Posts tagged with "security"


Protect yourself against MD5 certificates

SSL Blacklist showing that Gmail doesn't use the vulnerable MD5 algorithm, and that its certificate issuer isn't on their black list.

I'm typing this post this evening on my beautiful 2002-vintage iBook with Mac OS X Tiger. Still going strong, definitely the most reliable and dependable system I've ever owned.

To be serious now though: it's official folks, there is now awareness of weaknesses of the MD5 algorithm used to sign secure certificates online. Sites that use the more secure SHA1 algorithm are safer, and RapidSSL is now offering it in place of MD5. Still, some are still using MD5, meaning if you connect to them you're not really using a secured connection.

From CodeFromThe70s.org:

An attack has been demonstrated yesterday that highlights the practicality of the well-publicized weaknesses of the MD5 algorithm. Essentially, any certificate signed with the MD5 algorithm may be counterfeit.

There is [...] a large number of CAs out there, and it is certain that some of them will continue to use MD5 for one reason or another.

Therefore it may be prudent to avoid, or, at the very least, not place much trust in websites that authenticate themselves with the help of MD5. After all, there is no way to automatically distinguish between a chain with a genuine MD5-based certificate signature and a chain with a counterfeit certificate.

A solution to this is a Mozilla Firefox plugin called SSL Blacklist which places a small certificate notice in the bottom right hand side of your browser that indicates whether a page is secured with SHA1 or not secure with MD5. This allows you to make informed decisions when using secured sites, and to let existing web hosts know that they should upgrade.

Even before this vulnerability was demonstrated this plugin was a useful addition to the security conscious internet user's toolkit, but this latest release makes it indispensable. If you don't have it in other words, grab it now! This is an order!

UPDATE: Steve Gibson also goes into great detail about the exploit and the plugin to protect yourself in Security Now 177.


A refreshed Windows disgust rant!

Screenshot of Found New Hardware Wizard
You're asking me for drivers for "Unknown?" Yeah, thanks!

Given I've spent the better part of the last few months defending how I was able to tolerate Windows in the past, you could be forgiven for thinking I was growing soft for the OS again. I admit I was feeling slightly nostalgic too. I remember Solitaire, I remember Reversi then Minesweeper, I remember pointless utilities such as WINVER.EXE and how Microsoft Word was called WINWORD.EXE to differentiate it from Word for DOS.

Well over the last few days I've been working to reinstall Windows XP Tablet Edition on my dad's Fujitsu Lifebook after it contracted a series of persistent spyware infections. Let's just say it completely refreshed my disgust for the platform!

Windows is an unabashed disaster. It really does have an inexcusably horrible and counter intuitive interface. While I put up with it back in the early years, it took me moving to FreeBSD and the Mac to really realise it. I mean, it is BAD.

First of all, Windows is so maddingly (is that a word?) verbose. I don't care that you can see a wireless network, I'll tell you when I want you to connect to one! I don't care that you've 74% downloaded an update, just tell me when it's done! Don't tell me I don't have antivirus software installed after I just installed Windows fresh and therefore wouldn't have even had an opportunity to do so! I don't care what the serial number for my battery is, just tell me the percentage of power remaining! Don't patronise me by instructing me to click the Finish button when I'm done a pointless three screen wizard that could have been condensed into a succinct one window screen. I know you've found nine new hardware devices given I just installed Windows, so don't automatically shove nine consecutive Add New Hardware Wizard windows that when I close one another appears! Don't perform a Windows Update, then tell me to restart, then perform another Windows Update, then tell me to restart, then perform another Windows Update!

Screenshot of Windows Security Centre
There is an anti-virus installed, it's called ClamWin you jackarse! It's free and open source, why would you refuse to... oh wait.

Then there are the downright, head-banging-on-a-table stupid ideas. Product Activation? Someone really thought that would make a difference while proposing it in a board room somewhere... and the others agreed with them?! They really thought repeatedly asking questions for the most mundane of tasks would somehow improve security? They really thought that unzipping a ZIP file needed a wizard? They really thought Aero Glass in Vista with all its ugly translucency and the ugly blue and green XP interface were great?

I think if someone can survive the first 20 minutes of a fresh Windows install, they're prepared for anything. What a nerve-wracking experience. And to think less than 10 years ago I used to think this was normal!

Unfortunately my fabulous father doesn't have a choice and has to use Windows for his work. He's been having fun with my 800MHz iBook G3 with Mac OS X Tiger though, he said it's so simple and easy to understand... and there are no irritating stupid popup windows or balloons! He's said the same thing with my Armada M300 FreeBSD laptop with the beautifully crafted, lightweight and simple Xfce Desktop which you can take a tour of here.

ASIDE: Fortunately once you've pulled the reins and brought the Windows Beast under control it is possible to make it a more palatable machine to use. The trick is to launch Internet Explorer to download Firefox, Opera or another browser of your choice, then going to Add/Remove Programs and removing everything. From there you can download from Firefox or Opera everything you need.

I think Windows users tend to label other things as difficult because it's just unlike how Windows does things, not necessarily because of any difference in technicality. The next person who tells me that Windows applications and hardware are easier to install than on Mac OS X or even FreeBSD will get a roaring, hearty laugh!

Whew, I needed that :). Now if you'd excuse me, I need to restart that blasted laptop. The network driver installation wizard has been sitting on the same screen with the same 98% complete indicator for the last 45 minutes. It needs a fist through it, that'd make it work. Unbelievable.

Screenshot of Found New Hardware Wizard

Okay it just finished. What, Hardware Add Failed? You can't find the driver you say? I just gave you the exact location where the darned drivers are you stupid, stupid, stupid operating system! Look again!

Why can't you just add a single line to your /boot/loader.conf or /etc/rc.conf file? Because it would be too hard? Yeah, that's right... a darn wizard that fails more than it works is much more user friendly!!!

That does it, it's 2am now and I'm walking down to the 24 hour prata shop for a bite to eat and for some teh tarik. That'll cool my nerves.


Servage hacking, Rubenerd blocking update

Perl Perl Perl
I can't say I ever thought I'd be using Perl as a last resort emergency security tool. Sheesh Servage, get your act together.

My first few days back in Singapore have been eventful to say the least. I could have said they were uneventful, but that would have been inaccurate and would also have contradicted what I just wrote. And the last thing I want to do here is look ridiculous. Well, any more ridiculous than I look now walking down from my apartment building to Orchard Road while I type this post on my iPhone.

ASIDE: I used to mock people who spent more time looking at their phones than paying attention to where they were walking; now with this ridiculously useful iPhone I'm guilty of the exact same behaviour. Walking into light poles seems to be my divine punishment for this hypocrisy.

Yes back to eventfulness, since coming back here last Saturday morning, I've had my first major problems with online hacking of my sites, to a degree I never thought possible. So far RubenerdShow.com and the associated subdirectories such as this blog have been the victim of 12 code injection attacks as a result of poor security standards on my webhost. I dislike it when people shift the blame onto others, but all my permissions are set perfectly and the attacks are coming from within my host's IP range, so it's a matter of lax internal security due to what I suspect is poorly enforced group permissions.

As Bruce Schneier said in his Secrets and Lies tome which I admit I've read more than three times, internal threats are often more dangerous than external ones, though they often get placed second in priority. I am a huge fan of Bruce Schneier, I even wrote about the Bruce Schneier Facts website back in 2006. Very fun distraction when all this nasty stuff is going on!

For Servage this isn't new; a quick Google search for Servage Hack returns thousands of results. Even Flickr has a couple of screenshots by people showing their sites and even the Servage host site itself being hacked.

Perhaps as a result of this or because Servage has also been caught hosting hundreds of spam and credit card fraud sites, the StarHub ISP here in Singapore has seemed to start blocking all Servage hosted material. As I sit here at Starbucks now in Tanglin Mall it seems SingTel haven't filtered it, but given Singaporean ISPs' general low tolerance when it comes to abuse of their systems I worry they may be next.

ASIDE: For those interested in the attacks themselves, it seems shady Servage users have been inserting JavaScript into the first line of my index.php files and modifying my .htaccess files to redirect to other sites. This despite all my permissions being set to allow myself to read and write, but others in the group to only read. I don't know what else I can do to block these changes.

I've written a trivial Perl script to check the modification dates of every file on the server, and if it doesn't match a list of predetermined values it deletes the hacked/modified file and restores it, then logs the change. This seems to have stopped all the attacks but it really is a clumsy measure. Servage need to get their act together, because it's not just me this is affecting.
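An added sketch of the check-and-restore approach described above, written in Python; it is not the post's Perl script, which does not appear on the page. It goes beyond the post by comparing SHA-256 content digests instead of modification dates (an mtime can be reset after a change) and by moving tampered files into a quarantine directory rather than deleting them. All function names, paths and sample file contents are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents; unlike a modification date this cannot be reset."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root: Path) -> list[str]:
    """Relative paths of every file under root, dotfiles such as .htaccess included."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def build_manifest(golden: Path) -> dict[str, str]:
    """Expected digest per file, taken from a known-good copy kept off the web root."""
    return {rel: sha256_of(golden / rel) for rel in list_files(golden)}


def quarantine_file(path: Path, rel: str, quarantine: Path) -> None:
    """Move a suspect file aside as evidence instead of deleting it."""
    quarantine.mkdir(parents=True, exist_ok=True)
    shutil.move(str(path), str(quarantine / rel.replace(os.sep, "_")))


def check_and_restore(live: Path, golden: Path, manifest: dict[str, str],
                      quarantine: Path) -> list[tuple[str, str]]:
    """Repair the live tree and return (status, relative path) events to log."""
    events = []
    for rel, expected in sorted(manifest.items()):
        target = live / rel
        if not target.is_file():
            status = "missing"
        elif sha256_of(target) != expected:
            status = "modified"
            quarantine_file(target, rel, quarantine)
        else:
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(golden / rel, target)  # restore the known-good version
        events.append((status, rel))
    for rel in list_files(live):
        if rel not in manifest:  # a file that was never deployed
            quarantine_file(live / rel, rel, quarantine)
            events.append(("unexpected", rel))
    return events


def demo() -> dict:
    """Constructed scenario: a two-file site is tampered with, then repaired."""
    base = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    golden, live, quarantine = base / "golden", base / "live", base / "quarantine"
    golden.mkdir()
    (golden / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (golden / ".htaccess").write_text("Options -Indexes\n")
    manifest = build_manifest(golden)
    shutil.copytree(golden, live)

    # Constructed tampering of the kind the post describes.
    page = (live / "index.php").read_text()
    (live / "index.php").write_text("<script>/* injected line */</script>\n" + page)
    (live / ".htaccess").write_text("Redirect / http://redirect.invalid/\n")
    (live / "dropped.php").write_text("<?php /* not part of the site */ ?>\n")

    events = check_and_restore(live, golden, manifest, quarantine)
    second_pass = check_and_restore(live, golden, manifest, quarantine)
    result = {"events": events, "second_pass": second_pass,
              "index": (live / "index.php").read_text(),
              "quarantined": sorted(os.listdir(quarantine))}
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for status, rel in demo()["events"]:
        print(f"{status}: {rel}")
```

The manifest and the known-good copy only help if they live somewhere the party making the changes cannot write to, so keep them off the shared host and run the check from there or from a location with stricter permissions.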

Suffice to say, I am already in the process of moving over all my material to Segment Publishing hosting and Ourmedia instead of using Servage as well. I had kept Segpub for use only for my university blog, but they've proven themselves for their stellar reliability and great service. They do cost more than Servage, but as I've learned from this experience cost shouldn't be the primary consideration. As a student I do have a stretched budget, but if I have to pay a few dollars extra a month for peace of mind, a server running FreeBSD and my own dedicated IP address that I don't have to share with hundreds of other sites -- some of which engage in criminal activities -- I think it's worth it.

Bruce Schneier!
Segpub Christmas cheer!

What frustrates me is that it's my own home ISP StarHub that has blocked Servage, which means I have to use a proxy to access my own site. I'll be doing some serious cleaning up of my MySQL tables and I'll be exporting them hopefully today or tomorrow.

Interestingly enough, this blog and all the images used within are quite small. Exporting gigabytes worth of Rubenerd Shows recorded since 2005 and re-uploading them to Ourmedia will be a painfully slow process, but I think it will pay for itself pretty quickly.

Will be keeping you up to date, and thank you everyone for your patience. Because of the difficulty I'm having right now accessing this site, if you want to leave comments you may want to just email me instead.

What a great thing to be dealing with over my preciously short Christmas holiday break. Though I guess had this happened during an exam period it would have been much more disastrous to deal with. Bummer though.


RubenerdShow.com and Servage have just been blocked

This is a shorter message because I don't have much time here. It seems the reason why I haven't been able to access my blog and Servage.net over the last few days here at home hasn't been because my site is offline or down, but it seems that my webhost (and all the sites they host) is being blocked for some Singapore Starhub internet customers.

I am accessing my site now through a proxy. Google Reader seems unaffected.

This is extremely serious. I have long suspected Servage has been hosting some less than reputable sites, and with the latest code injection attacks which have been happening on my blog since Sunday on my site and on dozens of other Servage customers' sites, I suspect Starhub have taken action against them.

I will be moving all my Rubenerd Shows which collectively account for around 92% of my bandwidth onto Ourmedia, and I'll be moving my remaining sites over to Segpub (FreeBSD webhost in Australia with dedicated IP addresses, SFTP and SSH) once and for all. Perhaps this is the final wakeup call I needed to get my arse into gear and make the transition!

Servage were ultra affordable back when I thought the internet was a nice toy, but their lack of adequate checks on what they host and these security lapses have made me lose what little shred of confidence I had in them. I don't approve of Starhub's move to block all sites hosted by them, but I can at least see their reasoning, and can somewhat understand.

Stay tuned for further developments. This will no doubt be taking me this next week to do. What are you doing for your holidays?


Stop blaming Microsoft for cybersecurity woes?

Often by reading just the headings for blog posts themselves I'm amply alerted to current issues and news stories from the likes of the Australian ABC, Channel News Asia and CNET which just choose to syndicate small samples of their posts rather than the whole post. When I read that "Australian Minister for Communications is a dolt" or "Clinton chosen for Secretary of State" everything else is really just filler.

Today though while reading the headings from various news sources, I was instructed by Jon Oltsik from the Enterprise Strategy Group in my CNET news feed to "Stop blaming Microsoft for cybersecurity woes."

"Painful" would be the word I would use to describe his story, which is a shame because he starts out great with his first two paragraphs. He instructs those who are thinking of cutting back on security during these difficult economic times to read the latest CSIS report and realise that as we build more infrastructure around the internet we're introducing more vulnerabilities which are ripe for attacks. He echoes his tagline "information security is far worse than you think." I completely agree, security is too critical an area to cut back on even during tougher times.

Unfortunately, I think he starts to slip in paragraph three:

[...] I humbly submit an additional requirement to the security community: it is time to stop blaming Microsoft for the sorry state of cybersecurity. Now, I realize that this is a rather controversial request, but I think the time has come.

It certainly is a controversial request sir! Conveniently for me he's broken up his argument into three easy bullet points, which I will address in order. Why does he think we should ease off of Microsoft?

Security through obscurity
A basic Security 101 mistake

1. It's a numbers game. Microsoft's success makes it a target--no other platform has nearly as many systems connected to the Internet. The fact is that if Linux, Macs, or UNIX systems dominated the Internet, they'd be under pervasive attack, too. Would we be better or worse off? Who knows?

This argument is so old and has been so thoroughly debunked so many times, it was cringeworthy reading it here. While it is true there are more Windows clients, "UNIX" machines do in fact dominate the internet: more pages are served under open source projects such as Apache from Unix-like systems than Windows servers with IIS, and yet these Unix-like servers suffer far fewer vulnerabilities, and the ones they do suffer from are generally far less destructive when taken advantage of. So much for the market share argument.

If we play along though and assume for the sake of his argument that market share is responsible for Windows being more vulnerable, doesn't that then translate into a greater responsibility for Microsoft which they've failed time and time again to deliver on? Why were they so lax about this for so many years when they knew they were a primary target?

Windows is a flawed system regardless of their market share.

Reductio ad Absurdum argument

2. It's unproductive. I really don't understand what anyone hopes to accomplish by blaming Microsoft. Should governments single out Microsoft for some type of special security threshold? Should Windows systems be kicked off the Internet? There is plenty of blame to go around beyond Microsoft, so singling it out accomplishes nothing.

I suspected what this point was but couldn't remember the phrase, fortunately Penguinisto mentioned it in the feedback section. Reduction to the absurd attacks are dangerously close to strawmanning and don't achieve anything.

Microsoft does deserve to be singled out because desktops and servers running their software are responsible for the single largest source of security problems online, in a higher percentage than their market share would explain away. This isn't a case of being unproductive, it's the exact opposite. Microsoft needs to be held accountable given their previous performance, just as every other major player in every other industry needs to be.

Nobody is suggesting we unplug every Windows machine online by building giant radioactive zombies to trawl through every household. See how ridiculous arguments get us nowhere?

"Security isn't claimed, it's proved"
-- Bruce Schneier

3. Microsoft is actively addressing past security shortcomings. Think what you will about the security of Microsoft products, but few other companies have done more to improve their software security development, employee training, and testing processes than Microsoft. Microsoft is also taking its Secure Development Lifecycle to others through its SDL Pro Network partners like Security Innovation. In fact, Redmond even contributed to the CSIS report, Microsoft Corporate Vice President of Trustworthy Computing Scott Charney is one of the CSIS co-chairs.

To use a colourful phrase from my grandfather, even if it took Microsoft this long to get their arses into gear, it is clear Microsoft is actively addressing security problems. Despite this though and your laundry list of examples, what they still lack is results.

I've been saving this topic for another post, but in brief what Microsoft really needs to do is admit to everyone that the Windows codebase has become unmanageable with disastrous results, and start fresh. Projects like ReactOS have shown it is possible to create a compatible system that's clean and lightweight, and Apple has proven you can emulate existing systems inside new ones while people migrate.

Instead of developing all the cruft, features nobody wants or uses and tacky eye candy, Microsoft needs to be addressing the problems of the NT architecture itself. I have every confidence that Microsoft is capable of this; what they lack is direction. In the meantime they can continue to be claiming progress, and people wise to them will continue to point out otherwise.

As for the order posed in the title by Mr Oltsik, we have sufficient needs and sufficient evidence to continue to blame Microsoft for their responsibility and failings in our current cybersecurity woes. What won't get us anywhere sir is putting our hands over our ears and pretending they shouldn't be.


The Adobe Flash of the comments world

Disqus is an external blog commenting system that seems to be all the rage these days, so much so that even veteran blogger Dave Winer has just started using it on Scripting News. While the concept seems like a great idea, the implementation leaves a lot to be desired.

Firstly, instead of relying on accessible web forms for users to submit their comments, Disqus uses a JavaScript hook which dynamically loads comments onto the page. I can't begin to describe what a bad idea this is, so perhaps some bullet points will help me out!

It makes pages slower
Because you're making two database calls, one to your own blogging system and another to the external Disqus servers, the resulting page takes far longer to load than what a regular commenting form would. It's so bad on some blogs I read that I've simply given up posting comments on them.

It makes pages far less secure
The idea of running JavaScript from a third party on my own site scares the heck out of me, but in this case we're not talking about a potential attack vector to display photos from a Flickr page or something similar, we're talking about critical parts of your blog's infrastructure being loaded by an external server each time a page is loaded. XSS exploits are exploding, and any exploit discovered for Disqus, with its larger surface area, will affect your site. It also means security conscious people like me who use NoScript can't leave comments.

It makes pages less accessible
For people who use audible or visual aids to access content, this approach to comments is just as bad as Flash. It also means certain browsers won't be able to render the comment field at all, such as lower powered computers and mobile phones which increasingly have web browsing capabilities. Disqus provides a link to their website for such people, but it's a lousy compromise when other comment systems can work inline while adhering to web standards and accessibility.

It's a legal pickle
To quote Webby's World in their article on 8 reasons you shouldn't use Disqus: "surely it can’t be good to subject users to another privacy policy with servers in another jurisdiction. Who would be liable for any breaches in data protection?"

Comments are no longer associated with the page
This makes local and search engine per-site querying impossible because the comments are disconnected from the content they were regarding.

Comments are no longer in your database
For some people that may be fine, but I prefer having such critical parts of my blog running locally. If in the future a plugin comes along that can do something really fun or interesting with comments left by people, you're also completely out of luck.

It locks your comments into a silo
The Disqus team seem like honest people, but their service is closed and proprietary, and as of now there's no way to reliably and easily export comments out of it, then import them back into your blog if you change your mind. If they start charging for their services or start embedding ads in the future, you're completely at their mercy.

It makes pages less predictable
Because it uses JavaScript to fetch data after the page has already appeared to finish loading, you may already have started scrolling to a part on the page before everything changes. This is really, REALLY irritating!

Ultimately, it's unnecessary
Twitter integration, threaded comments, better spam blocking, they're all available with existing plugins that don't have any of these problems. In fact Dave Winer needs to use Disqus exactly because his Radio software doesn't include commenting systems or plugins to do these things.

This is why, dear readers, for your benefit and mine (our collective sanity as it were!) I will not be putting Disqus on my own blog here. I suspect it's a fad anyway, and will start disappearing in a few years when the Next Big Thing comes along. Disqus is to comments what Adobe Flash is to web pages, a little extra convenience for the target audience at a grave expense.

That's not to say the existence of services like Disqus is a complete disaster. What developers at WordPress, Movable Type and so on should be taking away from this is that some people aren't happy with existing commenting systems in their blogs, and that they'll implement self destructive plugins like this to get the features they want! I hope this means we see more innovation in the comments space.

UPDATE, 2009: Some good news, it seems the tide is beginning to turn on Disqus and other such dynamically loading comment systems. Matt Mullenweg, the head developer of WordPress, has publicly stated they're a bad idea in a post bluntly titled 6 Ways To Kill Your Community.

I hope this represents a wider trend (from the looks of it, it has) and will encourage others to leave the service for alternatives... though as I stated in the original post, for people who have got hooked to the service this might be impossible or extremely difficult.


Only one problem with strong encryption

Screenshot of a large amount of files being transferred to an external TrueCrypt volume on Mac OS X


Recover forgotten passwords in Camino

AFTERWORD: I created this entry because I was frustrated that there were lots of guides to recover passwords in Safari (and Firefox, and Opera) on Mac, but not Camino. The procedure is about the same, but nobody had it shown anywhere as such.

One of the (many, many!) problems I encountered when I lost my phone recently was losing my password for Wireless@SG! When I signed up for the free public wifi system in Singapore I was issued a password in the form of a text message on my phone. Of course, now that my phone and I have parted ways I don't have that password.

ASIDE: I really should have written the credentials down somewhere safe besides my phone! Hindsight is a remarkably powerful and largely useless tool.

As it stands now though I can still log in to Wireless@SG because Camino remembers my password and enters it in for me automagically. What I wanted to know was, is there some way to retrieve the password from Camino in a form other than a string of asterisks? As it turns out, one of the primary reasons I still keep going back to Camino (greater Mac integration and consistent Mac interface) turned out to be my saviour, in the form of the Mac OS X Keychain.

If you have a password that Camino remembers but you don't, you can retrieve it by opening Keychain Access.app in /Applications/Utilities/. You'll be presented with a list of accounts that OS X has remembered the passwords for.

Double click the site that you can't remember the password for, then click the Show Password checkbox at the bottom of the window that appears. You'll be prompted to enter your Mac OS X login credentials. Voila, your password is presented:

Keychain Access.app

Of course, I changed my password shortly after!


Just ordered a Yubikey

After listening to a recent episode of Security Now I've gone ahead and purchased myself a Yubikey!

The Yubikey is a phenomenal new device that's smaller than most memory keys; when it's plugged into a USB port and the lone button on the case is pressed, a one time password is generated and entered. It does this on any HID enabled operating system including my beloved Mac OS X and FreeBSD without extra drivers because it shows itself as a regular USB keyboard. It's so beautifully simple!

The best part is that the API is open and accessible from a number of different programming languages such as Ruby, PHP and Python (not sure about Perl just yet).

In the coming weeks I'm going to try to implement my Yubikey into my Ruby CMS. I'm really excited!


VIM security note for FreeBSD folks

If you install the vim text editor either from packages or ports, just a reminder from the FreeBSD Security Team:

SECURITY NOTE: The VIM software has had several remote vulnerabilities discovered within VIM's modeline support. It allowed remote attackers to execute arbitrary code as the user running VIM. All known problems have been fixed, but the FreeBSD Security Team advises that VIM users use 'set nomodeline' in ~/.vimrc to avoid the possibility of trojaned text files.

If you install lots of ports at once or just happened to have vim installed automatically because it was listed as a dependency, you may not have seen that message. Take care.