Suramya's Blog : Welcome to my crazy life…

January 25, 2023

Fewer than 50% of smart appliances are connected to the internet by users and that percentage is too high

Filed under: My Thoughts,Tech Related — Suramya @ 3:04 AM

Smart Appliances or Smart Devices are a pain. Yes, sometimes they make your life easier by allowing you to control your lighting from the bed or switch on your devices remotely, but they cause major security problems. There is a term for these ‘smart’ devices: “Internet of Shit”. This refers to all the devices that are connected to the internet that have no business being connected to it. Examples include an IoT-enabled toilet, a smart toaster, a smart mirror and so on.

There are a lot of potential issues in IoT devices including but not limited to:

  • If the manufacturer decides to shut down the service the device becomes an expensive paperweight
    • Older model Lexus cars lost all remote capabilities because the 3G towers it depended on shut down
    • Older Sonos speakers lost functionality when the company decided to decommission them
    • Tesla car bricked itself because it lost connectivity after owner parked it in a basement.
  • Need a 24×7 active connection
    • People got locked out of their house because a server upgrade was happening
    • During an AWS outage folks were unable to change the temperature using their NEST systems
  • Security Issues: IoT devices are amongst the most insecure devices out there
  • Lack of Interoperability

and much more. When I bought my AC a couple of years ago I had to argue for a good 15 mins to get a non-smart (not internet connected) AC. The salesperson couldn’t digest why I wasn’t interested in having a smart AC. A few years later I got a washing machine and there was no option to get a dumb machine, but thankfully it has the option to create a local hotspot that I can connect to from my phone to control the machine. Yeah, it would be more convenient to do it from a distance, but guess what, I am already next to the machine when I am loading clothes for a wash and it is not that hard to connect to the local AP, start the cycle and then switch back.

A lot of appliance manufacturers bet big on the Smart revolution and according to recent studies are quite surprised to find out that fewer than 50% of their consumers actually connect their smart devices to the internet. The main reason behind it, in my opinion is that there is no major value add for a toaster or a fridge or a toilet to be connected to the internet.

This whole conversation reminded me of the following quote:

Tech enthusiasts: My entire house is smart. Tech workers: The only piece of technology in my house is a printer and I keep a gun next to it so I can shoot it if it makes a noise I don’t recognize.

I am not as bad but nothing at my house is connected to the internet if it doesn’t need to be and then also it is on a separate network isolated from my home machine.

Source: Slashdot: Appliance Makers Sad That 50% of Customers Won’t Connect Smart Appliances

– Suramya

January 22, 2023

Working remotely doesn’t lead to lonely people no matter what folks on Twitter say

Filed under: My Thoughts — Suramya @ 1:11 AM

“100% remote work combined with a no meeting culture is going to create a large group of lonely, isolated workers”. Alex Cohen posted this on Twitter a little while ago. Apparently the only way to ward off loneliness is to work in an office and attend meetings since having friends and spending time with them is obviously so last millennium.

I am someone who tends to be a little on the workaholic side if I am not careful. I have spent all weekend in the office multiple times and one of my managers frequently used to message me asking why I was still online at 3am and logged into office systems. That being said, there is more to life than work. In one of our Townhalls in a previous organization, someone asked the CEO a question “What are you doing to ensure employees have a proper work-life balance” and he responded (and I am paraphrasing since this was a while ago) “It is not my or the company’s responsibility to ensure you have a proper work-life balance. Only you know what balance would work for you and you need to tell us when you have enough work and need to stop for a break. If you allow/want we can give you work 24 hours a day 7 days a week because we have enough things to do. You need to be the one to decide what work-life balance means for you and then let us know. Then we will ensure that you get to follow that.” This stuck with me since I heard it and I quote it often with my reportees when we talk about work-life balance.

This is not to say that you shouldn’t make friends at work or that people objecting to the statement don’t enjoy working with others on a project. However, if you make your work the defining factor in your life, you are going to burn out (speaking from experience). It is good to step away from work to do something else as that will rejuvenate you and might even give you a new perspective. For me I read books, go hiking and travel to get a break from work. You will not believe how many of my project ideas and fixes for issues I was facing were conceptualized while I was slogging away on a hilltop or driving to a new location for a trip.

Someone once told me that it is ok to love your job but don’t expect that love to be always returned. One recent example is the Microsoft Engineer who spent 21 years with MS as a great performer but was still fired earlier this week with little notice. There are multiple such stories and I could fill books with various similar examples.

I have been working remotely since 2020 and it does get tiring as I can’t meet folks face to face for discussions and I do miss the coffee breaks and the random discussions. However, once I log off from work I spend time with family, I go out with friends, I watch movies and do other things and guess what I am happy. Work is one aspect of my life and while it is an important part it doesn’t necessarily define who I am as a person.

When I was a kid I complained to my dad that I was bored and he responded that the fact that you are bored is your problem, you need to figure out how to keep yourself entertained because it is not the job of others around you to keep you entertained. So after that me and my sister would come up with things to keep us busy and entertained. The same concept applies to feeling lonely, it is not the job of others in your life to keep you from feeling lonely (they will obviously be there for you) but rather you need to reach out to them and make connections and do things that would keep you entertained & connected.

What do you think?

– Suramya

January 21, 2023

Fixing AssertionError: Font Arial,Bold can not represent ‘E’ when using Borb to modify PDF Files

Filed under: Computer Software,Knowledgebase,Tech Related — Suramya @ 12:47 AM

I have a bunch of PDF files that I need to modify to remove text from them. Initially I was using LibreDraw but that was a manual task so I thought that I should script/automate it. Little did I know that programmatically editing PDFs is not that simple. I tried a bunch of libraries such as PyPDF4, pikepdf etc but the only one which worked was borb, which is a library by Joris Schellekens. They have a great collection of examples and using that I got my first script that searched and replaced text in the PDF working.

However, when I tried to run the script against my pdf file the script fails with the following error:

Traceback (most recent call last):
  File "/home/suramya/Temp/", line 26, in 
  File "/home/suramya/Temp/", line 18, in main
    doc = SimpleFindReplace.sub("Manual", "", doc)
  File "/usr/local/lib/python3.10/dist-packages/borb/toolkit/text/", line 80, in sub
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/page/", line 271, in apply_redact_annotations
    .read(io.BytesIO(self["Contents"]["DecodedBytes"]), [])
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/", line 290, in read
    raise e
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/", line 284, in read
    operator.invoke(self, operands, event_listeners)
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/", line 271, in invoke
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/", line 203, in _write_chunk_of_text
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/layout/text/", line 145, in _write_text_bytes
    return self._write_text_bytes_in_hex()
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/layout/text/", line 160, in _write_text_bytes_in_hex
    assert cid is not None, "Font %s can not represent '%s'" % (
AssertionError: Font Arial,Bold can not represent 'E'

Process finished with exit code 1

I tried a couple of different files and the font name changes but the error remains

The script I was using is:

from borb.pdf import Document
from borb.pdf import PDF
from borb.toolkit import SimpleFindReplace

import typing

def main():

    # attempt to read a PDF
    doc: typing.Optional[Document] = None
    with open("/home/suramya/Downloads/t/MAA1.pdf", "rb") as pdf_file_handle:
        doc = PDF.loads(pdf_file_handle)

    # check whether we actually read a PDF
    assert doc is not None

    # find/replace: every occurrence of the search string is redacted and
    # rewritten with the replacement text
    doc = SimpleFindReplace.sub("PRIVATE", "XXXX", doc)

    # store the modified document as a new file
    with open("/home/suramya/Downloads/t/MAABLR_out.pdf", "wb") as pdf_file_handle:
        PDF.dumps(pdf_file_handle, doc)

if __name__ == "__main__":
    main()

I searched on the web and didn’t find any solutions so I reached out to the project owner and they responded with the following message “Not every font can represent every possible character in every language. you are trying to insert a piece of text that contains a character that Arial can not represent. Maybe some weird kind of “E” (since uppercase E should not be a problem).”. The problem was that I wasn’t trying to replace any strange characters, just a normal uppercase E.

To help troubleshoot, they asked me for a copy of the file. So while I was masking the data in the PDF file to share it, the script suddenly started working. Turns out that there was an extra space after the word PRIVATE in the file and when I removed it things started working (even on the unmasked file). So it looks like the issue is caused when there is an encoding issue with the PDF file. Opening it in Libre Draw and exporting as a new PDF file seems to resolve the issue.

Now we are a step closer to the solution, I just need to figure out how to convert the file from the command line and I will be home free. Something to work on when I have had some sleep.

– Suramya

January 17, 2023

I hacked the Tamil Nadu eGovernment site and all I got was this lousy blog post

Filed under: Computer Security,Computer Tips,Tech Related — Suramya @ 1:20 AM

Finally doing a writeup of how I found that the eGovernment portal of Tamil Nadu had a major bug with a huge privacy impact as it leaked user documents with sensitive information (Personally Identifiable Information) to the public. This issue was reported and has been fixed as well, so I am sharing this information so that others are aware of this issue and can avoid similar problems in sites they manage going forward.

This whole saga started when I had to apply for an epass to enter Tamil Nadu and noticed that the link sent to download the PDF copy of the pass did not require any password to access. The link to download the data was something like: where xxxxxx was a 6-character code. It looked like they might be vulnerable to a parameter enumeration attack so I wrote a quick script to try calling the URL with various sequential codes starting with AAAAAA and moving up. To my surprise, within 30 seconds of me running the script I found another person’s personal document ( accessible over the web without any authentication. This URL gave me a PDF file that contained a “First Graduate Certificate” (given to the first person in a family that graduates) for a lady in Virudhunagar District in Tamil Nadu.

Since I had proven that the private information was being leaked, I immediately killed the script and reported it to the Tamil Nadu CERT team using their web form and the same was also sent via email to on 12th March 2021.

A day later I got a call from the CERT team asking for more details. The lady I spoke with asked me a few questions about what I found and wanted additional information about me. The question she got stuck at was “Where are you currently working?” As I was on a work break since I was doing my degree in Cyber Security, I told her that I was not working anywhere but was a student. She was really confused and kept asking the question in different ways. After a few attempts she finally believed that I was studying Cyber Security and told me that they would look into this.

I expected them to take immediate action since this was a major privacy blunder but nothing happened and it was complete radio silence from them so I emailed them again a month later (29th April) asking for an update with another followup email sent in May with no response to either.

On 21st May I looped India CERT in the mail chain to escalate and wasn’t too hopeful of a quick response. Interestingly they replied within 24 hours asking for a PoC and screenshot of the issue, so I responded with a copy of the script I had written along with the PDF file containing the PII that I had found.

After that I didn’t get any communication from the team and I got busy with exams and classes so I didn’t follow up. However, every so often I would try to access the URL and it would still give me a PDF download. In October, over 7 months after I first reported it, I finally got an error when trying to download the data from the site. Now I get a 404 message stating that the page can’t be found. (The site gives too much detail in the error message but that is a different story and something for me to look at when I get some free time.)

The overall experience was quite poor: in spite of the immediate response to the first notification of the issue they didn’t give me any details on the ETA for the fix or let me know once the issue was resolved. That would have made it more streamlined and I wouldn’t have had to check frequently whether the issue was resolved. If nothing else an email thanking me for reporting the issue would have been nice, although I have seen other agencies/sites give a bug bounty to people reporting such issues.

If you are hosting a site that allows users to generate data/files that can be downloaded the following should be kept in mind:

  • When creating links to the generated files, don’t use sequential IDs for the files as it makes it easy to iterate through them. Instead create long randomized strings for the IDs to make them harder to guess
  • Add some form of authentication before allowing the download, something like an emailed link or SMS OTP to validate identity before allowing a download. For example the Nagaland Government site for ILP forces you to authenticate with an OTP before allowing you access to the document
  • Add some checks for bruteforce attempts to guess file paths and block them.
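As an added example (not the portal’s code, and written from the defender’s side), here is a minimal in-memory Python service that implements the three points above: random link IDs instead of sequential ones, an identity check before the download, and blocking of enumeration attempts. The class name, method names and sample values are hypothetical.

```python
"""Unguessable, owner-bound, rate-limited download links (hypothetical service)."""
import hashlib
import secrets
import time
from collections import defaultdict, deque


class DownloadService:
    """Maps high-entropy tokens to documents and enforces owner and rate checks."""

    def __init__(self, max_failures=20, window_seconds=600, ttl_seconds=900):
        self.max_failures = max_failures      # failed lookups allowed per client per window
        self.window_seconds = window_seconds  # sliding window for counting failures
        self.ttl_seconds = ttl_seconds        # links expire instead of living forever
        self._links = {}                      # sha256(token) -> (doc_id, owner_id, expires_at)
        self._failures = defaultdict(deque)   # client_ip -> timestamps of failed lookups

    @staticmethod
    def _digest(token):
        # Store only a hash of the token, so a leaked table does not leak working links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue_link(self, doc_id, owner_id, now=None):
        """Create a 256-bit random token for doc_id, bound to the verified owner."""
        now = time.time() if now is None else now
        # 32 random bytes -> 43 URL-safe chars. A 6-character code like 'AAAAAA'
        # has about 2^31 values at most; this has 2^256, so iteration is hopeless.
        token = secrets.token_urlsafe(32)
        self._links[self._digest(token)] = (doc_id, owner_id, now + self.ttl_seconds)
        return token

    def _prune(self, client_ip, now):
        # Drop failures that fell out of the window, return the live ones.
        q = self._failures[client_ip]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def is_blocked(self, client_ip, now=None):
        """True once a client has exceeded the failure budget within the window."""
        now = time.time() if now is None else now
        return len(self._prune(client_ip, now)) >= self.max_failures

    def download(self, token, client_ip, verified_owner_id, now=None):
        """Return doc_id if the token is valid and belongs to verified_owner_id, else None.

        verified_owner_id is the identity the caller already proved via an OTP or
        emailed link; the token alone is never enough to fetch a document.
        """
        now = time.time() if now is None else now
        if self.is_blocked(client_ip, now):
            return None                       # enumeration in progress: refuse even valid tokens
        entry = self._links.get(self._digest(token))
        if entry is None or now > entry[2] or entry[1] != verified_owner_id:
            self._failures[client_ip].append(now)   # unknown, expired or wrong owner
            return None
        return entry[0]
```

A real deployment would keep the same table in a database and log the blocked clients, but the checks stay the same.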

Well this is all for now. I have a few more of these that I will be sharing over the next few months once I verify that the issue is resolved and safe to disclose.

– Suramya

January 15, 2023

Calling something older than Christianity doesn’t actually show that it is super old

Filed under: My Thoughts — Suramya @ 11:59 PM

I was reading Agents of Light and Darkness by Simon R. Green and came across this quote “Dedicated to the patron saint of lost causes, St. Jude’s is an old, old place; a cold stone structure possibly older even than Christianity itself.” in the book and it made me laugh. A lot of books have this habit of stating that xyz is older than Christianity as the measurement of how old things are and whenever I read it I just have to say that Christianity only started ~2000 years ago which is not that old compared to older religions, structures and things that exist in the world.

For example, Pyramids of Giza were built over 4500 years ago, a shrine worshiping Goddess (Shakti) made of stone at Baghor, Madhya Pradesh is dated 9000–8000 BC, Megalithic Temples in Malta are between 3000 and 700 BC. Even if you talk about religion Hinduism was started way back in 7,000 BCE, Zoroastrianism was founded ~1600 BCE and Confucianism, Buddhism & Jainism all were founded ~600 BCE. (Source: Oldest Religions in the world) There are so many things, places and ideas that are older than Christianity but there is a certain group of people in the world for whom the world doesn’t seem to exist before its start.

If you want to talk about old things, you can say that it is older than the discovery of fire or older than the start of agriculture or something similar and that still makes some sense. 2000 years is just a blink of an eye and even though it is a popular religion, measuring the age of something against it just doesn’t make sense to me.

– Suramya

January 14, 2023

Manager upset about order of recipients in email

Filed under: My Thoughts — Suramya @ 9:38 PM

There are a lot of people who are really concerned about their power & position, and will go to any lengths to ensure that everyone around them knows how powerful/senior they are. The below screenshot came up in one of my feeds a while ago and I found it to be really funny and all together ridiculous.

Didn't occur to me this is issue for some people.

One of the middle managers from one of our branch sent me an email, politely pointing out that he should be ahead of some recipient in TO field in the email I sent.

It was reply to me only not touching on the subject just pointing out the order.

Told him that's not part of our corporate culture and we don't do that.

Checked his AD account and he's new in company, account created 3 months ago.

When I craft the email I add people randomly from my head or alphabetically if I pull them from address book.

Seems silly thing to obsess about, order of recipient in email based on position, hierarchy.

Anyone encountered this before?
Manager upset about order of recipient in an email

What is even more funny is that people with actual power/position will not pull nonsense like this because they don’t need to. It’s only people who have little power who want to pretend that they have a lot. I have had the unfortunate ‘pleasure’ of dealing with some of these folks and it is always a massive pain because their ego will take anything as an offense against them and they will react accordingly to put the person in their place. The only people these folks will give any notice to are the people above them in power, and for them they will do anything and everything to keep them happy.

This is one of the sillier examples that I have heard. Personally, I choose the email addresses in the order I remember them, starting with the main people (the people to whom the email is addressed) followed by the people who need to know what I am talking about in the email. I remember reading somewhere that folks in business schools and one of the big 4 consulting firms actually train people in what order the email addresses need to be listed but I can’t find the reference now. I think that is just a waste of time and energy; the person sending the email should spend that time on something useful or just take a short break instead of this nonsense.

I do remember having been called out for putting one of the senior people in the CC field instead of the To field even though they were just copied as a courtesy to keep them aware of what was going on. Going forward I remembered to put them in the To field but always found it silly. For me the To field is for the people the mail is addressed to or the people who need to action something in the email, the rest go into the CC field. For emails sent to me (where I am in the To field), I have a rule that marks emails where I am in the To field in a specific color so that I know those are emails I might need to action, and that has worked great for me in combination with all my other email rules.

What do you think? Does the order of names in the email matter?

– Suramya

January 13, 2023

Fixing autopost to LinkedIn not working via Social Networks Auto-Poster

Filed under: Knowledgebase,Tech Related — Suramya @ 9:57 PM

A few days ago my authentication token that allowed Social Networks Auto-Poster to post my blog entries automatically expired (I can only authorize for a max of 2 months at a time). Usually the fix is quite simple, I just go to the account settings in the Plugin and then click on ‘Authorize Your LinkedIn Account (without Marketing API)’, after which I just have to authenticate using my LinkedIn password select Yes and then I am done. This time however, when I clicked on the Authorize connection button the system would redirect me to instead of the Plugin page which meant that the authentication process couldn’t complete. I spent a few hours trying to troubleshoot and for the life of me I couldn’t figure out the problem. I even tried installing another plugin but faced the same issue over there as well. In the end I decided to take a break and crash for the night as I was going nowhere.

Today I started looking at the problem again and was going to raise a support ticket with the plugin author to have them take a look at the issue and decided to check the FAQs just to ensure I didn’t miss anything obvious. The first entry in the FAQ talked about what to do if the plugin was redirecting to a “Blank Page” or an error page, according to the FAQ this could be caused by certain plugins and the fix was to disable the plugin, authorize and then re-enable them.

The last plugin I had installed was to Autopost my blog posts to Mastodon so I disabled the plugin and then tried authorizing the app again. To my utter delight the system immediately authorized the connection and I was able to make a test post successfully.

The moral of the story is that you should always check the documentation when something is not working rather than trying various things randomly.

Well this is all for now. Will post more later.

– Suramya

January 10, 2023

Thoughts on Digital payments, UPI and the changing face of Indian Payment options

Filed under: My Thoughts — Suramya @ 10:07 PM

Before demonetization happened back in 2016 in India where all ₹500 and ₹1,000 banknotes of the Mahatma Gandhi Series were discontinued overnight, digital payment systems like PayTm etc were there in the market but not super popular but immediately after the demonetization, online payment systems really took off especially UPI (Unified Payments Interface).

Currently India leads the world in digital payments and in ways to transfer money from one account to another. We started off with National Electronic Fund Transfer (NEFT) that allows a user to transfer money online to any bank that supports it and the transfer would complete within 24 hours. Shortly afterwards IMPS was introduced that allows a user to transfer money to another account instantaneously, and whenever I have used it the money has been credited to the other account within a few seconds. Then we have UPI (Unified Payments Interface) which was launched on 11th April 2016 with the goal of making user to user payments easy & painless and supports person-to-merchant (P2M) and person-to-person (P2P) payments. In Dec 2022, 7828.9 Mn transactions were made with UPI for a value of 1,281,970.86 Cr (Rs. 1,281,970,86,00,000) and the total transactions using UPI were at 74,195.02 Million which is more than the VISA + Mastercard transactions combined. More stats on UPI are available on the NPCI website.

People outside India have no idea how far UPI has changed the face of payments in India. You can go to a roadside shop in the smallest town in India and they are ready to accept payments using UPI. Last week we were in Yelagiri and one of our friends wanted to get a Tarot reading done by this lady sitting outside a temple we were visiting. She wasn’t carrying her wallet and asked if she could do an online payment and the lady immediately whipped out a QR code for her to scan and make a payment. Keep in mind that this is someone who charges Rs 50 for a reading and she loves online payments because it all goes to her account directly and she doesn’t have to worry about securing cash. Recently I went shopping in Bangalore and bought Rs 11 worth of stuff from a pharmacist and tried to pay with a Rs 20 note. I was told that they didn’t have change and was asked to pay online using UPI. So I asked them about online payments and the guy told me that only about 5-10% of people pay cash anymore and most prefer paying via UPI as it is more convenient. A similar story was shared by our neighborhood grocery shop as well. Cash is still in use but more and more people are moving to online payments just for the ease of use. Transactions from 5 Rs to multiple lakhs are done daily using UPI. (The only condition is that there should be a network/data connection available which is the case for most parts of India). If I run out of cash when traveling I just need my phone and can survive without having any cash on hand and it makes sharing/settling bills a breeze as everyone just transfers the money to one another instantly.

However, the west doesn’t want to acknowledge this and still thinks that people in India are living in the stone age. If I was in the US I would need to use a third party system like Venmo, PayPal etc to transfer money and they charge a transaction fee for each transaction. UPI on the other hand is free and is supported directly by the Bank/Credit card company. I can transfer money by scanning a QR code, or to a phone number that is connected to a UPI ID, which in turn instantly credits the money to the recipient’s bank account.

There is a privacy implication to this in that there is an electronic trail for every payment sent/received so if needed authorities can pull up all the data for a given user with a warrant. This also reduces the black money (money on which no tax is paid) to a minimum which allows the govt to tax the people correctly.

We Indians need to talk more about our accomplishments and especially success stories like UPI and similar stories as we are leading the world in this space and we should be proud of it.

Well this is all for now. Will write more later.

– Suramya

January 6, 2023

Good developers need to be able to communicate and collaborate and those are not euphemisms for politics and org building

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 11:25 PM

Saw this gem in my Twitter feed a little while ago and had to save it so that I could comment on it.

Because to some people, in order to be a senior software engineer it’s about politics and org building (perhaps you’ll hear euphemisms communication and collaboration)

There is a constant theme in Programming that the good developers are anti-social, can’t be bothered to collaborate and should be left alone so that they can create a perfect product. The so called 10x developer. This is emphasized by movie stories about the genius developer creating something awesome sitting in their basement. Unfortunately that is not how real life works as this 10x developer is a myth. In real life you need to be able to communicate, collaborate and work in a team in order to be successful as a programmer. No single person can create an enterprise level software alone and even if you could it needs to be something that people want/need, so guess what you will have to talk to your users to understand what problems they are facing and then work on software that will fix them or make their lives easier.

In one of my previous companies, my role was to look at new software/systems and bring them into the company. So we went to expos, talked to startups and explored the market and found a really cool piece of software that we thought would be extremely useful for the business, so we went back and pitched it to the business. To our shock no one was interested in adopting the software because it didn’t address any of the pain points that the business was facing. We thought it would be useful for them because we were looking at it from the outside and hadn’t bothered talking to them about what their pain points were. Then we sat down with the business and their development teams to understand the setup and find out what the most urgent/painful problems were that we should fix. After multiple discussions we went out and found software that addressed a significant pain point for the business and as soon as we demo’d it, we were asked to expedite getting it validated/approved for installation in their org.

Similarly, one of the startups I was working with during the same time was creating tech to help blind people and I happened to mention that to the founder of an NGO (Non-Government Organization) that works with blind people. His response was that what they are creating is cool, but he wished they would actually talk to some blind people before they start working on tech to help them, as blind people don’t want systems that will give them sight but rather ones that assist them in doing things without trying to recreate sight.

Coming back to the original point about Senior Software Engineers, it is not their job to work on every part of the project themselves. Their job is to look at the high level goal, design the architecture and work with other developers in their team to create the software. Another major task of the senior Software Engineer is to mentor their juniors, teach them the tricks of the trade and help them grow in their skills and role. I personally believe that I should always be training the people under me so that they can one day replace me and I can move on to more interesting projects. If you make yourself indispensable in your current role and no one can replace you then you will always be doing the same thing and can never move on. Yes, there is a risk that you might be replaced with a junior and get fired but that can happen to the 10x developer as well. Personally, I would rather have 10 regular developers than a single 10x developer as they are a pain to work with. They will insist on having full control of the entire dev process, will refuse to share information that other developers/database/network folks need and basically become a bottleneck for the entire project.

The way I look at being a senior engineer/architect is that I get to work on the really interesting problems and write code for PoCs (Proofs of Concept) that fix the problem. Then I can hand off the code to others who can productionalize it with me providing guidance and support. It’s not to say that I wouldn’t get my hands dirty productionalizing the system but I would rather solve interesting problems.

Another myth is that the only person who knows the system will never get fired. I have taken over multiple systems over the years (at least 4 that I can recall for sure) that were originally managed by a single person who refused to collaborate/communicate with the rest of the team. In some cases they were fired and I was asked to take over, in others they were moved to other non-critical projects so they stopped being a road block. In each case it took us a lot of time to reverse engineer/understand the system but it was worth the effort so that we could make future changes without fighting with someone for every change or having to call the person for information every time the system gave problems.

Long story short: communication doesn’t equate to politics and collaboration doesn’t equate to org building. If you think that they do then you will be miserable in any mid to large size company. You might get away with it in a startup initially but not for long; as the team grows you will be expected to work together with other developers/admins (collaborate) to create systems that others want, and for that you will need to communicate with others to ensure what you are making is actually useful.

Well this is all for now. Will write more later.

– Suramya
