Chicken Wings and Allappachadi

When it comes to using allappachadi (allam pachadi, ginger pickle), I am a true-blue Telugu person. Don't mistake allappachadi for the red chutney that hotels serve alongside the white chutney. I am talking about the ginger pickle that we usually make once a year. When it comes to mixing a little water or yogurt into that thick ginger pickle and eating it as a relish with any kind of snack, I am a true-blue Telugu person, that is. Between you and me, ginger pickle goes splendidly with idlis and dosas. With pesarattu upma, it is even more splendid. It is my firm belief that ginger pickle beside pesarattu upma brings the same delight as Tenali Ramalinga beside Sri Krishnadevaraya.

One evening last week, after taking care of all my urgent tasks (that is, office mail, personal mail, Facebook, Twitter and so on), I got down to having a little snack. In front of me were some very tempting crispy chicken wings. Along with them was the natural accompaniment for dipping, barbecue sauce. But if we don't experiment with food, how would we be ourselves? I looked around, took the ginger pickle I spotted in front of me, and thinned it in our own style (so that it looked more or less like barbecue sauce). Reclining on the sofa with my feet up on the table, watching TV, I started on the snack. As soon as I rolled a chicken wing well in the ginger pickle and put it in my mouth, I involuntarily felt “Mahaprabho”.

There is a story behind this “Mahaprabho”. In the film Subha Sankalpam, Kalatapasvi Viswanath garu, who played the role of Rayudu, says “Mahaprabho” in one scene while describing the taste of the fish pulusu made by Dasu (Kamal Haasan). Ever since I watched that film, whenever any food is really good, I feel “Mahaprabho”.

I suppose I need not say that the chicken wings and ginger pickle combination that evoked that “Mahaprabho” was gone in moments. If you like such experiments, do try it yourself.

authbind vs iptables on AWS

Here is a short description of the scenario I was working on. I am using a standard AWS AMI to run tomcat (tomcat7, to be specific). The default configuration of AWS AMIs (and many other off-the-shelf unix based servers) is such that tomcat (or any other program that runs with non-superuser credentials) can’t bind to privileged ports. However, tomcat needs to use these privileged ports (443 for TLS and 80 for standard HTTP) to serve public facing pages.

Making tomcat run as superuser is really a bad idea (the why is beyond the scope of this article). So there are a few tricks to make tomcat work on privileged ports.

authbind

There is a lot of mindshare around authbind when it comes to hosted environments. The manpage of authbind describes how authbind can be used to make a program bind to sockets on privileged ports. However, if you are using a standard AWS AMI, you may have some challenges using authbind. Also, for automated environments (read Chef) in AWS, I felt authbind is more complicated to work with.

iptables

Port redirection using the NAT features of iptables is very simple and straightforward. However, it requires an additional configuration on tomcat to use proxy mode on privileged ports.

Here is the NAT configuration using iptables.

sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
sudo service iptables save

Once this is done, all inbound traffic on 80 will be redirected to 8080. The same is the case with port pair 8443 and 443. This way, tomcat can still bind to port 8080 for HTTP and 8443 for TLS while serving incoming connections on 80 and 443 respectively.

When a client program queries the port information from tomcat, it should respond with port 80 and 443 instead of 8080 and 8443. To ensure that, one can use the proxy support feature of tomcat. Here is the additional configuration in the tomcat connector settings in server.xml:

<Connector port="8443" proxyPort="443" .../>
<Connector port="8080" proxyPort="80" .../>
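The redirect rules and the connector settings have to agree with each other, and in an automated setup it is easy to apply one half and miss the other. The following check is an added example, not part of the original post: it cross-checks the output of `iptables-save -t nat` against the `<Connector>` elements of server.xml. Both sample inputs are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format printed by `iptables-save -t nat`.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""

# Constructed server.xml fragment; the 8443 connector is missing proxyPort.
SAMPLE_SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" proxyPort="80" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
</Service></Server>
"""


def _value_after(tokens, *flags):
    """Return the token following the first of `flags` found, else None."""
    for flag in flags:
        if flag in tokens[:-1]:
            return tokens[tokens.index(flag) + 1]
    return None


def parse_redirects(nat_dump):
    """Map public port -> local port for each PREROUTING REDIRECT rule."""
    redirects = {}
    for line in nat_dump.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "PREROUTING"]:
            continue
        if _value_after(tokens, "-j") != "REDIRECT":
            continue
        dport = _value_after(tokens, "--dport")
        local = _value_after(tokens, "--to-ports", "--to-port")
        # Skip port ranges and anything else that is not a single port.
        if dport and local and dport.isdigit() and local.isdigit():
            redirects[int(dport)] = int(local)
    return redirects


def parse_connectors(server_xml):
    """Map listen port -> proxyPort (or None) for each Tomcat <Connector>."""
    connectors = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port, proxy = conn.get("port"), conn.get("proxyPort")
        if port and port.isdigit():
            connectors[int(port)] = int(proxy) if proxy and proxy.isdigit() else None
    return connectors


def audit(nat_dump, server_xml):
    """Return findings; an empty list means both halves of the setup agree."""
    redirects = parse_redirects(nat_dump)
    connectors = parse_connectors(server_xml)
    findings = []
    for public, local in sorted(redirects.items()):
        if local not in connectors:
            findings.append(f"{public}->{local}: no Connector listens on {local}")
        elif connectors[local] != public:
            findings.append(
                f"{public}->{local}: Connector port {local} has "
                f"proxyPort={connectors[local]}, expected {public}"
            )
    for local, proxy in sorted(connectors.items()):
        if proxy is not None and redirects.get(proxy) != local:
            findings.append(f"Connector port {local} advertises {proxy} but no rule redirects it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NAT, SAMPLE_SERVER_XML):
        print(finding)
```

PREROUTING rules only see packets arriving from the network, so a request made from the instance itself to port 80 is not redirected, and ports 8080 and 8443 still accept direct connections unless the security group blocks them.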

Other Considerations

There are better ways to handle this port redirection when you have front-ending load balancers and/or proxy servers in place. Having proxies/load balancers helps mitigate more issues than just the redirection problem. However, the iptables approach is better than the authbind approach when you are using a single server on AWS without a lot of additional infrastructure and configuration in place.

Data Insurance: to Limelight and Mainstream

In contrast with other essential elements of human life like death and taxes, the history of insurance has been very short. However, in terms of evolution, the concept of insurance has been constantly changing and continuously embracing new domains. Insurance of properties, life, health, beauty, athletic talent and limbs is commonplace now. Data insurance, which was once limited to multi-billion dollar corporations, and even then to limited scenarios, is now taking center stage.

The drivers for data insurance have existed for quite some time, but they had not proliferated into human life and organizational practices the way they have now. The key drivers pushing the trend towards data insurance are the protections we need against data loss, data compromise and data misuse.

Organizations, as they evolve in their presence over web, social networks and mobile applications, are capturing more and more data. The rest of the discussion in this article focuses on two categories of this data.

  • Acquired data: All the customer information, employee information and any other user information collected directly or indirectly from the users constitutes this acquired data. By nature, this class of data is highly likely to have sensitive information that includes personally identifiable information (PII), credit card information, etc.
  • Generated data: All the housekeeping, analytics and user behavior data in an organization falls into this category. This data is vital in delivering a better user experience to both end users and internal teams. This data is mostly generated by an organization’s web/mobile applications that interface with end users and may be augmented with data inferred from other user interactions like support calls and email exchanges.

Any compromise on acquired data leads to a very big exposure – loss of face, legal tangles and/or customer loyalty issues. The data compromises detected at companies like Target and Home Depot are leading to customer unrest, loss of loyalty and severe financial implications from legal consequences.

Any compromise of generated data makes an organization limp (often heavily) in its business processes. Generated data compromise mostly leads to inefficiencies and exposure of the secret sauces to competition.

The impact of a compromise of generated data can’t be taken lightly when compared to the impact of an acquired data compromise. The generated data may also include intellectual property related items that could hurt a company in the long run when that data is compromised.

Digital (or digitized) data captured by humans is also increasing in its prominence, value and risk of compromise. Whether it is personal pictures of celebrities or tax data of individuals, the risk associated with any compromise of this data is increasing over time. As the data access avenues are increasing (e.g. health data accessed via a wearable device), the potential for compromise of personal data is also increasing.

Given all this increased focus on data and its risks, we see a bigger shift towards insuring the data by corporations and individuals. Data Insurance is taking new paths that are less traveled by insurance companies in the past. Data Insurance packages now contain and cover a wide variety of data sets.

Just like humans undergo a set of prerequisite tests before taking a new health insurance package, data sets might undergo certain audits that cover the access controls and security risks associated with this data. We may also see a trend towards re-audits during renewals of data insurance to re-validate the access controls and risks.

The key factor in Data Insurance is determining the value of data. Human life insurance packages usually cover sums like 5x annual income. Vehicle insurances usually cover up to the Bluebook value of a vehicle. Coming up with a valuation for data is not that straightforward though. The valuation process might differ greatly between acquired data and generated data. Unlike the constant depreciation of a vehicle’s Bluebook value, the value of data may either decrease (data that becomes stale over time) or increase (with volumes or with increased sensitivity of the same data) over time. Data Insurance companies and the insured organizations/individuals will often be re-evaluating the value of data to optimize costs and minimize the impact of exposure.

In summary, here are some of the primary factors by which data insurance evolves:

  • Categorization of data
  • Valuation of data
  • Data audits

As data insurance hits mainstream, all these factors experience market growth and some sort of standardization beyond what we have today.

 

 

libressl

Libressl (http://www.libressl.org/) is a recent fork of OpenSSL. The goal of libressl is to provide a more secure alternative to openssl, and the developers who forked the code feel that openssl is beyond repair at this point. Quoting from the libressl website:

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

The best documentation of libressl features (or default configurations) can be found in the release notes of OpenBSD 5.6. Looking at the list, this is an impressive push towards securing the implementation by default. Without worrying too much about backward compatibility, some of the less secure configurations and protocols are simply left out of the implementation.

By dropping support for a bunch of hardware engines and platforms, libressl probably has fewer things to worry about. For example, dropping support for big-endian i386 and amd64 systems liberates it a bit. With classic adopters of big-endian architectures eventually becoming bi-endian, there is not much to lose here, in my opinion. However, reusing the standard C library routines like malloc() and snprintf() could take an interesting turn. Dropping kerberos support is interesting too – don’t we still have a lot of academic community working on it?

I like changes like dropping SSLv2 support and stopping the use of current time as random seed among a few others.

There have been several discussions in the past on which of these open source SSL implementations is better. Being a legacy implementation, OpenSSL at this time requires a considerable set of configurations to make it secure. From that viewpoint, libressl might look better in terms of its out-of-the-box readiness for a more secure implementation. However, in the world of automated deployments and continuous integration, recipes exist to configure openssl to avoid less secure protocols and algorithms.

I am not sure at this point whether libressl will surpass openssl in the future in terms of adoption, but I sure am glad to see a drive towards being “more secure by default.”

 

Swachh Bharat Campaign: My Thoughts

Now that (apparently) the initial euphoria around the Swachh Bharat initiative has died down and people are settling back to their normal course of action, here are my thoughts on this great initiative.

The Swachh Bharat initiative is my long term wish for India come true. The moment I set foot in the western hemisphere almost a couple of decades ago, I realized how different surroundings can be made to look. After relocating back to India a while ago, lack of cleanliness has been one of my big pain points that I have been trying to fix across the board.

The Swachh Bharat initiative by our Prime Minister Shri Narendra Modi is spot on and we should all strive to see a clean and green India. However, just like many good initiatives, this one might make people get carried away in executing it the wrong way.

For an initiative to get popularity, we either need to document widespread participation or measurable results. Some popular initiatives get their popularity due to participation and others get popularity due to socializing of sustained results. Often, people take the first route and document the participation. Three hundred people posting their pictures on a social networking site for an event gets an event more popularity than documenting the fact that three thousand people actually participated in it.

People seem to be more inclined to post their participation in Swachh Bharat by clicking a few pictures while cleaning up a road or premises. I haven’t seen anyone posting a picture of a road or premises that stayed clean over a period of time.

In other words, instead of fixing the symptoms, we should fix the root cause and make sure that the symptoms don’t show up time and again. That is the best sustainable path to success.

For Swachh Bharat to become a lifestyle (not just an initiative), we need to focus on the following:

  • Reducing the opportunities to make any road or premises unclean. For example, Indian Railways has come a long way in keeping many platforms and stations in a clean state when compared to 15 years ago. The train tracks, compartments and some stations are not clean enough yet, but we have seen a good improvement recently. All they did was force every vendor to keep a trash bin next to the stall and increase the number of general purpose trash bins. This led people to eventually get into the habit of using the trash bins rather than the platforms to dump their waste. We need to take a similar approach to ensure that people participate more in keeping things clean than in making things clean.
  • Ensuring that people understand the importance of keeping things clean. We need to slowly, but surely, eradicate the “not my job” attitude when it comes to keeping public and common places clean. Some part of it comes from forced legislation (I like the positive impact of the “No smoking in public places” rule) and the rest of it should come from people’s belief and passion. This is where politicians and celebrities can help by taking the message to the masses. I like a celebrity’s picture of cleaning a road, but that should somehow translate to a message to keep things clean first.
  • Clean up – This is how the initiative is currently being perceived in mass media. Even though it is a good start, it should slowly move to the back stage and give room to the other two focus points mentioned above. Clean ups should be regular, can even be voluntary by people who are in no way in that role, but shouldn’t be just momentary.

In summary, I want to see Swachh Bharat become a lifestyle rather than being an initiative by our Prime Minister. We should all focus on keeping places clean rather than cleaning up places as an aftereffect. That way, we can head towards seeing a sustainable Swachh Bharat.

Shellshock bug and the risks

Bash, the quarter century old shell utility on almost all popular unix based systems, has been found to be vulnerable. The exploit works by injecting specially crafted values into an environment variable and using it to invoke a shell command. Once the exploit gets to that level, there is hardly any limit on what can be executed as part of the shell command.

The problem is made worse by the fact that many network facing services in day to day use have the potential to use bash internally. For example, CGI scripts on web servers, convenience utilities offered by network routers and any other limited command execution tools might be the key vulnerability in public and guest access private networks. Mitre warns that sshd with ForceCommand is a potential attack vector.

The bug is being called the Shellshock bug or the bash bug. RedHat’s security blog article is one of the earliest articles that discussed the Shellshock bug in detail. Robert Graham of Errata Security is the best known tracker of the issue and has ongoing observations and comments on his blog/twitter account.

Here is how you can check if the current bash is vulnerable on your system. If it prints vulnerable on the first line, then patch your bash package.

$ env x='() { :;}; echo vulnerable' bash -c "echo test completed"
 vulnerable
 test completed

For web servers, here is the test suggested:

$ curl -i -X HEAD "http://sometestdomainhere.com/" -A '() { :;}; echo "Warning: Server Vulnerable"'

The output looks somewhat like the following listing. If it contains the “Warning” text, then it is highly likely that the web server’s bash is vulnerable (and so are CGIs based on bash). A clean result from this test does not assure that the system is not vulnerable: you may still have other CGIs that run with bash and are vulnerable.

HTTP/1.1 200 OK
Date: Fri, 26 Sep 2014 02:51:52 GMT
Server: Apache
X-Powered-By: PHP/5.4.32
X-Pingback: http://sometestdomainhere.com/xmlrpc.php
Link: <http://sometestdomainhere.com/?p=14>; rel=shortlink
Content-Type: text/html; charset=UTF-8
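On the defensive side, the same function-definition marker that the two tests above send shows up in web server logs when someone else runs such a test against your server. The following scan is an added example, not part of the original post: it assumes the Apache "combined" log format, and the log lines are constructed (reserved documentation addresses, a hypothetical /cgi-bin/status path).

```python
import re

# Constructed sample log in Apache "combined" format. The marker strings are
# the ones used in the tests above; addresses and paths are made up.
SAMPLE_LOG = r'''
192.0.2.10 - - [26/Sep/2014:02:51:52 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:02:52:03 +0000] "HEAD / HTTP/1.1" 200 - "-" "() { :;}; echo \"Warning: Server Vulnerable\""
198.51.100.7 - - [26/Sep/2014:02:52:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "() { :;}; echo vulnerable" "curl/7.30.0"
'''

# One quoted log field; Apache writes embedded quotes as \" so allow escapes.
_Q = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] ' + _Q + r' (\d{3}) \S+ ' + _Q + ' ' + _Q
)

# A value that starts a bash function definition: "()" followed by "{",
# with optional whitespace in between.
MARKER = re.compile(r'\(\s*\)\s*\{')


def find_probes(log_text):
    """Return (ip, timestamp, field) for every logged field carrying the marker."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            # Unparseable line: check it whole rather than skip it silently.
            if MARKER.search(line):
                hits.append(("?", "?", "raw"))
            continue
        ip, ts, request, _status, referer, agent = m.groups()
        fields = (("request", request), ("referer", referer), ("agent", agent))
        for name, value in fields:
            if MARKER.search(value):
                hits.append((ip, ts, name))
    return hits


if __name__ == "__main__":
    for ip, ts, field in find_probes(SAMPLE_LOG):
        print(f"{ts} {ip} marker in {field}")
```

Only headers that the server logs can be seen this way; the combined format records the request line, Referer and User-Agent, so a marker sent in any other header leaves no trace here.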

Since the Shellshock bug existed for quite a while, all versions of bash that are currently out there in active usage are likely to be vulnerable. Patching some of these devices might be trivial, but there still might be several other devices that are hard to patch.

  • Servers that run services like web/ftp might be vulnerable if the CGI scripts end up using bash. Invoking bash from PHP code is considered not vulnerable, unless there are ways to circumvent input parameter validations of the PHP code. The RedHat article mentioned above has links to instructions on how to fix this on RedHat variants of linux. For Ubuntu, this is a good thread to follow.
  • Desktops that use network facing services like DHCP over wireless and sshd are vulnerable as long as these services internally use bash commands or bash as the shell for the session. There are still discussions on whether Mac OS X DHCP is vulnerable or not, because Apple modified its DHCP and claims that the DHCP utilities don’t use bash internally. Mac OS X branched version 3 of bash and does its own updates to the shell. There are instructions on how to patch OS X, tailored more for unix admins (they require Xcode) than for normal users.
  • There are some suggestions on renaming bash to a different name, but that might break more things than it fixes. Use this technique with utmost caution.
  • Beyond desktops and servers, devices like internet routers may have vulnerabilities due to the utilities and services they offer. For these devices, waiting for vendor released patches is the best option, but explore the possibility of turning off these convenience utilities.

Errata Security also has notes on wormable nature of the Shellshock bug. So patch your bash package as early as you can.

Upcoming AWS / EC2 instance reboot

If you are using AWS and EC2 instances, a reboot of most of those instances is on the horizon. AWS has announced this reboot, which is scheduled between 02:00 GMT on September 26th and 23:59 GMT on September 30th.

Read more about this reboot on Gigaom and Rightscale. Technical forums on AWS and other sites are already buzzing with a lot of traffic, discussing the potential impact and how to ensure that services are not impacted.

Given the urgency and the number of instances that are impacted, it looks like the patch is potentially going to address a security vulnerability. The actual details of the patch and the issues that are fixed by it will be known around October 1st.

Summarizing various discussions on related forums, here is a quick summary of what to watch out for during this AWS / EC2 instance reboot:

  • The reboot is not limited to any single availability zone. It spans all the availability zones.
  • The good news is that the EC2 instances in all availability zones are not rebooted at the same time. So if your instances span multiple availability zones, you are on the relatively safer side.
  • The reboot does not impact instances of the type T1, T2, M2, R3, and HS1. However, if the patch fixes issues on these instance types too, then you might be on your own. We will know more around October 1st.

Here are a few quick checks for those who are getting impacted.

  • Check your mailbox for a notice from AWS; it is likely to give more details about the reboots, impact and schedules.
  • Ensure that the key services on your instances are configured for auto restart when the system boots up. It looks silly, but I have seen code that takes good care of newly spawned instances but doesn’t address reboots that well.
  • Ensure that your network paths (non-Elastic IPs, Route 53 entries, S3 buckets) survive reboot of the instances.
  • For those whose instances are NOT rebooted by AWS, watch out for the issues fixed by AWS during this reboot and evaluate their impact on your instances. Take corrective measures as soon as possible.

For those who can afford to be heroic enough – why wait till AWS reboots your instances? Reboot these on your own in each availability zone and test the resilience.

Bapu

Bapu: In my childhood, his line drawings were what first introduced him to me. His lines are towering examples of conveying a point concisely. He drew and demonstrated long ago the minimalist design that we speak so highly of today. Bapu's drawings are the fitting Telugu renderings of the prabandha heroines first unveiled in Sanskrit.
Listening to his films on the radio is one of my unforgettable childhood experiences. Films such as Mutyala Muggu, Mantrigari Viyyankudu, Bhakta Kannappa, Pelli Pustakam, Vamsa Vruksham, Rajadhiraju and Manavoori Pandavulu not only entertained but also showed how to look at human and social relationships from rational and humane perspectives. His Sampoorna Ramayanam is a visual poem that condensed a great epic into three hours.
Bapu and Ramana are a fine example of gold acquiring fragrance. From the Sakshi essays to Kothi Kommachi, the warp and weft they wove are the silk garments they gave to Telugu readers.
When I heard that Bapu is no more, the first thought that struck me was that he has gone to join Ramana garu. How wonderful it would be if, as in Viswanatha's novel Vishnu Sharma English Chaduvu, he went and brought him back?

Photo Caption Competition

I am running a photo caption competition for a select group. Here is the photo:

Photo for Caption Contest

This photo is a selected entry for TCPC’s Chayakriti-2013. I clicked this picture in 2012.

Here are some suggestions:

  • Give both a photo caption and a writeup/description about the picture.
  • Limit the photo caption to less than 10 English words
  • Limit the writeup/description to 100 English words

Email Transit Security Needs Better Adoption

Email transit security is not a new concept, but it deserves more attention in terms of adoption and practice.

Email has become the key component for information access – every online service identifies you through your email id. All online transactions (not just financial transactions) have one or more transactional emails sent to you. Examples of transactional emails are file share notifications, password reset mails, shipment notifications and account information change notifications. Despite not having direct financial information, all these mails have the potential to compromise the security of an individual’s or a company’s information.

We all take ample care while accessing our emails over a secure connection using tools like Thunderbird, Outlook or web based secure access. These secure connections ensure that email is accessed securely from a mail server to a client device like a desktop or phone. However, what is the assurance that the mail actually traveled from the sender to the mail server in a secure way?

Securing email during transit is not a new concept. There are enough protocols and processes in place for ensuring email security during transit. However, email security during transit isn’t adopted by all major service providers and organizational senders. This poses a risk to the information carried by emails to individuals and organizations.

Google’s safer email campaign and email transparency report focus on documenting metrics and best practices related to email transit security. A couple of pictures on this page describe how TLS helps ensure security of email in transit.

Adoption of TLS for email transit security is not a unilateral fix by one or more ISPs. When email is hopping between two ISPs, it requires both the ISPs to agree upon the use of TLS for transmitting the email. So none of the ISPs or individual organizations can claim that they send/receive all their emails over a secure channel. At the time of writing this article, only 74% of mails from Google are accepted by recipients over a secure connection. That number is much better when compared to the 54% of mails received by Google from other ISPs over a secure connection.

There are several techniques employed by eavesdroppers to make meaningful information out of even non-confidential content. Ensuring email transit security helps an organization in the long run. Even if security of mail content is not of prime concern for an organization today, it is highly recommended that email is sent securely during transit. That way, the organization is not giving away information easily to eavesdroppers.
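One way to see, hop by hop, whether a delivered message travelled over TLS is to read its Received headers. The following is an added example, not part of the original post: it assumes the receiving servers record the RFC 3848 `with ESMTPS` style keyword or a TLS comment, and the message and host names are constructed. Each header is written by the server that received that hop, so headers added before your own infrastructure are only as trustworthy as the sender.

```python
import email
import re

# Constructed sample message; hosts use reserved example domains/addresses.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
    by mailstore.recipient.example with LMTP id abc123;
    Fri, 26 Sep 2014 03:00:05 +0000
Received: from out.sender.example (out.sender.example [198.51.100.20])
    by mx.recipient.example with ESMTP id def456;
    Fri, 26 Sep 2014 03:00:04 +0000
Received: from app01.sender.example (app01.sender.example [192.0.2.33])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by out.sender.example with ESMTPS id ghi789;
    Fri, 26 Sep 2014 03:00:02 +0000
From: notify@sender.example
To: user@recipient.example
Subject: Password reset

Body.
"""

# "with" keywords that RFC 3848 registers for sessions protected by STARTTLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}


def _strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    previous = None
    while previous != value:
        previous = value
        value = re.sub(r"\([^()]*\)", " ", value)
    return value


def _field(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None


def received_hops(raw_message):
    """Return the hops in travel order as dicts with from, by, with and tls."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so the last one listed is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        clauses = _strip_comments(value).split(";")[0]
        proto = (_field(r"\bwith\s+([A-Za-z0-9]+)", clauses) or "").upper()
        hops.append({
            "from": _field(r"\bfrom\s+(\S+)", clauses),
            "by": _field(r"\bby\s+(\S+)", clauses),
            "with": proto,
            # Some servers note TLS only in a comment, e.g. "(using TLSv1.2 ...)".
            "tls": proto in TLS_KEYWORDS
            or bool(re.search(r"\([^()]*\bTLS", value)),
        })
    return hops


def cleartext_hops(raw_message):
    """Return (from, by) for every hop with no record of TLS."""
    return [(h["from"], h["by"]) for h in received_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        state = "TLS" if hop["tls"] else "no TLS recorded"
        print(f'{hop["from"]} -> {hop["by"]} ({hop["with"]}): {state}')
```

In the sample, the hop between the two organizations (out.sender.example to mx.recipient.example) is the one without TLS, which is the inter-ISP case the article describes.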