Where do those “Recommended Friends” come from?

Have you ever logged onto Facebook to find “Recommended Friends” that you didn’t expect to see? Maybe someone you briefly met on Tinder, or a co-worker you hate? I think many people are unaware that, by default, the Facebook app on mobile devices automatically imports your contact list, continuously (this includes, so far as I can tell, every piece of information about them that you have stored).

I started noticing this a long time ago, but I sense that there are many who just assume Facebook is omniscient and don’t give it another thought. There are many reasons you may not want to give up this power, and so far as I can tell, the only way to stop importing this information is to delete the Facebook app from your phone. If anyone is aware of a specific privacy setting one can use to disable this behavior, leave a comment on this post!

If you’ve already unwittingly imported your contacts (you can see them here) and want to remove them, click here.

A tale of lost entropy

Recently, while looking at a JavaScript function intended to generate a cryptographically secure random IV for use with AES-GCM, I noticed something interesting which I immediately suspected was not unique to this project. Sure enough, Matt, my awesome colleague, sent me a link to a how-to article describing the process of generating random values in Node.js that included the exact same quirk.

Here is their example (with minor edits so as not to call out the author of that how-to post too explicitly):

Do you notice anything fishy?


You wouldn’t have a maximum account balance, would you?

I recently paid for something online using what I considered a secure online payments processor, and they asked that I provide a password to create an account to complete the transaction. You will understand in a second (if you don’t already) why I was so angry when, a few seconds later, I got this:

[Image: “NOOOOOOOOO” reaction meme, via random-ness.wikia.com]

I couldn’t believe it. Please enter a shorter password.


Code red, the ship is on fire

Checking out Hacker News for a refreshing end to my work day, I was instead greeted with the worst of all tech-related bad news: Heartbleed, a vulnerability in popular versions of OpenSSL that gives attackers anonymous access (read: there is no way to figure out how widely it has been exploited up to this point) to 64kb of memory of an affected client or server.

How bad is it? Tor had this to offer in its blog post on the subject:

If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.

Let’s play a doomsday scenario out a little bit:

  1. Attacker compromises the private key to Ubuntu’s (or any other distro’s) package repository
  2. Attacker generates their own certificate and phishes someone with write access
  3. Attacker pushes out legitimate-looking vulnerable versions of all your favorite packages, signed with the proper private key
  4. Attacker can effectively attack any machine that installs that vulnerable package

Let’s try another:

  1. Attacker gets private key for the instant messaging account for a security guy at Google, or their IRC server (thankfully, a Google employee was the one who found it, so at least they were probably first to patch against it)
  2. Attacker listens to all their communications to wait for an opportunity
  3. Attacker initiates a phishing attack using real-sounding information, impersonating an employee
  4. Attacker gets access to Google’s hosted JavaScript libraries, inserts a small keylogger
  5. Every user on every website using Google to include jQuery or other popular libraries gets keylogged

Both of these scenarios require a phishing attack to happen at some point, but even that wouldn’t be necessary. The possibilities are endless. And unlike a normal bug, it isn’t over once you patch: normal bugs are fixed with a software update, and then they’re no longer an issue. Not so with this one. Every key, every password, everything has to be assumed to have been compromised, and replaced. As you can probably imagine, that will take time.

Why am I posting this? It might seem I’m just predicting doom and giving no solutions. My hope is that you will help me in convincing all the parties affected by this to:

  1. Upgrade their vulnerable versions of OpenSSL
  2. Change all private keys that might’ve been compromised
  3. Generate new SSL certificates where necessary

This isn’t an easy prospect, and many will be slow to do everything necessary to protect against this vulnerability unless they have motivation to do so. Every day they wait, they potentially put millions of people’s sensitive data at risk.

Take it to Twitter using the #OpenSSLBug hashtag! Time is of the essence, and broad awareness is crucial.

You might want to stay off the Internet for a few days, assuming you’re not one of the unlucky few who have to go and clean this mess up.

Updates

Here is a tool to find out whether your favorite sites support the vulnerable heartbeat feature, and thus probably need to do damage control. To name a few that do: Google, Twitter, and Instagram. Others may have simply disabled the feature temporarily, which unfortunately isn’t a complete fix.

Want to find more sites that need to be patched? Google the following, and you’ll begin to see just how deep the rabbit hole goes.

[REMOVED]

OpenSSL is trending on Twitter right now. It looks like people are starting to take notice.

For anyone running a website of their own, here’s a thread on ServerFault describing how to check your OpenSSL version and how to find any processes still running against the old library once you’ve updated. If you’re running Ubuntu, they still haven’t released the new version, so head over to the OpenSSL site to grab it and compile from source. Once you’ve upgraded, restart every service that shows up when you run

lsof -n | grep ssl | grep DEL

When you’re ready to generate new keys and get new certificates:

Can’t remember all the keys you might need to rotate? Take these for a spin:

sudo find / -name "*.key" -type f
sudo find / -name "*.pem" -type f

This might also be a good time to tweak your webserver to use only secure SSL ciphers.
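The two checks above (find the services still holding the old, now-deleted library so they get restarted, then find every key file you might need to rotate) can be scripted. The block below is an added example and not code from the original post or the ServerFault thread; the `lsof` lines it parses are constructed to mimic `lsof -n` output rather than captured from a real host, and the function names `services_using_deleted_ssl` and `world_readable_keys` are chosen here. It goes slightly beyond the post’s one-liners: it also catches `libcrypto`, deduplicates service names, and flags key files that are readable by everyone, which is worth fixing while you are rotating them anyway.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the post-upgrade checks:
#   services_using_deleted_ssl - commands that still map a deleted libssl/libcrypto
#                                (the library was replaced on disk; they need a restart)
#   world_readable_keys        - *.key / *.pem files under a directory that anyone can read
# SAMPLE_LSOF is constructed to look like `lsof -n` output; it is not real data.

SAMPLE_LSOF='COMMAND    PID     USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
nginx     1234     root DEL   REG    8,1            1234567 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx     1235 www-data DEL   REG    8,1            1234567 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd      2201     root DEL   REG    8,1            1234568 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
postgres  3300 postgres mem   REG    8,1   431136   1234590 /usr/lib/libssl.so.1.0.0
bash      4000     user txt   REG    8,1  1029624   1234600 /bin/bash'

# Reads lsof output on stdin and prints each distinct command name that has a
# deleted (FD column == DEL) libssl or libcrypto mapped, one per line, sorted.
# This is the post's `lsof -n | grep ssl | grep DEL`, widened to libcrypto and
# deduplicated so multi-process services such as nginx show up once.
services_using_deleted_ssl() {
    grep -E 'libssl|libcrypto' | awk '$4 == "DEL" { print $1 }' | sort -u
}

# Lists *.key / *.pem files under $1 whose mode includes the other-read bit
# (-perm -004). Private keys should normally be 0600 or 0640.
world_readable_keys() {
    find "$1" -type f \( -name '*.key' -o -name '*.pem' \) -perm -004
}

# Stand-alone demo: parse the constructed sample, then scan a throwaway
# directory containing one world-readable and one properly protected key.
main() {
    echo "Services still using the deleted library (restart these):"
    printf '%s\n' "$SAMPLE_LSOF" | services_using_deleted_ssl
    tmp=$(mktemp -d)
    touch "$tmp/server.key" "$tmp/ca.pem" "$tmp/notes.txt"
    chmod 644 "$tmp/server.key"
    chmod 600 "$tmp/ca.pem"
    echo "World-readable key material under $tmp:"
    world_readable_keys "$tmp"
    rm -rf "$tmp"
}

main "$@"
```

On a real host, replace the sample with `lsof -n | services_using_deleted_ssl` and point `world_readable_keys` at `/`; both need root to see every process and file, just like the commands in the post.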

So I want to learn web development. Now what?

You might want to grab a cup of coffee

My last article about the importance of getting started on your programming education is my most-read article on Medium so far. Like anything in my life, my writing is an experiment. When I see as many people getting excited about programming as I have because of this, it excites me too, and tells me I’ve hit a nerve.

I think there’s a little more to the story that I didn’t fully flesh out. So here, I want to set you on the path to writing your first line of code as quickly as possible. I don’t want to delude you: there is no getting over the fact that programming is an iterative process. I love this article, which describes the process of programming through the allegory of cooking. The author describes the frustration of “just getting started” when there isn’t a clear picture of what “getting started” means. I can’t just yell at you to “GO FORTH AND CODE” without at least helping you understand what you need in order to do that.
