Suramya's Blog : Welcome to my crazy life…

September 5, 2019

Criminals use AI technology to impersonate CEO for a $243,000 payday

Filed under: Computer Security,My Thoughts,Techie Stuff — Suramya @ 10:46 AM

Over the past few years AI has become one of the things that is included in everything from cars to lights, whether it makes sense or not, and criminals are not behind in this trend. We have AI-based systems testing computer security, working on bypassing checks and balances in systems etc., and now in a new twist, AI is being used in vishing as well. Voice phishing, or vishing as it’s sometimes referred to, is a form of criminal phone fraud that uses social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.

Anatomy of Vishing Attack. Source: https://www.biocatch.com/blog/detect-vishing-voice-phishing

In this particular instance criminals used commercially available voice-generating AI software to impersonate the CEO of a German company and then convinced the CEO of its UK-based subsidiary to transfer $243,000 to a Hungarian supplier. The AI was able to mimic the voice almost perfectly, including his slight German accent and voice patterns. This is a new phase of crime and unfortunately will not be a one-off case, as criminals will soon realize the potential and these kinds of attacks are only bound to increase in frequency. Interestingly, it will also make the biometric voice authentication systems used by certain banks like Citibank more vulnerable to fraud.

To safeguard against the economic and reputational fallout, it’s crucial that all instructions are verified via a follow-up email or other alternative means, i.e. if you get an email asking for a transfer/detail, call the person, and if you get a call asking for a transfer, follow up via email or other means. Do not use a number provided on the call for verification; call the number in the company address book or in your records.

Well this is all for now. Will post more later.

Thanks to : Slashdot.org for the original link.

– Suramya

August 12, 2019

LinuxJournal.com: shutdown -h now

Filed under: Computer Related,My Thoughts,Techie Stuff — Suramya @ 10:24 AM

Last week I got an unpleasant surprise in my mailbox, an email from Linux Journal stating that they were closing up shop effective immediately as they had completely run out of money with no hope of resurrection. LJ was one of the first Linux magazines I wrote for and it will always have a special place in my heart.

IMPORTANT NOTICE FROM LINUX JOURNAL, LLC:
On August 7, 2019, Linux Journal shut its doors for good. All staff were laid off and the company is left with no operating funds to continue in any capacity. The website will continue to stay up for the next few weeks, hopefully longer for archival purposes if we can make it happen.
–Linux Journal, LLC

The website is up for the moment but might go down anytime. I do have an archive of all LJ issues on my home computer that I had made the last time LJ was about to shut down and I will post them to the site in a few days. This archive doesn’t have the latest releases so I will need to download those before I post them online. In addition I am sure there are efforts ongoing to archive the website as well since it had a lot of great content on it. If not then I will kick off something to archive the site once I get home.

Well this is all for now. It was a great run LJ, you will be missed.

– Suramya

August 7, 2019

Using a slice of wood to make saltwater drinkable

Filed under: My Thoughts,Techie Stuff — Suramya @ 5:45 PM

“Water water everywhere, not a drop to drink”. This is an often quoted line from The Rime of the Ancient Mariner by Samuel Taylor Coleridge and is something that is becoming more and more true every day. 71% of earth is covered by oceans but we still have 2.8 billion people around the world who face water scarcity at least one month out of every year. Earlier this year city officials in Chennai, India declared that “Day Zero” (the day when almost no water is left in the city) had been reached in Chennai, as all the four main reservoirs supplying water to the city had run dry due to deficient monsoon rainfall in the previous years. Due to this, finding more ways of generating drinking water is a high priority for the human race. Without water life as we know it can’t exist and our civilization can and will collapse.

One of the ways to solve this issue is to convert sea water to drinkable water by filtering the salt out and there are existing solutions which do this (check out the Saudi water desalination) but they require a lot of energy and/or specialized engineering. But this is about to change thanks to the effort of Jason Ren and his colleagues from Princeton University in New Jersey. They have developed a method that uses a new kind of membrane made of American basswood instead of plastic that enables filtration without requiring high pressure pumping of salt water. Basically they took a thin slice of American basswood and treated it with a chemical bath to remove extra fibers from the wood and make its surface slippery to water molecules. Once the wood is treated water flows down one side of the membrane and is heated to the point that it vaporizes. The vapor then travels through the pores in the membrane toward its colder side leaving the salt behind, condensing as fresh, cool water.

This process takes less energy than simply boiling all of the saltwater because there’s no need to maintain a high temperature for more than a thin layer of water at a time as per Jason Ren. In the initial testing using this method the team was able to filter about 20 kilograms of water per square metre of membrane per hour, which is not quite as quick as polymer membranes but this can improve if the membrane is made thinner.

This is quite a breakthrough and when I first read the article I was not clear why we need to use wood for the process. I mean we can use a polymer membrane and still achieve the same effect by heating only a thin layer of water at a time. But then I spent some time reading the actual research paper and that’s when I realized what a massive breakthrough this was. Basically the current commercial MD membranes have porosity lower than 0.80, thermal conductivity higher than 0.050 W m−1 K−1, and thermal efficiency up to 60%, whereas the new membrane has a porosity of ~90%, low thermal conductivity (~0.04 W m−1 K−1) and a thermal efficiency of ~71%. These factors combined reduce the energy requirements for desalination by a significant amount.

Now that we have a Proof of Concept that this works, we need to be able to scale this up on a massive scale and work for this is currently ongoing.

Thanks to Newscientist.com for the original link.
Research Paper: Hydrophobic nanostructured wood membrane for thermally efficient distillation

Well this is all for now. Will post more later.

– Suramya

July 22, 2019

Chandrayaan-2: ISRO spacecraft successfully achieves Geostationary Orbit

Filed under: My Thoughts,Techie Stuff — Suramya @ 3:55 PM

ISRO’s Chandrayaan-2 completed the first stage of the Moon mission by successfully entering Geostationary Orbit at 181.65 km above sea level. This is an amazing achievement by ISRO and is a proud moment for India. After the last-minute abort of the previous launch attempt all eyes were on ISRO to make a successful launch in an extremely tight launch window of only a few minutes. ISRO Chief K Sivan made the following statement after the launch:

I’m extremely happy to announce that the GSLVMkIII-M1 successfully injected Chandrayaan-2 spacecraft into Earth Orbit. It is the beginning of a historic journey of India towards moon and to land at a place near South Pole to carry out scientific experiments.

Now that the rocket has achieved Geo-Stationary orbit it will start orbit-raising operations followed by trans-lunar injection using its own power. Post that the rocket will head out to the Moon and below are the different phases of Chandrayaan 2’s journey:

  • July 22 to August 13: Chandrayaan 2 will orbit around the Earth in an elliptical path
  • August 13 to August 19: Course change to establish into moon’s orbit
  • August 19: Enter Moon’s orbit
  • August 19 to Aug 31: Chandrayaan 2 will revolve in the Moon’s orbit
  • September 1: The Lander Vikram will detach from the Orbiter heading down to land near the South Pole of the Moon
  • ~September 7: Lander Vikram will make a soft landing in the south polar region of the moon
  • ~Landing + 4hours: Rover Pragyaan will roll out of the Lander Vikram and perform different tests on the Moon’s polar surface

@ISRO, a proud nation salutes you and here’s to the journey to new horizons.

BBC Coverage: Chandrayaan-2: India launches second Moon mission

Regards,

Suramya

May 27, 2019

Microsoft and Brilliant launch Online Quantum Computing Class that actually looks useful

Filed under: Computer Software,Interesting Sites,My Thoughts,Techie Stuff — Suramya @ 12:14 PM

Quantum computing (QC) is the next big thing and everyone is eager to jump on the bandwagon. So my email & news feeds are usually flooded with articles on how QC will solve all my problems. I don’t deny that there are some very interesting use cases out there that would benefit from Quantum Computers but after a while it gets tiring. That being said, I just found out that Microsoft & Brilliant have launched a new interactive course on Quantum Computing that allows you to build quantum algorithms from the ground up with a quantum computer simulated in your browser, and I feel it’s pretty cool and a great initiative. The tutorial enables you to learn Q#, which is Microsoft’s answer to the question of which language to use for Quantum computing code. Check it out if you are interested in learning how to code in Q#.

The course starts with basic concepts and gradually introduces you to Microsoft’s Q# language, teaching you how to write ‘simple’ quantum algorithms before moving on to truly complicated scenarios. You can handle everything on the web (including quantum circuit puzzles) and the course’s web page promises that by the end of the course, “you’ll know your way around the world of quantum information, have experimented with the ins and outs of quantum circuits, and have written your first 100 lines of quantum code — while remaining blissfully ignorant about detailed quantum physics.”
Brilliant has more than 8 million students and professionals worldwide learning subjects from algebra to special relativity through guided problem-solving. In partnership with Microsoft’s quantum team, Brilliant has launched an interactive course called “Quantum Computing,” for learning quantum computing and programming in Q#, Microsoft’s new quantum-tuned programming language. The course features Q# programming exercises with Python as the host language (one of our new features!). Brilliant and Microsoft are excited to empower the next generation of quantum computer scientists and engineers and start growing a quantum workforce today.

Starting from scratch

Because quantum computing bridges the fields of information theory, physics, mathematics, and computer science, it can be difficult to know where to begin. Brilliant’s course, integrated with some of Microsoft’s leading quantum development tools, provides self-learners with the tools they need to master quantum computing.
The new quantum computing course starts from scratch and brings students along in a way that suits their schedule and skills. Students can build and simulate simple quantum algorithms on the go or implement advanced quantum algorithms in Q

Once you have gone through the tutorial you should also check out IBM Q that allows you to code on a Quantum computer for free.

– Suramya

September 3, 2018

Software hack to keep my speaker powered on

Filed under: Computer Hardware,Linux/Unix Related,Techie Stuff,Tutorials — Suramya @ 6:37 PM

A little while ago I bought a new Klipsch speaker as my previous one was starting to die, and I love it except for a minor irritation. The speaker has built-in power-saving tech that powers it off if it’s not used for a certain period of time, and that means that I had to physically power it on every time I wanted to listen to music, which was annoying, as I would invariably be comfortably seated and start the music before remembering that I needed to power it on. Also, I could not start the music from my phone whenever I felt like it, as the speaker was powered off and I would have to walk to the room to power it on.

After living with the irritation for a while I finally decided to do something about it and whipped up a small script that checks if any music/audio is already playing on the system and if not it plays a 1 second mp3 of an ultrasonic beep. This forces the system to keep the speaker on and I love it as now I can start the music first thing in the morning while lazing in bed. 🙂

The script requires mpg123 to be installed and you can install it on a Debian system by issuing the following command:

apt-get install mpg123

The script itself is only 4 lines long:

#!/bin/bash

if ! grep RUNNING /proc/asound/card*/pcm*/sub*/status &> /dev/null ; then
    /usr/bin/mpg123 -q /home/suramya/bin/KeepSpeakerOn.mp3 &> /dev/null
fi

What it does is check if any of the PCM sound cards have a status of RUNNING and if not it plays the mp3. I have a cron job scheduled to run the script every minute:

XDG_RUNTIME_DIR=/run/user/1000

* * * * * /home/suramya/bin/KeepSpeakerOn.sh 

One interesting issue I hit during the initial testing was that the mpg123 application kept segfaulting whenever I initiated it from the Cron but it would work fine if I ran the same command from the command prompt. The error I got in the logs was:

High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
        version 1.25.10; written and copyright by Michael Hipp and others
        free software (LGPL) without any warranty but with best wishes
Cannot connect to server socket err = No such file or directory
Cannot connect to server request channel
jack server is not running or cannot be started
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
/home/suramya/bin/KeepSpeakerOn.sh: line 5: 10993 Segmentation fault      /usr/bin/mpg123 /home/suramya/bin/KeepSpeakerOn.mp3 -v

Spent a while trying to debug and finally figured out that the fix for this issue was to add XDG_RUNTIME_DIR=/run/user/<userid> to the cron where you can get the value of <userid> by running the following command and taking the value of uid:

id <username_the_cronjob_is_running_under> 

e.g.

suramya@StarKnight:~/bin$ id suramya
uid=1000(suramya) gid=1000(suramya) groups=1000(suramya),24(cdrom)....

Putting that line in the cron entry resolved the issue. Not sure why but it works so…

Well this is all for now. Will write more later.

– Suramya

August 24, 2018

Fixing the appstreamcli error when running apt-get update

Filed under: Computer Software,Knowledgebase,Linux/Unix Related,Techie Stuff — Suramya @ 12:05 AM

Over the past few days every time I tried to update my Debian system using apt-get it would fail with the following error message:

(appstreamcli:5574): GLib-CRITICAL **: 20:49:46.436: g_variant_builder_end: assertion '!GVSB(builder)->uniform_item_types || 
GVSB(builder)->prev_item_type != NULL || g_variant_type_is_definite (GVSB(builder)->type)' failed

(appstreamcli:5574): GLib-CRITICAL **: 20:49:46.436: g_variant_new_variant: assertion 'value != NULL' failed

(appstreamcli:5574): GLib-ERROR **: 20:49:46.436: g_variant_new_parsed: 11-13:invalid GVariant format string
Trace/breakpoint trap
Reading package lists... Done
E: Problem executing scripts APT::Update::Post-Invoke-Success 'if /usr/bin/test -w /var/cache/app-info -a -e /usr/bin/appstreamcli; then appstreamcli refresh-cache > 
/dev/null; fi'
E: Sub-process returned an error code

Spent a couple of hours trying to figure out what was causing it and was able to identify that it was caused by a bug in appstream, as running the command manually also failed with the same error. When I tried to remove the package as recommended by a few sites it would have removed the entire KDE desktop from my machine, which I didn’t want, so I was at a loss as to how to fix the problem. So I put the update on hold till I had a bit more time to research the issue and identify the solution.

Today I got some free time and decided to try again and after a little bit of searching stumbled upon the following Bug Report (#906544) where David explained that the error was caused due to a bug in the upstream version of appstream and a little while later Matthias commented that the issue is fixed in the latest version of the software and it would flow down to the Debian repositories in a little bit. Normally I would have just done an apt-get update and then install to get the latest package but since the whole issue was that I couldn’t get the system to finish the update command I had to manually install the package.

To do that I went to the Debian site and opened the software package list for Debian Unstable (as that is what I am using) and searched for appstream. This gave me a link to the updated package (0.12.2-2) that fixed the bug (I had 0.12.2-1 installed). Once I downloaded the package (Make sure you download the correct package based on your system architecture) I manually installed it using the following command as root:

dpkg -i appstream_0.12.2-2_amd64.deb

This installed the package and I was then able to do an apt-get update successfully. I still get the GLib-CRITICAL warnings but that apparently can be ignored without issues.
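A package installed by hand with dpkg -i skips the checks apt performs on a repository download, so the file can first be compared with the size and SHA256 recorded for that exact build in a Packages index. The following is an added example, not part of the original post: the function names are hypothetical, the index text is assumed to come from an index apt has already signature-verified, and the sample stanza and file contents are constructed.

```python
import hashlib
import os
import re
import tempfile


def parse_stanzas(index_text):
    """Yield each stanza of a Debian Packages index as a dict of fields."""
    for block in re.split(r"\n\s*\n", index_text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields


def expected(index_text, package, version, arch):
    """Return (size, sha256) recorded for one exact package build."""
    for st in parse_stanzas(index_text):
        if (st.get("Package"), st.get("Version"),
                st.get("Architecture")) == (package, version, arch):
            return int(st["Size"]), st["SHA256"].lower()
    raise LookupError(f"{package} {version} {arch} not in index")


def file_digest(path):
    """Stream the file so a large package is never read into memory at once."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def verify_deb(path, index_text, package, version, arch):
    """True only if the file's size and SHA256 both match the index entry."""
    return file_digest(path) == expected(index_text, package, version, arch)


def sample_index(data):
    """Constructed stanza describing `data`; not real Debian archive data."""
    return (
        "Package: appstream\n"
        "Version: 0.12.2-2\n"
        "Architecture: amd64\n"
        "Description: constructed sample stanza\n"
        " second line of the constructed description\n"
        f"Size: {len(data)}\n"
        f"SHA256: {hashlib.sha256(data).hexdigest()}\n"
    )


if __name__ == "__main__":
    payload = b"constructed stand-in for appstream_0.12.2-2_amd64.deb\n"
    with tempfile.TemporaryDirectory() as tmp:
        deb = os.path.join(tmp, "appstream_0.12.2-2_amd64.deb")
        with open(deb, "wb") as fh:
            fh.write(payload)
        ok = verify_deb(deb, sample_index(payload), "appstream", "0.12.2-2", "amd64")
        print("safe to pass to dpkg -i" if ok else "mismatch, do not install")
```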

Hope this helps people who hit the same issue (or reminds me of the solution if/when I hit the issue again).

– Suramya

August 23, 2018

Identifying Programmers by their Coding Style

Filed under: Computer Security,Computer Software,Techie Stuff — Suramya @ 8:42 PM

There is an interesting development in the field of identifying people by what they write. As some of you may already know researchers have been able to identify who wrote a particular text based on the analysis of things like word choice, sentence structure, syntax and punctuation using a technique called stylometry for a while now but it was limited to natural languages and not artificial ones like programming languages.

Now there is new research by Rachel Greenstadt & Aylin Caliskan who are professors of computer science at Drexel University & at George Washington University respectively that proves that code, like other forms of writing is not anonymous. They used Machine Learning algorithms to de-anonymize coders and the really cool part is that they can do this even with reverse compiled code from Binaries with a reasonable level of confidence. So you don’t need access to the original source code to be able to identify who coded it. (Assuming that we have code samples from them in the training DB)

Here’s a simple explanation of how the researchers used machine learning to uncover who authored a piece of code. First, the algorithm they designed identifies all the features found in a selection of code samples. That’s a lot of different characteristics. Think of every aspect that exists in natural language: There’s the words you choose, which way you put them together, sentence length, and so on. Greenstadt and Caliskan then narrowed the features to only include the ones that actually distinguish developers from each other, trimming the list from hundreds of thousands to around 50 or so.

The researchers don’t rely on low-level features, like how code was formatted. Instead, they create “abstract syntax trees,” which reflect code’s underlying structure, rather than its arbitrary components. Their technique is akin to prioritizing someone’s sentence structure, instead of whether they indent each line in a paragraph.
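To make the abstract-syntax-tree idea concrete, here is an added example (not from the original post or from the researchers' code) that counts AST node types, drops the features every author shares, and attributes an unseen sample to the closest profile. It is a simplification: it uses cosine similarity rather than the researchers' classifier, the author labels "A" and "B" and all code samples are constructed, and the function names are hypothetical. It also shows that renaming identifiers and changing layout leaves the features untouched.

```python
import ast
import math
from collections import Counter

# Constructed training samples for two hypothetical authors.
TRAINING = {
    "A": ['''
def total(xs):
    return sum(x * 2 for x in xs if x > 0)
''', '''
def evens(ns):
    return [n for n in ns if n % 2 == 0]
'''],
    "B": ['''
def total(xs):
    result = 0
    i = 0
    while i < len(xs):
        if xs[i] > 0:
            result = result + xs[i] * 2
        i = i + 1
    return result
''', '''
def evens(ns):
    out = []
    i = 0
    while i < len(ns):
        if ns[i] % 2 == 0:
            out.append(ns[i])
        i = i + 1
    return out
'''],
}
UNKNOWN_1 = '''
def squares(vals):
    return [v * v for v in vals if v != 0]
'''
UNKNOWN_2 = '''
def count_neg(vals):
    count = 0
    j = 0
    while j < len(vals):
        if vals[j] < 0:
            count = count + 1
        j = j + 1
    return count
'''
# UNKNOWN_2 with identifiers renamed, a comment added and layout changed.
UNKNOWN_2_RESTYLED = '''
def f(a):
    n=0; k=0   # cosmetic changes only
    while k<len(a):
        if a[k]<0: n=n+1
        k=k+1
    return n
'''

def ast_features(source):
    """Count AST node types and parent>child node-type pairs."""
    feats = Counter()
    for node in ast.walk(ast.parse(source)):
        parent = type(node).__name__
        feats[parent] += 1
        for child in ast.iter_child_nodes(node):
            feats[parent + ">" + type(child).__name__] += 1
    return feats

def build_profiles(training):
    """Sum features per author, then drop those every author uses."""
    raw = {a: sum((ast_features(s) for s in srcs), Counter())
           for a, srcs in training.items()}
    shared = set.intersection(*(set(c) for c in raw.values()))
    return {a: Counter({k: v for k, v in c.items() if k not in shared})
            for a, c in raw.items()}

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0

def attribute(source, profiles):
    """Return the author whose profile is most similar to the sample."""
    feats = ast_features(source)
    return max(profiles, key=lambda a: cosine(feats, profiles[a]))

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for src in (UNKNOWN_1, UNKNOWN_2, UNKNOWN_2_RESTYLED):
        print(attribute(src, profiles))
```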

This is both really cool and a bit scary because suddenly we have the ability to identify who wrote a particular piece of code. This removes or at least reduces the ability of people to release code/software anonymously. This is a good thing when we look at a piece of malware or a virus because now we can find out who wrote it, making it easier to prosecute cyber criminals.

However the flip side is that we can now also identify people who write code to secure networks, bypass restrictive regime firewalls, create privacy applications etc. There are a lot of people who contribute to open source software but don’t want to be identified for various reasons. For example if a programmer in China created software that allows a user to bypass the Great Firewall of China they would definitely not want the Chinese government to be able to identify them for obvious reasons. Similarly there are folks who wrote some software that they do not want to be associated with their real name for some reason and this would make it more difficult for them to do so.

But this is not the end of the world, there are ways around this by using software to scramble the code. I don’t think many such systems exist right now or if they do they are at a nascent stage. If this research is broadly applied to start identifying coders then the effort to write such scramblers would take high priority and lots of very smart people would start focusing their efforts to invalidate the detectors.

Well this is all for now. Will write more later.

– Suramya

Original source: Schneier’s Blog

August 12, 2018

Critique of a sextortion scam email that I received

Filed under: My Thoughts,Techie Stuff — Suramya @ 11:27 PM

Earlier this month I got an email that claimed to have photos/videos of me viewing adult sites and threatened that they would mail the photos to all my contacts if I don’t send them $7000. To make the email look authentic and scare me, they also included an old password of mine that they got from one of the many leaks over the past few years. I think this one was from a BBS that I used for a bit around 2000-2005.

The reason I am publishing this email and my critique is to show how full of crap such emails are. Basically if you ever get such emails you should never give them money because then they know that they can frighten you to pay and they will keep putting the pressure on to squeeze more and more money out of you.

On the other hand if you know that someone has managed to get their hands on some incriminating photos (they gave proof or you had sent it to them) and are blackmailing you then you should never give in to the blackmail. Instead reach out to the authorities and file a formal complaint. If you are a kid then talk to your parent and have them raise a complaint. Never ever give more photos/videos to the sick person blackmailing you because that just gives them more ammo to blackmail you.

Here are some links to sites that can help guide you:

UK National Crime Agency
Interpol Sextortion
FBI Sextortion

So let’s get started. I am going to take apart the email I got to show you how useless and full of it the email is.

I know ***** is your password. Lets get directly to purpose. You do not know me and you are probably thinking why you are getting this email? None has compensated me to check you.

Umm ok… That’s an old password that I haven’t used in over a decade and even then it was used for throwaway logins that I didn’t really care about. It did catch my eye, good job adding it to the subject to catch my attention. Yes, no one compensated you initially but you sure want to get compensated now.

Well, I installed a malware on the adult video clips (adult porn) web site and guess what, you visited this web site to experience fun (you know what I mean). When you were watching video clips, your web browser started out operating as a RDP that has a keylogger which provided me accessibility to your display screen and also web camera. after that, my software collected your complete contacts from your Messenger, FB, as well as email. After that I created a double-screen video. 1st part shows the video you were viewing (you have a fine taste hahah), and second part displays the view of your webcam, and its you.

Wow! You must teach me how you did this. How did you manage to get a browser to act as an RDP, especially on a Linux machine that doesn’t even support the protocol natively? Please sensei, teach me 🙂

Actually the even more amazing trick is how you managed to activate a webcam on my computer as I don’t have any cameras connected to it. 🙂 Did you hack the display to turn it into a camera? Or did you send nanobots via the wire to reprogram/repurpose one of the parts on my desktop to convert it into a camera?

You got two different choices. Let us understand each of these options in aspects:

1st choice is to disregard this email. In this case, I am going to send your actual video clip to almost all of your contacts and just consider about the humiliation you feel. And consequently in case you are in an important relationship, how it will affect?

Now comes the threat… how are you going to send a video that I just proved can’t exist?

Latter solution is to give me $7000. We are going to think of it as a donation. As a result, I will without delay delete your video footage. You will go forward daily life like this never happened and you would never hear back again from me.

You will make the payment via Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google search engine).

BTC Address to send to: 1FwvWtFdGBRvoiCa8BQdzqpu5QoiCSRFMa
[CASE SENSITIVE, copy & paste it]

Holy S**T! You really expect people to pay you $7000 for an email that offers no proof of this supposed video that you managed to magically capture? Let’s check if anyone was stupid enough to fall for this nonsense. We can use bitref.com to check the balance of any Bitcoin address and here’s what the current balance is for this address: $0.0. Yup, you have received a big fat 0 for your trouble. In fact I would suggest you sell your software/tech to the NSA/MI5 or other spy agencies around the world and you will get a much better payday.


The money this idiot made from this scam so far.

If you may be thinking of going to the cop, good, this email message cannot be traced back to me. I have covered my moves. I am just not trying to charge you so much, I just like to be paid for. I have a unique pixel in this email, and right now I know that you have read through this mail. You now have one day to pay. If I do not receive the BitCoins, I will certainly send your video recording to all of your contacts including friends and family, colleagues, and so forth. However, if I do get paid, I will erase the video right away. It’s a non-negotiable offer and thus please do not waste my personal time & yours by responding to this mail. If you really want evidence, reply with Yeah! then I will send out your video recording to your 6 contacts.

I am really quaking in my boots. It’s been over 3 weeks since you sent out the email, and I don’t know how many of my contacts have received this magical email, though if I had to guess I would place the number at 0, since the entire email is a scam to steal money from unsuspecting fools. I think if the person sending out the email hadn’t been so greedy and asked for $7000 but rather asked for something in the range of a few hundred they might have made some money.

Well this is all for now. Will write more later.

– Suramya

February 13, 2018

Explaining HTTPS using carrier pigeons

Filed under: Interesting Sites,Security Tutorials,Techie Stuff — Suramya @ 7:07 PM

HTTPS is something that a lot of people find hard to explain without going into a lot of technical jargon which frankly just confuses most people and causes them to zone out. However it is an essential service/protocol so understanding it is a good idea. To address this issue Andrea Zanin who is a student created the following primer that explains how HTTPS works using carrier pigeons as the messengers.

Below is an explanation on how HTTP would work with carrier pigeons:

If Alice wants to send a message to Bob, she attaches the message on the carrier pigeon’s leg and sends it to Bob. Bob receives the message, reads it and it’s all good.

But what if Mallory intercepted Alice’s pigeon in flight and changed the message? Bob would have no way of knowing that the message that was sent by Alice was modified in transit.

This is how HTTP works. Pretty scary right? I wouldn’t send my bank credentials over HTTP and neither should you.

Check out the link for the full writeup.

Well, this is all for now. Will write more later.

– Suramya
