The OpenSSL heartbleed bug was a serious kick to the Internet's collective
This video provides a quick overview if you want the details.
In summary, an attacker could craft a payload with a fake size (up to 64k) and
trick OpenSSL into sending a random chunk of server memory. WTF?!
To understand how bad this was I spent a minute hacking on this script
that was going around.
I pointed it at login.yahoo.com (which is no longer vulnerable) and tried to see
if I could catch a username and password flying by. I had one within 30 seconds.
That's how bad it was; you could read random parts of the server's memory which
may contain passwords, private keys, or whatever else OpenSSL was
processing for current site visitors.
I had stolen someone's credentials. Game over, right? How do you protect
yourself against something as bad as this? ...
Oh, hey! I almost forgot I have a blog.
Well, the colors are annoying to me and my comment system sucks
but, meh. I wanted to write a quick note about where
you can find stuff I write.
David Lowery wrote a piece on how downloading music is hurting musicians (which is a response to Emily White's piece on admitting to not buying music). Here is my response.
Music is a really interesting "product," especially when distributed digitally for $0.001 cents per download (production costs: bandwidth, storage, etc). The real production costs are for the time put in by the artist, studio fees, and creativity. Besides the creativity part, that formula sounds a little bit like the FDA drug market, right? It costs about $0.001 cents to manufacture a pill so the hefty price tag goes to recoup the money spent on drug research. Or does it? Yeah, selling drugs is a messed up industry...
In this article, a coffee shop entrepreneur laments a more "celebrity" entrepreneur who launched a similar startup but got more traction.
His conclusion: "The difference between the guy in the coffeeshop and the celebrity entrepreneur isn’t just press connections, money, and experience; ultimately it is this combination of factors."
I don't think this is true. A successful startup has very little to do with money and connections...
At ORD Camp last weekend Ben Huh led a discussion about how we -- a group of geeks and artists -- can save the Internet. We won the fight against SOPA and PIPA for now but those laws will just sneak in through some other bill. Will Wikipedia be there to black out again in protest? The fight is nowhere near over and we have to get organized...
Most people at Mozilla are remote so each quarter we sync up face to face as a group for an all-hands meeting. There are over 600 employees! We of course sync up in smaller groups more frequently but this is a chance to see what's going on across the entire Mozilla horizon.
So what's happening at Mozilla? We're on the cusp of a huge shift towards an open web platform. That is, something more than a web browser -- something you can run "native" apps on. There's a lot of work left to do, of course. Here is a random dump of interesting projects in the works...
The release of Google Plus presents a unique opportunity to open up the social web. Why? Because it's a compelling product -- it's intuitive and fun with innovative features like circles, hangouts, sparks, etc. In many ways it's a clone of Facebook but that's just a reinforcement of what Facebook (and before that, Friendster) got right. If Plus continues to succeed then the optimist in me envisions this as a golden opportunity! ...
A few services have been popping up lately that let you stream music from any
computer or device (the so-called "cloud"). Amazon just released theirs,
uncreatively named Cloud Player.
I'm pretty excited about this one because it's the first I've seen to actually
offer sane, reasonable pricing ...
When I got my first Android "smart phone" it felt like a slow, hard-to-use computer
on dial-up Internet. Now I use an Android G2 (HTC Vision) which
I'd call a pretty snappy, easier-to-use computer. I can't say I do much on it
besides calls, texting, and Twitter but I'm excited that
Firefox Mobile has just been released. You'll need a newer Android phone (ARMv7)
to install it and it's going to eat up a whopping 14MB (plus caching)
but, hey, Firefox is now mobile! ...
Firefox 4 has launched! If you want to watch the whole planet
upgrade in realtime head over to
glow.mozilla.org (built by @potch, @jeffbalogh, and others!).
If you haven't already downloaded Firefox 4 then what are you waiting for?
After that, join the twitter party by using the #fx4 hashtag in
Firefox 4 is about to ship! And it contains a massive amount of
these hot new features and how important Firefox is to the international
community but first, this.
In the next week millions of people will begin upgrading to
Firefox 4. A large number of them will be upgrading from Firefox 3 so
they'll be disappointed to learn that when you type a name or phrase into the
Awesome Bar it no longer takes you directly to the website you are looking
for. Technically this feature was called Browse By Name but most people
probably understand it as performing a "feeling lucky" search in Google. The
forums and support site are already filling up with complaints.
Don't worry! The feature was just disabled, it wasn't removed entirely...
The Internet was invented so that data could be decentralized and liberated.
Well, so much for that idea.
With the rise of services such as Facebook and Twitter we are back to the
original mainframe problem: everything is stored and controlled by a central
authority. Ironically, today's "to the cloud" meme is making us depend
on central authorities even more.
So what about data privacy? In this centralized
model we go about our online lives constantly posting data to all these different
servers that we trust...
Firefox 4 is near the end of its beta cycle but what is so special about this
release? Why not see for yourself on the new demo site, the Web of Wonder
(requires Firefox 4 beta but some demos do work in Chrome and Safari).
I'll be honest, as a web developer, the new power of HTML5, CSS3, SVG, WebGL, etc
totally blows my mind...
Fudge, the python mock tool, goes 1.0! You can grab it with
pip install -U fudge or directly from PyPI. This marks the end of a
long incubation period where the community and I used Fudge in real world scenarios to see what
worked and what didn't. I'm sure there are many more improvements to make but as of
1.0 I'm very satisfied with what we've accomplished. This is thanks to its small but vocal community of users, to all contributors
and to everyone who pointed out flaws...
As web developers we are faced with this problem: how do we scale up our code to handle high traffic? A lot of time and engineering goes into this problem -- time to simulate the traffic we expect and add servers to our cluster, cache heavy database access, etc., in anticipation of the load. Time is precious. This time could be spent optimizing the usefulness of our web product and creating interesting content. No one really congratulates you when a website works; they expect it to work.
When Google App Engine was released their pitch was...