Suramya's Blog : Welcome to my crazy life…

May 5, 2022

Thoughts around using GPS tracking to stop car thieves

Filed under: Computer Security,My Thoughts,Techie Stuff — Suramya @ 2:56 PM

Earlier today, I saw the following tweet Retweeted by the BengaluruCityPolice where they recommend that we install a hidden GPS tracker in the car that can be used to find the car if it is ever stolen.

On the surface this sounds like a great idea but there are larger implications that we are missing here. But first lets talk about why this wouldn’t work for long:

  • The thief’s are not fools, once this technique starts getting more popular the first thing they will do is search the car from top to bottom to find and remove the tracker.
  • If the car is underground or behind concrete/metal then the GPS tracker will not be able to transmit. So no signal.

There are other reasons as well but these are the top two that make the tracker useless. Now let’s look at the drawbacks shall we:

Once we have a GPS tracker in the car, all movement information of the car is now tracked and stored online. The current data privacy laws in India allow cops or others to get access to this data fairly simply. This data can also be sold to others (after anonymizing it) but it is quite simple to de-anonymize a dataset as proven by various people recently, such as the case last year where a Priest was outed as a user of Grindr app due to data de-anonymizer.

This is especially risky for women as this potentially allows people to figure out where they live or work, what their schedule looks like etc. Another problem is misuse of data by the company hosting it. History has shown that insiders at companies that store private data have used their access to view private details. This includes cops, tech employees etc. So the more data that is stored the more risk of data misuse and this doesn’t take into account the possibility of attackers hacking into the network to steal the movement data.

Once people have the data, it can then be used for many things such as:

  • Abusers can track their victims (wives/kids)
  • Identify who is having an affair with whom (Uber did this)
  • Figure out who is undergoing medical treatments
  • Criminals can see when we are on vacation and the house is empty.
  • Locate people who are traveling home at late night through empty areas
  • Employers could begin tracking employees to see if an employee is thinking about leaving by looking at visits to competitor’s office etc

These are not theoretical concerns there are been proven cases for each of the above. The risk is grave enough that the US Women’s Law Organization, which deals with a lot of domestic abuse cases has a whole section dedicated to GPS monitoring abuse.

We need to look at all aspects of the technology before we start implementing on a large scale. This includes looking at how the tech could potentially be misused.

– Suramya

May 4, 2022

Using reflection in pupils in public selfies to figure out the different ways a user can hold a device

Filed under: Computer Software,My Thoughts,Techie Stuff — Suramya @ 11:58 PM

Users in TV/Movies have been able to zoom enhance photo’s that look like they were taken with a broken down webcam from the 80’s to give crystal clear images for a while now. In fact the Zoom/Enhance trope has become so common that there are a whole bunch of meme’s out there for it.

Till recently such activities were possible only in the fictional world, thanks to advances in photo technologies and the increasing no of mega-pixels (plus other things) in the modern camera this is now possible in the real world as well. A few years ago, a Japanese stalker was arrested after he stalked and assaulted a 21-year-old “Japanese idol” at her home by zooming into a high-resolution selfie posted by the singer to view the train station reflected in her eye.

Now, a group of researchers from Keio University, Yahoo Japan, and the Tokyo University of Technology are using publicly posted selfies by users to examine the reflection of the smartphone taking the picture in the pupils of the photo to figure out how the phone is being used i.e. the different ways a user can hold a device like a smartphone: with both hands, just the left, or just the right in portrait mode, and the same options in horizontal mode. There are a bunch of potential uses for this technique and it is interesting and unique research.

But it also highlights the fact that we need to be careful of what we post/share as there might be information in the picture that we didn’t want to share. If you search for ‘photo sent caught cheating’ you will find multiple instances of folks sending pics that got them in trouble because there was something in the pic that gave the game away, such as this one or this one

Source: Using Pupil Reflection in Smartphone Camera Selfies

– Suramya

April 13, 2022

Internet of Things (IoT) Forensics: Challenges and Approaches

Internet of Things or IoT consists of interconnected devices that have sensors and software, which are connected to automated systems to gather information and depending on the information collected various actions can be performed. It is one of the fastest growing markets, with enterprise IoT spending to grow by 24% in 2021 from $128.9 billion. (IoT Analytics, 2021).

This massive growth brings new challenges to the table as administrators need to secure IoT devices in their network to prevent them from being security threats to the network and attackers have found multiple ways through which they can gain unauthorized access to systems by compromising IoT systems.

IoT Forensics is a subset of the digital forensics field and is the new kid on the block. It deals with forensics data collected from IoT devices and follows the same procedure as regular computer forensics, i.e., identification, preservation, analysis, presentation, and report writing. The challenges of IoT come into play when we realize that in addition to the IoT sensor or device we also need to collect forensic data from the internal network or Cloud when performing a forensic investigation. This highlights the fact that Forensics can be divided into three categories: IoT device level, network forensics and cloud forensics. This is relevant because IoT forensics is heavily dependent on cloud forensics (as a lot of data is stored in the cloud) and analyzing the communication between devices in addition to data gathered from the physical device or sensor.

Why IoT Forensics is needed

The proliferation of Internet connected devices and sensors have made life a lot easier for users and has a lot of benefits associated with it. However, it also creates a larger attack surface which is vulnerable to cyberattacks. In the past IoT devices have been involved in incidents that include identity theft, data leakage, accessing and using Internet connected printers, commandeering of cloud-based CCTV units, SQL injections, phishing, ransomware and malware targeting specific appliances such as VoIP devices and smart vehicles.

With attackers targeting IoT devices and then using them to compromise enterprise systems, we need the ability to extract and review data from the IoT devices in a forensically sound way to find out how the device was compromised, what other systems were accessed from the device etc.

In addition, the forensic data from these devices can be used to reconstruct crime scenes and be used to prove or disprove hypothesis. For example, data from a IoT connected alarm can be used to determine where and when the alarm was disabled and a door was opened. If there is a suspect who wears a smartwatch then the data from the watch can be used to identify the person or infer what the person was doing at the time. In a recent arson case, the data from the suspects smartwatch was used to implicate him in arson. (Reardon, 2018)

The data from IoT devices can be crucial in identifying how a breach occurred and what should be done to mitigate the risk. This makes IoT forensics a critical part of the Digital Forensics program.

Current Forensic Challenges Within the IoT

The IoT forensics field has a lot of challenges that need to be addressed but unfortunately none of them have a simple solution. As shown in the research done by M. Harbawi and A. Varol (Harbawi, 2017) we can divide the challenges into six major groups. Identification, collection, preservation, analysis and correlation, attack attribution, and evidence presentation. We will cover the challenges each of these presents in the paper.

A. Evidence Identification

One of the most important steps in forensics examination is to identify where the evidence is stored and collect it. This is usually quite simple in the traditional Digital Forensics but in IoT forensics this can be a challenge as the data required could be stored in a multitude of places such as on the cloud, or in a proprietary local storage.

Another problem is that since IoT fundamentally means that the nodes were in real-time and autonomous interaction with each other, it is extremely difficult to reconstruct the crime scene and to identify the scope of the damage.

A report conducted by the International Data Corporation (IDC) states that the estimated growth of data generated by IoT devices between 2005 to 2020 is going to be more than 40,000 exabytes (Yakubu et al., 2016) making it very difficult for investigators to identify data that is relevant to the investigation while discarding the irrelevant data.

B. Evidence Acquisition

Once the evidence required for the case has been identified the investigative team still has to collect the information in a forensically sound manner that will allow them to perform analysis of the evidence and be able to present it in the court for prosecution.

Due to the lack of a common framework or forensic model for IoT investigations this can be a challenge. Since the method used to collect evidence can be challenged in court due to omissions in the way it was collected.

C. Evidence Preservation and Protection

After the data is collected it is essential that the chain of custody is maintained, and the integrity of the data needs to be validated and verifiable. In the case of IoT Forensics, evidence is collected from multiple remote servers, which makes maintaining proper Chain of Custody a lot more complicated. Another complication is that since these devices usually have a limited storage capacity and the system is continuously running there is a possibility of the evidence being overwritten. We can transfer the data to a local storage device but then ensuring the chain of custody is unbroken and verifiable becomes more difficult.

D. Evidence Analysis and Correlation

Due to the fact that IoT nodes are continuously operating, they produce an extremely high volume of data making it difficult to analyze and process all the data collected. Also, since in IoT Forensics there is less certainty about the source of data and who created or modified the data, it makes it difficult to extract information about ownership and modification history of the data in question.

With most of the IoT devices not storing metadata such as timestamps or location information along with issues created by different time zones and clock skew/drift it is difficult for investigators to create causal links from the data collected and perform analysis that is sound, not subject to interpretation bias and can be defended in court.

E. Attack and Deficit Attribution

IoT forensics requires a lot of additional work to ensure that the device physical and digital identity are in sync and the device was not being used by another person at the time. For example, if a command was given to Alexa by a user and that is evidence in the case against them then the examiner needs to confirm that the person giving the command was physically near the device at the time and that the command was not given over the phone remotely.

F. Evidence Presentation

Due to the highly complex nature of IoT forensics and how the evidence was collected it is difficult to present the data in court in an easy to understand way. This makes it easier for the defense to challenge the evidence and its interpretation by the prosecution.

VI. Opportunities of IoT Forensics

IoT devices bring new sources of information into play that can provide evidence that is hard to delete and most of the time collected without the suspect’s knowledge. This makes it hard for them to account for that evidence in their testimony and can be used to trip them up. This information is also harder to destroy because it is stored in the cloud.

New frameworks and tools such Zetta, Kaa and M2mLabs Mainspring are now becoming available in the market which make it easier to collect forensic information from IoT devices in a forensically sound way.

Another group is pushing for including blockchain based evidence chains into the digital and IoT forensics field to ensure that data collected can be stored in a forensically verifiable method that can’t be tampered with.

Conclusion

IoT Forensics is becoming a vital field of investigation and a major subcategory of digital forensics. With more and more devices getting connected to each other and increasing the attack surface of the target it is very important that these devices are secured and have a sound way of investigating if and when a breach happens.

Tools using Artificial Intelligence and Machine learning are being created that will allow us to leverage their capabilities to investigate breaches, attacks etc faster and more accurately.

References

Reardon. M. (2018, April 5). Your Alexa and Fitbit can testify against you in court. Retrieved from https://www.cnet.com/tech/mobile/alexa-fitbit-apple-watch-pacemaker-can-testify-against-you-in-court/.

M. Harbawi and A. Varol, “An improved digital evidence acquisition model for the Internet of Things forensic I: A theoretical framework”, Proc. 5th Int. Symp. Digit. Forensics Security (ISDFS), pp. 1-6, 2017.

Yakubu, O., Adjei, O., & Babu, N. (2016). A review of prospects and challenges of internet of things. International Journal of Computer Applications, 139(10), 33–39. https://doi.org/10.5120/ijca2016909390


Note: This was originally written as a paper for one of my classes at EC-Council University in Q4 2021, which is why the tone is a lot more formal than my regular posts.

– Suramya

January 23, 2022

Some thoughts on Crypto currencies and why it is better to hold off on investing in them

Filed under: Computer Related,My Thoughts,Techie Stuff — Suramya @ 1:26 AM

It seems that every other day (or every other hour if you are unlucky) someone or the other is trying to get people to use Crypto currency because they claim that it is awesome and not at all dependent on government regulations and thus won’t fluctuate that much. Famous people are pushing it, others like New York City Mayor Eric Adams are trying to raise awareness of the product and have decided to convert his first paycheck to Crypto, El Savador started accepting crypto currency as legal tender etc. However, the promises made by crypto enthusiasts don’t translate into reality as the market remains extremely volatile.

I see people posting on twitter that Crypto currencies are better because they are stable, but in my opinion if a currency can drop 20% because Elon Musk tweeted a Broken heart emoji then it is not something I want to use to store my savings. Earlier this week the entire Bitcoin market dropped over 47% from it’s high back in Nov 2021. Mayor Adams paycheck which was converted to crypto is now worth ~1/2 of what it was when he invested it, and that is a massive drop. Imagine loosing 50% of your savings in one shot. You might suddenly have no way to pay rent or emergency repairs/hospitalization etc. Even El Savador has seen its credit become 4 times worse than it was before it moved to Bitcoin. People there are complaining that the promised reduction in cost for conversion to/from international currencies is a myth as they are paying more than what they were paying earlier as transaction costs.

Another major issue with crypto currency is the ecological hit caused by the mining. According to research done by University of Cambridge, globally Bitcoin uses more power per year than the entire population of Argentina. The recent Kazakhsthan unrest and protests were sparked off due to surging fuel prices that were caused by the migration of Bitcoin miners to the country after China banned them. This caused a lot of strain on the electricity grid and required an increase in the prices which kicked off a massive protest that has caused untold no of deaths. There are multiple folks coming up with new crypto-currencies that claim to be carbon neutral but so far none of them have delivered on the promise.

Bitcoin is thought to consume 707 kwH per transaction. In addition, the computers consume additional energy because they generate heat and need to be kept cool. And while it’s impossible to know exactly how much electricity Bitcoin uses because different computers and cooling systems have varying levels of energy efficiency, a University of Cambridge analysis estimated that bitcoin mining consumes 121.36 terawatt hours a year. This is more than all of Argentina consumes, or more than the consumption of Google, Apple, Facebook and Microsoft combined.

Check out this fantastic (though very long – 2hr+) video on economic critique of NFTs, DAOs, crypto currency and web3. (H/t to Cory Doctorow)

In summary, I would recommend against investing in crypto currencies till the issues highlighted above are resolved (if they are ever resolved).

– Suramya

January 21, 2022

nerd-dictation: A fantastic Open Source speech to text software for Linux

After a long time of searching I finally found a speech to text software for Linux that actually works well enough that I can use it for dictating without having to jump through too many hoops to configure and use. The software is called nerd-dictation and is an open source software. It is fairly easy to setup as compared to the other voice-to-text systems that are available but still not at a stage where a non-tech savvy person would be able to install it easily. (There is effort ongoing to fix that)

The steps to install are fairly simple and documented below for reference:

  • pip3 install vosk
  • git clone https://github.com/ideasman42/nerd-dictation.git
  • cd nerd-dictation
  • wget https://alphacephei.com/kaldi/models/vosk-model-small-en-us-0.15.zip
  • unzip vosk-model-small-en-us-0.15.zip
  • mv vosk-model-small-en-us-0.15 model

nerd-dictation allows you to dictate text into any software or editor which is open so I can dictate into a word document or a blog post or even the command prompt. Previously I have used tried using software like otter.ai which actually works quite well but doesn’t allow you to edit the text as you’re typing, so you basically dictate the whole thing and the system gives you the transcription after you are done. So, you have to go back and edit/correct the transcript which can be a pain for long dictations. This software works more like Microsoft dictate which is built into Word. Unfortunately my word install on Linux using Crossover doesn’t allow me to use the built in dictate function and I have no desire to boot into windows just so that I can dictate a document.

This downloads the software in the current directory. I set it up on /usr/local but it is up to you where you want it. In addition, I would recommend that you install one of the larger dictionaries/models which makes the voice recognition a lot more accurate. However, do keep in mind that the larger models use up a lot more memory so you need to ensure that your computer has enough memory to support the larger models. The smaller ones can run on systems as small as a raspberry pi, so depending on your system configuration you can choose. The models are available here.

The software does have some quirks, like when you are talking and you pause it will take it as a start of a new sentence and for some reason it doesn’t put a space after the last word. So unless you’re careful you need to go back and add spaces to all the sentences that you have dictated, which can get annoying. (I started manually pressing space everytime I paused to add the space). Another issue is that it doesn’t automatically capitalize the words when you dictate such as those at the beginning of the sentence or the word ‘I’. This requires you to go back and edit, but that being said it still works a lot better than the other software that I have used so far on Linux. For Windows system Dragon Voice Dictation works quite well but is expensive. I tested it out by typing out this post using it and for the most part it does work it worked quite well.

Running the software again requires you to run commands on the commandline, but I configured shortcut keys to start and stop the dictation which makes it very convenient to use. Instructions on how to configure custom shortcut keys are available here. If you don’t want to do that, then you can start the transcription by issuing the following command (assuming the software is installed in /usr/local/nerd-dictation):

/usr/local/nerd-dictation/nerd-dictation begin --vosk-model-dir=/usr/local/nerd-dictation/model  --continuous

This starts the software and tells it that we are going to dictate for a long time. More details on the options available are available on the project site. To stop the software you should run the following command:

/usr/local/nerd-dictation/nerd-dictation end

I suggest you try this if you are looking for a speech-to-text software for Linux. Well this is all for now. Will post more later.

Thanks to Hacker News: Nerd-dictation, hackable speech to text on Linux for the link.

– Suramya

August 7, 2021

Bypass of Facial Recognition made possible by creating Master faces that impersonate 40% of population

Filed under: Computer Security,Emerging Tech,My Thoughts,Techie Stuff — Suramya @ 9:00 PM

Over the years, there has been a lot of push for Image recognition systems and more and more companies are entering the field each with their own claims of supernatural accuracy. Plus, with all the amazing ‘tech’ being showcased in the movies and on TV people are primed to expect that level of accuracy. Unfortunately, reality is a lot more weird and based on research its pretty simple to fool image recognition systems. In the past people have tricked systems to misidentifying a banana as a toaster by modifying parts of the image. There was another recent event where the Tesla self navigation system kept thinking the moon was a Yellow light and insisted on slowing down. There are so many of these ‘edge’ cases that it is not even funny.

A specific use case for image recognition is Facial recognition and that is a similar mess. I have personally used a photo of an authorized user to get a recognition system to unlock a door during testing. We have cases where wearing glasses confuses the system that it locks you out. Now according to research conducted by the Blavatnik School of Computer Science and the school of Electrical Engineering it is possible to create a ‘master’ face that can be used to impersonate multiple ID’s. In their study they found that the 9 faces created by the StyleGAN Generative Adversarial Network (GAN) could impersonate 40% of the population. Testing against the University of Massachusetts’ Labeled Faces in the Wild (LFW) open source database they were able to impersonate 20% of the identities in the database with a single photo.

Basically, they are exploiting the fact that most facial recognition systems use broad sets of markers to identify specific individuals and StyleGAN creates a template containing multiple such markers which can then be used to fool the recognition systems.

Abstract: A master face is a face image that passes face-based identity-authentication for a large portion of the population. These faces can be used to impersonate, with a high probability of success, any user, without having access to any user-information. We optimize these faces, by using an evolutionary algorithm in the latent embedding space of the StyleGAN face generator. Multiple evolutionary strategies are compared, and we propose a novel approach that employs a neural network in order to direct the search in the direction of promising samples, without adding fitness evaluations. The results we present demonstrate that it is possible to obtain a high coverage of the population (over 40%) with less than 10 master faces, for three leading deep face recognition systems.

Their paper has been published and is available for download here: Generating Master Faces for Dictionary Attacks with a Network-Assisted Latent Space Evolution.

With more and more companies pushing for AI based recognition systems as fool proof systems (looking at you Apple, with your latest nonsense about protecting kids by scanning personal photos) it is imperative that more such research is conducted before these systems are pushed into production based on the claims in their marketing brochures.

Thanks to Schneier on Security: Using “Master Faces” to Bypass Face-Recognition Authenticating Systems

– Suramya

July 1, 2021

Never used foo/bar/baz as variable names, can I still call myself a programmer?

Filed under: Humor,My Thoughts,Techie Stuff — Suramya @ 4:14 PM

Just realized today that in my 24+ years of programming I have never named a variable foo, bar or baz. These are the goto names for placeholders in code & metaphysical variables and have decades of history behind them. Most programmers use them for temporary variables or place holders. Since I have never used them, can I still call myself a programmer? 😀

Jokes aside, you should use good variable names in your code that are meaningful, easy to read and concise. Some guidelines on how to do that are below:

Also, another point to keep in mind is to avoid acronyms that can have a different meaning in a different language or resemble rude words etc. See the screenshot below for an example of a ‘bad’ variable name:

Example of a bad variable name
Example of a bad variable name

Well this is all for now. Will post more later.

– Suramya

June 12, 2021

Linus educates anti-vaxxer on Linux Kernel Mailing list

Filed under: Interesting Sites,My Thoughts,Techie Stuff — Suramya @ 4:36 AM

There have been times in the past when Linus’s posts on the Linux Kernel mailing list have been less than polite and he was in fact asked to stop abusing colleagues on mailing lists. He then took a break from maintaining the kernel and took empathy training. Since then his responses have been pretty restrained and polite (for the most part). However, a few days ago someone named “Enrico Weigelt” posted a typical anti-vaxxer message on the Linux Kernel Mailing list:

> And I know *a lot* of people who will never take part in this generic
> human experiment that basically creates a new humanoid race (people
> who generate and exhaust the toxic spike proteine, whose gene sequence
> doesn’t look quote natural). I’m one of them, as my whole family.

This was in response to folks asking if the rising number of vaccinated people meant that the “Maintainers / Kernel Summit 2021″ would be an in-person event or if it would remain a virtual one for now. Linus responded to his message with his customary wit and technical response (though not as ‘colorful’ as his past responses).

I love that he started off his response with a blunt statement:

Please keep your insane and technically incorrect anti-vax comments to yourself.

You don’t know what you are talking about, you don’t know what mRNA
is, and you’re spreading idiotic lies. Maybe you do so unwittingly,
because of bad education. Maybe you do so because you’ve talked to
“experts” or watched youtube videos by charlatans that don’t know what
they are talking about.

Then he went on to explain what mRNA does and how it doesn’t stay in your body for more than a couple of days. You can read the full response below. I am posting a copy here so that I can refer people who send me anti-vaxx nonsense to it. Vaccines save lives. That is a fact. The study that links vaccines to autism has been debunked so many times that it is not even funny. But still there are people who fall for the trap. The problem is that the science is complicated enough that people don’t understand it and the denialist’s use simple language that is easy to understand (even though it is wrong). This makes it easy for people to think they understand the science behind it and become rabid anti-vaxxers.

Dealing with conspiracy theorists is difficult and I usually end up ignoring them or yelling at them. The lovely @OkieSpaceQueen has a great thread on talking to conspiracy theorists that I found very useful, along with their earlier thread focusing on how to talk to Flat Earther’s. They are a lot more patient than what I usually am and I am going to try to use the techniques in the thread going forward.

All that being said, I just want to close with a request to get vaccinated as quickly as possible. It can and does save lives.

On Thu, Jun 10, 2021 at 11:08 AM Enrico Weigelt, metux IT consult
wrote:
>
> And I know *a lot* of people who will never take part in this generic
> human experiment that basically creates a new humanoid race (people
> who generate and exhaust the toxic spike proteine, whose gene sequence
> doesn’t look quote natural). I’m one of them, as my whole family.

Please keep your insane and technically incorrect anti-vax comments to yourself.

You don’t know what you are talking about, you don’t know what mRNA
is, and you’re spreading idiotic lies. Maybe you do so unwittingly,
because of bad education. Maybe you do so because you’ve talked to
“experts” or watched youtube videos by charlatans that don’t know what
they are talking about.

But dammit, regardless of where you have gotten your mis-information
from, any Linux kernel discussion list isn’t going to have your
idiotic drivel pass uncontested from me.

Vaccines have saved the lives of literally tens of millions of people.

Just for your edification in case you are actually willing to be
educated: mRNA doesn’t change your genetic sequence in any way. It is
the exact same intermediate – and temporary – kind of material that
your cells generate internally all the time as part of your normal
cell processes, and all that the mRNA vaccines do is to add a dose
their own specialized sequence that then makes your normal cell
machinery generate that spike protein so that your body learns how to
recognize it.

The half-life of mRNA is a few hours. Any injected mRNA will be all
gone from your body in a day or two. It doesn’t change anything
long-term, except for that natural “your body now knows how to
recognize and fight off a new foreign protein” (which then tends to
fade over time too, but lasts a lot longer than a few days). And yes,
while your body learns to fight off that foreign material, you may
feel like shit for a while. That’s normal, and it’s your natural
response to your cells spending resources on learning how to deal with
the new threat.

And of the vaccines, the mRNA ones are the most modern, and the most
targeted – exactly because they do *not* need to have any of the other
genetic material that you traditionally have in a vaccine (ie no need
for basically the whole – if weakened – bacterial or virus genetic
material). So the mRNA vaccines actually have *less* of that foreign
material in them than traditional vaccines do. And a *lot* less than
the very real and actual COVID-19 virus that is spreading in your
neighborhood.

Honestly, anybody who has told you differently, and who has told you
that it changes your genetic material, is simply uneducated. You need
to stop believing the anti-vax lies, and you need to start protecting
your family and the people around you. Get vaccinated.

I think you are in Germany, and COVID-19 numbers are going down. It’s
spreading a lot less these days, largely because people around you
have started getting the vaccine – about half having gotten their
first dose around you, and about a quarter being fully vaccinated. If
you and your family are more protected these days, it’s because of all
those other people who made the right choice, but it’s worth noting
that as you see the disease numbers go down in your neighborhood,
those diminishing numbers are going to predominantly be about people
like you and your family.

So don’t feel all warm and fuzzy about the fact that covid cases have
dropped a lot around you. Yes, all those vaccinated people around you
will protect you too, but if there is another wave, possibly due to a
more transmissible version – you and your family will be at _much_
higher risk than those vaccinated people because of your ignorance and
mis-information.

Get vaccinated. Stop believing the anti-vax lies.

And if you insist on believing in the crazy conspiracy theories, at
least SHUT THE HELL UP about it on Linux kernel discussion lists.

Linus

Original thread Linus’s response on Linux Kernel mailing list to Anti-vaxxer message

– Suramya

June 11, 2021

Dangers of online ‘free’ html editing services: Your site is now part of SEO scam for shady services

Filed under: Computer Tips,My Thoughts,Techie Stuff — Suramya @ 10:52 PM

There are a lot of free services available online for various tasks that historically required you to download and install software. For example, if you want to convert a .doc file to pdf or if you wanted to edit your image or even clean up / optimize your HTML files, you can use online free services for it. As with anything you need to take a look at who is running the site before you decide to upload your personal data to it. In addition it might be a good idea to take a look at the privacy policy & data retention policy of any such sites before you use them. If a site doesn’t have a privacy policy/data retention policy and wants you to upload your private data/files to it then it is a red flag.

Most recent case of such a misuse came into my notice a few days ago, where a few of the highly-ranked online tools for editing / cleaning your html code were secretly injecting scam/spam links into the code being edited to push themselves and their affiliated sites up the search engine rankings. SEO or Search Engine Optimization gives extra weight to sites that are linked to from other legitimate sites and when a html cleaner program adds links to their solutions into each site/page that they are editing they get a leg up on every other product because their have a lot more weighted links than their competition. (Links to the site are not the only thing SEO use to raise their profile but SEO optimization is a huge topic that I won’t be covering here in this post).

Caspar over at casparwre.de found this out while trying to figure out why he couldn’t be the top result for ‘online scoreboard’ on Google. You can check out the full write up here

For instance, I saw a blog post from the German Football Association containing a link to Scorecounter. The word that was linked was “score” – yet having a link here made absolutely no sense in the context of the article. What was going on? 🤔

Here are some more examples of links I found on random domains (you need to search for “score” on the page).

Macworld Shop
NBC Washington
RICE University (The link has now been removed)
Intuit Quickbooks (The link has now been removed)


So that was the secret: the creators of Scorecounter also made an online HTML editor which injects links for certain keywords. The beauty of this scam is that by injecting links to their own HTML editor, they have created a brilliant positive feedback loop: the higher the editor rises in the search rankings, the more people use it and the more secret links they can inject.

In one way this is a fantastic (if shady) way to ensure that your product is at the top of any search for a given text/question. But usually it is only a matter of time before people figure it out and then you loose a lot of goodwill and get a reputation for shady practices. How many people will continue to use their product if they knew that their site will be used to hawk products that they personally have not selected/validated?

I took a look at the privacy policy and the general website over at: html-cleaner.com and they don’t have any note letting people know that the site introduces links to it’s own services and other sites into your text. This is shady behavior. Some of the reputable sites that I have seen in the past, let you know that they will be adding a subtext or a note at the bottom of the page being edited stating that it was created using xyz service. Adding the links into the text of the site makes it seem that the owner of the site is endorsing the service, which obviously isn’t the case here.

To close the post, I just want to say you need to be careful where you upload data or what program you are using to edit/create things because if it is created by people with bad ethics they can and often do steal your private data or modify your data or use it for purposes other than what you intended when uploading it.

– Suramya

June 8, 2021

Great book on Military Crypto analytics by Lambros Callimahos released to public

Filed under: Computer Security,Computer Software,My Thoughts,Techie Stuff — Suramya @ 9:58 PM

I find Cryptography and code breaking to be very interesting as there are huge implications on Cyber security. The current world is based on the presumption that cryptographic algorithms are secure, it is what ensures that we can use the internet, bank online, find love online and even work online. Cryptography historically has been a field working under heavy classification and there are multiple folks we don’t know about because their existence and work was classified.

Lambros Callimahos was one such Cryptologist, he was good enough that two of his books on Military Cryptanalytics covering code breaking (published in 1977) were blocked from public release till 1992. The third and last volume in the series was blocked from release till December 2020. It is now finally available for download as a PDF file so you can check it out.

The book covers how code breaking can be used to solve “impossible puzzles” and one of the key parts of the book is it’s explanation of how to use cryptodiagnosis to decrypt data that has been encrypted using an unknown algorithm. It has a whole bunch of examples and walks you through the process which is quite fascinating. I am going to try getting through it over the next few weeks if I can.

Check it out if you like to learn more about cryptography.

– Suramya

Older Posts »

Powered by WordPress