Archive for February, 2014

I’m usually kinda lax on installing OS updates, but I just came across the iOS 7.0.6 announcement. It’s pretty scary:

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Apparently this allowed a certain category of attackers (“with a privileged network position,” so not just anybody) to see or modify data ostensibly protected by SSL. How could the session not be properly validated?

I don’t see many details online yet (look at the CVE site later) but now that a patch is available there will presumably be more discussion soon.

In the meantime, I’d be making with the updating…

Just found this: some mostly unnamed researchers have looked at the patch and determined OS X has the same problem. Ouch.

Apple security flaw could allow hackers to beat encryption

Update the Second: Well isn’t this interesting…

Apple’s SSL/TLS bug

The issue is a programming error, one that circumvented a necessary verification condition with an errant line of code. Every single programmer ever has made this error at some point, sometimes after an embarrassingly large number of years of professional work.

The hard part is making sure something or someone in your process catches it before it ships, because even the best programmers get tired and miss something. And that is a subject for an entirely different blog.
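A simplified illustration of the kind of error described above, added here and not taken from Apple's source or from the linked article: it assumes the errant line is a stray unconditional `goto`, which skips the signature check while the return value still reports success. The function names and the toy one-byte "signature" are constructed for the example.

```c
#include <stdio.h>

/* Constructed stand-ins for the real hashing and signature steps. */
static int hash_update(unsigned char *ctx, const char *data) {
    for (; *data; data++) *ctx = (unsigned char)(*ctx * 31 + *data);
    return 0;                              /* 0 means success */
}
static int check_signature(unsigned char ctx, unsigned char sig) {
    return ctx == sig ? 0 : -1;
}
/* Hypothetical helper: the value a genuine signer would produce. */
unsigned char toy_sig(const char *data) {
    unsigned char ctx = 0;
    hash_update(&ctx, data);
    return ctx;
}

/* One errant line: the second goto is not governed by the if, so
 * check_signature() is never reached and err is still 0 (success). */
int verify_buggy(const char *params, unsigned char sig) {
    int err;
    unsigned char ctx = 0;
    if ((err = hash_update(&ctx, params)) != 0)
        goto fail;
        goto fail;
    err = check_signature(ctx, sig);
fail:
    return err;
}

/* Hardened form: braces on every branch, and the result starts as
 * failure and only becomes success after the last check passes. */
int verify_fixed(const char *params, unsigned char sig) {
    int err = -1;
    unsigned char ctx = 0;
    if (hash_update(&ctx, params) != 0) { goto done; }
    if (check_signature(ctx, sig) != 0) { goto done; }
    err = 0;
done:
    return err;
}

int main(void) {
    const char *p = "server-params";       /* constructed sample input */
    unsigned char forged = (unsigned char)(toy_sig(p) ^ 0xFF);
    printf("buggy, forged signature: %d\n", verify_buggy(p, forged));
    printf("fixed, forged signature: %d\n", verify_fixed(p, forged));
    printf("fixed, valid signature:  %d\n", verify_fixed(p, toy_sig(p)));
    return 0;
}
```

Compilers can flag this pattern: recent GCC versions warn about the misleadingly indented second `goto` under `-Wall`, which is one example of the "something in your process" that can catch it before it ships.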

Ars Technica’s Lee Hutchinson has only posted the first installment, but this looks to be a seriously good piece on self-hosting email:

How to run your own e-mail server with your own domain, part 1

He starts off with a good dose of reality: it’s a lot of work, and when you screw it up you can make your online life really miserable really quick.

If you want to run a Linux mail server, either on your own physical server or a virtual hosted one, start reading. I’m collecting parts for my new server and I expect this to be useful even if I’m running OS X.

If you have never considered running a mail server, I’m not going to try to talk you into it. Maintaining your own for a few users is smaller in resources than a corporate server, but only somewhat smaller in complexity. You might, however, want to read how it works just to understand how email can be so broken.

I’m not typically a joiner on the whole change-your-userpic/post-this-banner thing, but I wanted to mention the upcoming day of online protest against surveillance. To participate, you can find info on The Day We Fight Back website.

I’ll be honest, when I first heard of it, it sounded like a movie promo. Didn’t Independence Day have a tagline like that? Anyway…

Just changing your Facebook picture isn’t going to accomplish a whole lot, but a few things I’ve seen encouraged are much more practical:

First, and most important:

Write your Senators and Representative and tell them (politely) what you think about the NSA getting all up in everyone’s business. (They are doing it to everyone, including your Senators and Representative. You could mention that.)

If you are a US citizen, this is the single most useful thing you can do (presuming you don’t also have a boatload of money to follow it up with.) If you are in California, we have the special pleasure of being represented by Senator Feinstein, the chair of the Senate intelligence committee. And, no, I haven’t exactly been agreeing with her statements on this topic.

A comment on sending emails to politicians is in order, however: use an email address you don’t mind being forever subscribed to their mailing lists. Because you will.

Second, use HTTPS wherever possible (and if you run a website, get a cert and enable it for your users.) Most people don’t use encryption, and some law enforcement agencies have straight up said they consider encrypted communications to be suspicious on that basis alone. The more we do it routinely, not only the less unusual it is but also the harder it will be to lump everyone in as a terrorist-by-association.

Getting certs for my domains has been on the to-do list for a while, although I admit I haven’t done a whole lot about it. Paying for yet another thing is kinda annoying, so I haven’t gone that route. I tried to get a free one, but ran into problems because I don’t use the “correct” email as my domain contact. (You wouldn’t either, if you had a choice: spam galore.) One of these days I’ll figure that out.

Putting a banner on your site or posting to your own social media accounts is only valuable if it has the chance of encouraging someone else to do one of the above. Write your own tweet, blog post, interpretive dance, whatever, if that is your thing. Awareness is important, nothing starts without it. But action is what changes things. And technologists have for too long ignored how politics works.

I wanted to comment on this, because it’s kinda scary: someone’s personal domain was hijacked to get at his Twitter account. Ars has a discussion about what happened, and the user himself did basically everything right. It was the employees of various companies (mainly his domain registrar) that facilitated the attack.

Picking up the pieces after the @N Twitter account theft

I use a personal domain for some of my email, so that hit close to home. My registrar allows me to “lock” my domain settings, basically meaning nobody can change anything until I log in and unlock it. Would that have stopped something like this? I hope so. But even the best measures are not always successful at thwarting a determined attacker.

Now I’m going to get on an airplane. Have fun contemplating the implications.