Hello Wisconsin!
This post originally appeared on the Annexe.
We’re all alright! We’re all alright! Hello Wisconsin!

And here be the reason why I use my disposable Gmail instead of my regular mail account to register for websites!
I, along with a ton of other people, got sent this email a couple of days ago.
Dear addons.mozilla.org user,
The purpose of this email is to notify you about a possible disclosure of your information which occurred on December 17th. On this date, we were informed by a 3rd party who discovered a file with individual user records on a public portion of one of our servers.
OUCH!
We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the 3rd party, who reported this issue, the file has been downloaded by only Mozilla staff. This file was placed on this server by mistake and was a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password.
Scary stuff. I'd be interested to know who comprises "Mozilla staff" in this case, and for how long it was public.
The reason we are disclosing this event is because we have removed your existing password from the addons site and are asking you to reset it by going back to the addons site and clicking forgot password. We are also asking you to change your password on other sites in which you use the same password. Since we have effectively erased your password, you don’t need to do anything if you do not want to use your account. It is disabled until you perform the password recovery.
Done and done. Yikes.
We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.
We apologize for any inconvenience this has caused.
Chris Lyon
Director of Infrastructure Security
To their credit, at least they disclosed this issue to their users instead of sweeping it under the rug. I hope lessons have been learned, and this doesn't happen again.
This whole thing reminds me of a time I was doing a week's work for a relatively large IT firm that will remain anonymous, and their ticket system was validating users with plain text versions of their passwords. My first thought was "didn't people stop doing this in the 80s?" and secondly, that I was glad I didn't have an account with them.
Then there are the times I've forgotten my passwords for sites, but instead of sending me an email with a reset token or the like, they send me my password, indicating they have it stored in a database. Last time that happened it was something trivial like a creaky old forum, but suffice to say I left there quicker than that strip club I was tricked into going to for my 19th birthday by my roommates at the time. Hey shaddup, I was scared.
You don't need a degree in cryptography to know you never store people's passwords! Kudos to Mozilla for not doing this too ;).
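An added example (not from the original post or from Mozilla): a sketch of why an unsalted MD5 digest is a weak thing to have leaked compared with a salted, slow key derivation, and of a reset token flow in which the site never needs to know or send the password. The iteration count, function names and record layout are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # assumed work factor for this sketch; tune to your hardware


def md5_unsalted(password: str) -> str:
    """The weak scheme: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, derived_key) using a per-user random salt and a slow KDF."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def issue_reset_token(ttl_seconds: int = 900, now: float | None = None):
    """Return (token_to_email, record_to_store); only a hash of the token is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record = {
        "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": now + ttl_seconds,
    }
    return token, record


def redeem_reset_token(token: str, record: dict, now: float | None = None) -> bool:
    """Accept the token only if it matches the stored hash and has not expired."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    return now < record["expires_at"] and hmac.compare_digest(digest, record["token_sha256"])
```
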

There are at least five things wrong with that picture. The most glaring thing is… there's an Outback Steakhouse in Millenia Walk [sic] in Singapore, and it has American flags outside. Then again that could be a mistake on the restaurant's part, in which case there's nothing wrong with this picture whatsoever.
Photo from FreakingNews.com. Another photo and site for which I have no recollection of how I found it. Like a boss, most likely.

In Singapore the weather is always 32C/90F with afternoon showers, so I never needed something like this, but in Sydney this has rapidly become the most useful utility I've installed in a while! ^____^
Meteorologist is a free weather program for Mac OS X. It allows users total control over their weather viewing, including simultaneous interlaced weather reports from multiple weather locations, weather alerts, and much more.
When you install Meteorologist.app, it places a small icon in your Mac's menubar that displays the temperature and weather conditions for a city of your choice. Clicking it brings up a menu that tells you other fun weatherish things like wind speed, air pressure, dew point, visibility, hammerspace and the like, along with a colour weather map and three day forecasts.
Given this is an American app the default is to display data in Fahrenheit, MPH and the like, but it's easily customisable in the same options screen you use to choose your city or cities. It's also less accurate than the weather app I use on the iTelephone that gets its data direct from the BOM, but it's good enough.
There's a joke in there about Singaporean book shops being The Bomb, but I'll refrain.
Given I spend half my life on Macs and the other on various open source *nixes, I've come to really appreciate the simple weather status notification in GNOME, and have been frustrated by the Mac's Dashboard weather widget alternative.
I still think OS X should provide this functionality built in (as part of the clock, as GNOME does) but in the meantime this app works great.

While attempting to find information on the dietary requirements of dust bunnies, I came across perhaps the most epic website of all time.
Firstly, may I say, just straight off the bat, out of left field, out of nowhere, right off the cuff, putting it out there, shouting out loud, mentioning in passing, that I've never been that dusty before. That is enough dust to cover someone from head to toe, or toe to head as the case may be. In this case it could be both, judging from the degree of dust coverage.
Needless to say, that's a lot of dust, and I've never had so much on me before personally. Dust is fairly soft I've been led to believe, but from experience I can attest to the fact the stuff contains a fairly high degree of materials that cause me convulsions of the nasal cavity. That's what a sneeze is, right?
To think it causes that with just a small amount thrown into the air from vigorous activity like vacuuming or dusting, if I were covered from head to toe as this poor gentleman is I'd be sneezing so violently and regularly I'd probably start setting off security alarms in cars parked around the block.
Fortunately through the use of some Dustless Technologies, our friend Darren here seems to be dust free which is a tremendous relief. I hear it's really hard to wash and keep dust clean, easier to just not have it I've always thought.
If you’re all alone
With dust on ‘ur phone
Who ya gonna call?
Go Dustless!
I digress, but some of this stuff on the Dustless Technologies website is pretty cool. Their flagship product appears to be a vacuum cleaner device you can attach to hardware such as angle grinders. That way, while you're… grinding… the dust and splinters that are generated get sucked into the vacuum cleaner instead of going into the air that you're breathing as you're doing this stuff.
My personal favourite, because of the name, is the DustBuddie:
The DustBuddie Dust Shroud captures up to 99% of the dust created by a hand grinder – before it escapes into the air. Designed to be used with the Dustless Wet Dry Vacuum, this dust control shroud fits most hand grinders and is quick and easy to install. With its brush skirt, adjustable height, and removable front lip, the DustBuddie performs smoothly and accurately.
See, I go to their website and have every intention of just talking about a guy covered in dust, but I end up talking about their products. Shrewd geniuses. They even have a link which at this stage I have no choice but to include now, you see.
This is the third time I've mentioned industrial cleaning products on this site, for no reason.

My experiment with using Google Public DNS and OpenDNS is over, and I'm back to using the Optus ones. Behold an incredibly long rant on DNS.
Hey, that's some fancy alliteration if I may say so myself. And those last three words had a lot of "s" sounds in it, like Severus Snape. I gave up on Harry Potter after Goblet of Fire left me yawning so much I nearly broke my jaw. True story.
There are two problems with using services such as OpenDNS and Google Public DNS (referred to henceforth as just Google in this post). The first is the obvious issue with latency; when you're accessing a DNS server in a distant country you'll [virtually] never get the same performance as a server running locally, especially so if it's at your ISP. Well, unless your ISP really, really, really sucks, and particularly in Australia this isn't a far out possibility. Needless to say, APC and other magazines that sound like surge protector manufacturers have had articles discussing the issue of latency.
This isn't the focus of this post so I won't go into this aspect of it for too much longer, suffice to say my pings were on average two significant figures shorter when using my ISP's DNS servers than Google and OpenDNS.

The second isn't a technological problem with the services themselves, but rather the way some people talk about them. Much like many of my American comrades have to endure the frustration of hearing about body scanners taking naked pictures without much talk at all about the inherent safety risks that intense radiation presents, people only seem to discuss open DNS services in terms of speed.
The question is: do you trust Google, OpenDNS or your ISP? Or perhaps a more pertinent question: out of Google, OpenDNS and your ISP, which do you trust the most?
What do I mean by trust? I'd answer you, but I hate rhetorical questions, mainly because I can never spell the word rhetorical.
Particularly in the UK where services like Phorm have become infamous (notorious you could say), ISPs have realised they can milk their customers out of more money by turning DNS into another source of revenue. Ah I hear you say, do they pass those savings onto you? Tee hee, you're funny ;).
Some ISPs use DNS to hijack 404 page requests so instead of getting an error message from your browser, you get a page laden with ads, and a search engine box that gives referral money to the ISP. It's a minor annoyance for end users, and it wreaks havoc with services and software that rely on receiving a 404 to confirm a resource is unavailable. Some ISPs allow you to disable this behaviour, fortunately mine does. I wish they just didn't do it in the first place.
The more invasive form of this, and I consider it a brazen form of man-in-the-middle attack, is when ISPs actively mine the data that you're accessing online, and use it for their own devious purposes. Advertising. Selling to intelligence agencies. Performing illegal electronic wire taps without an opt in. Having your IP addresses being resolved by a DNS server outside their control wouldn't stop this, but anything to make their lives more inconvenient and their logs more confusing is always a plus.
So we come to the question, do you trust that your ISP isn't performing this nonsense, or would you rather rely on OpenDNS or Google? Both are freemium outfits (AFAIK) but I can't help but think they'd be doing something sneaky to their free users. OpenDNS even hijacks 404 error pages by default too!
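An added example (not part of the original post): one way to check whether the resolver you're using rewrites lookups for names that don't exist, which is the hijacking behaviour described above. It looks up random names that are assumed to be unregistered; the function names are made up for this sketch, and the test addresses in the usage are constructed.

```python
import secrets
import socket


def system_resolve(name):
    """Resolve via the OS resolver; return a set of addresses, empty if the name fails."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_nxdomain_rewriting(resolve=system_resolve, probes=3):
    """Look up random names that should not exist; any answer suggests rewriting.

    `resolve` is injectable so the logic can be exercised without a network.
    """
    answers = {}
    for _ in range(probes):
        # 24 random hex characters under .com is assumed to be unregistered.
        # The trailing dot stops the OS from appending local search domains.
        name = f"{secrets.token_hex(12)}.com."
        addrs = resolve(name)
        if addrs:
            answers[name] = addrs
    # Unrelated random names all pointing at the same address is the
    # strongest sign of a landing page server rather than a real host.
    shared = set.intersection(*answers.values()) if len(answers) > 1 else set()
    return {
        "rewritten": bool(answers),
        "answers": answers,
        "shared_addresses": shared,
    }


if __name__ == "__main__":
    result = check_nxdomain_rewriting()
    if result["rewritten"]:
        print("Resolver answered for names that should not exist:")
        for name, addrs in result["answers"].items():
            print(f"  {name} -> {sorted(addrs)}")
    else:
        print("No rewriting seen: random names failed to resolve, as they should.")
```
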

One would think that by using DNS as a revenue source they'd hopefully invest more time and money in the DNS servers themselves, as I suspect many are running on cheap old boxes in basements gathering dust. DNS is a very unsexy, if necessary service that ISPs provide, not at all like that cool mirrored content that some ISPs still count towards quotas (COUGH Optus COUGH) and selective on-demand video and whatnot that's easy to advertise and makes a mockery of net neutrality. But that's for another post.
Because DNS is so terribly unsexy, many ISPs that run obligatory DNS servers simply don't enforce stringent security protocols when it comes to maintenance. DNS spoofing is real and is being actively performed in the wild, and while there are technological solutions (aka: marketing speak for patches) an alarming number of said servers are still vulnerable.
When looked at from this angle, I would think a service like OpenDNS (and to a lesser extent Google) whose very existence is dependent upon delivering reliable, secure DNS resolutions would be at the forefront of keeping their servers patched and bolted down. If an ISP in Australia has a botched DNS server, it affects their customers. If OpenDNS were to botch one of theirs, people around the world would be messed up, to afford ourselves the use of sophisticated networking parlance.
Inevitably with me, despite generally erring on the side of caution with my refusal to use Chrome (Chromium and WebKit are just fine) and arming Firefox to the teeth with security and privacy extensions, I decided the risk that Optus is doing something fishy was worth it for the vastly improved performance. Besides, we'll be churning to Internode once this latest bill cycle is over, and I most certainly trust them more than Optus!