Suramya's Blog : Welcome to my crazy life…

January 26, 2022

Got a new Biometric lock installed

Filed under: My Life — Suramya @ 3:39 AM

Yesterday I finally replaced my old Biometric lock that I have been using for the past 8 years with a newer model. The old one was still working fine for the most part but gave a fright a few weeks ago when its batteries died (I think that is what happened) and I couldn’t unlock the door. We did have a manual override key for the lock but I guess I don’t know my own strength because I broke off the key (in the lock) when I tried to unlock using the key. It looked like I would have to break the lock to get in but thankfully I remembered at the last minute that the lock had the option of providing power externally and was able to unlock using a 9 volt battery. Due to this and other small issues that were cropping up in the lock we decided to replace the lock with a newer version.

Searching online I found a lot of locks available but decided against most of them because I didn’t want the lock to be internet connected. There are enough security issues with the apps and I don’t like the idea of random folks being able to connect to my lock remotely for fun and profit. Finally narrowed down to two options, 1st was a godrej model and the other was the one we got. The Godrej one looked good but as per their support team required a door with a min thickness of 42mm and our door is only 35mm. We could have gotten extra plywood put in to thicken the door but since the other option was 10k cheaper, had more functionality and didn’t require modification we decided to go with that one instead.

Ordered the lock online and it was delivered in ~3 days, installation took a while because they took a while to assign a technician for some reason but after yelling at them for a bit (and offering to return the lock) it was finally installed yesterday. The installation person was pretty good and the whole thing took about 40 mins to complete.

Now with the new lock I can unlock the door with Finger prints, pin, RFID card and manual override key. In case of power going off it has the option of using a powerbank as external power so that is a relief. Plus it doesn’t require dismantling the handle to get access to the override key so that is a big advantage.

The new lock’s sensor is a lot more sensitive and processes faster than my old one. Thinking about what to do with the old one, one option is to send it to my parents place in Delhi another is to use it for secure storage here in Bangalore itself but that would require work and I honestly don’t have that many valuables that would require a biometric storage locker. In any case for now it is going into storage.

Well this is all for now, will post more later.

– Suramya

PS: I didn’t specify the lock model / make in the post specifically because I don’t think I want to make that public. But if you are interested in discussing more or are planning to buy you can reach out offline and we can talk in more detail.

January 25, 2022

Intentionally breaking popular opensource projects for… something

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 10:23 AM

Recently Marak Squires, the developer of extremely popular npm modules Colors & Faker decided to intentionally commit changes into the code that broke the module and brought down thousands of apps world wide. Initially it was thought that the modules were hacked as others have been in the past, but looking at the commit history it was obvious that the changes were committed by the developer themselves. Which brings us to the question of why on earth would someone do something like this? Marak didn’t explicitly state on why the changes were made but considering their past comments it does seem like this was done intentionally:

In November 2020, Marak had warned that he will no longer be supporting the big corporations with his “free work” and that commercial entities should consider either forking the projects or compensating the dev with a yearly “six figure” salary.

“Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn’t much else to say,” the developer previously wrote.

“Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.

The aftermath of the changes is that NPM has revoked the developers rights to commit code, their github account has been suspended and the modules in question have been forked. Now Marak is pleading for his accounts to be reinstated because the issue was caused due to a ‘programming mistake’ which seems like a far fetched excuse. Especially given how they made fun of the problem right after people reporting it. That doesn’t seem like the reaction we would see if this was a legitimate mistake.

My guess is that they thought this would play out differently with companies falling over themselves to give them money/contracts etc or something but didn’t anticipate how it would blow back on them. I mean if I was hiring right now and their resume came up I would think twice about hiring them because of this stunt. They have shown that they can’t be trusted and what is to stop them from making changes to my company’s software and bring it a screeching halt because they felt that they were not being paid their dues? I mean they have already done it once, what is to stop them from doing it again? This looks like a textbook example of what not to do in order to get people to work with you/hire you.

One of the things that I have heard from detractors of OpenSource software when I was pushing for it in my previous companies is the question about how can we be sure the software will be there a year for now and who do we blame if the software is broken and we need help. Stunts like this don’t help improving the image of Open Source software and this person is now reaping their just deserts.

The positive side is that because the code is opensource, it has already been forked and others have taken over the codebase to ensure we don’t hit similar issues going forward.

– Suramya

January 24, 2022

Citibank Bangalore – Doing a great job enforcing Covid Appropriate Behavior at their branch

Filed under: My Thoughts — Suramya @ 10:17 PM

Had to go to Citibank branch on MG Road, Bangalore today for some work and was extremely impressed by how well they are enforcing Covid Appropriate Behavior (CAB) at the branch. As I walked over to the entrance the security guard took my temperature and then asked me to wait outside as all the counters had people at them. As other folks came up to the gate the guy asked them to wait in queue and ensured all were maintaining 6 ft distance. A few people grumbled a little on being asked to wait outside but no one created a problem.

Once the counter freed up, I was allowed inside and proceeded with my work. Even while waiting inside, they ensured folks are not sitting close to each other and every single person inside was wearing a mask. It was nice to see such a well managed setup here. We can only control Covid spread by ensuring we all get vaccinated, wear a mask and follow CAB at all times.

– Suramya

January 23, 2022

Some thoughts on Crypto currencies and why it is better to hold off on investing in them

Filed under: Computer Related,My Thoughts,Tech Related — Suramya @ 1:26 AM

It seems that every other day (or every other hour if you are unlucky) someone or the other is trying to get people to use Crypto currency because they claim that it is awesome and not at all dependent on government regulations and thus won’t fluctuate that much. Famous people are pushing it, others like New York City Mayor Eric Adams are trying to raise awareness of the product and have decided to convert his first paycheck to Crypto, El Savador started accepting crypto currency as legal tender etc. However, the promises made by crypto enthusiasts don’t translate into reality as the market remains extremely volatile.

I see people posting on twitter that Crypto currencies are better because they are stable, but in my opinion if a currency can drop 20% because Elon Musk tweeted a Broken heart emoji then it is not something I want to use to store my savings. Earlier this week the entire Bitcoin market dropped over 47% from it’s high back in Nov 2021. Mayor Adams paycheck which was converted to crypto is now worth ~1/2 of what it was when he invested it, and that is a massive drop. Imagine loosing 50% of your savings in one shot. You might suddenly have no way to pay rent or emergency repairs/hospitalization etc. Even El Savador has seen its credit become 4 times worse than it was before it moved to Bitcoin. People there are complaining that the promised reduction in cost for conversion to/from international currencies is a myth as they are paying more than what they were paying earlier as transaction costs.

Another major issue with crypto currency is the ecological hit caused by the mining. According to research done by University of Cambridge, globally Bitcoin uses more power per year than the entire population of Argentina. The recent Kazakhsthan unrest and protests were sparked off due to surging fuel prices that were caused by the migration of Bitcoin miners to the country after China banned them. This caused a lot of strain on the electricity grid and required an increase in the prices which kicked off a massive protest that has caused untold no of deaths. There are multiple folks coming up with new crypto-currencies that claim to be carbon neutral but so far none of them have delivered on the promise.

Bitcoin is thought to consume 707 kwH per transaction. In addition, the computers consume additional energy because they generate heat and need to be kept cool. And while it’s impossible to know exactly how much electricity Bitcoin uses because different computers and cooling systems have varying levels of energy efficiency, a University of Cambridge analysis estimated that bitcoin mining consumes 121.36 terawatt hours a year. This is more than all of Argentina consumes, or more than the consumption of Google, Apple, Facebook and Microsoft combined.

Check out this fantastic (though very long – 2hr+) video on economic critique of NFTs, DAOs, crypto currency and web3. (H/t to Cory Doctorow)

In summary, I would recommend against investing in crypto currencies till the issues highlighted above are resolved (if they are ever resolved).

– Suramya

January 22, 2022

Malware can now Intercept and fake an iPhone reboot

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 1:50 AM

Rebooting the system has always been a good way to clean start your system (phone or computer). Some of the phone malware specifically don’t have the ability to persist so can be removed just by rebooting the phone (Especially on the iPhone). Now, researchers from the ZecOps Research Team have figured out how to fake a reboot on an iPhone. Which allows malware/surveillance software to spoof the shutdown / reboot of a phone. As you can imagine, this has massive security impact. The first problem is that we can’t be sure that the phone has been rebooted so malware can’t be removed. Secondly, some of the folks shutdown their phones while discussing sensitive information. Using this technique the attackers can pretend that the phone is switched off, while it is still on and eavesdrop using the phone’s camera and mic.

We’ll dissect the iOS system and show how it’s possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it’s still running. The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown.” There is no user-interface or any button feedback until the user turns the phone back “on.”

The problem is exacerbated due to there not being any physical method of powering the device off. Earlier phone models had removable batteries which allowed a user to physically remove the battery when they wanted to secure the device. Now the battery is built in and there is no way to remove it without dismantling the device and voiding your warranty in the process. I have discussed this with various folks over the years that it is impossible to ensure a device is powered off when we shut it down because we can’t remove the battery.

A silver lining around this is that it looks like hard reboots are harder to spoof so if you want to be sure that your phone is actually off, you can shut it down using a hard-reboot. Another solution is to carry a Faraday bag with you and put your phone inside when you need to be off-grid.

Source: Schneier’s Blog: Faking an iPhone Reboot

– Suramya

January 21, 2022

nerd-dictation: A fantastic Open Source speech to text software for Linux

Filed under: Computer Software,Computer Tips,Linux/Unix Related,My Thoughts,Tech Related — Suramya @ 9:17 AM

After a long time of searching I finally found a speech to text software for Linux that actually works well enough that I can use it for dictating without having to jump through too many hoops to configure and use. The software is called nerd-dictation and is an open source software. It is fairly easy to setup as compared to the other voice-to-text systems that are available but still not at a stage where a non-tech savvy person would be able to install it easily. (There is effort ongoing to fix that)

The steps to install are fairly simple and documented below for reference:

  • pip3 install vosk
  • git clone https://github.com/ideasman42/nerd-dictation.git
  • cd nerd-dictation
  • wget https://alphacephei.com/kaldi/models/vosk-model-small-en-us-0.15.zip
  • unzip vosk-model-small-en-us-0.15.zip
  • mv vosk-model-small-en-us-0.15 model

nerd-dictation allows you to dictate text into any software or editor which is open so I can dictate into a word document or a blog post or even the command prompt. Previously I have used tried using software like otter.ai which actually works quite well but doesn’t allow you to edit the text as you’re typing, so you basically dictate the whole thing and the system gives you the transcription after you are done. So, you have to go back and edit/correct the transcript which can be a pain for long dictations. This software works more like Microsoft dictate which is built into Word. Unfortunately my word install on Linux using Crossover doesn’t allow me to use the built in dictate function and I have no desire to boot into windows just so that I can dictate a document.

This downloads the software in the current directory. I set it up on /usr/local but it is up to you where you want it. In addition, I would recommend that you install one of the larger dictionaries/models which makes the voice recognition a lot more accurate. However, do keep in mind that the larger models use up a lot more memory so you need to ensure that your computer has enough memory to support the larger models. The smaller ones can run on systems as small as a raspberry pi, so depending on your system configuration you can choose. The models are available here.

The software does have some quirks, like when you are talking and you pause it will take it as a start of a new sentence and for some reason it doesn’t put a space after the last word. So unless you’re careful you need to go back and add spaces to all the sentences that you have dictated, which can get annoying. (I started manually pressing space everytime I paused to add the space). Another issue is that it doesn’t automatically capitalize the words when you dictate such as those at the beginning of the sentence or the word ‘I’. This requires you to go back and edit, but that being said it still works a lot better than the other software that I have used so far on Linux. For Windows system Dragon Voice Dictation works quite well but is expensive. I tested it out by typing out this post using it and for the most part it does work it worked quite well.

Running the software again requires you to run commands on the commandline, but I configured shortcut keys to start and stop the dictation which makes it very convenient to use. Instructions on how to configure custom shortcut keys are available here. If you don’t want to do that, then you can start the transcription by issuing the following command (assuming the software is installed in /usr/local/nerd-dictation):

/usr/local/nerd-dictation/nerd-dictation begin --vosk-model-dir=/usr/local/nerd-dictation/model  --continuous

This starts the software and tells it that we are going to dictate for a long time. More details on the options available are available on the project site. To stop the software you should run the following command:

/usr/local/nerd-dictation/nerd-dictation end

I suggest you try this if you are looking for a speech-to-text software for Linux. Well this is all for now. Will post more later.

Thanks to Hacker News: Nerd-dictation, hackable speech to text on Linux for the link.

– Suramya

January 20, 2022

Impact of Google Hacking and Data Collection using Search Engines on CyberSecurity

Filed under: Article Releases,Computer Security,My Thoughts,Tech Related — Suramya @ 1:58 AM

The modern search engines scan most of the public sites on a regular basis and unlike the legacy search engines also have the capability of finding and indexing data or files that are not linked to from any other sources. This allows the search engine to index data/files that could have sensitive data or details on vulnerabilities. Using publicly available information attackers can perform searches for such information without touching the target system directly leaving little trace for the defenders to watch for to be alerted. Most organizations are not aware of the information being leaked by such means and how it is compromising their cyber security. The availability of the Google Hacking Database allows even minimally skilled attackers to search for information quickly and efficiently.
This poses a high risk to the organizations leaking sensitive data. There are no sure shot solutions to this problem and even the most careful organizations will expose data that when combined with other sources allow attackers a look at the organizations digital assets and systems.

The popular image of a hacker involves an attacker sitting in a dark room typing commands in a terminal to gain access and usually is completed in a very short period of time. In real life attackers spend a lot of time performing reconnaissance on the target before even engaging with the target system. One of the popular ways of performing reconnaissance is to use search engines like Google to find data, this technique is called Google Hacking and was introduced to public in 2004 by Johnny Long. He defined it as “the art of creating complex search engine queries in order to filter through large amounts of search results for information related to computer security” (Johnny, 2004). Attackers use Google Hacking to uncover sensitive information about a company or uncover potential security vulnerabilities.

The modern search engines scan most of the public sites on a regular basis and unlike the legacy search engines also have the capability of finding and indexing data or files that are not linked to from any other sources. This allows the search engine to index data/files that could have sensitive data or details on vulnerabilities.

The Google Hacking Database (GHDB) is a consolidated database of queries that have been collected over the years thanks to contributions by researchers, hackers and general public that can be used to find sensitive data on websites such as files containing passwords, configurations, sensitive data, financial information, error messages, firewall logs and other such data. (Google Hacking Database, 2021) The database is in an easy to consume format and allows users to search for queries that will return specific types of data.

This database gives attackers the queries to be used to specific types of data, leveraging the indexing powers of Google for finding information that should not have been exposed to the public.

How Google Hacking Works

Google allows a user to search for information using search keywords and a combination of search operators to limit the search results. With the information available in the Google Hacking Database an attacker can search for specific information and limit the search to a given target domain. There are multiple kinds of queries available that target specific kinds of information. Some of the categories of information available using this are:

  • Advisories and vulnerabilities: Queries that allow us to locate vulnerable servers based on product or version-specific setups with known vulnerabilities..
  • Sensitive directories: Allow us to find directories with files that contain sensitive information
  • Files containing passwords: Locate files containing passwords.
  • Pages containing login portals: Locate login pages for various services
  • Error messages: Find files with errors messages that may contain details about the system.

Below are examples of the various queries that are available and the kind of data they expose.

Searching for passwords stored in files

Users sometimes store passwords in plain text files or excel databases that are accidentally uploaded to a public site. These are then indexed by Google (or other search engines) and can be found using specific queries. For example:

allintext:"*.@gmail.com" OR "password" OR "username" filetype:xlsx

searches for all Excel files that have gmail.com in the text along with “password”. This will find all files containing any of the search terms provided. If required we can limit the search to a specific site using the “site:” search parameter.

Search for Log files

Log files contain a lot of sensitive information if exposed to public. Error logs, access logs can expose information such as PHP version you are running, CMS version details, Operating system details etc. If firewall logs or system logs are exposed it can reveal information such as usernames, firewall version and configuration details etc. Similarly SQL logs can expose sensitive data as well. This information combined with other information can give an attacker a foothold in the system. For example:

allintext:username filetype:log

This query will give results that include the text username inside all *.log files and the following query will return all directories where logfiles are publicly accessible:

intitle:"index of" errors.log

SSH private keys

SSH private keys are used to encrypt/decrypt data exchanged during SSH connections. They also allow users to authenticate to servers without the use of passwords. If they are exposed anyone can impersonate that user and if passwordless login’s are enabled the key will allow the attacker to login to the server without a password. The following query will return all directories with publicly accessible private key:

intitle:index.of id_rsa -id_rsa.pub

Login Portals

A lot of times organizations expose their development or staging systems to the internet for testing and depend on the obscurity of the system for protection. These systems are vulnerable because development systems often don’t have the same protections and controls applied on them as production systems do. In addition, there are often systems that were not meant to be pubic such as router login pages, CMS admin sections etc that increase the attack surface of the organization. A sample query to find login pages for CISCO email security appliance is listed below:

intitle:"Cisco Email Security Virtual Appliance" inurl:csrfkey=

SQL dumps

Sometimes sites require SQL datadumps to be made for backup or restoration purposes and these dumps often have a lot of sensitive data in them. Using a search query similar to the one listed below attackers can find these dumps and explore the data:

ext:sql | ext:txt intext:"-- phpMyAdmin SQL Dump --" + intext:"admin"

There are many more queries that are available in the database to search for specific data and more are added everyday.

Famous attacks that used Google Hacking/Google Dorks
Attacks using Google Hacking/Google Dorks are difficult to identify due to the passive nature of the attacks. However, even with that restriction there have been a few cases of note where the attacker’s used this technique to attack an organization’s system and some of them are listed below.

N.Y. Dam attack from Iran, 2013

Between 2011 and 2013, Hamid Firoozi from Iran gained access to the Bowman Avenue Dam in Rye Brook, New York by finding an unprotected computer that controlled the dam’s sluice gates using Google Searches. (Matthews, 2016). The issue is rampant enough that the Department of Homeland Security and FBI jointly released a warning about Google dorking. “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities,” (FBI, 2014)

Detection of Google Hacking Attacks

Detection of these attacks is difficult due to the passive nature of the attack. However, one of the technique that is quite successful is to use a Honey Pot approach. Organizations can store files with fake information that looks authentic and important such as username and password combinations or SSH private keys that belong to non-existent accounts. Because these accounts do not exist no one should be attempting to log in to them for legitimate purposes so when a login attempt is made to these accounts or when the files are accessed we know that a Google Hacking attack is in progress and the IP address etc can be flagged for followup or blocking. We can also lure the system into a fake network which is monitored to identify what information they are looking for in the network.

Using that information, we can take further preventive measures to protect the system.

Prevention Techniques for Google Hacking attacks

There are a few steps that we can take to avoid leaking sensitive data to attackers using Google Dorks as listed below:

  • Protect sensitive data with authentication for private information
  • Don’t expose development systems to internet, if that is not possible restrict access using IP based restriction.
  • Run regular vulnerability scans on your website/domain. A lot of the scanners now incorporate checks for popular Google Dork queries
  • Run manual dork queries against your site to locate leaks before attackers do
  • Add checks to your servers to find sensitive files in public directories such as any file with an extension other than a php/asp/html. These can we potential leaks
  • If you find sensitive content exposed, you can request its removal by using the Google Search Console.

Conclusion

Google Hacking allows an attacker to perform reconnaissance against your organization in a passive way allowing them to collect information that can then be combined with other sources to give them a foot hold. Preventing such information leaks is a good way to protect the organizational systems and the techniques listed above can help with that. We can also subscribe to services that perform these checks on your behalf.

We covered some of the techniques available to detect and prevent Google Hacking attacks in the paper and while the techniques discussed will not protect against all attacks, they will reduce the attack surface and protect you against most attackers.

Note: This was originally written as a paper for one of my classes at EC-Council University in Q2 2021, which is why the tone is a lot more formal than my regular posts.

January 19, 2022

Have been rewatching Xena and I love it

Filed under: My Thoughts — Suramya @ 11:35 PM

A few weeks ago I suddenly had the urge to (re)watch Xena: Warrior Princess after reading a bunch of tweets by Lucy Lawless who is an awesome person BTW. I had watched a few episodes of it over the years but never watched the full series, So I started watching the series and I love it. There is so much camp in the episodes and a lot of them are riffing off other series like the one episode “Scrolls of Xena” that is a parody of Indiana Jones. But the episode are mindless fun with a few moral lessons thrown in at times which makes them fun to watch without being grim. This is a trend I really dislike where everything needs to be make (or remade) into a grim/gritty version of itself.

As I was watching the series, I was reminded of this novel called ‘The Warslayer‘ by Rosemary Edghill where an actor who plays a character similar to Xena called ‘Vixen’ gets transported to a world where magic is real and she is expected to defeat the greatest evil to rise since she is ‘Vixen’ the scourge of evil everywhere. The novel has hat tips to Xena, Galaxy Quest amongst others and was a novels that I really liked when I last read it about a decade or so ago. I ended up re-reading the book and it was as good as I remembered. So, if you are looking for a good read check it out.

I still have another 90 or so episodes left so I know I will be watching the series for a while before I am done, especially since I am only watching a couple of episodes at a time as and when I get some free time or want a break from studies. If you haven’t seen the series, I highly recommend it.

Once I am done I think I might watch Hercules as well but with the actor who played Hercules acting like a bigoted/anti-science ass most of the time online I am not sure if I would be able to watch it without constantly getting reminded of all the nonsense he keeps posting. Let’s see, I still have a lot of time before I have to decide so will not break my head on this right now.

Well this is all for now. Will post more later.

– Suramya

September 19, 2021

Trip to Historic Hampi – Part 2: Visiting a 3000 year old Megalithic site

Filed under: My Thoughts,Travel/Trips — Suramya @ 11:05 PM

This is a continuation of my previous post about my trip to Historic Hampi. After spending a few days in Hampi, we had visited most of the famous places and were ready to head back when we got into a conversation with Mr Sarath Champati, who is the Associate Director for Conservation and Experiences at Evolve Back Resorts. During the conversation he mentioned that they were in the process of preparing a new trail and had just come back from a walk through of the trail the day before. This was an place called ‘HireBenakal’ which hardly anyone knows about which has Dolmen’s dating back almost 3000 years, making it a megalithic site. Since both of us are quite interested in history we requested that we be allowed to accompany them on the trail and after reminding us that this trail was still under development and involved a lot of hiking they agreed to take us up to the site the next day. We immediately extended the stay by another day and crashed early since we had to wake up early morning to reach the place.



Ombatthugudda, Start of trail to site

The next day we started early (around 6am) and reached the starting point of the trail by 7:30am. If you don’t already know about it, it is hard to find this place as there are almost no signs or directions. I bookmarked the location on Google Maps, so if you are planning to go you can use this to navigate: Ombatthugudda, Start of trail to site. There is single guard over there who is basically there to prevent folks from trying to dig up the Dolmens. A few weeks before we visited some folks from the nearby villages damaged 3-4 of the structures while trying to dig under them because they thought that there would be buried treasure under them. That is not the case but still the damage was done and some priceless artifacts damaged by morons.


Overview of the Hirebenakal Prehistoric site and the trail

The trail up from the starting point is a wonderful trek, you get to see a lot of flora and fauna. Plus since not a lot of people come this way there is a high chance of spotting wild animals on the way. While we were walking up our guide suddenly asked us to stop and talk loudly. After a min or so he showed us a pile of fresh shit on the trail and explained that it was from a Sloth bear which we had interrupted in the middle of taking a dump. They have very bad eyesight but have excellent hearing so if you are walking along quietly and stumble on them they might attack as they wouldn’t see you from a distance. If you keep making noise while walking then they hear you and leave so as not to have an encounter. Which is what had happened in this case. He then told us that the bear had been feasting on Mango and other fruits down at the village and he tried showing us the remains in the poop. But I took him on his word and didn’t try to verify what he was saying.


Fantastic view on the way

About a third of the way up we took a short detour (5 min hike off the main trail) and came to some really cool Rock Art which were dated to be more than 2000 years old. It is not clear why the paintings were done at these rocks but a popular theory is that they had something to do with religious ceremonies. There are about 10 rock shelters in the area which have these paintings.


Over 2000 year old Rock Paintings


Some more rock paintings

At first it was hard to see the paintings as they look like rust or regular mud but when you get closer they suddenly take shape and you can see people, animals and other day to day activities painted on the rock. As this is not a often visited site there were no barriers stopping us from getting close to the paintings so with extreme care to avoid touching/damaging the paintings we got as close as we could (a few inches away at times) to check out the paintings. The paintings are done with natural paint called Red Ochre made by mixing powdered haematite (an iron ore) with water.


Mr. Vinay showing us the paintings


Some more paintings

Since the paintings are exposed to nature a lot of them have been erased by erosion over time. The only way to preserve them is to cover them with something that prevents natural elements from touching the paintings. Unfortunately that would be a massive undertaking and not something that can be done easily or cheaply. Which is why we need to put pressure on the government and the Archeological Society to take steps to preserve these artifacts for future generations.

After spending a little while admiring the paintings we started back up the trail and noticed a massive boulder on the way which looked like it was cut in half by a giant knife. One theory is that this rock acted as a waymarker and guide for the folks coming to visit the Dolmen’s, another is that it was used to warn people about attacks or to notify them about the start of important ceremonies etc. It was carved by hand without any power tools and I can only imagine the time and effort required to cut the rock in half so precisely using only stoneage tools.


Stone kettledrum on the way to the site

Shortly after you see the rock signpost the trail flattens out and is a pleasant walk between trees and shrubs. Soon thereafter we started seeing Dolmens all around us. They started off as small structures about a foot in height and as you near the center they are massive structures over 10 feet high. One theory is that the central dolmens were for the chief’s or other important people in the tribe and the further you came out from the center the lesser the status of the people making the structures which translated into smaller structures that would be cheaper/easier to make. But again there is no way to know for sure why these were built or if any of the theories we are putting forward have any merit.


Tiny Dolmen’s near the outskirts of the site


Slightly larger Dolmen found as we get closer to the center


Dolmen’s getting larger as we get to the center

Dolmen’s are basically stone structures usually consisting of two or more vertical megaliths supporting a large flat horizontal capstone or “table”. They are found all over the world and are thought to be tombs or prayer places for ancestor worship. But no bodies have been found at any of the Dolmen’s around the world possibly because of the age and the fact that it looks like the bodies were left in the open inside them which would allow wild animals access to the bodies and over the years all evidence of them would be erased by time. One of the most famous examples of Dolmen is the Stonehenge in the UK but there are multiple sites in India with these structures as well.


Gigantic Dolmens at the center of the site

This particular site started off with over 490 when it was first discovered by local herdsmen but due to damage and time only ~200 are still left standing. There are multiple kinds of Dolmen’s here starting with 3-sided chambers with a large capstone on the top allowing them to balance on each other. These are massive stone structures with each slab weighing several tons. It is hard to imagine the effort required to cut the slabs and then lift them up over 10-15 feet in the air while ensuring the ‘walls’ are stable and don’t collapse. Some of these structures have a porthole carved into one of the walls and they are perfectly circular. Imagine carving a hole in a 6-8 inch thick slab of rock while ensuring the hole is perfectly circular. It would be difficult to do so with modern power tools but these folks did it with hand tools.


Circular hole carved in solid rock without power tools.

In addition to the 3 sided chambers, the site also has several buried and semi-buried dolmens called cists and dolmenoid cists along with irregular polygonal and rock shelter chambers. All of these were carved manually over the years. Near the center there is a massive water reservoir which is where archeologists think the tribes created the Red Ochre paint and one can see portions of the rock that are still colored red from the years of paint mixing.


Photo with the dolmens in the background


Shot of some of the Dolmens still standing after ~3000 years

As per the excavation and study done there, it doesn’t seem that people stayed here full time but rather came up from nearby villages to work on the structures. This supports the theory that the site had religious significance but as I said before it is almost impossible to confirm these theories since there is hardly any remains here. Which is one of the reasons idiots around the world dismiss the possibility that they were created by ancient humans. A popular theory is that Aliens came to earth and built these structures because humans couldn’t have done it. These theories are mostly sprouted by western ‘experts’ who can’t believe that indigenous people did what Europeans could not and thus try to discredit their work. Shows like Ancient Aliens and like don’t help either as they spread this racist theory that without ‘white man’ the natives couldn’t have created such works. These programs ignore the massive amount of supporting evidence that it is in-fact possible to create these structures with only muscle power and time. Similar theories abound about the pyramids and other ancient structures and all I can say to them is that, just because you couldn’t do it doesn’t mean that other cultures were not advanced enough and skillful enough to do it. Looking at what they did with stone-age tools it is humbling to imagine what they could have achieved if they had access to modern tools and resources.

Hirebenkal is one of the very few Indian megalithic sites found with associated habitations. In the nearby village archaeologists have unearthed rich cultural material, including pre-megalithic implements, iron slag, pottery of Neolithic, megalithic and early historic period. So it is sad to find it so neglected and poorly protected. There is ongoing effort to get the site classified as a UNESCO World Heritage Site. Hopefully it will happen soon and this amazing site will be preserved for future generations to admire.

After a couple of hours around the site, we started back and the trip down was a lot easier but a lot hotter (as it was quite sunny). We reached the start of the trek and had a quick breakfast there from the packed food that we had brought along. Once done with the food we headed back to the resort, where we relaxed for the rest of the day.

The next day, we had breakfast and started the drive back to Bangalore with a determination to try visit more such historical sites in India and spread awareness about them and our rich cultural history.

– Suramya

August 20, 2021

Human Upgrade 2.0: Patch 2/2 (Vaccine Dose 2) Applied Successfully

Filed under: My Life,My Thoughts — Suramya @ 12:26 AM

Finally got the second dose of the Covid vaccine earlier this week. As compared to the first dose this was a super efficient and fast process. We reached Manipal around 1pm and within 20 mins we were done with the vaccination and back on the way home. The staff ensured that there was enough social distancing and the shots were given very quickly.

I am someone who is scared of needles but even then I took the shot. This is because I rather get a quick and painless shot than end up in the hospital and get pumped up with drugs and lots of needles. It is a lot more painful (and scary) to be intubated than it is to get an injection. I know the shot doesn’t give you 100% immunity and there is still a possibility that you can get Covid even after getting vaccinated but in those cases Covid is not as severe and there is a higher probability that you will recover on your own without ending up in the ICU.

I did get a bad headache for a few days after the vaccine (I got it even from the first dose). Basically, my sinusitis got triggered by the shot and it takes a few days for my immune system to adjust to the new information given via the shot. Post that all is well. I know a few others who were sick for a week after the shot but that is still better than the sickness you might get if you get a severe case of Covid.

If you are eligible then you better get the vaccine as early as possible, to protect yourself and others around you.

– Suramya

PS: Am upset that I am still don’t get a better 5G signal!

« Newer PostsOlder Posts »

Powered by WordPress