Suramya's Blog : Welcome to my crazy life…

May 20, 2024

Winamp announces it will open its source code to the public on 24th Sep 2024

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 11:59 PM

Winamp is one of my all-time favorite music players but unfortunately it is only available on Windows. In a recent announcement, the Winamp team stated that they are planning to make the full source code for Winamp available to everyone on 24 September 2024. This will open up the possibility of the code being ported over to Linux and other operating systems, which would be awesome.

Winamp has announced that on 24 September 2024, the application’s source code will be open to developers worldwide.

Winamp will open up its code for the player used on Windows, enabling the entire community to participate in its development. This is an invitation to global collaboration, where developers worldwide can contribute their expertise, ideas, and passion to help this iconic software evolve.

Winamp has become much more than just a music player. It embodies a unique digital culture, aesthetic, and user experience. With this initiative to open the source code, Winamp is taking the next step in its history, allowing its users to contribute directly to improving the product.

“This is a decision that will delight millions of users around the world. Our focus will be on new mobile players and other platforms. We will be releasing a new mobile player at the beginning of July. Still, we don’t want to forget the tens of millions of users who use the software on Windows and will benefit from thousands of developers’ experience and creativity. Winamp will remain the owner of the software and will decide on the innovations made in the official version,” explains Alexandre Saboundjian, CEO of Winamp.

At this time we don’t know what license the source code is going to be released under so we will have to wait and see on that front. Depending on the license used there might be restrictions on the code use so… The announcement asks users to register their interest by entering their details at their Free-Llama site. I have done so and will share any details I receive from them as we get nearer to the release date.

Unfortunately, there is a good possibility that the code will not be released under a public open source licence like GPL/MIT etc as in that case they would have just dumped the code on Github and made the announcement. Unless… this is a way to drum up interest for the release.

In either case, we will have to wait and see. But I am very excited by this 🙂

– Suramya

May 16, 2024

Google claims to have created AI to detect scams in realtime by listening to all your calls

Scams are getting more and more common nowadays, with folks losing a lot of money due to this. We absolutely need more ways to detect and warn people about scams but I don’t think this is the right approach. By ‘this’, I am talking about Google’s recent announcement at Google I/O to use Gemini Nano to alert users to potential scams during a phone call.

The feature, which will be built into a future version of Android, uses Gemini Nano, the smallest version of Google’s generative AI offering, which can be run entirely on-device. The system effectively listens for “conversation patterns commonly associated with scams” in real time. Google gives the example of someone pretending to be a “bank representative.” Common scammer tactics like password requests and gift cards will also trigger the system. These are all pretty well understood to be ways of extracting your money from you, but plenty of people in the world are still vulnerable to these sorts of scams. Once set off, it will pop up a notification that the user may be falling prey to unsavory characters.

In order for the functionality to work we would have to give Google full and complete access to all our phone calls & audio during the call. I don’t know about you but I don’t want to give this kind of personal data over to a company that has already lied about the data they collect (referring to the recent lawsuit on their tracking the web-browsing habits of users in incognito mode that they settled last month).

– Suramya

Source: Slashdot: Google Will Use Gemini To Detect Scams During Calls

May 13, 2024

Please don’t use AI to cheat on your interview no matter how tempting it sounds

Interviews are hard and at times folks who are really good at work don’t do that well in interviews. This could be because of nervousness, anxiety or just bad timing/questions. However, that doesn’t mean that you should cheat in the interview because trust me, you will get caught. Having been in the industry for over 24 years, I have seen multiple instances where folks decided to cheat in the interview thinking they would get away with it but in the end all of them were caught and ended up getting blacklisted in the company. In some cases it can even lead to charges & cases being filed against you.

Now that AI is getting into everything, it was inevitable that it would enter the interview world as well, as a cheating aid. Enter www.milio.ooo/. They don’t even attempt to hide the fact that this tool is meant to help candidates cheat in their interviews. From their website, right at the top: “Job adverts cheat, so why can’t you?”. I mean it doesn’t get more blatant than that… As per the description on their site, the software listens in to the audio stream of the interview and then displays the answer on the screen for you to parrot out. A sample question and answer featured on the site is shown below:

What digital marketing tools and platforms are you familiar with?

I have experience working with a variety of digital marketing tools and platforms, including:

  • Google Analytics: I have used Google Analytics extensively to track website traffic, user behavior, and conversion rates. I am comfortable setting up custom reports, analyzing data, and identifying opportunities for optimization.
  • HubSpot: I have experience using HubSpot for marketing automation, lead nurturing, and CRM integration. I have created email campaigns, landing pages, and workflows to drive engagement and conversions.

Sample answer to a question generated by the cheating software

The site doesn’t explain how it ensures that its responses actually match what is in your resume and I doubt there is much of that happening here. In any case, I do understand folks who are desperate can end up using tools like this one to get a job. But while it might look like a good bet in the short term it will get you in trouble in the long term. If the people trying to cheat actually put the effort they put into cheating the system into actually learning the system, they would be much better off.

Please remember that the folks who are taking the interviews (like me) have been doing this for a while and it is quite easy to figure out that someone is reading an answer off the screen. In the past we used to listen for keyboard sounds to figure out if someone was googling for answers but with this ‘AI’ listening that tell is no longer there. However, if this is on a video interview I can still figure out that you are reading off the screen by looking at you.

Also remember, most large companies do have face to face interviews as well and a final fit round before rolling out an offer letter. I have had an example in one of my previous companies where a person who had cleared all the phone interviews was in office for the final rounds and one of the interviewers asked them a basic clarification question and they were unable to answer, so the interviewer got suspicious and asked more probing questions. Finally the candidate admitted that someone else had taken the phone interview (this was before video calls/interviews) and they ended up getting blacklisted and obviously didn’t get a job. Even with video interviews, one of the candidates was recently caught lip-syncing the answers that someone else was giving.

This actually gave me an idea for a project (which I might or might not work on). Basically, a lot of times in meetings we talk about technologies or projects we are working on and sometimes I end up making a note for myself to look up something post the call because I wasn’t sure of what it does. It would be really cool to have an assistant/program running in the background that continuously gave information & links to additional information when people talk about projects or technologies or past discussions. I doubt it would be good enough to only give information I would need but it could be an interesting addition to make a person more productive. Basically the same technology used in this site but instead of interview answers actually giving links to more information along with summaries etc.

Long story short, please don’t cheat on interviews no matter what tech is powering the cheat tool.

– Suramya

April 19, 2024

Would Tesla cars still work if Tesla went out of business?

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 9:18 AM

Dave Winer asked the following question on Mastodon: “If Tesla went out of business, would my Model Y stop working??” and at first glance it sounds like a ridiculous question. In fact, if you told someone even 15 years ago that you were worried that your car would stop working if the company that manufactured it went out of business they would laugh at you. But thanks to the over-proliferation of Things as a Service, which is used by a lot of manufacturers to control and profit out of stuff that should be included, this is no longer the case.

Auto manufacturers are now adding functionality as a service to their cars for things that were included for free earlier. For example, BMW started selling Seat Heating as a Service in 2022. Tesla has subscriptions for Premium connectivity and ‘self-driving’. Mercedes goes even further and charges an extra $1200/year to unlock a fully functional accelerator.

However the big problem with Tesla (and other cars) is that all the critical software components are protected by DRM. Once a device has DRM on it, Section 1201 of the DMCA makes it a felony to bypass that DRM, even for legitimate purposes.

We have already seen cases where owners were unable to start their cars from the mobile app when the Tesla servers went down (apparently the manual key worked in this case). Others have seen problems starting their car when they lost connectivity during software updates. I do seem to remember reading somewhere that there is a phone home system built into Teslas that would stop the car from working fully if it could no longer talk to the company servers but I can’t find the link to the story anywhere.

So long story short, if Tesla went out of business a lot of the functionality in the car would stop working. As per a forum post on ‘Tesla Motors Club’ from 2021 the following would stop working if the car didn’t have connectivity (I can’t verify this because I don’t have a Tesla and no desire to get one):

  • control aircon remotely (turn on/off, adjust temperature)
  • turn sentry mode on/off
  • control heated seats and heated steering wheel
  • open/close trunk
  • check location/speed of the car
  • unlock remotely
  • allow someone to drive the car (while you’re in a different location to the car)
  • Smart summon
  • vent or close the windows
  • sentry mode alarm alerts
  • restrict speed
  • valet mode

I think some of these might work with physical controls but not sure. I think I will stick with my Honda City for now 🙂

– Suramya

April 16, 2024

Creating a Tic-Tac-Toe game using a single printf statement in a loop

Filed under: Computer Software,Interesting Sites,My Thoughts,Tech Related — Suramya @ 12:19 PM

The printf statement in C/C++ (and other languages) is a fairly innocuous command that prints information to the screen (or any other output stream). Reading over JWZ’s blog post (The Turing Police say “X Wins”) I found that I was mistaken as it is much more powerful than that. In fact, a single printf statement in a loop can be used to create a full interactive game of tic-tac-toe and this is demo’d by Nicholas Carlini, who has implemented this and you can view the code over at their GitHub Repo: tic-tac-toe in a single call to printf.

Apparently, this was inspired by the International Obfuscated C Code Contest. The repo has an explanation on how this works and I am still going through it to wrap my head around how it works and understand it fully. Check it out if you have some time.

– Suramya

March 6, 2024

Researchers demo the first worm that spreads through LLM prompt injection

Filed under: Artificial Intelligence,Computer Security,Computer Software — Suramya @ 10:17 PM

In the past year we have seen an uptick in the tech industry looking towards embedding LLMs (Large Language Models), or AI as they are being pitched to the world, in all possible places. Windows 11 now has a built-in Copilot that is extremely hard to disable. Email systems are using LLMs to get additional details/information using the data from the email to add context etc. This creates new attack surfaces that attackers can target and we have seen instances where attackers have used prompt injection to gain access to data or systems that were restricted.

Building on top of that, researchers have now created (and demo’d) the first worm that spreads through prompt injection. This is breakthrough work similar to how the Morris Worm was in the late 80’s. Basically, researchers created an email which has an adversarial prompt embedded in it. This prompt is then ingested by an LLM when the email is processed (via Retrieval-Augmented Generation, which is meant to enhance the reliability of the LLM by fetching data from external sources), where it jailbreaks the GenAI service and can steal data from the emails (or do whatever else the attacker wants, such as changing email text, removing data etc). In addition, the prompt also has the ability to make the email assistant forward the email with the malicious prompt to other email addresses, allowing it to spread. The researchers have christened their worm Morris II, giving homage to the first email worm.

Abstract: In the past year, numerous companies have incorporated Generative AI (GenAI) capabilities into new and existing applications, forming interconnected Generative AI (GenAI) ecosystems consisting of semi/fully autonomous agents powered by GenAI services. While ongoing research highlighted risks associated with the GenAI layer of agents (e.g., dialog poisoning, membership inference, prompt leaking, jailbreaking), a critical question emerges: Can attackers develop malware to exploit the GenAI component of an agent and launch cyber-attacks on the entire GenAI ecosystem?

This paper introduces Morris II, the first worm designed to target GenAI ecosystems through the use of adversarial self-replicating prompts. The study demonstrates that attackers can insert such prompts into inputs that, when processed by GenAI models, prompt the model to replicate the input as output (replication), engaging in malicious activities (payload). Additionally, these inputs compel the agent to deliver them (propagate) to new agents by exploiting the connectivity within the GenAI ecosystem. We demonstrate the application of Morris II against GenAI-powered email assistants in two use cases (spamming and exfiltrating personal data), under two settings (black-box and white-box accesses), using two types of input data (text and images). The worm is tested against three different GenAI models (Gemini Pro, ChatGPT 4.0, and LLaVA), and various factors (e.g., propagation rate, replication, malicious activity) influencing the performance of the worm are evaluated.

This is pretty fascinating work and I think that this kind of attack will start becoming more common as the LLM usage goes up. The research paper is available at: ComPromptMized: Unleashing Zero-click Worms that Target GenAI-Powered Applications.
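One way a mail gateway could check an assistant's draft for the replication and propagation behaviours described above before it is sent, as an added example that is not from this post or the paper. The function names, the 12-token threshold and the sample messages are assumptions constructed for illustration, and a model that paraphrases rather than copies would get past this heuristic.

```python
"""Outbound check for an LLM email assistant: hold drafts that copy retrieved
text verbatim (replication) or go to new recipients (propagation)."""
import re

def tokens(text):
    """Lowercased word tokens, so spacing and punctuation changes do not hide a copy."""
    return re.findall(r"[a-z0-9']+", text.lower())

def longest_shared_run(source, output):
    """Token length of the longest contiguous run found in both texts (O(n*m) DP)."""
    a, b = tokens(source), tokens(output)
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def review_draft(retrieved, draft, recipients, thread_participants, max_run=12):
    """Return the reasons to hold a draft for human review; an empty list means release.

    retrieved: dict of document id -> untrusted text the assistant pulled in (RAG context)
    max_run: assumed threshold, in tokens, above which a verbatim copy is suspicious
    """
    reasons = []
    for doc_id, text in retrieved.items():
        run = longest_shared_run(text, draft)
        if run >= max_run:
            reasons.append(f"replication: {run} consecutive tokens copied from {doc_id}")
    known = {p.lower() for p in thread_participants}
    new = sorted(r.lower() for r in recipients if r.lower() not in known)
    if new:
        reasons.append("propagation: recipients outside the thread: " + ", ".join(new))
    return reasons

# Constructed sample data. BLOCK is inert filler standing in for an embedded
# instruction block; it is not a working prompt.
BLOCK = ("marker alpha bravo charlie delta echo foxtrot golf hotel india "
         "juliet kilo lima mike november oscar")
RETRIEVED = {
    "msg-101": "Hi, the invoice for March is attached. Please confirm receipt by Friday.",
    "msg-102": "Hello team. " + BLOCK + " Regards, Sam",
}
THREAD = ["alice@example.com", "sam@example.net"]

NORMAL_DRAFT = "Hi Sam, I confirm receipt of the March invoice. Thanks, Alice"
COPYING_DRAFT = "Sure, here is the summary. " + BLOCK + " Best, Alice"

def demo():
    """Run both drafts through the check and return the findings for each."""
    ok = review_draft(RETRIEVED, NORMAL_DRAFT, ["sam@example.net"], THREAD)
    held = review_draft(RETRIEVED, COPYING_DRAFT,
                        ["sam@example.net", "bob@example.org"], THREAD)
    return ok, held

if __name__ == "__main__":
    for label, findings in zip(("normal", "copying"), demo()):
        print(label, "->", findings or "release")
```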

– Suramya

March 1, 2024

If buying isn’t owning, then piracy isn’t stealing

Filed under: Computer Software,My Thoughts — Suramya @ 12:27 PM

Nowadays it is quite common for folks to move from having physical copies of books, movies, TV series etc to having digital copies of the same. I like having digital versions of things because they are easier to store but that brings a whole lot of problems. Basically, if an electronic item is hosted on a service or needs an external system to approve your right to open that file/game/book, then you don’t really own that item. The service can arbitrarily decide to remove it from their system, alter it without telling you or decide to reduce functionality and make you pay more for something that you already paid for.

We have so many examples of this happening, such as services removing movies that you bought from your systems because they figured it was more cost effective to not renew rights to the movie. Amazon Music has removed music that was paid for from their system or has changed it. Books were removed from Kindle by Amazon when they felt they needed to be, in spite of the users having purchased them.

Earlier this week, in example no 400035 that shows that we don’t really own the digital content we ‘bought’, Sony deleted content that they had promised would be there forever with little to no recourse for the users to get their content back even though they had paid for it.

Funimation, a Sony-owned streaming service for anime, recently announced that subscribers’ digital libraries on the platform will be unavailable after April 2. For years, Funimation had been telling subscribers that they could keep streaming these digital copies of purchased movies and shows, but qualifying it: “forever, but there are some restrictions.”

But soon, people who may have discarded or lost their physical media or lack a way to play DVDs and Blu-rays won’t have a way to access the digital copies that they were entitled to through their physical copy purchase.

A little while ago Philippe Tremblay, director of subscriptions at Ubisoft made a comment that gamers need to get used to the idea they don’t own their games anymore and embrace digital downloads. This is absolutely ridiculous and should not be normalized. If I own something I should be able to do whatever I want with it. Unfortunately that is not the case because the content is protected by DRM (Digital Rights Management) which is supposed to be a tool to prevent piracy but instead is a tax or punishment for doing the right thing and buying content legally.

If I pirate a movie or a book I can do whatever I want with it and watch it wherever I want or convert it to another format that is easier for me to consume (mobi->epub for books as an example). But when I legally buy something the DRM on it stops me from doing the same thing as it is a felony for me to remove the DRM so that I can access stuff I paid for in a way that is convenient for me.

Before streaming services and digital stores became popular, at times the only way to get content was to pirate it. To give an example, back in 2007/2008 books by most of the authors I like were not available in India so if I wanted to read a book I would have to buy it from Amazon and have it shipped to India. Amazon used to charge $10 PER book to ship it to India at that time even if you ordered multiple books and paying that for a book that cost $7 made absolutely no sense. Same was the case with movies and TV series. With streaming and digital media taking off, I can now buy a digital book when it is released or watch a new TV series when it is launched legally. Now with this nonsense of deleting stuff that people have bought, we need to start keeping copies of all the stuff we buy offline so that we still have access to what we paid for even when a corporation decides that it is more cost effective to delete/remove access to it.

Source: Techdirt.com: Here We Go Again: Sony Disappears Digital Content That Was Pitched To Customers As ‘Forever’

– Suramya

October 17, 2023

Best Support response times and quality I have seen is from the WordPress Activitypub team

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 10:49 PM

I have been using Open Source since I found out about it back in 1999. At present the majority of the software I have running on my system is open source with a few notable exceptions such as Microsoft Word (LibreOffice still has formatting issues) and CrossOver by CodeWeavers (that allows me to run Windows software on Linux) and a few games that I don’t get to play enough. Which means that I have considerable experience with the support offered by the various open source projects. The support ranges from RTFM or no response to questions, to detailed responses from the team/users.

Out of all the projects that I have reached out to for support, the most fantastic & the fastest support response has been from Matthias Pfefferle (German Site) from the wordpress-activitypub project. I have raised multiple tickets with the project and have always gotten a quick (fastest response in 2 mins!!!), detailed and helpful response to my questions. For the issues I raised, some of them required a code fix and a fix was released within days. I don’t think I have received such a fantastic response even from sites/projects where I am a paying subscriber.

Anyways, we always post about the bad experiences we have so I think that we should also take time to post about the fantastic experiences and people we interact with because there is way too much negative news out there and these small things can help bring a smile to someone’s face and make sure they know that their hard work is appreciated.

If you run a WordPress Blog (self-hosted) you should definitely install this plugin and federate your posts to Mastodon (and the rest of the fediverse).

– Suramya

October 9, 2023

Microsoft AI responds with absolute nonsense when asked about a prominent Cyber Security expert

Filed under: Artificial Intelligence,Computer Software — Suramya @ 11:39 PM

The more I read about the Microsoft implementation of ‘AI’ the more I wonder what on earth are they thinking? Their AI system is an absolute shambles and about 99% of the output is nonsense. See the example below:

Microsoft AI returns absolute nonsense when asked about who Kevin Beaumont is

I did not realise how inaccurate Microsoft’s AI is. It’s really bad. This is just one example – it lists a range of lawsuits I’ve filed, but they’re all fictional – it invented them and made up the citations. It says I gave Microsoft’s data to @briankrebs. It says Krebs is suing me. It says @malwaretech works for me. The list goes on and on. Very eyebrow raising this is being baked into next release of Windows 11 and Office. It will directly harm people who have no knowledge or recourse.

I mean I can understand if it got one or two facts wrong because the data sources might not be correct, but to get every single detail wrong requires extra skill. The really scary part is that Google AI search is not much better and both companies are in a race to replace their search engine with AI responses. Microsoft is going a step further and including it as a default option in Windows. I wonder how much of the user data being stored on a Windows computer is being used to train these AI engines.

There needs to be an effort to create a search engine that filters out these AI generated responses and websites to go back to the old style search engines that actually returned useful & correct results.

– Suramya

August 29, 2023

Excel holding up the Global Financial System, now with Python support

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 1:12 PM

It is both impressive and scary how much of the world’s financial system is being run using Microsoft Excel. Folks have created formulas/macros/scripts/functions etc in Excel that allow them to generate data that is used to take major financial decisions with real world impact.

In one of my previous companies we actually had a full discussion on how to get an inventory of all the Excel code in use at the company and how to archive it so that we have backups and version control on them. Unfortunately, I left before much headway was made but I did learn enough about Excel use to scare me. (Especially since I am not the biggest fan of Microsoft software 😉 )

Now you might ask why so many people are using Excel when there are better tools available in the market and these companies have in-house teams to create custom software for the analysts, and I asked the exact same questions when I started. I think it is probably because the tool makes it easy for folks to come up with formulas and scripts that get their work done instead of having to wait for an external team to make the changes etc that they need.

Now, a few days ago Microsoft made a surprise announcement that going forward they are going to support running Python inside an Excel file. Yikes!! In order to use this functionality you will need to be part of the Microsoft 365 Insider program and then you can type Python code directly into cells using the new =PY() function, which then gets executed in the cloud. From what I have read, this will be enabled by default and needs to be disabled via a registry key.

Since its inception, Microsoft Excel has changed how people organize, analyze, and visualize their data, providing a basis for decision-making for the millions of people who use it each day. Today we’re announcing a significant evolution in the analytical capabilities available within Excel by releasing a Public Preview of Python in Excel. Python in Excel makes it possible to natively combine Python and Excel analytics within the same workbook – with no setup required. With Python in Excel, you can type Python directly into a cell, the Python calculations run in the Microsoft Cloud, and your results are returned to the worksheet, including plots and visualizations.

We already have issues with Excel Macros being used as vectors for malware & viruses, and this just opens a whole new front in that war. Now, admins will have to worry about attackers using Python in Excel to infiltrate the organization or to send data outside the org. I can see how it is useful for people working with datasets and MS is adding this functionality to keep up with other tools such as Tableau etc which are more powerful but still I feel that this is a bad move.

Another problem that folks are going to face is that now that your Excel sheets have Python programs inside them, how are we supposed to version the code, and how is code review done? Basically this code should be going through the standard SDLC (Software Development Life Cycle) process but wouldn’t. We also need to ensure that all changes are reviewed and monitored to protect against insider attacks but the way the system is set up this is going to be extremely difficult (we have already seen that with Macros and Formulas etc).
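A starting point for the inventory and versioning problem above, added here as an example and not code from this post: it lists every formula cell in a workbook and hashes any VBA project, producing a text manifest that can be committed and diffed. The function names and the in-memory sample workbook are constructed for illustration; it reads formulas and VBA only and does not cover how Python cells are stored.

```python
"""Inventory the code inside an Excel workbook: formulas per cell and whether a
VBA project is present, plus a digest that changes when any of it changes."""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def inventory_workbook(data):
    """Inventory raw .xlsx/.xlsm bytes (an OOXML zip package).

    Returns a dict with 'formulas' [(part, cell, formula)], 'vba_sha256',
    'manifest' (diff-friendly text) and 'digest' (SHA-256 of the manifest).
    """
    formulas, vba_hash = [], None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in sorted(z.namelist()):
            if name == "xl/vbaProject.bin":  # conventional location of macros
                vba_hash = hashlib.sha256(z.read(name)).hexdigest()
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                # For files from untrusted sources, parse with defusedxml instead.
                root = ET.fromstring(z.read(name))
                for cell in root.iter(NS + "c"):
                    f = cell.find(NS + "f")
                    # Cells that only reference a shared formula have no text; skipped.
                    if f is not None and f.text:
                        formulas.append((name, cell.get("r"), f.text))
    manifest = "\n".join(f"{p}\t{c}\t={t}" for p, c, t in formulas)
    manifest += f"\nvba\t{vba_hash}"
    digest = hashlib.sha256(manifest.encode()).hexdigest()
    return {"formulas": formulas, "vba_sha256": vba_hash,
            "manifest": manifest, "digest": digest}

def changed(old, new):
    """Formulas that are new or different in `new`: (part, cell, before, after)."""
    before = {(p, c): t for p, c, t in old["formulas"]}
    return [(p, c, before.get((p, c)), t)
            for p, c, t in new["formulas"] if before.get((p, c)) != t]

def build_sample(formula, with_vba=False):
    """Build a minimal constructed workbook package in memory (one sheet part)."""
    sheet = ('<worksheet xmlns="http://schemas.openxmlformats.org/'
             'spreadsheetml/2006/main"><sheetData><row r="1">'
             '<c r="A1"><v>2</v></c>'
             f'<c r="B1"><f>{formula}</f><v>4</v></c>'
             '</row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"constructed placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    v1 = inventory_workbook(build_sample("A1*2"))
    v2 = inventory_workbook(build_sample("A1*3", with_vba=True))
    print(v2["manifest"])
    print("changed cells:", changed(v1, v2))
    print("digest changed:", v1["digest"] != v2["digest"])
```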

Let’s see how folks address this risk profile.

– Suramya
