George V. Reilly

Old Presentations

I uploaded some pre­sen­ta­tions to Speak­erDeck.com tonight.

Here are various pre­sen­ta­tions of mine at Speak­erDeck.com and SlideShare.net:

USB Charge-Only Cables and Condoms

Thanks to Tom Limoncelli, I became acutely aware of USB charge-only cables and condoms. If you plug your phone into an unknown computer to charge the battery, you run the risk of having your phone hijacked by malware. USB transfers data as well as elec­tric­i­ty and you're es­sen­tial­ly giving the computer un­re­strict­ed access to your phone.

Certain USB cables are charge-only and will not pass data. There are also “USB condoms”, which are inserted between the cable and the computer. They not only block data, but they can po­ten­tial­ly charge the battery faster, as they can switch the device into a fast-charging mode. I've ordered a pair from Amazon, as we're continue.

HTTPS for GitHub Pages Custom Domain: Not Yet

This website, http://www.georgevreil­ly.com/, is hosted at GitHub Pages. It's actually https://georgevreil­ly.github.io/ but I've configured the former as the “custom domain”, so the latter is un­con­di­tion­al­ly redirected to the custom domain.

GitHub Pages gives me free, fast hosting and an easy pub­li­ca­tion model: I commit the latest changes to my master branch, I push the branch to GitHub, and seconds later, my site is updated. I'm using Acrylamid to generate the content from re­Struc­tured­Text source on the blog branch and ghp-import to commit the HTML to the master branch.

GitHub Pages supports HTTPS as of June 2016, but not for custom domains. There are some hacks but I don't feel like using them. I'm continue.

Homograph Attacks

During an internal training exercise today, as a sort of one-man Chaos Monkey, I de­lib­er­ate­ly broke a test system by changing a config setting to read:

itemfinder.url = http://test-іtemfinder.example.com/

The correct value should have been:

itemfinder.url = http://test-itemfinder.example.com/

What's that, you say? There's no difference, you say?

There is a difference, but it's subtle. The first i in the URL is 'CYRILLIC SMALL LETTER BYELORUSS­IAN-UKRAINIAN I' (U+0456), not 'LATIN SMALL LETTER I' (U+0069). Depending upon the font, the two is may be visually in­dis­tin­guish­able, very similar looking, or the Cyrillic i may not render.

This is an example of an In­ter­na­tion­al Domain Name Homograph Attack. There are Greek letters and Cyrillic letters that look continue.

Keybase

I was sent an invite to Keybase a few weeks, which I accepted tonight.

Keybase Wants To Make Serious Encryption Accessible To Mere Mortals explains:

From a cryp­to­graph­ic standpoint, PGP is rock solid. In practice, using it is very messy. Its complexity has deterred the vast majority of people who might otherwise benefit from using encryption.

The first problem is es­tab­lish­ing a valid identity, especially with other people located oceans away. The second is dis­trib­ut­ing public keys without nefarious types posting al­ter­na­tive keys that appear to be registered to the same person. ... The third issue is getting people to install and use PGP software.

I can now be reached via https://keybase.io/georgevreil­ly. I've proved my continue.

LastPass and Diceware

My LastPass browser plugin just upgraded itself to v4.0. For several years, I've been using LastPass to manage all of my passwords. I have literally hundreds of passwords. I can't even remember half the sites, much less the usernames. With LastPass, I can maintain a strong, distinct password for each site, which is robustly encrypted and backed up in the cloud, and I get good browser in­te­gra­tion and adequate Android in­te­gra­tion. We also use LastPass at work for our individual use and to share cre­den­tials.

There are still a handful of passwords that I have to remember and type, including the master password for my LastPass account, laptop passwords, and GPG passphras­es.

I've continue.

Security 101 for Developers

The Cozi Tech Blog needed some love, so I wrote a post a couple of weeks ago on Security 101 for Developers.

Odds and Ends #4

Mis­cel­la­neous links.

Odds and Ends #1

Herewith several articles that I've read lately for which I'm not going to write individual posts.

Printf %n

In my post about Printf Tricks a couple of years ago, I mentioned that "%n is dangerous and disabled by default in Visual Studio 2005."

I got email today from someone who was porting a large codebase to VS 2005. He was getting an assert from %n and he needed a way to get past it. He intends to fix the uses of %n when he has a chance.

I spent several minutes digging around in MSDN and came up with set_print­f_­coun­t_out­put. Wikipedi­a's Format string attack page led me to Exploiting Format String Vul­ner­a­bil­i­ties, which describes in detail how %n (and %s) may be exploited.

In short, if you continue.

Previous »