Showing posts with label internet. Show all posts

Friday, April 11, 2014

Heartbleed

In case you've been living in a hole for the last couple days, there's been a massive bug found in the open-source (free) server software that handles secure connections. For the lay-person, the software behind the padlock you see in your browser:
[Image: browser padlock icon]

... had a bug that would happily offer up chunks of computer memory if someone sent it the right type of message over the network, with no record of having done it.

Here's XKCD's attempt at an explanation.
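How a message can make a server hand back memory it was never asked for, as an added simulation that is not from the original post and is not OpenSSL's code. The heartbeat layout (type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520; the byte strings, the neighbouring "secret" and the function names are constructed for illustration.

```python
import struct

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16   # RFC 6520 requires at least 16 bytes of padding
HEADER = 3         # 1-byte type + 2-byte payload length

# Constructed records. HONEST says "my payload is 4 bytes" and sends 4 bytes.
# LYING sends the same 4 bytes but claims 64.
HONEST = bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", 4) + b"ping" + bytes(MIN_PADDING)
LYING = bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", 64) + b"ping" + bytes(MIN_PADDING)

# Constructed stand-in for whatever else happens to sit in server memory.
NEIGHBOUR = b"user=alice&password=constructed-example"


def echo_unchecked(memory, start):
    """Behaviour before the fix: copy as many bytes as the message claims."""
    (claimed,) = struct.unpack_from(">H", memory, start + 1)
    begin = start + HEADER
    return bytes(memory[begin:begin + claimed])


def echo_checked(memory, start, record_len):
    """Behaviour after the fix: drop any message whose claimed length
    does not fit inside the bytes that were actually received."""
    if record_len < HEADER + MIN_PADDING:
        return None
    (claimed,) = struct.unpack_from(">H", memory, start + 1)
    if HEADER + claimed + MIN_PADDING > record_len:
        return None  # discard silently, as RFC 6520 requires
    begin = start + HEADER
    return bytes(memory[begin:begin + claimed])


def simulate(record):
    """Place the record next to NEIGHBOUR and run both handlers on it."""
    memory = record + NEIGHBOUR
    return echo_unchecked(memory, 0), echo_checked(memory, 0, len(record))


if __name__ == "__main__":
    for name, record in (("honest", HONEST), ("lying", LYING)):
        unchecked, checked = simulate(record)
        print(name, "unchecked:", unchecked)
        print(name, "checked:  ", checked)
```

The unchecked handler answers the lying record with the payload, the padding and the neighbouring bytes; the checked handler returns nothing for it and still answers the honest one.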

Some Q&A:

What does that mean to me?

We're not sure that anyone knew about this before it was found. Maybe NSA, maybe Chinese or Eastern Europeans, or internet crooks, or maybe nobody...

But if someone did know, in the best (most likely) case, they got very little if any of your info. In the worst case, they got your username and password and any other personal information from the websites (and other servers) you've logged into in the past 2 years.

How does this compare to past security bugs?

Catastrophic: 11 out of 10.

How will I know if they got my info?

This is the best question, nobody knows. Your best bet is to check your bank accounts to make sure there aren't any strange charges, check other accounts you log into to make sure there isn't any strange activity, then do the steps below.

Note, not all sites are affected, only the ones using the open-source version of the software (hurray for free and open source).

Is it fixed? What do I need to do?

Check the list of sites here, and reset passwords on any sites that are affected. My short list of sites using the affected software: Facebook-YES, Pinterest-YES, Apple-NO (yay), Amazon-NO (yay), Google-YES, Microsoft-NO, Yahoo-YES, Gmail-YES, Paypal/Target/Walmart-NO, Intuit/TurboTax-YES (doh!), most banks-NO, USAA-YES (doh!).

Then check your financial accounts to make sure there's nothing fishy going on. But you should be doing this regularly anyway (given that some e-commerce websites are zero-margin stores selling you cheap stuff just so they can get your credit card number to sell to crooks).

Oh, and be sure to use different passwords on different websites, and don't make them easily guessed. Apple's iCloud Keychain is a decent/free option for managing passwords for Mac users (though oddly it doesn't work with all websites, incl. Google). 1Password is a better option, but expensive (and I hate having to pay upgrade fees every year, feels like a subscription!).

So is the internet broken now? Should I stop trusting computers completely? Seems like we're always finding bugs like this...

No, the internet's not broken. But are people happy about this? Definitely not. We all hate changing passwords and not knowing who has what information about us.

What this means is that software isn't perfect, and memory bugs are pretty hard to recognize and track down. It may also mean that NSA is really sneaky about this kind of stuff, but the story sounds a little more innocent than that. On the plus side, anyone who knew about this is probably either chasing bank accounts much bigger than yours, or not interested in money...

But the same way armies learn where soldiers need more armor, the software-development communities learn how to better protect against not only this exploit, but this type of exploit, so I wouldn't expect us to have problems with these kinds of bugs for long. Coders are now looking for them, and stand to make a name for themselves finding them.

Hang in there, we'll get through this.

Thursday, August 22, 2013

Mac idle flash killer

My kids are always playing flash games on our Mac. I have nothing against flash games, of course, but when the kids want to do something else, they always go, leaving the game running on the computer.

Flash is a processor-hog, which means my computer works like crazy to keep up with it all (especially if they leave 8 tabs of Barbie karaoke going), which means the computer gets really hot and I'm sure runs like that for hours, which can't be good for it...

So -- a solution!

I've written a small perl script that checks to see if the Mac's been idle more than 10 minutes, and if so, kills all flash processes owned by the current user. Firefox then shows a message, where the flash content was, saying that the flash process crashed and that you can reload it any time.

Then I set up a launchd ("launch daemon") process to run my script every 10 minutes. So those processes will now run at most 20 minutes unattended before the script kills them.

Interested?

Only do this if you trust me and accept that there's no guarantee of anything. And if anyone you don't trust asks you to download files and install them on your machine like this, don't do it.

Okay, that all said, here are the two files you need.

Setup:

  1. Unzip those two files to your desktop.
  2. Open Terminal (Finder: Go -> Utilities, Terminal)
  3. Copy/paste this command into the terminal, and press enter:

    mv ~/Desktop/killFlashIfIdle.plist ~/Library/LaunchAgents; chmod a+x ~/Desktop/killFlashIfIdle; sudo mv ~/Desktop/killFlashIfIdle /usr/local/bin/ ; launchctl load ~/Library/LaunchAgents/killFlashIfIdle.plist; launchctl start local.killFlashIfIdle

  4. Enter your password when it asks for it.

You'll know it's working if you open a flash site, then leave the computer untouched for 20 minutes -- it should kill it.

The scripts are so tiny you can round their sizes down to zero. The commands they issue are super simple (ps, perl, and ioreg), so the odds of anything awful happening are minuscule. Still, if for some reason you want to uninstall the scripts, here's how you do it:

Uninstall:

  1. Open Terminal (Finder: Go -> Utilities, Terminal)
  2. Copy/paste this command into the terminal, and press enter:

    launchctl unload ~/Library/LaunchAgents/killFlashIfIdle.plist; rm ~/Library/LaunchAgents/killFlashIfIdle.plist; sudo rm /usr/local/bin/killFlashIfIdle

  3. Enter your password when it asks for it.

Enjoy.

Sunday, June 30, 2013

Google Reader: The shout heard round the internet, and what to do

For everyone who uses Google Reader, you've surely heard that Google is discontinuing it tomorrow. It will be the shout heard round the internet...

Anyway, the most important thing is that you go to this Google Takeout page, log in, then click "Create" archive. After a minute or so you'll be able to download the archive as a .zip file. Supposedly other products will let you import those files.

In the meantime, most people suggest Feedly. I've been using it for a day and it's pretty much the same, with a slightly confusing interface.

Interestingly you authenticate via Google (basically Feedly asks Google to figure out who you are, then they trust what Google tells them), then it imports all your feeds and read/unread status. More info from Feedly on the whole transition here.

Hope that helps someone.

Sunday, January 13, 2013

Dear Google

Today I realized how much I use Google Docs, and started to get scared. Your servers might crash, or corrupt my documents, or you might shut down your service. So I decided to download copies of all my documents off of Google Docs so I'll at least have something should that day come.

So I went to docs.google.com, and clicked the box above my list of documents, then I looked for something like a "Download" option. I quickly found it under the "More" menu, and immediately it offered to convert all of my documents to the new Office format, and .zip them all up and download them to my computer. It also gave me the option of converting them to PDF files.

The .zip file is 3 MB, and contains 88 files. The ones I opened look fine. Suddenly I love Google Docs way more than ever before. Flexibility of formats? No lock in? Ease of use? You are amazing.

Thank you for a terrific service. I hope the relatively few times I click on your ads is somehow worth all the value you give to me.

Warmest regards,

Bryan

Monday, December 24, 2012

Getting a new iOS device?

Just a quick tip for anyone getting a new iOS device (iPad, iPhone, iPod Touch) for Christmas:

Everyone in a single family should use the same iTunes Store account (Settings -> iTunes and App Stores), but each individual should have their own iCloud account (Settings -> iCloud).

That ensures that you all get to share the same media (videos, songs and apps), but the separated iCloud accounts let you each have your own contacts lists, calendars, reminders, etc.

Many people make the mistake of all signing into the same iCloud account and quickly find out that their contacts and calendars, etc., all sync up and make a mess.

The harder problem is if the device is for a child, since the minimum age for iCloud accounts is 13. I can't find any recommendations for this on the net, so my best guess is to lock down the phone with restrictions, limit Safari, iTunes, iBookstore, installing apps, and explicit language -- all with a passcode that only you know. And don't install YouTube, Google Search, Vimeo, and any other video- or web-searching apps. If you want them to be able to watch videos, consider Netflix' "Just for kids", or WeetWoo (an app that's basically a directory of clean YouTube videos). You'll want to monitor your kids carefully too, remember my post about allowing a crippled mind to poison itself? Lots of mental and emotional poison on the internet, and people can be pretty awful about discerning it, especially kids.

Merry Christmas!

Tuesday, January 17, 2012

Wikipedia blackout

Does anyone else worry about the wikipedia blackout? Somehow the world has come together to amass the most comprehensive repository of information anywhere, and yet it is still controlled by the hands of a select few people. If they want to shut it down, down it goes.

Something feels wrong about that. The mantra of wikipedia was that information should be free, and that wikipedia was to be the sum of the best minds in the world -- that willingly and freely improving the quality of information there was contributing to the advancement of humanity itself. But now the entire repository is being held hostage by a handful of people to protest some bill in Congress that most of us know nothing about.

What if a rogue admin at wikipedia were to plant some code that at a given day would wipe the entire database and corrupt all the backups? Is that not impossible? And how many man-millennia would be lost if it happened?

Either the US government or Google should be actively mirroring the entire website so if Jimmy Wales* or one of his people goes crazy and wipes the whole thing, all that information would not be lost.

* Incidentally, Jimmy is from Huntsville.

Wednesday, November 30, 2011

Android phones come with spyware preinstalled?

Not exactly sure what all this Carrier IQ stuff (via DF, of course) on Android and Blackberry is about yet, but the smartphone landscape right now reminds me of the middle ages when marauding bands would roam over the countrysides -- "pillage and burn". Castles were principally built for safety during this period, and I imagine they were enviable places to live.

When you choose Android, you're choosing life out in the countryside, free from rules and limitations, but at risk of having 30 guys show up and dragging you out, stealing all your stuff and burning the house down (spy- and malware).

When you choose Apple, you choose life within castle walls. Doors are closely guarded, and the vast grounds are kept neat and friendly. Come and go (i.e. surf the internet) as you please, but home (your phone OS and apps) are by all measures safe. Pretty easy to be happy as long as you trust the lords of the castle.

The question a smartphone buyer has to answer is this: do I feel safe inside castle walls, or imprisoned?

Tuesday, August 9, 2011

Global health database

Imagine President Obama standing up and announcing a partnership with Google to build the most comprehensive anonymous health database the world has ever seen.

Google would be permitted to put ads in a small box off to the right.

Everyone in the world would be encouraged to create an anonymous account (or they could use their existing Google account if they trust Google), and input all of their health information -- i.e. diseases, medications, conditions, symptoms, diet, exposure, activities, cities lived in, etc.

Why would anyone do this?

Individuals could be completely anonymous in their inputs. It could be touted as patriotic, and scientists and doctors would encourage everyone to put in their inputs. The system would offer health recommendations and potential risks based on their inputs. They could see whether they have shots due, or if their yearly colds happen to line up with allergy season. Or if their particular symptoms have a new treatment, e.g. stomach ulcers can be cured with antibiotics now.

Google would love it, they make money any time ads are shown, and they could target the ads to your conditions. They'd get access to a massive database of coincident health conditions and could use that to improve ad targeting to others.

The gov't, hospitals, medical universities, and even regular individuals could go in and do searches and download data, such as "What percent of folks with arthritis also have strokes"? or "In what cities are cold sores most common?"

Reputable organizations could request more information from folks with a given condition, e.g. "Have you ever lived near high voltage power lines?" sent to all folks who get migraines. Users who wish to help the medical community by answering these kinds of questions would only have to click the "Help with research" link to see/answer them.

No one's name or address is ever entered, or even requested. Fraud would be rare since there'd be no motivation for it, and it would quickly get washed out in the volumes of data. Google could investigate or weed out obviously false info.

I could see something like this changing the world.

Thursday, January 6, 2011

Sunday, December 20, 2009

2009 Huntsville Christmas Festival

Enjoy this year's Huntsville Stake Christmas Festival.

Don't miss #3 and #8.

* If you'd like to load those files in iTunes, just go to Advanced -> Subscribe to Podcast... and paste in this link: http://harrisfam.s3.amazonaws.com/other/091220-HSVStakeFestival.rss. It should appear in with your other podcasts; depending on your settings you may have to click "Get all" to have it actually download them. Let me know if you have trouble, this is my first podcast feed. =)

Saturday, November 21, 2009

Monday, July 13, 2009

Firefox 3.5 tip

Finding that Firefox is opening links in the current tab instead of in a new tab as you'd prefer? Me too! =)

This seemed to fix it:
  1. Type "about:config" in your browser location bar, then accept the warning
  2. Right click in the window and select "New" -> "Integer"
  3. Paste in "browser.link.open_external" as the name, and "3" as the value (no quotes)

If that doesn't work, type in "browser.link.open" in the filter bar, then right click on each of the preferences that match and select "reset".

That seemed to work for me.

Good luck!

Thursday, April 30, 2009

Amazing bicycle skills

This guy's incredible:



FYI, his name is Danny MacAskill. He's 23, and has been riding for 12 years. Given this video, I would be very sad but not at all surprised to one day hear he'd been killed doing this stuff.

Until that happens, though, I suppose I'll just sit here and be amazed. Don't miss the part starting at about 3 minutes in. Wow.

Wednesday, April 29, 2009

The spam that almost got me...

Check out this email I got today at work:

[Screenshot of the email: 090429-HallmarkEcard.png]


I'm pretty cautious, but I just about clicked on the "To see it, click here" link.

It's a good thing I didn't, that link points to a .exe file located on a server named "mail.formens.ro". For those really not into computers, that link points to a Windows "executable", i.e. a program that very likely will do bad things to my computer. Clicking on it could have downloaded and run it (maybe with a dialog box asking me about it, I didn't want to press my luck trying it).

I think what kept me from it was seeing that "received" is misspelled. Misspellings are common in phishing and other spam emails.

The other thing is the link itself. I don't trust *any* emails I get, including the links in them -- especially HTML ones. Again, for the uninitiated, there are really two main types of emails you can receive -- plain text, and HTML formatted. HTML allows you to have formatted text: underlined, bold, multi-colored, etc. With plain text, it's just letters and numbers. Links in plain text emails look like this: http://www.amazon.com. In HTML emails, you can make links with pretty much any text, like this. Even worse, if I were malicious, I could make a link that looks like a link to CNN, but takes you to Amazon's webpage: http://www.cnn.com. In this case, the bad guys put a link to a trojan horse (I presume), masked as "here".

So how can you tell? Most email clients (Entourage, Outlook Express, hopefully others) will show you the real url (address) of a link down in the status bar at the bottom of the window when you hover over it with your mouse.* In this case, I did that and immediately saw that the link wasn't at hallmark.com, but at that "mail.formens.ro" site.

If you're not totally sure where the link goes, try to copy the link and paste it into a text editor (TextEdit on the Mac, Notepad on the PC), then if it looks okay, you can copy/paste it into your browser's address bar. That's much safer.

Lastly -- was I worried? A little, I still don't have a replacement Mac at work so I was using a Windows PC. Do .exe files affect Macs? Nope. =) Macs can't natively run those types of files**, so they're not really dangerous.

* Sadly, that does *not* always work with your browser -- malicious websites can fake the text shown in the link on the status bar. Google's search results pages even do little tricks with that text, showing you the bare link you're going to, but really linking to another google url that keeps track of which result you clicked before actually taking you there.

** ... unless you have vmware or parallels installed and run it through there.
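The hover check described in this post can also be done mechanically. An added example, not part of the original post: it lists every link in an HTML email body and flags the cases discussed above (text that shows one site while the link goes to another, a link to an executable, a link that is not on the claimed sender's site). The sample email and the path on mail.formens.ro are constructed, and the function names are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".pif")

# Constructed sample: an "e-card" style link, the CNN/Amazon disguise
# described in the post, and one honest link for comparison.
SAMPLE_EMAIL = """
<p>To see it, click <a href="http://mail.formens.ro/constructed/card.exe">here</a>.</p>
<p>News: <a href="http://www.amazon.com">http://www.cnn.com</a></p>
<p><a href="http://www.hallmark.com/">www.hallmark.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname if the visible text looks like a URL or bare domain, else None."""
    candidate = text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower() or None


def audit_links(html, sender_domain):
    """Return [(href, text, [reasons])] for links that deserve a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        reasons = []
        shown_host = host_of(text)
        if shown_host and shown_host != target_host:
            reasons.append("text-host-mismatch")
        if target.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("executable-download")
        if target_host != sender_domain and not target_host.endswith("." + sender_domain):
            reasons.append("off-sender-domain")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL, "hallmark.com"):
        print("%-45s shown as %-20r %s" % (href, text, ", ".join(reasons)))
```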

Monday, January 19, 2009

Buying good reviews

I love Amazon's review system for researching stuff I want to buy -- but it looks like I'll have to start being more careful now, check out this story. Yep, a Belkin representative was paying people to put in glowing reviews for their products, and vote down the negative ones. Ouch.

I think Amazon should suspend all Belkin sales for 90 days as a signal to any other companies considering padding their products' reviews.

Tuesday, September 23, 2008

Skepticism justified

This quote on making websites accessible has stuck with me ever since I read it:
"Since [most web developers'] world consists largely of able-bodied 26-year-olds, it's very hard for them to believe that a large percentage of the population actually needs help accessing the Web. They're willing to write it off as the kind of exaggeration that people make when they're advocating for a worthy cause, but there's also a natural inclination to think, "If I can poke a hole in one of their arguments, I'm entitled to be skeptical about the rest."

"They're also skeptical about the idea that making things more accessible benefits everyone. Some adaptations do, like the classic example, closed captioning, which does often come in handy for people who can hear. But since this always seems to be the only example cited, it feels a little like arguing that the space program was worthwhile because it gave us Tang. It's much easier for developers and designers to imagine cases where accessibility adaptations are likely to make things worse for "everyone else."

- Steve Krug, "Don't Make Me Think" (emphasis added)

It's a great point. I love this concept of justified skepticism, and have been seeing opportunities to use it ever since.

For example, see this story about some religious "compound" in Arkansas raided under suspicion of child abuse. For those disinclined to religion for some reason or another, it's one more reason to feel "entitled to be skeptical" of religion altogether -- "If that's what religion makes of people, even in rare cases, keep me out of it!"

I have a feeling the Devil knows that's how people's minds work, and works hard to keep the connection between the bad apples and "religion".

When I think about religious leaders in other churches, I tend to believe that what principles we held in this life will matter far less than how well we lived the principles we had. And as long as one of our principles is to seek for and accept truth wherever we find it, God will continue to teach us.

And if the allegations are true, I'd bet the folks in that compound were not trying very hard to live their principles. Sad.

Tuesday, September 2, 2008

Gmail users, do this.

Someone figured out how to get into a gmail account without permission. Sound scary? Welcome to the internet.

Before you get too excited, here's what I've gleaned from the article:
  • For it to work, someone has to send you a specially-crafted email with pictures in it
  • You had to open that email in a browser (not in an email client like Entourage or Outlook)
  • You had to "download" the pictures (by default gmail doesn't show non-embedded images in emails)
  • And you had to not be using a secure connection


This just came out today, so your chances of having your account compromised are slim.

And the fix is easy. Go to Gmail, click on "Settings" in the upper right, "General" tab, and click this setting: Always use https

Your email might be a little slower, but people with broadband aren't likely to notice. Use Google Notifier? Looks like you'll have to upgrade it...

I recommend not downloading pictures in any email you don't *really* trust. Spammers embed your email address in the image requests in their emails, so they can tell that your email address is good just by you viewing the email.

Sorry, mom, I wish the internet world was a safer place for the innocent to move about. But that's why you have me, right? =)

Monday, August 11, 2008

Relaxing ride on the highway

For some reason, I just couldn't stop laughing after I saw this.

"He's texting!"

Tuesday, July 1, 2008

RC helicopter skills

Check out this impressive display of RC helicoptering skills.

I bet even if I had that helicopter stuck on the end of a long stick I couldn't make it move like that!

Makes me wonder if they don't have sequences of moves programmed into their controller, e.g. press the green button and the thing goes straight up 10 feet and stops, the red button and it goes down 10 feet then stops, yellow button it flips upside down and inverts the rotor blade angles, etc. If so, I bet they could design pilotless fighter jets the same way, and give them some tremendous advantages in a dogfight. That would be like having a tank in the Revolutionary War -- a real game changer.

Who knows, they may have them already.

Monday, June 30, 2008

Blank webpage tip

Given:
  1. It's faster going to a webpage if a browser window is already open.

  2. Most webpages use memory and processor time redrawing and refreshing, even when in the background.

So what can you do? Type "about:blank" in the location bar of Firefox or Safari and hit return. Ta-da! Blank page!

In Firefox, you can blank your screen with two keystrokes. Go to "Organize bookmarks", create a new bookmark with "about:blank" as the location, and set "b" as the keyword. Now to blank your screen, simply type cmd-L to go to the location bar, then "b" and "return". I guess that's three keystrokes, isn't it?

Still, a nice way to leave the browser ready to go without it occupying resources in the meantime.

Enjoy!
