Epilepsy, Javascript, Security and Debian

This would be quite a long post so would request everybody to relax, have their favorite hot/cold drink in their hand, kick up their feet and relax as it’s going to take time.

The first update I wanna share is about my epilepsy. For those who didn’t know I suffered a series of epileptic seizures about a year and a half back. I stayed in an hospital for about 3 months, luckily medicines helped me and didn’t had to go for brain surgery (which was a real possibility), needed a month and a half of physiotherapy to regain balance and muscular movement. It is still not 100% but can move around which is more than enough to be thankful for.

Last month, after coming from the Kerala trip, took the brave step of getting an MRI and a battery of tests. While the expenditure of the tests and MRI was expensive ( INR 25k), I was more apprehensive if it would result in a further stay in hospital which I was really afraid of. Thankfully, the doctors had said that 99% of the issue is gone. While I am supposed to visit him once every few months, he has advised to take another similar test around 6 months to a year from now but that’s upto us. The moment the doctor shared this, I felt like an unimaginary weight I had been putting on my shoulders had been lifted.

Due to my own experience, I tried to read as much as I could about epilepsy. While I have been lucky than most, from what little I could garner and understand epileptic seizures and strokes happen when some sort of abnormal chemical reaction happens in a brain. Why it happens could be for any number of reasons. In my case, it apparently was that the blood which flows to the brain had become thick and hence had to take blood-thinning medicines.

Some of the probable reasons for thick blood could be fatty tissue ( I am fat), thinking too much or just being out in the sun too much. I don’t know which of the reasons to believe as all and either of them is as likely as other or not. The only realization I have from the various explanations given is that probably that the doctors don’t know (more research is needed) . One of the other causes which I found out is also pollution which could have been a contributing factor. I say this as most people who were next to me were patients who had similar issues and most of them were in the prime of their health and still they got it.

One of the interesting things I came to know while I was researching about MRI (after the first check happened) after I was able to sit on the computer and use the web on my own was to know that MRI was actually named NMRI i.e. Nuclear Magnetic Resonance Imagining but due to the word ‘nuclear’ having negative connotations probably due to the association with the Atomic Bomb explosions. Ironically, I am a bit thankful as at least I was able to understand and empthasize a bit with people who may be going with something similar.

People who suffer from depression or mania of some sort come to know inherently that it’s not something they can control or be in charge of, at the most they try to find ways to learn to live with it. Most people, including me, more than ever before are hard on ourselves even though we are as if not more falliable than the next person. We are going to make more mistakes, whether it is in our spelling or our understanding of things. I hope this message and prayer brings some sort of peace and understanding to those who are either going through it or are part of people who are living through it. To have emotional outbursts and frustrations is pretty common as we are not in control as we were before. I would stop here now.

JSFOO

Last week I had volunteered to be part of JSFOO . I had been hearing about JSFOO from friends, colleagues for quite some time now. I volunteered and shared I would write about my experience and as well as help them with the report of the event. Having attended the event, I have mixed feelings about the event. Perhaps my expectations were too high, but most talks I found boring simply because it was another version of ‘My Javascript is better’ and at the most ‘hello world’ kinda script was shown . While there were two tracks, I could be in only one I found them to be too basic to my liking even though I am no Javascript developer. The first one I attended was from Ironswap security which was about XSS . I found the talk to be a bit confusing and at the same time was surprised when a couple of attendees asked me what XSS was. I don’t think even the presenter asked if people knew what XSS was and just went about his presentation.

One of the other things which irked me when some lady gave a sort of caricature explanation of what Open-Source is. I don’t know whether I heard her wrong, or she didn’t know what Open-Source is. While I am more of a free software person, I still understand the various nuances and the reason why open-source came in and what it means both from a business and a legal perspective. I just groaned inwardly for some new developer who might be thinking what open-source is and went with a vagueish understanding or definition.

There was an interesting presentation though about Frappe charts though. Although the lady sharing it was too fast, probably to get the whole thing under 20 minutes. I do hope nobody had to subtitle that talk as I know from personal experience how taxing, frustrating such an experience might be, more so if the person speaking, is speaking fast. You can’t roll the subtitles fast enough than the eyes and the brain can process. I do wish she had slowed down and gave some more attention to charting as it’s both as a business decision-making process function but woefully misunderstood and rated lower unless you are into stocks or bonds or have to give some sort of cost-benefit analysis to your peers, seniors etc. IMO how to make charts and how different ways to make chart is able to get different visual ways and understandings should be 101 for any student irrespective of whatever background s(he) is from.

One of the other interesting presentations was by Jyotsana Gupta who was from Mozilla who tried to share about some of the security addons. I wish she had taken more of a time and had gone more a bit in-depth, would have enjoyed that quite a bit.

The other interesting conversation was from somebody from Amazon Alexa and how to program for sound. He had a full day free workshop for the next day which I was unable to attend although I guess it would have been just as enriching. For India, it seems next to impossible as there are just so many dialects and ways of speaking and having probably more than a dozen or two dozen words and phrases for something or the other. While I could guess-work it still seems a long-haul from the basic ‘keyword’ patterns which people use and privacy issues but that’s another potboiler altogether 🙂

One of the things I kept hoping, probably against hope is somebody would talk about the Javascript Trap and share about librejs but that was not to be, although with some recent conversations and understandings that may also be a long road indeed, sharing below.

DevSecOps Pune 2 – Lean Coffee format

I almost didn’t go to this meetup. I called up the number of the organizer but then hung up as I ain’t a security expert, while this meetup was for security experts. The only thing which kinda pulled me for this meetup was not really the security aspect but the lean coffee methodology which I hadn’t heard about before so was curious. Somehow the organizer called me and I agreed to be part of the meetup although I had no idea what I would talk about. I have played with some security tools for myself and my clients but not in a serious manner. Anyways, turned up the next day and was lucky to call before as I was thinking that it would start at 11:00 hrs. but started at 10:00 hrs. The place is also near to my place so was able to make in one piece without much sweat. I had gone with the idea of not participating much. Also one of the rules of the game was not to talk of products but processes hence just went like that.

We were passed chits and I just wrote Debian on it, thinking it probably wouldn’t be picked up. As per lean coffee setup, was given a marker and any two choices I could put the marker too, I put my marker on what most people were interested in and anyway I had no knowledge of the two subjects. Somehow two people put a mark to Debian .

The first topic was taken up by Muneeb, a long-time friend whom I had not met up for a long time. He started with passwords (shared secrets) and shortcomings of the same. He shared about PKI but only asynchronous PKI or PKI with a certifying authority which I knew from the many public and not so public fallouts is and was a broken infrastructure. He also shared a bit about digital certificates which again has been on the way out in almost all countries except India. It is good if you are making money either as an agent or being a certifying authority but doesn’t do anything in terms of making the infrastucture any safer. There was talk of SSL but even as a novice web-user I know that all SSL is not the same. There used to be a slew of excellent add-ons such as certificate patrol, perspectives and convergence of which only certificate patrol has managed to still eke out a web presence. The site itself answers the many questions about how SSL itself is broken. It is an excellent resource for those who want to know about it.

While I didn’t go into the details of either how SSL is broken or MITM attacks are possible, I did share about synchronous public-private key infrastructure, Web of Trust and getting the public key signed by multiple developers. I did share the whole key-signing party which happens and how people trust or don’t trust you depending on n number of factors, part of which may be their own paranoia which depending on how you look at it can be healthy or not.

The other topics which were shared by people were often compliance and war stories they had encountered when dealing with different companies and compliance methods. I remember sharing about LTP and getting blank looks about it. I had actually been thinking about if as an attacker I would either do multiple DOS attacks on a machine/network and use one or the vulnerability to worm my way through. My question was about if they offered such kind of services and was told that in most companies they weren’t allowed to do even basic pentesting so what I was wondering is far out there from the reality. This is when some of their client companies are apparently doing software exports to other countries.

Something which I have seen for quite sometimes is the kind of password requirements esp. in Indian sites are. This is an example of an Indian site where I wanted to put a password –

Now while I won’t share the site name. It is a common occurence. Now why it doesn’t work most probably is because whoever coded for the password was looking at having just single numerical character, a single lower character and a single special character.

If you look at most user’s pyschology they would usually try to have a password which meets the least requirements rather than full. If I were an attacker, I would say it is a weak system as the attacker would know that most people would use something like this to fulfill requirements but also give easy access to an attacker. Password – Shirishag75; or something similar as most people use the common username to have the same profile everywhere. The attacker’s job becomes much much easier in such cases. And while I have shared one, there are probably hundreds of Indian sites which use similar methodology to ‘safeguard’ user passwords. What would have been better is the ability to have multiple special characters, multiple upper and lower characters and multiple numerical characters. Anything which improves entropy or randomness should decrease the chance of attack. This of course also depends upon the user to exercise and use that understanding but that’s a topic for another day.

When it came to Debian I shared the short history of free software, the four principles, Redhat and inspiration about Debian and the number of software packages we support and the number of hardware architectures we support. While I did share about the debian-security team and debian-security tools, I didn’t share anything about Debian Hardening as I knew we have a long way to go. Historically, we have taken a lot from BSD world as well shared back.

There was also the whole systemd debate and for a change, I decided to be the devil’s advocate. I knew the multitude reasons when we had to use it instead of the aging SystemV. From what I could remember, we had become de-facto upstream of SystemV which were taking developer resources and not giving enough return out of it. I remember meeting Lennart Poettering when he came to Pune in 2013/14 for Fudcon or some other Fedora event and had been reading lot of flame-wars in 2013, 2014 over systemd, some of which is still causes heartburn today.

One of the arguments which to my mind is the strawman argument is when systemd doesn’t start, the whole system collapses. This is a strawman to my mind as all things will fail eventually, for any number of reasons. For e.g. grub may fail, filesystems may fail, the only things which should probably prevent complete meltdowns are hetrogeneous systems but that probably would have been a topic for a different day altogether.

I do have machines running on systemd and SystemV and find the ones from systemd to be a tad bit more responsive. At some point if I am able to get a new machine, I probably will try OpenRC too as that’s now in Debian as well.

All in all, it was much more of an enriching experience as I was able to share some things while also learn a bit about topics I had no idea about, like compliance.

Before sharing about Debian, there was an inspiring coverage about 2 women who tried to enter Sabarimala and the travails they shared. What is and was interesting is that they were aware of the risks they were taking and still they went for it. There is also probably a semi-fictional movie story called Soni . I say semi-fictional because the way it has been shot and shown, seems to be real. While there isn’t enough data yet, it still tends to suggest that we have a long way to go through either as part of gender-justice or even better law governance. So with the above as inspiration, let’s see what’s been happening in Debian.

Debian

Debian has been in a bit of drama over the last couple of months. If I were to describe Debian as an organization, the mental picturization I would have of it as of today would be of a town-hall. It has beaureacracy, with the current organizational structure. From the current drama, one question which came to my mind is why we have 3 DAM’s for say around 35-50 odd AM’s. If nothing else, it seems quite a bit of strain on the workload of DAM as it is vis-a-vis the number of AM’s . Of course, it’s hard to gauge the amount of work the DAM’s may be going through as there aren’t any statistics which tells the number of hours they have to work, in addition of whatever day-jobs they hold. AFAIK apart from the special privilege of admitting a new member, refusing membership and revoking membership of an existing memeber and perhaps making reports and documentation which probably is shared with the Debian Leader.

Before starting with the drama at Debian, I would like to share an interesting article/blog post which was shared by a free software friend. I found it interesting because FSF for a long time had positioned itself as a vanguard of free software. As with most free software activists, I have no clue as to what to feel. I do feel shocked and more than a tad disasppointed with the way things have moved. For those who are and might be new to the world of free software, ‘FSF’ was always cherished to be ‘the unreasonable people’ . Unreasonable in the sense that they would uphold free software values. They would look to uphold small businesses and user freedoms. They were the reason ‘open source’ was born which is and was born with the idea of supporting ‘big business’. Now if FSF starts supporting Microsoft or any other big company how are they different from ‘open source’ or ‘OSI‘ .

Now coming to the drama, I first came to know about it from a mail at debian-dug-in which led me to provocatively titled mail message called ‘bits from the censorship team‘ , the trail led me to a humongous thread on debian-project, one of which seeks to explain the ‘crisis‘ in Debian. While I don’t know the reasons, from whatever interactions I have had with either Daniel Pocock both via blog posts and emails have been thoroughly professional. While I stand (sadly) by the reasons I had that day and today he has been a complete gentleman as far as I’m concerned. While I probably have had less than 50 odd interactions via mail I did find him to be respectful in all his replies. The same can be said of Nortbert with whom I had a chance to interact a bit more as I use some of the tex packages which IIRC were/are his baby. Whenever I did put up a bug-report or something, he did reach out and fixed those bugs in a timely fashion which is what attracted me to Debian in the first place. The third gentleman I have no idea about hence wouldn’t know. I have to point out though, that if you just read those two mails then they may result in a biased viewpoint. I would request people to read through the whole thread. There are many balanced voices which makes Debian a vibrant community.

What did hurt though was when I came to know about concerns being raised about Praveen’s contributions. While I could understand Rhonda’s concerns, I do wish she had framed in much better way. Most DD’s and even DM’s abandon packages when they are not working on it or they are retiring. If Praveen felt like that, he would do it that way only. I didn’t see any reason to expect any different way from him.

FWIW I have known the gentleman (Praveen) for almost a decade and more. He is and has been generous to a fault and has been a prime motivator for almost all the Debian-related activity, especially events which happen in India. Even last week, he was in Orissa which is known as a backward state due to number of reasons, one major reason being a perennially flooded every couple years or so. So even in a state where the basics are lacking for many, he is there sharing and enhancing digital literacy. Even here, Praveen was able to put a call out and now he has quite a few number of people who are willing to contribute and take over in case he needs to setep aside . Remember this is in a country which has no form of pension or Universal Coverage like most western countries do. While I wanted to share his some of his talks listed without his phone number, for some reason gimp is not co-operating today 😦

Brexit

Lastly, brexit seems to be like a slow train knowing it’s going to crash. Whenever I see any news about brexit, I am reminded of the incident in the Quwaiti Bazaar where a gentleman from Pakistan was unable to buy dates because he had the UK pound while Euro was ok. This was 2 years back. Incidentally today on twitter, a gentleman went through all the laws that Europe imposed on UK and all the laws seem sane. In fact, I remember on agriculture that Indian farmers and businesses wanted to sell some Indian-grown fruits and England denied them saying they had carcigiones, pesticides and what not and they turn around and say no when Europe wants the same standards for everybody.