Suramya's Blog : Welcome to my crazy life…

April 13, 2022

Internet of Things (IoT) Forensics: Challenges and Approaches

Filed under: Article Releases,Computer Related,Computer Security,Emerging Tech,My Thoughts,Tech Related — Suramya @ 6:18 AM

Internet of Things or IoT consists of interconnected devices that have sensors and software, which are connected to automated systems to gather information and depending on the information collected various actions can be performed. It is one of the fastest growing markets, with enterprise IoT spending to grow by 24% in 2021 from $128.9 billion. (IoT Analytics, 2021).

This massive growth brings new challenges to the table as administrators need to secure IoT devices in their network to prevent them from being security threats to the network and attackers have found multiple ways through which they can gain unauthorized access to systems by compromising IoT systems.

IoT Forensics is a subset of the digital forensics field and is the new kid on the block. It deals with forensics data collected from IoT devices and follows the same procedure as regular computer forensics, i.e., identification, preservation, analysis, presentation, and report writing. The challenges of IoT come into play when we realize that in addition to the IoT sensor or device we also need to collect forensic data from the internal network or Cloud when performing a forensic investigation. This highlights the fact that Forensics can be divided into three categories: IoT device level, network forensics and cloud forensics. This is relevant because IoT forensics is heavily dependent on cloud forensics (as a lot of data is stored in the cloud) and analyzing the communication between devices in addition to data gathered from the physical device or sensor.

Why IoT Forensics is needed

The proliferation of Internet connected devices and sensors have made life a lot easier for users and has a lot of benefits associated with it. However, it also creates a larger attack surface which is vulnerable to cyberattacks. In the past IoT devices have been involved in incidents that include identity theft, data leakage, accessing and using Internet connected printers, commandeering of cloud-based CCTV units, SQL injections, phishing, ransomware and malware targeting specific appliances such as VoIP devices and smart vehicles.

With attackers targeting IoT devices and then using them to compromise enterprise systems, we need the ability to extract and review data from the IoT devices in a forensically sound way to find out how the device was compromised, what other systems were accessed from the device etc.

In addition, the forensic data from these devices can be used to reconstruct crime scenes and be used to prove or disprove hypothesis. For example, data from a IoT connected alarm can be used to determine where and when the alarm was disabled and a door was opened. If there is a suspect who wears a smartwatch then the data from the watch can be used to identify the person or infer what the person was doing at the time. In a recent arson case, the data from the suspects smartwatch was used to implicate him in arson. (Reardon, 2018)

The data from IoT devices can be crucial in identifying how a breach occurred and what should be done to mitigate the risk. This makes IoT forensics a critical part of the Digital Forensics program.

Current Forensic Challenges Within the IoT

The IoT forensics field has a lot of challenges that need to be addressed but unfortunately none of them have a simple solution. As shown in the research done by M. Harbawi and A. Varol (Harbawi, 2017) we can divide the challenges into six major groups. Identification, collection, preservation, analysis and correlation, attack attribution, and evidence presentation. We will cover the challenges each of these presents in the paper.

A. Evidence Identification

One of the most important steps in forensics examination is to identify where the evidence is stored and collect it. This is usually quite simple in the traditional Digital Forensics but in IoT forensics this can be a challenge as the data required could be stored in a multitude of places such as on the cloud, or in a proprietary local storage.

Another problem is that since IoT fundamentally means that the nodes were in real-time and autonomous interaction with each other, it is extremely difficult to reconstruct the crime scene and to identify the scope of the damage.

A report conducted by the International Data Corporation (IDC) states that the estimated growth of data generated by IoT devices between 2005 to 2020 is going to be more than 40,000 exabytes (Yakubu et al., 2016) making it very difficult for investigators to identify data that is relevant to the investigation while discarding the irrelevant data.

B. Evidence Acquisition

Once the evidence required for the case has been identified the investigative team still has to collect the information in a forensically sound manner that will allow them to perform analysis of the evidence and be able to present it in the court for prosecution.

Due to the lack of a common framework or forensic model for IoT investigations this can be a challenge. Since the method used to collect evidence can be challenged in court due to omissions in the way it was collected.

C. Evidence Preservation and Protection

After the data is collected it is essential that the chain of custody is maintained, and the integrity of the data needs to be validated and verifiable. In the case of IoT Forensics, evidence is collected from multiple remote servers, which makes maintaining proper Chain of Custody a lot more complicated. Another complication is that since these devices usually have a limited storage capacity and the system is continuously running there is a possibility of the evidence being overwritten. We can transfer the data to a local storage device but then ensuring the chain of custody is unbroken and verifiable becomes more difficult.

D. Evidence Analysis and Correlation

Due to the fact that IoT nodes are continuously operating, they produce an extremely high volume of data making it difficult to analyze and process all the data collected. Also, since in IoT Forensics there is less certainty about the source of data and who created or modified the data, it makes it difficult to extract information about ownership and modification history of the data in question.

With most of the IoT devices not storing metadata such as timestamps or location information along with issues created by different time zones and clock skew/drift it is difficult for investigators to create causal links from the data collected and perform analysis that is sound, not subject to interpretation bias and can be defended in court.

E. Attack and Deficit Attribution

IoT forensics requires a lot of additional work to ensure that the device physical and digital identity are in sync and the device was not being used by another person at the time. For example, if a command was given to Alexa by a user and that is evidence in the case against them then the examiner needs to confirm that the person giving the command was physically near the device at the time and that the command was not given over the phone remotely.

F. Evidence Presentation

Due to the highly complex nature of IoT forensics and how the evidence was collected it is difficult to present the data in court in an easy to understand way. This makes it easier for the defense to challenge the evidence and its interpretation by the prosecution.

VI. Opportunities of IoT Forensics

IoT devices bring new sources of information into play that can provide evidence that is hard to delete and most of the time collected without the suspect’s knowledge. This makes it hard for them to account for that evidence in their testimony and can be used to trip them up. This information is also harder to destroy because it is stored in the cloud.

New frameworks and tools such Zetta, Kaa and M2mLabs Mainspring are now becoming available in the market which make it easier to collect forensic information from IoT devices in a forensically sound way.

Another group is pushing for including blockchain based evidence chains into the digital and IoT forensics field to ensure that data collected can be stored in a forensically verifiable method that can’t be tampered with.

Conclusion

IoT Forensics is becoming a vital field of investigation and a major subcategory of digital forensics. With more and more devices getting connected to each other and increasing the attack surface of the target it is very important that these devices are secured and have a sound way of investigating if and when a breach happens.

Tools using Artificial Intelligence and Machine learning are being created that will allow us to leverage their capabilities to investigate breaches, attacks etc faster and more accurately.

References

Reardon. M. (2018, April 5). Your Alexa and Fitbit can testify against you in court. Retrieved from https://www.cnet.com/tech/mobile/alexa-fitbit-apple-watch-pacemaker-can-testify-against-you-in-court/.

M. Harbawi and A. Varol, “An improved digital evidence acquisition model for the Internet of Things forensic I: A theoretical framework”, Proc. 5th Int. Symp. Digit. Forensics Security (ISDFS), pp. 1-6, 2017.

Yakubu, O., Adjei, O., & Babu, N. (2016). A review of prospects and challenges of internet of things. International Journal of Computer Applications, 139(10), 33–39. https://doi.org/10.5120/ijca2016909390

Note: This was originally written as a paper for one of my classes at EC-Council University in Q4 2021, which is why the tone is a lot more formal than my regular posts.

– Suramya

April 12, 2022

How not to ask for help on Online Forums

Filed under: Linux/Unix Related,My Thoughts — Suramya @ 1:12 AM

It is quite normal to be stuck while exploring a new operating system, or a new programming language or anything new to be honest and one of the great advantages we have now is the ability to go online & search for answers on the Internet and if you are unable to find a fix then you can request for help on forums. There are forums specific to all sorts of niche areas and some of them are quite active. I doubt that it will be a surprise to many that I am part of multiple Linux Forums and in this post I am going to talk about a specific post on one of them that is a masterclass on how not to ask questions/how not to ask for help/how to ensure your questions are never answered.

Let’s start with the post, then we can dig into each line of this gem (The first line is the subject of the post and the rest are the contents). 

Linux is bad
Dear Linux users,

Here is the top 3 reasons, I think Linux is bad:
1- Hard.
2- NVIDIA drivers.
3- I don't know how to write shell scripts.

My friend told me that I don't need to, the community is very helpful.
So I thought I should test them and see if they can help me finish my simple shell homework.

Sorry for the bait. I will switch to Linux if I get help, but you probably don't care.
Hopefully there is a weirdo who will think this is fun.

I have a hard time believing this is not some troll posting crap just to get a rise out of people but if that is not the case then this goes out of it’s way to ensure people react badly to the request, so without further ado lets dig in. 

Here is the top 3 reasons, I think Linux is bad:
1- Hard.
2- NVIDIA drivers.
3- I don't know how to write shell scripts.

Ok, not a great start. You are posting on a linux forum stating that it is bad because you find it hard, and don’t know how to write shell scripts. (I will partially give them the point about NVIDIA drivers because historically they have been a pain.) How is it Linux’s fault that you don’t know how to write shell scripts? Did you honestly believe that the creator of the OS should have come to your house to teach you shell scripting so that you don’t find it ‘hard’? There are multiple resources online that teach shell scripting, including some great courses on Udemy, YouTube, Coursera etc etc. All you have to do is be willing to put in the effort.

To the other point about Linux being hard, it is not. It is different than Windows and does things differently, that doesn’t make it hard. It’s just what you are used to, I use Linux for my primary OS and when I have to troubleshoot my wife’s Windows 11 laptop there is usually a lot of cursing involved. When I started with Linux it was the other way round, for the longest time I kept trying to do things the ‘Windows way’ and it didn’t always work. However, once you take time and explore the system the flexibility it gives you is fantastic. Don’t like the Desktop UI, change to a different one, don’t like the file manager, use a different one etc etc.

My friend told me that I don't need to, the community is very helpful.
So I thought I should test them and see if they can help me finish my simple shell homework.

Umm, who do you think you are that you need to test the community. Plus ‘testing’ by having them do your homework is not testing. This is called negging, where you give backhanded compliments and generally making comments that express indifference toward another person (in this case an Operating System) in an attempt to get them to go out of their way to impress you/do things for you. It is a tactic used by pickup artists to get women by putting them down so that they would go out with them/sleep with them to gain their approval. Sorry, that only works with emotionally distressed folks and not folks on a technical forum. We have no need to gain your approval.

Someone on the forum had the perfect answer for this: “The community is helpful, but you seem to have put more effort into trying to get someone else to do your homework for you, than into actually doing it yourself. We aren’t going to do your homework for you (and if you bothered to check the LQ Rules and “Question Guidelines” you’d see that), but we will help you if you’re stuck. “

Sorry for the bait. I will switch to Linux if I get help, but you probably don't care.

Yes we don’t care and why should we care that you swtich to Linux? Do you think you are someone important? This person needs to realize that they are not the center of the universe and that it is irrelevant to others if they decide to switch to Linux or not. Honestly speaking I don’t care if you use Linux or not. Linux users (for the most part) are no longer the anti-Microsoft zealots who will try to force you to use Linux. In my opinion you should use it if you like it, if you feel Windows or Mac works better for you, use that. 

Hopefully there is a weirdo who will think this is fun.

What a way to encourage people to help you! As calling people names is sure to make them want to help you… Right? No? How is that possible??? I thought I was the center of the universe and all the lesser people would fall over themselves to help me as they should feel honored that I am allowing them to help me.

Nope, it doesn’t work that way. It only works like that in movies (and maybe in some of the schools/colleges) where the Jocks/popular kids are treated like divine beings and others fall over themselves to help them so that they can bask in the glory of having interacted with the cool kids. Real life doesn’t work like that and most places you will be laughed out if you try to do this nonsense at work.

If you want help it helps to be humble, talk about what you have already tried, what specific portion is giving you problems and stow the attitude.

Interestingly enough people on the forum still gave hints on how they could approach the problem and pointed them to resources that can help if they put in the effort.

What do you think? Is it ok to post for help like this? Would you answer this person if you came across the post?

Original forum post in all it’s glory: linux is bad for reference.

– Suramya

April 11, 2022

I am now a Certified SOC Analyst (CSA)

Filed under: Computer Security,My Life,Tech Related — Suramya @ 5:08 AM

Over the weekend I gave my first Cybersecurity Certification exam and I am now a Certified SOC Analyst (CSA). 🙂 This is the first of five certifications I will be completing this year as part of my Degree in Cybersecurity.


Certificate No: ECC2945876310

The exam was interesting and for me the hardest part was remembering all the Windows event codes as I have a hard time remembering numbers. I feel that they should allow users access to their windows system (registry/event logs) as in a real life scenario we would always have access to the system and internet. Testing without the ability to search the internet doesn’t make much sense as it is not realistic.

That being said, I am looking forward to the next certification exam which I am planning to take end of the month/early next month.

Well this is all for now. Will write more later.

– Suramya

January 29, 2022

Getting random values from the quantum fluctuations of vacuum using an API

Filed under: Computer Security,Interesting Sites,Tech Related — Suramya @ 10:35 PM

Generating truly random numbers programmatically is something that sounds like it should be simple to do but is in fact quite hard. Most algorithms that generate numbers are in fact pseudo-random numbers, which means that they look random but can be predicted at times. So the ability to generate/get truly random numbers is a big deal. Cloudflare uses a wall to wall setup of Lava Lamps to generate random numbers that are used to encrypt the traffic on their servers. Other organizations have other methods where they measure the atmospheric radiation, sound etc etc.

The ANU QRNG website managed by Australian National University offers true random numbers to anyone on the internet. The random numbers are generated in real-time in the lab by measuring the quantum fluctuations of the vacuum.

They have API access enabled for accessing the numbers and users can download blocks of random numbers as well as a .zip file which is updated periodically.

The vacuum is described very differently in the quantum physics and classical physics. In classical physics, a vacuum is considered as a space that is empty of matter or photons. Quantum physics however says that that same space resembles a sea of virtual particles appearing and disappearing all the time. This is because the vacuum still possesses a zero-point energy. Consequently, the electromagnetic field of the vacuum exhibits random fluctuations in phase and amplitude at all frequencies. By carefully measuring these fluctuations, we are able to generate ultra-high bandwidth random numbers.

This website allows everybody to see, listen or download our quantum random numbers, assess in real time the quality of the numbers generated and learn more about the physics behind it. The technical details on how the random numbers are generated can be found in Appl. Phys. Lett. 98, 231103 (2011) and Phys. Rev. Applied 3, 054004 (2015).

I think this is a cool application and a lot of reputable sites/users are using this for their setup so it seems like a reputable source of random numbers. I would still take these numbers and then use that as the seed in a pseudo-random generator and use that result in your application instead of using the number directly.

– Suramya

January 28, 2022

IoT Devices and Reducing their Impact on Enterprise Security

Filed under: Article Releases,Computer Security,My Thoughts,Security Tutorials,Tech Related — Suramya @ 11:34 PM

IoT devices are becoming more and more prevalent in the corporate world, as they allow us to automate tasks and activities without manual intervention, which increases the risk to the organization by increasing the attack surface available to attackers. This is because IoT devices can act as entry points to the organization’s internal network. In order to reduce the security impact of these devices the attack channels and threats from the devices need to be mitigated. This can be done by implementing the suggestions in this paper

IoT or Internet of Things is a collection of devices that are connected to the internet and can be controlled over a network or provide data over the internet. It is one of the fastest growing markets, with enterprise IoT spending growing by 24% in 2021 from $128.9 billion. (IoT Analytics, 2021). This massive growth brings new challenges to the table as administrators need to secure IoT devices in their network to prevent them from being security threats to the network.

IoT devices allow us to manage, monitor and control devices and sensors remotely which in turn allows us to automate tasks and activities without manual intervention. But this capacity comes at an increased risk of vulnerability due to a massive increase of the attack surface available. They are becoming more and more prevalent in an enterprise setting, especially in the office automation and operational technology areas. This increases the risk to the organization by increasing the possibility of threats in areas that traditionally don’t pose cyber security risks.

IoT devices can act as entry points to an organizations internal network and be used to exfiltrate data from the network without raising flags. In 2018, attackers used a compromised IoT thermometer in the lobby aquarium of a casino to breach their system and exfiltrate their high-roller database (~10GB of data) out of the corporate network to servers they controlled via the thermostat. (Williams-Grut, 2018).

In this paper we will review some of the major threats and attack channels targeting IoT devices and look at how we can reduce the impact of these threats on the enterprise security.

IoT Threats and Attack Channels

IoT devices have multiple attack surfaces due to their design and usage. We will cover the major vulnerabilities in this section along with mitigation steps for each threat and attack channel.

A. Physical Vulnerabilities

Since these devices are usually physically deployed in the field in addition to the typical software and communication vulnerabilities, they are also vulnerable to physical attacks where the device can be physically modified to gain access. Some of the examples of Physical attacks are as follows:

  • Attackers physically remove the device memory or flash chips to read & analyze the data and software on the chip.
  • Attackers tamper with the microcontroller to gain access to or identify sensitive information
  • Physically modify the device to return incorrect data or telemetry. For example, camera’s or motion sensors overseeing sensitive locations could be modified to ignore breaches.
  • Use the device connectivity to act as a bridge to gain access to the corporate network.
  • Attackers authenticate locally to the device using debug interface on the device to gain access to the device internals

The best way to protect against such attacks is to ensure the following preventive measures are taken for all devices on the network:

  • Ensure that the device or sensor is not easily accessible physically.
  • All sensors and devices should have tamper proof seals installed on them with regular checks to verify that they are not tampered with.
  • Unused ports, connections, diagnostic connectors etc should be physically disabled when possible.
  • If possible, ensure the devices have hardware-based security checks on it.

B. Outdated Firmware

Many of the IoT devices and sensors run older versions of Linux with no easy way to update the firmware, installed software or applications to the latest versions. This creates a major security risk as the device is running software with known security vulnerabilities which allows attackers to easily compromise a device.

There is no easy way to resolve this problem and protect the devices as a lot of these sensors and devices are not designed with security in mind. The best way to approach this problem is to ensure you are working with reputable device manufacturers who will ensure that appropriate support and updates are going to be available for the device/sensor.

The organization should review the recommendations by the IoT working group of the Cloud Security alliance on how to perform IoT Firmware updates securely and regularly. (Khemissa et al., 2018) The should also include the IoT sensors and devices in the organization’s update cycles which will allow them to ensure that patches and updates are installed in a timely manner on them.

Another option is to explore installing open source firmware and software on the IoT device/sensor if this option is available. The opensource firmware’s are usually updated more frequently and can be customized to better secure the device.

C. Hard Coded Passwords/Accounts

Some of the IoT devices have hard coded account passwords that cannot be changed, and this gives an attacker backdoor access to the device that is difficult to protect against. Hardcoded passwords are particularly dangerous because they are easy targets for password guessing exploits, allowing attackers to hijack firmware, devices, systems, and software etc. A famous case of such an exploit was found in 2017 when researchers found default hardcoded passwords in IoT camera’s manufactured by Foscam. (Heller, 2017) that gave admin access to anyone who used them. These passwords allow an attacker to gain access to the device and use it as a launch surface against attacks on the network.

Another famous attack exploiting this was by the Mirai malware in 2016. It scanned for and exploited Linux-based IoT boxes with Busybox (such as DVRs and WebIP Cameras) using hardcoded usernames and passwords. Once it gained access these devices were enrolled in a botnet containing over 400,000 connected devices which were then used to perform DDoS attacks on major companies across the world. (Fruhlinger, 2018)

To protect against these attacks, we should ensure the default passwords on all devices are changed frequently. An active pentest against the device should be conducted to uncover any hidden or hardcoded accounts. If any are found, the manufacturer should be contacted to prove an update to disable these accounts.

D. Poor IoT device management

A study published in July 2020 found that almost 15% of IoT devices on an enterprise network were unknown or unauthorized and between 5 to 19% of these devices were using unsupported legacy operating systems (Help Net Security, 2020). These devices make up what is known as a Shadow IoT network that is implemented without the knowledge of the organization’s IT team and can be a major weak point in the organization’s security perimeter.

The best way to protect against this scenario is to ensure regular scans are done on the network to identify any unknown or new devices connected to the network. The pentest will enable us to identify these unauthorized devices which can then be incorporated into the official network and update cycle or disconnected depending the requirements. Another way to find these unauthorized devices is to monitor and analyze network connections and traffic. New devices will change the network data flow, and this can be used to identify or locate new devices or sensors connected to the network.

E. Man-in-the-Middle Attacks

Communication channels in IoT devices are usually very trivially protected and an attacker can compromise the channel to intercept the messages between devices and modify them. This allows the attacker to cause malfunctions or show incorrect data. This can potentially cause serious harm if the targeted IoT devices are connected to or managing industrial or medical equipment. It can also allow attackers to hide their tracks and physical evidence of their work.

F. Industrial Espionage & Eavesdropping

IoT devices such as cameras, microphones etc are used to monitor sensitive areas or devices for problems remotely. If an attacker compromises these cameras, they allow them to visually and audially monitor their target compromising their privacy and potentially gaining access to sensitive data or video. For example, IoT cameras deployed in bedrooms have been used to record and leak intimate videos of the residents without their knowledge. Compromised security cameras have been used to record ATM pins entered by unsuspecting users.

Other steps that should be taken to reduce risk from IoT devices on your network:

  • Segregate your Networks: IoT devices should be on a separate segment of the network which is isolated from the production and user network with a firewall sitting between the two. This will allow you to block access to the production network from the IoT network which will prevent an attacker from gaining full access to the enterprise network in case they breach the IoT network.
  • Enable HTTPS/Encrypted connectivity for IoT devices: All connections to and from the IoT devices should be encrypted to protect against Man-in-the-middle attacks.
  • Deploy an IDS: Deploying an Intrusion Detection System (IDS) on the network can alert us to attack attempts. All alerts from the IDS should be investigated and verified.

These are just some of the attack surfaces available to attackers targeting IoT devices, in fact with the increase in computing power available to these devices they are almost mini computers and most of the attacks that impact traditional systems such as servers or desktops can target IoT devices as well with minimal modifications. So, it is essential that security trainings are conducted for all employees in the organization to make them aware of the risks posed by IoT devices and train the security team in methods to secure these devices from attackers.

Note: This was originally written as a paper for one of my classes at EC-Council University in Q3 2021, which is why the tone is a lot more formal than my regular posts.

– Suramya

January 27, 2022

New MoonBounce UEFI Bootkit that can’t be removed by replacing the Hard Disk

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 1:05 AM

Viruses and malware have evolved a lot in the past 2-2.5 decades. I remember the first virus that infected my computer back in 1998, it corrupted the boot sector and the partition table to the point where I couldn’t even format the drive as it wasn’t detected by the OS. I tried booting via a floppy and running scandisk on it (this is on DOS 6.1/Windows 3.1) but it wouldn’t detect the disk, same issue with Norton Disk Doctor (NDD). Was scared to tell the parents that I had broken the new computer but after a whole night of trying various things based on conversations with friends, suggestions in books etc I managed to get NDD to detect the disk and repair the partition table. After that it was a relatively simple task to format the disk and reinstall DOS. Similarly all the other viruses I encountered could be erased by formatting the disk or replacing it.

There were a few that tried using the BIOS for storing info but not many. I did create a prank program that would throw insults at you when you typed the wrong command every 5th boot. The counter for the boot was kept in the BIOS. But this didn’t have any propagation logic in the code and had to be manually run on each machine, plus it had to be customized manually for very new BIOS type/version so wasn’t something that could spread on its own.

With the new malware/viruses that have come out in the past few decades we are seeing more advanced capabilities of propagation and persistence, but till now you could still replace the drive infected with a virus and be able to start with a clean slate. However, that has now changed with the new MoonBounce UEFI Bootkit which can’t be removed by replacing the Hard Drive as it stores itself in the SPI flaws memory that is found on the motherboard. Which means that the bootkit will remain on the device till the SPI memory is re-flashed or the whole motherboard is replaced. Which makes it very difficult and expensive to recover from the infection.

Securelist has a very detailed breakdown of the Bootkit which you should check out. The scary part is that this is not the only bootkit that uses this method, there are a few others such as ESPectre, FinSpy’s UEFI bootkit that prove that the capability is becoming more mainstream and that we should expect to see more such bootkits in the near future.

Source: Slashdot: New MoonBounce UEFI Bootkit Can’t Be Removed by Replacing the Hard Drive

– Suramya

January 26, 2022

Got a new Biometric lock installed

Filed under: My Life — Suramya @ 3:39 AM

Yesterday I finally replaced my old Biometric lock that I have been using for the past 8 years with a newer model. The old one was still working fine for the most part but gave a fright a few weeks ago when its batteries died (I think that is what happened) and I couldn’t unlock the door. We did have a manual override key for the lock but I guess I don’t know my own strength because I broke off the key (in the lock) when I tried to unlock using the key. It looked like I would have to break the lock to get in but thankfully I remembered at the last minute that the lock had the option of providing power externally and was able to unlock using a 9 volt battery. Due to this and other small issues that were cropping up in the lock we decided to replace the lock with a newer version.

Searching online I found a lot of locks available but decided against most of them because I didn’t want the lock to be internet connected. There are enough security issues with the apps and I don’t like the idea of random folks being able to connect to my lock remotely for fun and profit. Finally narrowed down to two options, 1st was a godrej model and the other was the one we got. The Godrej one looked good but as per their support team required a door with a min thickness of 42mm and our door is only 35mm. We could have gotten extra plywood put in to thicken the door but since the other option was 10k cheaper, had more functionality and didn’t require modification we decided to go with that one instead.

Ordered the lock online and it was delivered in ~3 days, installation took a while because they took a while to assign a technician for some reason but after yelling at them for a bit (and offering to return the lock) it was finally installed yesterday. The installation person was pretty good and the whole thing took about 40 mins to complete.

Now with the new lock I can unlock the door with Finger prints, pin, RFID card and manual override key. In case of power going off it has the option of using a powerbank as external power so that is a relief. Plus it doesn’t require dismantling the handle to get access to the override key so that is a big advantage.

The new lock’s sensor is a lot more sensitive and processes faster than my old one. Thinking about what to do with the old one, one option is to send it to my parents place in Delhi another is to use it for secure storage here in Bangalore itself but that would require work and I honestly don’t have that many valuables that would require a biometric storage locker. In any case for now it is going into storage.

Well this is all for now, will post more later.

– Suramya

PS: I didn’t specify the lock model / make in the post specifically because I don’t think I want to make that public. But if you are interested in discussing more or are planning to buy you can reach out offline and we can talk in more detail.

January 25, 2022

Intentionally breaking popular opensource projects for… something

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 10:23 AM

Recently Marak Squires, the developer of extremely popular npm modules Colors & Faker decided to intentionally commit changes into the code that broke the module and brought down thousands of apps world wide. Initially it was thought that the modules were hacked as others have been in the past, but looking at the commit history it was obvious that the changes were committed by the developer themselves. Which brings us to the question of why on earth would someone do something like this? Marak didn’t explicitly state on why the changes were made but considering their past comments it does seem like this was done intentionally:

In November 2020, Marak had warned that he will no longer be supporting the big corporations with his “free work” and that commercial entities should consider either forking the projects or compensating the dev with a yearly “six figure” salary.

“Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn’t much else to say,” the developer previously wrote.

“Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.

The aftermath of the changes is that NPM has revoked the developers rights to commit code, their github account has been suspended and the modules in question have been forked. Now Marak is pleading for his accounts to be reinstated because the issue was caused due to a ‘programming mistake’ which seems like a far fetched excuse. Especially given how they made fun of the problem right after people reporting it. That doesn’t seem like the reaction we would see if this was a legitimate mistake.

My guess is that they thought this would play out differently with companies falling over themselves to give them money/contracts etc or something but didn’t anticipate how it would blow back on them. I mean if I was hiring right now and their resume came up I would think twice about hiring them because of this stunt. They have shown that they can’t be trusted and what is to stop them from making changes to my company’s software and bring it a screeching halt because they felt that they were not being paid their dues? I mean they have already done it once, what is to stop them from doing it again? This looks like a textbook example of what not to do in order to get people to work with you/hire you.

One of the things that I have heard from detractors of OpenSource software when I was pushing for it in my previous companies is the question about how can we be sure the software will be there a year for now and who do we blame if the software is broken and we need help. Stunts like this don’t help improving the image of Open Source software and this person is now reaping their just deserts.

The positive side is that because the code is opensource, it has already been forked and others have taken over the codebase to ensure we don’t hit similar issues going forward.

– Suramya

January 24, 2022

Citibank Bangalore – Doing a great job enforcing Covid Appropriate Behavior at their branch

Filed under: My Thoughts — Suramya @ 10:17 PM

Had to go to Citibank branch on MG Road, Bangalore today for some work and was extremely impressed by how well they are enforcing Covid Appropriate Behavior (CAB) at the branch. As I walked over to the entrance the security guard took my temperature and then asked me to wait outside as all the counters had people at them. As other folks came up to the gate the guy asked them to wait in queue and ensured all were maintaining 6 ft distance. A few people grumbled a little on being asked to wait outside but no one created a problem.

Once the counter freed up, I was allowed inside and proceeded with my work. Even while waiting inside, they ensured folks are not sitting close to each other and every single person inside was wearing a mask. It was nice to see such a well managed setup here. We can only control Covid spread by ensuring we all get vaccinated, wear a mask and follow CAB at all times.

– Suramya

January 23, 2022

Some thoughts on Crypto currencies and why it is better to hold off on investing in them

Filed under: Computer Related,My Thoughts,Tech Related — Suramya @ 1:26 AM

It seems that every other day (or every other hour if you are unlucky) someone or the other is trying to get people to use Crypto currency because they claim that it is awesome and not at all dependent on government regulations and thus won’t fluctuate that much. Famous people are pushing it, others like New York City Mayor Eric Adams are trying to raise awareness of the product and have decided to convert his first paycheck to Crypto, El Savador started accepting crypto currency as legal tender etc. However, the promises made by crypto enthusiasts don’t translate into reality as the market remains extremely volatile.

I see people posting on twitter that Crypto currencies are better because they are stable, but in my opinion if a currency can drop 20% because Elon Musk tweeted a Broken heart emoji then it is not something I want to use to store my savings. Earlier this week the entire Bitcoin market dropped over 47% from it’s high back in Nov 2021. Mayor Adams paycheck which was converted to crypto is now worth ~1/2 of what it was when he invested it, and that is a massive drop. Imagine loosing 50% of your savings in one shot. You might suddenly have no way to pay rent or emergency repairs/hospitalization etc. Even El Savador has seen its credit become 4 times worse than it was before it moved to Bitcoin. People there are complaining that the promised reduction in cost for conversion to/from international currencies is a myth as they are paying more than what they were paying earlier as transaction costs.

Another major issue with crypto currency is the ecological hit caused by the mining. According to research done by University of Cambridge, globally Bitcoin uses more power per year than the entire population of Argentina. The recent Kazakhsthan unrest and protests were sparked off due to surging fuel prices that were caused by the migration of Bitcoin miners to the country after China banned them. This caused a lot of strain on the electricity grid and required an increase in the prices which kicked off a massive protest that has caused untold no of deaths. There are multiple folks coming up with new crypto-currencies that claim to be carbon neutral but so far none of them have delivered on the promise.

Bitcoin is thought to consume 707 kwH per transaction. In addition, the computers consume additional energy because they generate heat and need to be kept cool. And while it’s impossible to know exactly how much electricity Bitcoin uses because different computers and cooling systems have varying levels of energy efficiency, a University of Cambridge analysis estimated that bitcoin mining consumes 121.36 terawatt hours a year. This is more than all of Argentina consumes, or more than the consumption of Google, Apple, Facebook and Microsoft combined.

Check out this fantastic (though very long – 2hr+) video on economic critique of NFTs, DAOs, crypto currency and web3. (H/t to Cory Doctorow)

In summary, I would recommend against investing in crypto currencies till the issues highlighted above are resolved (if they are ever resolved).

– Suramya

« Newer PostsOlder Posts »

Powered by WordPress