Brain Barf

"Lo mashalon ko jala dala kisi ne" - Prasoon Joshi

2011-08-18T23:26:00.000-07:00

Below is Prasoon Joshi's beautiful poem "Lo mashalon ko jala dala kisi ne" on the current rise of the country against corruption. I heard it on TimesNow during Arnab's newshour on Aug 18th. As an aside, if anybody is interested I used the Hindi language ITRANS method on my Ubuntu 10.10 for keying in the poem. It works like a charm.

लो मशालों को जगा डाला किसी ने
भोले थे अब कर दिया भाला किसी ने

है शहर ये कोयलों का
ये मगर ना भूल जाना
लाल शोले भी इसी बस्ती में रेहते हैं युगों से
रास्तो मैं धूल है
कीचड भी है पर याद रखना
ये जमीन धुलती रही
संक्लप वाले आसुओं से
मेरे आंगन को है धो डाला किसी ने

लो मशालों को जगा डाला किसी ने
भोले थे अब कर दिया भाला किसी ने

आग बेवजह कभी घर से निकलती ही नही है
टोलियों जत्थे बनाकर चींख यूं चलती नही है
रात को भी देखने दो आज तुम सूरज के जलवे
जब तपेगी ईट तब ही होश में आयेंगे तलवे
तोड़ डाला मौन का ताला किसी ने
लो मशालों को जगा डाला किसी ने
भोले थे अब कर दिया भाला किसी ने

The poem is also available at http://blog.lipikaar.com/prasoon-joshi-poem-against-corruption/. A video is available at http://indiatoday.intoday.in/site/video/prasoon-joshi-poem-against-corruption/1/148420.html.

Ghostnet, Stuxnet, What next ??

2011-02-16T09:07:00.000-08:00

I recently attended the 18th NDSS conference in San Diego from Feb 6-9, 2011, which was keynoted by Liam O' Murchu, a Stuxnet expert from Symantec. Though the technical details about Stuxnet have been available since long, I found the talk exciting for the larger lessons that were shared from the whole episode. Below is a mix of notes from the talk and my ramblings. Warning: experts on this topic may find it boring !

By Symantec's own admission, Stuxnet is probably the most complex piece of targetted threat seen to date. It contains seven methods to propagate:

Using USB drives, which contained a rootkit exploiting a vulnerability in windows explorer's handling of .LNK files.

By exploiting a print spooler vuln.

By exploiting MS08-067, which allowed remote code execution on a vulnerable MS Windows 2000, XP or 2003 server by sending a specially crafted RPC request.

Spreading via Network shares.

Using P2P sharing for updating itself and for communication between different infected machines on a network.

By exploiting hard-coded passwords in WinCC (a Siemens software for SCADA process visualization).

Spreading via Step 7 projects (the IDE used for programming PLCs).

In essence, Stuxnet used 4 zero-day exploits, 1 known exploit, 3 rootkits, and 2 compromised certificates (from JMicron and Realtek semiconductors) to sign the rootkits.

Stuxnet is not a 'yet-another-worm' that randomly goes about accumulating vulnerable machines for spam/DDoS gains or brownies for its perpetrators. Its highly-targeted nature - targeting specific uranium enrichment facilities in Iran - suggests a focused military-style operation involving (a) extensive and careful intelligence gathering and planning, (b) a structured software design and development cycle and (c) an extensive test cycle involving various hardware and software. In addition, Stuxnet's highly configurable architecture (~430 different settings) gives its controllers incredible control and precision over its lethality and spread. Apart from its technical sophistication, Stuxnet convincingly demonstrates the oft-quoted "threat from targeted attacks " and acts as the quintessential bellwether of times ahead. While its predecessors, like the Chinese cyber-espionage network Ghostnet, brought to light the new face of remote-controlled espionage in the 21st century, Stuxnet ups the ante many notches by demonstrating the lethal potential of targeted cyber-power.

Stuxnet is the first known malware to target control systems hardware (PLC). PLC (Programmable Logic Controllers) are critical elements in industrial automation and are traditionally programmed from a Windows control PC which is air-gaped - disconnected from any network - for security. In my opinion, Stuxnet big achievement was in bridging the air-gap.

Key to Stuxnet's success lay in the detailed understanding of its target gathered during the intelligence gathering phase. Stuxnet had clear understanding of (a) the PLCs being used (Siemens s7-300, s7-400), (b) the detailed configuration within PLCs controlling the uranium enrichment, and (c) the software development environment (Step 7 from Siemens) and the methodology used for developing and deploying code.

It is believed that Stuxnet was delivered initially via USB to a small number of industrial process control companies connected to the uranium enrichment plant. Contractors from such companies write the actual PLC programs (as Step 7 projects) on workstations connected to the corporate LAN. Stuxnet thus spread using zero-day network exploits to as many LAN workstations possible. Workstations containing Step 7 were then infected by hiding a dll (containing the PLC rootkit) into a Step 7 project such that the dll got loaded as soon as the project was opened. Stuxnet then relied on the Step 7 project zip file being transferred across the air-gap to a Windows control PC via removable media like USB. Once on the control PC, Stuxnet modified the PLC as necessary, making sure to hide its modifications.

There were 100k infections reported worldwide with more than 60% coming from Iran. It is believed that infections outside Iran were not intentional and probably spread due to infected Step 7 projects shared between contractors in various countries. Additionally, the zero-day .LNK vulnerability proved widely successful. It is believed that Stuxnet managed to finally infect the Natanz and Busheir plants in Iran and there was a reported shutdown of Natanz. An IAEA report states 1000 centrifuges in Natanz were offline in Nov 2009 which is close to the type of PLC configuration that Stuxnet was targeting.

Stuxnet increases the bar for security professionals and system architects by derailing the commonly held belief of air-gaping critical systems for providing extraordinary security. My personal opinion is that Stuxnet, in some way, only reinforces what Albert Einstein famously quipped, "Every day, man is making bigger and better fool-proof things, and every day, nature is making bigger and better fools. So far, I think nature is winning". The lesson for security professionals is thus simple: Air-gaps don't exist! There will be a human (read fool) bridging the gap.

With the world racing towards making things 'smart', from smart washing-machines to smart power grids, one really wonders whether all this 'smartness' will end up making us look dumber than ever. The landscape seems to be shifting faster than we can grasp it.

The last decade witnessed has already witnessed the rise in politically motivated cyber attacks like the Titan Rain (2003 - 2005), DDoS attacks on Estonia (May 2007), DDoS attacks on Georgia (August 2008), Chinese cyber-espionage network Ghostnet (May 2009), Operation Aurora (Dec 2009-Jan 2010), Stuxnet (July 2010), Operation Payback (Dec 2010). The question is: What next?

Observations and Suggestions using Chromium OS - Part 1

2009-12-01T22:14:00.000-08:00

I synced my old repository and updated it to the Developer build (Mon Nov 30 4:35:10 UTC 2009). Build was successful. I copied image to a USB and booted my Acer Inspire from USB.

Observations

Boottime was about 12 seconds from USB. But still great!
My network did not connect at boottime so had to login using the local username and password. This happened every time i booted. Maybe the network settings will get saved once i boot from a local harddisk.
Once logged in i had to manually select my network and then login to gmail etc. etc. using my google credentials.
I then connected my Acer to a 19'' widescreen with 1440x900 resolution. Had to use xrandr to get the screen resolution right but was no fuss. Used the following command:

$ xrandr --output VGA1 --mode 1440x900 --rate 60.1
Tested using youtube, google docs, google reader, picasaweb, a couple of flash-heavy sites (royalsociety.org), google chat, google books, google wave. Everything seemed 'much much' faster than same accesses via firefox.
Clicking on PDFs opens them up in google docs. But trying to download did NOT seem to work.
For adjusting sound, had to use alsamixer from commandline to get the sound volume up. I wish there was a sound button in the GUI itself for the same.
Could not figure out how to setup my network printer to print my google docs.
While playing a youtube video it felt as if the browser crashed and then recovered itself. I cannot describe what exactly happened unless i debug this further.
Could not play any silverlight videos. I guess the plugin will come someday.

I have started seriously using this as my preferred OS for my netbook even  though i am running it off a USB. It actually doesnt feel any different at all. It is a fresh new experience and thats what makes it exciting i guess.


Suggestions

It strikes me now after using Chromium OS that we were actually having redundant software for most needs all the while. If the browser is capable of showing photos, opening PDFs, editing documents, playing music, videos and games then when the heck have any other software. What is missing if you are a programmer, is a platform for developing and testing software in the popular languages. But maybe even that can be incorporated into the browser easily. For example, a tab of the browser could upon up as a text editor and perhaps google could host a variety of popular compiler and library stacks to compile,link and run code (think like LAMP stacks but for developing code). A user then just submits his code and gets his output. Ofcourse, such a system would require careful thought and design as there are many many issues to be tackled. But just a thought.

On a side-note, i remember that i read somewhere a couple years ago that Blake Ross (the firefox guy) was working on an operating system called Parakey which was pretty similar in spirit to Chromium OS. Dont know what happened to that. Anybody?

Have a sound button in the GUI for adjusting volume.
Have a key accelerator (like Ctrl+/? from google reader) to display Keyboard shortcuts.

My notes, screenshots and first impressions on Google Chromium OS on VMware!

2009-11-20T03:50:00.000-08:00

I was eagerly awaiting the release of Googles ChromeOS (Chromium OS). Google opened up the source at about 10:30AM today and i have it compiled on my Ubuntu 9.04 and working on my Vmware Workstation. Phew! The following are my notes, screenshots and first impressions of the whole experience.

Updates : A few corrections based on comments by Ethan.

Updates: I have uploaded my VMWare disk (.vmdk) here. Its about 350MB tar gzipped. MD5 Checksum is 8b158acfff42572dce632fdcb0707009. To use this vmdk one needs to first create a virtual machine and give the path to this vmdk file as the logical disk. Note that this is NOT .vmx but .vmdk. Thus you cannot open this file in VMWare directly. You will need to create a virtual machine.

ChromeOS Getting Started Documentation

The documentation is pretty neat and things worked out-of-the-box for me. I did not have to hack even a line of script. Started by watching the videos and reading the documentation here.

Setup

My compile environment was a Ubuntu 9.04 ACER Aspire Netbook. I actually wanted to get ChromeOS running on the same Netbook but the documentation suggested that the Chrome install process will nuke the entire harddrive and so i opted for creating the VMWare Disk Image instead.

Building the Image

The whole process, right from reading the initial documentation to getting up the VMWare took me about 5 hours and most of it was spent creating the chroot environment, compiling the packages and the kernel. After that, the image building and the creation of the VMWare Disk was pretty quick.

Running ChromeOS on VMware

1. Bootup Time

Ofcourse, running it on VMWare meant that i could not test its claimed bootup speed! But the bootup definitely 'felt' faster relative to my other OS bootups on VMWare. ChromeOS creates a file called /home/chronos/chrome_startup.log which showed bootup time as 47seconds. I believe that is good on VMware.

2. Login Prompt

The login prompt is plain and simple blue with two boxes for username and password.I noticed two things here:

The username/password could be your gmail credentials.That means that your Google account could act as a profile store.Does this mean someone can use a ChromeOS device only when online? Or only having a google account? I am not sure as of now.
It also accepts the username/password that i created while i was building the code. I think this option would be disabled for regular users.

3. Login Using Google Credentials

To begin with, i logged in with my Google credentials and was presented the following error page saying that the security certificate for google.com was revoked. My login had succeeded.

This seems to be like a bug to me but i will have to do some more trials before concluding that this is a real bug.

4. Login Using regular credentials

I tried logging in with the testuser account that i had created earlier. That seemed to work fine and i finally got presented with a functioning chrome browser.

I could login into gmail.com, reader.google.com, docs.google.com etc. with my regular gmail credentials and could operate my account as usual. No problems. Things even seemed a tad faster in my slow VMWare.

5. Some UI features

From the above screenshot, its clear that all the user sees when he logs in is the chrome browser interface. There is no desktop and no icons. The only icons that i could spot are 4 on the top right: time, an inactive icon, networks and a drop-down menu. A single chrome icon exists to the top left. Clicking on it takes you to Google Shortlinks which i believe is Googles replacement for desktop icons with links to Google Products. Smell a monopoly in the making?
Update: Ethan points out that it will be far from a monopoly because whatever is web-based would be supported. I agree but i would like to wait and watch and would be happy to be wrong.

6. Task Manager and Resource Stats

Clicking on the top gives an option to open the Task Manager which looks as below. This is pretty much the standard task manager except that we see a lot fewer tasks in it. Also, it hints at the multiprocess nature of the Chrome browser.

Clicking on Stats for Nerds shows an additional memory usage view. This is equivalent to typing about:memory in the browser tab. I don't understand everything in the stats yet but will dig in later. For example, i don't understand what Proportional Memory is.

A minor point: the note in the above figure states that other browsers like IE and Firefox will also be shown here if they are running. This could be due to the fact that the Chrome browser code-base used is the one used for Chrome on desktops. Or maybe they really intend to do that in the future ?

I couldn't navigate any further and could not find out additional shortcuts or additional interesting options and settings. Will need to dig more in the documentation to see if there are more interesting peeks here and there.

7. Browsing of files

The file browser is contained in the Chrome browser itself. Typing file:/// in the address bar shows the root file system as seen when browsing a remote directory. Not the best way to navigate a local file system i guess.

8. Shell and command line tools

To get to the command line, one has to press Ctrl+Alt+T. Frankly, i could not figure out how to navigate back to the GUI or to other open command-line and i had to keep doing Ctrl+Ds on the command line to get back to the GUI.
Update: Ethan points out that typing exit takes us back to the GUI. It is essentially the shortcut Ctrl+D.

The most irritating aspect to me was that standard utilities like ifconfig, route etc. were missing.
Update: I missed this completely. You can access all of these commands by using sudo as Ethan pointed out correctly. Thanks for the correction.

I could use vi, python and the standard shell builtin commands as far as i tried. Also, I found apt-get and dpkg installed but it would not let me install any packages using apt-get (the locks were read-only). I am not sure if this is intentional or a bug.

Thats all i could get my hands on for today but this is the beginning and the exploration would continue.I will be digging into the documentation and source code and keep reporting nuggets of information as and when i discover it for myself.

Conclusion

ChromeOS is exciting and would get even more exciting in the coming months and years. I remember my Professor telling us in class that systems should be like 'Toasters' i.e. it must not be required to read a manual to operate it. ChromeOS is definitely a step in that direction. Also, the lean philosophy adopted by ChromeOS should reduce the burden on end users as far as managing and securing systems is concerned. Ofcourse, there will be newer challenges but atleast ChromeOS reduces the surface area of problems.

I think Google needs to watch out and not make ChromeOS a Google-Centric product. That may not be well received by consumers already struggling to break free of existing monopolies.

What can we learn from Craigslist?

2009-11-16T14:34:00.000-08:00

Ref: Why Craigslist is such a mess?

There is lots to ponder, learn and unlearn from Craigslist in this new information age. The following are a few simple lessons that i extracted from the following quotes in the above referenced article on Craigslist. The article is a great read.

Lesson 1: We may not have a single definition for doing good business but we can all agree on the fact that businesses exist to serve the public.

But seen from another angle, craigslist is one of the strangest monopolies in history, where customers are locked in by fees set at zero and where the ambiance of neglect is not a way to extract more profit but the expression of a worldview.

Lesson 2: David(s) have, are and will always trump Goliath(s) in every age.

It is difficult to overstate the scale of this accomplishment. Craigslist gets more traffic than either eBay or Amazon .com. eBay has more than 16,000 employees. Amazon has more than 20,000. Craigslist has 30.

Lesson 3: People work the best when they are allowed to work.

The long-running tech-industry war between engineers and marketers has been ended at craigslist by the simple expedient of having no marketers. Only programmers, customer service reps, and accounting staff work at craigslist. There is no business development, no human resources, no sales. As a result, there are no meetings. The staff communicates by email and IM. This is a nice environment for employees of a certain temperament. "Not that we're a Shangri-La or anything," Buckmaster says, "but no technical people have ever left the company of their own accord."

Lesson 4: If there are sufficient economic incentives, things will get done. Doesnt matter what side of the fence you are.

Captchas—distorted words that can be interpreted by humans more easily than by machines—tamed spam on craigslist for a while. Then it came back full force, not because the spammers had solved the difficult problem in artificial intelligence but because they had hacked an easier problem in global economics

Lesson 5: Simplicity and usability go hand and in hand. K.I.S.S always works.

Without a computer science research department to work on evil-fighting algorithms, or a call center to take complaints, Buckmaster has settled on a different approach, one that involves haiku. The little poems he has written appear on the screen at times when users might expect a helpful message from the staff. They function as a gnomic clue that what you are seeing is intentional, while discouraging further conversation or inquiry.Attempt to post a message that is similar to one you've already entered, and this may appear:
a wafer thin mint
that's been sent before it seems
one is enough, thanks
The slight delays in cognitive processing that these haiku cause are valuable. They open a space for reflection, during which you can rethink your need for service.

Using Mendeley effectively on multiple systems using an external storage drive

2009-10-28T14:06:00.000-07:00

If you do not already know, Mendeley is soon to become the defacto standard for storing, indexing, searching, ordering and sharing all your academic research papers. Its free download and easy to setup. Check the website to get a feel for it. I will not describe Mendeley here but will get to my point.

WARNINGS

The solution presented below worked for me. It may NOT work for you. There is destruction of state involved so please go through the complete post and decide for yourself. I am making certain assumptions about this solution, so make sure your assumptions match mine before trying this out.

Assumptions:

My environment is Mendeley Desktop v 0.9.4.1 running on Ubuntu 9.04.
I assume good familiarity with Linux and esp. Ubuntu.
I assume you have 2 working Mendeley setups on both systems. Will still work if you dont have but all steps may not apply.
I assume that you have access to the original data that you indexed with Mendeley.
The solution may break with future releases of Mendeley esp. if they change some of the document paths.
This solution may not easily port to Windows/ MAC though i believe the line of reasoning should still apply.
I have used Mendeley possibly since its first release and i am quite familiar with its interface / settings etc.

My Problem

I have 2 Ubuntu 9.04 systems (home and work) that i use for my research and i spend equal time on both of them. So i end up storing a lot of papers (my total collection is about 5000) on both. Once i discovered Mendeley (about 5-6 months back), i would index documents on both my systems separately and then sync up the bibliographies (and corresponding metadata like notes) with Mendeley Web (which is the online component of the Mendeley system). Now, though i had access to the full bibliography on both my systems, i could not access the corresponding documents on both systems i.e. i could only access documents on the system on which they were indexed.

Mendeley currently gives an online account with 500MB storage and allows storing documents in it. My collection is somewhere about 5GB and its not worth syncing that much anyway esp. since some of it is of proprietary nature. But i desperately needed a solution since i am so used to using Mendeley now and need it whenever i am doing my work.

So this is what i did:

Initial Setup

I got a 120GB external harddrive and formatted it with ext4 (filesystem doesnt matter).
Then I set the properties of the external drive to always mount as /media/extstor2. This ensures that we always have a constant path prefix whenever you attach the drive. This can be easily done by clicking properties of the drive, selecting Volume tab and fixing the mount point settings (works on Gnome).
Created two folders called db and papers on the new drive.

mkdir /media/extstor2/db

mkdir /media/extstor2/papers

On my home system

I first reset my complete database. WARNING: This will completely destroy the database (i.e. your bibliography and notes but NOT your documents). I hate this step but this was necessary because mendeley stores absolute paths to all its documents (you can dig into their sqlite3 database and see for yourself) and so if you just shift the database onto a new folder all references to documents get messed up. Even using the repair option of Mendeley doesnt fix this. This should be a good feature for them to add soon.

mendeleydesktop --reset

After this i logged into my online account and deleted the entire collection from there. Note that if you have any notes attached to the document, this is the time to save them. There is no easy way to do that except cut and paste into some text editor.Note that the above step is essential because i think Mendeley has a bug where if it synchronizes again with the online account after you have created a new local database things get extremely messy and it crashes. Talking with experience here.

Now come the tricks:

cd /media/extstor2/db
mkdir Mendeley\ Ltd.
cd ~/.local/share/data
rm -rf Mendeley\ Ltd.
ln -s /media/extstor2/db/Mendeley\ Ltd./ Mendeley\ Ltd.

What i am doing above is essentially repointing the database location to the external drive. Note that this also means that you will always require the external harddrive to use Mendeley.
Opened up Mendeley again. This time it should start with nothing in it and offer you to login into your online account. DO NOT LOGIN YET.
Opened Tools->Options and clicked on File Organizer.
Enabled the 'Organize My Files' tab and set the path to /media/extstor2/papers
Enabled other options as desired.
Now logged in to my online account and let it sync. Nothing should sync as nothing exists but it is good to let the desktop handshake with the web account.
I then added all my folders where i keep my collection. Luckily i had not deleted them.
After this i let Mendeley index my complete collection (takes time proportional to your collection and system speed). Took about 5-6 hours.
Once done, coped all the saved notes to the corresponding papers. Had to do manually :(.
Then i synchronized again with the online account.

At this point we have a working database stored on the external harddrive. Now take this drive to your other system and proceed as follows:

On the work system

Connected the drive to the system and mount it as /media/extstor2 to begin with.
Then set the properties of the external drive to always mount as /media/extstor2. This ensures that we always have a constant path prefix whenever you attach the drive. This can be easily done by clicking properties of the drive, selecting Volume tab and fixing the mount point settings.
Reset current database.

mendeleydesktop --reset

Tricks Again

cd ~/.local/share/data
rm -rf Mendeley\ Ltd.
ln -s /media/extstor2/db/Mendeley\ Ltd./ Mendeley\ Ltd.

Opened up Mendeley.
Opened Tools->Options and click on File Organizer.
Enabled the 'Organize My Files' tab and set the path to /media/extstor2/papers
Enabled other options as desired.
Now logged in to my online account and let it sync. Now i saw everything just the same way as my home system.
Added your desired folders for watching files on my work system.

That's it!!! Problem solved. Enjoy. Let me know if this solution solves somebody else's pain.

A possible Twitter Worm or Scam!

2009-10-13T01:02:00.000-07:00

I got 4 email messages today saying that 4 people (whom i do not know) are following me on Twitter. Seems to me to be a possible twitter scam with a possibility that it might be a new worm.

These are my observations for now:

All four accounts belong extremely good looking girls
All seem to be from Mumbai, India.
All have the same Bio line which says "I am smart and simple girl, wanting to make some good friends"
All have about 800 followers and are following about 400 people.
All have almost the same tweets which are a combination of marketing website links and some mundane tweets albeit in different order.
All accounts were created on Oct 6th.
The tweets are posted using a combination of API and Web with lots of them being from the web.API alludes to a script doing the posting.

Questions i have:

How did they get so many people to follow their accounts in such a short time? Seems to me like some bug is being exploited. Or maybe people really fell into the beauty trap?

If anyone is interested these are the four twitter accounts

http://twitter.com/mariya_gonzales
http://twitter.com/pari_choudhary
http://twitter.com/mansi_joshi
http://twitter.com/janhavi_agarwal

More updates as i debug this further!

Simple way to show India's Diversity

2009-10-12T15:08:00.000-07:00

Westeners who have never been to India or have never heard about it do not seem to get the fact the there is no language called "Indian" or food called "Indian Food" or music called "Indian Music". They just dont get the fact that India is NOT "yet another country with a language, food, culture and tradition". There is so much diversity in the country that the only way to think of India is as a country of countries (I am purposely not saying of 28 countries because there is so much diversity even within states).

A simple way to show India's diversity would be to take a currency note of any denomination and count the number of languages in which the denomination is translated. There are 17 in total. See for yourself

To know what those languages are check this link from Reserve Bank of India website. http://www.rbi.org.in/scripts/ic_languagepanel.aspx.

My critique of the article "Religion, Marxism and Slumdog

2009-03-17T23:29:00.001-07:00

My comments on this article "Religion Marxism and Slumdog" by Francois Gautier.

I disagree with the notion that "Slumdog Millionaire" conveys an utterly negative image of India and should be protested by the Indian Government (like the Chinese would have done). I dont understand why? The film shows the real life of people living under those conditions. Slums, poverty, corruption are an unfortunate part of our society today and we cannot run away from it. By not showing it we would not be getting rid of it. And in todays connected world (in the age of google and youtube), i am not sure information can be controlled anyways.
Why should we be like China? Comparison between a Communist and a Democratic government is an apple and orange case. If China would have responded, its because they want to maintain a controlled global image irrespective of what happens inside their country. India cannot do it because we are a democracy and rightly so.
Leaving aside the missionary part, which of the following : caste, poverty, child marriage, superstition, widows, sati, are a virtue of Hinduism? They may have served a purpose centuries back when the society was different but they have no purpose now. The mere fact that these are still used by upper caste people as exploitation tools is infact a huge shame on us. There is no doubt that missionaries have capitalized on this. But, what will the lower castes who become the victims of these vices do? For many of these people, escaping into another religion was probably the only answer.
Author says, "Today, billions of dollars that innocent Westerners give to charity are used to convert the poorest of India with the help of enticements such as free medical aid, schooling and loans." But, who is responsible for this? It is we ourselves. Everyone dreams of a good life and so do the poor. If the Government cannot fulfill its promises for the poor, the poor are going to find some other means of fulfilling their needs. I think instead of blaming the missionaries (whose work can be viewed as both good and bad in different contexts), we (the people of India along with the Government) have to solve our problems of poverty and caste. If that is done, there wont be any incentive for anyone to either get converted or convert others.
Author says that western authors portray detrimental images of India and especially talk of 'Hindu fundamentalism'. I personally believe that fundamentalism of any kind is wrong be it Hindu, Islamic, German etc.. What i would defend is "Hinduism" and its core principles and not fundamentalism. What RSS,Bajrang Dal and Shiv Sena do in the name of Hindutva is precisely what Osama Bin Laden does in the name of Islam. This is what Hitler did half a century ago. Do you agree with them?
The immediate paragraph says "Hinduism has given refuge throughout the ages to those who were persecuted at home: the Christians of Syria, the Parsees, Armenians, the Jews of Jerusalem, and today the Tibetans, allowing them all to practice their religion freely." The author is now talking of Hinduism here and not of any extremist philosophies and he is absolutely right now.
The notion that India only belongs to Hindus is complete bullcrap and Hinduism does not say anything like that. "Hindu Fundamentalists" say that.The central idea should be for people to unite and live in harmony irrespective of their religion, caste and color.
Finally, author asks, When will the West learn to look with less prejudice at India, a country that will supplant China in this century as the main Asian power? My question is why do we need an approval from the west. If we eradicate our own vices and solve our problems, everything will fall in line automatically. I believe that asking this question is what makes us subservient to the west more than anything else.

I found this article completely off. The line of reasoning did not appeal to me at all and the conclusions drawn do not follow from the arguments.

Gold Farming in the digital age

2009-01-30T22:14:00.000-08:00

Ever heard of 'Chinese Gold Farmers'? Read on.

Check out the following documentaries which investigate gaming workshops in China that hire people to play online games like World of Warcraft. The workers, called 'Gold Farmers' by Westerners, sweat it out in front of their consoles to collect virtual currency, equipments and produce whole characters, which are then sold for nifty amount to other players over ebay or trade portals.

Why does this industry exist? Well, because not everyone who wants to enjoy the game can spend insane amounts of time collecting virtual money and building their armory. Thus, many prefer to just buy characters and virtual currency from people who have already done the hard work.

Check out this link to get a taste of the amount of money involved in gold trade. To quote a price from the site, 30000G (i.e. in-game currency) is valued at 494USD. That is almost 60G per dollar.

People also trade characters. Some websites which i found out are

http://www.wowtrades.com/
http://www.buymmoaccounts.com/
http://mmotp.com/trade/

BBC News Coverage of this phenomenon

My favorite moments of Obama's Presidential Inaugaral Speech

2009-01-22T14:25:00.000-08:00

The following two lines from Obama's speech were my favorite moments

Moment 1:

To those who cling to power through corruption and deceit and the silencing of dissent, know that you are on the wrong side of history; but that we will extend a hand if you are willing to unclench your fist.

Moment 2:

We reject as false the choice between our safety and our ideals.

I believe that both these lines symbolize his philosophy of change and hope. They show his commitment to shedding worn-out dogmas and notions which have traditionally influenced US foreign policy decisions. The start has been great and one has to see how it all plays out over the next 4 years.

Interesting reads for the weekend

2009-01-16T12:58:00.000-08:00

1. 30th Anniversary of the Spreadsheet (Very interesting and sarcastic perspective on how the spreadsheet has shaped our society)

2009 marks the 30-year anniversary of the now-ubiquitous spreadsheet program. And society as a whole has deteriorated ever since its invention. It was the spreadsheet that triggered the PC revolution, with VisiCalc the original culprit. Can anyone say that we've actually benefited from its invention? Look around: I think we've suffered.

2. How undersea cables get repaired

Videos of how the repair process works.

[Update] This Alcatel page explains the process with text and a cool flash animation. It also has a section on how cables are laid in the first place.

3. Interview with an adware author

Very interesting business and technical insights into the dark part of the cyber-world.

4. 10-power saving myths debunked

5. Saving power in datacenters with DC power

Interesting article on how converting from AC to DC in datacenters may help save power.

In a typical datacenter environment, power conversions abound along the path from the outside utility pad to the servers. With each conversion, some power is lost. The power starts at the utility pad at 16,000 VAC (volts alternating current), then converted to 440 VAC, to 220 VAC, then to 110 VAC before it reaches the UPSes feeding each server rack. Each UPS converts the incoming AC power to DC power, then back to AC. The UPSes then distribute that AC power to their respective servers -- where it's converted back to DC. As much as 50 to 70 percent of the electricity that comes into the datacenter is wasted throughout this long and winding conversion process.

There's a more efficient approach, one promoted by Validus DC Systems: taking the utility-supplied 13,000 VAC and converting it directly to 575 VDC (volts direct current) using an outdoor-rated conversion unit, then running power into the datacenter over 1.5-inch cabling. Each rack in the datacenter then has a 575-to-48-VDC converter that is 95 percent efficient. The direct DC approach can save users 50 percent or more between cooling savings and elimination of conversion losses, according to Ron Croce, COO of Validus

The worlds first flying car : Terrafugia Transition

2009-01-16T11:35:00.000-08:00

OMG ! Check this out. The future of travel is here. Has the Jetsons era begun?

Terrafugia, a Massachusets based company is purportedly test driving its road-cum-air vehicle, the Terrafugia Transition, next month. Check out the animation of this vehicle in action here. The animation shows the vehicle as a two-seater with ability to fold its wings. Its currently priced at $200,000 :-) .

It will be interesting to see how this concept picks up. For one, it will require a host of changes in current laws and infrastructure. Simple problems like, how would one take-off and land and license issues (will a pilot license be required or a driving license will suffice?) will hinder the concepts adoption. It will be interesting to see if it solves any energy related issues or adds to existing problem.

Whether it takes off or not in the immediate future, it may well be the pioneer of things to come. I am certainly excited and would have even bought one if not for the current economic crisis :)))).

A dose of my photography

2009-01-12T11:10:00.000-08:00

Please visit my website to get an (over)dose of my photography. Pretty amateurish stuff but i am learning.

Also, i hacked up a simple perl script for generating web albums called geekalbumz. The idea behind this was to display the photograph metadata (or EXIF information) along with the photographs. This helps newbies like me to compare various photographs and learn the nuances.

Frank W. Abagnale and the irony of security industry

2009-01-05T01:15:00.000-08:00

If you remember that name then most probably you have seen the epic movie Catch me if you Can starring Leonardo DeCaprio and Tom Hanks. In short, the movie is about this guy Frank Abagnale, (played by DeCaprio) who figures out novel ways to commit check fraud and embezzle money posing as various people (as a pilot, as a doctor and as a lawyer). The movie is all about how the hacker mindset works and is a must watch if you are in the information security field. The movie is replete with examples of social engineering tricks that determined hackers so often use. Its a good way to train ones thinking in the ways of the hacker.

This movie not a work of fiction but is based upon a real guy who did these things in real life. This is the website of the real Frank Abagnale, who is now, not surprisingly, one of the world's most respected authorities on the subjects of forgery, embezzlement and secure documents. Check out his website for more details on his lifes work in the last 30 years. Ironically, the guy who literally started check-fraud has been at the helm of defending against it for the better part of his life.

This irony presents itself in the security industry again and again with the guys who now defend the world were the ones who were once defended against. There is nothing wrong with it and maybe thats the way it should be but i just found the thought very interesting.

Art of Elevator Pitching

2009-01-02T20:50:00.000-08:00

Elevator Pitching is the art of getting your point across to an executive in less than 60 seconds, i.e. about the time you have with an executive in an elevator.

This website is a place where enterpreneurs have to pitch their products to the audience in less than 60 seconds. Some of the pitches are really great. Check it out !

I remember my mentor once telling me the importance of "back-of-envelope" or "back-of-napkin" presentations to executives and this seems to be the same concept but on steroids. It makes a lot of sense, especially for IT Security guys where the investments don't always translate to a predictable ROI.

How the Indian IT Industry is tiding the current global crisis ? - A Nasscom Report

2008-12-08T11:38:00.000-08:00

PuneTech blog reports about a recent talk by Ganesh Natarajan of Nasscom on how the Indian IT industry is tiding the current IT crisis. The presentation can be found here. The report is full of graphs and figures and is a very interesting and motivating read.

My summary of the report

Inspite of global uncertainities, the revenue aggregate (from IT-BPO sector) as a percentage of GDP continues to rise (albeit a little less compared to the rises in previous years).
This growth (in the face of current global crisis) is partly due to entry into new market verticals like Airlines, Media and healthcare apart from Banking, Financial, Insurance and Telecom. This reduces dependency.
The industry is progressing towards providing more end-to-end services. The report cites the BPO industry as an example, where in addition to customer support, services like finance, accounting, HR, procurement and knowledge services are also being offered.
India is exporting its services to more and more regions (though US still holds 61% of the share). The fast growing areas are Europe and Middle East. This makes us less prone to mistakes made by "Superpowers" :).
The report indicates that by 2020 India will lead the world in working age population. The estimated work force in India will be 47mn compared to -17mn in the US. This extreme imbalance in work force will work towards India's sustained growth.

To ensure that India does not lose its advantage a number of initiatives are being undertaken:

IT Export services are being spread across more cities to manage pressure on Bangalore, Pune, Hyderabad, Chennai, Delhi.Nasscom identifies around 43 Tier 2/3 cities.
There is a comprehensive program in place for making Indias large talent force "employable". These include short-time objectives like making large investments in training, medium-term objectives like faculty development programs to train and sustain faculty (this is very very important given the current crisis of good teachers in our country) and long-term objectives like setting up new IITs, investing in technology innovation etc.

Embracing New Technology : The Twitter Case

2008-11-18T14:44:00.000-08:00

I am a technogeek and try to integrate new technology in my everyday life as much as possible. This post is about how i am using twitter.

As most of you may know, twitter is this short messaging service which people use to convey updates in real time. It has become the micro-blogging platform of choice and has many cool advantages, one amongst them being able to convey live updates using a computer, regular mobile or smart phones. These updates can then be fetched via RSS feeds.

I use twitter to tell people (whoever is interested) what i am currently upto. These are normally sent to my twitter account as an SMS from my mobile. The current status then appears on my webpage.

So the next time, you call me and i do not pick up the phone, please check the twit on my webpage!

IPv4 Countdown vs. State of IPv6

2008-11-16T17:31:00.000-08:00

The Internet Assigned Numbers Authority (IANA) is the body that manages the unicast IPv4 address pool (ie from 0.0.0.0 to 223.255.255.255.255). IANA assigns blocks of this space to the 5 RIR's (Regional Internet Registries) i.e. AFRINIC, APNIC, ARIN, RIPENCC and LACNIC. The RIR's use their distribution policies to further allocate addresses to local registries and ISP's which propogate them to the endhosts.

Potaroo.net predicts the following dates for the exhaustion of IPv4 address space.

Projected IANA Unallocated Address Pool Exhaustion: 04-Feb-2011
Projected RIR Unallocated Address Pool Exhaustion: 05-Mar-2012

A live down-counter counting number of days until we hit exhaustion of the IPv4 address space can be found here . This counter is generated using data from potaroo.net report The report is pretty detailed and explains the modelling used for predicting the dates. Please note that the modelling is based on current address distribution policies used by RIRs and current consumption trends. The following graph (from potaroo.net report) shows the current status of IPV4.

An explanation of the graph follows:

Note that there are 256 /8's where each /8 is 16,777,216 addresses.

IETF_Reserved : Blocks reserved for special purpose. It consists of 16 /8 Multicast blocks + 16 /8 reserved blocks + 1 /8 (0.0.0.0/8) block for local identification + 1 /8 (127.0.0.0/8) for loopback + 1 /8 (10.0.0.0/8) for personal use + 1 /8 (14.0.0.0/8) for public-data networks.

IANA_Pool : Pools of /8 left with IANA for allocation to RIRs.

Allocated : Allocated by IANA to RIR. This does not reflect current consumption because RIRs may have a pool of their own.

So much for IPv4. Now lets look at IPv6.

In 2008, there have been atleast 2 big studies around the state of IPv6.

The reports are detailed but these are a few interesting points.

1) Arbor networks experiment measured the total amount of IPv6 flowing in the backbone , and they note that

At its peak, IPv6 represented less than one hundredth of 1% of Internet traffic.

2) The biggest reason cited in the summary for the above observation is money.

Specifically, the department of commerce estimates it will cost $25 billion for ISPs to upgrade to native IPv6.

3) Googles effort measures the state of IPv6 from a end node perspective as opposed to the Arbor measurement. Their key observations are :

0.238% of users have useful IPv6 connectivity (and prefer IPv6).
0.09% of users have broken IPv6 connectivity.
Probably a million distinct IPv6 hosts exist.
Russia leads the chart in IPv6 penetration.
IPv6 prevalance is low but increasing steadily by the week.
IPv6 - IPv4 tunelling is the most common transition mechanism.
MacOS has better IPv6 penetration than Vista because of its default policies in the OSes.

So given the predictions about end of IPv4 and the rate of adoption of IPv6, are we ready for migration? In Feb 2008, ICANN added IPv6 addresses for 6 of the 13 root DNS servers (news here) which is a step in the right direction but is it enough to prod people to migrate?

I have the following concerns about the migration:

What would dictate the migration: economics or a better-future-internet?
Will ISPs be willing to pay the price?
Even if they are willing to do so, can the consumers and business transition to IPv6 seamlessly?
Will security products continue working the same way?
Are the vendors testing their implementations with IPv6 to make a simple software update to the tons of software already out there?
How will this migration be different in impact than the Y2k bug of the last century? Are these comparable in any sense?

I have a feeling that economics will dominate this race more than anything else. If the migration is going to cost a lot of money for businesses without any added value then there is bound to be a huge pushback. Somehow the cost has to be justified to them to make this transition happen and just saying address space exhaustion may not strike a chord with every business.

The Rise and Fall of Gas!

2008-11-02T23:34:00.000-08:00

People who have been following the economy know the state of gas (petrol) prices. But, I can provide a visual reinforcement of that fact, clearly showing the bumpy ride that gas prices have followed over the year. The following graph is plotted using data collected by me over the last one year on gas prices in the Southern California region (in Los Angeles County and Orange County). The way i collect the data is by diligently recording the date, the mileage since the last fuel fill, price of gas, gallons filled and location every time i visit a gas station to refill my car . This data helps me keep a check on my car's fuel efficiency and also serves as an early warning diagnostic system for problems. (As an aside, i once noted a consistent drop in my mileage over a period of 2-3 weeks. It turned out to be due to carbon buildup in my EFI system. Quick action probably helped me save some engine life :) ).

The plot clearly shows that gas prices started around $3.0 per gallon beginning of year, climbed all the way upto $4.7 / gallon in mid of 2008 and are falling to less than $3.0 / gallon at the end of year.

Can one predict which direction the curve is headed now ? I cannot.

The Anonymity Paradox

2008-10-30T00:01:00.000-07:00

Scott McNealy, the former founder CEO of Sun Microsystems, once famously remarked on Privacy : 'Get over it'. This was a very bold statement to make especially for the CEO of a reputed company but he nevertheless spoke out of his experience. Its almost ten years since that statement was made and anyone who even barely uses the internet today wouldnt disagree much with Scott, though all of us would still want to believe in a perfect world.

As an aside, Privacy and anonymity are closely linked though there are subtle differences. Anonymity is keeping ones identity secret while privacy can imply keeping identity plus other information secret. For the purposes of this post i will consider privacy and anonymity the same and use them interchangebly.
In my opinion, privacy and connectivity are complimentary ideas i.e. both cannot coexist. The moment you are connected to the internet, your privacy ceases to exist. I believe that this is an unfortunate but true fact and one that people often find hard to digest. But believe it or not, total privacy does not exist in a connected world. At some level, privacy is just like security i.e. there is nothing like total privacy just as there is nothing like total security.

I can offer many reasons for this :

Every time we do an online transaction and give out our Name, Address and Credit Card details, we are essentially "hoping" and trusting that the website will not leak out our data. Some informed users may go one step further and check if the website displays a secure logo like HackerSafe or McAfee Secure etc. Unfortunately, as detailed in this blog, it turns out that these certifications are mostly useless and can be easily sidestepped.

But name, address and credit cards are not the only definitions of identity and hence privacy. There are still many ways of inferring identity. A few of them are :

Almost all websites that you browse will always log your IP address which can always reveal you or your ISP or your Organization. That is, you can almost always be tracked back.
With the explosion of social networks and Wikis, we are getting into the habit of revealing too much information about ourselves, our families, pets and everything that was once personal to us to a much wider audience. This voluntary discloure of information is in effect resulting in very complex attacks on privacy as witnessed in the Sarah Palin and Paris Hilton case.
The notion of Googling for information has caught on so much that we inadvertently reveal "stuff" about ourselves to google when we type in the search bar.
Every time we open our gmail account and browse our emails, we also get with it some relevant advertisements placed alongside our emails. What this means is that there is a program out there that is parsing our emails and trying to "understand" us.
Websites that measure website usage statistics such as Google Analytics also impact privacy in some way by storing information about your visits to websites(tracked by your IP) on its servers.

All this is fine, but where is the paradox in all this?

To state simply, my Anonymity Paradox is :

While it is difficult to maintain anonymity on the internet for the common user, the same internet offers a magical cloak of anonymity for hackers.

I was myself amazed when this realization struck me. Users find it difficult to keep their identies secret but hackers get away with their mischief without hardly ever being tracked down. The big reason for existence of the malicious hacking industry is because of this cloakability that the internet offers. Purists might argue that the law has been able to track down hackers but i do not think they will disagree over the fact that the ratio of captures to hacking incidents is very apalling at best. Hackers typically get caught when they themselves make a stupid mistake which compromises their anonymity (for instance see how Palins hacker was caught).

So at one end we have people cribbing about privacy on the internet while at the other end we have bad elements basking in the glory of the anonymous internet. To me, it looks like this is the way it is going to stay. Just like fire does not know intent and it just burns whatever it is asked to burn, the internet just does what its being asked to.

Does this all make sense ?

A Linux solution for copying and burning DVDs

2008-09-20T21:47:00.000-07:00

The following are my experiences with copying and burning DVDs on Linux. To summarize the experience in a phrase : "It was a walk in the park".

Operating System Ubuntu 8.04

Tools of the trade

k9copy (for copying DVDs)
brasero (for burning DVDs)

Installation
Installation in ubuntu for the above packages is as simple as
$ sudo apt-get install k9copy
$ sudo apt-get install brasero

Procedure

Insert DVD into tray and open k9copy.
Choose File -> Open. This will load the DVD and show the chapters and titles as shown below. Select all the titles that you wish to copy.

Select Action -> Copy. You will be prompted for a location where the final iso file will be saved. Make sure that you have disk space atleast 2 times the size of DVD.
Leave all the options in the below pane as is unless you know what those options mean.
Once the copy starts you will be able to view the progress in the right-side pane.
The copy process creates a folder called dvd and an iso image in the location specified earlier.
You can remove the folder dvd as it is not required during the burning process.
Now to burn the iso image, open brasero and select the option for burning iso images.
Insert and blank DVD and start the burn process.
Enjoy !

In my experience, i have copied 4 DVDs and burnt around 12 DVDs and the whole process took slightly more than half a day. There were absolutely no errors and the original DVD quality was maintained in all the copied DVDs.

Announcing another blog !

2008-09-15T09:09:00.000-07:00

Hello dear readers (if any). I have started another blog (with a better purpose this time). The blog is about Indians and our innovations i.e. Jugaadu Indians and our Jugaads. The inspiration for the blog came to me while reading an article in August 24 issue of The Week. The article is about Indian Ingenuity and our innovations (or colloquially called Jugaads). The following quote by Dr. R. Mashelkar puts everything in perspective

"we should think of innovation as a movement. The I in India has stood for imitation and inhibition for far too long. It is high time it stood for innovation. And the best thing about this movement is that we have the jugaad energy of a billion of us to power it forward. "

The NEWS Equation

2008-09-11T12:18:00.000-07:00

Our life today is controlled by media. Be it newspaper, television, radio or the internet, we depend on news for a lot of our day-to-day decisions and sometimes even blindly. This fact is well understood by Media companies, Governments and Businesses alike. Unfortunately, it is also being used actively to mislead the common man. News today is no more the simple raw information but it undergoes a complex process of editing and mixing before being delivered. Thinking over it for some time, i feel that the Media companies operate a huge mixer which continuously churns out news according to the following equation

NEWS = x% Information + y% Hype + z% Personal Biases + w% Political Biases

Different media companies use different values for x, y, z and w and yield different types of news. A case in point is the recent news about the bootup of Large Hadron Collider (LHC) in CERN. A channel called Aaj Tak in India ran a TV series which would have made a layman believe that the bootup of LHC would destroy the world. In this case, their percentage of hype was very high and little factual information was presented. Even if they would have done a simple google search for LHC and the myths surrounding LHC, they would have realized that speculations about formation of massive black holes have been long dismissed by emminent Scientists. But the media today is more interested in their own TRP ratings and very little interested in presenting facts.

When will people learn ?

2008-08-23T12:00:00.000-07:00

Airtel (one of India's leading cell phone providers) has recently tied up with Apple to offer the iPhone 3G in Indian market. Everything is good but is the following sort of sales pitch necessary to sell of iPhones?? Airtel is quoted here as saying :

"even the most deadly hackers on the planet won't be able to crack the
codes that support the iPhone's Airtel applications with rival company
SIMs."

My question is : WHY ???. Even if you really have provided tamper-proof security, throwing a n open challenge to the highly skilled and distributed hacker work force on the internet is nothing short of the proverbial "hitting the axe on your own leg". Such stunts may be good to test your products before entering the market but not once the products are already out there. Such stupidity has surely attracted the bees and its just a matter of time before the bees sting.

Return gifts from an internet cafe

2008-08-21T08:05:00.001-07:00

Today, i was at an internet cafe for getting a printout as my old printer died its natural death. As usual, the cafe was running Windows XP machines in administrator mode. I never like the look of a windows machine running in administrator mode in a public place and i was quite sure that it was already pwned. Nevertheless, i plugged in my USB drive which contained just the file i wanted to print. After a few seconds, my drive was detected and i could print the file i wanted. All was well and good.

Then i took the drive home and plugged it back into my laptop which fortunately runs Ubuntu. Lo and behold, my drive now had three return gifts from the internet cafe. Doing a quick antivirus scan on the files revealed the following

neoblitz@n30:/tmp$ clamscan /media/PKBACK#\ 001/*
/media/PKBACK# 001/1.jpg: OK
/media/PKBACK# 001/2.jpg: OK
/media/PKBACK# 001/autorun.inf: OK
/media/PKBACK# 001/New Folder .exe: Trojan.Autoit.gen FOUND
/media/PKBACK# 001/regsvr.exe: Trojan.Autoit.gen FOUND

----------- SCAN SUMMARY -----------
Known viruses: 396428
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 6
Infected files: 2
Data scanned: 1.57 MB
Time: 6.231 sec (0 m 6 s)

As you can see, i had 2 trojan binaries and an autorun.inf which pointed to those binaries. For people who didnt realize, this is a worm which uses an unsuspecting user to physically propogate it from machine to machine.

It makes me wonder, how many unsuspecting folks would have got infected by this. Also, the public machine itself is probably a part of some botnet and has all types of exotic malware already installed, sniffing passwords and recording transactions of unsuspecting users. Phew !

So the moral of the story is two-fold,

Do NOT trust public machines. Avoid using them for doing electronic transactions using your credit card, using your username/password for your email accounts and so on and so forth.
If you run as administator, then very likely you are not the only administrator :)

I will publish results of analysis of the binaries in the next post soon.

Sound bytes could now play the devils tune !

2008-07-27T02:28:00.001-07:00

The next time you want to download your favorite song (illegally ofcourse :)) from a p2p network or some illegal site, think twice. The latest in malware infection has just been found. According to this report from Kaspersky Lab, there is now a worm to infects your .mp3 files.

From the report, the workings of this worm are as follows:

The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension) and adds a marker with a link to an infected web page to the converted files. The marker is activated automatically during file playback. It opens an infected page in Internet Explorer where the user is asked to download and install a file which, according to the website, is a codec. If the user agrees to install the file, a Trojan known as Trojan-Proxy.Win32.Agent.arp is downloaded to the computer, giving cybercriminals control of the victim PC.

You can get directly infected by the worm or via an already infected mp3 file downloaded from some malicious site or P2P share. The simple precautions to take against this type of infection are the age-old and time tested ones:

Never run as administrator on your computer. I repeatedly keep hearing that its insane to not be administrator on your own machine. Please note that, if you run as administrator of your own machine, then there is probably another administrator of your machine :). This simple precaution can help mitigate tons of security issues and make attacking your system that more difficult.
Do not install stuff from websites that you do not know or trust i.e. do not randomly click install buttons unless you are absolutely sure.
If you are really crazy about p2p downloading as if your life depends on it, then try using a VMWare to download stuff. This way, in the event of a compromise, atleast your critical data residing on your real system is protected.

Testing your DNS servers for CERT VU#800113 (or Dan Kaminskys bug)

2008-07-24T12:49:00.001-07:00

Here are 2 pointers to diagnostic tools for testing your DNS server against Dan Kaminsky's vulnerability (or CERT VU#800113). Please note that these tools use a very simple test and may not be enough to provide a foolproof assessment of the strength of your DNS server.

DNS-AORC htps://www.dns-oarc.net/oarc/services/dnsentropy
Dan Kaminskys Page - http://www.doxpara.com

[Update] There is also a simple command-line from the same folks at DNS-OARC. Just fire the following command from a command line (ofcourse you need to have dig installed).

dig +short porttest.dns-oarc.net TXT

The first gives out a real cool output. Sample shown below. If you see GREAT as the output it means you are ok against the bug (as far as the tool is concerned).

"Kaminskys DNS bug" drama

2008-07-24T10:34:00.001-07:00

If you are reading this article and interested in computer security then you may already know about the blockbuster DNS bug and the whole drama around it. To put the long story short, a major bug in the DNS protocol was discovered around 6 months ago by Dan Kaminsky. To describe the bug simply, the bug makes DNS cache-poisoning attacks a walk in the park (details here). Kaminsky, being a white-hat researcher, responsibly informed all DNS vendors about the bug and wanted to make sure that all the DNS server implementations were patched before he disclosed the bug to the world at Blackhat'08. But, Kaminsky chose to address a press conference a month before the disclosure and hinted about the existence of the bug without giving all the details. This caused a furore in the community about Kaminsky's claims but he managed to convince people (THomas Ptacek of Matasano Chargen in particular) off-line about the importance of the bug by confiding in them with the details and encouraged ISPs to patch the bug as fast as they could before Blackhat. Thomas Ptacek, relaizing his mistake, immediately changed his pitch and started encouraging people to patch as soon as they can.

All was supposedly well, until Halvar Flake made an almost right guess at the bug. This somehow caused panic at Matasano Chargen and they released the full details of the bug before hurriedly pulling back the post. Ofcourse, with feed readers around the world caching his blog, pulling back the post did not do any real good and in their own words "the cat was out of the bag" for sure now. Dan Kaminsky diplomatically handled the disclosures and is now encouraging people to patch the bug as fast as they can. Unfortunately, the disclosure of details has already resulted in sample exploits for Metasploit to come out within the end of the day. Thomas Ptacek, ofcourse has now posted an apology on his blog !

Now, one can blame Halvar Flake and Thomas Ptacek for disclosing the bug. One can also blame Thomas Ptacek for breaking Dan Kaminskys trust. But if you are a security researcher, you know very well that you may not be the first one to discover the bug. Blackhats aka evil hackers, dont care about disclosing the bugs they find. They just use them !! So i believe that these discloures may atleast force lazy ISP's to patch their systems sooner. If that will really happen is something that remains to be seen. My guess is that inspite of all this drama, there will be DNS servers which will still never get patched and will be sitting ducks ready to be exploited. It will be interesting to see if hackers are able capitalize on this bug and use it for real damage.

If you want to test your DNS servers resilience to this attack, you can use the small "Check my DNS" widget on Dan Kaminsky's site (www.doxpara.com). It may be interesting to note that DJBDNS is not affected by this bug because of its sound design. Read Bruce Scheniers article for his praise of its design and the importance of thinking about security while development and not as an add-on.

Design of the Batpod !

2008-07-22T10:50:00.001-07:00

Batman: The Dark Knight was released to theatres across US on 18 July 2008 and it was a rocker. I watched the IMAX version of the movie on the second day after its release and it was well worth the money. I think it was the Joker (Heath Ledger) who made this movie the hit that it became. The film had everything to offer right from cool stunts, cool gizmos, great graphics and stunning cinematography. This was probably the best movie of the first half of 2008 for me.

Batman is known for his cool gizmos and machinery and this movie offered no less in that respect. The coolest gadget that batman had this time was his Batpod. At first glance, the Batpod looked completely undrivable. How the hell did Batman (or his stuntmen) drive this thing in the movie?

Firstly here a good photo borrowed from this site:

I also found these few interesting paragraphs on its design :

From this:

The vehicle has
no handlebars, but shields for the shoulders that allow for steering.
It was also difficult to keep balance on the huge 508 millimeter tires,
with engines in both hubs of each wheel. Not only that, the driver has
to lie belly down on either side of the tank, balanced on two foot pegs
spaced 3 ½ feet apart.

From this:

Despite its curious mechanics, this is a drivable vehicle. Flanking the
Batpod behind the front wheel are two elevated stirrup like devices
which the stunt driver, Jean-Pierre Goy, places his arms into and
steers the vehicle using his shoulders. The engines are located within
each wheel hub, seemingly reminiscent of the electric motor integrated
into every wheel of MIT Media Lab’s CityCar. According to the LA Times, this attitude laden design was conceived by Nathan Crowley and built by Chris Corbould.

Neat stuff !

On predicting futures

2008-07-07T10:50:00.001-07:00

You read it right. Its 'futures' and not 'future'. As historians and futurists would likewise agree, there is only one history but many futures. To put the remaining post in perspective, the post was prompted by an article on wired called 5 Things Wired Pronounced Dead Prematurely. From the article,

Web browsers (March 1997) Push media was about to supersede browsers. Or not. If we could push this claim from the archives, we would. (Original Article)

Its not so important that they got this wrong but the larger point being that, as humans we are very bad at predicting future events. As Nassim Taleb (author of The Black Swan) puts it, the future is non-linear and thus any attempts to predict it with the available knowledge and available trends is futile. This point chimes in with the earlier point of there being one history and many futures. The main idea behind these arguments is that, there are some unpredictable events that can completely change the course of progress.

I believe the browsers could not be obsoleted by push media for the following reasons:

Emergence of Firefox and its wonderful plugin framework
Emergence of blogging
Syndication of content via protocols like RSS
Emergence of Web 2.0 (stuff like Ajax, Web Services etc)
Google's efforts to turn the browser into a "operating system" by providing critical business software from within the browser.

What we see more often today is that push has merged itself into the browser instead of obsoleting it.

A fun javascript flipbook

2008-07-06T17:00:00.001-07:00

Getting bored with my work, i tried doing something completely useless this weekend :). I had some photos taken in burst mode during my trip to La Jolla in San Diego County, California. So i stitched them together using javascript to create a flip book effect. You can check out the demo and the accompanying javascript on my website here. Enjoy !

Unfortunately, i could not put up the demo here as blogspot does not accept stuff within the <script> tags.

Ruby Command line for dhingana.com

2008-06-21T11:02:00.001-07:00

I got bored of clicking links on dhingana and thought there should be an easy way to listen to songs. Being a command line freak, it was very natural for me to think of writing a command line tool. So i wrote a small ruby utility for downloading songs from dhingana.

The tool can be found here. Please read the disclaimer before using the tool and feel free to drop me a line.

PS: The website is work in progress and will be fully functional in 2-3 weeks.

Surfing in a hostile world !

2008-06-19T14:14:00.000-07:00

To get a hostile view of the world we surf in, here are a few statistics about all the current day malware forms coexisting with us.

A few highlights (as of today)

There are around 3000 botnet command and control servers active at any time in the day.
There are around 100K bot machines (using a 30-day age value of each bot).
US has around 4500 bot C&C's (the largest in the world ). Interesting to see that China is way down the list with only 115.
There were around 3.5 Million unique malware binaries seen in October 2007 with the number of unique binaries being atleast 1 Million every month ever since.
The 0-day detection stats for Antivirus vendors is very interesting. Out of the 68000 samples of new malware that were tested against wellknown vendors in the last 24 hours, the really well known ones like Kaspersky, McAfee etc. were able to detect only 70% of them while AntiVir detected around 98% of them. Curiosly, Symantec is not on the list.

These statistics are from ShadowServer. Shadowserver's statistics are generally considered very reliable in the security community.It is not clear to me as to what percentage of the address range they monitor but the stats are nevertheless very revealing.

Technological Singularity: Warning in disguise? - [Part 1]

2008-06-08T13:44:00.001-07:00

I was recently reading about technological singularity that a lot of who's-who in the field of AI/Robotics (Ray Kurzweil, Hans Moravec, Vernor Vinge etc.) are talking about. The June'08 IEEE Spectrum runs a special feature on this called "Rapture of the Geeks". Reading through the articles (and also having read Ray Kurzweil's The Singularity is near) i have a few questions on some of the predictions that futurists are making. I am trying to get feedback on these issues from some well known folks in the field and will post them as and when they become available.

One popular view of technological singularity predicts that machine intelligence will surpass human intelligence in the next few decades and we will have machines building more intelligent machines presumably not under human control. This means that humans would have succeeded in building something which can replace us at the top of the intelligent species list. If this is indeed true, then wouldnt it make human existence meaningless and eventually result in our extinction? Or worse, we may end up being pets to a superior intelligent species :) . My point
is, if humans are smart, why would they let this happen?
Ray Kurzweil predicts that singularity is just 3-4 decades away. He builds up his arguments based on the technological revolutions in Genetics, Nanotechnology and robotics. Innovations in these areas may help us build machines smarter than ourselves but they all would lack the consciousness that sets humans apart. Thus they can all be efficient than us but presumably not "street smarter" than us. Some scientists also predict that we will be eventually able to give our consciousness to these machines. But what would that help us achieve? Will it will help us better our own lives or extinct us?
Assume that the singularity does eventually happen, what makes us feel that we will be able to build a set of guiding principles under which our intelligent innovations will work? And why would those conscious intelligent beings follow our guidelines instead of inventing their own efficient guidelines? Isn't this similar to humans having children, children growing up and then deciding themselves on whats right and wrong? The only difference here being that these android offsprings would be far more capable (and lethal) than human children.
The final question is, if our technological progress is indeed pointing towards a singularity, then should we take it as a sign of progress or a warning for our future?

Security is all about breaking assumptions !

2008-05-24T12:04:00.001-07:00

Anyone with a slight understanding of security would appreciate the fact that security is all about breaking assumptions. Any system is always built with certain assumptions because otherwise the system requirements will tend to be infinite. Hackers always target the assumptions to break the system. It thus becomes very important for system and process designers to be very careful about the assumptions they make for their system. I believe that systems which stand the test of time are the ones that have their assumptions clearly laid out and which provide their users a clear understanding of the strengths and weaknesses of the system.

While one may say that the above is clearly very logical and there is nothing surprising about it, reality indicates that not many get this simple axiom right. But there seems to be a paradoxical situation here. I said that a system cannot be built without assumptions and also that security is all about breaking assumptions. So that would imply that there is nothing called 100% secure !!! And as it turns out, that is precisely the point.
Vendors who claim that their products provide 100% security or are 100% secure are essentially trying to fool the customers or maybe even themselves.

A case in point, there was a very recent incident in the US involving the company LifeLock (read this). LifeLock is a company which guarantees protection against identity theft. Infact, its CEO advertises his own Social Security Number on the website and claims that their service guarantees complete protection against identity thefts. They do this by setting fraud alerts at the three major Credit Bureaus namely, Experian, TransUnion and Equifax. They thought that by doing this , anyone who tries to use a SSN not belonging to himself will get caught. But they made a very very big assumption here that any of the outfits like CreditCard companies, banks etc. will always run a credit check before activitating services for an individual. Guess what ! they were proved wrong in a really stupid way. Someone stole the CEO's own identity from his website and took a $500 loan in the CEO's name. The reason the fraud alerts did not get tripped was because the loan company did not bother to run a credit check at all !!

The take home message from this post is thus two-fold

If you are a customer, carefully evaulate the security assumptions yourself without getting sold to the vendors advertising.
If you are vendor, make sure that all your assumptions are clearly stated and avoid hidden ones.

30th Anniversary of SPAM

2008-05-03T10:12:00.000-07:00

As per this BBC news article, 3rd May 2008 is the 30th Anniversary of email SPAM. The first spam message was sent to 400 users on the ARPANET by a DEC employee on 3rd May 1978. But, this was not yet the beginning of the commercial SPAM era. It was only in April 1994 when a group of immigration lawyers sent the first commercial spam message to more than 6000 USENET discussion groups thus,spawning a new rogue business model using the internet.

Nature at its best !

2008-04-05T20:11:00.000-07:00

Famous three laws !

2008-03-19T01:01:00.001-07:00

Clarke’s Three Laws (from the book "Profiles of the Future" by Arthur C. Clarke) [1]

“When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.”
“The only way of discovering the limits of the possible is to venture a little way past them into the impossible.”
“Any sufficiently advanced technology is indistinguishable from magic.”

Asimov's Laws of Robotics [2]

A robot may not injure a human being or, through inaction, allow a human being to come to harm.
A robot must obey orders given to it by human beings, except where such orders would conflict with the First Law.
A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

References
[1] NYT Article
[2] Wikipedia Article

EyeOS ! Is it anything more than EyeCandy?

2008-03-08T11:51:00.000-08:00

EyeOS Professional Services has released this Browser based OS called EyeOS. Check the Demo at : http://demo.eyeos.org/

From the site :

eyeOS was thought as a new definition of Operating System, where everything inside it can be accessed from everywhere in a Network. All need to do is to login into your eyeOS server with a normal Internet Browser, and access your personal or corporate desktop, with your applications, documents and files... just like you left it last time.

eyeOS comes with a preloaded suite of applications, some for private use, like the file manager, a word processor, a music player, calendar, notepad or contacts manager. There are also some groupware applications, such as a group manager, a file sharing application, a group board and many more.

I am finding it difficult to comprehend why anyone would want to use this. Wasnt RemoteDesktop over VPN good enough?

This kind of technology opens a can of security worms. First of all, this is browser based and anyone can login from anywhere. So if a users account is compromised because he was logging into his company eyeOS server from a cybercafe, the companies data is at threat. Secondly, why would anyone want to leave word and excel and use applications provided by them? Or for that matter, why would anyone using Google Docs want to use this technology? I find it difficult to find the true value proposition in this product.

The idea is nevertheless neat.

Google Scanner from cDc

2008-02-23T20:11:00.001-08:00

The Cult of the Dead Cow (cDc) has released Goolag: a google scanner for searching website vulnerabilities and other juicy information using Google. The scanner is based on google hacking techniques developed by Johnny Long. The tool comes with its own dork database and helps in scanning fast.

As defined by JohnnyLong in his hacking database: googledorks are Inept or foolish people as revealed by Google.

Technically, dorks are search patterns that reveal sites with potential vulnerabilities. Check the hacking database for the extensive list of dorks. These search patterns are not specific to google but just that its more effective with google because of its vast index.

An example dork from the hacking database is "intitle:admin intitle:login" which gives Admin Login pages. Now, the existance of this page does not necessarily mean a server is vulnerable, but it sure is handy to let Google do the discovering for you, no? Let's face it, if you're trying to hack into a web server, this is one of the more obvious places to poke.

Microsoft opens up its Treasure Chest

2008-02-23T19:12:00.001-08:00

Microsoft has finally opened up their "treasure" chest. Microsoft has started a protocols program under which they are releasing loads and loads of Microsoft documentation.

From their website

"The Microsoft Protocol Programs foster innovation and interoperability by offering partners access to Windows Vista, Windows Server 2008, Microsoft SQL Server 2008, the 2007 Microsoft Office release, Microsoft Exchange Server 2007, and Microsoft Office SharePoint Server 2007 protocols for use on any platform. These programs enable and encourage a vibrant development community and support it with customer service. The result will be smarter, interoperable products that can be released in coordination with Microsoft product releases."

All the documents are available in PDF format.

The following document gives a roadmap for ploughing through the documents. [MS-DOCO]: Windows Protocols Documentation Roadmap

Height of obsessiveness !

2008-02-14T08:30:00.001-08:00

Check this link on autoblog

"The matchstick master built a full scale Mercedes-McLaren F1 car in his kitchen using 956,000 matchsticks and 1686 tubes of glue."

Don't forget to check out the photos gallery.

Real Programmers (courtesy: Xkcd)

2008-01-31T23:20:00.001-08:00

For those poor souls who dont follow xkcd, check this out....

MS08-001 Proof-Of-Concept Exploit

2008-01-31T23:11:00.001-08:00

Check out this cool proof-of-concept exploit developed by immunitysec for the IGMPv3 vulnerability (MS08-001).

http://immunityinc.com/documentation/ms08_001.html

The tool being used is their flagship Canvas product.

Mona Lisa's identity solved

2008-01-16T23:45:00.001-08:00

This is something for DaVinci fans. From this NYT article

"Experts at the Heidelberg University library say dated notes scribbled in the margins of a book by its owner in October 1503 confirm once and for all that Lisa del Giocondo was indeed the model for one of the most famous portraits in the world".

You can see the painting at the Louvre Museum in Paris or here.

TASERs

2008-01-15T23:52:00.001-08:00

Check out this impressive piece of (controversial) technology, called TASER, that is used by US cops to stun criminals. The TASER gun basically fires two dart like things towards a victim, connected to the gun by thin wires. The gun then generates electronic pulses which contract the victims muscles and sends him into a shock. But, these pulses are controlled so as to not disturb the electrical activity happening within the body. For an indepth on how-tasers-work, read the following article http://www.spectrum.ieee.org/dec07/5731/2.

TASER usage has been controversial because of incidences such as the one in University of Florida, where cops hit a student with a TASER after the student asked a series of uncomfortable questions to Senator John Kerry and did not comply when asked to leave the auditorium. The incident can be watched on Youtube at http://www.youtube.com/watch?v=y3FFnpS-eYA.

A neat HOWTO for cheating !

2008-01-15T18:58:00.001-08:00

Checkout this neat trick for cheating in a exam using just Coke.

http://www.youtube.com/watch?v=NpQZDJ2fGnI

Disclaimer: Use it at your own peril :)).

Update on my previous post - A brief history of computing, networking and the internet

2008-01-10T11:17:00.001-08:00

I missed seeing that the Nerds 2.0.1 series is in 3 parts and the link in the previous post was section 2 of the series.

This is the complete trilogy

Nerds 2.0.1 - Networking the Nerds (Section 1)
Nerds 2.0.1 - Serving the Suits (Section 2)
Nerds 2.0.1 - Wiring the world (Section 3)

Enjoy !

A brief history of computing, networking and the internet

2008-01-05T22:29:00.001-08:00

I stumbled upon this awesome documentary called Nerds 2.0.1 produced almost 10 years back. Its about how geeks working off their garages, living rooms and school dorms built some of the most brilliant technology serving mankind today. The video traces history of 4 of the most successful companies: 3COM, Novell, Cisco and Sun. A constant emphasis in the whole documentary, is on the role of the Venture Capitalists in silicon valley. The bright and dark sides of venture capitalism and venture capitalists is highlighted aptly. Its a must watch for all technology geeks, nerds and budding enterpreneurs.

http://video.google.com/videoplay?docid=-2534997893350167670

Interesting Army Slangs !

2008-01-01T22:56:00.001-08:00

I recently came across these US army slang and could not resist posting them. I liked these ones the most. (Credits: Wikipedia)

FUBAR - Fucked Up beyond all repair
BOHICA - Bend Over, Here It Comes Again
JANFU - Joint Army/Navy Fuck-Up
SNAFU - Situation Normal: All Fucked Up
TARFU - Things Are Really Fucked Up
AWR - (Alpha Whiskey Romeo) Allah's Waiting Room. When engaged, insurgents have a tendency to flee to the same building (the AWR), at which point the troops radio in an air strike.
BTDT — Been There, Done That
DAN — Dick, ass, and nuts. Used when referring to a smell,
particularly that of a soldier who hasn't showered in a while. When
used in a sentence, "Joe smells like DAN."
DICK — Dedicated Infantry Combat Killer (used in Infantry Training)
FIDO — "Fuck It. Drive On" Equivalent of "Shit Happens" Pronounced like a dog's name: Fy-dough
FM — Fucking Magic. Used to explain something complicated,
generally to someone new who has asked a question that would take too
long to explain. "How does that work?" "Oh, it uses FM."
FOAD — Fuck Off And Die
FODA — Fuck Off and Die Asshole. Note: Foda is also
Portuguese for fuck. When said by itself, it can have the same
connotation as "Fuck off and die, asshole." This would make it a
recursive slang in two languages.
FUBB — Fucked Up Beyond Belief
NDG — No Damn Good
NFG — No Fucking Good, a.k.a. busted, non functional, broken. also "New Fucking Guy"
NPGs — No Pussy Getters; see BCD
SOS — Same Old Shit; Shit On a Shingle. Creamed chipped beef on toast/biscuit, a breakfast staple.
SRDH — Shit Rolls Down Hill. Used to denote unwanted or unpleasing duties assigned to lower ranks.
US ARMY — Uncle Sam Ain't Released Me Yet
YMRASU — Yes, My Retarded Ass Signed Up (US Army backwards)

Microsoft's New Security Vulnerability Research and Defense blog

2007-12-29T01:24:00.001-08:00

This is good news from Microsoft ! M$ has a new blog for disclosing otherwise confidential technical information about their vulnerabilities.

From their website at http://blogs.technet.com/swi/default.aspx.
"We are excited to have this outlet to share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities. ... We expect to post every “patch Tuesday” with technical information about the vulnerabilities being fixed. During our vulnerability research, we discover a lot of interesting technical information. We’re going to share as much of that information as possible here because we believe that helping you understand vulnerabilities, workarounds, and mitigations will help you more effectively secure your organization."

Will have wait and watch what this yields !

Ten Tips to increase the fuel efficiency of your car

2007-12-29T00:55:00.001-08:00

Here are ten tips summarized from http://www.edmunds.com/reviews/list/top10/103164/article.html for increasing the fuel efficiency of your car. Some of them may be applicable only to U.S. conditions but i think it can be largely practiced by everyone.

Maintain your car regularly as per the schedule given by the automaker.
Keep Your Tires Properly Inflated.
Dont overload the vehicle.
Drive less aggressively. Avoid braking hard and accelerating in a rush. From the article "On the highway, the DOE says that every 5 mph you drive over 65 mph represents a 7-percent decrease in fuel economy."
Use the highest gear possible.
Use cruise control whenever possible.
Keep your car clean and waxed. It helps improve the aerodynamics of the car.
Dont idle.
On the freeways, keep the car windows up as it increases drag on the vehicle and increasing fuel consumption.
Avoid starting the engine from cold many times in a day. This means that try to combine your short trips into a long one. A cold engine requires more fuel to get going.

Savvy Graph

2007-12-27T22:20:00.001-08:00

I guess everyone reading this post is somewhat familiar with amazon.com and may have done some shopping on it. It not very unlikely, that you may have searched for a product that has a ton of reviews and different ratings. I always felt that there should be a simpler way to make sense of all those reviews and ratings. Guess what ! Someone was thinking along similar lines and they actually a very neat and nifty tool called savvygraph.

Quoting from a article about savvygraph "Web site SavvyGraph displays the average rating and number of reviews for each on a simple graph to give you a quick method for comparing items on Amazon. The idea is that the higher the rating and number of ratings a product has, the better it's likely to be. So products garnering a place on the top right of the graph (high rating, high number of reviews) are the best buys. You can hover over push-pins to see which products are which, and the color of the pins indicate whether or not free Super Saver Shipping is available for that product through Amazon."

Visit http://www.savvygraph.com/ and see for yourself.

I liked the concept and feel its a useful enough tool to get a quick and dirty estimate about a particular product before pouring into reviews.

A small and stupid one liner for seeing the instantaneous bandwidth

2007-12-27T09:38:00.001-08:00

Disclaimer: May or may not work for you. Use a bash shell or make necessary changes to support any other. There may be many other ways of doing this efficiently.

Usage :
- Edit the variables int and dir as desired.
- dir = RX will calculate download speed
dir = TX wil calculate upload speed.
- Cutpaste the one liner as is on a bash shell.

int="eth1"; dir="RX"; oldbytes=0; while [ 1 ]; do bytes=`ifconfig $int | grep "$dir bytes" | awk '{print $2}' | awk 'BEGIN {FS=":"} {print $2}'`; bw=`expr $bytes - $oldbytes`; bw=`expr $bw \* 8`; bw=`expr $bw / 1024`; oldbytes=$bytes; sleep 1; echo "$bw Kb/s"; done

Use of the above : Left to the readers imagination.

MIT students power supercomputers with bicycles

2007-12-20T21:47:00.001-08:00

An excerpt from the article highlighting the achievement :

"The ten cyclists pedalled their bikes, set on stands, with the wheels driving dynamos to generate direct current power which was converted into the alternating current needed. The supercomputer modelled a nuclear fusion reaction."

Read the full article at

http://www.computerworld.com.au/index.php?id=312084283

This is not the first time something of this sort is being done. For a good list of things that are being done refer to http://freeenergynews.com/

Google Tech Talk: Vint Cerf (Co-Designer of the internet)

2007-12-10T14:54:00.001-08:00

For those of who who are not aware, "Google Tech Talks" are videos of lectures delivered by eminent personalities encompassing a wide variety of topics. The following is a very good lecture by Vint Cerf, who, as some of you may know is credited as the co-founder of the internet. You may want to search for more at videos.google.com

Amazon releases Kindle (Ohh la la !)

2007-11-20T01:30:00.001-08:00

For all the gadget lovers out there... lo and behold .....

Presenting the "Kindle" ... (photo courtesy: Amazon site)

Now this is what i call a real gadget ! Amazon released this awesome product called "Kindle" which is a purported replacement for paper books. Its essentially a eBook reader on steroids :).

The product has the following features: (reprinted from http://www.news.com/8301-10784_3-9820070-7.html?tag=nefd.lede with some minor edits)

Measurements: The Kindle weighs 10.3 ounces and is about the size of a trade paperback book.
Connectivity: The Kindle connects to the Web via the "Amazon Whispernet," a free high-speed cellular wireless network (Sprint EVDO). Books and other
content are available for direct download, without the need for connecting to a PC (though a USB port does provide PC connectivity for transferring files). The Kindle's internal memory can store up to 200 books, and it's expandable via an SD slot (which can also be used to load additional media).
Books: Once you're online via EVDO, electronic books are available directly from Amazon for up to $10--just click on the title you want, and it's downloaded (and you're charged) in about a minute's time. Amazon is currently offering more than 90,000 titles, including 90 percent of the current New York Times bestsellers.
Newspapers and magazines: The Kindle can also be used to subscribe to a variety of periodicals, including The New York Times, The Washington Post, The Wall Street Journal, Time, Le Monde, and Forbes. Newspaper subscriptions are $6 to $15 a month, and magazines are $1.25 to $3.49. Dailies are automatically delivered to the Kindle overnight, and each periodical includes a free two-week trial.
Blogs: The Kindle also offers more than 300 blogs, including Slashdot, The Onion, BoingBoing, and Techcrunch--but these are customized Kindle versions
that cost at least $1 a month. Moreover, unlike your RSS feeds, you can't add your favorite blog--if it's not on Amazon's list, you can't subscribe to it.
Web browsing: The Kindle can also browse the Web at large (it has its own QWERTY keyboard directly below the screen), but--unlike the Kindle-ized premium content listed above--most standard Web pages are something of a disaster.
Notation and bookmarks: You can bookmark key passages of what you're reading, and (using the keyboard), make, edit, and export notes. The Kindle also saves your place when reading anything, so you can always pick up where you left off.
Price and availability: The Kindle reader is now available from Amazon.com for $400.

Some more interesting specs from the Amazon Web site

Long battery life. Leave wireless on and recharge approximately every other day. Turn wireless off and read for a week or more before recharging. Fully recharges in 2 hours.
Unlike WiFi, Kindle utilizes the same high-speed data network (EVDO) as advanced cell phones—so you never have to locate a hotspot.
No monthly wireless bills, service plans, or commitments—we take care of the wireless delivery so you can simply click, buy, and read.
Includes free wireless access to the planet's most exhaustive and up-to-date encyclopedia—Wikipedia.org.
Email your Word documents and pictures (.JPG, .GIF, .BMP, .PNG) to Kindle for easy on-the-go viewing.

A case for reconfigurable work spaces !

2007-11-18T12:05:00.000-08:00

If you feel that you are a very efficient space utilizer/designer, please reconsider after watching this video !. The following video on youtube would make a very good case for "reconfigurable work spaces". I dont know if there is such a term already but i cooked it up after seeing this video. Watch it till the end ! Its a scene shot by someone in Bangkok.

Songza debugged !

2007-11-14T12:17:00.001-08:00

In an earlier post i had posted the link to this site called songza.com which is a music search and play site.

With some quick analysis of the packet captures i found that its nothing more than a "pretty search wrapper over youtube".

Below is an HTTP request/response session that a search generated.

The HTTP Request to songza.com with my search query string "Kandukondain" was

GET /a/query?q=Kandukondain HTTP/1.1
Host: songza.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071022 Ubuntu/7.10 (gutsy) Firefox/2.0.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://songza.com/
Cookie: __utmb=41883168; __utma=41883168.246409471.1194922056.1195069878.1195070278.7; __utmz=41883168.1194975040.4.2.utmccn=(referral)|utmcsr=n30bli7z.blogspot.com|utmcct=/|utmcmd=referral; __utmc=41883168

The HTTP response with the contents "GZIP encoded" was:

HTTP/1.1 200 OK
Date: Wed, 14 Nov 2007 20:06:09 GMT
Server: Apache/2.0.54
X-Powered-By: PHP/5.2.2
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 286
Keep-Alive: timeout=2, max=50
Connection: Keep-Alive
Content-Type: text/html

............QK.0....+.y^.MD.@...L....2J.d..iRb.R........6..r..{>.....r..r}...Lzq.M...C.D...-..&u...R.}i4....^...%.s.:I...;...E.L....b.......%.<f.."V.4F..T
.5...|..y.b.C-{.hI.s...;..{...[..FI ..jM+cX...
.M.
\......c.|y...p..J..&..\...2.Y..W...k... .E]...j...Ty.Q.....QKpj"Y....._....J...

The GZIP decoded data is as follows

[
{ "id": "76nOCoQ2FKQ", "title": "Yenge Yenathu Kandukondain Kandukondain", "url": "http://www.youtube.com/watch?v=76nOCoQ2FKQ", "flv": "http://rd.cache.l.google.com/get_video?video_id=76nOCoQ2FKQ", "rating": "-1" },
{ "id": "TftTsber0y0", "title": "Kandukondain Kandukondain - kannamoochi", "url": "http://www.youtube.com/watch?v=TftTsber0y0", "flv": "http://rd.cache.l.google.com/get_video?video_id=TftTsber0y0", "rating": "-1" },
{ "id": "Y8XYNQR4AL8", "title": "kandukondain", "url": "http://www.youtube.com/watch?v=Y8XYNQR4AL8", "flv": "http://rd.cache.l.google.com/get_video?video_id=Y8XYNQR4AL8", "rating": "-1" },
{ "id": "i1bu_mdpZdc", "title": "palike gorinka-------priyuralu pilichindi", "url": "http://www.youtube.com/watch?v=i1bu_mdpZdc", "flv": "http://rd.cache.l.google.com/get_video?video_id=i1bu_mdpZdc", "rating": "-1" }
]

As you can see, all the links are from youtube.

Using scribefire to publish Blogs !

2007-11-13T09:10:00.001-08:00

I came across this cool FireFox plugin called ScribeFire for editing and publishing blogs. You dont have to log into your blogs anymore to pubish blogs. Once installed, you can activate this by just clicking the small notepad icon at the right bottom of the browser.

You can download the plugin at https://addons.mozilla.org/en-US/firefox/addon/1730.

Also attached is a screenshot as i was editing this post ..

A cool music site !

2007-11-13T08:42:00.000-08:00

I came across this cool music site http://songza.com and was simply awestruck by it. Its a cool music search and play website.

Believe it or not, but i was able to search for English, Hindi, Tamil and Telugu songs in it. Its got a rocking UI and sound quality is good :).

I am not really sure how they do it but i am still digging around trying to find out. Will post my findings.

Maybe the dhingana folks have some competition now :).

Google releases Android and a $10M bounty

2007-11-13T08:25:00.000-08:00

Google has released its android developer kit for mobiles and also offered a $10M bounty for developers who develop cool apps for the same. Google is all set to rock the mobile space soon !.

For those of you who are not familiar with Android, its a SDK to access core mobile functionality using standard API calls. That means that you can now develop code that will work across mobiles.

Check out everything about Android at
http://code.google.com/android/

Also check this release video by Sergey Brin

Slogans for computer networking design...

2007-10-27T12:30:00.000-07:00

The following are a few good slogans that i picked up from my instructors (William Cheng) lecture notes for Computer Communications Course at USC.

Perfection is achieved not when there is no longer anything to add, but when there is no longer anything to take away. - Antoine de Saint-Exupery
The simplest explanation is the best - Occam’s razor
Be liberal in what you accept, and conservative in what you send - Jon Postel
In allocating resources, strive to avoid a disaster rather than to achieve an optimum - Butler Lampson

Southern California Fires : The Aftermath...

2007-10-27T00:34:00.000-07:00

The Southern California fires that started on Oct 21 2007 in Southern California affected the 7 counties of LA, Orange, San Diego, San Bernardino, Riverside, Ventura and Santa Barbara. San Diego was probably the worst affected, with reports suggesting a lot of damage to property.

I had first hand experience of the aftermath in Orange County. Smoke and ash filled the air and the whole county was smelling of smoke. So much was the air polluted that my car was covered with ash within minutes of leaving it out in an open parking lot. The smoke smell made it very uncomfortable to breathe even inside the car. Just to give an idea of how bad the air was, i took some photographs of Orange County area while driving from LA. The pics give an idea of the amount of pollution that was in the air.

One can see rising smoke from a nearby hill that was on fire.

The black sky is not due to rain bearing clouds but instead due to carbon, ash, smoke in the atmosphere.

The sun peeks bleakly from within the smoke (@ 5:00PM)

"Hello World"

2007-10-26T12:12:00.000-07:00

My "hello world" in blogosphere...

This blog should provide its followers the following:

General news and events of interest to me (ofcourse this is NOT CNN or BBC, but, my 2 cents)
Latest in the world of technology and gadgetry.
Cool news from computer security (my passion and my research).
Cool news about computing in general.
Tips and tricks that i learn or discover about *nix (if you dont get it then you wont need it :)).
Maybe a few experiences from some chapters in my life.