
Posts Tagged ‘internet’

I know this is slightly old news, but I still wanted to talk briefly about it.  Near the beginning of March, GitHub users received this message via email.

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

. . .

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

. . .

Sincerely, The GitHub Team

The following is a rough sequence of events that led up to the official notification of the users.  All times are in PST.

March 1, 3:14 AM: Homakov opens Rails issue 5228 for the mass assignment vulnerability. [source]
March 2, 6:10 AM: Homakov tests the vulnerability by opening an issue “from the future”. [source] (screenshot: Homakov’s Future Issue)
March 2, 10:07 AM: Issue 5228 is closed. [source]
March 3, 3:19 PM: Issue 5228 is deemed not a Rails issue. [source] (screenshot: fxn’s comment)
March 4, 8:49 AM: Homakov fully demonstrates the vulnerability by committing to the Rails master branch. [source] (screenshot: Homakov’s commit)
March 4 (time not given): GitHub suspends Homakov’s account. [source]
March 4, 9:53 AM: GitHub fixes the vulnerability on their site. [source]
March 4, 12:31 PM: GitHub posts an entry on their blog informing the public of the exploit. [source]
March 4, 1:56 PM: Homakov describes the procedure for the exploit on his blog. [source]
March 4, 4:20 PM: GitHub posts another blog entry detailing Homakov’s reinstatement, as well as amendments to their security policy. [source]
March 4, 4:22 PM: Homakov’s account is reinstated. [source]
March 7, 10:22 AM: GitHub sends out an email informing all users that their public keys have been frozen and will be unusable until manually approved. [source: email]
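The mechanism behind the advisory above, as an added illustration that is not GitHub’s or Rails’ own code: a plain-Ruby stand-in for a model whose update method writes every submitted field (the mass assignment pattern), next to a whitelisted version in the spirit of the attr_accessible protection Rails offered at the time. The class, attribute and parameter names are constructed.

```ruby
# Added illustration of the Rails mass-assignment pattern behind the GitHub
# incident: a plain-Ruby stand-in for an ActiveRecord model, not GitHub's or
# Rails' own code. Attribute and parameter names are constructed.

# Minimal stand-in for a model row: an SSH key that belongs to a user.
class PublicKey
  attr_reader :attributes

  # Fields a form for "add an SSH key" should be allowed to set.
  PERMITTED = %w[title key].freeze

  def initialize(user_id)
    @attributes = { 'user_id' => user_id, 'title' => nil, 'key' => nil }
  end

  # Vulnerable pattern: every key in the request hash is written to the
  # record, so an extra form field can re-parent the key to another user.
  def update_attributes_unsafe(params)
    params.each { |name, value| @attributes[name.to_s] = value }
    self
  end

  # Hardened pattern (the idea behind attr_accessible): only whitelisted
  # fields are written; the names of anything else are returned for logging.
  def update_attributes_safe(params)
    rejected = params.keys.map(&:to_s) - PERMITTED
    params.each do |name, value|
      @attributes[name.to_s] = value if PERMITTED.include?(name.to_s)
    end
    rejected
  end
end

# Constructed request body: a normal SSH-key form plus an extra user_id
# field that the web UI never sends but any HTTP client can add.
TAMPERED_PARAMS = {
  'title'   => 'laptop',
  'key'     => 'ssh-rsa AAAA...constructed-sample-key...',
  'user_id' => 1 # another account's id in this toy example
}.freeze

# Owner recorded on the key after the unsafe update (starts as user 42).
def owner_after_unsafe_update
  PublicKey.new(42).update_attributes_unsafe(TAMPERED_PARAMS).attributes['user_id']
end

# Owner recorded after the safe update, plus the list of rejected fields.
def owner_after_safe_update
  record = PublicKey.new(42)
  rejected = record.update_attributes_safe(TAMPERED_PARAMS)
  [record.attributes['user_id'], rejected]
end
```

The rejected-field list is what an application would log or alert on; a request that carries fields the form never offers is worth noticing even when the whitelist drops them.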

This is a classic case of a hacker disclosing a vulnerability by exploiting it.  Opinions often vary as to whether or not this is an appropriate method of disclosure.  Both the intentions of the parties involved and the severity of the exploit come into question.  In this case, many argued that Homakov tried to report the issue but was brushed off, leaving him with no other way to call attention to the vulnerability.  Others argued that he was trying to inform the wrong people, or that he simply should have refrained from exploiting the security hole himself.  In any event, the damage (if it can be called damage) was extremely minimal considering what a malicious attack could have produced.

As stated in GitHub’s blog post, the final verdict was “no malicious intent”, and Homakov ultimately had his account restored.  After reading through loads of comments, the general attitude of GitHubbers seems to be one of praise rather than condemnation, but it’s certainly a debatable issue where ethics are concerned.

When, if ever, is it okay for hackers to act on a vulnerability in order to demonstrate flaws?


Part two of a two-part focus on Gmail.

It’s said that disorganization is a sign of genius.  I guess I’m not a genius—not when it comes to work spaces.  If it’s a place where information is stored, I generally keep it organized, whether it’s my desk, my hard drive, or my email inbox.  And thankfully, with a Gmail account, it’s ridiculously simple to keep order in what can otherwise be a chaotic stack of virtual correspondence.

The following is by no means the be-all, end-all method to organize your mail.  It’s just how I use some of the available tools to make my mail-checking quick and efficient.

Here’s a basic inbox setup.  A few messages—some read, some unread—from various senders.  For the sake of simplicity, I’ll be sticking to the Classic inbox style.

Screenshot: Inbox, before filtering

It’s not incredibly messy, but there’s enough here to demonstrate how I use filters, labels, and label settings as a sort of ad hoc filing system to split up and organize my mail.  I also eschew email hoarding, making sure instead to delete and archive.  Old mail that will serve no future purpose gets cleared out, and mail that needs to be kept goes into the archive, leaving behind a clean inbox—the goal.

The first thing to do is determine how specifically you want your mail sorted.  You may want some messages filtered at the domain level, such as twitter.com for all your Twitter notifications.  Alternatively, you might want something more specific, like davidwebb@pseudomail.com for only messages from your friend David Webb at the pseudomail.com domain.

Once you’ve chosen how you want your mail filtered, you can create a label that will be applied to all the messages that meet your chosen criteria.  In this example, I’m going to filter emails that come from Google, so I’ll create a label called Google.

Note: Remember that although labels are similar to folders, they don’t work exactly the same way.  In many other email services, a single message can only be in one folder at any given time, whereas in Gmail, a message can have multiple labels applied to it.  You can also think of Gmail’s Inbox as a permanent label, i.e., one that can’t be deleted, that gets applied to all your mail by default.

Click on the settings gear at the top right corner of the inbox and select the Settings option.

Screenshot: Settings

In the Settings screen, select Labels.  You’ll be presented with an overview of your current label configurations.  Click the Create new label button, and in the popup that appears, enter the name for your new label.

Screenshot: Label creation

There is an option that allows you to nest your labels, but again, for simplicity, we’ll leave that option alone for now.

Note: There are several other ways to create the exact same label.  You can even do it on the fly when creating a filter.  I’ve just done it through the basic Labels screen to show you where you can go to view and manage all your labels at once.

Once your label is created, you’ll see it in the list on the left side of the screen, under the Compose button.  Now you can set up your filter.  While still in the Settings screen, select Filters.  Click on Create a new filter.  The search bar will drop down to allow you to specify your criteria.  Since I want to filter mail from Google, I’ll put the domain google.com in the From field.  I could specify criteria for the other fields as well, but because I want to target all Google messages, I’ll leave those fields blank.  Click Create a filter with this search.

Note: If you’re unsure of the domain that you need to enter, open an existing email that you’d like to filter, find the sender’s address, and look at what’s after the @ symbol.  Occasionally, you’ll find emails coming from subdomains as well, such as mail.pseudomail.com, but for the purpose of filtering, subdomains can be used the same way as domains.

Now you can choose what happens to the emails that match your criteria.  This is where you’ll use the label that you just created.  From the Apply the label drop-down list, select your label.  The check box should check itself off automatically.

Screenshot: Filter creation

There are also a few other options available, such as marking the mail as important, or making it immune to the spam filter.  An option I like is Skip the Inbox (Archive it).  With this checked, the filtered emails will only show up under the new label, and not under the inbox.  I use this on my filters because it keeps my inbox that much cleaner, and since I recommend archiving emails that you intend to keep anyway, this option saves you a step when reading your mail.  Check off the option to apply the filter to any matching emails that it has already found, then click the Create filter button, and you’re pretty much done.  The inbox now looks like this:

Screenshot: Inbox, after one filter

The email that was filtered remains in an unread state, but no longer appears in the inbox.  Instead, the new label is displayed in boldface and indicates the number of unread messages (1) to which it has been applied.  If I hadn’t checked off Skip the Inbox, I’d see this:

Screenshot: Without skipping the inbox

The email is displayed in the inbox with its label visible, but the corresponding label in the list also indicates that there is an unread message.  This can be a bit confusing, because at first glance it looks as though there are three new messages when, in fact, there are only two.  That’s one reason I prefer to skip the inbox.  You can also color code your label, or choose to have it hidden from view if it has no unread messages. To view these options, click the down arrow that appears when you place the cursor over the label. I encourage you to play around with the label settings to find the setup that looks and works best for you.

A few filters and labels can dramatically clean up your email workspace.  That, combined with more liberal deletion of messages, can even leave you with an empty inbox, at which time you’ll see a little cheerful word from Google.

Screenshot: Empty inbox

As I said earlier, there are many other options available to promote inbox cleanliness.  To find out how to use things like stars, importance markers, inbox styles, nested labelling, etc., you can either check out Gmail Help, or just experiment with your settings.

If you missed part one (A Brief Overview of the New Gmail Interface), it can be found here.


Automattic needs to draw more attention to the secure login page on WordPress.com.  It exists, so why not direct users to it? There are support pages on configuring your dashboard to run through HTTPS, which is fine, but as long as the login process remains unencrypted, some information is still left exposed.

Image: ADSL router with Wi-Fi (802.11 b/g)

If a user blogs through an unsecured Wi-Fi hotspot (as many travelling bloggers might do), all it takes is someone sniffing the connection while the user logs in for his or her account to be potentially compromised.

Many popular online services offer links to their secure login pages right from their home pages.  Some email services, such as Gmail and Hotmail, have even defaulted to HTTPS.

Until Automattic provides a link to make the secure login page more obvious to users, you can navigate to https://wordpress.com/.  And don’t forget to update your bookmarks.

On a related note, Twitter seems to be in the same boat.  You can navigate to https://twitter.com/ to get their secure login.

Image: Asim18 via Wikimedia Commons under GFDL


Do you often find yourself searching on Wikipedia? Or eBay? Or Amazon? Isn’t it tedious to navigate to the site, click the search field, type in your term, and hit Enter every time? What if there was an oh-so-simple, one-step method you could use to get the job done with a few swift keystrokes?

If you use Mozilla Firefox, there’s a handy little feature built into the browser called a Keyword Search. If you already use it, I’m sure you’ll agree that it’s a time-saver. If you’ve never heard of it, I’ll explain what it is and how you can start speeding through your searches.

A Keyword Search allows you to take any website that has a search field, and use that search directly from your Firefox address bar by typing something like ebay digital camera, or some similar combination of keyword and search terms.

We’ll go through the following steps, using Amazon.com, to set up an example Keyword Search.

  1. Go to the website for which you want to create a Keyword Search. In this case, http://www.amazon.com/.
  2. Right-click inside the search field, and in the context menu that pops up, click “Add a Keyword for this Search…”.

    Screenshot: Firefox Keyword Search context menu

  3. You’re now presented with a New Bookmark dialogue. In the Keyword field, type a sequence of characters that you will use to access the website’s search feature and click Save. For Amazon, I’ll use ama, so that when I want to search for something on Amazon, I’ll simply have to type ama kindle or ama northanger abbey, etc. into my address bar.

    Screenshot: Firefox Keyword Search New Bookmark dialogue
And that’s really all there is to it! Now, when you want to search, all you have to do is type your keyword and search terms into the address bar, like so:

Screenshot: Firefox Keyword Search term in the address bar
The results appear just as if you had performed a normal search through the website.

Screenshot: Firefox Keyword Search results
You can use any keyword you like, but for the sake of speed, it’s a good idea to keep it short. You could use something like shop if you prefer a keyword that resembles an instruction (shop headphones). I usually like to use shortened versions of the site name so that I always remember which site the Keyword Search is linked to. You can always change your keyword later, too. It gets saved as a bookmark, so all you have to do is right-click it in your Bookmarks menu, go to Properties, and change the keyword. Once you start amassing lots of Keyword Searches, you might even want to store them in their own folder to keep them out of the way of your regular bookmarks.

Here are some Keyword Searches that I use.

def: Dictionary.com
syn: Thesaurus.com
wik: Wikipedia
yt: YouTube
imdb: Internet Movie Database
mb: MusicBrainz
map: Google Maps

You may occasionally run into a hiccup, but they’re rare. For example, Dictionary.com has trouble understanding Keyword Searches that contain spaces. This is because spaces are not allowed in URLs and are encoded as %20. Dictionary.com unfortunately doesn’t translate a %20 back into a space before performing the search, so if I were to type def ruling class into my address bar, I’d get a search for ruling%20class which, as you can imagine, doesn’t return the page I want. Luckily, two-word dictionary terms don’t seem to come up too often.

You might also notice that Google Maps doesn’t respond well to Keyword Searches at first, giving you a blank page with nothing but a text field. Thanks to a tip from GreySquare Blog, you can just go into the properties of your Google Maps Keyword Search, and remove the string &source=s_q&output=js from the URL, changing the entire URL from something like this:

http://maps.google.com/maps?f=q&source=s_q&output=js&hl=en&geocode=&abauth=3183ad6f%3AjAdGUOnAnWmBtnF-BPdW_nNNmkE&q=%s

to this:

http://maps.google.com/maps?f=q&hl=en&geocode=&abauth=3183ad6f%3AjAdGUOnAnWmBtnF-BPdW_nNNmkE&q=%s

Aside from those two minor anomalies, I’ve experienced relatively smooth sailing with Keyword Searches. They take only seconds to set up, and if you’re a frequent searcher, you’ll love the blazingly fast access to search results that they provide.
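How the address-bar expansion described above behaves, as an added example that is not Firefox’s own code: a plain-Ruby model that splits the typed line into keyword and terms, percent-encodes the terms (so a space becomes %20, the Dictionary.com hiccup), substitutes them for %s, and applies the Google Maps fix. The keyword table mirrors the post’s shortcuts, but the URL templates are assumed stand-ins for each site’s search form.

```ruby
# Added example, not Firefox's own code: a plain-Ruby model of how a keyword
# bookmark is expanded. Keyword names mirror the post; URL templates are
# assumed stand-ins for the real search forms.
KEYWORD_BOOKMARKS = {
  'ama' => 'http://www.amazon.com/s?k=%s',                                   # assumed
  'def' => 'http://dictionary.com/browse/%s',                                # assumed
  'map' => 'http://maps.google.com/maps?f=q&source=s_q&output=js&hl=en&q=%s' # assumed
}.freeze

# Percent-encode the search terms as the post describes: a space (and any
# other byte outside the unreserved set) becomes %XX, so "ruling class"
# turns into "ruling%20class".
def percent_encode(terms)
  terms.bytes.map { |b| b.chr =~ /[A-Za-z0-9_.~-]/ ? b.chr : format('%%%02X', b) }.join
end

# Split the address-bar input into keyword and terms, look the keyword up,
# and substitute the encoded terms for %s. Returns nil when there is no
# keyword match or no terms, which is when Firefox falls back to a normal search.
def expand_keyword_search(input, bookmarks = KEYWORD_BOOKMARKS)
  keyword, terms = input.strip.split(/\s+/, 2)
  template = bookmarks[keyword]
  return nil if template.nil? || terms.nil?
  template.sub('%s', percent_encode(terms))
end

# What the receiving site should do with the query (the step the post says
# Dictionary.com skips): decode %XX escapes back to the typed text.
def percent_decode(query)
  query.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# The Google Maps hiccup: drop the two query parameters the post identifies
# as breaking keyword searches and leave every other parameter intact.
def fix_google_maps_template(template)
  template.sub('&source=s_q&output=js', '')
end
```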

