Sitaram Chamarty
565 followers|202,621 views

Sitaram Chamarty

http://www.theregister.co.uk/2015/08/24/smart_fridge_security_fubar/

"Samsung smart fridge leaves Gmail logins open to attack"

Let me fix that for you:

"Morons who need a fscking fridge to remind them of their appointments, when they already have at least one device that probably does that anyway, leave themselves open to attack".
3 comments
+Eric Hanchrow Smart only means "hackable"

Sitaram Chamarty

Schadenfreude!

http://lwn.net/Articles/654932

(Note: I stopped using Firefox for general browsing when they added this Pocket integration.  I use it only for some very specific sites that I need which are JS heavy enough to bog down Qupzilla too much.)

PS: the hole is a doozy, by the way; like "get /etc/passwd" level doozy.

Sitaram Chamarty

https://blog.filippo.io/ssh-whoami-filippo-io/

"just try this command (it's harmless)".  Heh!

I usually use a throwaway userid for everything, with "sitaram" being used only for email and documents that I write.

So I guess he did not get my public key!

But just to spice things up, I should probably have different public keys for different servers, and the id_(r|d)sa files should not even be present...

"Here's a fun PoC I built thanks to Ben's dataset. I don't want to ruin the surprise, so just try this command. (It's harmless.) ssh whoami.filippo.io For the security crowd: don't worry, I don't have any OpenSSH 0day..."
7 comments
This isn't so much about "who has access to your public keys" as it is "who has access to the association between your identities", e.g. GitHub will tell everyone which identity a particular public key is associated with. SSH will tell everyone [you connect to] which public keys you have available.  I definitely wouldn't consider "which public keys I have control over" to be a secret per-identity, but I definitely would consider "which identities I have control over" to be secret. E.g. "Will Palmer" on google+ is the same as "wpalmer" on github, but I can understand not necessarily wanting to reveal that such a person is also ksoze on bitbucket or wheisenberg on so-and-so AWS account.

Now, I thought I had long since passed the point of having too many keys for all keys to be attempted, but honestly I don't know if that's client-side or server-side.
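The per-server-key idea the post ends on, written out as a client configuration. This is an added example, not the post's or Filippo's code; the hostnames and key file names are made up.

```sshconfig
# ~/.ssh/config  (added example; hostnames and key file names are made up)
#
# With no configuration at all, the client offers every key loaded in
# ssh-agent plus the default files (~/.ssh/id_rsa, id_dsa, id_ecdsa,
# id_ed25519) to every server it connects to. Any server can therefore
# record which public keys you hold, and a public dataset such as
# GitHub's user keys turns that list into a list of identities.

# One key per service. IdentitiesOnly stops ssh from offering any
# agent key other than the one named in this block.
Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes
    PubkeyAuthentication yes

Host git.example.org
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes
    PubkeyAuthentication yes

# Catch-all goes last: ssh_config keeps the FIRST value it sees for an
# option, so the specific blocks above win. Hosts not listed above get
# no public key at all, which is the "id_(r|d)sa should not even be
# present" behaviour without deleting files.
Host *
    PubkeyAuthentication no
```

Note that `IdentitiesOnly yes` on its own still tries the default `~/.ssh/id_*` files if they exist, so keep every key under a non-default file name; `ssh -G <host>` prints the options ssh will actually apply to a given host, which is the quickest way to check the result.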

Sitaram Chamarty

well screw you too crunchbase...
2 comments
I gamely do.  And enable it only if I really really (really) need it.  (On a different userid).

Funny thing is, most websites which hide content if you don't enable JS, give it up quite nicely when you turn off style sheets also.  Layout is crap but you can get the content alright.

Sitaram Chamarty

Hacking Team runs crying... to whom?

Over the last few months to a year, I've taken to using the phrase "taxpayer-funded cyber-criminals" to describe NSA, CIA, and similar agencies of any country (even India has 2 such!).

With that bias clearly in mind, I certainly feel Hacking Team are criminals.

But the point is moot.  As Bruce Schneier said, they managed to piss off people who have death squads on their payroll.  And unlike the NSA/CIA, etc., they don't have a death squad of their own to call for backup.  Mere labels are not much to worry about in comparison.

Sitaram Chamarty

http://www.downthemall.net/the-likely-end-of-downthemall/

"It is safe to say, that Firefox will not be Firefox anymore as far as extensions go, but instead will become yet another Chrome-clone."

  -- (sarcasm alert!) yes but Pocket will still work right, because it's no longer an extension?  That's alright then...!

"Right now, it feels like I just learned my dear old friend Firefox is going to die."

  -- it's been dying for some time now.  It died for me when they did that Pocket thing.  Right now I'm using Qupzilla for most everything except some sites that are a bit too heavy for it.

It seems like this means even the one biggest "loss" I suffered by moving to Qupzilla -- vimperator/pentadactyl -- would have stopped working anyway, so I would have had to suffer that loss eventually.

Some consolation, that, in some weird way...
2 comments
+Prasad Murthy I think one of the reasons claimed was "protect from spyware and adware".  Sure if you denude the API of some of the more interesting parts it will be more secure, but that's just more GNOME-ification of Firefox.

I am perfectly capable of knowing what to install and where to get it from; they don't need to mother me.

(GNOME-ification: verb; recognising that some of your users are idiots, and therefore deciding to treat all of them like idiots)

Sitaram Chamarty

http://sitaramc.blogspot.in/2015/08/elixir-agent-fibonacci.html

...because posting code on G+ sucks (in fact I don't recall ever seeing any!)

"There's a theory that says "if you put a million monkeys in front of a million typewriters, in a few years you can get the collected works of Shakespeare". There's another theory that says the internet was invented precisely to test this :-) ..."

Sitaram Chamarty

Met Prof Eben Moglen today, at an open source convention that TCS organised in IIT Bombay.

I was flabbergasted that he knew who I was.  His colleague Mishi Choudhary, whom I'd met a couple of times, told him about me.  (Oh, and SFLC uses gitolite!)

We spent a fair bit of time discussing (the lack of a sufficient volume of) open source contributions from India, both the corporate sponsored and the hacker-at-home kind.

Question for you guys: could you respond with all the open source tools, products, etc., you know of that had significant contributions by someone in India?  I realised while we were talking that I never made an effort to find out, so maybe our guesses were below the mark, and there are actually many of them.

[edited to add: basically, India seems to have acquired the reputation of being essentially an open source leech, at some level, and I'm trying to figure out if that is true [at the moment it seems to be] and if so how do we change that, even in a small way]
7 comments
+Sitaram Chamarty yeah you are right on the money about bureaucracy.
I had created a simple plugin (cannot reveal the intention) atop the famous JavaScript library (this was 4 years ago). As this was created within the company premises, the IP was with them. While pitching my idea to open source the library, my manager gave me the same vibe.

Sitaram Chamarty

people say India is corrupt, and I agree that it is, in so many ways that affect the common man, much more than the average Western country.

But this: http://shadowproof.com/2015/08/03/federal-judge-strikes-down-idaho-ag-gag-law-defends-undercover-investigations-of-food-industry/ -- is way beyond anything I have seen in India; here the potential criminals got the law changed to suit themselves, and the victims had to go to a higher court to get that fixed!

Amazing... no wonder the US is a world leader :-)  I am sure our Indian politicians are taking notes!

(I did not read the actual ruling but if you want to, it is at http://media.idahostatesman.com/smedia/2014/09/04/15/15/2HJVP.So.36.pdf#storylink=relast, linked from http://www.greenisthenewred.com/blog/idaho-ag-gag-lawsuit-unconstitutional/8026/.)

"7 states have passed laws restricting the free speech of animal rights activists. Now a judge says the Idaho ag-gag law is unconstitutional."

Sitaram Chamarty

I always thought keyboard-interactive was only about 2 factor authentication; I never knew it could be used to supply your normal password too.  Learned something today...!

Anyway, even if CentOS/Fedora did not default to "off", the fact is that everything I manage -- even the web servers -- is behind "totport" (http://gitolite.com/totport/).  The actual servers, whether ssh or http or anything, may well be vulnerable to the latest attack, but you can't even reach them without giving the gateway a 2 factor auth code first!

Sadly, it only works for closed user groups where you're willing to take the pain to provision 2FA for them when they join the group; it won't work for truly "public" sites.
2 comments
there's a couple of "pictures" (hah!) on the totport page...

(betcha never expected me to come up with pictures!)

Sitaram Chamarty

So... my continuing saga of finding a reasonable replacement for firefox, after they did the completely-against-the-spirit-of-open-source bonehead move of upgrading Pocket integration from a perfectly working addon to "core"...

The latest "winner" is qupzilla.  Hopefully this will last a while.  Quite fast too.  Minus points: doesn't have keyboard customisations, so I had to wade into the C++ (me!  even C I can barely manage on some days, can you imagine me trying to grok C++?) and hardcoded a few keys.  "d" to close the current tab, "," and "." for history ack/forward, and "h/l" for tab prev/next.

What I am unable to do is map "b" to "PageUp"; seems like some of the more basic keys are handled by Qt itself, not by qupzilla.  Living with having to type "Shift-Space" for now!

Just for completeness, here are the other contenders:

dillo: fast. No JS, so very secure.  Did I mention fast?  But the layout leaves a lot to be desired -- not too far from lynx actually.  Having to pagedown 12 times to read an article on El Reg got old after a while.

midori: slow.  Often slower than even Konqueror (which is no mean feat, let me tell you!)  Crashes often and early.  I have no idea how xfce chose this to be their default browser.  Complete pile of shit.  (Dillo is much better -- it never crashed, and did what it promised, however little that may have been!)

conkeror: emacs key bindings.  'Nuff said!  (I believe there's a way to get vi bindings for it, but apart from a tantalising hint, nothing more!)

rekonq: no idea what it looks like.  "ps" shows the process is running but the UI never showed up!

icecat: did not try it yet.  This may actually be the strongest contender.  I'll watch their release progress for some time, but at present I want to see how a non-Gecko browser works for me.

#nomorefirefox #qupzilla #browsers
6 comments
isn't that considered a "downgrade" now, the ability to see flash?
Work
Occupation
aging geek, gitolite author (dayjob: TCS)
Story
Tagline
...one more monkey
Introduction
Sitaram Chamarty (keywords to determine if I'm the Sitaram you're looking for: CVS, GTS/MBR, ECK, ISICAL, TCS, Git, Gitolite.  The first 3 are not google-able -- you have to know me to know what they are; the rest are public)
Bragging rights
author of gitolite -- my only contribution to the open source world, which I've been leeching off of since 1995