Monthly Archives: November 2017

It is dangerous in Uttar Pradesh to even look Muslim

Opinion: It’s becoming increasingly dangerous in Uttar Pradesh to even look Muslim

It’s as if Hindutva forces want to create a public sphere that, if not literally devoid of Muslims, is certainly devoid of Muslimness.

On Wednesday, a Muslim cleric and his two relative were assaulted and stabbed on a train in western Uttar Pradesh. This was a hate crime – the victims were picked out for their religion. Mohammad Israr, one of the victims who had received stab wounds from an ice pick on his back, head and hands said that their Muslim appearance – with namaaz caps and scarves – had irked the attackers. While the men were being assaulted, the attackers said repeatedly, “You wear caps? We will teach you to wear caps.”

This is not the only incident of Muslims in Uttar Pradesh becoming the focus because of their clothing. On November 21, a Muslim woman was instructed to remove her burqa by the police in a rally by Uttar Pradesh chief minister Adityanath. A couple of days after this, the Bharatiya Janata Party made a formal demand to the Election Commission of India, asking for special verification of voters in burqas. “Women sporting the veil should be verified if needed,” the BJP said. “For this women security personnel or women election officers should be deployed at booths.”

From these incidents, it would almost seem that there is an attempt to erase from public view the typical dress of North Indian Muslims – kurta-pyjama and caps for men, burquas for women. It’s as if Hindutva forces want to create a public sphere that, if not literally devoid of Muslims, is certainly devoid of Muslimness.

Hindutva rising

The issue of looking Muslim is not a new one or, for that matter, only confined to Uttar Pradesh. In 2015, for example, a Muslim man’s beard was pulled even as he was assaulted and robbed on a train in western Uttar Pradesh. Like the namaaz cap and kurta, the beard is also a prominent symbol of Muslimness.

In 2014, a Muslim man Mohsin Shaikh was lynched in Pune by around 25 members of a group called the Hindu Rashtra Sena. The members of the Hindu Rashtra Sena were angry about morphed images they had seen circulating on social media. When they stepped out, they spotted Shaikh, who had a beard and was wearing a green Pathan suit, slotting him as Muslim.

In June this year, a 15-year old boy named Junaid was singled out as Muslim for the cap he was wearing and stabbed to death in a train in Haryana. In Junaid’s village, in Faridabad, a district in Haryana that borders Uttar Pradesh, men are trying to look “less Muslim”, droppingobvious articles of clothing such as namaaz caps or shaving off their beard. The Telegraph found that symbols of Muslimness are now found less visible on the train route on which Junaid was murdered. Muslims think it too risky to wear their namaaz caps while commuting.

Airbrushing reality

In his 2004 essay “On representing the Musalman”, historian Shahid Amin deftly critiques the Nehruvian “Unity in diversity” dictum that represented Muslims – and other minorities – using blunt stereotypes. In government “unity in diversity” posters, Muslims are represented by a man wearing a fez cap.

Thirteen years after this essay, things have moved from bad to worse. Earlier, Muslims were stereotyped, yet – small mercies – they were still part of government propaganda. Yet, now, with Hindutva rising, there is pressure for Muslims to remove markers that are visually distinct.

This trend is particularly acute in Uttar Pradesh. Looking Muslim has resulted in a range of penalties, ranging from chastisement by the police to outright assault. This behaviour is backed up by the administration, led by a chief minister who is not only accused of communal rioting but has gone on record claiming that secularism – a constitutional principle – is a lie.

Two Nation theory

This airbrushing of Muslims from the public sphere is not unexpected. Vinayak Savarkar, the man who coined the word “Hindutva” was a firm believer in the Two-Nation Theory and postulated that in India, Muslims must subordinate themselves to Hindus.

The expectation that Muslims should be made politically irrelevant in India finds deep resonance with the BJP charge of “vote banks”, the notion that minority communities are pandered to by politians for electoral gain. But the fact of Indians voting as groups is a banal reality: voting along caste, geographical or gender lines is a common way for groups to pressure leaders to act. Patels in Gujarat might vote for reservations or a village for a new tubewell. None of this attracts censure – till the group in question happens to be members of minority communities.

Vote banks

As a result, the BJP rarely courts Muslims, preferring to rely solely on Hindu votes. In the March landslide in the Uttar Pradesh Assembly elections, for example, the BJP stitched together a remarkable multi-caste Hindu alliance, winning 40% of the vote.

Even when the BJP desires Muslim votes, its methods don’t rely on the quid pro quo that characterises India’s transactional democracy. For example, in one recent case, civic polls in Uttar Pradesh saw a BJP leader threaten Muslims to vote for the BJP. Even while asking for their votes, the BJP does not see Muslims as legitimate players in the political space. While other voters could ask for, say, roads or water works, in return for their ballots, Muslims in Uttar Pradesh are not worthy of even such a transaction.

So successful has the BJP’s pitch been on this score than even some Muslim leaders now agree that it would be better if Muslims strategically excused themselves from the political space given that it would “polarise society”.

We welcome your comments at letters@scroll.in.

Advertisements

THE TROUBLE WITH INTEL’S MANAGEMENT ENGINE

Something is rotten in the state of Intel. Over the last decade or so, Intel has dedicated enormous efforts to the security of their microcontrollers. For Intel, this is the only logical thing to do; you really, really want to know if the firmware running on a device is the firmware you want to run on a device. Anything else, and the device is wide open to balaclava-wearing hackers.

Intel’s first efforts toward cryptographically signed firmware began in the early 2000s with embedded security subsystems using Trusted Platform Modules (TPM). These small crypto chips, along with the BIOS, form the root of trust for modern computers. If the TPM is secure, the rest of the computer can be secure, or so the theory goes.

The TPM model has been shown to be vulnerable to attack, though. Intel’s solution was to add another layer of security: the (Intel) Management Engine (ME). Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.

There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.

 

The Beginning of Intel’s Management Engine

In her talk at last month’s CCC, [Joanna Rutkowska] talked about the chain of trust found in the modern x86 computer. Trust is a necessary evil for security, and [Joanna] contrasts it with the normal meaning of the word, for which she uses “trustworthy”. If you can see the source code for your application, you can verify that it’s trustworthy. But since the application runs on top of the operating system, you have to trust the OS. Even if the OS is verified and trustworthy, it still has to trust the BIOS and firmware. As you keep digging down like this, verifying each layer, you eventually get to some part of the system that you can’t verify and just have to trust, and this root of trust is the role that the ME is trying to play.

 

trustedstick
[Joanna Rutkowska]’s plan for a ‘trusted stick’, offloading the root of trust to a small USB device

This root of trust on the modern computer is, quite simply, untrustworthy. Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device. Secure Boot can be disabled from the manufacturer, and security isn’t secure if it’s optional, and even less so if there are exploits for specific implementations of UEFI.

 

[Joanna]’s plan for truly trustworthy computing is a simple USB thumb drive. Instead of holding data, this thumb drive contains security keys. The idea behind this ‘trusted stick’ is that the root of trust can be built from this stick, and these keys are something that you own and control and can presumably keep secret. Everything else above that is verifiable, and thus doesn’t need to be trusted. It’s an interesting idea, but right now it’s just an idea. And it stands in contrast to the current situation where Intel somehow bakes the trust into the chip for you.

What the Management Engine Is

The best description of what the Management Engine is and does doesn’t come from Intel. Instead, we rely on [Igor Skochinsky] and a talk he gave at REcon 2014. This is currently the best information we have about the ME.

The Intel ME has a few specific functions, and although most of these could be seen as the best tool you could give the IT guy in charge of deploying thousands of workstations in a corporate environment, there are some tools that would be very interesting avenues for an exploit. These functions include Active Managment Technology, with the ability for remote administration, provisioning, and repair, as well as functioning as a KVM. The System Defense function is the lowest-level firewall available on an Intel machine. IDE Redirection and Serial-Over-LAN allows a computer to boot over a remote drive or fix an infected OS, and the Identity Protection has an embedded one-time password for two-factor authentication. There are also functions for an ‘anti-theft’ function that disables a PC if it fails to check in to a server at some predetermined interval or if a ‘poison pill’ was delivered through the network. This anti-theft function can kill a computer, or notify the disk encryption to erase a drive’s encryption keys.

These are all extremely powerful features that would be very interesting to anyone who wants or needs to completely own a computer, and their sheer breadth makes the attack surface fairly large. Finding an exploit for the Intel ME will be difficult, though. While most of the firmware for the ME also resides in the Flash chip used by the BIOS, the firmware isn’t readily readable; some common functions are in an on-chip ROM and cannot be found by simply dumping the data from the Flash chip.

This means that if you’re trying to figure out the ME, a lot of the code is seemingly missing. Adding to the problem, a lot of the code itself is compressed with either LZMA or Huffman encoding. There are multiple versions of the Intel ME, as well, all using completely different instruction sets: ARC, ARCompact, and SPARC V8. In short, it’s a reverse-engineer’s worst nightmare.

The Future of ME

This guy wants information on the Intel ME. Also, hackaday has an istockphoto account.
This guy wants information on the Intel ME. Also, Hackaday has an istockphoto account.

With a trusted processor connected directly to the memory, network, and BIOS of a computer, the ME could be like a rootkit on steroids in the wrong hands. Thus, an exploit for the ME is what all the balaclava-wearing hackers want, but so far it seems that they’ve all come up empty.

The best efforts that we know of again come from [Igor Skochinsky]. After finding a few confidential Intel documents a company left on an FTP server, he was able to take a look at some of the code for the ME that isn’t in the on-chip ROM and isn’t compressed by an unknown algorithm. It uses the JEFF file format, a standard from the defunct J Consortium that is basically un-Googlable. (You can blame Jeff for that.) To break the Management Engine, though, this code will have to be reverse engineered, and figuring out the custom compression scheme that’s used in the firmware remains an unsolved problem.

But unsolved doesn’t mean that people aren’t working on it. There are efforts to break the ME’s Huffman algorithm. Of course, deciphering the code we have would lead to another road block: there is still the code on the inaccessible on-chip ROM. Nothing short of industrial espionage or decapping the chip and looking at the silicon will allow anyone to read the ROM code. While researchers do have some idea what this code does by inferring the functions, there is no way to read and audit it. So the ME remains a black box for now.

There are many researchers trying to unlock the secrets of Intel’s Management Engine, and for good reason: it’s a microcontroller that has direct access to everything in a computer. Every computer with an Intel chip made in the last few years has one, and if you’re looking for the perfect vector for an attack, you won’t find anything better than the ME. It is the scariest thing in your computer, and this fear is compounded by our ignorance: no one knows what the ME can actually do. And without being able to audit the code running on the ME, no one knows exactly what will happen when it is broken open.

The first person to find an exploit for Intel’s Management Engine will become one of the greatest security researchers of the decade. Until that happens, we’re all left in the dark, wondering what that exploit will be.

POST NAVIGATION

 

5 STEPS TO OPTIMIZE YOUR WORDPRESS WEBSITE

5 STEPS TO OPTIMIZE YOUR WORDPRESS WEBSITE FOR PERFORMANCE

 

Google has stated that its goal is to provide users with a great user experience and fast loading websites make that happen through increased user satisfaction. And with all the hard work you put into creating a stellar design for your website, it would be a shame if visitors bounced off before it even fully loaded.

The goal is to have your site load in less than two seconds.

While that may seem next to impossible for all of you with sites that load in fifteen to twenty seconds (and that on a good day, too), there are a few different things you can do to effectively decrease page loading times. With this in mind, in this post, we’ll walk you through a five-step process to help you optimize your WordPress website for performance.

WHY IS IT IMPORTANT TO OPTIMIZE YOUR WORDPRESS WEBSITE FOR PERFORMANCE?

Back in 2010, Google announced that it takes site speed into account in its ranking algorithms. On top of this, slower loading websites have higher bounce rates and lower conversion rates. Improving your site’s page loading times can help you retain visitors.

In addition to this, web crawlers will index a fast-loading website with optimized images faster than a slower website that has tons of large image files. Improving your site’s crawl speed can potentially increase its visibility in search engine results.

It’s pretty easy to see that speed has a huge impact on the user experience your site delivers. The good news is that there’s a host of tools out there that you can use to measure and analyze your site’s performance and take necessary steps to speed it up.

HOW TO OPTIMIZE YOUR WORDPRESS WEBSITE FOR PERFORMANCE (IN 5 EASY STEPS)

In this section, we’ll step through some of the different ways you can optimize your site for performance and recommend some useful tools and plugins along the way. As always, you should take a complete backup of your WordPress website before you begin.

STEP 1: ANALYZE YOUR SITE’S SPEED

Analyzing your site’s current page load times is the first step on the path to performance optimization. There a number of free tools out there that can help you measure your site’s load times and see how it holds up under multiple user loads.

To get started, head over to Pingdom (or GTmetrix) to begin analyzing your site’s speed. Enter your site’s URL in the URL field and select a testing location from the drop-down menu. Once you’ve done that, click the Start Test button to begin the page speed test.

Once the test is complete, you’ll be able to see the test results’ summary by scrolling down the page. It should look something like this:

We recommend Pingdom to test page speeds because, on top of giving you a brief summary of your site’s important speed metrics, it also gives you invaluable performance insights along with suggestions on how to improve your site’s overall performance.

STEP 2: USE A REPUTABLE CACHING SOLUTION

As a website owner you must have noticed that some of the largest files hosted on your website rarely ever change. These could be CSS files or high-resolution images that you use on your landing page. Caching is one way to speed up your site dramatically.

From a technical standpoint, once you enable a caching solution on your website, it’ll automatically store some of your site’s files (the largest ones that hardly ever change) on the visitor’s browser. So, when the visitor accesses your site again, the files that were cached will be loaded from their browser thus reducing the page load times.

The WordPress Plugin Directory has a handful of free, reputable caching solutions for you to choose from such as WP Super Cache and W3 Total Cache. However, if you’re looking for a premium offering then you’ll be hard-pressed to find a better caching solution than WP Rocket.

STEP 3: OPTIMIZE AND COMPRESS YOUR IMAGES

Images are everywhere. They’re great for adding value to your written content and help draw in the reader’s attention not to mention dozens of other benefits. The only downside to using images is that they take up a lot of space on your server and slow down page load times.

For this reason, it’s a good idea to optimize and compress image files before uploading them to the WordPress Media Library. If you have an image intensive site (for instance, a photography portfolio) then it’s best to install a plugin solution (such as Imagify Image Optimizer) that’ll automatically optimize and compress your images when you upload them. And for those of you who publish images occasionally and would rather not install a plugin, you can opt for the Imagify online application instead.

STEP 4: ENABLE GZIP COMPRESSION

When a visitor enters your site’s URL in their browser’s address bar, a request is made to transfer data between your site’s server and the visitor’s browser. gZIP compression enables you to decrease the size of that data by up to 70% of its original size. And when the packet of data reaches the visitor, their browser will decompress the page and display it.

An easy way to enable gZIP compression on your WordPress website is through the Optionspage. Here’s how:

Login to your WordPress website’s admin panel and navigate to http://www.yoursite.com/wp-admin/options.php. From the All Settings screen, scroll down till you see the can_compress_scripts field.

Change the value from 0 to 1 in order to enable gZIP compression on your site. Remember to hit the Save Changes button at the bottom of the screen when you’re done.

Alternatively, you can also enable gZIP compression by adding the following lines of code to your site’s .htaccess file:

## CODE TO ENABLE GZIP COMPRESSION ##
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
## CODE TO ENABLE GZIP COMPRESSION ##

STEP 5: MEASURE THE IMPACT PLUGINS HAVE

As a WordPress website owner, you probably have a few plugins installed on your site. But if those plugins don’t comply with the coding standards then they could cause security issues or be slowing down your site.

It’s important to measure and analyze your active plugins to make sure they aren’t running any processes that cause high CPU usage. The P3 (Plugin Performance Profiler) by GoDaddy.com shows you how much impact each individual plugin has on your site’s page load times.

Once you’ve installed and activated the plugin, navigate to Tools > P3 Plugin Profiler from your site’s admin panel and click the Start Scan button. After it’s done scanning, it’ll give you a concise breakdown of the results like this:

If any active plugins on your site are causing bottlenecks then you’ll need to find alternative solutions for them or contact their developers and report your issue.

CONCLUSION

Site speed is a huge ranking signal in Google’s search algorithm and if you want your site to show up near the top of its search results, you’re going to have to optimize it for performance. As an added bonus, you’ll also be delivering a great user experience.

A professional writer, digital, and brand designer, Rafay’s work is published across a number of high-authority sites and magazines. He has provided services to numerous brands across the globe and is the go-to solution provider to many reputable private and government organizations. He is also the co-founder of BloggInc. When he isn’t overloaded with work, you can find him tending the farm with his wife, furniture hunting, and being awesome at in-door badminton. More articles by Rafay Ansari
%d bloggers like this: