I uploaded some presentations to SpeakerDeck.com tonight.
Here are various presentations of mine at SpeakerDeck.com and SlideShare.net:
Thanks to Tom Limoncelli, I became acutely aware of USB charge-only cables and condoms.
If you plug your phone into an unknown computer to charge the battery,
you run the risk of having your phone hijacked by malware.
USB transfers data as well as electricity
and you're essentially giving the computer unrestricted access to your phone.
Certain USB cables are charge-only and will not pass data.
There are also “USB condoms”,
which are inserted between the cable and the computer.
They not only block data, but they can potentially charge the battery faster,
as they can switch the device into a fast-charging mode.
I've ordered a pair from Amazon,
as we're …continue.
This website, http://www.georgevreilly.com/, is hosted at GitHub Pages.
It's actually https://georgevreilly.github.io/
but I've configured the former as the “custom domain”,
so the latter is unconditionally redirected to the custom domain.
GitHub Pages gives me free, fast hosting and an easy publication model:
I commit the latest changes to my master branch,
I push the branch to GitHub,
and seconds later, my site is updated.
I'm using Acrylamid to generate the content from reStructuredText source
on the blog branch
and ghp-import to commit the HTML to the master branch.
GitHub Pages supports HTTPS as of June 2016, but not for custom domains.
There are some hacks but I don't feel like using them.
During an internal training exercise today,
as a sort of one-man Chaos Monkey,
I deliberately broke a test system by changing a config setting to read:
itemfinder.url = http://test-іtemfinder.example.com/
The correct value should have been:
itemfinder.url = http://test-itemfinder.example.com/
What's that, you say? There's no difference, you say?
There is a difference, but it's subtle.
The first i in the URL is
'CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I' (U+0456),
not 'LATIN SMALL LETTER I' (U+0069).
Depending upon the font, the two i's may be visually indistinguishable,
very similar looking, or the Cyrillic i may not render at all.
This is an example of an Internationalized Domain Name (IDN) homograph attack.
There are Greek letters and Cyrillic letters that look …continue.
I was sent an invite to Keybase a few weeks ago, which I accepted tonight.
Keybase Wants To Make Serious Encryption Accessible To Mere Mortals
From a cryptographic standpoint, PGP is rock solid.
In practice, using it is very messy.
Its complexity has deterred the vast majority of people
who might otherwise benefit from using encryption.
The first problem is establishing a valid identity,
especially with other people located oceans away.
The second is distributing public keys
without nefarious types posting alternative keys
that appear to be registered to the same person.
The third issue is getting people to install and use PGP software.
I can now be reached via https://keybase.io/georgevreilly.
I've proved my …continue.
My LastPass browser plugin just upgraded itself to v4.0.
For several years, I've been using LastPass to manage all of my passwords.
I have literally hundreds of passwords.
I can't even remember half the sites, much less the usernames.
With LastPass, I can maintain a strong, distinct password for each site,
which is robustly encrypted and backed up in the cloud,
and I get good browser integration and adequate Android integration.
We also use LastPass at work for our individual use
and to share credentials.
There are still a handful of passwords that I have to remember and type,
including the master password for my LastPass account,
and GPG passphrases.
The Cozi Tech Blog needed some love,
so I wrote a post a couple of weeks ago on
Security 101 for Developers.
- Male fruit flies, when drunk, become much more likely
to court other male fruit flies.
Or, Oh God, I was so drunk ...
- Health insurance companies are making out like bandits in Washington
Herewith several articles that I've read lately
for which I'm not going to write individual posts.
Bruce Schneier has railed for years against security theater,
ostensible security measures that have little real effect,
but are performed to be seen as doing something
— airline security being the most wretched example.
Patrick Smith wrote a good piece on
airport security follies at the NYT airline blog.
We should all be protesting loudly at this nonsense,
but no one does because of the fear of ending up on a no-fly list.
Also in the NYT, Harold McGee wrote a particularly interesting
article on the hidden ingredient in cooking, heat.
That’s the basic challenge:
We’re often aiming …continue.
In my post about Printf Tricks a couple of years ago,
I mentioned that "%n is dangerous and disabled by default in Visual Studio 2005."
I got email today from someone who was porting a large codebase to VS 2005.
He was getting an assert from %n and he needed a way to get past it.
He intends to fix the uses of %n when he has a chance.
I spent several minutes digging around in MSDN and came up with
set_printf_count_output. Wikipedia's Format string attack page
led me to Exploiting Format String Vulnerabilities, which
describes in detail how %n (and %s) may be exploited.
In short, if you …continue.