Sitaram Chamarty
562 followers|199,503 views

Sitaram Chamarty (shared publicly):

well screw you too crunchbase...

2 comments:
I gamely do.  And enable it only if I really really (really) need it.  (On a different userid).

Funny thing is, most websites which hide content if you don't enable JS, give it up quite nicely when you turn off style sheets also.  Layout is crap but you can get the content alright.

Sitaram Chamarty (shared publicly):

Hacking Team runs crying... to whom?

Over the last few months to a year, I've taken to using the phrase "taxpayer-funded cyber-criminals" to describe NSA, CIA, and similar agencies of any country (even India has 2 such!).

With that bias clearly in mind, I certainly feel Hacking Team are criminals.

But the point is moot.  As Bruce Schneier said, they managed to piss off people who have death squads on their payroll.  And unlike the NSA/CIA, etc., they don't have a death squad of their own to call for backup.  Mere labels are not much to worry about in comparison.

Sitaram Chamarty (shared publicly):

http://apple.slashdot.org/story/15/07/19/1229202/apple-patents-bank-account-balance-snooping-tech

I'm equally surprised.  Despite my hatred for Apple (and my tendency to look down upon open source techies who use Apple products -- and sadly there are too many of those), I had believed that Apple makes enough money directly from their sheep^Wcustomers, not to have to indulge in facebook-like (or even google-like) shenanigans!  In fact that was the only advantage of their overpriced goods, that your "cost" is upfront and straightforward.
An anonymous reader writes: Apple's latest patent filings show that the company is looking into displaying advertising based on your available bank balance. If Apple moves forward with this type of technology it would be a complete 360 on its previous direction to not monetize everything they know ...

5 comments:
I think even "every service [and their mother]" will still be less than what this seems to imply.  But I'll admit it's been several years since I left the "land of the free" so maybe even swiping your credit card runs a credit score now ;)

Sitaram Chamarty (shared publicly):

I wish people would stop making crappy excuses to still use MD5.

"if you care about the chance of accidental MD5 collisions, you should be caring about accidental SHA1, SHA2, or SHA3 collisions as well." -- http://obnam.org/faq/checksum-safety/

Sounds somewhat specious to me.  Sure I care about collisions in all of them, but I have to care less (10^10 less!) in SHA1 than MD5, and even less in SHA256 (10^39 less!!), etc.

The actual probability depends on the number of messages in your corpus, not the size of messages.  Which is great, and you might think "oh I don't have so many files".

Well, in any dedup system (and definitely in obnam, if I understand correctly), a "message" is one chunk of a file, and a file can have many chunks.  So the number of messages is potentially much larger than the number of files in your corpus.  In fact this makes it dependent on the size of your files, contrary to normal logic for the probability of hash collisions.

I don't know what the relative probability of that is versus, say, getting hit by an asteroid, but it's definitely a lot better with even SHA1.

8 comments:
I can't find any public references to my work any more but the essence is to use a 16-byte sliding window, hash the window and take the min and max hashes. Mix down to a single hash. Similar sized blocks with the same hash very likely have small differences. I'm currently working on a 64-bit version but I have a partial SSE4.2 implementation of the original 32-bit hash: https://gist.github.com/barrbrain/9052705
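Added example (editor's code, neither obnam's nor the posters' or commenters'): the arithmetic behind this thread, carried through in Python. `collision_probability` is the birthday bound for n messages under a b-bit hash; `relative_risk` produces the 2^32 (about 10^10) and 2^128 (about 10^39) factors quoted in the post. The chunker is a generic content-defined scheme assumed here only to show how the number of "messages" tracks total data size rather than file count; it is not a description of obnam's actual chunking, and the sample files are constructed inside the block. One caveat the thread does not dwell on: this bound covers accidental collisions only. MD5's practical problem is that collisions can be constructed deliberately, and no corpus-size arithmetic addresses that.

```python
"""Accidental-collision risk for a chunk-deduplicating store, by hash width.
Editor's example; the chunking scheme is a generic assumption, not any tool's."""
import hashlib
import math

HASH_BITS = {"md5": 128, "sha1": 160, "sha256": 256}


def collision_probability(n_messages: int, hash_bits: int) -> float:
    """Birthday bound: P(at least one collision among n uniformly random b-bit
    digests) ~= 1 - exp(-n(n-1) / 2^(b+1)).  expm1 keeps precision when the
    probability is tiny, which it always is at realistic corpus sizes."""
    x = -(n_messages * (n_messages - 1)) / 2 ** (hash_bits + 1)
    return -math.expm1(x)


def relative_risk(weaker: str, stronger: str) -> int:
    """For the same number of messages, how many times likelier an accidental
    collision is with `weaker` than with `stronger`: 2^(difference in width)."""
    return 2 ** (HASH_BITS[stronger] - HASH_BITS[weaker])


def rolling_hashes(data: bytes, window: int, base: int = 257, mod: int = 2 ** 32):
    """Polynomial rolling hash over every `window`-byte window (toy, for chunking)."""
    high = pow(base, window - 1, mod)  # weight of the byte leaving the window
    h = 0
    for i, b in enumerate(data):
        if i >= window:
            h = (h - data[i - window] * high) % mod
        h = (h * base + b) % mod
        if i >= window - 1:
            yield i, h


def chunk_sizes(data: bytes, window: int = 16, mask: int = 0xFF) -> list:
    """Content-defined chunking (assumed generic scheme): cut after a byte whose
    window hash has its low bits zero, giving chunks of about mask+1 bytes on
    average.  Chunk count grows with file size, so the number of messages the
    hash must keep distinct grows with file size too."""
    sizes, start = [], 0
    for i, h in rolling_hashes(data, window):
        if (h & mask) == 0:
            sizes.append(i + 1 - start)
            start = i + 1
    if start < len(data):
        sizes.append(len(data) - start)
    return sizes


def dedup_message_count(files: list, algo: str = "sha256") -> tuple:
    """(files, total chunks, distinct chunks): the store hashes every chunk, so
    the birthday bound has to be evaluated on chunks, not on files."""
    seen, total = set(), 0
    for data in files:
        start = 0
        for size in chunk_sizes(data):
            seen.add(hashlib.new(algo, data[start:start + size]).digest())
            start += size
            total += 1
    return len(files), total, len(seen)


def pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic filler for the constructed sample files (SHA-256 counter mode)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(b"%d:%d" % (seed, counter)).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample corpus: three 16 KiB files, the third a copy of the first.
SAMPLE_FILES = [pseudo_random_bytes(1, 16384),
                pseudo_random_bytes(2, 16384),
                pseudo_random_bytes(1, 16384)]

if __name__ == "__main__":
    n_files, n_chunks, n_distinct = dedup_message_count(SAMPLE_FILES)
    print(f"{n_files} files -> {n_chunks} chunks ({n_distinct} distinct)")
    # A 10 TB corpus stored as 64 KiB chunks is about 1.7e8 messages.
    n = math.ceil(10 * 2 ** 40 / 2 ** 16)
    for name, bits in HASH_BITS.items():
        print(f"{name:7s} P(accidental collision) ~= {collision_probability(n, bits):.3g}")
    print("sha1 is", relative_risk("md5", "sha1"), "x less likely to collide than md5")
```

Running it shows the shape of the argument: the absolute probabilities are vanishingly small for every hash, but the ratio between them is fixed by the width difference, and the message count that feeds the formula is set by total bytes divided by average chunk size, not by the number of files.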

Sitaram Chamarty (shared publicly):

Reebok store in Hyderabad can't sell you stuff unless you have a cell phone and are willing to give the number to them.  What a bunch of morons...

(just to be clear, the staff were quite sympathetic -- their goddamn computer insists on a number in order to produce a receipt!)

#reebok #boycotting-reebok-from-now

6 comments:
+Łukasz Piwko
I eventually gave them a fake number (take landline, replace leading 4 with 7) because by that time the credit card stuff was already done, and I did not want to risk that being equally f-ed up in some way, causing me to have to follow up with my credit card issuer...

So... "do not spend money" --> "do not spend money in future", is what I will be doing.

Sitaram Chamarty (shared publicly):

Nice.  I hope all the people who support the NSA's taxpayer-funded cyber-crime, or the people who are clamoring for less encryption or backdoored-encryption in the software we use, etc., are all in the database.  Heck all the people in the NSA may be in it, for all we know.  And the FBI and CIA and all the other TLAs.

Maybe at least some of the individuals affected will realise what it feels like to be on the wrong side of a taxpayer-funded cyber-crime operation.

http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html
The breach of an Office of Personnel Management system with information on millions of federal employees and contractors could have “potentially devastating” counterintelligence effects.

2 comments:
The aadhaar database is not nearly as comprehensive as that one; have you seen the form?  It's an enormous amount of information...
Sitaram Chamarty (shared publicly):

I always thought keyboard-interactive was only about 2 factor authentication; I never knew it could be used to supply your normal password too.  Learned something today...!

Anyway, even if CentOS/Fedora did not default to "off", the fact is that everything I manage -- even the web servers -- is behind "totport" (http://gitolite.com/totport/).  The actual servers, whether ssh or http or anything, may well be vulnerable to the latest attack, but you can't even reach them without giving the gateway a 2 factor auth code first!

Sadly, it only works for closed user groups where you're willing to take the pain to provision 2FA for them when they join the group; it won't work for truly "public" sites.

2 comments:
there's a couple of "pictures" (hah!) on the totport page...

(betcha never expected me to come up with pictures!)

Sitaram Chamarty (shared publicly):

So... my continuing saga of finding a reasonable replacement for firefox, after they did the completely-against-the-spirit-of-open-source bonehead move of upgrading Pocket integration from a perfectly working addon to "core"...

The latest "winner" is qupzilla.  Hopefully this will last a while.  Quite fast too.  Minus points: doesn't have keyboard customisations, so I had to wade into the C++ (me!  even C I can barely manage on some days, can you imagine me trying to grok C++?) and hardcoded a few keys.  "d" to close the current tab, "," and "." for history back/forward, and "h/l" for tab prev/next.

What I am unable to do is map "b" to "PageUp"; seems like some of the more basic keys are handled by Qt itself, not by qupzilla.  Living with having to type "Shift-Space" for now!

Just for completeness, here are the other contenders:

dillo: fast. No JS, so very secure.  Did I mention fast?  But the layout leaves a lot to be desired -- not too far from lynx actually.  Having to pagedown 12 times to read an article on El Reg got old after a while.

midori: slow.  Often slower than even Konqueror (which is no mean feat, let me tell you!)  Crashes often and early.  I have no idea how xfce chose this to be their default browser.  Complete pile of shit.  (Dillo is much better -- it never crashed, and did what it promised, however little that may have been!)

conkeror: emacs key bindings.  'Nuff said!  (I believe there's a way to get vi bindings for it, but apart from a tantalising hint, nothing more!)

rekonq: no idea what it looks like.  "ps" shows the process is running but the UI never showed up!

icecat: did not try it yet.  This may actually be the strongest contender.  I'll watch their release progress for some time, but at present I want to see how a non-Gecko browser works for me.


#nomorefirefox #qupzilla #browsers  

6 comments:
isn't that considered a "downgrade" now, the ability to see flash?

Sitaram Chamarty (shared publicly):

From http://www.forbes.com/sites/thomasbrewster/2015/07/06/us-gov-likes-hacking-team/

<quote> In another, the Hacking Team CEO on 15 May claimed renowned cryptographer Bruce Schneier was “exploiting the Big Brother is Watching You FUD (Fear, Uncertainty and Doubt) phenomenon in order to sell his books, write quite self-promoting essays, give interviews, do consulting etc. and earn his hefty money.” </quote>

That's it, (insert swear word that rhymes with something-trucker), you're screwed.  I thought your stupidity was limited to using extremely weak passwords and keeping said passwords lying around in firefox.

But noooo; that's too pedestrian for you, and too many people have done it.  You had to go piss off Bruce Schneier.  You f-ing morons, haven't you ever read http://www.schneierfacts.com/ ??

(On a serious note, I really think their reaction to this has been nothing short of moronic, so I do call them morons; just not for the joke reason above!)

Sitaram Chamarty (shared publicly):

http://thestack.com/mastercard-online-payments-selfies-020715

>    According to Mastercard, it will not keep images of fingerprints or faces, but it will be able to reconstruct both from stored data.
>    "They're storing an algorithm, not a picture of you.  And I'm sure they're doing the appropriate stuff to guard it," assured Phillip Dunkelberger of biometrics firm Nok Nok Labs.

Umm... if it can reconstruct a fingerprint or face, it's more than just an algorithm!  Was the nok nok guy merely mis-informed or is he playing with words to mis-inform others?

As for the "appropriate stuff to guard it", I'm sure they are.  (Read that like "yeah right"!)

I've always maintained that biometrics are useless as authenticators, except possibly in a supervised setting.  Well, don't be fooled into thinking this is a supervised use.  The device is under the control of the attacker, so it's effectively unsupervised -- the app can certainly be given/sent fake data.

It would have been much better for security if the sensors came from the retailer.  But it would also be much worse for privacy; so I guess you can't win!

Also, I'm not sure if this can be called 2-factor authentication; it's at best a highly unusual variety: "what you are + what you are" instead of the more traditional "what you know + ( what you have or what you are )".

1 comment:
I agree 100%. I vaguely recall that some time back, people could unlock their laptop using that kind of mechanism. And it was shown that a high-resolution printout of your face was enough to break that 'security'.

Sitaram Chamarty (shared publicly):

and here's why I refuse to use even Chromium -- the supposedly free version of Chrome: apparently proprietary code managed to sneak into the Debian package.

Google managed to do it, and that too with a piece of code that is meant to listen in on your microphone!

I'm not even saying there was any mal-intent (though Google has long ago stopped using "don't be evil" as their motto, IIUC).  Regardless of intent, the fact that the project is related to a proprietary one, was my reason not to use it.

12 comments:
+Caleb Cushing
none of those reports worry me.  First, they're not shown on Linux.  Even if they happen, it has to be something really nasty to get root, since there are no setuid binaries in the firefox package.  Whatever is left over, my "extreme separation" (see long comment above) takes care of limiting my risk.

If I used Chrome, the potentially nasty stuff is inside the code.  Seriously, Chrom* listens to your microphone -- how many Chrome users (forget about Chromium users) knew that?

I am moving away from firefox (though not 100%, sadly) because of the Pocket integration -- I see that as the thin end of the wedge of putting some other proprietary crap in it next year.  Chrome started out proprietary, so -- regardless of how many security features it has -- it's off my list.

Sitaram Chamarty (shared publicly):

Installed Konqueror.  Am going to try it "as is" (i.e., no extensions addons etc) for some time and see what it feels like...

This Pocket thing is really pissing me off.  It actually doesn't affect me directly; maybe I'm being petty about the hypocrisy.

4 comments:
Dillo is what I have started using now.  It's bloody fast, if a little "rough" around the edges.

Midori is slower and takes more memory than konqueror, so... plonk.

So, final team lineup [edited]:
  - dillo for everything which doesn't need a login
  - konqueror if that doesn't work, but still "no login"
  - firefox if both those fail (so far, only google maps has shown up to be a bit wonky in konqueror)
  - konqueror in a different userid, falling back to firefox in that userid, for anything requiring a login (the separate userid for login stuff has been my practice for a few years now anyway).

Now all I have to do is wean myself away from vimperator muscle memory.  Half-way there.

As a bonus, since dillo does not "remember last used tabs", I now read a page completely -- including linked pages of interest -- instead of opening 40 tabs and keeping them lying around for months...!
Work
Occupation
aging geek, gitolite author (dayjob: TCS)
Story
Tagline
...one more monkey
Introduction
Sitaram Chamarty (keywords to determine if I'm the Sitaram you're looking for: CVS, GTS/MBR, ECK, ISICAL, TCS, Git, Gitolite.  The first 3 are not google-able -- you have to know me to know what they are; the rest are public)
Bragging rights
author of gitolite -- my only contribution to the open source world, which I've been leeching off of since 1995
Basic Information
Gender
Male