Archive for the ‘Technology’ Category
I know this is slightly old news, but I still wanted to talk briefly about it. Near the beginning of March, GitHub users received this message via email.
A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.
While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.
. . .
Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.
. . .
Sincerely, The GitHub Team
The following is a rough sequence of events that led up to the official notification of the users. All times are in PST.
- Homakov opens Rails issue 5228 for the mass assignment vulnerability. [source]
- Homakov tests the vulnerability by opening an issue “from the future”. [source]
- Issue 5228 is closed. [source]
- Issue 5228 is deemed not a Rails issue. [source]
- Homakov fully demonstrates the vulnerability by committing to the Rails master branch. [source]
- March 4: GitHub suspends Homakov’s account. [source]
- GitHub fixes the vulnerability on their site. [source]
- GitHub posts an entry on their blog informing the public of the exploit. [source]
- Homakov describes the procedure for the exploit on his blog. [source]
- GitHub posts another blog entry detailing Homakov’s reinstatement, as well as amendments to their security policy. [source]
- Homakov’s account is reinstated. [source]
- GitHub sends out an email informing all users that their public keys have been frozen and will be unusable until manually approved. [source: email]
This is a classic case of a hacker disclosing a vulnerability by exploiting it. Opinions often vary as to whether or not this is an appropriate method of disclosure. The intentions of the responsible parties have to be called into question, as well as the severity of the exploit. In this case, many argued that Homakov tried to report the issue but was brushed off, leaving him with no other way to call attention to the vulnerability. Others argued that he was trying to inform the wrong people, or that he simply should have refrained from exploiting the security hole himself. In any event, the damage (if it can be called damage) was extremely minimal considering what could have been produced by a malicious attack.
As stated in GitHub’s blog post, the final verdict was “no malicious intent”, and Homakov ultimately had his account restored. After reading through loads of comments, the general attitude of GitHubbers seems to be one of praise rather than condemnation, but it’s certainly an arguable issue in the way of ethics.
When, if ever, is it okay for hackers to act on a vulnerability in order to demonstrate flaws?
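The vulnerability class named in the timeline, mass assignment, is easiest to see in code. The following is an added example in plain Ruby; it is not code from this post, from Rails or from GitHub, and the PublicKey class, its field names and the request hash are all constructed for illustration. It puts the unsafe pattern, where every submitted field is written to the record (so a smuggled user_id re-parents the key, which is the effect the GitHub email describes), beside the hardened pattern that whitelists the form's own fields and takes ownership from the authenticated session rather than from the request.

```ruby
# Added example (not from the post, Rails or GitHub): plain Ruby that mimics
# the mass-assignment pattern behind the vulnerability class in the timeline,
# and the attribute whitelist that closes it.

# Constructed record standing in for a "public key belongs to user" row.
class PublicKey
  attr_accessor :user_id, :title, :key

  # Fields the "add key" form is meant to set. Ownership is deliberately absent.
  PERMITTED = %w[title key].freeze

  # Vulnerable pattern: every attribute present in the request hash is written
  # to the record, so an extra "user_id" field silently overrides ownership.
  def self.build_unsafe(current_user_id, params)
    rec = new
    rec.user_id = current_user_id
    params.each do |attr, value|
      setter = "#{attr}="
      rec.public_send(setter, value) if rec.respond_to?(setter)
    end
    rec
  end

  # Hardened pattern: only whitelisted fields are copied from the request, and
  # user_id always comes from the session. Returns the record and the list of
  # rejected fields so the caller can log them for detection purposes.
  def self.build_safe(current_user_id, params)
    rejected = params.keys.map(&:to_s) - PERMITTED
    rec = new
    rec.user_id = current_user_id
    params.each do |attr, value|
      next unless PERMITTED.include?(attr.to_s)
      rec.public_send("#{attr}=", value)
    end
    [rec, rejected]
  end
end

# Constructed request body: a normal form submission plus a smuggled user_id
# that is not a field on the form.
TAMPERED_PARAMS = {
  "title"   => "laptop",
  "key"     => "ssh-rsa AAAA...constructed-placeholder",
  "user_id" => 1,
}.freeze

# Runs both builders for a session belonging to user 42 and reports who ends
# up owning the key in each case.
def demo(current_user_id = 42)
  unsafe = PublicKey.build_unsafe(current_user_id, TAMPERED_PARAMS)
  safe, rejected = PublicKey.build_safe(current_user_id, TAMPERED_PARAMS)
  { unsafe_owner: unsafe.user_id, safe_owner: safe.user_id, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  puts demo.inspect
end
```

The unsafe builder ends up with the key attached to user 1 even though user 42 submitted it; the safe builder keeps it on user 42 and reports user_id as a rejected field, which is exactly the kind of event worth logging, since a request that carries fields the form never sends is a useful tamper signal.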
Part two of a two-part focus on Gmail.
It’s said that disorganization is a sign of genius. I guess I’m not a genius—not when it comes to work spaces. If it’s a place where information is stored, I generally keep it organized, whether it’s my desk, my hard drive, or my email inbox. And thankfully, with a Gmail account, it’s ridiculously simple to keep order in what can otherwise be a chaotic stack of virtual correspondence.
The following is by no means the be-all, end-all method to organize your mail. It’s just how I use some of the available tools to make my mail-checking quick and efficient.
Here’s a basic inbox setup. A few messages—some read, some unread—from various senders. For the sake of simplicity, I’ll be sticking to the Classic inbox style.
It’s not incredibly messy, but there’s enough here to demonstrate how I use filters, labels, and label settings as a sort of ad hoc filing system to split up and organize my mail. I also eschew email hoarding, making sure instead to delete and archive. Old mail that will serve no future purpose gets cleared out, and mail that needs to be kept goes into the archive, leaving behind a clean inbox—the goal.
The first thing to do is determine how specifically you want your mail sorted. You may want some messages filtered at the domain level, such as twitter.com for all your Twitter notifications. Alternatively, you might want something more specific, like a single address at the pseudomail.com domain for only messages from your friend David Webb.
Once you’ve chosen how you want your mail filtered, you can create a label that will be applied to all the messages that meet your chosen criteria. In this example, I’m going to filter emails that come from Google, so I’ll create a label called Google.
Click on the settings gear at the top right corner of the inbox and select the Settings option.
In the Settings screen, select Labels. You’ll be presented with an overview of your current label configurations. Click the Create new label button, and in the popup that appears, enter the name for your new label.
There is an option that allows you to nest your labels, but again, for simplicity, we’ll leave that option alone for now.
Once your label is created, you’ll see it in the list on the left side of the screen, under the Compose button. Now you can set up your filter. While still in the Settings screen, select Filters. Click on Create a new filter. The search bar will drop down to allow you to specify your criteria. Since I want to filter mail from Google, I’ll put the domain google.com in the From field. I could specify criteria for the other fields as well, but because I want to target all Google messages, I’ll leave those fields blank. Click Create a filter with this search.
Now you can choose what happens to the emails that match your criteria. This is where you’ll use the label that you just created. From the Apply the label drop-down list, select your label. The check box should check itself off automatically.
There are also a few other options available, such as marking the mail as important, or making it immune to the spam filter. An option I like is Skip the Inbox (Archive it). With this checked, the filtered emails will only show up under the new label, and not under the inbox. I use this on my filters because it keeps my inbox that much cleaner, and since I recommend archiving emails that you intend to keep anyway, this option saves you a step when reading your mail. Check off the option to apply the filter to any matching emails that it has already found, then click the Create filter button, and you’re pretty much done. The inbox now looks like this:
The email that was filtered remains in an unread state, but no longer appears in the inbox. Instead, the new label is displayed in boldface and indicates the number of unread messages (1) to which it has been applied. If I hadn’t checked off Skip the Inbox, I’d see this:
The email is displayed in the inbox with its label visible, but the corresponding label in the list also indicates that there is an unread message. This can be a bit confusing, because at first glance it looks as though there are three new messages when, in fact, there are only two. That’s one reason I prefer to skip the inbox. You can also color code your label, or choose to have it hidden from view if it has no unread messages. To view these options, click the down arrow that appears when you place the cursor over the label. I encourage you to play around with the label settings to find the setup that looks and works best for you.
A few filters and labels can dramatically clean up your email workspace. That, combined with more liberal deletion of messages, can even leave you with an empty inbox, at which time you’ll see a little cheerful word from Google.
As I said earlier, there are many other options available to promote inbox cleanliness. To find out how to use things like stars, importance markers, inbox styles, nested labelling, etc., you can either check out Gmail Help, or just experiment with your settings.
If you missed part one (A Brief Overview of the New Gmail Interface), it can be found here.
Part one of a two-part focus on Gmail.
Google has quietly introduced an updated interface for their Gmail service. In their paradigmatic try-out-before-roll-out procedure, the new interface is currently available as an optional upgrade, but will become the standard for all Gmail accounts at some point in the near future.
An immediately noticeable aspect of the upgrade is conservation and improved management of screen real estate. Elements of the interface have been changed to either free up space on the screen or make better use of the space you’ve got—a sure benefit for those who aren’t yet surfing on 23-inch LCDs.
The toolbar above the inbox is now dynamic. For example, if you don’t have any mail selected, you won’t have the Delete option (among others). The end result is an interface that looks a lot cleaner and less cluttered.
In the same space-saving vein, there are three new options available that affect the structure of the Gmail screen as a whole. The options have been trendily named Comfortable, Cozy, and Compact. As you can probably guess from the names, they give users a choice as to how much spacing is provided between elements on the screen, almost like a predefined zoom value. Comfortable is the most spacious of the three, while Compact keeps everything small and tightly knit, leaving Cozy as the happy medium. The spacing, in turn, affects how many emails you can see at one time in your inbox. I prefer the Compact option, myself, because with a service like email, I like being able to see a lot of information at once without having to scroll. Switching between the three options is effortless, so it’s easy to decide which one works for you.
A feature that I was happy to finally have is the movable separator between the labels area and the chat module (which has been merged with the gadgets module). I never chat while logged into my Gmail account, so I always found it annoying that the chat module took up space that could have been devoted to my rather extensive list of labels. I was frequently clicking the “More” option to view the rest of my labels in a little pop-up menu. Blech. Now, there’s no problem. I can simply drag the chat module to where it belongs: neglected, in the bottom corner of the screen.
My one real gripe is Google’s removal of “create your own theme”. There are still plenty of premade themes to choose from, many of them sleek and attractive, but I’m the type of person who always likes to modify layouts and colors, especially for a service that I use often. I tweak layouts wherever I’ve got them, from my operating systems to my blog, and, until recently, my Gmail account. Although the choice of colors (or lack thereof) doesn’t really detract from Gmail’s usability, it was still a nice option to have. As I stated in a feedback response to Google, the inability to customize the theme isn’t a deal-breaker for me—I’ll still continue to use the service. But boy, does it bug me.
Overall, the interface has changed for the better. It’s more polished, and the usability has become further streamlined. Unless you’re intent on keeping your customized theme for as long as humanly possible, I recommend giving the new look a go. Just click the little floating label in the bottom right corner of your Gmail screen.
If you don’t like it, you can revert to the old one—at least until Google decides to make the change final. For more information and a full list of details regarding the changes to the interface, check out Google’s About page for the new look.
Coming up soon: part two of my focus on Gmail. I’ll be talking about simple ways to keep your email organized, and why a clean inbox is pleasant to use.
Posted in Blogging, Opinion, Technology, tagged aircrack, automattic, blogs, hotspots, http, https, internet, internet security, online security, packet sniffers, postaweek2011, security, sniffing, ssl, tls, twitter, wi-fi, wifi, wireless, wordpress, wordpress.com on August 8, 2011 @ 6:41 PM
Automattic needs to draw more attention to the secure login page on WordPress.com. It exists, so why not direct users to it? There are support pages on configuring your dashboard to run through HTTPS, which is fine, but as long as the login process remains unencrypted, some information is still left exposed.
If a user blogs through an unsecured Wi-Fi hotspot (as many travelling bloggers might do), all it takes is someone sniffing while the user logs in for his or her account to be potentially compromised.
Until Automattic provides a link to make the secure login page more obvious to users, you can navigate to https://wordpress.com/. And don’t forget to update your bookmarks.
On a related note, Twitter seems to be in the same boat. You can navigate to https://twitter.com/ to get their secure login.
Image: Asim18 via Wikimedia Commons under GFDL
Posted in Media, Technology, tagged blu-ray, cinema, corruption, downloading, downloads, dvd, film, film industry, gfk group, market research, movie industry, movies, mpaa, music, music industry, piracy, pirates, postaweek2011, report, riaa, television, tv on July 20, 2011 @ 9:11 PM
People have been saying it for a while. The film and music industries have not crumbled due to piracy. They continue to flourish.
An interesting article on Geek.com talks about a report that was created by research company GfK Group for an undisclosed client. The report was initially intended to further the negative view of media pirates but, in fact, showed that pirates are generally better customers than their straight-and-narrow cousins.
The gist (although I encourage any readers to check out the original article) is that movie pirates don’t just download. They spend a lot on DVDs, Blu-rays and cinema tickets. Likewise, music pirates spend money on music because they like music.
From the article:
The conclusion of the study is that movie pirates are generally more interested in film and therefore spend more money and invest more time in it. In other words, they make up some of the movie industry’s best customers.
This makes perfect sense to me. If a person downloads a certain form of media, it’s probably because they’re keen on it. I’d be lying if I said I haven’t downloaded a few movies and television shows, but I also consider my hard copy DVD collection to be quite large and my cinema attendances common.
Now, the question is . . . who commissioned the report? I think we all have a pretty good idea.
Also from the article:
The reason given for shelving [the report] was that the contents proved “unpleasant.”
Original article: Geek.com