Category Archives: Kerika

Posts about Kerika, the company and its people

Guarding against XSS/code-injection

It’s possible to copy-paste text into a Kerika Chat message, and there are legitimate use-cases for this: for example, a developer may ask a question to a coworker who replies with a code snippet.

Kerika handles code in chat messages by storing two versions of each message: one as plain text and one in the original format. When a chat message is displayed, the original format is shown but not executed, so the embedded code is visible but does not run in the browser. This makes it easy and safe to share code snippets through chat messages.

While making this improvement, we went through all the places where a user can type in text (Card Title and Description, Board Name and Description, Tag, Attachment Name, etc.) to make sure we are guarding against malicious code injection.
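The rendering rule described above, shown as an added example (this is not Kerika's code): the message is kept exactly as typed, and at display time it is HTML-escaped so the browser shows a pasted snippet character for character but has nothing to execute. The vulnerable interpolation is shown beside the hardened one, and the same escaper is applied to the other free-text fields the post lists. The record shape `{original, plainText}` and the function names are assumptions.

```javascript
// Added example, not Kerika's code: render user-typed text so that any markup or
// script it contains is shown literally and never interpreted by the browser.
// The {original, plainText} record shape is an assumption about how the two
// stored versions might look.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change the structure of an HTML document
// (safe for HTML text content and for double-quoted attribute values).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Store two versions: the message exactly as typed, and a plain-text copy with line
// endings normalised (used here for search and notifications, an assumption).
function storeChatMessage(original) {
  return { original, plainText: String(original).replace(/\r\n?/g, '\n') };
}

// Vulnerable pattern: the original text is dropped straight into the page, so a pasted
// <script> element or an onerror handler would execute.
function renderChatMessageUnsafe(record) {
  return `<div class="chat-message">${record.original}</div>`;
}

// Hardened pattern: the original text is escaped, so the browser shows the snippet
// inside <pre> but cannot parse anything in it as a tag.
function renderChatMessageSafe(record) {
  return `<div class="chat-message"><pre>${escapeHtml(record.original)}</pre></div>`;
}

// Same treatment for the other free-text fields (card title, board name, tag, ...).
function renderField(className, value) {
  return `<span class="${escapeHtml(className)}">${escapeHtml(value)}</span>`;
}

// Self-check: strip our own wrapper and verify that no angle bracket survives,
// i.e. there is nothing left the browser could interpret as markup.
function hasLiveMarkup(rendered) {
  const body = rendered
    .replace(/^<div class="chat-message">(<pre>)?/, '')
    .replace(/(<\/pre>)?<\/div>$/, '');
  return /[<>]/.test(body);
}

// Stand-alone demonstration with a constructed snippet.
const demo = storeChatMessage('<script>alert(1)</script>');
console.log(renderChatMessageSafe(demo));          // shows &lt;script&gt;... literally
console.log(hasLiveMarkup(renderChatMessageSafe(demo)));   // false
console.log(hasLiveMarkup(renderChatMessageUnsafe(demo))); // true
```

One caveat a practitioner would want: this escaper is correct for HTML text content and quoted attribute values only. Text that ends up inside a URL, a `style` attribute or an inline script needs the encoding for that context, and in a real page `textContent` (rather than string concatenation into `innerHTML`) is the simplest way to get the same effect.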

An easier way to search for cards by number

Along with the recent improvements we made to the Auto-Number Cards feature for Task Boards and Scrum Boards, we have also made it easier for you to search for cards by their number.

It’s simple to use: just type a number into the Search box at the top of the Kerika app, and Kerika will assume you are looking for a card with that number. It will also search for anything else containing that number, but will prioritize a card matching that number as the first result it shows.

Virtual Teams: How to Make Them Succeed

At this year’s Lean Transformation Conference in Tacoma, Washington, Arun Kumar spoke on the subject of “Virtual Teams: How to Make Them Succeed”.

A synopsis of the presentation:

Virtual teams can be as successful as, or even more successful than, traditional (collocated) teams – but you need to understand how the project dynamics change when everyone can’t be in the same room at the same time. In this session we will cover the key success factors to building high-performing virtual teams: how you can plan your work, run your daily standups, communicate, and share content. We will discuss the different roles and expectations of Project Leaders, Team Members and Visitors, and how people can juggle multiple projects at the same time.

The presentation was an hour long, including Q&A; here’s an edited version of the talk (about 45 minutes long).

Arun Kumar, on how to Make Virtual Teams Succeed

We will start to do IP blocking

Regrettably, we will start doing IP blocking to stop persistent spammers from setting up Kerika accounts.

We have seen a consistent pattern of misuse that goes like this:

  • Someone signs up with a sina.com email address. Sina is one of the largest ISPs in China, but we don’t have any users in China for the simple reason that most of Google’s services are blocked by China’s Great Firewall, and Kerika has a tight integration with Google’s G Suite.
  • The spammer isn’t actually located in China; they are in Manila (Philippines) and come from IP addresses like 203.177.13.60.
  • These spammers send out hundreds, sometimes thousands, of invitations for users from the qq.com domain to join their (spurious) Kerika team.
  • These recipients are all users of Tencent’s QQ messaging system, based in China. Again, none of them would be actual or potential Kerika users, since the recipients are all located in China.

The user impact of this spamming was relatively small: almost no one with a qq.com email address would reply to these invitations, but the conduct was a very clear misuse of Kerika and harmful to our reputation, quality and brand.

(Among other things, these spurious invitations would pile up in the thousands.)

We have decided, therefore, to start blocking IP addresses using Amazon’s VPC service (since we use Amazon AWS extensively on our back-end).

This is a brute-force method, and not ideal, but we were starting to get really annoyed with these folks. We hope this doesn’t impact any of our real users in the Philippines; if you are affected, please let us know!
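The misuse pattern listed above, and the VPC block that follows from it, as an added example (not Kerika's code): the function scans constructed signup and invitation event records for an account on a watched signup domain that mass-invites recipients on a watched recipient domain, then emits the matching inbound deny rule for a VPC network ACL. The event field names (`type`, `account`, `ip`, `recipient`), the threshold of 100 invitations, the sample records and the `<NETWORK_ACL_ID>` placeholder are all assumptions; the flags on `aws ec2 create-network-acl-entry` are the real ones for that command.

```javascript
// Added example, not Kerika's code: flag the signup-and-mass-invite pattern from
// constructed event records and emit the corresponding VPC network ACL deny rule.
// Field names, thresholds and the sample data are assumptions.

// Constructed sample: one spurious account inviting 300 qq.com addresses, and one
// ordinary account inviting a colleague.
const SAMPLE_EVENTS = [
  { type: 'signup', account: 'promo123@sina.com', ip: '203.177.13.60' },
  ...Array.from({ length: 300 }, (_, i) => ({
    type: 'invite', account: 'promo123@sina.com', ip: '203.177.13.60',
    recipient: `user${i}@qq.com`,
  })),
  { type: 'signup', account: 'dev@example.com', ip: '198.51.100.7' },
  { type: 'invite', account: 'dev@example.com', ip: '198.51.100.7', recipient: 'qa@example.com' },
];

// Domains from the pattern described in the post.
const SUSPECT_SIGNUP_DOMAINS = new Set(['sina.com']);
const SUSPECT_RECIPIENT_DOMAINS = new Set(['qq.com']);
const IPV4 = /^(\d{1,3}\.){3}\d{1,3}$/;

function emailDomain(address) {
  const at = String(address).lastIndexOf('@');
  return at < 0 ? '' : address.slice(at + 1).toLowerCase();
}

// Returns accounts that signed up from a watched domain and sent at least
// `inviteThreshold` invitations to a watched recipient domain, with the IPs they used.
function findAbusiveSignups(events, inviteThreshold = 100) {
  const perAccount = new Map();
  for (const ev of events) {
    if (!perAccount.has(ev.account)) {
      perAccount.set(ev.account, { ips: new Set(), suspectInvites: 0, signedUp: false });
    }
    const rec = perAccount.get(ev.account);
    if (IPV4.test(ev.ip)) rec.ips.add(ev.ip);
    if (ev.type === 'signup') rec.signedUp = true;
    if (ev.type === 'invite' && SUSPECT_RECIPIENT_DOMAINS.has(emailDomain(ev.recipient))) {
      rec.suspectInvites += 1;
    }
  }
  const flagged = [];
  for (const [account, rec] of perAccount) {
    if (rec.signedUp && SUSPECT_SIGNUP_DOMAINS.has(emailDomain(account))
        && rec.suspectInvites >= inviteThreshold) {
      flagged.push({ account, ips: [...rec.ips].sort(), suspectInvites: rec.suspectInvites });
    }
  }
  return flagged;
}

// Inbound deny rule for one address on a VPC network ACL. Network ACL rules are
// evaluated from the lowest rule number upward, so the deny must carry a lower
// number than the allow rule it is meant to override.
function naclDenyCommand(ip, ruleNumber, aclId = '<NETWORK_ACL_ID>') {
  if (!IPV4.test(ip)) throw new Error(`not an IPv4 address: ${ip}`);
  return [
    'aws ec2 create-network-acl-entry',
    `--network-acl-id ${aclId}`,
    '--ingress',
    `--rule-number ${ruleNumber}`,
    '--protocol -1',
    '--rule-action deny',
    `--cidr-block ${ip}/32`,
  ].join(' ');
}

// One deny command per distinct IP used by a flagged account, numbered from 100.
function blockList(events) {
  const ips = new Set();
  for (const hit of findAbusiveSignups(events)) for (const ip of hit.ips) ips.add(ip);
  return [...ips].sort().map((ip, i) => naclDenyCommand(ip, 100 + i));
}

console.log(findAbusiveSignups(SAMPLE_EVENTS));
console.log(blockList(SAMPLE_EVENTS).join('\n'));
```

Two caveats on the blocking side: a network ACL applies to a whole subnet and holds a limited number of rules (20 by default, per AWS quotas), so one `/32` per spammer IP is a stop-gap rather than a long-term list, and because the ACL is stateless the deny only needs to be inbound to stop new signups.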