There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
The fix is to update to a patched version of the Bash shell. To be safe, administrators should update Bash on every system they manage in any case.
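As an added example (not part of the original post), here is a small POSIX sh wrapper around the Shellshock self-test shown above. It turns the visible output into a machine-readable verdict and tries each bash binary found at the usual install paths, since a system often carries more than one bash (a distribution package plus one built from source). The function names, the candidate path list and the "run" argument are my own choices.

```shell
#!/bin/sh
# Added example, not the original post's code: wrap the env/bash self-test
# so its result can be checked from a script instead of read by eye.

# classify_output: given the combined stdout+stderr of the test command,
# print "vulnerable" if the injected "echo vulnerable" was executed,
# otherwise "patched" (a patched bash prints warnings instead).
classify_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# run_check: run the same test the post gives against one bash binary
# (default: the first "bash" on PATH) and print the verdict.
run_check() {
    bash_bin="${1:-bash}"
    # "|| true" keeps a missing binary from aborting a "set -e" caller;
    # a missing bash produces no "vulnerable" line, so it reads as patched.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1) || true
    classify_output "$out"
}

# check_all: test every candidate bash path that exists (plus any extra
# paths passed as arguments). Returns 0 if all are patched, 1 if any is
# vulnerable. The path list is an assumption; extend it for your hosts.
check_all() {
    status=0
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash "$@"; do
        [ -x "$b" ] || continue
        verdict=$(run_check "$b")
        echo "$b: $verdict"
        [ "$verdict" = vulnerable ] && status=1
    done
    return "$status"
}

# Run the full sweep only when invoked as: sh shellshock-check.sh run
case "${1:-}" in
    run) check_all ;;
esac
```

The exit status of `check_all` makes the script usable from a configuration-management run or a cron job: a non-zero exit means at least one bash on the host still imports functions from arbitrary environment variables and needs the update.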
has released a stunning data visualization map of internet attacks. It shows a fraction of the scope of the constant threats affecting countries today. You can see penetration attempts in real time against services like HTTP (web servers) and SMTP (email servers), and more.
This bookmarklet is useful for viewing page source in Safari on Apple’s iPad. There is no built-in menu item to do this in iOS, unlike in every desktop browser. Oh why, Apple, do you drift ever further from user-centric software development?
A fine solution is to create a bookmarklet, which is a piece of JavaScript saved as a bookmark. When you want to see the source of a web page, just click the bookmark and the source of the page is displayed. I was inspired by this bookmarklet by Rob Flaherty, but it has a few shortcomings. To improve upon the bookmarklet concept, I created my own version with a few more bells and whistles:
On April 8 I was notified by WiredTree, our hosting company, that their servers had been patched against a newly discovered (and serious) flaw in the SSL encryption technology which underpins secure browsing over https.
It is called the Heartbleed bug.
Our servers were not affected, as they ran CentOS 5 and did not use LiteSpeed. Other sites which did use LiteSpeed were affected.
An article on Thursday explains how the bug crept into the open source software.
Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic protocol that has affected two-thirds of the entire Internet’s communications, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old Münster, Germany-based programmer.
That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.
Friend and colleague Bob Manley let me know about FOAP, a web service that is building a market for photographers to sell their local, real-live photos to companies looking for stock photography.
The idea seems interesting: take a photo, achieve a minimum score of community votes, and then it’s eligible for sale in the marketplace. You get $5 out of the $10 selling price.
Target’s had a big red target leveled at its data systems recently; the intrusion and theft of information on over 100 million consumer credit and debit cards is almost the largest in history.
Its website features a notice to consumers; but strangely, 2 seconds after the home page loads, an ad overlay obscures the warning text and link.
Purposeful or by accident, it’s a big oops on top of the disaster.
See the site 1 second after load:
The Target website shows theft message at page load
And 2 seconds later:
Target homepage after 2 seconds; the warning is covered over
Intentional or by accident?
Does the law require companies to disclose breaches? As an aside, most states do not require companies to disclose successful network breaches to their customers. A law firm has published a useful chart to track state-by-state requirements.
Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements. Lawyers, compliance professionals, and business owners have told us that the chart has been helpful when preparing for and responding to data breaches.
Apple has always decided what it thinks is the best experience for its Mac users, even against conventional wisdom or established, known user preference. This has been frustrating for power users through the years, from lack of two button mice to the latest reductionist “flat design” trend in iOS7.
The latest “we know better” feature is automatic document saving (with no warning) in its home-grown applications, like Preview, TextEdit or the iWork apps. I don’t want to recall how many original photos have been destroyed after a session of quick exposure experimentation.
Good news: you can completely disable the auto-saving via this terminal command:
defaults write com.apple.Preview ApplePersistence -bool no
Read the new Ars Technica review of Google’s $179 Moto G — it outshines any other low-cost Android phone. It is an unlocked, off-contract phone perfect for teens or non-power users.