Posted on 2014-04-16 by Savanni D'Gerinel
Lillis Business Complex, University of Oregon, Eugene, Oregon. 2014-02-13, f/4, ISO 400, HDR 1/100s:1/400s:1/25s, 16mm
During my trip to Eugene, of course, I walked over to the University of Oregon. Their entire campus is the most beautiful college I've ever been on, and the architecture of their business school contributed the modern element. Fortunately for me, the school was open and very quiet that day, and they did not much mind (or possibly even notice) a stranger wandering through.
Posted on 2014-04-12 by Savanni D'Gerinel
These three critters are constant joy (and constant frustration) in my life. I know one day I'll have to live without them, but right now I am grateful that I get to spend most of every day with them.
From top left to top right, the cats are Ghost, Sapphira, and Washburn. In the bottom pictures, the affection you see between Sapphira and Washburn, and between Ghost and Washburn, is a rare event. Washburn wants that, the other two are just a little too catty.
Posted on 2014-04-09 by Savanni D'Gerinel
Note: this article is mostly for my friends, not for the internet at large. If you don't know me, there are probably better sources of information out there for you. Especially if you are technically inclined. Basically, I am writing this for a non-technical demographic that I know and interact with.
But, at the bottom of the page, I'm going to post every link I used while researching this.
Okay, I made a very brief mention on Facebook that there is a major security problem out there. I already understood the magnitude of the problem but was curious as to progress in repair and recovery.
One of the awesome things about the internet is that something this fundamental gets so much attention so quickly that it usually gets fixed within a day.
Who is vulnerable?
Most web browsers have a little icon to indicate whether a particular web page is encrypted. It is usually a closed lock, and my particular version of Firefox puts it right next to the website address. It is unobtrusive. Significantly too unobtrusive in my opinion.
https is in the address block, instead of
http, the page was encrypted before being sent to you. Additional protocols, such as
smtp over ssl/tls,
imaps, and others I don't know of are also encrypted. All of these services are impacted.
If you don't see that icon, or you see
http, or you are connecting to
imap, the website wasn't secure to begin with. This bug is not relevant because everything there was already in the clear.
Note: some secure websites will not be vulnerable, but you will not know unless you run the test tool or they tell you. If they used a different SSL library, they will be subject to a completely different set of errors, but not this one. I mention this because I just discovered a statement from my bank that they fall into this category (and the test I show below indicates they are safe).
What got lost?
First, what we know for sure is that the private key for every service was vulnerable. I'm not sure what other claims of vulnerability I believe, but that is critical.
Once the private key is exposed, all encrypted data received by or served from that website is exposed. As a short list that means...
- all transmitted passwords
- all web traffic
- all email traffic (though, arguably, this is never safe to begin with)
- all VOIP traffic (Skype, Webex, etc)
And, to get more specific
- Your online banking password
- Your online financial services password
- Your Google password
- Your Facebook password
- Your Amazon password
- ... and so on and so forth ...
In other words... almost every website that handles your money. Again, you can't know because you don't know what tools are in use inside the guts of the company's computer infrastructure. Although, some people have deployed tools that you can use to run tests, and the tools will tell you very quickly whether the problem is (still) there.
This vulnerability appeared in the code in early 2012. It was announced on Monday. We can never know whether the people who announced it are the only ones to have discovered it. So, we have to assume that the last two years of internet traffic is basically in the clear. We know for sure that everything was in the clear starting with Monday and extending until systems get updated.
In reality most internet traffic has probably been lost. There's a staggering amount out there and almost no organization can keep up with it. While we know that the encryption infrastructure will break on occasion, I don't think there was any reason to believe that the entire system would come caving down on our heads like this.
Well, except for the NSA. Edward Snowden has been showing us for the last year that they are actively working to subvert our encryption infrastructure. They may well have known about this and exploited it themselves.
What can I do?
Ignore those services that were not protected to begin with.
Every website should be forcing you to change your password now. Google hasn't done so, but I'm hoping that they will. I find it distressing that no Google services have told me about this.
Once a service tells you that they have been repaired, Change Your Password. If they don't mention it at all, change your password but do not use the same password you use anywhere else. Assume that the password is still vulnerable.
If you own a website and an SSL key for that website, you may not have to do anything. Start by going to this test page and entering the full address of one of your SSL services. If it comes up green, cool! If not, you need to update OpenSSL and run the test again. Once you are sure that the site has been protected, you must revoke your key and deploy a new one.
Actually, I need to do that revoke/redeploy part. Fortunately I'm the only one who uses my key. Unfortunately, I did not know about the test before running an upgrade, so I have to assume I was running a compromised system, too. sigh
- Here’s a list of websites allegedly affected by the Heartbleed bug
- Change your passwords
- Ars Technica
- List of vulnerable websites as of 2014-04-08 00:00:00 UTC
Important: Google (and possibly some of the others on the not vulnerable list) were vulnerable at one point. Some of the articles I've linked have listed Google as being a significant part of the effort to fix this bug. Some sites are listed as "No SSL". You could think of this as a code word for "always vulnerable", but that is because they never expected to be to begin with.
A final note
I've read up enough technical information about this problem to know that it is the kind of simple coding error that gives programmers nightmares. It is a simple mistake introduced by one person, reviewed by at least one other, and then never noticed by the remaining people on the project or looking at the code afterwards. And, ultimately, it really sucks to have your name on such a thing.
When performing in the open in our society, few will congratulate you on a job well done, but the entire world will want your head if you make a mistake that costs them money. This is why vulnerability requires courage.
Posted on 2014-04-03
I use BTSync to keep all of my devices at home synchronized. I have an Ubuntu laptop computer, an Android cell phone, and an Android tablet, though it will soon be an [Ubuntu Touch] tablet. BTSync is a synchronization application built on the Bittorrent protocol, which is designed to do peer-to-peer synchronization. When your bandwidth to the internet is severely restricted, this can be critical.
Most synchronization clients have to go through some other server, and that is inevitably owned by some third party out there in the cloud. This means that if you want to sync some music from your laptop to your phone, your laptop first has to push it up to the server (using a bunch of upstream bandwidth) and then your phone has to download it (using a bunch of downstream bandwidth), ignoring the fact that they can communicate with one another directly.
Anyway, hopefully your laptop has been firewalled. But, nobody has documented anywhere that I can find exactly which exceptions need to be made to your firewall so that BTSync can actually work. Through trial and error, I have found that this set of rules works:
Port 61230/tcp, allowing connections in from anywhere Port 61230/udp, allowing connections in from anywhere Port 3838/udp, allowing connections in from anywhere
In Ubuntu, using the
ufw firewall application your commands would be:
ufw enable ufw default deny incoming ufw allow 61230/tcp ufw allow 61230/udb ufw allow 3838/udp
On Ubuntu, this will set up your firewall rules for both IPv4 and IPv6. Of course, if you are entering these commands through an ssh shell, there is a reasonably good chance that you will get disconnected after saying
ufw default deny incoming. Not guaranteed, but these rules don't allow for incoming ssh connections. If you need that, add the following SSH rule before the
default deny rule.
ufw allow ssh/tcp
Posted on 2014-04-02
This space, while empty, is adjacent to a variety of other spaces that are not empty even on a Sunday night in Austin. I actually had to dodge cars (in the sense that cars were frequently passing in front of me to ruin the long shots) to get this one.
Posted on 2014-03-26
Doug Sahm Hill, Austin, Texas. 2013-06-23, Sony NEX-7, f/4.5, ISO 200, 6 seconds, 23mm. Copyright Savanni D'Gerinel, 2013
"Look up. What do you see?"
"Is this a trick question?"
"In a sense. There is something very important up there."
"Well, all I see is the moon, a few stars, and the people on that hill. Oh, there is an airplane, too."
"Let's look at the people. What do you actually see?"
"You don't really see people. You just see their shapes. Areas of light in the sky that the people are blocking. You are seeing an actual absence there. Now, look between the stars and tell me what you see."
"All I see there is empty space."
"Exactly. Empty space is a thing. It is just as real as the people who are on top of the hill cutting shadows out of light. Normally we just ignore the empty space, saying 'nothing is there'; but that nothing is something real. It introduces distinction between things, but if you think of it as a real thing, you see how it also carries the relationships between those things."
"Are you always like this?"
"I did write in my profile that I like to go deep."
"Honestly, I didn't read your profile. I just thought you looked cute. And watching the moonrise sounded like a good first date."
Posted on 2014-03-24
Yes, I removed everything. The whole website is gone. Technically, I saved it away for reference. But, really, it's gone.
Welcome to my new home!
Almost two years ago I had a dream of moving off of Wordpress and onto software of my own making. Through a couple of years of training, ignoring the project, playing video games, making stabs at it, and starting over, I finally created some website software that I really like. Super stripped-down is an understatement. It does exactly what I want, does not require the abomination known as PHP, and shouldn't have any openings for system compromises.
It's also not feature complete, but you won't notice that for quite a while.
Some of my old content will come back. I will re-publish all of my photographs at an accelarated rate, while interspersing new photographs as I add them. Since I now have a professional website, I will keep this website restricted to my photography, general musings, the occasional rant, and (probably) pictures of my cats.
First photograph on Wednesday.