Password Change, Why?


The Heartbleed OpenSSL bug is currently the main computer topic in mainstream media. And they all offer the same idiotic advice: change the password. I am not saying that the "change the password" mantra is useless. No, it is bloody dangerous.

Let's see what the bug does first: it simply allows an attacker to read a (semi)random block of up to 64 KB of the server's memory that it should not see. And it allows the attacker to repeat that request until it has all the data it wants. If the leaked blocks contain a session cookie, somebody can impersonate you. If they contain a user name and password, the attacker just hit the jackpot. If they contain the server's private SSL key, the attacker is in heaven.

Based on that fact, a password change seems reasonable. But think again. Practically the only way OpenSSL might have your password in its memory is if you sent it to the server in the first place. When was the last time you actually sent your password to e.g. GMail? The answer is: a long time ago. The only piece of data the server holds for you is the session cookie that keeps you logged in. And you can invalidate that one with a simple logout (provided the site actually invalidates the session on its side rather than merely deleting the cookie from your browser). But that is not the dangerous part.

If you change your password on a server that is still compromised (i.e. not yet patched), you are putting it into OpenSSL's memory at that exact moment. In essence, you are handing your newly created password directly to the attacker. And, since the password is freshly changed, you probably won't change it again for a while. It is WORSE than doing nothing.

For a safety-first approach, log out of any important service you are using. That way you prevent somebody from using your login cookie. Then go and CHECK whether the site is still compromised. Once you know the host is no longer vulnerable (patched, and ideally with a reissued certificate, because a private key that leaked before the patch stays leaked after it), log in again. And ONLY THEN think about changing the password.

If the host is still compromised, do not log onto it. I don't care what service it offers. Either it is important (e.g. a bank website) and you cannot afford the risk, or it is not important and not worth the risk.
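The "check whether the site is fixed" step above can be scripted. The following is an added example, not code from the original post. It assumes two things: that the affected OpenSSL builds are 1.0.1 through 1.0.1f (fixed in 1.0.1g, released on the disclosure date, 2014-04-07), and that a site which rotated its private key after the patch will present a certificate whose notBefore date is after that day. The regex heuristic and the DISCLOSURE_EPOCH constant are this example's own, and the version check is deliberately conservative: distributions backport the fix without bumping the version letter, so "vulnerable" here means "go read the package changelog", not "confirmed".

```python
"""Post-Heartbleed checks: is an OpenSSL build in the affected range, and did a
host rotate its certificate after the disclosure?  Added example, not from the
original post; the date and version range are assumptions stated in the text."""
import calendar
import re
import socket
import ssl

# Heartbleed disclosure / OpenSSL 1.0.1g release day, as a UTC epoch value (assumption).
DISCLOSURE_EPOCH = calendar.timegm((2014, 4, 7, 0, 0, 0, 0, 0, 0))

# Matches "1.0.1" followed by an optional patch letter, e.g. "1.0.1e" or "1.0.1e-fips".
_OPENSSL_101 = re.compile(r"\b1\.0\.1([a-z]*)")


def openssl_version_vulnerable(version_line: str) -> bool:
    """Judge `openssl version` output (e.g. 'OpenSSL 1.0.1e 11 Feb 2013').

    Only the 1.0.1 branch and 1.0.2-beta1 are in the affected range; 0.9.8 and
    1.0.0 never shipped the heartbeat code.  Backported distro fixes keep the
    old letter, so True means "verify the package changelog", not "confirmed".
    """
    if "1.0.2-beta1" in version_line:
        return True
    m = _OPENSSL_101.search(version_line)
    if not m:
        return False  # not a 1.0.1 build at all
    letter = m.group(1)
    # Plain "1.0.1" and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed.
    return letter == "" or letter <= "f"


def cert_reissued_after_disclosure(not_before: str) -> bool:
    """`not_before` is in the format ssl.getpeercert() returns, e.g.
    'Apr  8 12:00:00 2014 GMT'.  True if the certificate was issued after the
    disclosure, i.e. the operator plausibly rotated the leaked key."""
    return ssl.cert_time_to_seconds(not_before) >= DISCLOSURE_EPOCH


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the live certificate of host:port and report whether it post-dates
    the disclosure.  Network call; the chain must validate against system roots,
    otherwise the handshake (and this function) raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_before = cert["notBefore"]
    return {
        "host": host,
        "not_before": not_before,
        "reissued_after_disclosure": cert_reissued_after_disclosure(not_before),
    }


if __name__ == "__main__":
    # Constructed sample inputs; the real check would feed in `openssl version`
    # output from the server and check_host("example.com") for a live site.
    for line in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(line, "->", "vulnerable range" if openssl_version_vulnerable(line) else "fixed")
    print("Apr  8 12:00:00 2014 GMT ->", cert_reissued_after_disclosure("Apr  8 12:00:00 2014 GMT"))
```

A certificate reissued after the disclosure is a hint, not proof: the old certificate also has to be revoked, and a site can be patched while still presenting a certificate for a key that leaked. Treat both functions as a first filter before trusting a site with a fresh password.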


PS: To summarize: I am not against changing the password; it is probably a wise move since this bug has been out there for the last two years. I am just against doing it irresponsibly, without first checking whether the site has been fixed.

PPS: Since you are changing passwords anyway, be smart and use a different password for each site.

PPPS: It seems like a good time to turn on two-factor authentication (if the website has it).

Windows 8.1 Just Keeps on Getting Better


Let's face it, Windows 8 was hell for desktop users. It took until Windows 8.1 for things to get better. It wasn't anything big; for me it was mostly boot-to-desktop that made the update worthwhile. There were some bumps left, but nothing that bothered me on a daily basis.

Microsoft is going further with Windows 8.1 Update. The first major thing that awaits is a proper Start Menu. Its look is similar to what we have had since Windows XP, with a side made of Metro tiles. Since the Desktop will be the default for non-touch PCs (currently you must change a setting to get it), a desktop user can finally work without ever going to the (mostly useless) tiles.

Speaking of which, they are suddenly not that annoying. First of all, gone is the annoying right-click behavior that opened a menu at the bottom of the screen. While not a problem for touch, desktop users had their mouse travel miles and miles for no good reason. Finally the menu will open right over the tile, as logic dictates. It will take some time for other "modern" applications to update their behavior, but it will no doubt happen.

For the couple of useful Metro applications, a welcome change is the possibility of having them in the taskbar. Not only does that make them pinnable, it also allows preview-window interaction. And when you select them, you will be greeted with a title bar. It doesn't offer anything more than what you could do before, but it does allow closing without hitting Alt+F4.

A major feature that will make developers happy is the possibility of targeting Phone, Tablet and Desktop with the same code. If this gets executed correctly, it will be the best thing that has happened to the Store, and it might make WinRT development actually worthwhile. Experience with the last platform that promised the same (WPF, anyone?) makes me only cautiously optimistic, since the platforms might drift apart already in the next revision.

Manufacturers will be happy with the free Windows license for anything smaller than 9" and the lower memory usage on the RT platform. It remains to be seen whether this will result in cheaper devices, but at least nobody will blame Microsoft for high prices any more. Licensing for "normal" Windows remains pretty much the same.

Of course, none of this has been released yet, and thus it is subject to change. There is more than enough time to screw things up and make them more "touch-friendly".

PS: Yes, I know that the Modern UI interface is not called Metro any more...

PPS: To see all these features and more in action, you can watch the BUILD 2014 keynote.

No New Post Here

I had every intention of writing an April Fools' post here. But then I noticed a prank that was so much better than what I had planned.

Source of History

If anything, Microsoft likes to keep its source code well hidden from public view, even to the level of reading other people's mail to track down a leak, while mocking Google's privacy policy (the pot calling the kettle black :)).

So it came as a surprise that Microsoft released the MS-DOS 1.1 and 2.0 source code, together with that of Word for Windows 1.1a, to the Computer History Museum. While these sources are far enough in the past to be completely useless for anything competitive, I find them a precious piece of history and well worth checking out.

The MS-DOS source is particularly dear to my heart because it shows just how much functionality can be fitted into just 28 KB. Assembly code is quite annoying to follow (things tend to look a bit ugly when optimized), but it is well worth reading because of the comments. Not only will they help you understand the code, but, if you are old enough to have any DOS experience, they will also take you on a stroll down memory lane.

Since I was a stubborn WordPerfect fan at the time of Word 1.1a, its source didn't evoke the same level of emotion in me. But I definitely found some parts amusing. Especially the document titled 86fun.doc, which lists some facts only a programmer could think of as fun.

I find both of these miniatures well worth checking out and remembering. Thanks, Microsoft!

NAS4Free in the Role of Syslog Server


In my network there are multiple *nix devices, the most notable of them being my file server (NAS4Free) and my router (Asus RT-AC56U). The nice thing about their common ancestry is that both support syslog logging. Since I already have proper reporting in place for my file server, I started thinking about getting my router's messages there too.

Well, as luck would have it, there is already a syslog server present in NAS4Free. The only reason it doesn't accept messages from other machines is that network logging is explicitly disabled in /etc/rc.d/syslogd. The following line is the culprit (-ss tells syslogd not to open a network socket at all):

syslogd_flags="-8 -ss"

In a full NAS4Free installation it is simple to edit that file. In the embedded one, some "trickery" is needed, because changes to /etc do not survive a reboot. In System -> Advanced -> Command scripts I added a new PostInit entry:

sed -i -e 's^syslogd_flags=".*"^syslogd_flags="-8 -a 192.168.1.0/24:*"^g' /etc/rc.d/syslogd ; /etc/rc.d/syslogd restart

The purpose of this rather long command (ok, two commands) is to string-replace the default flags with ones that allow the whole 192.168.1.x range to use the box as a syslog server, and then restart syslogd so the new flags take effect. The -8 flag is kept so that 8-bit characters are not masked to 7 bits; dropping -ss is what makes syslogd open its UDP socket, and -a is what restricts who may log to it. You could allow a single host instead of the whole subnet, and that is the safer choice: syslog over UDP is unauthenticated and -a filters on source address only, so a smaller allowed range means fewer machines that can inject lines into your logs.

There are additional steps that could be taken, e.g. adding the router's host name to /etc/hosts (syslogd labels remote messages with the reverse-resolved name of the sender) or getting syslog to save the router's messages in a separate log file (configurable in /etc/syslog.conf). However, as far as my needs went, I was perfectly fine with this.
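The flags rewrite and the two optional steps above, as an added example that is not part of the original post. It assumes the router is 192.168.1.1 and is named "router" in /etc/hosts, and it uses the FreeBSD paths NAS4Free uses. Two deliberate differences from the one-liner above: it allows only the router's address rather than the whole /24, and it avoids `sed -i` (BSD sed reads `-i -e` as a backup suffix of "-e" and leaves a stray /etc/rc.d/syslogd-e behind), writing to a temp file and renaming instead so a failed sed never truncates the rc script. The demonstration part runs against a constructed copy of the rc script, not the real /etc.

```sh
#!/bin/sh
# Added example, not from the original post.  Assumed values: router at
# 192.168.1.1, named "router" in /etc/hosts; FreeBSD rc/syslog paths.

# set_syslogd_flags FILE FLAGS
# Replace the syslogd_flags="..." line in FILE with FLAGS.  Output goes to a
# temp file that is renamed over the original only if sed succeeded.
set_syslogd_flags() {
    file=$1
    flags=$2
    tmp="$file.tmp.$$"
    sed -e "s^syslogd_flags=\".*\"^syslogd_flags=\"$flags\"^" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# current_syslogd_flags FILE
# Print the value inside syslogd_flags="..." so the change can be verified.
current_syslogd_flags() {
    sed -n 's/^syslogd_flags="\(.*\)"/\1/p' "$1"
}

# router_syslog_conf NAME LOGFILE
# Print a /etc/syslog.conf fragment: every message from host NAME goes to
# LOGFILE, and the trailing "+*" restores the "all hosts" selector so lines
# that follow in the real file keep their old meaning.  NAME must resolve
# (e.g. via /etc/hosts) to the router's address, since syslogd labels remote
# messages with the reverse-resolved sender name.
router_syslog_conf() {
    name=$1
    logfile=$2
    printf '+%s\n*.*\t\t\t\t%s\n+*\n' "$name" "$logfile"
}

# --- Demonstration on a constructed copy of the rc script -------------------
demo_rcfile="${TMPDIR:-/tmp}/syslogd.demo.$$"
printf 'syslogd_enable="YES"\nsyslogd_flags="-8 -ss"\n' > "$demo_rcfile"
echo "before: $(current_syslogd_flags "$demo_rcfile")"

# Allow only the router, not the whole subnet: syslog over UDP is
# unauthenticated and -a filters on source address alone, so the narrower the
# allowed peer, the fewer machines that can write into these logs.
set_syslogd_flags "$demo_rcfile" "-8 -a 192.168.1.1:*"
echo "after:  $(current_syslogd_flags "$demo_rcfile")"

echo "syslog.conf fragment:"
router_syslog_conf router /var/log/router.log
rm -f "$demo_rcfile"

# On the real box (as the PostInit command) it would be:
#   set_syslogd_flags /etc/rc.d/syslogd "-8 -a 192.168.1.1:*" && /etc/rc.d/syslogd restart
```

Even with a single allowed peer, a host on the same LAN can forge UDP datagrams with the router's source address, so treat remote syslog lines as hints from an untrusted network rather than as evidence in their own right.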

[2018-07-22: NAS4Free has been renamed to XigmaNAS as of July 2018]