
Friday, April 11, 2014

Heartbleed

In case you've been living in a hole for the last couple days, there's been a massive bug found in the open-source (free) server software that handles secure connections. For the lay-person, the software behind the padlock you see in your browser:

... had a bug that would happily offer up chunks of computer memory if someone sent it the right type of message over the network, with no record of having done it.

Here's XKCD's attempt at an explanation.

Some Q&A:

What does that mean to me?

We're not sure that anyone knew about this before it was found. Maybe NSA, maybe Chinese or Eastern Europeans, or internet crooks, or maybe nobody...

But if someone did know, in the best (most likely) case, they got very little if any of your info. In the worst case, they got your username and password and any other personal information from the websites (and other servers) you've logged into in the past 2 years.

How does this compare to past security bugs?

Catastrophic: 11 out of 10.

How will I know if they got my info?

This is the best question: nobody knows. Your best bet is to check your bank accounts to make sure there aren't any strange charges, check other accounts you log into to make sure there isn't any strange activity, then do the steps below.

Note, not all sites are affected, only the ones using the open-source version of the software (hurray for free and open source).

Is it fixed? What do I need to do?

Check the list of sites here, and reset passwords on any sites that are affected. My short list of sites using the affected software: Facebook-YES, Pinterest-YES, Apple-NO (yay), Amazon-NO (yay), Google-YES, Microsoft-NO, Yahoo-YES, Gmail-YES, Paypal/Target/Walmart-NO, Intuit/TurboTax-YES (doh!), most banks-NO, USAA-YES (doh!).

Then check your financial accounts to make sure there's nothing fishy going on. But you should be doing this regularly anyway (given that some e-commerce websites are zero-margin stores selling you cheap stuff just so they can get your credit card number to sell to crooks).

Oh, and be sure to use different passwords on different websites, and don't make them easily guessed. Apple's iCloud Keychain is a decent/free option for managing passwords for Mac users (though oddly it doesn't work with all websites, incl. Google). 1Password is a better option, but expensive (and I hate having to pay upgrade fees every year, feels like a subscription!).

So is the internet broken now? Should I stop trusting computers completely? Seems like we're always finding bugs like this...

No, the internet's not broken. But are people happy about this? Definitely not. We all hate changing passwords and not knowing who has what information about us.

What this means is that software isn't perfect, and memory bugs are pretty hard to recognize and track down. It may also mean that NSA is really sneaky about this kind of stuff, but the story sounds a little more innocent than that. On the plus side, anyone who knew about this is probably either chasing bank accounts much bigger than yours, or not interested in money...

But the same way armies learn where soldiers need more armor, the software-development communities learn how to better protect against not only this exploit, but this type of exploit, so I wouldn't expect us to have problems with these kinds of bugs for long. Coders are now looking for them, and stand to make a name for themselves finding them.

Hang in there, we'll get through this.

Monday, September 16, 2013

Gnuplot, Mountain Lion, and Malloc errors

A quick tip for Google searchers:

If your Mac crashes when exiting gnuplot, or you can't interact with your X11/XQuartz plots, make sure you have Xcode updated, then try installing from sources with this command:

sudo ./configure --with-readline=builtin

... instead of the usual "sudo ./configure".

Thursday, August 22, 2013

Mac idle flash killer

My kids are always playing flash games on our Mac. I have nothing against flash games, of course, but when the kids want to do something else, they always go, leaving the game running on the computer.

Flash is a processor-hog, which means my computer works like crazy to keep up with it all (especially if they leave 8 tabs of Barbie karaoke going), which means the computer gets really hot and I'm sure runs like that for hours, which can't be good for it...

So -- a solution!

I've written a small Perl script that checks to see if the Mac's been idle more than 10 minutes, and if so, kills all flash processes owned by the current user. Firefox then shows a message where the flash process was, saying that the flash process crashed and you can reload it any time.

Then I set up a launchd ("launch daemon") process to run my script every 10 minutes. So those processes will now run at most 20 minutes unattended before the script kills them.

Interested?

Only do this if you trust me and accept that there's no guarantee of anything. And if anyone you don't trust asks you to download files and install them on your machine like this, don't do it.

Okay, that all said, here are the two files you need.

Setup:

  1. Unzip those two files to your desktop.
  2. Open Terminal (Finder: Go -> Utilities, Terminal)
  3. Copy/paste this command into the terminal, and press enter:

    mv ~/Desktop/killFlashIfIdle.plist ~/Library/LaunchAgents; chmod a+x ~/Desktop/killFlashIfIdle; sudo mv ~/Desktop/killFlashIfIdle /usr/local/bin/ ; launchctl load ~/Library/LaunchAgents/killFlashIfIdle.plist; launchctl start local.killFlashIfIdle

  4. Enter your password when it asks for it.

You'll know it's working if you open a flash site, then leave the computer untouched for 20 minutes -- it should kill it.

The scripts are so tiny you can round their sizes down to zero. The commands they issue are super simple (ps, perl, and ioreg), so the odds of anything awful happening are minuscule. Still, if for some reason you want to uninstall the scripts, here's how you do it:

Uninstall:

  1. Open Terminal (Finder: Go -> Utilities, Terminal)
  2. Copy/paste this command into the terminal, and press enter:

    launchctl unload ~/Library/LaunchAgents/killFlashIfIdle.plist; rm ~/Library/LaunchAgents/killFlashIfIdle.plist; sudo rm /usr/local/bin/killFlashIfIdle

  3. Enter your password when it asks for it.

Enjoy.

Wednesday, April 11, 2012

Apple working on Flashback removal tool

Posted yesterday on an Apple Support document (via AppleInsider):
Apple is developing software that will detect and remove the Flashback malware.

Tuesday, January 13, 2009

Password-less ssh logins

I'm not sure where else to post this, so I thought I might as well post it here.

We have a process for logging into a remote Mac or Linux computer using ssh without a password. It looks something like this in the terminal:

Create a pair of RSA keys:

    cd; mkdir -p .ssh; ssh-keygen -N '' -C '' -f .ssh/id_rsa

... then copy that .ssh folder to your home directory on the remote machine. Easy as pie.

But one of our users couldn't make it work. His .ssh folder contents and permissions were identical to the other users', but it still wouldn't work. We even tried copying another user's .ssh folder over and using that. Still no joy.

An obscure posting on some unix help website gave us the answer: his home directory was group-writeable. Once we did a "chmod g-w ~" in his account, and rebuilt the .ssh folder (who knows why we had to do that), everything was back in business. SSH is notoriously particular about the permissions in the .ssh folder, but apparently it is also particular about the user's home directory as well.

Somebody out there needs this, I hope they find it here.
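
The home-directory check described above can be scripted. This is an added example, not part of the original post: it assumes the server runs OpenSSH with its default StrictModes setting, it looks only at write bits (sshd also checks ownership), and the function names is_loose and check_ssh_perms are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag paths that sshd's
# StrictModes check rejects because group or others can write to them.

# True if the path is writable by group or others. -H follows a symlink
# named on the command line; -prune stops find from descending.
is_loose() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Check the home directory, .ssh and authorized_keys under the given
# directory (default: $HOME). Prints each offender and returns non-zero
# if any was found.
check_ssh_perms() {
    home_dir=${1:-$HOME}
    bad=0
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if is_loose "$p"; then
            echo "group/other-writable: $p (fix: chmod go-w \"$p\")"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo: a throwaway "home" that reproduces the post's failure.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh"
chmod 700 "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 600 "$demo_home/.ssh/authorized_keys"
chmod 775 "$demo_home"                      # group-writable home directory
check_ssh_perms "$demo_home" || echo "=> key login would be refused"
chmod g-w "$demo_home"                      # the fix from the post
check_ssh_perms "$demo_home" && echo "=> permissions OK"
rm -rf "$demo_home"
```

Run check_ssh_perms with no argument on the remote account to check the real home directory; when key login fails for this reason, the server's sshd log normally names the offending path.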
