* Posts by Sitaram Chamarty

104 posts • joined 30 Aug 2008


Official: IBM to gobble Red Hat for $34bn – yes, the enterprise Linux biz

Sitaram Chamarty


Honestly, this is a time for optimism: if they manage to get rid of Lennart Poettering, everything else will be tolerable!

This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet

Sitaram Chamarty


There seems to be a slight confusion here between sudo and being at the console.

The Xorg bug discussed here requires you to be logged in AT the console. On my not-yet-updated-for-this-bug Fedora system, there is a pam configuration line (specifically, `auth required pam_console.so` in /etc/pam.d/xserver) that appears to be ensuring that you cannot run an X server unless you have control of one actual console (that's one of those things you get when you hit Ctrl-Alt-F2/F3 etc).

This has absolutely nothing to do with sudo.

(You actually can run this over ssh also, but only if you are *also* logged in at the console, so it comes to the same thing)

If you're on a typical single user system that is running only the GUI and you rarely go to one of the actual ttys for any reason -- probably the only way to affect you is if someone who knows *some* userid and password to your box, *and* has physical access, were to do that Ctrl-Alt-F2 thing, login, and then run this command.

Servers, mostly running headless, likewise -- you'd have to get into the server room, attach a keyboard and mouse, and do this.

All in all, a very big bug, but not terribly scary for most people.

Imagine Python fan fiction written in C, read with a Lisp: Code lingo Nim gets cash injection

Sitaram Chamarty

Re: Indentation-significant syntax

Totally. I can read python but I can never *write* it. Trauma from RPG/400 back in the 90s I guess.

Drink this potion, Linux kernel, and tomorrow you'll wake up with a WireGuard VPN driver

Sitaram Chamarty

Re: good lord; is this not a techie site?

> Some new crypto system outside the cryptographic mainstream is not what you want to count on for security

It's the bloody cryptographic mainstream that got us the Dual EC-DRBG backdoor and God knows how many more things like that. While I still have a lot of respect for NIST, stepping away and looking at independent cryptographers like Dan Bernstein is definitely a good idea.

In any case, Dan's stuff is no longer an outsider -- almost every crypto suite worth its salt (no pun intended) is implementing it. They're not doing it because they're fanboys either; there are solid reasons -- openness (often called "nothing up my sleeve" in crypto), implementation ease, side-channel resistance, etc.

Sitaram Chamarty

Re: good lord; is this not a techie site?

> That not everyone knows one or two specific niche facts or procedures does not give you *any* information on their personal level of competence and understanding of computers and related issues.


Except when they try to *say* things like "bloat" and "it should stay a module" and "I sense another smackdown [from Linus Torvalds]", etc.

xkcd 386, since you're so fond of xkcd.

Sitaram Chamarty

Re: good lord; is this not a techie site?

"In five years or so this may be worth considering"? Really? TLS had padding related issues several more years later, and I won't even bring up heartbleed. The (passive) passage of time does not indicate anything.

Hence the "4000 lines -- easy to review" point that is being made here.

I am not a cryptographer, but I know enough, thank you. I still say this is pretty darn good, uses the right set of algorithms (I'll admit to being a Dan Bernstein fanboy), and -- while nothing is absolutely certain -- it's a darn sight more trustworthy than a lot of other code.

And from a practical point of view, it's almost trivial to set up compared to those.

Sitaram Chamarty

good lord; is this not a techie site?

The number of people who are confused about what WG currently is, and what it is trying to be... ouch.

Currently Wireguard is a DKMS module (see https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support for what that is). Basically, it is "out of tree" and every time a new kernel is installed (like when you do a "apt upgrade" etc and a new one comes in), all DKMS based modules have to be recompiled. Usually on *your* computer. Which means, among other things, you need to install gcc and a whole bunch of other packages.

Getting it into the Linux tree means you don't have to do that anymore. **It will STILL be a module**, except it will be part of the kernel sources, and the compilation happens at the distro, not in your computer.

In particular, it is NOT bloating the kernel any more than it currently is, as a DKMS module, for people who do not use it.

Oh and by the way, I've been using it for a couple of months now and it's absolutely wonderful. I've had no problems of any kind -- so read all that faff about "this is not yet complete" as typical open source "under-promise". It definitely "over-delivers", as far as I am concerned.

Notes/Domino is alive! Second beta of version 10 is imminent

Sitaram Chamarty

Re: It's actually used a lot

> Last time I saw, over 130 million users are on Notes/Domino.

Not by choice.

Don't forget Notes client is the only mail client that acquired "sort by subject line" in... wait for it... 2006.

Yes, 2006.

Eudora and Pegasus had it in pretty much from day one, if I am not mistaken.

Ever tried to view all headers in an email in Notes? A *tiny* window pops up and you can't expand it. You have to look for the headers you're interested in, within what -- if I recall -- is a 20x8 text window.

I've never used Outlook, but compared to Thunderbird (speaking only of the client UI and UX), there is NO comparison.

For €10k, Fujitsu will tell you if your blockchain project is a load of bull

Sitaram Chamarty

Re: Fundamentals sound, hype is bollocks

a blockchain is a bit more than a linked list; it's a linked list with a cryptographic hash that makes it difficult to modify old blocks.

of course, version control systems like git (and even git got the idea from monotone, and maybe it's turtles all the way), have been doing this for years before "bitcoin", so I am in no way claiming that difference is new with blockchain!

Hot new application for blockchain: How does botnet control sound?

Sitaram Chamarty

I'm surprised no one mentioned IRC as an analogy. Much more sturdy than a web server.

And this is not, as the article says, a blockchain issue. This will only succeed if they join specific, already popular/widely used, blockchains (bitcoin and ethereum come to mind).

If they join some little known blockchain they may get blocked. In a way they're leveraging the somewhat implicit "too big to kill" nature of the big two blockchain instances.

Is Microsoft about to git-merge with GitHub? Rumors suggest: Yes

Sitaram Chamarty

Re: the survey only listed Disney as a viable acquirer. How about AOL?

"until the internet stays open and alive"?

don't you mean "while"?

Are you sure you're a developer? :-)

No root for you, or how to stop worrying and love AWS China

Sitaram Chamarty

"the internet treats..."

"The internet treats censorship as damage, and routes around it". Isn't that what people say?

I'd say China has found a way to break that. If you have to apply for a permit to serve port 80 or 443, and you don't get root on a machine you have at least rented, the amount of "routing around" you can do is pretty damn limited!

I think all wannabe totalitarians (and I am not excluding India's Aadhaar-crazed government here, and the USA was anyway only a democracy in name for some time) are taking a good look and thinking... hmm, if China can do it, why can't I?

I wonder if, in about 20 years or so, all of the dystopian fantasies of Richard Stallman and Cory Doctorow would have come true.

S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats

Sitaram Chamarty

People keep saying "turn off HTML".

You don't need to do that. You only need to turn off remote image loading.

In Thunderbird, this is called "Show Remote Content", and defaults to "no".

I looked at the EFF site as well as the "branded/logo-ed" site for this vuln, and could find no sign of this particular aspect, which makes it a non-issue for most TB users (and I'm willing to bet most other mail clients too).

Whoa, Gartner drops a truth bomb: Blockchain is overhyped and top IT bods don't want it

Sitaram Chamarty

Re: A small increment on the Luhn formula of 1954

You're confusing blockchain with proof of work.

Bitcoin == blockchain PLUS proof of work, but you can have blockchains which don't use proof of work as a consensus mechanism.

You must be a prof in a university somewhere -- that's all they care about, permissionless blockchains and crypto currency. After all, wilful ignorance of scaling limitations (to use a phrase from one of the previous comments) gives you more opportunities to publish.

Sitaram Chamarty


Spot on! In fact, looking at the quotes from Gartner in the article, I suspect a lot of the blockchain they're talking of is closer to permission-less cryptocurrencies, than the permissioned stuff that enterprises tend to use.

Unsanitary Firefox gets fix for critical HTML-handling hijack flaw

Sitaram Chamarty


> "That's not chrome as in Google Chrome, by the way, that's chrome as in a confusingly named component of the Firefox engine."

I'm pretty sure the usage of the word Chrome as a name for a component of Firefox predated Google's **confusingly named browser** by a good few **years**.

'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature

Sitaram Chamarty

Re: "neither Meltdown or Spectre is much of a threat to a home user"

If by "stored on my PC" you mean on disk, that's not relevant. If you've logged on to paypal or your bank in one tab, and to a dodgy site in another, it would be possible to extract those creds, in theory.

Even if you logged out, and *then* went to the dodgy site, if the browser didn't zero out the locations where it kept your password in memory, something could be extracted.

I'm not saying it's easy or practical but as they say, "attacks only get better".

Sitaram Chamarty

Re: The bug is better than the buggy fix !!!

> neither Meltdown or Spectre is much of a threat to a home user

I hope you've updated your browser at least because Meltdown and/or Spectre can be used from Javascript. Firefox 57.0.4 should be safe; they've reduced the granularity of the high precision timers. Not quite a fix, but from a browser's standpoint that's really all they can do.

No idea about Chrome, and even less about IE.

Don't worry about those 40 Linux USB security holes. That's not a typo

Sitaram Chamarty

Re: Wasn't that the primadonna maintainer project

the "IoT crapware DDoSes" (if you're talking about Mirai) were due to default passwords. Not much Linus can do about that -- it's on the vendor and/or the customer.

Official: Perl the most hated programming language, say devs

Sitaram Chamarty

the example code in the article...

...is a perfect example of how Perl is *unjustly* vilified.

All the line noise in that example is due to regular expressions -- a distinct sub-language that is nevertheless supported (though usually very badly and/or reluctantly) by all other languages.

Since perl supports regexes as first class citizens, it gets a bad rap because of how regexes look.

As for the $, @, {}, etc -- I've never understood this angst about perl's syntax. You expect a mathematician to use special symbols to mean special things to them. Heck, an electrician has to learn almost as much special stuff to get a license to wire your home (India excepted, heh!). Yet people think perl's using the character set a little more than other languages (which mostly stick to a-z for syntax) is a problem.

Twitter: Why we silenced Rose McGowan after she slammed alleged sex pest Harvey Weinstein

Sitaram Chamarty

Re: I think Linehan has it right

wow; I did not know this. Just deleted the dilbert feed from my RSS reader. I absolutely love Dilbert but not at this price -- supporting someone (however indirectly and ineffectually) who supports the "racist toddler".

Did ROPEMAKER just unravel email security? Nah, it's likely a feature

Sitaram Chamarty

block HTML or block remote access

I switched back to mutt about 2 years ago but I just checked Thunderbird and it has a "block remote content" setting, which was even enabled by default. The help text leads to a link that explicitly mentions CSS also, so I'm pretty sure this attack won't work on a default installation of TB.

As for webmail, I had to laugh at the claim that this attack will "fool even the most security savvy users". Sorry, but I find it hard to apply the phrase "security savvy" to people who use webmail directly on a browser (i.e., instead of via IMAP/POP3 on a proper mail client).

And if you're using an email service that does not allow IMAP or at least POP3, you should switch as soon as possible.

Indian telco Reliance Jio denies claims of 100m record data breach

Sitaram Chamarty

Re: biometrics target?

update: sample size upped to 2, got confirmation from the other one also!

Sitaram Chamarty

biometrics target?

Disclaimer 1: I am a strong opponent of Aadhaar (UIDAI) and I see Aadhaar issues everywhere so this may be some sort of bias on my part.

I know two people who took a Reliance Jio SIM. Both were issued on the basis of India's new "papers please" card. In one case, the person was asked to submit his fingerprint to verify. (The other I could not reach in time to write this comment).

Disclaimer 2: As you can see, the sample size is ONE. Caveat reader!

That said, I strongly suspect that whoever snarfed the data (possibly our "friendly" neighbour to the north) was after the fingerprint details, because everything else is already easy to obtain from other channels.

If the bank accounts (now forced to be linked to Aadhaar by our "papers please" government) of any of these people start seeing "action", we'll know for sure.

(The only defense Reliance will have if this happens is "there are so many other places people could have got these details". Sadly, that is also true!)

Create a user called '0day', get bonus root privs – thanks, Systemd!

Sitaram Chamarty

invalid user? then ABORT, you moron!

Subject line says it all.

I can imagine disagreement between the OS and systemd about what a valid user is -- can happen, though it should not.

But I can't imagine *continuing to run* when you find an invalid user!

Ta-ta, security: Bungling Tata devs leaked banks' code on public GitHub repo, says IT bloke

Sitaram Chamarty

apparently not even auxiliary data

Disclaimer: I am a TCS employee.

It appears that the filenames were more like the names of the customers the presentations were made for, rather than *data* pertaining to the customers themselves. I therefore suspect a lot of the content may have been the same (i.e., present to customer A, modify slightly, rename, present to customer B).

It's still a pretty stupid thing to do, but thank God it wasn't stupidER, I guess!

Unfortunately, I was one of the people shouting from the rooftops (a few years ago) that we need unfettered github access, so I'm getting a wee bit of -- good-natured, don't worry! -- ribbing for this!

But then, I couldn't do without this access. I estimate that a good percentage of the commits for gitolite are made at work and I push them from my work laptop, simply due to how I divide my time.


PS: gitolite is a fairly popular access control system for git that is used by Fedora, kernel.org, Gentoo, and several other open source projects, and probably thousands of others

And yes, I intentionally mentioned it, in a shameless and blatant attempt to suggest that if you've heard of it, or even better, used it, then *you* at least won't generalise about TCS :-)

India makes biometrics mandatory for all e-gov projects

Sitaram Chamarty

Re: Catastrophic failure

It will fail, sooner or later. People (including myself) thought faking iris was going to be hard, would require consent, etc. Turns out... nope! I'm sure you saw the articles yesterday or the day before about CCC cracking Samsung 8's iris recog.

Biometrics is an arms race. I find it funny that people worry about quantum safe asymmetric crypto, which is much much further away than a biometrics fail, but maybe that's just my opinion.

Speaking as an Indian, I am worried sick about these things, especially if they ever start force-linking it to bank accounts. There **WILL** be massive theft of lots of money from lots of people.

I only hope they hit the really rich people, and not us poor bastards.

135 million Indian government payment card details leaked

Sitaram Chamarty

Re: Indian IT at it's finest

Why is it not an option? I am **pissed as hell** that the Indian government now wants to make Aadhaar mandatory even for paying taxes, which effectively means it's mandatory period. (The original idea was that it was mandatory only if you needed government benefits -- subsidised stuff for instance).

As a protest, I have now stopped using my credit card for anything less than 2000 rupees (an arbitrary limit I set; could vary depending on circumstances but that's the general idea).

Yes, ATMs have been (slyly, without any announcement or explanation, by the way) mostly dry for months now, but I go to my bank and get cash once in a couple of weeks or once in a month, and that works out fine. So far.

Am I at risk of being mugged or robbed, since this is cash? Maybe. I don't use public transport so I should be mostly OK. Does this form of protest actually register? Surely not -- it's not as if Modi is worrying himself at night thinking "OMG, Sitaram is going against my cash-less dream". Is it any use then? Yes -- my own psychological satisfaction, plus the opportunity to talk about Aadhaar and explain its problems to everyone who asks me "why are you carrying so much cash".

I was a solid supporter of his anti-black money initiative last November, but Aadhaar is where I draw the line; I am now an ardent Modi- and Jaitley- hater.

But don't read too much into that -- Aadhaar was created by the corrupt crooks who are currently in opposition -- the Congress (spelled c-o-r-r-u-p-t-i-o-n) party. So, unless the Supreme Court does the right thing, all Indians are royally screwed in terms of their biometrics and other data being essentially public. Forever.

Sitaram Chamarty

Re: Indian IT at it's finest

Probably not, actually. The projects cited are all government projects, AFAICT. Sad to say, government employment does not attract good people.

That said, "privacy and security" are still "unknowns" for most developers.

1.37bn records from somewhere to leak on Monday

Sitaram Chamarty

Re: why would you believe a government "statement"

Governments have very little shame; the fear of ridicule is often an "individual" thing, not a collective thing.

Also, looking at the statement linked in the article, except for a couple of points, the rest seem to be hinging on *regulatory* protections (as opposed to, say, *technical* protections). This is akin to saying "murder is a crime". Sure it is, but it still happens, and it's not always caught either.

Sitaram Chamarty

why would you believe a government "statement"

it could well be Aadhaar. In fact I hope it is -- better it happens now, when it has not yet taken root in all sorts of unrelated life (seriously, they want to make it mandatory for even buying TRAIN tickets online!) than a few years later, when the damage would be much much worse.

And the sooner the morons in charge realise this is a bloody landmine (or gold mine, depending on how you look at it), the better.

The security crowd has been screaming about "identification, not authentication" (or the less accurate but more understandable "biometrics are a userid, not a password") but no one has been listening.

Now they have (or will shortly have) an app that can draw money from your bank account with just that one factor -- a finger swipe. I'm advising friends and relations who have an Aadhaar linked bank account to keep only a minimum of money there, and put the rest in a completely different account -- preferably in a different bank -- without Aadhaar linkage. The sad part is that the lowest strata just don't have enough money to do this kind of thing, and they're the most at risk from a mass biometrics leak and misuse.

(Oh and I've also been told that the biometrics are safe and can't be faked; words like "liveness testing" have been bandied about. To which my response is "that's today's tech. It's an arms race and tomorrow the scene may be quite different, someone may figure out how to beat it".)

Google Chrome 56's crypto tweak 'borked thousands of computers' using Blue Coat security

Sitaram Chamarty

can anyone explain...

...how a *browser* update causes problems for the login screen?

Has Chrome become as essential to the working of an OS as MS used to claim IE was in the old days?

(This is a genuine question by the way; I'm not being snarky or something)

Balancing miners borks blockchains, say boffins

Sitaram Chamarty

stopped reading at first line of abstract

this is against POW systems only.

I am yet to see any "enterprise" or "banking/financial" blockchains proposing to use POW.

As such, the first line of the El Reg article, ("The financial sector's enthusiasm for blockchain technology might be misplaced, according to a pair of Australian distributed computing experts") is total bollocks.

Blockchain has value. POW does not. And I probably will never understand why academics continue to focus on POW when industry does not (AFAICT) care.

Let's Encrypt in trademark drama

Sitaram Chamarty

Re: Comodo CEO (2011, same one now??) hilariously slammed in Moxie Marlinspike's talk

What planet do you live on?

"media pundit"? "[not a] real security professional"?

Moxie (and Trevor Perrin)'s Signal protocol is pretty much the only one that has been *proven* to be secure (at the protocol level at least). And that is the most recent one I can remember; I think even the cert pinning RFC was from them but I am not sure. Regardless, he *does* know his shit, and some anonymous coward saying it ain't so ain't gonna make it not be true.

Sitaram Chamarty

Comodo CEO (2011, same one now??) hilariously slammed in Moxie Marlinspike's talk


watch especially 05:19 to 06:52, then 07:45 to 11:30

heck watch the whole thing; Moxie is a very clear, articulate, speaker with a great sense of humour *and* knows his shit

Surveillance camera compromised in 98 seconds

Sitaram Chamarty

Re: disable UPNP and allow the mobile app to do everything

> And this is going to mitigate the problem, exactly how?

No direct connection from arbitrary external IPs to the weak device. The manufacturers leave upnp open because they want to talk directly to the device. Block that, because the app on the mobile (while in the same wifi network) should be able to proxy that traffic.

This also means you cannot control your home thermostat from your office, though. There's no easy way to allow that while disallowing attacks, unless you get into some kind of authentication dialog. With the *device*.

>> I'm pretty sure this is the most practical, scalable, solution for this.

> Oh, yes. Sure. If you say so.

a bit of uncalled-for hubris there I admit; mea culpa :-) Milord, I'd like that last comment of mine stricken from the record!

At least for the attacks we're seeing that caused the krebsonsecurity.com and Dyn DDoSes, disallowing external connections would have certainly stopped them cold.

Sitaram Chamarty

disable UPNP and allow the mobile app to do everything

the biggest failure is UPNP.

They should mandate disabling that. All communication to the "mothership" should go through a mobile phone which is on the same wifi network. Yes that would essentially be akin to XSS but in a good way.

I'm pretty sure this is the most practical, scalable, solution for this.

systemd free Linux distro Devuan releases second beta

Sitaram Chamarty

You're over-reacting. That was just a figure of speech. How can I tell? The rest of his post is perfectly sensible and reasonable. He even started out obliquely defending systemd. Does not come across as a person who even remotely thinks of that statement as a personal one in any sense.

Gone in 70 seconds: Holding Enter key can smash through defense

Sitaram Chamarty

Gone in 10 seconds...

...my good impressions of El Reg as a tech-savvy pub.

This attack does *not* give you anything you could not get by using a USB boot, CD boot, or PXE (network) boot.

The only situation where you *do* get more than that is in "kiosk" type situations (where the CPU/case/disks are locked away but the keyboard/mouse/monitor are accessible).

And even then, the statement "With access to the shell, an attacker could then decrypt Linux machines" is totally wrong.

Let's Encrypt won its Comodo trademark battle – but now fan tools must rename

Sitaram Chamarty

doesn't make sense

They could have licensed it to the other party. I run a small project called "gitolite" which has just such a licence from the SFC, which owns the "git" trademark. It's free and its only purpose is to protect their trademark.

Yelp wins fight to remain morally bankrupt

Sitaram Chamarty

what he should have done

is to capture the page before, then pay for the advertisement, capture again, and then sue. That's proof that this is a racket if the bad review goes away when you pay.

A lot more tangible, IMO.

Dropbox apologies for clunky administrator account access on Macs

Sitaram Chamarty

Condoleezza Rice

I have been boycotting Dropbox since they took on Condoleezza (sp?) Rice as a board member. Since I never had a dropbox account, for me, "boycott" means refusing document links that others send me that they want to share.

Of course I don't use Apple either so this specific issue doesn't bother me.

On another note, I'm curious what other apps do stuff like this; i.e., this one was found, how many more are hiding?

Speaking in Tech: Nope, sorry waiter. I won't pay with that card reader

Sitaram Chamarty

it's not the people...

I stopped listening because they concentrate so much on the storage industry, which is something I have zero interest in (not being an "enterprise" IT guy I suppose). Almost none of the companies they speak of are well known outside data center and similar operations folks.

On the plus side they give a decent breakdown of each episode with MM:SS timings so I do sometimes download and listen to segments.

On the minus side, I loved Sarah Vela's sense of humour, I loved her voice and I especially loved her laugh (like when she leg-pulled her cohorts), and she's now left the show. Sad...

Australian Banks ask permission to form anti-Apple cartel

Sitaram Chamarty

Re: Life's hard choices

Speaking for myself, I don't see anything wrong with millions of Apple users waking up to a zero bank balance... they're used to Apple robbing them blind anyway so this can only be a minor incremental pain.

Florida U boffins think they've defeated all ransomware

Sitaram Chamarty

my backup strategy

(I know you didn't ask me, but still...)

I have a simple strategy that consists of actually reviewing the files that my incremental backup program reports as having changed. (The backup program itself is "borgbackup" -- awesome stuff; look it up. Unix only though).

A modification of this could be to keep a trend of number of files in each top level directory that are changed per day, and if something unusual happens, alert someone.

An even simpler way that often works (for single desktops) is to count how many files changed today, and alert if it is at least 1.5X larger than the maximum number of files changed in the last N days (adjust N to taste). The alert should list the actual files that were changed so someone can quickly determine if there was a problem or "oh yeah those files, we know what all those changes are".

The assumption is that the malware (if any) has not borked my borgbackup software to produce false reports of what it is seeing. I suppose in theory that could happen with a more popular backup tool so YMMV.
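The change-count heuristic described in the comment above, as an added example that is not the commenter's code: it assumes a backup tool that reports (day, path) pairs for changed files (the sample records are constructed), flags a day whose count is at least 1.5X the maximum of the previous N days, and lists the files so a human can eyeball them. The `floor` parameter (so that a run of quiet days with zero changes cannot make a single edit trip the alert) and the per-top-level-directory trend count are my additions.

```python
"""Change-volume anomaly check for incremental backups (added example)."""
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample input: (day, path) records as a backup tool might report
# them. Days 1-3 are normal editing; on day 4 a whole directory is rewritten,
# which is the pattern a ransomware run would produce.
SAMPLE_CHANGES = [
    (date(2016, 6, 1), "/home/alice/notes/todo.txt"),
    (date(2016, 6, 1), "/home/alice/code/app.py"),
    (date(2016, 6, 1), "/home/alice/code/README"),
    (date(2016, 6, 2), "/home/alice/notes/todo.txt"),
    (date(2016, 6, 2), "/home/alice/code/app.py"),
    (date(2016, 6, 2), "/home/alice/code/test_app.py"),
    (date(2016, 6, 2), "/home/alice/notes/journal.md"),
    (date(2016, 6, 3), "/home/alice/notes/journal.md"),
    (date(2016, 6, 3), "/home/alice/code/app.py"),
    *[(date(2016, 6, 4), f"/home/alice/photos/img{i:03d}.jpg.locked")
      for i in range(12)],
]


def changes_per_day(changes: List[Tuple[date, str]]) -> Dict[date, List[str]]:
    """Group the backup tool's change records by day."""
    by_day: Dict[date, List[str]] = defaultdict(list)
    for day, path in changes:
        by_day[day].append(path)
    return dict(by_day)


def top_level_trend(paths: List[str], depth: int = 3) -> Counter:
    """Count changed files per top-level directory (first `depth` components),
    the per-directory trend the comment suggests keeping."""
    counter: Counter = Counter()
    for p in paths:
        parts = p.strip("/").split("/")
        counter["/" + "/".join(parts[:depth])] += 1
    return counter


def check_day(today: date, by_day: Dict[date, List[str]],
              n_days: int = 7, factor: float = 1.5,
              floor: int = 1) -> Tuple[bool, List[str]]:
    """Return (alert, files changed today).

    Alert when today's count is >= factor * max(count over the previous
    n_days). With no history there is nothing to compare against, so the
    first day never alerts. `floor` is the smallest count that can ever
    alert, which stops a history of all-zero days from flagging one edit.
    """
    today_files = by_day.get(today, [])
    history = [len(files) for day, files in by_day.items()
               if 0 < (today - day).days <= n_days]
    if not history:
        return False, today_files
    threshold = max(factor * max(history), floor)
    return len(today_files) >= threshold, today_files


def alert_report(today: date, files: List[str]) -> str:
    """Human-readable alert: the per-directory summary, then every file."""
    lines = [f"{today}: {len(files)} files changed (unusual)"]
    for directory, n in top_level_trend(files).most_common():
        lines.append(f"  {n:4d}  {directory}")
    lines.append("files:")
    lines.extend(f"  {f}" for f in sorted(files))
    return "\n".join(lines)


if __name__ == "__main__":
    by_day = changes_per_day(SAMPLE_CHANGES)
    for day in sorted(by_day):
        alert, files = check_day(day, by_day)
        print(f"{day}: {len(files)} changed, alert={alert}")
        if alert:
            print(alert_report(day, files))
```

Run against the sample, only day 4 trips the alert (12 files against a previous maximum of 4, threshold 6); day 2's 4 files stay under the 4.5 threshold set by day 1. Feeding it real data means parsing whatever your backup tool prints for changed paths and tagging each line with the run date.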

Lenovo scrambling to get a fix for BIOS vuln

Sitaram Chamarty

Re: it's a backdoor, not a bug

I think he meant "as opposed to Lenovo installing it themselves". Probably referring to the so-called "free" apps that come with a laptop which caused some consternation recently (if something affects only Windows, I tend to not remember details).


Biting the hand that feeds IT © 1998–2019