Suramya's Blog : Welcome to my crazy life…

February 2, 2023

KeePass vulnerability that allows anyone with write access to the config file export all stored passwords

Filed under: Computer Security,Tech Related — Suramya @ 5:17 PM

Keepass is an Open source password manager that I have been using for a few years. For me the main attraction was that the password database is stored locally instead of using a cloud based solution. Although, you can configure it to save the password file on a cloud store if you want.

Recently a security ‘vulnerability’ has been found in KeePass that allows someone with access to the system where keypass is installed to export the entire password database to clear-text without any user intervention. Basically if an attacker has write access to the XML configuration file they can add an export trigger to get cleartext passwords as and when they are used. There is an ongoing dispute where it is being debated that this is technically not a vulnerability in KeePass as anyone with write access to the configuration file already has enough access to perform more powerful attacks. The issue has been assigned a CVE-2023-24055.

“In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection),” the KeePass developers explain. “These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

Personally, I think that while it does follow that physical access equals root access, there should be some notification / mechanism that gets triggered when the XML configuration file is modified outside the KeePass interface. Something like an alert that tells you that “The XML configuration file was directly modified. Please ensure that no extra triggers are installed” (or words to that effect). This way even if an attacker gets access to the system, they can’t easily get access to stored passwords would hopefully be protected with another password.

Source: Naked Security: Password-stealing “vulnerability” reported in KeePass – bug or feature?

February 1, 2023

Product Idea: Use ChatGPT to write movie/TV Tech Jargon dialogs

Filed under: Emerging Tech,My Thoughts,Tech Related — Suramya @ 3:00 AM

ChatGPT has taken the world by storm and everyday we hear more and more stories about how good it is and how it is changing the world. Personally I think the best description of the software is how Christine Lemmer-Webber put it:

ChatGPT is Mansplaining As A Service. A service that instantly generates vaguely plausible sounding yet totally fabricated and baseless lectures in an instant with unflagging confidence in its own correctness on any topic, without concern, regard or even awareness of the level of expertise of its audience.

People are using it for anything and everything including writing exams, writing articles, job posts, etc etc. While the result we get looks quite plausible there have been multiple cases where the output is subtly wrong and using the result as is can cause problems. However, there is one place that I can think of that ChatGPT would be extremely useful without any major drawbacks. If you have seen any TV show recently there are a lot of times where the characters will use technobabble to explain something and a lot of times the explanations are so ridiculous that they end up distracting you from the actual plot (such as it is).

My idea is that we encourage the writers to start using ChatGPT to write the jargon, even if it gets it wrong it wouldn’t be worse than what we have already so it is a win win. Plus since we all know that media tech works differently we don’t have to worry about the results being 100% accurate or correct.

One example is as below:

Forensic Scientist 1: Hey, have you seen the results from the trace DNA sample we collected from the crime scene?
Forensic Scientist 2: Not yet, I was just about to head over to the lab and check. Why, did you already receive them?
Forensic Scientist 1: Yeah, I just got an email from the lab. They’re pretty clear cut.
Forensic Scientist 2: Great, let’s take a look. What do the results show?
Forensic Scientist 1: Well, the sample is a match with the reference sample from our suspect. The lab confirmed a positive identification.
Forensic Scientist 2: That’s fantastic. Did they provide any details on the genetic markers?
Forensic Scientist 1: Yes, they identified several short tandem repeat markers that match between the sample and the reference. They also ran a mitochondrial DNA analysis and got a match there too.
Forensic Scientist 2: This is really strong evidence. But we need to be sure to double check all the details, especially since this is a high-profile case.
Forensic Scientist 1: Absolutely. I was thinking we should do a full review of the lab’s methodology and verify that the samples were handled and stored properly.
Forensic Scientist 2: That’s a great idea. Let’s also review the lab’s accreditation and see if they meet all the necessary standards.
Forensic Scientist 1: Right, we want to make sure our evidence is solid and can stand up in court.
Forensic Scientist 2: Definitely. Well, let’s head over to the lab and start our review.
Forensic Scientist 1: Sounds good. Let’s do it.

Another example:

Cybersecurity Professional 1: Hey, have you seen the alert about the recent cyberattack?
Cybersecurity Professional 2: Yes, I just received the notification. What do we know so far?
Cybersecurity Professional 1: The attack appears to be a phishing campaign. The attackers are using fake emails to steal login credentials from unsuspecting victims.
Cybersecurity Professional 2: That’s a common tactic. Did they manage to compromise any systems?
Cybersecurity Professional 1: Yes, we have reports of several systems being breached. Our incident response team is currently investigating the extent of the damage.
Cybersecurity Professional 2: Okay, let’s see if we can help with the investigation. What’s the first step?
Cybersecurity Professional 1: First, we need to isolate the infected systems and contain the spread of the attack. Then we can start looking into how the attackers gained access and what they did once they were in.
Cybersecurity Professional 2: Right. I’ll start working on the containment and isolation. Have you seen any indications of what the attackers are after?
Cybersecurity Professional 1: It’s not clear yet, but it looks like they are targeting sensitive information, such as financial data and personal information. We need to be proactive and make sure all our systems and data are secure.
Cybersecurity Professional 2: Agreed. We need to inform the relevant stakeholders about the attack and what measures we’re taking to prevent further damage.
Cybersecurity Professional 1: Absolutely. We also need to start preparing for the worst-case scenario, in case the attackers managed to exfiltrate any data.
Cybersecurity Professional 2: That’s a good point. We need to be prepared for the aftermath and make sure we have a plan in place to respond effectively.
Cybersecurity Professional 1: Right. Let’s get to work and make sure we minimize the impact of this attack.

What do you think?

– Suramya

January 25, 2023

Fewer than 50% of smart appliances are connected to the internet by users and that percentage is too high

Filed under: My Thoughts,Tech Related — Suramya @ 3:04 AM

Smart Appliances or Smart Devices are a pain. Yes, sometimes they make your life easier by allowing you to control your lighting from the bed or switch on your devices remotely but they cause major security problems. There is a term for these ‘smart’ devices: “Internet of Shit”. This refers to all the devices that are connected to the internet that have no business being connected to it. One example is an IoT enabled toilet, Smart Toaster, Smart Mirror etc etc.

There are a lot of potential issues in IoT devices including but not limited to:

  • If the manufacturer decides to shut down the service the device becomes an expensive paperweight
    • Older model Lexus cars lost all remote capabilities because the 3G towers it depended on shut down
    • Older Sonos speakers lost functionality when the company decided to decommission them
    • Tesla car bricked itself because it lost connectivity after owner parked it in a basement.
  • Need a 24×7 active connection
    • People got locked out of their house because a server upgrade was happening
    • During an AWS outage folks were unable to change the temperature using their NEST systems
  • Security Issues: IoT devices are the amongst the most insecure devices out there
  • Lack of Interoperability

and much more. When I bought my AC a couple of years ago I had to argue for a good 15 mins to get a non-smart/internet connected AC. The salesperson couldn’t digest why I wasn’t interested in having a smart AC. A few years later I got a washing machine and there was no option to get a dumb machine, but thankfully it has the option to create a local hotspot that I can connect to from my phone to control the machine. Yeah, it would be more convenient to do it from a distance but guess what I am already next to the machine when I am putting clothes for a wash and it is not that hard to connect to the local AP, start the cycle and then switch back.

A lot of appliance manufacturers bet big on the Smart revolution and according to recent studies are quite surprised to find out that fewer than 50% of their consumers actually connect their smart devices to the internet. The main reason behind it, in my opinion is that there is no major value add for a toaster or a fridge or a toilet to be connected to the internet.

This whole conversation reminded me of the following quote:

Tech enthusiasts: My entire house is smart. Tech workers: The only piece of technology in my house is a printer and I keep a gun next to it so I can shoot it if it makes a noise I don’t recognize.

I am not as bad but nothing at my house is connected to the internet if it doesn’t need to be and then also it is on a separate network isolated from my home machine.

Source: Slashdot: Appliance Makers Sad That 50% of Customers Won’t Connect Smart Appliances

– Suramya

January 21, 2023

Fixing AssertionError: Font Arial,Bold can not represent ‘E’ when using Borb to modify PDF Files

Filed under: Computer Software,Knowledgebase,Tech Related — Suramya @ 12:47 AM

I have a bunch of PDF files that I need to modify to remove text from them. Initially I was using LibreDraw but that was a manual task so I thought that I should script it/Automate it. Little did I know that programmatically editing PDF’s is not that simple. I tried a bunch of libraries such as PyPDF4, pikepdf etc but the only one which worked was borb which is a library by Joris Schellekens. They have a great collection of examples and using that I got my first script that searched and replaced text in the PDF working.

However, when I tried to run the script against my pdf file the script fails with the following error:

Traceback (most recent call last):
  File "/home/suramya/Temp/BorbReplace.py", line 26, in 
    main()
  File "/home/suramya/Temp/BorbReplace.py", line 18, in main
    doc = SimpleFindReplace.sub("Manual", "", doc)
  File "/usr/local/lib/python3.10/dist-packages/borb/toolkit/text/simple_find_replace.py", line 80, in sub
    page.apply_redact_annotations()
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/page/page.py", line 271, in apply_redact_annotations
    .read(io.BytesIO(self["Contents"]["DecodedBytes"]), [])
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/canvas_stream_processor.py", line 290, in read
    raise e
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/canvas_stream_processor.py", line 284, in read
    operator.invoke(self, operands, event_listeners)
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/redacted_canvas_stream_processor.py", line 271, in invoke
    self._write_chunk_of_text(
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/redacted_canvas_stream_processor.py", line 203, in _write_chunk_of_text
    )._write_text_bytes()
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/layout/text/chunk_of_text.py", line 145, in _write_text_bytes
    return self._write_text_bytes_in_hex()
  File "/usr/local/lib/python3.10/dist-packages/borb/pdf/canvas/layout/text/chunk_of_text.py", line 160, in _write_text_bytes_in_hex
    assert cid is not None, "Font %s can not represent '%s'" % (
AssertionError: Font Arial,Bold can not represent 'E'

Process finished with exit code 1

I tried a couple of different files and the font name changes but the error remains

The script I was using is: 

from borb.pdf import Document
from borb.pdf import PDF
from borb.toolkit import SimpleFindReplace

import typing

def main():

    # attempt to read a PDF
    doc: typing.Optional[Document] = None
    with open("/home/suramya/Downloads/t/MAA1.pdf", "rb") as pdf_file_handle:
        doc = PDF.loads(pdf_file_handle)

    # check whether we actually read a PDF
    assert doc is not None

    # find/replace
    doc = SimpleFindReplace.sub("PRIVATE", "XXXX", doc)

    # store
    with open("/home/suramya/Downloads/t/MAABLR_out.pdf", "wb") as pdf_file_handle:
        PDF.dumps(pdf_file_handle, doc)


if __name__ == "__main__":
    main()

I searched on the web and didn’t find any solutions so I reached out to the project owner and they responded with the following message “Not every font can represent every possible character in every language. you are trying to insert a piece of text that contains a character that Arial can not represent. Maybe some weird kind of “E” (since uppercase E should not be a problem).”. The problem was that I wasn’t trying to replace any strange characters, just a normal uppercase E.

To help trouble shoot, they asked me for a copy of the file. So I was masking the data in the PDF file to share it and the script suddenly started working. Turns out that there was an extra space after the word PRIVATE in the file and when I removed it things started working (even on the unmasked file). So it looks like the issue is caused when there is an encoding issue with the PDF file. Opening it in Libre Draw and exporting as a new PDF file seems to resolve the issue.

Now we are a step closer to the solution, I just need to figure out how to convert the file from the command line and I will be home free. Something to work on when I have had some sleep.

– Suramya

January 17, 2023

I hacked the Tamil Nadu eGovernment site and all I got was this lousy blog post

Filed under: Computer Security,Computer Tips,Tech Related — Suramya @ 1:20 AM

Finally doing a writeup of how I found that the eGovernment portal of Tamil Nadu had a major bug with a huge privacy impact as it leaked user documents with sensitive information (Personally Identifiable
Information) to the public. This issue was reported and has been fixed as well so am sharing this information so that others are aware of this issue and help them avoid similar problems in sites they manage going forward.

This whole saga started when I had to apply for an epass to enter Tamil Nadu and noticed that the link sent to download the PDF copy of the pass did not require any password to access. The link to download the data was something like: https://tnegov.in/xxxxxx where xxxxxx was a 6 character code. It looked like they might be vulnerable to an parameter enumeration attack so I wrote a quick script to try calling the URL with various sequential codes starting with AAAAAA and moving up. To my surprise within 30 seconds of me running the script I found another person’s personal document (https://tnegov.in/AAAABY) accessible over the web without any authentication. This URL gave me a PDF file that contained a “First Graduate Certificate” (Given to the first person in a family that graduates) for a lady in Virudhunagar District in Tamil Nadu.

Since I had proven that the private information was being leaked, I immediately killed the script and reported it to the Tamil Nadu CERT team using their web form and the same was also sent via email to info.cert@tn.gov.in on 12th March 2021.

A day later I got a call from the CERT team asking for more details. The lady I spoke with asked me a few questions about what I found and wanted additional information about me. The question she got stuck at was “Where are you currently working?” As I was on a work break since I doing my Degree in Cyber security I told her that I was not working anywhere but was a student. She was really confused and kept asking the question in different ways. After a few attempts she finally believed that I was studying Cyber Security and told me that they would look into this.

I expected them to take immediate action since this was a major privacy blunder but nothing happened and it was complete radio silence from them so I emailed them again a month later (29th April) asking for an update with another followup email sent in May with no response to either.

On 21st May I looped India CERT in the mail chain to escalate and wasn’t too hopeful of a quick response. Interestingly they replied within 24 hours asking for a PoC and screenshot of the issue, so I responded with a copy of the script I had written along with the PDF file containing the PII that I had found.

After that I didn’t get any communication from the team and I got busy with exams and classes so I didn’t follow up. However, every so often I would try to access the URL and it would still give me a PDF download. In October over 7 months after I first reported it I finally got an error when trying to download the data from the site. Now I get a 404 message stating that the page can’t be found. (The site gives too much detail in the error message but that is a different story and something for me to look at when I get some free time).

The overall experience was quite poor as in spite of the immediate response to the first notification of the issue they didn’t give me any details on the ETA for the fix or let me know once the issue was resolved. Which would have made it more streamlined and I wouldn’t have had to check frequently that the issue was resolved. If nothing else an email thanking for reporting the issue would have been nice, although I have seen that other agencies / sites giving bug bounty to people reporting such issues.

If you are hosting a site that allows users to generate data/files that can be downloaded the following should be kept in mind:

  • When creating links to the generated files, don’t use sequential ID’s for the files as it makes it easy to iterate through. Instead create long randomized strings for the ID’s to make them harder to guess
  • Add some form of authentication before allowing the download, something like a emailed link or SMS OTP to validate identity before allowing a download. For example the Nagaland Government site for ILP forces you to authenticate with an OTP before allowing you access to the document
  • Add some checks for bruteforce attempts to guess file paths and block them.

Well this is all for now. I have a few more of these that I will be sharing over the next few months once I verify that the issue is resolved and safe to disclose.

– Suramya

January 13, 2023

Fixing autopost to LinkedIn not working via Social Networks Auto-Poster

Filed under: Knowledgebase,Tech Related — Suramya @ 9:57 PM

A few days ago my authentication token that allowed Social Networks Auto-Poster to post my blog entries automatically expired (I can only authorize for a max of 2 months at a time). Usually the fix is quite simple, I just go to the account settings in the Plugin and then click on ‘Authorize Your LinkedIn Account (without Marketing API)’, after which I just have to authenticate using my LinkedIn password select Yes and then I am done. This time however, when I clicked on the Authorize connection button the system would redirect me to www.suramya.com/blog instead of the Plugin page which meant that the authentication process couldn’t complete. I spent a few hours trying to troubleshoot and for the life of me I couldn’t figure out the problem. I even tried installing another plugin but faced the same issue over there as well. In the end I decided to take a break and crash for the night as I was going nowhere.

Today I started looking at the problem again and was going to raise a support ticket with the plugin author to have them take a look at the issue and decided to check the FAQs just to ensure I didn’t miss anything obvious. The first entry in the FAQ talked about what to do if the plugin was redirecting to a “Blank Page” or an error page, according to the FAQ this could be caused by certain plugins and the fix was to disable the plugin, authorize and then re-enable them.

The last plugin I had installed was to Autopost my blog posts to Mastodon so I disabled the plugin and then tried authorizing the app again. To my utter delight the system immediately authorized the connection and I was able to make a test post successfully.

The moral of the story is that you should always check the documentation when something is not working rather than trying various things randomly.

Well this is all for now. Will post more later.

– Suramya

January 6, 2023

Good developers need to be able to communicate and collaborate and those are not euphemisms for politics and org building

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 11:25 PM

Saw this gem in my Twitter feed a little while ago and had to save it so that I could comment on it.

Twitter screenshot stating: Because to some people, in order to be a senior software engineer it's about politics and org building (perhaps you'll hear euphemisms communication and collaboration)
Because to some people, in order to be a senior software engineer it’s about politics and org building (perhaps you’ll hear euphemisms communication and collaboration)

There is a constant theme in Programming that the good developers are anti-social, can’t be bothered to collaborate and should be left alone so that they can create a perfect product. The so called 10x developer. This is emphasized by movie stories about the genius developer creating something awesome sitting in their basement. Unfortunately that is not how real life works as this 10x developer is a myth. In real life you need to be able to communicate, collaborate and work in a team in order to be successful as a programmer. No single person can create an enterprise level software alone and even if you could it needs to be something that people want/need, so guess what you will have to talk to your users to understand what problems they are facing and then work on software that will fix them or make their lives easier.

In one of my previous company, my role was to look at new software/systems and bring them into the company. So we went to expos, talked to startups and explored the market and found a really cool software that we thought would be extremely useful for the business so we went back and pitched it to the business. To our shock no one was interested in adopting the software because it didn’t address any of the pain points that the business was facing. We thought it would be useful for them because we were looking at it from the outside and hadn’t bothered talking to them about what their pain points were. Then we sat down with the business and their development teams to understand the setup and find out what are the most urgent/painful problems that we should fix. After multiple discussions we went out and found a software that addressed a significant pain point for the business and as soon as we demo’d it, we were asked to expedite getting it validated/approved for installed in their org.

Similarly, one of the startups I was working with during the same time were creating tech to help blind people and I happened to mention that to the founder of a NGO (Non-Government Organization) that works with blind people and his response was that what they are creating is cool but I wish they would actually talk to some blind people before they start working on tech to help them, as the blind people don’t want systems that will give them sight but rather assist them in doing things without trying to recreate sight.

Coming back to the original point about Senior Software Engineer, it is not their job to work on every part of the project themselves. Their job is to look at the high level goal, design the architecture and work with other developers in their team to create the software. Another major task of the senior Software Engineer is to mentor their juniors, teach them the tricks of the trade and help them grow in their skills and role. I personally believe that I should always be training the people under me so that they can one day replace me so that I can move on to more interesting projects. If you make yourselves indispensable in your current role and no one can replace you then you will always be doing the same thing and can never move on. Yes, there is a risk that you might be replaced with a junior and get fired but that can even happen to the 10x developer as well. Personally, I would rather have 10 regular developers than a single 10x developer as they are a pain to work with. They will insist on having full control of the entire dev process will refuse to share information that other developers/database/network folks need and basically become a bottle-neck for the entire project.

The way I look at being a senior engineer/architect is that I get to work on the really interesting problems, write code for PoC’s (Proof of Concept) that fix the problem. Then I can handoff the code to others who can productionalize it with me providing guidance and support. Its not to say that I wouldn’t get my hands dirty productionalizing the system but I rather solve interesting problems.

Another myth is that the only person who knows the system will never get fired. I have taken over multiple systems over the years (at least 4 that I can recall for sure) where they were originally managed by a single person who refused to collaborate/communicate with the rest of the team. In some cases they were fired and I was asked to take over, in others they were moved to other non-critical projects so they stopped being a road block. It each case took us a lot of time to reverse engineer/understand the system but it was worth the effort to do that so that we could make future changes without fighting with someone for every change or having to call the person for information everytime the system gave problems.

Long story short: communications doesn’t equate politics and collaboration doesn’t equate org building. If you think that they do then you will be miserable in any mid to large size company. You might get away with it in a startup initially but not for long as the team grows you will be expected to work together with other developers/admins (collaborate) to create systems that others want and for that you will need to communicate with others to ensure what you are making is actually useful.

Well this is all for now. Will write more later.

– Suramya

December 1, 2022

Analysis of the claim that China/Huawei is remotely deleting videos of recent Chinese protests from Huawei phones

Filed under: Computer Hardware,Computer Software,My Thoughts,Tech Related — Suramya @ 2:23 AM

There is an interesting piece of news that is slowly spreading over the internet in the past few hours where Melissa Chen is claiming over at Twitter that Huawei phones are automatically deleting videos of the protests that took place in China, without notifying their owners. Interestingly I was not able to find any other source reporting this issue. All references/reports of this issue are linking back to this tweet and based on this single tweet that is not supported by external validation. Plus the tweet does not even provide enough information to validate that this is happening other than a single video shared as part of the original tweet.


Melissa Chen claiming on Twitter that videos of protests are being automatically deleted by Huawei without notification

However, it is an interesting exercise to think how this could have been accomplished, what the technical requirements for this to work would look like and if this is something that would happen. So lets go ahead and dig in. In order to delete a video remotely, we would need the following:

  • The capability to identify the videos that need to be deleted without impacting other videos/photos on the device
  • The capability to issue commands to the device remotely that all sensitive videos from xyz location taken at abc time need to be nuked and Monitor the success/failure of the commands
  • Identify the devices that need to have the data on the looked at. Keeping in mind that the device could have been in airplane mode during the filming

Now, lets look at how each of these could be accomplished one at a time.

The capability to identify the videos that need to be deleted without impacting other videos/photos on the device

There are a few ways that we can identify the videos/photos to be deleted. If it was a video from a single source then we could have used a HASH value of the video to identify it and then delete. Unfortunately in this case the video in question is recorded by the device so each video file will have a separate hash value so this is not how we could do this.

The second option is to use the Metadata in the file, to identify the date & time along with the physical location of the video to be deleted. If videos were recorded within a geo-fence area in a specific timeframe then we potentially have the information required to identify the videos in question. The main problem would be that the user could have disabled geo-tagging of photos/videos taken by the phone or the date/time stamp might be incorrect.

One way to bypass this attempt to save the video would be to have the app/phone create a separate geo-location record of every photo/video taken by the device even when GPS is disabled or Geo tagging is disabled. This would require a lot of changes in the OS/App file and since a lot of people have been looking at the code in Huawei phones for issues ever since there was an accusation that they are being used by China to spy on western world, it is hard to imagine this would have escaped from scrutiny.

If the app was saving the data in the video/photo itself rather than a separate location then it should be easy enough to validate by examining the image/video data of photos/videos taken by any Huawei phone. But I don’t see any claims/reports that prove that this is happening.

The capability to issue commands to the device remotely that all sensitive videos from xyz location taken at abc time need to be nuked and Monitor the success/failure of the commands

Coming to the second requirement, Huawei or the government would need the capability to remotely activate the functionality to delete the videos. In order to do this the phone would need to be connecting to a Command & Control (C&C) channel frequently to check for commands. Or the phone would have something listening to remote commands from a central server.

Both of these are hard to disguise and hide. Yes, there are ways to hide data in DNS queries and other such methods to cover the tracks but thanks to Botnets, malware and Ransomware campaigns the ability to identify hidden C&C channels is highly developed and it is hard to hide from everyone looking at this. If the phone has something listening to commands then a scan of the device for open ports/apps listening to connections would be an easy thing to check and even if the app listening is disguised it should be possible to identify that something is listening.

You might say that the commands to activate might be hidden in the normal traffic going to & from the device to the Huawei servers and while that is possible we can check for it by installing a root certificate and passing all the traffic to/from the device via a proxy to be analyzed. Not impossible to do but hard to achieve without leaving signs, and considering the scrutiny these phones are going through hard to accept that this is something that is happening without anyone finding out about it.

Identify the devices that need to have the data on the looked at. (Keeping in mind that the device could have been in airplane mode during the filming)

Next, we have the question on how would Huawei identify the devices that need to run the check for videos. One option would be to issue the command to all their phones anywhere in the world. This would potentially be noisy and there is a possibility that a sharp eyed user catches the command in action. So far more likely option would be for them to issue it against a subset of their phones. This subset could be all phones in China, all phones that visited the location in question around the time the protest happened or all phones that are there in or around the location at present.

In order for the system to be able to identify users in an area, they have a few options. One would be to use GPS location tracking which would require the device to constantly track its location and share with a central location. Most phones already do this. One potential problem would be when users disable GPS on the device but other than that this would be an easy request to fulfill. Another option is to use cell tower triangulation to locate/identify the phones in the area at a given time. This is something that is easily done at the provider side and from what I read quite common in China. Naomi Wu AKA RealSexyCyborg had a really interesting thread on this a little while ago that you should check out.

This doesn’t even account for the fact that China has CCTV coverage across most of its jurisdiction and claim to have the ability to run Facial recognition across this massive amount of video collected. So, it is quite easy for the government to identify the phones that need to be checked for sensitive photos/videos with existing & known technology and ability.

Conclusion/Final thoughts

Now also remember that if Huawei had the ability to issue commands to its phones remotely then they also have the ability to extract data from the phones, or plant information on the phone. Which would be a espionage gold mine as people use their phones for everything and have then with them always. Loosing the ability to do this just to delete videos is not something that I feel China/Huawei would do as harm caused by the loss of intelligence data would far outweigh the benefits of deleting the videos. Do you really think that every security agency, Hacker Collective, bored programmers, Antivirus/cybersec firms would not immediately start digging into the firmware/apps on any Huawei phone once it was known and confirmed that they are actively deleting stuff remotely.

So, while it is possible that Huawei/China has the ability to scan and delete files remotely I doubt that this is the case right now. Considering that there is almost no reports of this happening anywhere and no independent verification of the same plus it doesn’t make sense for China to nuke this capability for such a minor return.

Keeping that in mind this post seems more like a joke or fake news to me. That being said, I might be completely mistaken about all this so if you have additional data or counter points to my reasoning above I would love for you to reach out and discuss this is more detail.

– Suramya

November 28, 2022

Internet Archive makes over 500 Palm Pilot apps available online for free

Filed under: Interesting Sites,Tech Related — Suramya @ 5:05 AM

The Palm Pilot was the first ‘smart’ device that I owned, and coincidentally it was the first device that I bought with my own money, so it always has a special place in my heart. I started off with the Palm V and then upgraded to the m505 when it came out. I loved the device and used it almost constantly for a long time. Unfortunately, they made a bunch of bad business decisions and the company collapsed.

Now, the Internet Archive has created an online archive of 565 Palm Pilot apps available to run in your web browser and on touchscreen devices. The apps are not as sophisticated as what you get nowadays but they are a blast of the past and some of them stand up to the passage of time quite well.

Check out the archive at: Software Library: Palm and Palmpilot.
More details on the project: The Internet Archive just put 565 Palm Pilot apps in your web browser

– Suramya

November 19, 2022

I am a speaker at SmartBharat 2022 Conference

Filed under: My Life,Tech Related — Suramya @ 11:56 PM

Happy to announce that I am one of the speakers at SmartBharat 2022 and I will be presenting on “IoT and Opensource: Re-purposing hardware & Improving interoperability“. My session is scheduled for 24 November at 12:30 PM in hall 2. As a kid I would read EFY regularly and now I am presenting at one of their conferences so this is a pretty big deal for me.


You can register for the conference at: https://www.iotshow.in/

If you are coming for the conference do stop by and say hello, I am planning on being there for all three days of the conference. Post the conference I will share the slides (and the video if possible) here.

– Suramya

« Newer PostsOlder Posts »

Powered by WordPress