and

(b) don’t want to secure it (for a variety of reasons; surprisingly, deliberate espionage comes near the bottom of the list), you will not be secure no matter how many processes and technical measures you have.

Think of all the passwords that have been shared and all the intellectual property lost through people, and you will get the drift of what I am trying to say. Awareness sessions on information security do’s and don’ts, communicating any process change to everyone it affects, and assessments (both online and behavioural) that gauge how people treat information security when no one is watching are some of the things an organization can do to make sure that people play their part in keeping information secure while handling it. All information security branding activities would also come under this heading: posters, quizzes with giveaways, and so on.

Process — I can never tire of saying this “The way you handle information will dictate how secure you can make it”. Please refer to this post to know more about my thoughts on this.

Technology — All technical gadgets worth their salt (e.g., DLP, SIEM, IDS / IPS, Firewall, etc.).

So, while technology is important, information security is inherently a people and business problem. It is perfectly possible to implement a cost-effective ISMS that is aligned to the business and it is equally easy to botch it by blindly implementing “best practices”.

What I should have said

“Given unlimited budget, I would invest in security awareness at all levels, coupled with good detection tools, a superb DLP tool, and a capable incident response team”.

Now that would be a better answer, don’t you think?

Client Data Security — Why and How

I have finally decided to break the jinx of not keeping my blog updated. I shall update it once a week. Here’s the post for this week.

In today’s fast-changing business world, security regulations are pervasive, so much so that every new project (whether in the same geographical region as the client or a different one) brings a whole set of laws to comply with, to the letter, as far as client data is concerned. Anything the law misses is covered in the contract.

The next question is: why do clients put these clauses (related to the privacy of their data) in their contracts?
They put them there because if the information leaks or gets modified, the client stands to suffer monetary and intangible losses (lawsuits, government fines, a damaged image, lost clients, etc.).

Hence, in order to make sure that we understand and commit to the security and privacy of client information, they put the relevant clauses in the contract.

Bottom line — client data is sacred, and any security issue related to it can come back to haunt us (legally and otherwise). Hence, it makes business sense to protect our client data.

This poses some challenges.

The challenge is that no one in their right mind would want to put client data at risk. However, by virtue of our work and our focus on it, security sometimes takes a back seat. This shows in our activities (we can also call them habits, as they keep happening from time to time). Some of them are (the list below is indicative):-

1. Noting some crucial information on a piece of paper and leaving it in a public place;
2. Sharing password so that any client information that you have is now easily accessible to others;
3. Not keeping your anti-virus software updated;
4. Clicking on a link in mail without checking it first;
5. Discussing/sharing sensitive client information with people who do not need it to do their work;

Human beings are creatures of habit. Habits are very important in security. If I have a habit of sharing my password, there is a high chance that people near me (with good or bad intentions) can get access to it; further, if I have a habit of not locking my machine when I walk away, it is possible for someone to look at crucial information (the client’s or my own) and make use of it.

Below are some habits that are found to be helpful in increasing the security quotient of a project, and should be used by all to ensure that we do not compromise the security of client information:-

1. Secure your passwords
 While it is not always practical to remember a password that resembles Garnier Fructis (Long and Strong), one should understand that once you put sensitive information like a password anywhere other than your brain, you have to protect it, lest it get into someone else’s hands.

2. Do not share your passwords
 Once a password is shared, it is no more yours. If you have to share it (due to project requirements), make sure that you do not re-use that password for any other purposes and that you change it as soon as possible.

3. Keep your anti-virus software updated
 While anti-virus software is usually set to auto-update by default, it pays to be vigilant and update it manually if an update fails (e.g., due to bad network conditions).

4. Be careful while clicking a link
 Most malware (viruses, trojans, worms, etc.) needs your help (unwitting, of course) to get onto your machine. We provide that help by clicking on a link without checking it first, and the bad code lands on our machine.
Always check a link (by hovering the mouse over it, not clicking) before clicking it. If it points somewhere other than what its text suggests (e.g., a raw IP address, or a misspelt or look-alike domain), do not click it.

5. Do not share client information with anyone who does not need it
 Now this is tricky! How to find out if the person who is asking it needs it? A rule of thumb is — if the person does not belong to your project and is not authorized by your respective manager / superior, he/she should not have that information.

6. Lock your machine while leaving it unattended
 Leaving your machine unattended is a dangerous habit, as almost all our access rights and privileges are attached to the identity logged in on that machine. As one moves up the corporate ladder (and sometimes depending on the project requirements), one gets access to information that is confidential in nature. The habit of leaving the system/desktop/laptop unattended and unlocked may prove disastrous (think of someone stealing a file that your VP sent for your eyes only)!

Bait for Your Identity

I overheard this interesting talk last sunday while harassing some poor developer to close an NC, have a dekko. But before that, a very short intro of the characters.

Character #1 — Baba Gyandev, aka if-google-had-a-body-this-would-be-it, BG in short

Character #2 — Baby Busy, aka this-will-never-happen-to-me, BB in short, BG’s follower#1

Character #3 — Paranoid Pandu, aka even-my-breath-should-be-encrypted-to-save-it-from-sniffing, PP in short, another follower of BG

Context — BG and his disciples are in a very good mood. BG is happy because of planetary alignments, BB got a good appraisal recently, and PP just bought the latest encryption software for his laptop. More than that, they are happy because their bodies have been treated to the best seafood meal they have had in recent times.

BB — This place is good, we should come here more often.

BG (after a big gurgling sound escaping the deepest corners of his intestine, making everyone else in the restaurant look for cover) — Yeah, fish is good.

BB — I don’t know why some people have devoted themselves to anti-fishing causes on the Internet; it is not as if we are trying to finish off all the fish!

PP — That was not this fish, BB, it is called Phishing, and it is very dangerous.

BB (with some alarm on her face) — Oh!

BG — PP, please do not terrorize her. BB, while it is true that phishing is a concern, it can be managed by some very easy-to-do things.

BB — Baba, please tell me more about this. What is this about?

PP — It is about stealing your identity.

BB — My identity? What identity?

BG — Bhaktjano, it’s not the identity that all of us are always looking for, inwardly (who am i? What am i on this earth for, stuff like that). I can talk about it more over seafood in Taj Banjara. The identity, that we are talking about now, is that of us on the information superhighway called Internet.

BB — Identity on Internet? What is my identity on the Internet?

PP (with some irritation) — Don’t you have a facebook account? Or yahoo/aol/hotmail/gmail ID? Or any other ID on any other website (irctc/icici/sbi/any-other-bank)?

BB — So what? Those are just login IDs, not my identity, Mr. know-it-all!

BG — Please don’t fight, kids. BB, in today’s online world, everything is connected to everything else on the Internet. You can share content from one website on another, e.g., share an online article or a review of the latest movie from some news site on your Facebook account; you do a lot of financial transactions online. All of this requires that those sites know you. They give you login IDs so that they can recognize you the next time you log on. So, all these IDs that we have online constitute our online identity. It is what we are and how people will recognize us when online.

BB — Yeah, i remember opening a recurring deposit account online in ICICI. They neither made me write a letter nor call me for an approval. I started it online and it automatically deducts money from my account every month.

PP — That was because they knew it was you, because they knew the login ID belonged to you.

BG — Correct. But now, the issue is that crime always follows money. Bad people have realized that many (if not all) transactions happen online now, so it makes sense for them to somehow get hold of those IDs and passwords.

BB — Hmmm….. Baba, how do these people do it? Where does Phishing comes into picture?

BG — They will create copies of the well-known websites, with similar spellings, and put them online. Then they wait for you to land there.

PP — They do not always wait for you to come; they try to lure you to it. Remember that LinkedIn invitation that you said you had got from me? And the Facebook invitation from your husband?

BB — Yeah, i do. I also remember that you had a look and then asked me to delete them and not to click on any link in that mail.

PP — Because it was SPAM, meant for anyone who would believe it and click on it, thereby landing on the fake site. The person then provides his actual user ID and password, and then, la-la land!

BB — How to stop it?

PP — These people are a reason why i am very skeptical while online. I don’t trust Internet!

BG — PP, in that case, stop buying houses because the land mafia may take them over, stop buying gold or silver ornaments because they can be stolen, stop carrying money in your pocket because it can be, well, picked. And while you are at it, stop living (PP looks at BG in shock) because there are criminals out there who murder for a living.

BB starts laughing.

BG (with increased calmness) — Just because there are some issues with a technology or a facility, you don’t stop using it. At least not when you get so many benefits from it. More so when you can save yourself with some common-sense tips.

BB — Please give me some tips so that i can save my identity online.

BG — the first step – don’t click on any link blindly. Check it before clicking on it. Is it pointing to what it says it would?

PP — A link to facebook should not go to some random site like

BG — True. In the lower left-hand corner of most browsers, you can preview and verify where a link is going to take you. Always check before clicking.

PP — Also, look at the language of the mail.

BG — In other words, do not click on links within emails that ask for your personal information.

PP — True. Actually, no organization in its right mind would ask for it in mail. If it does, there is something ‘phishy’ there.

BG — Never enter your personal information in pop-up windows.

BB — What is wrong with pop-ups if it comes up after the original site has loaded? It means it has come from the site, right?

PP — Not necessarily. Sometimes a phisher will direct you to a real company’s, organization’s, or agency’s Web site, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.

BB — Means, i should never give confidential information in pop-ups.

BG — Correct. Also, phishing doesn’t always need Internet.

BB — ?????

BG — You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.

PP — If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information.

BG — In other words, don’t give (or offer to give) your account ID and password to some guy over phone just because he claims to be from IT-Support. I know you did that yesterday.

BB (blushing) — That was because I needed some document very badly but was not able to log on to my machine. I had raised a ticket too.

PP — How do you know that this guy called because of that ticket? I was there too, and you did not verify his identity.

BB (getting a little angry) — There is nothing interesting in my account, even if the user gets the password.

PP — Yeah, true, but you re-use passwords, right? Which means one password of yours can open many of your accounts!

BG — Actually, it is not just a matter of having something interesting in your account. Once your account is compromised, it will be used by bad people to lure your friends and contacts.

PP — For example, if I get your Twitter / Facebook / Gmail ID, I can just ask your friends for a little money (I can guess who your friends are by looking at your past activity), and if they are like you, they will transfer the money first and call later. And that is just for starters.

BB is silent.

After some time, BB breaks the silence.

BB — So what should i do to stop it from happening?

BG — Be suspicious if someone contacts you unexpectedly and asks for your personal information. It could be in any form (online or offline), but ultimately you are responsible for your information. Keep it secure!

PP — You can also keep changing your passwords regularly and use security features available with major sites (like two factor authentication of gmail, privacy features of facebook, etc.).

BG — Keep your browser and operating system updated and secure because many phishing attempts are hidden in viruses and other bad code.

BB — Baba, what if i accidentally gave some information? What should i do then?

BG — Contact related officials immediately and inform them.

PP — for example, if you accidentally gave your banking related information, then contact the bank immediately. In case of an online account, change the passwords immediately and notify the website.

BB — Thank you, BG and PP.
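The hover-before-you-click rules come up twice on this page: in the "Be careful while clicking a link" habit of the Client Data Security post above, and in BG and PP's advice here (look at where the link really goes, distrust raw IP addresses and look-alike domains, and check that the link text matches the destination). The following is an added example, not code from either post, that automates those checks over the anchors in an HTML mail body. The sample message, every host in it (203.0.113.7, account-verify.example, secure-icici.example) and the brand-to-domain table are constructed for the example, and the registrable-domain logic is a deliberate simplification that a real checker would replace with the public suffix list.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one link that fails the "look before you click" rules.
type Finding struct{ Href, Text, Reason string }

var (
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href\s*=\s*"([^"]+)"[^>]*>(.*?)</a>`)
	tagRe    = regexp.MustCompile(`(?s)<[^>]+>`)
)

// brandDomains maps a brand name to the only domain it should link to.
// Constructed for this example; list the sites your own users log into.
var brandDomains = map[string]string{
	"facebook": "facebook.com",
	"icici":    "icicibank.com",
	"linkedin": "linkedin.com",
}

// registrableDomain reduces "www.secure.facebook.com" to "facebook.com".
// Deliberately naive (assumes a one-label public suffix); a real checker
// would consult the public suffix list so that "bank.co.in" works too.
func registrableDomain(host string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// hostFromText returns the host named by the visible link text when the text
// itself looks like a URL or domain ("www.facebook.com/login"), else "".
func hostFromText(text string) string {
	t := strings.TrimSpace(text)
	if !strings.Contains(t, "://") {
		t = "http://" + t
	}
	u, err := url.Parse(t)
	if err != nil || !strings.Contains(u.Hostname(), ".") {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// CheckLinks applies the hover-before-you-click rules to every anchor in an
// HTML mail body: no raw IP hosts, the link must go where its text says, and a
// host that merely contains a brand name ("facebook.com.verify.example") is
// not that brand.
func CheckLinks(htmlBody string, brands map[string]string) []Finding {
	var findings []Finding
	for _, m := range anchorRe.FindAllStringSubmatch(htmlBody, -1) {
		href, text := m[1], strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		u, err := url.Parse(href)
		if err != nil || u.Hostname() == "" {
			continue // relative or mailto: link, nothing to compare
		}
		host := strings.ToLower(u.Hostname())
		reg, textHost := registrableDomain(host), hostFromText(text)
		switch {
		case net.ParseIP(host) != nil:
			findings = append(findings, Finding{href, text, "link points at a raw IP address"})
		case textHost != "" && registrableDomain(textHost) != reg:
			findings = append(findings, Finding{href, text,
				fmt.Sprintf("text says %s but link goes to %s", textHost, host)})
		default:
			for brand, legit := range brands {
				if strings.Contains(host, brand) && reg != legit {
					findings = append(findings, Finding{href, text,
						fmt.Sprintf("host imitates %s (registrable domain is %s, not %s)", brand, reg, legit)})
					break
				}
			}
		}
	}
	return findings
}

// sampleMail is a constructed lure, not a real message; every host in it is
// made up (203.0.113.7 is a documentation address).
const sampleMail = `
<p>Your friend invited you to connect.</p>
<a href="http://203.0.113.7/login">Accept invitation</a><br>
<a href="http://www.facebook.com.account-verify.example/login">www.facebook.com/login</a><br>
<a href="https://secure-icici.example/netbanking">Log in to <b>ICICI</b> netbanking</a><br>
<a href="https://www.facebook.com/n/?invite=1">View on Facebook</a>
`

func main() {
	for _, f := range CheckLinks(sampleMail, brandDomains) {
		fmt.Printf("%s -> %s\n", f.Href, f.Reason)
	}
}
```

Run against the sample, the three lures are reported (raw IP, text/destination mismatch, brand name buried in a stranger's domain) while the genuine facebook.com link passes. The checks are the same ones BG describes doing by eye; the value of writing them down is that a mail gateway can apply them to every message, and that the brand table makes explicit which domains your users are actually expected to reach.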

OpenSAMM — Part 01

This is part of a series of presentations that i am going to create for explaining an open secure SDLC maturity model, called SAMM aka OpenSAMM. Click here to view the presentation.

Disclaimer — This is NOT an original work. I have taken help from the official presentation and some other articles/presentations available on internet. I regret that because i forgot to keep track of the sources, i cannot credit them properly in the presentation. However, if i get any information about the source, i will update this presentation with the credits. Would request people to get back to me if they have information on the sources.

Although it is generally believed that security should be built in rather than patched on after development, very few companies give it a try, for one or more of the following reasons:-

  1. There is little explicit demand (after all, my customers are not saying they want security, why should i bother? If i put some investment and cannot get it back, it’ll be bad for business, won’t it?);
  2. As a corollary to the above point, clients probably worry that if they demand security, maybe they have to pay for it (in terms of additional efforts and hence cost);

However, with the SEC demanding that companies disclose “potential” security breaches (which, apart from making companies take notice, lets us compliance professionals take a little sadistic respite in the fact that we will be in slightly more demand 😉 ), I think companies had better start demanding security in their applications (at least those that come under the purview of the SEC).

OpenSAMM (or SAMM) is a maturity model that helps gauge how mature an organization’s secure SDLC implementation is. It also provides a benchmark against which similar efforts in different organizations can be compared. In retrospect, isn’t this how ISO propagated (capitalism, anyone?)? Business-wise, I think it makes perfect sense to demand security from a service provider and then benchmark it against other vendors; it makes ROI sense.

I gave this presentation at an OWASP Chapter Meet. Hope to finish the entire series in a couple of months. Watch this space for more!

ISO 27001 : A Business View

Hi People,

I am back after a long lethargic break. Before I go back into hibernation (I can promise that I will be regular from now on, but people who know me will differ, and I don’t blame them either, but I digress), let me share a presentation that I did for a NULL meeting (what? You don’t know NULL? Shame on you! Go and Google it; on second thought, read this first and then go, because I am not sure you will come back!).

Please visit this Google Presentation and share the feedback. My take is:-

ISO 27001 is a standard which provides a structured, step-by-step approach to solving many security problems, most of which do not involve technology.

I have taken some examples to illustrate events that technology will need some years to solve. Using a methodology such as ISO 27001, however, helps us secure, and keep secure, our information and the infrastructure that supports it.

Sach Ka Samna — Some InfoSec. Myths, Busted

OK, I am not Rajeev Khandelwal, but like our world, information security has its own share of myths that, over time, have gathered quite a collection of believers and masked the truth. This article is an attempt to bust a few of them.

Long passwords means secure system

Long passwords mean one thing: I will write it down somewhere!

No, seriously. How else would I remember it?

Does that mean we should shorten our passwords? Not really. God is (as has always been) in the details.

What it means is that we have to be careful while choosing a password. Keep it easy to remember, yet tough for others to guess (yeah, all the best!). It also means that every time we choose to write it down somewhere, we are on our way to making our system insecure.

Oh, I almost forgot the mother of all password mistakes — sharing it with others!

Security is a trade-off. Be careful what you trade it for!

Keeping anti-virus updated will save me from viruses

The anti-virus industry is like the police, and we all know how cop versus thief works: the cop has to win every time, the thief only once. So even if you run a paid copy of whichever product currently leads the market (tough to determine), you only get to sleep soundly some of the time (on weekends, at night, sometimes).

Does that mean we should shut our systems down and dust our papers and pens off?

Update your anti-virus daily (and keep a licensed copy of it, please. Kaspersky has gone cheap. And no, I have not yet received any commission from them!), and while you are at it, keep a backup of your important data. On a separate media (not on a separate partition on the machine).

Also, think about getting a firewall installed on your machine.

SSL is secure

Nothing is 100% secure. That small padlock icon means that the data between the client (your browser) and the server (where the website is hosted) is encrypted in transit. It does not mean nobody can read it. A compromised server sees everything in the clear anyway, and the encryption only keeps an outsider out if your browser actually verifies who is at the other end: an attacker who can sit between you and the site and present a certificate your browser accepts (because verification was switched off, or because a bogus certificate authority is trusted) decrypts and re-encrypts everything that passes, the classic man-in-the-middle. Note that a purely passive sniffer cannot recover the session key from captured traffic alone; it takes an active interposer, which is exactly what certificate verification is there to stop.
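To make the distinction between encryption and authentication concrete, here is an added example (not from the original post) that mints a self-signed certificate for a hypothetical site name, www.example-bank.test, exactly as an interposer would, and offers it to a TLS client three times over loopback TCP: with verification switched off, with normal verification, and with that certificate explicitly trusted. It uses only Go's standard library; the site name and the five-second deadlines are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const site = "www.example-bank.test" // hypothetical host name for the example

// selfSigned mints a certificate for host on the spot, as an interposer would;
// only verification tells it apart from the genuine server's certificate.
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// handshake runs one TLS handshake over loopback TCP against a server that
// presents cert and returns the client's verdict (nil means it accepted).
func handshake(cert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // assumed timeout
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
		srv.Handshake() // a rejection surfaces as an alert sent by the client
		srv.Close()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(conn, clientCfg)
	err = cli.Handshake()
	cli.Close()
	return err
}

// Verdicts is the same freshly minted certificate judged by three clients.
type Verdicts struct{ NoVerify, Default, Trusted error }

func run() (Verdicts, error) {
	cert, err := selfSigned(site)
	if err != nil {
		return Verdicts{}, err
	}
	pool := x509.NewCertPool() // stands in for the CA chain a genuine site has
	pool.AddCert(cert.Leaf)
	return Verdicts{
		// Encrypted, yes, but to whoever answered: an impostor walks right in.
		NoVerify: handshake(cert, &tls.Config{InsecureSkipVerify: true}),
		// What a browser does: the chain must end at a trusted root, so this fails.
		Default: handshake(cert, &tls.Config{ServerName: site}),
		// Same bytes on the wire, accepted only because the client trusts them.
		Trusted: handshake(cert, &tls.Config{ServerName: site, RootCAs: pool}),
	}, nil
}

func main() {
	v, err := run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no verification: %v\ndefault verification: %v\ntrusted cert: %v\n", v.NoVerify, v.Default, v.Trusted)
}
```

The first handshake succeeds, which is the whole point: the connection is encrypted, but to whoever answered. The second fails with an unknown-authority error, and that refusal is what keeps a man-in-the-middle out. The third succeeds because the client has been told to trust precisely that certificate, the role a certificate authority plays for a genuine site; the same verdict applied to an unknown certificate is exactly how a bogus CA in the trust store lets an interposer through.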

If I don’t access Internet from my machine, my data is secure

True. But then you have to stop using USB sticks, stop using CDs/DVDs. In other words, stop using your computer.

Bottom line, there are more ways into your machine than there are hairs on my head (I am not bald!). What it takes to secure your machine is a collection of good security practices (including some boring work like patching your machines, changing your password regularly, not sharing your password, etc.).

Linux is more secure than Windows

While I personally like Linux (because of its power), it is also true that a misconfigured (or simply unconfigured) Linux box is no better than Windows.

So, should we dump all our Windows systems and migrate to Linux? The answer to most of us is NO. One, we will have a hard time finding proper versions of everything that we require for our business. Two, the work associated with migration (including testing, and training) doesn’t make it a viable solution.

A possible solution could be to use Linux for some servers (like file and mail servers) while keeping Windows for clients.

Information Security Standards & regulations are just pain-in-u-know-where

I couldn’t agree more! However, regulations are there because they are a response to some real pain that businesses had been facing for quite some time. Regulations like HIPAA, HITECH and SOX evolved out of a business need to secure customer data. Ideally, they shouldn’t need to exist: corporations/enterprises should have included security as part of their SDLC. More on that later, however.

We have to worry about hackers

Reports have shown that internal threats are more dangerous than outside ones. After all, we know the loopholes, right? Problem is, not everyone is unprofessional. People don’t do these kinds of things very often (even in a cut-throat world like ours). However, the cost of one incident is so great (IP loss, loss of image, etc.) that organizations have to consider this threat as real. Where there is money, there will be criminals (real or virtual).

Further, increasing reliance on contractors, consultants, and outsourced vendors increases the exposure.

Main Khelega

India vs. Pakistan, 1989, Sialkot

A bleeding nose.
Concerned people, seeking medical attention for the lad

Main Khelega, One Answer
Four in next ball, answer sealed, stamped and delivered.

Sachin Tendulkar
Answer to our fervent prayers for a hero, so unblemished, so integral, giving hope to parasites like me, reminding us of one’s strength and ability to become whatever one wants!

Main Khelega
Because Karma is what we should do, karma is what makes us, karma is our link & our salvation.

To India Integral & to a Hero
Main Khelega!

Remove the blogger navbar

You must have noticed the blogger navbar (also called navigation bar) on top of almost every blog (on blogger, of course!). It looks like this (part of it):-

[Image: a portion of the blogger navbar]

I will tell you why it is not visible on my blog (oops, site!), and also why it is not visible on many other blogger blogs. The reason is, they disable it using a CSS trick, which is neat. Take a look at this blog on blogger for a step-by-step procedure on how to make the navbar go poof (Dresden Files, anyone?). I used the steps mentioned in the blog, and it worked like a charm. Also, it completes the deception (as far as my website is concerned 😉 ).

Use Google to host your website : For Free! — Part TWO

In my last post, i wrote about why i chose to use Google blogger to host my website. Here are the basic steps to do so:-

  1. Create a blog on Blogger;
  2. Modify the blog design;
  3. Change configurations in your DNS settings (of the domain that you own) and that of the blog.

Now let’s tackle the steps in detail.

  1. Creating a blog on blogger is not very difficult, so i won’t describe it here. However, a step by step video tutorial on how to create a blog on blogger (aka blogspot) is present on the Internet. However, why two names for a blogging platform? Beats me!
  2. Now, we are going to make our blog look like a website. Please follow the steps below to do so:-
     1. Log on to using your ID and password;
     2. Under the heading “Manage Blogs”, click on “Design” for the blog whose design you want to change (you will see many blogs under the heading if you maintain more than one blog using one user ID. That makes me gape at the stamina of people who maintain more than one blog! However, i digress).
     3. Click on “Template Designer”.
     4. Choose a template by clicking on it. After making changes, click “Apply to Blog”.
     5. Click “Back to Blogger”;
     6. Click “Posting”.
     7. Click on “Edit Pages”. Click “Leave this Page” (if a window comes up asking whether you want to save any changes on this page).
     8. Click on “Create a Page”.
     9. Provide a page title and page text for the page (e.g., the page title could be “About Me” and the page text could be a brief description about yourself).
     10. Click “Publish Page”.
     11. Now blogger will ask you the placement for the page(s). Choose the “Blog Tabs” option.
     12. Click “Save and Publish”.
     13. That’s it! You now have a blog with a website-ish look!

To create and add further pages, logon to your blog, go to “New Post”, click “Edit Pages”, then click “New Page” to add another page to your site.

Now, to the most important aspect of them all — how to configure your DNS settings so that every time someone types, it takes them to without changing the address in the address bar! Yes, that is very important (we are not doing any redirection here). But before that, let me put my gyaan hat on and deliver some very boring lecture to you (you can skip it, but then i would come to know about it and would deliver a curse that all your close relatives will be turned into gyaan-vriksh and would treat you as wanting some free gyaan. You know the results of that, won’t you!).

Basically, every time you type a website address into your browser’s address bar, some things happen:-

  1. The browser tries to locate the IP address of the server where this site is stored (using some hocus-pocus known as name resolution, in coordination with a group of servers called DNS servers);
  2. Once the IP address is known, the browser requests the website (that you requested) from the server at that IP address;
  3. The server sends a copy of the website to the browser, and the browser displays it to you.

Phew, some steps! So don’t blame your browser the next time it fails to show the latest pics of some celeb who wanted her 15 seconds of fame because India won the WC, because the server might have been the culprit.

Anyways, back to the topic (men are pigs, i tell you!). Now, here, google not only allows us to use its server for our blogs, it also allows us to tell everyone about their IP address (well, not strictly, just the host name; rest all is managed by google).

To do all this, you MUST have a valid domain name that is registered to you. If you don’t have one, you can use one of the many registrar sites that sell domain names. Use one of them to buy a domain name of your choice.

After you have bought a domain name, visit the google help center page that details how to publish your blog under your domain name. Follow the steps below once you reach the google help center page:-

  1. Select “Host my blog on a URL that i already own”.
  2. Select “on a top level domain (
  3. Now you have to add something known as a CNAME. Another google support page gives step-wise instructions on how to do that for your domain registrar.
  4. After you are done with adding the CNAME, you have to add some IP addresses to your “A Records”. If you don’t fill in the “A Records”, visitors who leave the “www” off your site address will see an error page. Basically, you will find the “A Records” on the same page of the DNS Manager provided by your hosting service. You will need to create four “A Records” pointing to the following four different Google IPs:-
  9. After you add them, you have to save your zone file (there would be a button on the hosting provider’s interface somewhere to save it). Wait for an hour or so before moving onto the next step.
  10. Now, logon to the blogger, and go to “settings” > “Publishing”.
  11. Click “Custom Domain”.
  12. Write in your new URL (, and save your settings. If you do not enter the “www,” you will receive an error message.
  13. You are done!
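To make the three-step name-resolution sketch above and the CNAME/“A Records” setup concrete, here is an added example (my own code, not from this post and not from Google or Blogger) that builds a DNS query the way a browser’s stub resolver does, parses a constructed answer in DNS wire format, and walks the “www” CNAME to an A record. Everything in the zone is a placeholder: example.com, its www alias, the made-up host blog-host.example.net and the TEST-NET addresses 192.0.2.10/11 are constructed sample values, not the real Google IPs the post refers to. The bare domain resolves only because it has its own A records; a name with no records gets an empty answer, which is the error page the step above warns about. The resolver also refuses a reply whose transaction id does not match the query, the minimal sanity check a resolver does before trusting an answer.

```python
import struct

# Constructed sample zone (placeholders, not from the post): the apex domain,
# its www alias, the host the alias points at, and the apex addresses.
APEX = "example.com"
WWW = "www." + APEX
ALIAS_TARGET = "blog-host.example.net"  # stands in for the blog host's CNAME target
APEX_ADDRS = [(192, 0, 2, 10), (192, 0, 2, 11)]
QTYPE_A, QTYPE_CNAME, CLASS_IN = 1, 5, 1

def encode_name(name):
    """Encode a dotted hostname as DNS labels (length byte + text), ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, offset):
    """Decode a name at offset, following 0xC0xx compression pointers; return (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Step 1 on the wire: 12-byte header (RD=1, one question) plus the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def rr(owner, rtype, ttl, rdata):
    """One resource record: owner name, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_sample_response(qname, txid=0x1234):
    """Constructed answer for the zone above (sample data, not real DNS traffic)."""
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    qname_ptr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    answers = []
    if qname == WWW:
        # www is a CNAME to the blog host; the host's A record rides along in the answer.
        answers.append(rr(qname_ptr, QTYPE_CNAME, 300, encode_name(ALIAS_TARGET)))
        alias_offset = 12 + len(question) + 2 + 10  # where the alias name sits in RR 1
        alias_ptr = struct.pack("!H", 0xC000 | alias_offset)
        answers.append(rr(alias_ptr, QTYPE_A, 300, bytes(APEX_ADDRS[0])))
    elif qname == APEX:
        # The bare domain has no CNAME; without its own A records the lookup fails.
        for addr in APEX_ADDRS:
            answers.append(rr(qname_ptr, QTYPE_A, 300, bytes(addr)))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def parse_response(msg):
    """Parse the header, skip the question, return (txid, [(owner, type, ttl, data), ...])."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A:
            data = ".".join(str(b) for b in msg[offset:offset + rdlen])
        elif rtype == QTYPE_CNAME:
            data, _ = decode_name(msg, offset)
        else:
            data = msg[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((owner, rtype, ttl, data))
    return txid, answers

def resolve_offline(name):
    """Step 1 end to end: send the query, check the reply's id, follow CNAME -> A to an IP."""
    query = build_query(name)
    txid, answers = parse_response(build_sample_response(name))
    if txid != struct.unpack("!H", query[:2])[0]:  # wrong id: not a reply to our query
        return None
    current = name
    for owner, rtype, _ttl, data in answers:
        if owner == current and rtype == QTYPE_CNAME:
            current = data  # keep chasing the alias
        elif owner == current and rtype == QTYPE_A:
            return data
    return None  # no address at all: the browser shows an error page
```

Calling `resolve_offline("www.example.com")` follows the alias and yields 192.0.2.10, `resolve_offline("example.com")` returns the first apex address directly, and `resolve_offline("mail.example.com")` returns None because the sample zone has nothing for it. The compression pointers (`0xC0xx`) are the part of the format that real resolvers most often get wrong; the decoder here follows them but remembers where the original name ended so parsing continues at the right byte.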

Some helpful notes:

  1. If your new domain isn’t taking you to your blog, wait another day or two to make sure all the DNS servers have been updated. If it still isn’t working, contact your registrar to make sure you entered the DNS settings correctly.
  2. Your original BlogSpot address will automatically forward to your new domain. That way, any existing links or bookmarks to your site will still work.