Sitaram Chamarty
560 followers | 197,335 views

Sitaram Chamarty

Shared publicly  - 
 
I wish people would stop making crappy excuses to still use MD5.

"if you care about the chance of accidental MD5 collisions, you should be caring about accidental SHA1, SHA2, or SHA3 collisions as well." -- http://obnam.org/faq/checksum-safety/

Sounds somewhat specious to me.  Sure I care about collisions in all of them, but I have to care less (10^10 less!) in SHA1 than MD5, and even less in SHA256 (10^39 less!!), etc.

The actual probability depends on the number of messages in your corpus, not the size of messages.  Which is great, and you might think "oh I don't have so many files".

Well, in any dedup system (and definitely in obnam, if I understand correctly), a "message" is one chunk of a file, and a file can have many chunks.  So the number of messages is potentially much larger than the number of files in your corpus.  In fact this makes it dependent on the size of your files, contrary to normal logic for the probability of hash collisions.

I don't know what the relative probability of that is versus, say, getting hit by an asteroid, but it's definitely a lot better with even SHA1.
8 comments
I can't find any public references to my work any more but the essence is to use a 16-byte sliding window, hash the window and take the min and max hashes. Mix down to a single hash. Similar sized blocks with the same hash very likely have small differences. I'm currently working on a 64-bit version but I have a partial SSE4.2 implementation of the original 32-bit hash: https://gist.github.com/barrbrain/9052705
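Putting numbers on the argument in the post above, as an added example (this is not obnam's code and not something from the original thread): the probability of an accidental collision is driven by the number of chunks, so it is computed from corpus size divided by chunk size, and the three digests are compared for the same corpus. The 1 PiB corpus and 64 KiB chunk size are constructed for illustration. One caveat the post does not make: the birthday bound only covers random collisions; MD5 collisions can be manufactured deliberately, which is the actual reason to stop using it in anything an attacker can feed data into.

```python
"""Birthday-bound estimate of *accidental* digest collisions in a chunked
(deduplicating) store.

Added illustration, not obnam's code.  The corpus and chunk sizes in
main() are constructed.  The bound says nothing about an adversary who
deliberately crafts two chunks with the same MD5; that is a separate,
practical attack that no probability estimate covers.
"""
import math

# digest length in bits for the three families compared in the post
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256}


def chunk_count(total_bytes: int, chunk_bytes: int) -> int:
    """Number of 'messages' the store actually hashes: one per chunk.

    This is why the probability ends up depending on corpus *size* rather
    than on the number of files: one big file contributes many chunks.
    """
    if chunk_bytes <= 0:
        raise ValueError("chunk size must be positive")
    return -(-total_bytes // chunk_bytes)  # ceiling division


def collision_probability(n_messages: int, digest_bits: int) -> float:
    """P(at least one colliding pair) among n uniformly random digests.

    Union bound over the n(n-1)/2 pairs, each of which collides with
    probability 2^-bits.  Accurate while the result is small, which is
    the only regime that matters here.
    """
    pairs = n_messages * (n_messages - 1) // 2
    return pairs / 2 ** digest_bits


def messages_for_probability(p: float, digest_bits: int) -> int:
    """Roughly how many messages it takes before the birthday probability
    reaches p: n ~ sqrt(2 p 2^bits).  The value returned is always on the
    safe side (its own probability is <= p)."""
    return math.isqrt(int(2 * p * 2 ** digest_bits))


def compare_digests(total_bytes: int, chunk_bytes: int) -> dict:
    """Accidental-collision probability per digest for one corpus layout."""
    n = chunk_count(total_bytes, chunk_bytes)
    return {name: collision_probability(n, bits) for name, bits in DIGEST_BITS.items()}


def main() -> None:
    # constructed scenario: a 1 PiB corpus stored as 64 KiB chunks
    total, chunk = 2 ** 50, 2 ** 16
    n = chunk_count(total, chunk)
    print(f"{n:,} chunks to hash")
    for name, p in compare_digests(total, chunk).items():
        print(f"{name:7s} P(accidental collision) ~ {p:.3e}")
    # and the other way round: chunks before MD5 reaches one in 10^18
    print(f"MD5 reaches 1e-18 at {messages_for_probability(1e-18, 128):,} chunks")


if __name__ == "__main__":
    main()
```

For the constructed 1 PiB / 64 KiB case the ratio between the MD5 and SHA1 figures is exactly 2^32 and between MD5 and SHA256 exactly 2^128, which is where the "10^10" and "10^39" in the post come from; the absolute numbers are what you would weigh against the asteroid.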

Sitaram Chamarty

Reebok store in Hyderabad can't sell you stuff unless you have a cell phone and are willing to give the number to them.  What a bunch of morons...

(just to be clear, the staff were quite sympathetic -- their goddamn computer insists on a number in order to produce a receipt!)

#reebok #boycotting-reebok-from-now
6 comments
+Łukasz Piwko
I eventually gave them a fake number (take landline, replace leading 4 with 7) because by that time the credit card stuff was already done, and I did not want to risk that being equally f-ed up in some way, causing me to have to follow up with my credit card issuer...

So... "do not spend money" --> "do not spend money in future", is what I will be doing.

Sitaram Chamarty

Nice.  I hope all the people who support the NSA's taxpayer-funded cyber-crime, or the people who are clamoring for less encryption or backdoored-encryption in the software we use, etc., are all in the database.  Heck all the people in the NSA may be in it, for all we know.  And the FBI and CIA and all the other TLAs.

Maybe at least some of the individuals affected will realise what it feels like to be on the wrong side of a taxpayer-funded cyber-crime operation.

http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html
The breach of an Office of Personnel Management system with information on millions of federal employees and contractors could have “potentially devastating” counterintelligence effects.
2 comments
The aadhaar database is not nearly as comprehensive as that one; have you seen the form?  It's an enormous amount of information...

Sitaram Chamarty

It's terrible that something so tremendously important to security is being buried by a geek site, and people have to resort to posting it in comments on unrelated stories.

"What /. doesn't want you to see": http://mobile.slashdot.org/comments.pl?sid=7477721&cid=49793333
http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/
SourceForge grabs GIMP for Windows’ account, wraps installer in bundle-pushing adware
3 comments
+Caleb Cushing it is very high, but I sometimes need a more-cynical-than-me viewpoint on some topics and -- if I wait a day or so after the story breaks -- I usually get something I had not thought of.  I can't do that for all stories of course...

Sitaram Chamarty

As you read about QUIC (https://docs.google.com/document/d/1RNHkx_VvKWyWg6Lr8SZ-saqsQx7rFV-ev2jRFUoVD34/edit?pli=1) it's not the tech ideas that are the "OMG!" part.  The OMG! is when you realise there is now a company that has enough of a monopoly on both the server side and the client-side that they can run an experimental protocol "in the wild" and get feedback to fix things.  I don't think even MS in its heyday had that!

At a tech level -- that is great!  But if you leave the tech aside... something to think about.
5 comments
+Jeff Mitchell 

from https://www.chromium.org/quic/quic-faq :

----8<----

How do I aim Chrome at the test server?

If you have an HTTP server, you'll need it to emit a response header that looks like:

    Alternate-Protocol: quic:<QUIC server port>

Then you can just run chrome as usual and it will automatically start using QUIC.

---8<---

Of course, I have not really tested any of google's services to check if their servers are doing this, and anyway I don't use Chrome (or even Chromium) so I can't be sure, but it definitely sounds like QUIC can be enabled without user intervention.

Sitaram Chamarty

Go was one of the languages I got excited about at one time, then walked away from because of the crazy compiler strictness.  I ranted about it somewhere (I think I likened it to "driving while having to swat mosquitos with both hands" -- very distracting) but I don't think I went far enough in criticising the designers.  http://www.evanmiller.org/four-days-of-go.html does much better -- it even psycho-analyses them!

quote: "Reading Go’s mailing list and documentation, I get a similar sense of refusal-to-engage — the authors are communicative, to be sure, but in a didactic way. They seem tired of hearing people’s ideas, as if they’ve already thought of everything, and the relative success of Go at Google and elsewhere has only led them to turn the volume knob down. "

Other quotes (please read the article for context): "feels like it is designed by an obsessive personality", "designer went too far, to the point of being antisocial", and "Rather than debate or engage, it was easier to make a new language and shove the new rules onto everyone by coupling it with Very Fast Build Times, a kind of veto-proof Defense Spending Bill in the Congress of computer programming."

And closer to the effect than the cause of all this: " the Go compiler's overt pedantry is a significant hindrance to trying out ideas with code".  Exactly!

I had the idea that an easy solution would be: make "go run" be lax, and "go build" be strict.  That would also fit right in with the "quickly test some code out" meaning of "go run" versus the more "production build" sense of "go build".

But the tone of some of the mailing list conversations I saw (or specifically, replies from the go bigshots on various threads) were such that I did not even bother to actually post that.  I already knew what the response would be (if there was one at all).
4 comments
"pseudintellectual arrogance of Rob Pike" -- http://dtrace.org/blogs/wesolows/2014/12/29/golang-is-trash/

...someone finally names the dude in a post, instead of saying "the designer(s)" and so on :)

Sitaram Chamarty

very nice... http://news.slashdot.org/story/15/04/20/1629237/george-lucas-building-low-income-housing-next-door-to-millionaires

Sadly this won't bother people like Zuckerberg, who apparently bought up all the estates around his house because he wanted... privacy!  It would be so nice to see a subsidised housing estate across the road from his home.
BarbaraHudson writes: His neighbors wouldn't let him build a film studio on his land, so George Lucas is retaliating in a way that only the cream of Hollywood could -- by building the largest affordable housing development in the area -- and footing the entire $200 million bill, no governme...

Sitaram Chamarty

and here's why I refuse to use even Chromium -- the supposedly free version of Chrome: apparently proprietary code managed to sneak in to the Debian package.

Google managed to do it, and that too with a piece of code that is meant to listen in on your microphone!

I'm not even saying there was any mal-intent (though Google has long ago stopped using "don't be evil" as their motto, IIUC).  Regardless of intent, the fact that the project is related to a proprietary one, was my reason not to use it.
12 comments
+Caleb Cushing
none of those reports worry me.  First, they're not shown on Linux.  Even if they happen, it has to be something really nasty to get root, since there are no setuid binaries in the firefox package.  Whatever is left over, my "extreme separation" (see long comment above) takes care of limiting my risk.

If I used Chrome, the potentially nasty stuff is inside the code.  Seriously, Chrom* listens to your microphone -- how many Chrome users (forget about Chromium users) knew that?

I am moving away from firefox (though not 100%, sadly) because of the Pocket integration -- I see that as the thin end of the wedge of putting some other proprietary crap in it next year.  Chrome started out proprietary, so -- regardless of how many security features it has -- it's off my list.

Sitaram Chamarty

Installed Konqueror.  Am going to try it "as is" (i.e., no extensions addons etc) for some time and see what it feels like...

This Pocket thing is really pissing me off.  It actually doesn't affect me directly; maybe I'm being petty about the hypocrisy.
4 comments
Dillo is what I have started using now.  It's bloody fast, if a little "rough" around the edges.

Midori is slower and takes more memory than konqueror, so... plonk.

So, final team lineup [edited]:
  - dillo for everything which doesn't need a login
  - konqueror if that doesn't work, but still "no login"
  - firefox if both those fail (so far, only google maps has shown up to be a bit wonky in konqueror)
  - konqueror in a different userid, falling back to firefox in that userid, for anything requiring a login (the separate userid for login stuff has been my practice for a few years now anyway).

Now all I have to do is wean myself away from vimperator muscle memory.  Half-way there.

As a bonus, since dillo does not "remember last used tabs", I now read a page completely -- including linked pages of interest -- instead of opening 40 tabs and keeping them lying around for months...!

Sitaram Chamarty

Looks like I will eventually be looking for a new browser... (and no I won't use Chrome, or even Chromium.  No single company should have such a large mindshare).

What annoys me most about this is (as was mentioned in one or more of the comments in that thread), Firefox has been removing features where they were better suited as extensions, especially when not everyone needs/want it.  Yet an interface to a clearly proprietary service is added to the core.  (There are even people in that thread who are "power/premium" users of Pocket, using the Pocket extension happily, asking why it is in core, because they are quite happy with it being an add-on.)

https://groups.google.com/forum/#!msg/mozilla.governance/2PYq2w8tejs/i_IindFDxxgJ
(Pasted from https://bugzilla.mozilla.org/show_bug.cgi?id=1172126. There are some comments on Hacker News at https://news.ycombinator.com/item?id=9667809). Mozilla's recent integration with Pocket, a proprietary third-party service, is a mistake. It is very exciting to see the ways in which ...
6 comments
more:  Firefox seems to be learning from GNOME.  They claim Pocket has been a pretty popular extension, but I looked at addons by number of users, and it's well over 60 (comes up on the 4th page from https://addons.mozilla.org/en-US/firefox/extensions/?sort=users).

So there are potentially 60+ other extensions which have a better claim of going in "core".

Sadly, none of them are commercial.

I'm an Indian.  I see so much corruption, that I immediately suspect someone is getting a kickback.  That's my story, and I'm sticking to it.

Sitaram Chamarty

from http://blog.easydns.org/2015/05/20/unfortunately-we-have-renewed-our-icann-accreditation/

awesome quote:
THANK ICANN
You can thank ICANN for this policy, because if it were up to us, and you tasked us with coming up with the most idiotic, damaging, phish-friendly, disaster prone policy that accomplishes less than nothing and is utterly pointless, I question whether we would have been able to pull it off at this level. We're simply out of our league here.

edited to add:

from http://blog.easydns.org/2014/01/21/icann-unleashes-deadliest-ddos-attack-vector-of-2014/

"Anybody familiar with the backstory behind this knows that policies like this were more about ICANN appeasing the Intellectual Property lobbies so they could roll out their precious new cashcows^w^w new TLDs than stopping cybercrime or holding anybody accountable for anything."

I've said before that the gTLD thing was a make-money-fast scheme.  In 2012, they made 6 times their FY11 budget (as per my calculations; see https://plus.google.com/u/0/115609618223925128756/posts/9RsTk1NGhqT).  Glad others thought so too...
personally I think  we should just kill whois info since it's generally all behind a privacy guard anyways...

Sitaram Chamarty

oh so totally cool!  I absolutely love this one...  it is truly heartwarming because it tells you that you are not alone, that the moronicity that spreads -grunge- glurge is NOT universal!
uggh; I typoed glurge as grunge.  And my daughter caught me out... now I won't hear the end of it for like a year or something :(
People
Have him in circles: 560 people
Work
Occupation
aging geek, gitolite author (dayjob: TCS)
Story
Tagline
...one more monkey
Introduction
Sitaram Chamarty (keywords to determine if I'm the Sitaram you're looking for: CVS, GTS/MBR, ECK, ISICAL, TCS, Git, Gitolite.  The first 3 are not google-able -- you have to know me to know what they are; the rest are public)
Bragging rights
author of gitolite -- my only contribution to the open source world, which I've been leeching off of since 1995
Basic Information
Gender
Male