Suramya's Blog : Welcome to my crazy life…

September 26, 2024

Python in Excel launched for all Office 365 Business and Enterprise users

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 10:35 PM

Excel is both a blessing and a bane for companies. Because of its capabilities, folks have created formulas, macros, scripts, functions etc. in Excel that allow them to generate data that is used to take major financial decisions with real-world impact. But that same capability also makes it an ideal vector for infiltrating an organization, using macros or scripts in Excel files to compromise systems.

Back in Aug 2023, Microsoft first announced that they were going to support running Python inside an Excel file. After that there was no major talk about it, so I had hoped this meant that they had abandoned the project, but sadly I was mistaken. Redmond announced the official release of Python in Excel for Windows users of Microsoft 365 Business and Enterprise in a blog post. The post has a lot of details on the new capabilities this gives to power users, and frankly I can see why folks are excited about it. But from a security and version control point of view this is a disaster waiting to happen.

There is a new learning series available for free for 30 days on LinkedIn that incorporates numerous examples, tutorials, and tips on how to best leverage Python in Excel.

Included in the Excel for Python release is a large language model integration that will allow Excel users to ask the Copilot to build scripts for them with plain language commands.

Microsoft partnered with data science tool maker Anaconda to develop the Python-Excel integration. As we’ve previously reported, data can move effortlessly between the two platforms using a few custom-defined functions.

This two-way function sending is a key part of security – Microsoft states Python processes Excel data without revealing the user’s identity, and all Python code runs in a secure, isolated environment, only accessing libraries approved by Anaconda.

As with all the stuff MS has released recently, this also has LLM integration, but availability is restricted: the service is only available to Office 365 users with a valid Enterprise or Business Microsoft 365 subscription on the Current Channel.

Source: The Register: Python in Excel is here, but only for certain Windows users

– Suramya

August 30, 2024

Admiral Grace Hopper’s NSA Lecture from 1982 on Future Possibilities: Data, Hardware, Software, and People

Filed under: Computer Software,Tech Related — Suramya @ 6:05 PM

Grace Hopper is one of the founders of the field of programming languages and was the first person to devise the theory of machine-independent programming languages, which she then used to develop the FLOW-MATIC programming language and COBOL. She had a phenomenal impact on the field of Computer Science/Engineering, and her lectures are extremely interesting to watch, as even after 40 years the concepts she talks about are still relevant. The NSA has finally released the video recording of a 1982 lecture by Adm. Grace Hopper titled “Future Possibilities: Data, Hardware, Software, and People.”

Initially they refused to do so because “With digital obsolescence threatening many early technological formats, the dilemma surrounding Admiral Hopper’s lecture underscores the critical need for and challenge of digital preservation. This challenge transcends the confines of NSA’s operational scope. It is our shared obligation to safeguard such pivotal elements of our nation’s history, ensuring they remain within reach of future generations. While the stewardship of these recordings may extend beyond the NSA’s typical purview, they are undeniably a part of America’s national heritage.”

Thankfully, after a massive push from people all over the world to get the NSA to release the video, saner minds prevailed and the entirety of the lecture has been released in two parts. You can watch them below:

Capt. Grace Hopper on Future Possibilities: Data, Hardware, Software, and People (Part One, 1982)

Capt. Grace Hopper on Future Possibilities: Data, Hardware, Software, and People (Part Two, 1982)

Since I don’t trust online systems to keep information available indefinitely, I have also archived the lectures on my system, so if they disappear in the future I will have copies I can publish.

– Suramya

August 26, 2024

Anime character breaks free from Blender by hijacking its controls

Filed under: Humor,Tech Related — Suramya @ 10:58 AM

Kensyouen_Y has created a video using Blender depicting an anime character model who becomes sentient and starts playing around with Blender’s UI, messing around with different tools and functionalities, changing her own hair color via Shader Nodes, and eventually crashing the software with her boisterous high jinks.

This is a phenomenally creative video, something that I couldn’t create in 100 years. 🙂 Check it out below.

Anime character breaks free and hijacks the 3D software

Source: Boingboing.net: Anime character breaks free: Watch her hijack 3D software in video

– Suramya

August 25, 2024

Browse Open source clones of classic video games

Filed under: Computer Software,Tech Related — Suramya @ 2:19 AM

There are a lot of games that can no longer be played because the systems to run them are no longer in production, and it is illegal to modify their code to work on new systems, operating systems or emulators. That is where open source comes into play: developers have dedicated a lot of time to creating open source clones of their favorite games.

You can access the list and instructions on how to install/play them at: https://osgameclones.com/, which gathers open-source or source-available remakes of great old games in one place.

  • A Remake is a game where the executable and sometimes the assets as well are remade open source. Some of these games aren’t exact remakes but evolutions of the original ones, which were eventually open sourced.
  • A Clone is a game which is very similar to or heavily inspired by a game or series.
  • An Official project is the official source code release for a game that was formerly closed-source, maintained by the original creators and has minimal changes.
  • A Similar game is one which has similar gameplay but is not a clone.
  • A Tool is not a game, but something that assists in playing or modding the game, such as a high resolution patch, or resource extractor.

I see open source versions of classics like Descent II, Doom II/III and many more on the site. Check it out if you have some free time.

Source: Boingboing.net: Open source clones of classic video games

June 27, 2024

What’s the Difference Between Mastodon, Bluesky, and Threads?

Filed under: Interesting Sites,My Thoughts,Tech Related — Suramya @ 11:39 PM

When Twitter was taken over by Musk, a lot of us moved to alternatives because of the change in the quality and tone of Twitter. In the early days many alternatives were created, but now the field has narrowed down quite a bit and the main alternatives are Mastodon, Bluesky, and Threads. I have accounts on both Mastodon and Bluesky but primarily use Mastodon, as most of the security and tech experts migrated to Mastodon. Some interesting folks are on Bluesky as well, but for some reason I don’t find it as interesting to scroll the feed over there.

If you are not aware of the apps, you might wonder what the difference between them is. The EFF (Electronic Freedom Foundation) did a great write-up on the various alternatives to Twitter, and you can check out the article here.

– Suramya

June 19, 2024

Yet another example of why strict data privacy controls are needed everywhere

Filed under: My Thoughts,Tech Related — Suramya @ 11:35 PM

Here is yet another example of why we need data privacy and rules to protect the data that is collected about us. In this case a person snooped on the mobile data history of potential dates before going out with them:

I work for one of the most popular mobile providers in the country. Back when I was dating a few months ago, I’d check the lad’s mobile data history at work to see what sort of porn they watch on their phones. Helped me to weed out and ghost a couple of freaks

This is absolutely an invasion of privacy, but still something a lot of us would do if we had access to a system that gives us this information. It is human nature to be curious, and if they could, most people would end up doing something like this. That is why banks have strict policies and controls around looking up data that you shouldn’t be looking into, like financial transactions or bank balances.

I would have expected the ‘most popular’ mobile provider to have controls around who can access such data. But even if the controls limit who can access the data, it doesn’t solve the full problem, because it doesn’t stop the people authorized to view the data from misusing it. The Latin phrase ‘Quis custodiet ipsos custodes?’ (Who will watch the watchmen?) highlights this problem. People who have official access can (and do) misuse that access, and we have seen this misuse multiple times: folks in law enforcement have used their access to track and research their significant others, other folks have stalked celebrities, and there are many more such examples.

That is why, in addition to restricting access, there needs to be a regular audit of the access requests made into the system, with sign-off to ensure people are not misusing the data. In my previous companies, we had to review audit logs for production access and sign off on the access (for the systems we were responsible for). For obvious reasons people couldn’t sign off on their own access requests.
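The kind of review described above, as an added example that is not from the blog post: a small script that runs over a constructed lookup log and a constructed sign-off log and flags lookups with no ticket, lookups nobody signed off, self-approvals, and employees reading their own record. All names, IDs and the log layout are made up for illustration.

```python
"""Separation-of-duties review of data-lookup audit logs.

Added example (not from the blog post): two constructed logs, one of
subscriber-record lookups by staff and one of the sign-offs that approve
them. The review flags (a) lookups with no ticket, (b) lookups nobody
approved, (c) lookups the requester approved for themselves, and
(d) lookups by an employee on their own account. All values are made up.
"""
import csv
import io

# Constructed audit log: who looked up which subscriber record, and why.
LOOKUPS = """event_id,employee,subscriber,ticket
1001,alice,sub-7781,TCK-1
1002,bob,sub-9920,
1003,carol,sub-3141,TCK-2
1004,bob,sub-bob-self,TCK-3
"""

# Constructed sign-off log: which approver signed off which lookup event.
SIGNOFFS = """event_id,approver
1001,dave
1003,carol
1004,erin
"""

# Constructed mapping of employees to the subscriber record they own.
OWN_ACCOUNT = {"bob": "sub-bob-self"}


def load(text):
    """Parse a CSV string into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review(lookups_csv, signoffs_csv, own_account):
    """Return a sorted list of (event_id, finding) pairs for a reviewer."""
    signoffs = {row["event_id"]: row["approver"] for row in load(signoffs_csv)}
    findings = []
    for row in load(lookups_csv):
        eid, who = row["event_id"], row["employee"]
        approver = signoffs.get(eid)
        if not row["ticket"]:
            findings.append((eid, "no ticket recorded for lookup"))
        if approver is None:
            findings.append((eid, "lookup never signed off"))
        elif approver == who:
            # The blog's rule: nobody signs off on their own access.
            findings.append((eid, "requester signed off own access"))
        if own_account.get(who) == row["subscriber"]:
            findings.append((eid, "employee accessed own account"))
    return sorted(findings)


if __name__ == "__main__":
    for eid, why in review(LOOKUPS, SIGNOFFS, OWN_ACCOUNT):
        print(eid, why)
```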

Data privacy is very important, and because of the amount of data that companies collect about us it is a dangerous situation. In an ideal world they would not be storing this data in the first place, but since that is not going to happen anytime soon, we need to ensure that we build legal and technical frameworks around these systems so that the potential for misuse is reduced.

– Suramya

May 25, 2024

ICQ messenger shutting down after almost 28 years of service

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 6:12 AM

I used ICQ for the first time around 1997/98, and it was an amazing experience to be chatting with someone on the other side of the planet for free. I had been using BBSs to connect with people, but for obvious reasons they were all local folks. ICQ was the first system that allowed me to connect to the international world for free. I think it was also the first system where I encountered the infamous A/S/L (Age/Sex/Location) question. It was quite popular over on AOL IM as well, but I first encountered it on ICQ. I think it was probably because there was no concept of a profile picture at that time, and ICQ used a number instead of a custom screen name for user identification.

Unfortunately the system is going to be shut down on June 26th, with no explanation given on why it is being shut down. That being said, it is impressive that the system managed to stay up and running for so long. I think the last time I logged into ICQ was sometime in the late 2000s. I wonder if I still remember the password to be able to log in one last time before it is gone for good.

What would be really cool is if VK made the source code behind the server open source so that others could set up an alternate ICQ server for folks to use. But I doubt that will happen.

Source: Bleepingcomputer.com: ICQ messenger shuts down after almost 28 years

– Suramya

May 24, 2024

OpenSSF launches Siren to provide real-time security warning for Open Source Software

Securing open source software (OSS) can be a bit of a challenge at times, and a lot of the infosec feeds that give information on security issues in software are commercial, paid entities. There is software that scans for OSS vulnerabilities, but we can always use more threat intelligence networks.

The Open Source Security Foundation (OpenSSF) has launched a new threat intelligence sharing group called ‘OpenSSF Siren’ that aims to provide real-time security warning bulletins and deliver a community-driven knowledge base to fill the gap between the open-source and enterprise communities.

The OpenSSF Siren is a collaborative effort to aggregate and disseminate threat intelligence specific to open source projects. Hosted by the OpenSSF, this platform provides a secure and transparent environment for sharing Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with recent cyber attacks. Siren is intended to be a post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination.

The Key features of the OpenSSF Siren include:

  • Open Source Threat Intelligence: shared with the community about actively exploited public vulnerabilities and threats.
  • Real-Time Updates: List members receive notifications via email about emerging threats which may be relevant to their projects, enabling swift action to mitigate risks.
  • TLP:CLEAR: To facilitate effective, unrestricted, transparent communication, the list follows the Traffic Light Protocol (TLP) CLEAR guidelines for the sharing and handling of intelligence.
  • Community-driven: Contributors from diverse backgrounds collaborate to enrich the intelligence database, fostering a culture of shared responsibility and collective defense.

You can sign up for it here: Siren Sign-Up
Source: OpenSSF sings a Siren song to steer developers away from buggy FOSS

– Suramya

May 23, 2024

Windows 11 will feature built-in spyware in the near future, or Recall AI as Microsoft calls it

Till recently, if you wanted to spy on someone and see what they have been doing on their computer, you had to infect their computer by making them visit a dodgy site, or get physical access and download a RAT (Remote Access Trojan) and install it on the target’s computer, configure the antivirus to ignore it and put in a backdoor so that you could access the data remotely. Obviously this was a lot of work, so it looks like some cyber criminals reached out to Microsoft (MS) and asked for help. MS, being a super helpful company, has added a functionality called ‘Windows Recall’ to its Windows 11 Preview build to solve this. Recall takes a snapshot (literally) of the screen every few seconds and stores it in a searchable database ‘stored locally’. Basically it does exactly what spyware does, without having to install anything new on your system. As per the company, below is how Recall works:

Recall uses Copilot+ PC advanced processing capabilities to take images of your active screen every few seconds. The snapshots are encrypted and saved on your PC’s hard drive. You can use Recall to locate the content you have viewed on your PC using search or on a timeline bar that allows you to scroll through your snapshots. Once you find the snapshot that you were looking for in Recall, it will be analysed and offer you options to interact with the content. What actions you can take depend on the content and the chat provider capabilities in Copilot in Windows. For example, you may highlight a block of text and decide to summarise it, translate it, or open it with a text editor like Word or Notepad. If you highlight an image, you will be able to edit it or use your chat provider in Copilot in Windows to find or create a similar image.

Recall will also enable you to open the snapshot in the original application in which it was created, and, as Recall is refined over time, it will open the actual source document, website or email in a screenshot. This functionality will be improved during Recall’s preview phase.

The best part is that, according to their own announcement, the snapshots will not hide passwords, account numbers etc. However, it does block you from recording DRM’d video you might be watching, because protecting that is apparently important, unlike simple things like personal information.

Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.

This is a gold mine for data thieves, abusers, industrial espionage, identity thieves and other cyber criminals. Once they have access to a PC they don’t need to do anything else except copy the data from the Recall DB to their own system and happily browse through the user’s personal data at their leisure.

I don’t think MS has thought about folks who use public computers such as the ones in an Internet cafe, hotel or library. With this feature enabled, all someone has to do is wait a few days, then come back and copy incredibly private information that they can then sell or use. Privacy and domestic abuse experts are raising questions about this as well, because, as sure as night follows day, abusers will use this to track what their victims are doing on a computer, and that can go bad very quickly.

Even if the data is supposedly only on the local machine, we don’t know when MS is going to force it to be uploaded to their servers using OneDrive or other similar setups. Of all the coverage I have seen of this functionality, 99% of it has raised similar concerns about the security, privacy and, quite frankly, the need for this kind of surveillance.

Imagine what a regime like the Taliban, China or other conservative/restrictive governments would do with information they get from this system. You are dreaming if you think that they will not force MS to make this information available to them, at the risk of losing access to that market if they don’t. Once you have the capability to do this, feature creep will happen for sure and we will end up in a surveillance state.

The only Windows 11 system at my place is my wife’s laptop and you can be sure that I am going to disable this ‘feature’ as soon as it launches.

Source: Bleepingcomputer: Windows 11 Recall AI feature will record everything you do on your PC

– Suramya

May 20, 2024

Winamp announces it will open its source code to the public on 24th Sep 2024

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 11:59 PM

Winamp is one of my all-time favorite music players, but unfortunately it is only available on Windows. In an announcement made recently, the Winamp team states that they are planning to make the full source code for Winamp available to everyone on 24 September 2024. This will open up the possibility of the code being ported over to Linux and other operating systems, which would be awesome.

Winamp has announced that on 24 September 2024, the application’s source code will be open to developers worldwide.

Winamp will open up its code for the player used on Windows, enabling the entire community to participate in its development. This is an invitation to global collaboration, where developers worldwide can contribute their expertise, ideas, and passion to help this iconic software evolve.

Winamp has become much more than just a music player. It embodies a unique digital culture, aesthetic, and user experience. With this initiative to open the source code, Winamp is taking the next step in its history, allowing its users to contribute directly to improving the product.

“This is a decision that will delight millions of users around the world. Our focus will be on new mobile players and other platforms. We will be releasing a new mobile player at the beginning of July. Still, we don’t want to forget the tens of millions of users who use the software on Windows and will benefit from thousands of developers’ experience and creativity. Winamp will remain the owner of the software and will decide on the innovations made in the official version,” explains Alexandre Saboundjian, CEO of Winamp.

At this time we don’t know what license the source code is going to be released under, so we will have to wait and see on that front. Depending on the license used there might be restrictions on the code use so… The announcement asks users to register their interest by entering their details at their Free-Llama site. I have done so and will share any details I receive from them as we get nearer to the release date.

Unfortunately, there is a good possibility that the code will not be released under a public open source licence like GPL/MIT etc., as in that case they would have just dumped the code on GitHub and made the announcement. Unless… this is a way to drum up interest for the release.

In either case, we will have to wait and see. But I am very excited by this 🙂

– Suramya
