Category Archives: Uncategorized

Three Minutes of Fame

Today I was internet-famous for slightly more than three minutes; just long enough for Richard Cambell and Carl Franklin to read and reply to a comment on an episode of the .Net Rocks Podcast.

Back in January, I left a comment on their website, regarding StartSSL and Let’s Encrypt, two providers of SSL certificates they’d mentioned during the show. Today, show 1287 came out, covering the topic of “InfoSec for Developers” and they used my comment (right about the 5:40 mark) as the segue to the conversation with their guest, security professional Kim Carter. (Interestingly, he turns out to be using security certificates from one of the sources I’d commented on.)

So if you don’t know that’s all about, an “SSL certificate” is one of the things you need in order to setup a secure website using HTTPS. This is part of what triggers the lock icon to appear when you’re viewing a secure web site. (You do look for that when buying things online, right?)

Richard made a valid point that a paid-for certificate really doesn’t get a whole lot more validation than what the free ones get, so if you’re able to take advantage of the free ones, there’s not really a lot of incentive not to. (it does leave the question of what extra value you get with a paid SSL certificate.)

The self-signed certificates mentioned in my question don’t have anyone vouching for their authenticity, though it’s not clear that the free or even the paid for certificates have anyone vouching for them either. There is another kind of certificate though, the “Extended Validation” certificate (which is what your bank should be using) which does involve some in-depth checking of identity.

One thing that does distinguish third-party (i.e. “real”) certificates from the self-signed ones is that if something goes wrong (e.g. the private key is stolen), a third-party certificate can be revoked. Since the webmaster is the only one vouching for a self-signed certificate, there’s no way to tell whether the person saying the certificate is valid is who they say they are. The third party certificates come from a source which has been validated, and there’s a secure chain of connections for verifying that the certificate can be trusted.

How To Leave a Facebook Group Message

A friend mistakenly started a massive (50? 100?) group message on Facebook. After the initial admission of “I created this by mistake,’ people started replying (to all) that they would like to be removed (which is something you have to do yourself) and others began asking, “How do you do leave a group message?”

Below are the steps for doing this from the full version of the Facebook website. The mobile site doesn’t seem to offer this functionality and while this can probably be done from the mobile app, I don’t use it so can’t provide much guidance.

  • Click on “Messages” on the left hand side.
  • Click on the message you want to leave.
  • At the top of the screen, there’s a box labeled “+ New Message.”
  • Next to that, there’s a smaller box with what looks like either a gear or a sunburst. Click that.
  • A list of options will appear.
  • Click “Leave Conversation.”
  • Confirm that you want to leave.

Hacking a Space Probe

This is just absurdly cool.

The ISEE-3/ICE space probe was launched in 1978.
In 1997, it’s mission complete, it was sent a shutdown signal.
In 2008, we discovered it hadn’t shutdown, was still responding to commands, and still had fuel.
And it’s orbit was going to bring it near Earth in 2014.

NASA no longer has the equipment for communicating with it and decided it would be too difficult and expensive to rebuild it. (Right about now, I’m thinking about V’Ger. “The creator does not answer.”)

In March of this year, xkcd published comic #1337 with the idea of a group of online volunteers re-establishing contact.

In May of this year someone actually did it!

Some links:

According to the Rockethub page, contact was lost again on August 10, but it’s still amazingly cool that they were able to pull this off. (And for less than $200,000 to boot!)

Raspberry Pi Beginners Guide

Another entry from the land of “So I can find it later….”

Setting up the Raspberry Pi set was easy enough, and installing Chromium (the open-source version of Chrome) only took a single command (apt-get install chromium). When I was using it to post “Hello World” on Facebook, I discovered that the @ and ” keys were reversed (the physical keys were in their usual locations, but their behaviors were backwards). OK, the keyboard mapping isn’t set for the US. (The Pi and the drive image I’m using are both from the UK.)

I was pretty sure I could fix it via the configuration program that runs when you boot the first time, but there were two problems: (1) the configuration program only run automatically on the first boot and (2) I couldn’t remember the command.

Searching for raspberry pi configuration program led to the link RPi Beginners which looks to chock-full of useful information if (like me) you’re just getting started with Linux and/or the Pi. (For example: Backup your SD card.)

By the way, the configuration program is raspi-config; you’ll need to run it as sudo raspi-config.

Installing Ubuntu without pae

From the land of “things I might want to refer to later….”

My old Dell Inspiron works fine except for a missing ‘R’ key. Windows XP is showing more signs of age than the notebook, so time to put another OS on it.

I’ve been using Ubuntu in such situations, but my attempts at installing both 12.04> and Lubuntu (lightweight Ubuntu) have both ended with a message about the hardware not supporting the required pae extensions.

Physical Address Extension (aka pae) is an Intel technology which allows a 32-bit operating system to access more than 4 GB of RAM. (A quick read suggests it essentially hands each application a 4 GB chunk of memory, similar to how programs on the 80286 and earlier chips were able to address more than 64 KB at a time by combining a 16-bit memory address with a 16-bit segment address — and by revealing that I know about this, I’ve probably dated myself quite handily.)

Another quick search on Google turned up a relevant pair of AskUbuntu Questions describing how to install a non-PAE version.

In a nutshell:

  • Download the non-pae netboot image mini.iso. This is a bare-bones installer which downloads the selected packages during the installation process. (Obviously, this requires a broadband connection.)
  • Burn the image onto a CD* and boot the computer from that.
  • Accept the default values for most of the prompts. You’ll need to supply a userid and password. My experience is that it’s faster to select the keyboard layout from a list then to go through the prompts for “detection.” (Faster for a standard US keyboard anyhow; your mileage may vary.)
  • At the final screen, when prompted for packages to install, be certain to select a desktop (e.g. Ubuntu Desktop) unless you plan to do everything from the command line.

* The Inspiron’s CD drive is getting old and unreliable, using UNetbootin to make a bootable thumb drive worked perfectly.

DRM and Monopolies

I miss Rob Pegaroraro’s contributions to the Washington Post’s technology coverage. Instead of the Apple Rumor du jour that passes for Tech Journalism in most places, he digs into policy angles.

He makes some interesting points in his story “Overlooked E-Book Chapter: DRM Makes Monopolies.” Notably, the fact that once someone buys an e-reader (e.g. a Nook or Kindle), they’re not likely to buy e-books from competing vendors. Why not? Because the Digital Rights Management (or rather, Digital Rights Restrictions) prevent you from reading a book from vendor A on vendor B’s hardware.

He does overlook two loopholes though. First off, you can buy two e-readers. If you have lots of money. (In which case, please share some with me!) Or you can buy a tablet computer (iPad or Android) and download the free Kindle and Nook e-reader apps. You still can’t read the books from one store in the competing stores’ app, but at least you only have to buy one piece of hardware.

But it’s still not convenient. And, as Pegaroraro points out, your rights to the book are sharply limited. With a physical book, once you’ve read it, you can put it on a shelf, sell it or give it away. With an e-book, it’s yours forever.

Is Your Computer at Risk?

If you have 10 minutes to spare, read about The Virus That Really Will Kill Your PC.

If you only have 5 minutes, the super-condensed version is that there’s a virus which may have altered your computer’s settings and if you’re infected, your web browser and email will stop working on July 9. To find out if you’re infected, visit http://www.dns-ok.us/. If the page shows up with a green background, then you’re in the clear (or at least, you don’t have this particular problem). A red background however means your internet connection will stop working in July.

The linked article is worth a read. In short, the FBI busted some bad guys who were hijacking people’s internet traffic by way of a virus that changes DNS settings. (DNS is the system that turns human-friendly address – such as www.thatblairguy.com – into computer friendly IP addresses.) For the time being, the FBI is running the DNS server the bad guys had been using, but that won’t go on forever.

The interesting question to me then is how does that web page work? Viewing the page source, there’s nothing but static HTML.

It turns out The Good Guys are taking advantage of the compromised DNS to set up an “eye chart”. If your computer is using a safe DNS system, then www.dns-ok.us resolves to an IP address where the “green light” page is displayed. But if your computer is using an unsafe DNS system (the one the bad guys put in place), then www.dns-ok.us resolves to the IP address of the “red light” page.

Thoughts on Blocking Malware

A friend just got her computer back from “the computer doctor.” Evidently it had been compromised with a root kit (the really nasty sort of software that runs at such a low-level your anti-virus software can’t see it). She uses three different anti-malware tools and was quite surprised that none of them caught it.

The problem with anti-virus software is it can only protect you against problems that are already known. The bad guys are constantly looking for new ways to attack your computer and the anti-virus programs are playing catch up. I’m not saying don’t use anti-virus software (the free version of Avast has saved me several times), just don’t count on it as your only defense.

So, is there any 100% guaranteed way to stop malware? Well, you could always unplug your computer from the Internet and never use it to access any USB drives or CDs, but that’s not exactly practical. And if you do stay online, even visiting only “known safe” sites doesn’t help much, since even legit sites get compromised on occasion.

But there are a few things you can do to help your odds. None of these approaches is 100% guaranteed to keep you safe, but they should help.

The Basics

This is “the usual stuff” you hear any time someone talks about how to stay safe online. It seems obvious, and yet it bears repeating because it’s easy to get careless:

  • Don’t open attachments you weren’t expecting, not even from people you know and trust. Maybe that attachment from your friend Bob really is the really important document the email says, but if you weren’t expecting it, you have no way of knowing.
  • Be skeptical of clicking links in unexpected emails. Your bank isn’t going to tell you to click a link to verify your account information. (If something like this ever does turn out to be legit, you need to change banks.)
  • Don’t download pirated software. Aside from the legal issues, pirated software frequently contains malware.

Slightly more Difficult

Beyond the basics, there are a few other things that are easy enough to do, but don’t always make it into the “How to stay safe” discussions. Most attacks against your computer are targeting the applications you run, not the operating system. (Running Windows isn’t as risky as reading a PDF file with Acrobat reader.)

  • Use a browser other than Internet Explorer. Microsoft’s made a lot of progress with the safety of Internet Explorer over the past few years. But even though IE recently dropped below 50% of the total browser market, it’s still the single most popular browser out there and therefore the one most likely to be targeted in online attacks.
  • Keep your system up to date. Not just the Windows/Mac/Whatever Operating System patches, but also the software you use. Use Microsoft Update instead of Windows Update to get patches for Office. Install Secunia’s Personal Software Inspector tool to find out what other software on your computer is out of date.
  • Uninstall software you don’t use. The more programs you have, the more likely you are to have something which has security problems. Bonus: You also save disk space!
  • Run “alternate” software. The more widely-used a given program is, the more tempting a target it becomes for the bad guys. Instead of Acrobat Reader, use Foxit Reader. Instead of Microsoft Office, use Libre Office (fully compatible documents, but also available for free.)
  • Uninstall Java. Most home users don’t need it, and older versions were not only laden with security problems, but the updates didn’t remove the older versions.
  • Don’t run as the Administrator. When you set up your computer, reserve the main account for software installations and the like. Create a second, less-privileged login ID for day to day tasks.

Security journalist Brian Krebs talks a bit more about keeping software up to date and what to install or delete in his: 3 Basic Rules for Online Safety

Going for the Gusto

Wanna go really hard-core?

  • Uninstall Flash (or install a flash blocker so that you have to approve any Flash scripts that run).
  • Install NoScript (same idea).
  • Don’t do any online banking with a Windows machine, use a Linux live CD instead. (For a business, I’d consider this one an absolute must.)
  • Use a third-party DNS provider. Both Open DNS and Google Public DNS provide a facility where you change a couple system settings and if you then attempt to access a site which serves up malware, they’ll block the connection.

The Takeaway

There are no magic bullets. None of these suggestions will provide absolute protection for all users. What might be overkill for one person’s situation might not be nearly enough protection for another. But by choosing the practices which make the most sense for you personally, you can tilt the odds a bit more in your favor.

Bonus Reading: Get a Mac/Switch to Linux

In most discussions of online security, someone inevitably replies “Get a Mac!” or “Switch to Linux.” It’s a bit like going to a concert and someone yelling, “Play Freebird.” It’s a wonderful song, and a few groups have done great covers in response, but it’s not always the best fit.

But if the suggestion is inevitable, I may as well be the one to make it and bring up some of the tradeoffs.

Switching to a Mac may actually make sense for some folks, but don’t make the switch thinking you’ll be invincible. At the annual CanSecWest security conference, there’s a “Pwn2Own” contest where security professionals attempt to break into computers running the latest versions of the Mac OS, Windows and Linux. The first one to succeed, wins the computer. Every year, the Mac is the first system compromised.

Now that’s what happens at a security conference. Macs are less common than Windows computers; so the bad guys have to work harder to find them. It’s much easier to attack the more common computers.

But malware targeting Macs has been cropping up too.

Other concerns with switching to a Mac:

  • You’ll have to buy all your software again. Assuming a Mac version even exists. Otherwise, you might have to look for an equivalent program.
  • Despite the marketing pitch, a Mac doesn’t always “just work.” Just two weeks ago a co-worker returned a Mac Notebook that was downloading over his WiFi at just 1/10 the speed of Windows computer. (Apple’s support wasn’t able to resolve the problem.)
  • You may encounter problems with incompatible file formats when sharing files with people who use Windows. Particularly if the programs you were using on Windows aren’t available for Mac and you had to switch to something else.

Linux tends to be the most secure OS of all (as noted earlier, most of the problems these days are the software you run on top of it). The main downfalls of Linux are:

  • Availability. Yes, it’s free to get a copy, but you still have to find where to download it, burn a CD, and install it. Although this is getting easier, it’s still not a set of tasks the average home user will be comfortable with.
  • Commercial software. Few software vendors on Windows or Mac have Linux versions of their software. Some do, but most do not. You’ll generally have to find an open source equivalent, and then work out how to share files with others who are on Windows or Mac.