Apple totally screwed up SSL with a fundamental bug in their certificate checking implementation in both MacOS 10.9 and iOS 7. Every consumer iPhone, iPad, and Macintosh running recent versions of their OS is vulnerable. My understanding is SSL certificate checking basically does not work and any secure site can be spoofed with a man-in-the-middle attack. It’s about as deep a flaw as it goes. There’s a patch for iOS out but not yet for MacOS. You can test if a browser is vulnerable here.
The bug boils down to a simple typo in the code, the good ol’ C gotcha that indentation doesn’t match control flow. Bugs like that happen in C. What’s alarming is Apple didn’t catch the bug; not with a lint tool, not in code review, not in unit testing, not in integration testing. No aspect of Apple’s software development process caught this bug before releasing it to millions of users. That’s terrible engineering practice; in a critical security library it’s outright negligence.
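The passage above describes the bug class without showing code. Here is a constructed C illustration of it, added to this page (it is not Apple's code, and the `verify_hash`/`verify_signature` steps and the error values are assumptions made for the demo): a chain of early-exit checks in which a duplicated jump line, indented as if it were still inside the `if`, runs unconditionally and makes every later check dead code. The fixed version shows the brace discipline that removes the trap.

```c
/* Constructed illustration of "indentation doesn't match control flow".
 * Not Apple's code: verify_hash, verify_signature and the status values
 * are assumptions for this demo. */
#include <stdio.h>

enum { OK = 0, ERR_HASH = 1, ERR_SIGNATURE = 2 };

/* Assumed stand-ins for the real verification steps. Each returns OK on
 * success; the signature step is the one that would reject a forgery. */
static int verify_hash(int hash_ok)      { return hash_ok ? OK : ERR_HASH; }
static int verify_signature(int sig_ok)  { return sig_ok ? OK : ERR_SIGNATURE; }

/* Buggy version. The second `goto fail;` looks like part of the `if`, but
 * C ignores indentation, so it always executes. The signature check below
 * it is unreachable, and because err is still OK from the hash step the
 * function reports success for a bad signature. */
int verify_buggy(int hash_ok, int sig_ok)
{
    int err = OK;

    if ((err = verify_hash(hash_ok)) != OK)
        goto fail;
        goto fail;                         /* the duplicated line */
    if ((err = verify_signature(sig_ok)) != OK)
        goto fail;

    return OK;
fail:
    return err;
}

/* Fixed version: braces on every controlled statement, so a stray
 * duplicate line cannot silently change control flow. */
int verify_fixed(int hash_ok, int sig_ok)
{
    int err = OK;

    if ((err = verify_hash(hash_ok)) != OK) {
        goto fail;
    }
    if ((err = verify_signature(sig_ok)) != OK) {
        goto fail;
    }
    return OK;
fail:
    return err;
}

int main(void)
{
    /* Valid hash, forged signature: the buggy path accepts it (returns 0). */
    printf("buggy: %d\n", verify_buggy(1, 0));
    printf("fixed: %d\n", verify_fixed(1, 0));
    return 0;
}
```

Modern compilers flag this shape: gcc's `-Wmisleading-indentation` (enabled by `-Wall` since GCC 6) warns on the second `goto`, and `-Wunreachable-code` style analysis or any unit test that feeds a bad signature through the function would have caught it too, which is the point the post makes about process.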
At the moment MacOS users are entirely vulnerable and there’s no fix. In the past Apple has taken many weeks to fix critical bugs in things like Java, hopefully they’ll be faster here. Using Chrome instead of Safari will insulate you from malicious web servers, Chrome wisely has its own SSL implementation. But a whole lot of other Mac software is relying on the broken certificate library, presumably including Apple’s own software update system.
Nice of Apple to publish the exploit before the fix.
Above is the forecast for near Grass Valley, CA for the next two days. Time goes from left to right, each row is for a different sky condition: cloud cover, transparency, seeing, and darkness. Also the temperature, humidity, and wind for your backyard comfort. See the legend for details, but basically dark blue is good. Once you learn to read this presentation you can quickly tell if it’s likely to be a good night to look at stars in thousands of locations. Looks like it'll be clear but relatively poor tonight.
These charts are derived from a more traditional map forecast prepared by the Canadian Meteorological Center. Their site shows you maps of things like cloud cover by the hour. The Clear Dark Sky site basically samples the pixels at a specific location and displays the time series as a strip chart. Simple and useful. The mysterious seeing forecast is particularly idiosyncratic to astronomy, an experimental forecast of how bad atmospheric distortion is likely to be.
The “angry rainbow” palette is the colors you get when you set saturation and value to 100% and then spin the hue wheel. From bright red #ff0000, briefly through yellow, a long linger in #00ff00 green, longer still around dark blue #0000ff, and finally back to red via an eye-searing trip through purple. The term “angry rainbow” isn’t in common usage but I’m doing my best to spread it. I got the term from someone else, maybe another student at the MIT Media Lab? (See also: angry fruit salad).
The angry rainbow is always the wrong palette for data visualization. It’s too bright, too colorful, and too reliant on non-uniform hue discrimination. But it pops up all the time, from random weather maps to heatmap examples to NYTimes work sketches. It seems to be the default palette for various visualization tools, no doubt because it’s easy to generate in software. I’ve certainly been guilty of using it myself, somehow it’s always at my fingertips.
So what’s a better choice? Honestly, almost anything. Even knocking saturation and value down to about 80% gives a more pleasing result. If you have continuous data, try plotting it with varying brightness instead of hue, or narrowing down to a red/blue color ramp (properly interpolated) instead of the full rainbow. If you want to do it right, consider a ColorBrewer scale; the D3js implementation is a fine place to start. If you roll your own palette, work with colors that are not fully saturated and not fully bright. Think carefully about whether hue is really the thing you want to vary.
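To make the palette description concrete, here is an added C example (not from the original post or any visualization library named on it) that implements the standard HSV-to-RGB conversion and uses it to generate the three kinds of ramp the text contrasts: the full-saturation hue sweep, the same sweep toned down to 80%, and a single-hue brightness ramp. The function names are my own.

```c
/* Added example: HSV -> RGB and the palettes discussed above.
 * Pure arithmetic, no libm, so it builds anywhere. */
#include <stdio.h>

static double absd(double x) { return x < 0 ? -x : x; }
static unsigned to_byte(double x) { return (unsigned)(x * 255.0 + 0.5); }

/* h in degrees (any value, wrapped to 0..360), s and v in 0..1.
 * Returns a packed 0xRRGGBB. Standard six-sector conversion. */
unsigned hsv_to_rgb(double h, double s, double v)
{
    while (h >= 360.0) h -= 360.0;
    while (h < 0.0)    h += 360.0;

    double c  = v * s;                       /* chroma */
    double hp = h / 60.0;                    /* sector 0..6 */
    double hm = hp - 2.0 * (int)(hp / 2.0);  /* hp mod 2 */
    double x  = c * (1.0 - absd(hm - 1.0));
    double r = 0, g = 0, b = 0;

    switch ((int)hp) {
    case 0:  r = c; g = x; break;
    case 1:  r = x; g = c; break;
    case 2:  g = c; b = x; break;
    case 3:  g = x; b = c; break;
    case 4:  r = x; b = c; break;
    default: r = c; b = x; break;
    }
    double m = v - c;                        /* lift to match value */
    return (to_byte(r + m) << 16) | (to_byte(g + m) << 8) | to_byte(b + m);
}

/* The "angry rainbow": spin hue with saturation and value pinned at 100%. */
unsigned angry_rainbow(double t)   { return hsv_to_rgb(360.0 * t, 1.0, 1.0); }

/* Same sweep with saturation and value knocked down to 80%. */
unsigned toned_rainbow(double t)   { return hsv_to_rgb(360.0 * t, 0.8, 0.8); }

/* One fixed hue, brightness varies: a ramp that does not rely on hue
 * discrimination at all. */
unsigned brightness_ramp(double t, double hue) { return hsv_to_rgb(hue, 1.0, t); }

int main(void)
{
    printf("angry  toned  brightness(blue)\n");
    for (int i = 0; i <= 8; i++) {
        double t = i / 8.0;
        printf("#%06x #%06x #%06x\n",
               angry_rainbow(t), toned_rainbow(t), brightness_ramp(t, 240.0));
    }
    return 0;
}
```

Running it reproduces the stops the text names (`#ff0000`, `#00ff00`, `#0000ff`) at t = 0, 1/3 and 2/3 of the angry sweep, and shows how far from the eye-searing pure primaries the 80% version already sits.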
Angry Rainbow Dash by Uxyd
RSA Security (part of EMC) was one of America’s most respected security companies. Thanks to Edward Snowden, we now know the price of their reputation: $10 million. For that tiny sum RSA sold out their customers, deliberately installing a compromised random number generator in their core security library BSafe at NSA’s request. For $10M, a company’s reputation destroyed.
The nature of NSA’s sabotage is worth looking at in detail. We knew back in 2006 that Dual_EC_DRBG, a NIST standard crypto random number generator, was fishy. That algorithm has baked into it an arbitrary constant; two Microsoft researchers figured out that if an adversary had chosen that constant, then the numbers were predictable and any system built on it was insecure. Snowden’s leaks confirmed in Sep 2013 that this backdoor had been placed. And now in Dec 2013 we know the price: $10M. (Interestingly, one old-school cypherpunk knew the price back in September).
It’s worth noting that RSA’s complicity with NSA is not their only enormous security black eye. Back in 2010 their flagship SecurID two-factor login system was also widely compromised; it’s assumed to have been the Chinese government trying to get military and commercial access to US and European interests.
Open source ends up looking good in all this mess. NSA has probably attacked other random number implementations. There was a weird push from Intel to get Linux to completely trust their undocumented hardware generator, something resisted by the Linux team (thankfully). And OpenSSL, the open alternative to RSA’s library, doesn’t use the compromised algorithm (although their code has had its problems).
I remain indignant that NSA is willfully going around deliberately sabotaging the security of core Internet components. Even if you believe it’s good for NSA themselves to be able to break all encryption, it is so dangerous to have back doors like this hiding in systems. NSA is actively undermining everyone’s security.
YouTube Center is good software. It’s an unofficial browser extension to make YouTube work better. Works in most browsers; for Chrome you download the Opera .crx file and drag it into the Tools/Extensions page.
What does it fix? #1 thing is it lets you disable DASH playback, the nonsense YouTube implemented a couple of years ago. In theory DASH makes videos play faster and more efficiently; in practice it’s the crap that makes it impossible to pre-buffer a video or seek backwards while playing. YouTube Center also does a good job at resizing the video window to use more of the screen, so that a 720p video actually has a 720 row high window to play in. I also use it to prevent auto-play and to select the video resolution I prefer.
The main drawback is that there are too many configuration options, many of which you don’t need. Classic hackerware; the author lets you configure everything, so it’s up to the user to tune the few things they really need to set.
I’ve used a few “fix YouTube” extensions in the past that were flaky or broke when YouTube changed something. This one seems to be working for me. I don’t understand why Google’s let their video product get so crummy that it’s necessary to hack it like this.
Here’s something ugly, the whois response for pirate book site readanybooks.net. Below is an extract of the interesting parts that both MacOS and Debian’s whois display.
$ whois readanybooks.net
Domain Name: READANYBOOKS.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Name Server: RICK.NS.CLOUDFLARE.COM
Billing Contact:
Name : li xiaoing
Email : firstname.lastname@example.org
<script src= "http://img2.xinnet.com/d/js/acmsd/thea178.js"> </script>
Huh? What’s an HTML tag doing in this whois response? And under what circumstances might that script tag be executed? I can imagine a naïve Web interface just injecting that script wholesale into my browser. Every way I load the referenced script it seems benign (right now), but that’s an attack vector waiting to happen.
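The defensive side of the point above is that whois text is attacker-controlled input and must be treated that way before it reaches a browser. Here is an added C example (not code from the post or from any whois tool) with two helpers: `contains_markup` flags a record that carries something tag-shaped, and `html_escape` neutralises it so a web front end can embed the raw text inside a `<pre>` without the tag being interpreted. The sample record is constructed to mirror the shape of the response above; the domain and script URL in it are placeholders, not the real values.

```c
/* Added example: treating whois output as untrusted before rendering it.
 * SAMPLE is a constructed record with placeholder domain and URL. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

static const char SAMPLE[] =
    "Domain Name: EXAMPLE.NET\n"
    "Registrar: EXAMPLE REGISTRAR\n"
    "Billing Contact:\n"
    "Name : li xiaoing\n"
    "<script src= \"http://example.invalid/x.js\"> </script>\n";

/* Detection: a '<' followed by a letter, '/', '!' or '?' is the start of
 * something an HTML parser would treat as a tag or comment. Plain text in
 * a whois record has no business containing that. */
int contains_markup(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '<') {
            unsigned char n = (unsigned char)p[1];
            if (isalpha(n) || n == '/' || n == '!' || n == '?')
                return 1;
        }
    }
    return 0;
}

/* Mitigation: escape the five characters that matter in HTML text and
 * attribute contexts. Returns a malloc'd string the caller frees. The
 * longest replacement is 6 bytes, hence the capacity bound. */
char *html_escape(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 6 + 1);
    if (!out) return NULL;

    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(out + o, rep, n);
            o += n;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    if (contains_markup(SAMPLE))
        fprintf(stderr, "warning: whois record contains HTML-like markup\n");

    char *safe = html_escape(SAMPLE);
    if (!safe) return 1;
    /* What a web front end should emit: the tag survives only as text. */
    printf("<pre>%s</pre>\n", safe);
    free(safe);
    return 0;
}
```

The escaping is the part that actually protects users; the detection is there so an operator can log and look at records like this one, since a script tag in a registrant field is worth noticing even when the referenced script is benign today.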
The Elgato Game Capture HD is good hardware. For $150 it captures HDMI video and audio from a game console and writes it to your computer’s hard drive. I bought it because Grand Theft Auto V was so astonishingly beautiful I wanted to capture some of what I was seeing. There’s nothing particularly game-specific about the product; I think it’d work to record any unprotected video source.
The device is an HDMI passthrough. HDMI in, HDMI passed through (no delay), and the video is also compressed and sent via USB to a computer (with a few seconds of delay). The native output format is an MP4 container with H.264 video and AAC stereo audio. The capture software is remarkably good: simple capture controls and live streaming to sites like Twitch. There’s even an easy little editor for extracting excerpts and uploading to YouTube or whatever.
There are a few drawbacks. The device only accepts stereo audio input, so no surround sound is possible via HDMI. Also it has to be powered even to pass through video. Between those two hassles I don’t feel like I can leave my game console plugged into it all the time, so instead I’m swapping cables when I want to use it. Also it can’t quite do 1080p at 60fps, not a problem quite yet but soon to be one.
Still for $150 it’s a pretty capable video encoder. If you need a cheap way to capture HDMI, it’s worth a look.
Every time I travel I refresh my apps designed to be used when the iPhone is offline. These apps all cache data so I can use Wikipedia or a map without a WiFi or cellular connection. I started doing this because international roaming data was so expensive but the apps are now good enough that I think I will use them even when I’m home. Cached data = fast! Here’s the best of the lot, I believe all these apps are available both for iOS and Android.
ForeverMap 2: OpenStreetMap. Download a few hundred megabytes and have a map of a whole country in your pocket. Routing too! Map data quality varies based on OSM coverage (it’s great in US and most of Western Europe). The rendering and usability of the app is fantastic. They also have a turn based navigation program I haven’t tried. I’m amazed Apple hasn’t yet bought Skobbler to help fix their maps problem.
Wiki Offline: Wikipedia. Download 4GB of English Wikipedia once, read forever. The formatting is finally good enough that most articles come through unscathed. Only thing missing is the pictures. Being able to wikidive without waiting for network is terrific.
Triposo: travel guides. Triposo scrapes open data sources like Wikipedia, Wikitravel, OSM, and Flickr and then compiles it into a usable offline travel guide on your phone. It’s great for answering the question “what are the three things I should see in this town, and where should I have lunch?”.
Ascendo dictionaries. There are a zillion low-quality free translation dictionaries out there; this one seemed to have a decent German database and work well offline.
Another reason to end passwords as a method of authentication is the poor usability of strong passwords on mobile devices.
Sorry if this is stating the obvious, but the lack of usability of strong passwords on my iPhone and iPad is a big part of why I don’t log into sites on mobile devices.
Google has reduced itself to outright spamming users to promote its products. Here’s a screenshot of an email I got today about Google’s failing payments product, Google Wallet. Note the footer, the email is marked “You have received this mandatory email service announcement to update you about important changes to your Google Wallet account”. What are those important changes?
In summary: four ads for Google products, one ad for random other companies that happen to use Google Wallet, and zero important changes. I guess I should block email@example.com?
It’s cliché now to point out how disappointing Google, Inc. has become. But this seems bad even for the trend. All that’s missing is the “+1 on Google+” button.