Technological Land Mines

Michael Fromberger July 31st, 2009    

Jeff posted about the SSL vulnerability described at Black Hat this year. And he’s right: It is scary.

But rather than calling this an SSL bug, even though it sort of is, I would call it another new application of the same persistent and recurring security problem that exists in most low-level libraries and applications, due to their reliance on the C language and its standard library. Inside the certificate the name is an ASN.1 string, a length followed by that many bytes, so a NUL in the middle is a perfectly legal byte; the trouble starts when the verifying code copies that name into a C string and compares it with strcmp(), which stops at the first NUL. The assumption that anything string-like can be treated as a zero-terminated array of characters is pervasive not just because it’s simple, but because C is more or less the only language environment that is universally supported on every platform, from 8-bit microcontrollers up to highly concurrent multiprocessor systems, and it supports only three basic data types (four, if you squint).

This bug, like most of the other important security threats of the past thirty years, boils down to that: lacking a strong and expressive type system, C not only permits but encourages its programmers to sacrifice correctness, safety, robustness, testability, and maintainability in favor of some highly underdeveloped and ill-measured ideas about “performance”. Much of the infrastructure of the Internet is built out of this garbage. Robert T. Morris, Jr.’s 1988 Internet worm, which got in partly through a gets() buffer overflow in fingerd (and a sendmail debug hole), was only the first in a long series of large-scale exploits, yet even today the same practices that made that worm possible are being deployed in new software.

It is absolutely possible to write correct, safe, robust, testable, maintainable, and high-performance code in C. But to do so requires an enormous amount of discipline and attention to detail on the part of programmers, and most of us (myself included) simply do not have the discipline, the knowledge, or the attention to detail that it requires. As a result, most of the C code you encounter in the wild is unmentionable dreck. The fact that it compiles at all is more a testament to the inhuman patience of compiler writers than to its status as working or worthwhile code. And, to paraphrase an old saying, anybody who considers C for high-level application development at this point in history is in a grievous state of sin.

In a sense, C is a kind of technological land mine: Easy to deploy, very powerful, and highly effective for solving certain kinds of problems. However, once it’s buried in the ground underneath your project, it can be very dangerous to those who walk in your footsteps. There’s a good reason the United Nations has a convention banning land mines; perhaps it’s time software developers considered a similar approach.

Major SSL Vulnerability

Jeff Mancuso July 30th, 2009    

I’m kind of shocked there isn’t more news on this Major SSL vulnerability:

Certificates for authenticating SSL communications are obtained through Certificate Authorities (CAs) such as VeriSign and Thawte and are used to initiate a secure channel of communication between the user’s browser and a website. When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL.

The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com.

Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker’s certificate, they stop reading any characters that follow the “\0” in the name.

This is rather scary and has big ramifications for the security of most websites. There is now no easy way for an average user to feel confident they are actually securely communicating with the service they intend to.

SSL is important for two primary reasons. First and foremost, it provides a secure channel for communication. But secondly, it makes a pretty reasonable guarantee that you’re securely communicating with the server that is listed in your browser’s address bar. With this vulnerability, it’s possible, although still difficult, for somebody to masquerade as the server in your address bar and allow you to securely communicate with them. Yikes.
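As an added example (not code from either post, and not code from any browser): the two hostname checks that Fromberger’s post above and the article quoted here are arguing about, side by side in C. The certificate name is modelled as an ASN.1-style length-plus-bytes string; the test name paypal.com\0.badguy.com and the function names are constructed for this page. The vulnerable check copies the name into a NUL-terminated buffer and calls strcmp(), which stops at the embedded NUL; the hardened check compares the full declared length and rejects any name that contains a NUL at all.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not browser or blog code. An ASN.1 string as it comes
 * out of a certificate: a length plus that many bytes, no terminator.
 * The length is the only thing that says where the name ends. */
typedef struct {
    const unsigned char *data;
    size_t len;
} asn1_string;

/* Constructed test vectors. The first is the CA-issued name from the
 * article, "paypal.com\0.badguy.com" (22 bytes). It is written as an
 * array initialiser so the embedded NUL survives; sizeof minus the
 * array's own trailing NUL gives the real length. */
static const unsigned char kEvilCN[] = "paypal.com\0.badguy.com";
static const asn1_string EVIL_CN = { kEvilCN, sizeof(kEvilCN) - 1 };   /* 22 bytes */

static const unsigned char kGoodCN[] = "paypal.com";
static const asn1_string GOOD_CN = { kGoodCN, sizeof(kGoodCN) - 1 };   /* 10 bytes */

/* Vulnerable check: turn the name into a C string and strcmp() it.
 * Everything after the embedded NUL is silently discarded, so the
 * 22-byte attacker name compares equal to "paypal.com". */
bool hostname_matches_vulnerable(const asn1_string *cn, const char *host) {
    char buf[256];
    if (cn->len >= sizeof buf) return false;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened check: a hostname can never legitimately contain a NUL, so
 * refuse any that does, then compare the full declared length with
 * memcmp() rather than trusting a terminator. (Real matchers also need
 * case-insensitive and wildcard handling; omitted here.) */
bool hostname_matches_fixed(const asn1_string *cn, const char *host) {
    if (memchr(cn->data, '\0', cn->len) != NULL) return false;
    size_t hlen = strlen(host);
    if (cn->len != hlen) return false;
    return memcmp(cn->data, host, hlen) == 0;
}

int main(void) {
    printf("vulnerable, attacker cert: %s\n",
           hostname_matches_vulnerable(&EVIL_CN, "paypal.com") ? "MATCH (spoofed)" : "no match");
    printf("fixed, attacker cert:      %s\n",
           hostname_matches_fixed(&EVIL_CN, "paypal.com") ? "MATCH" : "no match (rejected)");
    printf("fixed, genuine cert:       %s\n",
           hostname_matches_fixed(&GOOD_CN, "paypal.com") ? "MATCH" : "no match");
    return 0;
}
```

The same discipline applies to every string pulled out of a certificate, not just the common name: carry the ASN.1 length with the bytes all the way to the comparison, and treat a NUL inside a name as a reason to reject the certificate rather than something to work around.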

Why GV Mobile and Google Voice are important to our business

Jeff Mancuso July 28th, 2009    

For many people two numbers is a reality. And while some people might be okay with one number which serves both for work and personal – I am not. Up until Google Voice, this basically meant two handsets. Two handsets suck unless you’re one of those goofballs toting around a man-purse. Even then it sucks.

Google Voice on the iPhone, with an application that lets you dial – like GV Mobile by Sean Kovaks, lets you accomplish the impossible: you can stop carrying both a personal cell phone and a work cell phone. It’s now possible to have one GSM phone with two numbers, two voice mailboxes and the ability to dial out or text from either number.

About 8 months ago I transitioned my business number over to a Google Voice account. Google Voice includes an important feature which lets you choose whether the caller ID sent to your handset is your Google Voice number or the caller’s.

Google Voice Settings

Now all incoming calls on the Google Voice account ring as “ExpanDrive – mobile” on my iPhone.

This allows me to filter calls based on availability – but perhaps more importantly, answer with the appropriate greeting. It’s lame to always answer with a business greeting for any unknown number – and you can’t just answer a work number with “Hello?” Additionally, Google Voice gives you the luxury of two voice mailboxes. When you don’t pick up, calls that came in on your Google Voice number go to your Google Voice inbox – and your personal to your AT&T inbox.

What really makes this a feasible solution for fulltime use is a dialing application. Without the ability to dial out on either number, you always dial from your personal number. You can receive calls on your business number, but you can’t make them. Customers or partners with whom you’re trying to develop a relationship will always have your personal number. That is a recipe for disaster.

GV Mobile lets you dial from your Google Voice number directly from your handset. If you’re not familiar – it goes like this. You open GV Mobile and thumb through your contacts or enter a number – hit call. GV Mobile initiates a Google Voice call – which rings your handset – you pick up. As you pick up it dials the other party, showing them your Google Voice number on their caller ID. It is awesome.

As you might imagine, I’m fairly dismayed that Apple is pulling all Google Voice apps out of the app store. While I am sure that somebody, if not Google, will create a web-based dialer that serves the same purpose, it is quite unsettling that Apple is pulling all of these apps off the market – because they mean a lot to guys like me.

Awesome MediaWiki Bug

Cosmo Catalano July 23rd, 2009    

Poor, lonely <font>. You were irritating to use, and so you were kicked out of the treehouse in favor of stylesheets by HTML 4.01. But cheer up <font>; you can still be extremely annoying! Just try a Wikipedia vanity search, with a few of your pedantic modifiers thrown in for good measure—let’s use <font face=cursive size=50>:

Not only that, <font>, but your old and even more annoying buddy <table> is back in the game, too. And when you two team up, there’s almost no limit to the amount of carnage you can create.

This works across browsers, though there are obvious differences in how they render the horribly mangled code these queries will produce. It’s the best lesson in input sanitization (or, more precisely, output escaping: the search term is echoed back into the results page with its HTML intact) since Little Bobby Tables.

If you’re good, you can theoretically perpetrate some serious mayhem with this bug—and considering how widely MediaWiki is used around the web, that could be a real problem.

In reality, though, the trickery is probably limited by the ability of your dirty, dirty inputs to generate search results; without those, it looks like most of your code modifications get cancelled.

That having been said, I endorse using this exploit only for your own personal amusement, not serious destruction. You have been warned.
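To make the lesson concrete, here is an added example (not MediaWiki’s code, and not from the post) of what separates the behaviour above from the safe one: a search term echoed into a results page raw versus escaped. The “Search results for:” wrapper, the function names, and the sample query are constructed for this example; MediaWiki’s real template looks nothing like this.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example, not MediaWiki code. Escape the five characters that can
 * change HTML structure or break out of an attribute. Returns a
 * malloc()ed string that the caller frees. */
char *html_escape(const char *s) {
    size_t n = strlen(s);
    char *out = malloc(n * 6 + 1);           /* worst case: every char -> "&quot;" */
    if (out == NULL) return NULL;
    char *p = out;
    for (const char *c = s; *c; c++) {
        const char *rep;
        switch (*c) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = NULL;     break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(p, rep, l); p += l; }
        else     { *p++ = *c; }
    }
    *p = '\0';
    return out;
}

/* Build the constructed "Search results for: ..." line. escape == 0
 * reproduces the vulnerable behaviour (query pasted in as-is);
 * escape == 1 is the fix. Caller frees the result. */
char *render_results_header(const char *query, int escape) {
    const char *body = query;
    char *escaped = NULL;
    if (escape) {
        escaped = html_escape(query);
        if (escaped == NULL) return NULL;
        body = escaped;
    }
    const char *prefix = "<p>Search results for: ";
    const char *suffix = "</p>";
    char *out = malloc(strlen(prefix) + strlen(body) + strlen(suffix) + 1);
    if (out) { strcpy(out, prefix); strcat(out, body); strcat(out, suffix); }
    free(escaped);
    return out;
}

/* Small helpers so a caller can check results without managing memory. */
int escapes_to(const char *in, const char *expected) {
    char *e = html_escape(in);
    int ok = e != NULL && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

int renders_to(const char *query, int escape, const char *expected) {
    char *r = render_results_header(query, escape);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void) {
    const char *q = "<font face=cursive size=50>hi jeff";   /* constructed query */
    char *raw = render_results_header(q, 0);
    char *safe = render_results_header(q, 1);
    printf("raw:  %s\nsafe: %s\n", raw, safe);             /* raw one renders the tag */
    free(raw);
    free(safe);
    return 0;
}
```

The point is where the escaping happens: at the moment the untrusted string is written into HTML, not when it is read from the query. Rejecting or stripping tags on input is what the post calls sanitization, and it tends to miss cases; encoding on output lets the search still run on whatever the user typed while guaranteeing the browser sees it as text.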

Beating Sound and Keyboard Bugs in the New MacBook Pro

Cosmo Catalano July 20th, 2009    

I got a new (June 2009) MacBook Pro recently. It performs reasonably well, but I ran into two beefs that a lot of people seem to be having:

  • the built-in audio stopped working after I installed the EFI firmware update.
  • there’s no friggin’ Enter key (instead, a second Option key has been added).


Because the MacBook Pro ships with an unconscionably small 160GB hard drive, I wanted to pull the replacement 500GB HD directly out of my old MacBook and use that. I figured this would surely result in some disastrous driver issue, but Jon Shea insisted that everything would be fine.

Yet, immediately after installing the Bluetooth and firmware updates, the only sound I could get out of my computer was the startup chime. Checking the Sound preference pane, I found that the built-in output had disappeared.

Built-in sound input was similarly absent.

This isn’t the jammed optical connector that plagued the previous edition of MacBooks, and it seems to be happening to quite a few people. The standard solution is to archive and install from the restore disks, but that takes a long time, and restore disks aren’t something you’re likely to have access to on the road.

My short-term solution? Plug in a USB amp or microphone. Yes, it costs you a USB port, but if you’ve got one around, it works immediately. What’s really crazy is that the USB amp I used when this problem came up was from a PowerMac G4 Cube. Why the MBP recognizes a decade-old, one-off part with no hassle at all, but not the hardware architecture its software is custom-tailored to support, is beyond me.

Then there’s the second option key. Don’t ask me why on earth Apple thinks I need a second option key when I barely use the first—probably Steve Jobs loves keyboard symmetry as much as he hates buttons. Anyway, I think Enter is awesome because it doesn’t carry the burden of an old typewriter carriage return, and my 1st gen white MacBook had one—but now it’s been replaced.

So if you want to submit a form, send an IM, record a transaction in Quicken, or any number of things that you don’t want to muck up with accidental line breaks, you’ll need to do some key remapping. There are plenty of options out there, but I’ve had the best luck with KeyRemap4MacBook. While other options like Ukulele offer easier access to special characters and custom key layouts, KeyRemap is perfect for altering the various function keys—just a simple System Preferences pane, plus cool support for hackbooks and no-BS text editors like Emacs and Vi.

ExpanDrive v2.0.2 [beta] for Snow Leopard

Jeff Mancuso July 6th, 2009    

ExpanDrive v2.0.3 will add support for Snow Leopard, but until then we are offering a modified ExpanDrive v2.0.2 for those who have started to run Snow Leopard full time. Please consider this beta software and note that it has not yet been heavily tested. You can download it here.

Stalin’s secret weapon

Jeff Mancuso July 2nd, 2009    

The first line of text translates to “Stalin’s secret weapon.”

http://toyster.ru/forum/showthread.php?t=1277

Kind of incredible.

2009 Tour Divide Race

Jon Shea July 2nd, 2009    

Tour Divide Map

The Tour Divide is a mountain bike race along the continental divide from Banff, Alberta to Antelope Wells, New Mexico (on the border with Mexico). It’s “self-supported”, which means that you can’t pre-arrange any outside help, though you can buy food and bike parts as you go. And it’s “one-stage”, meaning there’s no rest off-the-clock (unlike that wimpy Tour de France bike race).

This year’s winner, Matthew Lee, finished the 2,745 mile course in under 18 days. It rained on 16 of those days. There’s a great interview up on Outside’s blog. Here’s my favorite snippet:

There are certain elements you have to try not to think too much on: comfort, eating well, sleeping well, safety. All those cares are cast with the winds. You establish a new, temporary regime on day 1 and just stick with it religiously. When the alarm on your wrist watch beeps at 4:40am, you don’t roll over. Not even once. You sit up, rip the sleeping bag off and suddenly you’re freezing! The only solution is to get dressed. Then the only way out is to saddle up and ride. This forced routine is the key to success. If you get up and go, the biking takes care of itself. After about an hour you start to feel okay. The soreness is masked, the beauty unfolds before your eyes, perhaps a bear gives you a shot of adrenalin.

Michael Bay eating a bowl of cereal

Jeff Mancuso July 2nd, 2009    

“For filmmaker Michael Bay slow motion and badassery are part of a complete breakfast.”

Climbing Equipment Testing

Jon Shea July 1st, 2009    

I got to pull apart some bolts with an Instron strain tester in college, but this looks way more fun. Here’s video two and three.
