Suramya's Blog : Welcome to my crazy life…

August 2, 2023

A perfect example of a bad interview process

Filed under: My Thoughts — Suramya @ 1:16 AM

This person thinks that they have a great interview process designed to get them great candidates but each step is a massive red flag.

They are basically telling us that they don’t care about the candidate’s life or existing commitments. Such companies will expect you to be in the office or working from home 24/7 for no good reason other than that it is expected. From personal experience I have seen that such companies don’t hire enough people because they expect the work of 10 to be done by 5 who are putting in double the hours.

Putting in a ton of hours for a deadline or in an emergency is fine, and you should absolutely be willing to do so when required. However, consistently putting in insane hours shouldn’t become the standard. It is not sustainable and can cause serious health issues and burnout. Being in the office constantly is not cool and it doesn’t show commitment.

It is better to step away for a while when stuck on a problem. To give an example, I was trying to get some data from a system at work yesterday and spent a few hours trying to get my program to work, but it just refused to work. So I decided to take a break, and after a good night’s sleep I looked at the code again; within 15 minutes I figured out the problem and got the program working.

I tend to be on the workaholic side and can get caught up in work to the point where I don’t realize that I have been working for hours without a break. This is not a healthy habit, and I have had some great managers who would scold me for being up late at night when I didn’t need to be. In one of my previous companies we actually implemented a policy in our team to counter this habit: if a person was on vacation and replied to a non-critical email or sent any emails, they had to put $10 in the jar. Once enough money was collected it was used to sponsor a treat for the team.

“Work is a rubber ball. If you drop it, it will bounce back. The other four balls—family, health, friends, and integrity—are made of glass. If you drop one of these, it will be irrevocably scuffed, nicked, perhaps even shattered.” —Gary Keller, Real Estate Entrepreneur

No one lies at their deathbed and remembers all the long hours they worked. They remember the time they spent with friends and family and if they didn’t spend enough time they regret it. No one regrets not spending more hours at work.

As Dolly Parton said ““Never get so busy making a living that you forget to make a life.”.

– Suramya

August 1, 2023

It’s a bad idea to lie on your resume in spite of Twitter ‘experts’ telling you it is ok

Filed under: My Thoughts — Suramya @ 12:11 PM

There is a thread on Twitter where a scammer who sells courses for 8k USD is giving people advice on job hunting. The following screenshot from that thread was shared on Mastodon and came up in my feed, and I was honestly shocked to see this kind of advice being given out.


Just put that you have a degree in your resume. Literally no one checks. Your degree doesn’t apply to your job anyway.

Just by reading this ‘advice’ I immediately know that this person has never worked in a large organization, or is lying through their teeth. One of the first things that happens after you accept a job offer from a large company is a background check in which everything you put in your resume and in your application for the role is verified. Depending on the company they might check X years of your professional work experience (some companies check your entire work history), but all of them verify the education details provided and require you to submit supporting documentation.

If you lied on your resume about having a degree you *will* be caught, and in most cases your job offer will be rescinded for fraud. Yes, fraud: lying on a resume about your qualifications is considered fraud. You are better off leaving out your education. If your skills are good enough, most companies have an exception process that can be used to hire someone who doesn’t have a degree, and other places will consider your work experience in lieu of a degree.

The following LinkedIn post talks about the consequences some of the people who were caught lying on their resume faced:

3. Marilee Jones

Jones, who was dean of admissions from 1997 to 2007 at the ultra-prestigious Massachusetts Institute of Technology, perpetuated for 28 years the lie that she had three degrees. In reality, she had none. As the head of admissions, ironically, Jones cut the amount of space candidates would have to describe extracurriculars on applications, saying more space would mean more fluff. The school learned through an anonymous tip in 2007 that Jones had puffed up her own credentials, and she was forced to quit. The cost to replace Jones is estimated to be over $100,000

As per Law Depot, lying on your resume can have serious legal consequences. In addition to being fired (if the lie is caught after you join), you can also be sued, fined or jailed (or all three).

In a 2019 case outside of North America, an Australian woman was sentenced to 25 months in prison and fined the Australian equivalent of $22,500 USD after she was discovered to have faked references and lied about her education to obtain a high-paying government position.

All said and done, asking someone to lie on their resume is terrible advice and should never be followed. This person should be ashamed of themselves and stop giving such bad advice.

Regards,

Suramya

July 31, 2023

What people think I do when I say I work in Cybersecurity

Filed under: Humor,My Thoughts — Suramya @ 9:17 PM

It is great to have siblings because they make sure that you stay grounded and don’t get too full of yourself. My sister Surabhi sent me this image to make sure I know what they think of my specialization.

[Image: a guy with lots of monitors next to a security guard] What professionals think I do when I say I work in Cybersecurity, and what my family thinks I do.

Well, in all fairness, when Gaurang became a ship’s captain we told him he was a driver of a ship (instead of a bus). So I can’t really complain…

– Suramya

July 27, 2023

GPS Data Could potentially be used to Detect Large Earthquakes in advance

Filed under: Emerging Tech,My Thoughts — Suramya @ 10:31 PM

Earthquakes are extremely devastating, and because we don’t have a way to predict them in advance they take a huge toll on lives. The existing methods for earthquake prediction are fraught with false positives to the point of being useless. That hasn’t stopped people from trying, and in a new paper researchers Quentin Bletery and Jean-Mathieu Nocquet report a precursor signal in GPS data that appears about 2 hours before large earthquakes.

They analyzed high-rate GPS time series from before 90 different earthquakes of magnitude 7 and above, looking for a precursor signal, and observed a subtle signal rising out of the noise about 2 hours before these major earthquakes. This looks extremely promising and, if validated, could change how we approach earthquake disaster management. However, the signal was only visible after summing the data from all 90 events; the study still needs to be validated, and we don’t yet know whether the precursor could ever be measured for an individual event with the accuracy needed to provide a useful warning.

The existence of an observable precursory phase of slip on the fault before large earthquakes has been debated for decades. Although observations preceding several large earthquakes have been proposed as possible indicators of precursory slip, these observations do not directly precede earthquakes, are not seen before most events, and are also commonly observed without being followed by earthquakes. We conducted a global search for short-term precursory slip in GPS data. We summed the displacements measured by 3026 high-rate GPS time series—projected onto the directions expected from precursory slip at the hypocenter—during 48 hours before 90 (moment magnitude ≥7) earthquakes. Our approach reveals a ≈2-hour-long exponential acceleration of slip before the ruptures, suggesting that large earthquakes start with a precursory phase of slip, which improvements in measurement precision and density could more effectively detect and possibly monitor.

This is an area where machine learning might prove useful for extrapolation and prediction, but we still need to validate and verify the signal before implementing anything or depending on it. The paper with their findings was published in Science (DOI: 10.1126/science.adg2565).
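The stacking idea the abstract describes (project each station’s displacement onto the direction expected from slip at the hypocentre, then sum across stations so a weak shared signal adds up while unrelated noise partly cancels) is small enough to show in code. The block below is an added illustration, not code from Bletery and Nocquet’s paper or from this blog; the station geometry, the exponential signal shape, the sinusoidal stand-in for noise and the `acceleration_ratio` threshold are all constructed assumptions, and real work would use actual high-rate GPS series and the paper’s own statistics.

```python
"""Stacking projected GPS displacements to look for pre-rupture slip.

Added example, not code from the Bletery & Nocquet paper or from this blog.
Each station's (east, north) displacement is projected onto the direction
expected from slip at the hypocentre and the projections are summed over
stations. Station geometry, signal shape and the sinusoidal "noise" are
constructed for illustration.
"""
import math

# Hourly samples from 48 hours before the rupture up to origin time (t = 0).
HOURS = list(range(-48, 1))


def project(displacement_en, expected_en):
    """Scalar projection of an (east, north) displacement onto the unit
    vector of the displacement expected from slip at the hypocentre."""
    e, n = displacement_en
    ue, un = expected_en
    norm = math.hypot(ue, un)
    if norm == 0:
        raise ValueError("expected direction must be non-zero")
    return (e * ue + n * un) / norm


def stack(stations):
    """stations: list of (expected_en, [(east, north), ...]) with one
    displacement per entry of HOURS. Returns the stacked projection series."""
    series = [0.0] * len(HOURS)
    for expected_en, displacements in stations:
        if len(displacements) != len(HOURS):
            raise ValueError("every station needs one sample per hour")
        for i, d in enumerate(displacements):
            series[i] += project(d, expected_en)
    return series


def acceleration_ratio(series, window=2):
    """Mean |stack| over the last `window` hours divided by the mean |stack|
    over the rest of the record. A large ratio flags a late acceleration."""
    tail = series[-window:]
    head = series[:-window]
    head_mean = sum(abs(v) for v in head) / len(head)
    tail_mean = sum(abs(v) for v in tail) / len(tail)
    return tail_mean / head_mean if head_mean else float("inf")


def precursor_detected(series, threshold=4.0):
    """Constructed decision rule: flag when the final hours stand out."""
    return acceleration_ratio(series) > threshold


def constructed_stations(n=5, amplitude_mm=2.0, tau_h=0.5, noise_mm=0.2):
    """Build n stations that move along their expected direction with an
    exponential pull in the final hours plus an out-of-phase sinusoid standing
    in for unrelated station noise (constructed data, not measurements)."""
    stations = []
    for k in range(n):
        angle = 2 * math.pi * k / n
        expected = (math.cos(angle), math.sin(angle))
        displacements = []
        for t in HOURS:
            signal = amplitude_mm * math.exp(t / tau_h)
            # Phases 1.3*k rad are deliberately not evenly spaced, so the
            # noise does not cancel exactly when stacked.
            noise = noise_mm * math.sin(t + 1.3 * k)
            total = signal + noise
            displacements.append((expected[0] * total, expected[1] * total))
        stations.append((expected, displacements))
    return stations


if __name__ == "__main__":
    stacked = stack(constructed_stations())
    print("stack at origin time: %.2f mm" % stacked[-1])
    print("acceleration ratio: %.1f" % acceleration_ratio(stacked))
    print("precursor flagged:", precursor_detected(stacked))
```

With the constructed data the per-station signal at 3 hours before the rupture is only about 0.005 mm, well inside the 0.2 mm noise, while the stacked series reaches roughly 10 mm at origin time; that is the whole point of summing across stations. The caveat from the post still applies: this shows why stacking helps, not that any single station, or any single event, would show a usable warning.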

Source: Hacker News: Early Warning: GPS Data Could Detect Large Earthquakes Hours Before They Happen

– Suramya

June 29, 2023

There is no such thing as micro-cheating and these are not examples of it

Filed under: My Thoughts — Suramya @ 12:17 PM

I am constantly surprised at how insecure some men are. The following screenshot came up in my Mastodon feed (unfortunately I didn’t save the link to the post, just the image, and I can’t find it now) and I was flabbergasted. It is from a ‘romance’ guide that explains how addressing a man by his name instead of calling him “hey you” is an example of micro-cheating…


34 Ways Your Girlfriend Is Micro-Cheating (And Totally Getting Away With It)
29. Addressing a man by his name unexpectedly (e.g. “Hey, Doug” instead of just “Hey”), which breeds a strangely powerful sense of intimacy.

What on earth is wrong with people? Calling folks by their name is basic courtesy. I admit I am bad at it because I have a hard time remembering names, but that is not something I am proud of, and I try to go the extra mile to make sure I memorize names.

A quick search gave me the site, and the examples they use in this ‘article’ are beyond idiotic. Search for the text from the example above and you will find it; I am not linking to it because I don’t want to send them more traffic. For example, #25 claims that “giggling”, yes you read that right, is an example of micro-cheating… Some more gems from the site:

9. Letting a guy she interacts with ever so briefly on the bus or in an elevator believe that he’s got a shot for a few precious seconds before getting on with her day.
Just because someone smiled at you doesn’t mean they are interested in dating you.

30. Addressing a man by his full name instead of the nickname he goes by (e.g. “Hello, Douglas”), which is secretly one of the most subtle but impactful ways to flirt.
I don’t like calling folks by their nicknames unless I know them well enough to use it (not talking about examples where Christian is shortened to Chris) and that doesn’t mean I am flirting with them.

34. Sending texts to a guy that are laced with more emojis than she typically uses when communicating with her besties.

These folks need to talk to a psychiatrist because they need help. They are being trained from a young age to think about women only in a certain way and to expect every woman they meet to fall at their feet and fulfill their every desire. This is obviously not what happens in the real world, so they grow more and more militant and misogynistic, causing huge problems for everyone around them. Some of them have actually killed people because they didn’t get what they thought was their right.

– Suramya

June 28, 2023

Please stop shoving ChatGPT Integration into products that don’t need it

I am getting really tired of folks shoving ChatGPT integration into everything, whether it makes sense or not. The latest silliness is an electric bike with ChatGPT integration. I understand the desire to integrate GPS/maps etc. into a bike, although personally I would rather use an independent device, which would get updates more frequently than a built-in GPS whose maps might be updated a few times a year (unless the maps are downloaded live over 3G/4G/whatever). I even understand the desire to integrate voice recognition so that the user can talk to it. But why on earth do I want/need to have ChatGPT shoved in there?

Given ChatGPT’s well-known tendency to hallucinate, there is a good probability that it will tell you to take a path that is not safe, or even route you into the ocean because it hallucinated that that was the way to go. This is the same thing we saw with blockchain a few years ago: suddenly everything was on the blockchain whether it needed to be or not. The sad part is that these folks are going to make a ton of money on the hype behind ChatGPT and then bail, leaving consumers with a sub-par bike that hallucinates.

Source: Urtopia Unveils the World’s First Smart E-Bike with ChatGPT Integration at EUROBIKE 2023

– Suramya

June 27, 2023

Thoughts on Meta joining the Fediverse (Mastodon)

Filed under: My Thoughts,Tech Related — Suramya @ 4:29 PM

The past few weeks have been interesting over at Mastodon, where part of the community has been screaming and losing their minds about the possibility of Meta becoming part of the Fediverse. Bloonface summarized my feelings about it perfectly in the following toot:


Let’s just say the blunt truth here: It’s not going to be Meta or Project 92 or whatever that kills fedi, it’s the fact that every time anyone suggests a way in which normal people can use it in the same way that normal people use social networks, the entire network shits the bed and starts screaming about keeping the outsiders out. But then also the same people heap judgment on people for still using Twitter when Twitter actually gives them what they want

People have reason not to trust Meta because of their behavior in the past, and we have extreme examples where open protocols were adopted and then subverted (XMPP) and the open-source clients killed off. However, we also have the example of AOL, a closed garden that opened its network and users up to the Internet. That introduced a ton of people to the open Internet, and while there were initial hiccups and adjustments required, in the long run it was good for the Internet to absorb the closed garden into an open network.

One of the biggest reasons people stick with Facebook/WhatsApp/whatever is the cost of switching and the network effect. Basically, people use a social network/site because their friends are already using it, and it is difficult to get them to switch. I have tried getting my family and friends to switch to Signal from WhatsApp, but since most folks are on WhatsApp it becomes a chicken-and-egg problem: we can’t move there because all our friends are here. Having Meta become a part of the Fediverse would allow me to move to a new network/server and still be able to connect with my friends and relatives on Facebook. This interoperability lowers the switching costs, giving users the freedom to change servers without losing the user base/network they have built up on the old system.

Cory Doctorow has written a fantastic article about Facebook’s war on switching costs that goes into detail on how reducing the switching costs and increasing interoperability is a good idea.

Unfortunately, there are folks who think that only the chosen few should be allowed to use ‘their’ networks, and they are screaming their heads off about something that is not even a formal discussion yet. Meta has had a few exploratory calls with Mastodon server admins, and that’s it. No one has ‘betrayed’ the users or sold out or whatever. I can’t remember how many folks have been referencing that post about ‘Geeks, MOPs, and sociopaths in subculture evolution’ that I wrote about a while ago (not linking to the original post because I don’t want to increase its visibility). It is the same standard whining from a certain part of the user group that always tries to gatekeep everything, and it is annoying.

I would love to have everyone move to Mastodon so that I don’t have to log into Twitter to catch up with folks. Currently not everyone is on Mastodon which means that either I stop following their work or I log into Twitter to read what they are doing till they migrate. If Twitter federates then I wouldn’t have to do that, I could read their posts from the comfort of my own server. Same thing with Facebook, I don’t log in much there but that means that I miss a lot of updates from family who still use it actively.

However, the advantage of having an open federated network is that even if some of the admins have a hissy fit and block the Meta (or any other servers) nothing is preventing their users from deciding to move their accounts to a more sensibly managed server as they are not locked in.

– Suramya

June 20, 2023

It is now possible to track someone using SMS Receipt Messages

Filed under: Computer Security,Interesting Sites,My Thoughts,Tech Related — Suramya @ 6:04 PM

With modern technology it is getting easier and easier to track someone. There are many apps and devices that allow a target to be tracked in near real time: an app on the phone, find-my-phone functionality, family location sharing, etc. Someone worried about being tracked can disable GPS or get a dumb phone that doesn’t support GPS, which mitigates the threat to a large extent. Unfortunately, there is now a new attack surface that allows an attacker to approximately locate a target, with up to 96% accuracy in the researchers’ experiments.

Researchers have figured out how to deduce the location of an SMS recipient by analyzing timing measurements taken from typical receiver locations. Basically, they measure the time elapsed between sending a (silent) SMS and receiving the Delivery Report, then use an ML model trained on earlier measurements to predict the area where the target is located. From the attacker’s point of view the other advantage is that it doesn’t require any specialized equipment or access to restricted systems; it can be executed from an ordinary smartphone.

Short Message Service (SMS) remains one of the most popular communication channels since its introduction in 2G cellular networks. In this paper, we demonstrate that merely receiving silent SMS messages regularly opens a stealthy side-channel that allows other regular network users to infer the whereabouts of the SMS recipient. The core idea is that receiving an SMS inevitably generates Delivery Reports whose reception bestows a timing attack vector at the sender. We conducted experiments across various countries, operators, and devices to show that an attacker can deduce the location of an SMS recipient by analyzing timing measurements from typical receiver locations. Our results show that, after training an ML model, the SMS sender can accurately determine multiple locations of the recipient. For example, our model achieves up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium. Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator making it challenging to thwart this covert attack without making fundamental changes to the network architecture.

The biggest problem with this method, from the defender’s side, is that it doesn’t depend on any software or anything that needs to be installed on the target phone. You just need a phone that supports SMS, which is pretty much every phone on the market. Note that the ‘delivery reports’ toggle in a phone’s messaging settings only controls whether that phone asks for reports on the messages it sends; the report itself is generated by the network once the recipient’s handset acknowledges the message, so the recipient cannot simply opt out. That is why the abstract says the attack is hard to thwart without fundamental changes to the network architecture: a real fix has to come from the network side, not from a setting on the target’s phone.
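To make the side channel concrete, here is a toy version of the attacker’s workflow in Python. It is an added illustration, not code from the Freaky Leaky SMS paper or from this blog: an attacker sends silent SMS from an ordinary phone, records the time between each send and the arrival of the network-generated Delivery Report, builds a timing fingerprint per known place from batches collected while the victim was there, and later matches a fresh batch against those fingerprints. The three summary features, the nearest-centroid matcher, the `min_separation` threshold and every timing value below are constructed assumptions standing in for the paper’s trained ML model and real measurements.

```python
"""Toy model of the SMS Delivery Report timing side channel.

Added example, not code from the Freaky Leaky SMS paper or from this blog.
Each value is one send-to-Delivery-Report round trip in milliseconds; the
features, the nearest-centroid matcher and all numbers are constructed.
"""
from math import sqrt
from statistics import mean, pstdev


def features(rtts_ms):
    """Summarise one batch of round trips as (mean, std dev, median)."""
    if len(rtts_ms) < 2:
        raise ValueError("need at least two round trips per batch")
    ordered = sorted(rtts_ms)
    return (mean(ordered), pstdev(ordered), ordered[len(ordered) // 2])


def build_fingerprints(training):
    """training maps a place label to round trips measured while the
    recipient was known to be there. Returns {label: feature tuple}."""
    return {label: features(rtts) for label, rtts in training.items()}


def rank(fingerprints, rtts_ms):
    """(distance, label) pairs for a fresh batch, closest fingerprint first."""
    probe = features(rtts_ms)
    scored = []
    for label, fp in fingerprints.items():
        distance = sqrt(sum((a - b) ** 2 for a, b in zip(probe, fp)))
        scored.append((distance, label))
    return sorted(scored)


def classify(fingerprints, rtts_ms, min_separation=1.5):
    """Best-matching place, or None when the two closest fingerprints are
    too similar to call: second-best distance divided by best distance is
    below min_separation (an arbitrary constructed threshold)."""
    scored = rank(fingerprints, rtts_ms)
    if len(scored) > 1 and scored[0][0] > 0:
        if scored[1][0] / scored[0][0] < min_separation:
            return None
    return scored[0][1]


# Constructed training batches: one Delivery Report round trip per silent SMS,
# recorded while the recipient was at each place.
TRAINING = {
    "home":   [1420, 1435, 1410, 1450, 1428, 1440],
    "office": [1880, 1905, 1870, 1910, 1890, 1895],
    "abroad": [2610, 2650, 2590, 2630, 2640, 2600],
}
FINGERPRINTS = build_fingerprints(TRAINING)


if __name__ == "__main__":
    # A later batch, also constructed, sent when the recipient's place is unknown.
    later = [1430, 1445, 1415, 1438]
    for distance, label in rank(FINGERPRINTS, later):
        print("%-7s distance %.1f" % (label, distance))
    print("guess:", classify(FINGERPRINTS, later))
```

Replacing the constructed lists with real round trips recorded on a handset is all that is needed to try this against your own numbers; what the toy leaves out is the paper’s richer feature set and trained model, which is where the 96% figure comes from. The `None` path matters in practice: two places served by the same cell will produce overlapping timings, and an honest classifier should say so rather than pick one.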

Source: HackerNews: Freaky Leaky SMS: Extracting user locations by analyzing SMS timings
Full Paper: Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings

– Suramya

June 12, 2023

A DIY Robot for automating a Cold boot attack now exists

Filed under: Computer Hardware,Computer Security,My Thoughts,Tech Related — Suramya @ 11:58 PM

The cold boot attack has been around for a while (it was first demonstrated in 2008), but until now it has been a fairly manual, tricky operation. A new DIY robot has been created that reduces the manual effort for this attack. Now you might be asking what on earth a cold boot attack is. No, it does not refer to having to wear cold shoes in winter. It is actually a very interesting attack where the attacker freezes the RAM chips of a running system and then shuts it down, after which they remove the RAM chip and put it in another device to read the data out of it. Because the chip has been cooled significantly, it retains its contents for long enough after the system is shut down for the information to be extracted. The original cold boot attack involved freezing a laptop’s memory by inverting a can of compressed air to chill the DRAM to around -50°C, so that the data persisted for several minutes even after the system was powered down.

Ang Cui, founder and CEO of Red Balloon Security, has created a process and a robot to extract the chip from the system. The robot is a CNC machine with an FPGA (field-programmable gate array) connected to it. The robot chills the RAM chips one at a time, extracts them from the board and then inserts them into the FPGA, which reads the contents of the chip and extracts the data. To make this easier and give them more time to remove the chip, the system monitors the electromagnetic emanations of the device, which lets them identify when the system is running CPU-bound operations. Once they identify that, they can pull the chip while the system is using the CPU and not reading from or writing to the RAM. This gives the robot a window of ~10 milliseconds to extract the chips instead of having to do it in nanoseconds.

Cui and colleagues demonstrated their robot on a Siemens SIMATIC S7-1500 PLC, from which they were able to recover the contents of encrypted firmware binaries. They also conducted a similarly successful attack on DDR3 DRAM in a CISCO IP Phone 8800 series to access the runtime ARM TrustZone memory.

They believe their technique is applicable to more sophisticated DDR4 and DDR5 if a more expensive (like, about $10,000) FPGA-based memory readout platform is used – a cost they expect will decline in time.

Cold boot attacks can be countered with physical memory encryption, Cui said.

This is not an attack the average user has to worry about, but it is something that folks working on critical systems like banking servers, government systems, weapons etc. need to be aware of and guard against. The memory encryption Cui mentions is the hardware kind, where the memory controller encrypts DRAM contents so that a chip pulled from the board holds only ciphertext (Intel TME and AMD SME are examples on x86 servers). More details on the attack will be provided during a talk at the REcon reverse engineering conference in Canada titled “Ice Ice Baby: Coppin’ RAM With DIY Cryo-Mechanical Robot”.

Source: Hacker News: Robot can rip the data out of RAM chips

– Suramya

June 10, 2023

The World Book encyclopedia is still in print and I really wanted a copy

Filed under: My Thoughts — Suramya @ 11:59 PM

Back in the early 1990’s we made a big investment and bought a copy of the World Book Encyclopedia. From what I can remember it cost quite a bit, but it was worth it. Most of my research for any paper or project I had to do in my school years was done using these as the starting point (and the middle and the end for most of the research). We still have the encyclopedias at home in Delhi, but they are not used much. I think Vir has used them a few times to find something, but with the internet putting the latest research at your fingertips the physical books don’t get much use.

However, there are multiple advantages to having a physical copy of something. For example, we are not dependent on internet connectivity or even electricity to be able to look up something in a physical book. Plus there is just a different feel to having a physical book in your hand rather than a digital copy.

I found a post earlier this week in which a journalist discovered that the World Book Encyclopedia is still being actively published in physical form every year, and I was actually tempted to go and buy the latest version just so that I have it at home. Then I saw the cost of the full set and decided that nostalgia is all well and good but not worth spending $1,199. You can also subscribe to an online version of the encyclopedia for a lot less, but I don’t think I am going to do that. I have access to enough other sources that this is not needed.

This reminded me that I do have a CD version of the Encarta Encyclopedia lying around somewhere, maybe I should install it and see if it still works on my new system…

Source: Arstechnica: I just bought the only physical encyclopedia still in print, and I regret nothing

– Suramya


Powered by WordPress