OpenSSL’s New Vulnerability – Are Your SSL Keys Safe?

TL;DR XKCD

Researchers at Google and a private security firm, Codenomicon, have revealed a new vulnerability in the OpenSSL library used by Apache and nginx web servers. These technologies are so popular that this issue – dubbed the Heartbleed Bug – has potentially compromised up to 66% of web servers. The vulnerability had been gaping open for nearly two years by the time of the 1.0.1g release of OpenSSL. This has left many websites vulnerable, with no way of knowing whether their private keys were compromised during this window.

The Heartbleed bug is not a man-in-the-middle attack. It exploits OpenSSL’s handling of TLS’s heartbeat, which is an encrypted portion of the connection. The reason it leaves no traces is not that it can’t be detected, but that it’s just not logged by OpenSSL. Theoretically it could be logged, though there may be too many false positives, which would diminish any usefulness logging would have.

Attackers apparently also have control (or at least influence) over what 64KB of memory they can capture, and can keep requesting more memory with each heartbeat (so the 64KB limit isn’t that limiting).

“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.” – Codenomicon

Heartbeat can be disabled in OpenSSL, but only via a recompile – in which case you might as well apply the new patch anyways.
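The length check behind this bug, as an added example (not code from OpenSSL or from the sources below): a heartbeat message carries a 2-byte length for the payload to echo back, and a safe handler discards any message whose claimed length exceeds what actually arrived. The function names and sample records are constructed for illustration; the message layout follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520: at least 16 bytes of padding */

/* Bytes past the end of the record that an echo trusting the claimed
 * length would read; 0 means the claimed payload fits in the record. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;                      /* no length field to trust */
    size_t needed = HB_HEADER + (((size_t)rec[1] << 8) | rec[2]);
    return needed > rec_len ? needed - rec_len : 0;
}

/* Hardened echo: returns the response length, or 0 when the message is
 * silently discarded (wrong type, or claimed length exceeds the data). */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > rec_len || resp_len > out_cap)  /* the bounds check */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* only bytes that arrived */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);  /* demo: zeros, not random */
    return resp_len;
}

int main(void)
{
    /* Constructed samples: type, 2-byte length, payload, 16 padding bytes. */
    uint8_t ok[3 + 4 + 16] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t bad[3 + 16] = {HB_REQUEST, 0xFF, 0xFF};  /* claims 65535 bytes */
    uint8_t out[64];
    printf("ok:  overread=%zu response=%zu\n", hb_overread(ok, sizeof ok),
           hb_respond(ok, sizeof ok, out, sizeof out));
    printf("bad: overread=%zu response=%zu\n", hb_overread(bad, sizeof bad),
           hb_respond(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

The second sample shows where the 64KB figure comes from: the length field is 16 bits, so a 19-byte message can claim up to 65535 bytes of payload.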

Sources:

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Broken Digital Pocket Scale – Troubleshooting and Repair

This is an off-beat post, and has nothing to do with websites or the digital world for that matter. I’ll be going through the steps I used to fix a broken pocket scale that was gifted to me – I get a lot of “If you can fix it, it’s yours” gifts.

This 50.00g digital scale stopped working for an unknown reason, and the top suggestion for fixing these scales is a re-calibration. Unfortunately, this digital scale could not be calibrated – likely a result of the problems it was already having. After further inspection I realized the scale still accurately measured negative values. At this point, “if it’s broken and destined for the garbage, I might as well see how it works” was running through the back of my head.

Check the video out for a quick little tutorial and walkthrough of how I got my scale back in mostly working order. Step-by-step below.

  1. Remove the top plate of your scale to gain access to the mounting points of the weight surface.
  2. In my case there were two Phillips screws
  3. Flip the scale and remove the battery cover to reveal the second mount point
  4. Remove that pair of screws and set them aside as well
  5. Under where the weigh platform was, flip the sensor bar
  6. Re-attach all components

The kicker is, now when I lift the weighing platform, it shows me a proper positive number – reversing the fix brings the problems back. Does anyone with more knowledge of digital circuitry have an explanation for this rogue resistor?

The Resume Carpet Bomb

I have never understood carpet bombing applications. Why not go talk to managers and see what they want to hear before applying? I’ve always had much better success when I go out of my way to see the needs of a company and tailor my applications/resume to their needs.

Fortunately I haven’t had to do this since my teenage years.

Once you have enough industry work under your belt, and a few good connections – you can typically traverse an industry with a good word and strong portfolio.

Stop Youtube from Asking to Use Your Real Name

UPDATE: Unfortunately, this doesn’t quite work anymore.

So you’re sick and tired of Youtube’s popup asking, “Do you want to use your real name with your Youtube channel?” No? How about the part where you check ‘no’ and are greeted with, “Okay, we’ll ask you again later.”

Here’s my quick tip to keeping your Google account separate from your otherwise anonymous Youtube account.

For this you will need a modern browser like Chrome, Firefox, Safari, etc. (which you should have anyways… please?) and the Ad-Block Plus Extension. It’s simple as far as implementation and will only take a minute after you’ve installed the extension.

How To

Going into your Ad Block Plus settings by right-clicking on the icon will open a dialog.

Go to the custom filter list in the options panel and select, “Manually edit filters” and add the line: ||s.ytimg.com/yts/jsbin/www-linkgplusdialog*

Don’t forget to add the “||” as they act as a catch all for http://, https://, and www prefix, which saves you from making three or four rules for one blocking.

Bonus: Block Video Annotations

||youtube.com/annotations_invideo*
Adding the line above to your custom filters will hide annotations in all Youtube videos, even while logged out.

Subtle Patterns Plugin – Free

Look at all of those patterns!

Update: The link in my article still works. Subtle Patterns has changed its format to a paid plugin; individual patterns are still available. Due to the pay-to-play nature of the Photoshop plugin, they’ve removed links to the collection download.

I wanted to share a resource I’m completely infatuated with: Subtle Patterns. This website aggregates free to use subtle patterns, and shares user contributions to the rest of the community.

The best part of this website? They don’t make you jump through hoops to get their files! No sign-up, emails, or other crap no one really wants to deal with (why do you think my comments are registration free?). Even better, they have every pattern available for free, in a master pattern file. The default Photoshop patterns suck (pardon me), and loading up this free subtle patterns download really gives you a great choice of patterns to integrate into your design work.

I had a user email me with some questions on installing subtle patterns into Photoshop. It’s really simple, just follow these steps:

  1. Follow the link above and download the subtle-patterns SubtlePatterns.pat.zip file
  2. Open the archive (zip) and extract (drag/drop) the SubtlePatterns.pat file into your file system
    • Note: C:\Program Files\Adobe\Adobe Photoshop CSX\Presets\Patterns is ideal
  3. Open Photoshop and click ‘S’ to open your stamp tool
  4. Switch to the pattern stamp tool if Clone Stamp is active by holding your mouse button down on the Stamp tool icon
  5. Activate the pattern dropdown in the top ribbon, usually below the help menu
  6. In the top right corner of the window, there is a gear icon – clicky clicky
  7. Pressing load patterns will open one final dialog
  8. Locate your pattern files and load them through this dialog
  9. Enjoy the Subtle Patterns Plugin – Free Download

Backup link, in case the GitHub link goes down.

This About Sums up Data Providers Today

Amazing designs with household objects. [VIDEO]

Via: http://www.wimp.com/householddesign/

I just wanted to share this video with you guys. Design has so many mediums and this guy illustrated wonderfully how simple things can come together with the right type of planning. Note the type part, bad planning isn’t going to get you good results all too often. Cheers!

Untethered Jailbreak with “evasi0n – iOS 6.0-6.1.2 Jailbreak” on a Windows PC

Jailbreaking iPhones is nothing new; nearly any and all handheld Apple devices have had a crack of some sort available since 2007. Software-based cracks started popping up in 2008, with a lot of the early work being done by George Hotz.

We’ve come a long way since the early days, with the ability to jailbreak in under five minutes, as well as with a one click solution through your iOS device’s browser. Despite the ease of use, the more recent iterations of the iPhone have closed the security breach that allowed for websites like www.jailbreakme.com to work. For that reason, I’ll be using the evasi0n – iOS 6.0-6.1.2 Jailbreak to free an iPhone 4 16gb running OS 6.0.1 baseband 01.59.00*. The phone is carrier locked and the owner will be leaving for Europe shortly, and they need an internationally functioning phone.

Preparing to Jailbreak

There are a few requirements before you can begin unlocking an iOS device with the Evasion Jailbreak.

  1. You need a suitable machine to perform the jailbreak with, supported operating systems include: Windows, Linux, and Mac OS.
  2. iTunes needs to be installed on your computer of choice.
  3. Your iOS device needs to be updated to at least iOS 6.0
  4. You need to have downloaded the Jailbreak executable, available here.
  5. An extraction tool to get the files from the download, I suggest WinRAR by RARLAB.
  6. You should back up any device before you jailbreak, should something go wrong.

Jailbreaking Process

The actual jailbreak process is extremely straightforward. Only a few steps are required to successfully jailbreak your iOS device using the evasi0n jailbreak.

Requirements

Ensure you meet all of the requirements listed above. Install iTunes, backup your iOS device (iPhone 4 in this case), and download the jailbreak tool.

Extract

Extract the executable file by dragging and dropping it onto your desktop (or wherever is convenient) for later use.

Connect

Connect your iPhone or other Apple iOS device to your computer via USB/proprietary connector. Ensure your computer recognizes that your device is plugged in.

Run

jailbreaking-process-zachary-melo

From this point forward, we will not be touching iTunes or the iPhone until explicitly told to do so. Double click on the evasi0n icon that you’ve extracted and allow the program to run (if a dialog box appears). You will see the image above (less the bits about being jailbroken already), and if you read carefully – you’ll see that evasi0n is already scanning your phone’s software to see if it’s compatible. If everything is good, you can proceed with the one-click install of the jailbreak. Simply click on the button to the right and let the program do its thing.

In about five minutes you will be prompted to unlock and press a new icon on your Apple device. After doing so, the device will power cycle several times. At this time, you can boot up the Cydia app manager, which will again reboot your system. Cydia allows you to install third-party applications on your Apple device, so you are now free to download apps and tweaks not officially approved by Apple. This includes the tool we’ll be using to break our carrier SIM lock.

Carrier Sim Unlocking

UltraSn0w

Open Cydia and tap on the Search icon, and search for UltraSn0w – download and install this package. From here we will need to add an additional repository to our Cydia application. To do this we:

  1. Open Cydia’s home page by closing and opening the app
  2. Tap on the Manage icon found in the bottom bar
  3. Tap on the Sources button in the middle of the screen
  4. Tap on the Edit button found in the top right hand corner of your screen
  5. Click on the Add button that appears in the top left of the screen
  6. Type into the text box, “http://repo.iparelhos.com”
  7. Tap the Add Source button
  8. Once the operation completes, tap the Return to Cydia button found at the bottom of your screen (you may have to scroll)

Go back to your Cydia home screen and pull up the search function again by tapping the Search icon found in the bottom right corner of the screen. Search for Ultrasn0w Fixer for your OS version, and install this application. In my case, I’ll be using the Ultrasnow Fixer for 6.0.1.

That’s all, you should be unlocked and ready to go. If this doesn’t work, chances are your baseband version is too recent. If that’s the case, you’ll have to visit http://www.unlockboot.com/2012/10/jailbreak-ios-6-iphone-4-iphone-3gs.html for a tutorial on how to use RedSn0w.

Following RSS Feeds with Mozilla Thunderbird

So I know many people see the RSS feed logo on a daily basis and have no idea what it does, or why it exists. RSS stands for rich site summary, and does exactly what the name implies – provides a detailed summary of what is happening with a blog, news feed, or website in general. Most people use RSS because it can streamline a user’s daily news. Instead of visiting all of the blogs I enjoy to check for new content, or signing up for newsletters, I can have news and posts piped right into my RSS client. In this case I’ll be using Mozilla’s discontinued Thunderbird mail and feed client. I love the program as a free offline mail program, for its scheduling ability and feed following. Did I mention it was free? Get it here.

This is an RSS icon, you’ve undoubtedly seen it before.

  1. Start by launching Mozilla Thunderbird
  2. Press alt to bring up your menu bar
  3. Navigate to File > New > Other Accounts…
  4. Select “Blog & News Feeds”
  5. Next
  6. Name your feed, I choose names based on how it will help me sort the feeds
  7. Next and finish
  8. In your left bar you should now see your new account, click on it
  9. Center top of your screen, click on “manage subscriptions”
  10. Paste or type in your feed URL
  11. Finish by clicking add
  12. Browse your new feed by clicking on its name in the left panel
  13. Double click a post title in the center window to open it in Mozilla Thunderbird