Hacker in Berlin. Follow me on Bluesky, my Mastodon is down. captnemo.in/contact/ Aspartame maximalist.

Berlin
What I was taught in school: - Mitochondria is the powerhouse of the cell What I should have been taught in school: - How to file an RTI - How to file taxes without an Aadhaar - How to topple a fascist government
Thought I'd look at the @Truecaller app to see what changed to cause the bug (diff between 10.40.7 and 10.41.6) Likely was just an accidental bug (see screenshot), but I found more interesting stuff. Thread.
Been reporting this to @UIDAI since Jan '17. Giving up hope on it ever getting fixed, so public disclosure: captnemo.in/blog/2018/09/15/… Credits: @sanitarypanels #aadhaar #13footwall
Hotstar doesn’t let paying *VIP* users watch content with English Audio and that’s the stupidest pricing differentiator I can think of. (Thread)
I wrote an open letter to @Cloudflare. CloudFlare's vendor (Airtel) keeps blocking websites hosted on GitHub Pages for no reason without a court-order in India. This has been ongoing for years, and developers deserve an answer. github.com/captn3m0/hello-cl… (Please RT)
Hey @Google if you really care about the environment, can you please support Pixel devices for more than 3 years instead? There’s 10M+ Pixel 3 devices that are destined for landfills this October as they reach End of Life - maybe start there.
The Google Pixel 6 won’t ship with a charger theverge.com/2021/8/17/22628…
tl;dr: India needs a Data Protection Law, and it needs it badly.
Perennially depressed because the Controller of Certifying Authorities in India doesn't have a valid certificate for their website.
Our incredible journey at electoral.bond has come to a close. The Supreme Court has declared Electoral Bonds as unconstitutional, and our legal money laundering scheme will be shutting down.
I wouldn't have launched this today, but @FinMinIndia has picked the dates as 1-10 April, so ¯\_(ツ)_/¯ Go buy a (tax exempt) Electoral Bond from your nearest SBI Branch and sell it for cash! please dm if you'd like to buy electoral bonds in bulk. buy-sell-electoral-bonds.car…
👋 It's my birthday today. I'm not a birthday person, but this year I'm doing a fundraiser for @internetfreedom 🎉. I'll be matching donations made to IFF today so you can double your impact: internetfreedom.in/double-yo… (Please RT)
India’s collective refusal to stand up against Aadhar has gotten us to the point where we’re celebrating life-saving surgeries on newborns being dependent on @UIDAI’s blessing.
Our VLE Ramana from Amalapuram Town, Andhra Pradesh done a Sishu Aadhar Enrollment to 4 days born baby in ICU, who has diagnosed a hole in heart, for immediate surgery Aadhar is mandatory, so our VLE RAMANA did a great job, and shown the humanity. @dintya15 CSC VLE CAN DO#
👋 It's my birthday today. I'm not a birthday person, but this year I'm doing a fundraiser for @internetfreedom🎉. I'll be matching donations made to IFF today so you can double your impact: internetfreedom.in/double-yo… (Please RT)
You don’t need 2 ring lights and a DSLR to join work calls. If Jeff Bezos can join calls with the governor of Washington with a laptop camera, so can you!
This PR from @UIDAI yet again proves how Aadhaar is malleable beyond any scrutiny. (Now withdrawn: pib.gov.in/PressReleseDetail…) A thread on the history of how this has changed over time.
UIDAI cautions of sharing photocopy of Aadhar @UIDAI pib.gov.in/PressReleasePage.…
Why you shouldn't use <input type=number> blindly for OTPs. Accidental scrolls will change the number before submission. Always better to use <input type=text pattern="\d{6}" minlength=6 maxlength=6> cc @Kuvera_In
Are you a security researcher outside India? Do you hate getting geoblocked to Indian government websites? Well, I made a proxy for security researchers outside India to access Indian government websites without resorting to shady VPNs. github.com/captn3m0/sanskari…
If you remove a user from your CoWIN account, the success message reads: >Individual Deleted Successfully 😂😂😂
The @UIDAI portal (portal.uidai.gov.in) has been down since the @thetribunechd story. Critical National Infrastructure they said, remember?
A thread on WorldCoin, its parallels with Aadhaar and why such a project can't work.
Introducing Worldcoin, a new cryptocurrency that will be distributed fairly to as many people as possible. Details about how it works: worldcoin.org
I wrote a blog post on my encryption setup! Covers passwords, 2FA, U2F, recovery, and failure plans. Includes general suggestions for everyone. captnemo.in/blog/2020/01/04/…
Please take regular backups of your cat.
Take a BT speaker with you to the store and play a pre-recorded message to imitate the Paytm soundbox. Teenagers across India discovering replay attacks 😂.
Cleaned up the desk for the photo.
When you see a 10x shift in any metric, be very skeptical. Here's a thread on what actually changed. (1/n)
Some one pls tell @sherryontopp The Sheila Dikshit govt left behind a huge debt. The Arvind Kejriwal has almost cleared off the loans by now. Outstanding liabilities: End-2014: 32,531.8 cr End-2019: 3,406.4 cr (Source: RBI)
Wondering if @zomato will be notifying affected customers for the Dominos Breach. Zomato passes latlong,address,mobile number to Dominos. I'm impacted, despite never signing up for Dominos.
Proud to announce our pivot to foodtech.
Most of the joy in building PCs comes from the "lego for grown-ups" attribute (it was super-fun figuring out what goes where, and splitting hairs over how we were running fan cabling). But I love PCs for another reason: the magic of standards and interoperability. A thread🧵
Assembled a new desktop from scratch over the weekends, took >8hrs but learnt so much doing it after ages and boy things have changed! Thanks @captn3m0 for the help. The outcome is beautiful!
The @SlackHQ meetup is booting up at @Razorpay office. 🤞
IRCTC already monetises your data by embedding ads and trackers from third-parties. Now they’re going a step further and segregating “monetisable” passenger datasets. Also, reminder that IRCTC encourages Aadhaar linkage heavily so it’s a perfect surveillance dataset.
🚨ALERT: Hey train travellers, your data will soon be monetised by the govt. & that too, in the absence of a data protection legislation! @IRCTCofficial has uploaded a tender to appoint a consultant for digital data monetisation.🧵on what this means. 1/8 irctc.com:8080/IRCTC/downloa…
Sab mar jayenge bas Aadhaar bachega
Pilgrimage complete. (The NeXT Computer Tim Berners-Lee used to create the WWW)
Re-ran my @BLRFoodCensus code again, and here are some *early and rough* stats: Total restaurants: 14665 Temporarily closed: 546 Permanently closed: 9111 Still open: 5008 #Bengaluru has lost 2/3rd of its restaurants. (Data via Zomato)
If you are trying to get rid of WhatsApp, might I also suggest taking the time to setup adblockers everywhere. Uninstall the FB/Insta apps and use the web versions where you can block ads. FB stops making money if you stop seeing ads.
3 Servers still serving the UIDAI portal: 103.58.114.102, 103.58.114.101, 103.58.114.19 @UIDAI doesn't even know how to take their _vulnerable portal_ down correctly. paste.ubuntu.com/26351836/
Amul pays taxes.
In 1946, a DAO was started with milk as a NFT. We call that Amul today. Lol. Co-operative society hi hai yaar DAO.
Aadhaar went from “Yes/No answers only” to “No such thing as an Aadhaar Card” to “Aadhaar Xerox is valid KYC” to “Official Aadhaar PVC Card” to “eKYC” and now “CKYC” over the span of a decade. I do not trust a profit-seeking malleable ID system, and neither should you.
Remember the @ixigo data breach that happened in 2018? Looks like @EaseMyTrip has bought a copy and is using that for advertising. This email was only ever used to purchase tickets on Ixigo.
I'm now running a DNS-Over-HTTPS Resolver from Bangalore. Faster than both the Google and CloudFlare resolvers within Bangalore (Tried on Airtel and ACT so far). Doesn't log/filter/block and leak information. captnemo.in/doh/
Cool tools promotion thread. (Stuff I use and like, mostly dev/cli/linux stuff): github.com/ericchiang/pup pup is jq for HTML. Pipe your HTML and parser/filter it on the terminal. If you do a lot of web scraping - this is very nifty.
@getwalnutapp also seems to have an SDK! Pretty cool stuff: credit scoring, parsing SMS. Their regex list is so much fun to read.
Excel files transferred over SFTP is all of FinTech. How do those transfers trigger? Yep, cron jobs.
Cron jobs are the duct tape that hold the Internet together.
@IKEAIndia seems to be shipping to Bangalore now. Seems like they're shipping straight from Hyderabad, but cool nonetheless.
Currently running at home: 5 iOS 3 Arch Linux 3 macOS 2 Android 2 Raspbian 1 OpenWrt 1 OpenBSD 1 Ubuntu 1 Windows
Thanks to the upcoming elections, and freshly raised seed round, proud to announce our new domain: electoral.bond You can buy Electoral Bonds across 29 SBI Branches till the 10th of January.
I wouldn't have launched this today, but @FinMinIndia has picked the dates as 1-10 April, so ¯\_(ツ)_/¯ Go buy a (tax exempt) Electoral Bond from your nearest SBI Branch and sell it for cash! please dm if you'd like to buy electoral bonds in bulk. buy-sell-electoral-bonds.car…
Unpopular opinion: So many breaches could have been avoided if Elastic and Mongo didn't think of security as an "enterprise" feature.
If you've ever received any SMS with any of these words, Walnut read it: salary sal credit deposit reimb debit Complete list: paste.ubuntu.com/p/XD4tYcDFg…
"A private company running a centralized closed-source infrastructure that decides whether or not you're human" sounds straight out of Blade Runner. This is not the future I signed up for. ~FIN~
Disclaimer: Not a product person. Fuck capitalism. End thread.
Umm what?
Lots of great feedback (and questions) after my talk #IndiaFOSS The project is up at github.com/librefin-in Slides are here: docs.google.com/presentation… (See speaker notes for a rough transcript). If you’re interested in contributing, drop me a DM.
Check your risk: If Google suspends your account permanently today, can you recover from it?
If you've ever wondered what happens to your data when a company gets acquired: My GoZefo (acquired by Quikr 2019) email is now getting marketing emails from Commonfloor (acquired by Quikr 2015).
We crossed 2Lakh! 🎉 To all of you who donated today - thank you! This has been my coolest birthday ever. There’s still an hour to go!
👋 It's my birthday today. I'm not a birthday person, but this year I'm doing a fundraiser for @internetfreedom 🎉. I'll be matching donations made to IFF today so you can double your impact: internetfreedom.in/double-yo… (Please RT)
72% of Pixel 3's estimated lifecycle emissions are from its manufacturing. By forcing customers to get a new device via planned obsolescence, Google is putting their profits before our environment. Source: Google's sustainability report for Pixel 3 storage.googleapis.com/manne…
This is a natural consequence of designing and promoting an ID system with zero liabilities or checks. When UIDAI told the parliament to put “Aadhaar printouts are valid KYC” in the law, they knew the consequences - they just didn’t care.
Replying to @adityakalra
I didn’t know there was an Aadhar involvement here too. @UIDAI. The photo, date of birth, Aadhar number are all incorrect. I am redacting the number anyway. Only thing used here which relates to me is the name. The Bihar address too is wrong, of course. @IncomeTaxIndia
My colleague when he found out I didn't study CS in college.
Spent 5 minutes reversing the app. Some findings: - The backend is running over HTTP (hp.gov.in/uidreport) - It allows viewing of up to 100 records at a single time - It uses MD5 (not sure exactly where)
Building your (local) surveillance state? There's an app for that.. play.google.com/store/apps/d…
Looking to buy boardgames in India, but outside of Amazon? I made a list: forum.reroll.in/t/where-to-b…
When your dream job was BuzzFeed but your parents wanted sarkari naukri.
Today we will be launching 5 big things that will impact your life! Any Guesses? via @TRAI #TRAIBIG5
Was that the production database?
give me a horror story from your specialty in five words or less
My new SIM is linked to someone else's Aadhaar.
Who hosts the Indian Government cyberspace? The chart shows (% of unique IPs that GoI domains point to, counted by the entity/AS that they belong to). The biggest here is obviously @NICMeity, which takes up 51%
Broken footpaths and hate speech.
₹ 1.69 trillion Direct Taxes paid by Bengalurigas, second highest in the country after Mumbai!! What do taxpayers get in return??
Just realized that more than 100 other small banks relying on Yes Bank for maintaining NEFT/RTGS/IMPS will be badly affected. Search for YESB0 at npci.org.in/national-automat… for a partial list. (132 banks on that list + 100s more)
Home for Diwali, and we recently got an Airtel Broadband connection, so I extended @squeal's work here. Here's a list of 1300+ blocked domains for Airtel Broadband users: github.com/captn3m0/airtel-b… (Not exhaustive, due to how censorship works)
I published a list of over 2,700 websites known to be blocked on @ACTFibernet's network. While not completely representative of all blocked websites, this list may still be of use to those attempting to research the scale of web censorship in India: github.com/qurbat/act-censor…
New Dark Pattern just dropped. Make a checkbox greyed out to make it look like it is disabled.
Wiki wishes you a happy Sunday!
90 days later Total restaurants: 14467 (-198) Temporarily closed: 510 (-36) Permanently closed: 9237 (+126) Still open: 4720 (-288) Changes in parentheses.
Re-ran my @BLRFoodCensus code again, and here are some *early and rough* stats: Total restaurants: 14665 Temporarily closed: 546 Permanently closed: 9111 Still open: 5008 #Bengaluru has lost 2/3rd of its restaurants. (Data via Zomato)
So it turns out that Credit Scoring is so important to Truecaller that they’ve just bought Messai.in (Website updated just now)
Thought I'd look at the @Truecaller app to see what changed to cause the bug (diff between 10.40.7 and 10.41.6) Likely was just an accidental bug (see screenshot), but I found more interesting stuff. Thread.
They claim to be completely "offline credit scoring engine", but this doesn't change the fact that users installed Truecaller to block phone calls. Not to get a score against their mobile number.
Replying to @captn3m0 @NCResq
UPI is cool, not because its online (NEFT/RTGS/IMPS was online), but because it figured out a loophole to the RBI 2FA guidelines while being mobile-first. When in doubt, remember that all fintech innovation is regulatory bypass.
My Google migration checklist: - Mail -> @MigaduMail - Stock Android -> LineageOS + #microG - Play Store -> FDroid + Yalp Store - Google Play Music -> Airsonic - Google Sync -> Radicale - Drive/Docs -> Looking - Google+ -> Seriously?
A customer that pays you at gunpoint isn’t your customer - you’ve created an artificial frustration where there was none to force them to pay. Make them delighted at the upgrade. Not angry.
Replying to @captn3m0 @_swanand
UPI also takes some questionable assumptions that don't work across the world (mobile number as Primary Key, linking all your bank accounts, routing everything through a non-government entity).
So much FinTech innovation in India is just finding the right loopholes. Wallets became popular because you could bypass 2FA to make transactions. UPI bypasses Beneficiary addition and waiting for 30 hours (and sometimes days) before making a payment.
Replying to @jaseemabid
@jaseemabid @jackerhack @Paytm Because of RBI 2-factor guidelines. Wallets are a hack around the 2-factor rule.
Bus takes a stop somewhere in Haryana (en route to @hillhacks). Me: Lacha paratha? Waiter: No Me: Stuffed Naan? Waiter: Will take time. Me: Kya milega? Waiter: Sir, Uttapam ya Dosa try karo.
However, the old Aadhaar printouts, letters remain as valid as always. No statement from UIDAI asking users to upgrade. The world's largest Identity Program has ever-shifting security and privacy guarantees, but there's no accountability from UIDAI. ~FIN~
Cleaned my keyboard this week. Too much cat hair = missed keypresses. Pre-photos (Inclusive of Cat Tax)
The virus is taking the weekend off, nothing to worry.
#COVID19 #vaccination sessions would not be scheduled on this Saturday and Sunday because of IT system transition from Co-WIN 1.0 to Co-WIN 2.0 trib.al/dGcjUtY
Replying to @_swanand
For banks, slow payments and bank transfers are a feature, not a bug. (The slower money moves, the more money you can make). But there's enough pushback from regulators and public that it's happening. See FedNow for eg.
Replying to @RitaG74
No, IIT Roorkee does not stand by this. Hundreds of IIT Roorkee alumni have signed this open letter taking a #StandAgainstCAA Not in my name! forms.gle/WLJ764jePvy3bMfZ7
After serving Hyderabad, Mumbai, and Pune, IKEA India is now delivering to..... ... ... Ahemadabad.

I found out recently about Fingerprint publishing printing beautifully typeset classic hardcovers. I spent too much tracking all of them down, so here's a thread. (Some links are affiliate)
Nobody: Mom:
Disclaimer: I'm not an economist, but I'm good at hunting down figures and calling out bullshit. The tables cited earlier come from rbi.org.in/Scripts/AnnualPub…. See Statement 18 and 19. ~FIN~ (11/11)
TIL Calibre was born because Sony released a frustrating ebook reader 😂. #IndiaFOSS
I ran @18F /pulse on Indian Government websites to see how many of them support HTTPS. A quick summary: Total Websites: 14183 Total Live Websites: 11710 (82%) Websites with Valid HTTPS: 4753 (40% of all live websites) Raw Dataset for now: docs.google.com/spreadsheets…
ITT: People with no idea about what a blockchain is. Repeat after me; Blockchain solves the double spending problem in a trustless ecosystem. If your problem involved trusting someone (certificate issuance, identity management, records, supply chain) - blockchains are useless
Blockchain is one helluva technology. Yet, almost 15 years later it still feels like a solution waiting for a problem. What are some real at-scale problems (other than crypto pls!) that blockchain can solve way more elegantly than other existing technologies?
For all the fancy UI CRED has, it doesn’t even pick the right keyboard for typing card numbers.
Thanks to everyone who worked on this. Visit speak.sarkar.icu
Not bad for a side-project born from a rant 😁 Screenshot from Google Search Performance report for endoflife.date Clicks: 33.1K Impressions: 814K
If you're looking for boardgames to gift, I added a search feature on the @ReRollBLR website: reroll.in/search It searches across all boardgame stores in India at once. (Built using Google CSE, feedback is welcome) Recommendations: boardgamegeek.com/geeklist/2…
Looking to buy boardgames in India, but outside of Amazon? I made a list: forum.reroll.in/t/where-to-b…
Decided to open the @NCIIPC (National Nodal Agency for Protection of Critical Information Infrastructure) site. Fun facts: - It doesn't have HTTPS - They don't have any update on #meltdownspectre vulnerabilities yet. - They have a hit-counter on the site! I rest my case.
This is a dick move @FreeCharge (Disabling the email input field in an unsubscribe form). Do you really hate your customers that much?