Common Folk Collective » Technology
http://commonfolkcollective.com/blog
Common Folk Doing Uncommon Things

What You Need to Know About POODLE (includes a History)
http://commonfolkcollective.com/blog/2014/10/what-you-need-to-know-about-poodle-includes-a-history/
Fri, 17 Oct 2014 15:55:32 +0000

What you need to know about POODLE is that when you connect to a secure server (aka https), there are several protocols, and versions of said protocols, available to create the secure connection. Secure Sockets Layer (SSL) was the first; it was created by Netscape. [Side note: it’s part of why they were giving their browser away. They wanted to make money selling the SSL server to businesses so that you could have secure transactions over the internet; basically, before 1995 all connections to web servers were insecure.] They started with SSL v2; v1 was internal only and never released to the public. Within a year there were a lot of flaws discovered, and in 1996 they released SSL v3. Also, to feed into your Illuminati vision of the internet, the SSL 3.0 draft was released by the Internet Engineering Task Force in a Request for Comments: http://tools.ietf.org/html/rfc6101. The RFCs are essentially the guides used by developers to implement the protocols.
In 1999 they came up with a newer protocol, Transport Layer Security (TLS). So starting at this point, newer browsers would first ask if the server supported TLS v1; if it didn’t, then it would revert to SSL v3 (which is weaker). As TLS 1.1 and 1.2 came out this trend would continue, where you’d start off with the best protocol and then go back and forth until you found one you both supported. This was done because a lot of people don’t update their browsers or servers.

Now that you have the background: some researchers at Google discovered a big flaw in SSL v3, which a lot of sites kept around. Why, you may ask? Because of motherfuckin’ Internet Explorer 6; it only supported SSL v3.

So the danger is that if the server supports SSL v3 your traffic can be sniffed. The responsibility is on server owners to stop supporting SSL v3 _but_ you can also, usually, force your browser to not accept SSL v3.

Your Email Signature
http://commonfolkcollective.com/blog/2014/07/your-email-signature/
Thu, 03 Jul 2014 19:46:56 +0000

You know the email signature that you often see, something along the lines of:
“Disclaimer: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this email by mistake and delete this e-mail from your system. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.”

It is complete bullshit and you should treat it as such. If you’re sending confidential information in an unencrypted manner you are goddamn negligent and it’s not my fault you don’t understand the technology you are using. Could you imagine if you put the same disclaimer at the end of phone messages or conversations in general?

Well, apparently some of the employees at Goldman Sachs aren’t very tech savvy and have used what I imagine is their immense legal department, shit tons of cash and market influence to convince Google to literally delete a message out of someone’s inbox.

This sets a horrible precedent for Gmail users as Google is now willing to delete messages from people’s inboxes without their knowledge.

If you misaddress an email the protocol should be to send a follow up message saying “Hey, I fucked up and sent you a message I shouldn’t have, it contains information that I’d rather not release, would you be so kind as to ignore/delete it and as an apology I’ll buy you a fancy dinner.”

Not really.

Sonic Poems
http://commonfolkcollective.com/blog/2014/03/sonic-poems/
Sat, 22 Mar 2014 10:00:24 +0000

I sometimes worry.

Sonic the Hedgehog poetry
Together at last: Thomas The Tank Engine’s theme and DMX’s “Where My Dogs At?”
Tibetan mastiff puppy ‘sold for $2 million’ to property developer in China
The Ancient, Peaceful Art of Self-Generated Hallucination
Stupid Twitter Tricks
The Art of Maple Syrup
Discover: Awesome Tapes From Africa (previously on CFC)

Two Security Fails
http://commonfolkcollective.com/blog/2014/03/two-security-fails/
Fri, 14 Mar 2014 17:14:06 +0000

Today I encountered two security fails.
1) When chatting with Sprint customer support they need your account PIN to update your records. After the conversation is over they email your transcript with your PIN sent in the clear.
2) When signing up to pay a travel fee to gain entry to a South American country they confirm your signup by sending you your username and password in the clear.

Good job!

The Latest Apple Security Problem and What You Should Do
http://commonfolkcollective.com/blog/2014/02/the-latest-apple-security-problem-and-what-you-should-do/
Tue, 25 Feb 2014 14:08:07 +0000

TL;DR version:
If you use an iPhone or iPad update it to the latest version of iOS which came out a couple of days ago.
If you use Mac OS X (laptop), use Chrome or Firefox to browse the web until an update is released.

For the long version, I’m going to make the assumption that you have a technical background:
A bug was recently discovered in Mac OS X 10.9 that means the signing chain for an SSL/TLS certificate isn’t verified. This makes a man-in-the-middle attack possible. This is certainly big news and should be patched as quickly as possible, but the exploit requires the attacker to jump through a lot of hoops to exploit it. They’d have to hijack your DNS and have a site that looks similar enough to the real site to prompt you to put in your username/password. If you’re on your home network this probably isn’t the case. If you’re on public wifi it’s more likely, but it would involve someone first having to hack the router at the cafe, redirect it to poisoned DNS servers, and have a site(s) up and running that would convince you to put in your username/password. But if you’re concerned about privacy on unknown networks, you are using a VPN like Private Internet Access anyway, right?

FWIW this code was likely discovered because the core of Mac OS X (Darwin) is open source and the code is verifiable.

UPDATE: Apple has released an update for Mac OS X; install this and all will be well.

Consider technology
http://commonfolkcollective.com/blog/2014/02/consider-technology/
Sat, 22 Feb 2014 11:00:33 +0000

Technological Austerity Manifesto
How to Lose Your Religion in 5 Easy Steps
Graffiti: 40 Years of Hacking New York City
When does a dream become a nightmare?
Del Rubio Triplets: Duchamp Found Pop Culture Object Theater
4’33″ App for iPhone
My Gay Banjo
Boognish Rising, a Ween documentary
Things That Are Cheaper Than WhatsApp

Dual Monitor Support with a Mac Mini
http://commonfolkcollective.com/blog/2014/01/dual-monitor-support-with-a-mac-mini/
Thu, 30 Jan 2014 20:43:38 +0000

This is a nerd post and it’s here because when I was looking for this information online I couldn’t find it. I have a Mac mini (Late 2012 Model). It’s pretty much a stock model except that I added my own RAM to get it up to 16GB. This is the first time I’ve bought a non-laptop computer since at least 2000, which meant the use of a single monitor. As a software developer this is unacceptable, so I started looking around at monitors and I came across the ASUS PB278Q 27″. With the WQHD resolution of 2560×1440 I was pretty excited for this bad boy to arrive. My other monitor is a 24″ DELL S2409W which runs at 1920×1080.

The answer I couldn’t find online is that no matter what connectors I used (HDMI to DVI, Mini Display Port to DVI, Mini Display Port to HDMI, HDMI to HDMI), I couldn’t get the ASUS to work at anything above 1920×1080, depriving me of 1612800 glorious pixels. As it turns out, you can’t get anything above 1920×1080 unless you are using a Mini Display Port to Display Port cable.

The TL;DR version is you can use two monitors at 1920×1080 one via the HDMI and one via the Mini Display Port with a HDMI out or DVI out. If you want to go 2560×1440 you can only do so via Mini Display to Display Port and the other monitor via HDMI will only support 1920×1080.

A soccer player visits an abandoned hospital, and other links
http://commonfolkcollective.com/blog/2014/01/a-soccer-player-visits-an-abandoned-hospital-and-other-links/
Sat, 11 Jan 2014 11:00:48 +0000

Are we back to weeks of dozens of links? At least for now.

Flexing with Flizzo
Pizza Critics #1 by Chris N Paula NSFW
A free ZIP code database
USPS regulations on live animals
“I take the chicken butt for myself.”
Go To Church On Time – the chicken wing song
Carole Anne Kaufman whistles a medley.
Spiritualized – I Think I’m In Love (Chemical Brothers Remix)
Tom Tom Club – Genius of Live
Mom Meet Mom – a social network for mothers
Civic Camouflage: A WWII Neighborhood That Never Existed
Abandoned Steam Train and Pullman Cars
Two Hours in an Abandoned Hospital
The Setup Interviews – who uses what to get things done
The Top 10 Mid-Century Menu Posts For 2012 – Gelatin, Cake and More Gelatin
Crazy Sandwich Cakes

Annoying Trend of 2013
http://commonfolkcollective.com/blog/2013/12/annoying-trend-of-2013/
Fri, 27 Dec 2013 01:35:06 +0000

A trend that took hold in 2013 is putting overlays over the screen that will block your access to the page unless you give as a ransom your email address or access to your Facebook account. I treat my email address and access to my Facebook like a daughter in high school, and to those sites I say:

I don’t know who you are. I don’t know what you want. If you are looking for ransom, I can tell you I don’t have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my daughter go now, that’ll be the end of it. I will not look for you, I will not pursue you. But if you don’t, I will look for you, I will find you, and I will kill you.

Webcam Hack
http://commonfolkcollective.com/blog/2013/12/webcam-hack/
Fri, 20 Dec 2013 14:04:23 +0000

The webcam hack that allows 2008-era MacBook cameras to be turned on without the indicator light showing has gotten a lot of press. There are suggestions that people cover their webcams when not in use, which isn’t a bad idea. Though I have yet to see anyone mention a few equally scary items. First, your laptop also likely has a microphone, which never seems to have an indicator light associated with it. The second is that your phone also has a camera (sometimes two!) and microphone, and they rarely have an indicator light, and you usually carry them with you everywhere.
My webcam has a shutter so I know when it is recording.
