Wednesday, June 4, 2014

The Upside of Yahoo Bugs

I don't have to endure those godawful trashy ads. ;-)

Saturday, February 8, 2014

How not to fix a car

Car key is jammed in the ignition. Engine won't start. We've had ongoing problems with the VATS for the last year or so. This is a common problem in these cars. Obviously that problem has progressed to jamming the key in the barrel.
So I embark on a 2 hour adventure to remove the kick-plate, intercept the wiring from the ignition and bypass the feed into the VATS chip with the appropriate resistance to fool the anti-theft system. Pretty technical stuff. 

There's a lot that can go wrong here so not something I would undertake without a good reason. Think airbag.

In the end I successfully completed the operation and for the first time in over a year the security light goes off. The VATS chip is happy. 

But the engine still won't start.  I reassemble everything and put the kick-plate back in place in the hope that that will help. No joy. 

It's then I do something I should have done at the beginning. Set aside my assumptions and check for the obvious. Oh hell. No. I didn't. Talk about stupid. 

So it turns out I didn't need a degree in electrical engineering, a multimeter, soldering iron and 2 hours to fix. Would have been easier just to move the transmission to Park. Yes. I do deserve a medal.

Stay tuned for the sequel. How to change a light-bulb by rewiring your house.

Monday, June 24, 2013


My new favorite word: Clusterbeep.

Saturday, June 8, 2013

Yahoo! Made Me a Jackass

This morning at 7:49am PST Yahoo! gave a spammer access to my account.

My account was not hacked and nobody has my password. Instead it was accessed via a "Yahoo! Partner's Application". Not one I actively authorized.
Yahoo! authorizes a broad array of internet based services, blogs, widgets and whatnots to access user accounts via tokens and credentials. They also drop copious cookies tied to your profile. Throw in an ever-growing bug-list and our accounts are fair game for the spammers. My password never played a role.

I never opted-in to open my account to any "Yahoo! Partner's Application". I'm very deliberate about my passwords and what systems I use. But I have a pretty good idea why it got added while I wasn't looking.  I also have a good idea why tens of millions of Yahoo! accounts remain vulnerable for months.

There's no such thing a free lunch. The free email providers have to make money somehow. For Yahoo! it's important that their users can range far and wide across their extended network of websites without being stopped at a login prompt.

The 800 pound gorilla in the room is that the vast majority of software has vulnerabilities which leave you at risk. This risk grows quickly as you access more systems. If an internet giant like Yahoo! decides to allow it's extended network to access your account the risk becomes a statistical certainty.

It isn't a priority for Yahoo!  that user accounts are vulnerable. It's a sad reality that it's only taken seriously when it becomes a PR problem. About 10 years back I brought a potentially devasting security bug to the attention of Yahoo and Microsoft IE engineering. I never got any followup- and a year later the bug had not been fixed.

About 100 spam messages went out from my account and now I look like a jackass. No spammer sat down and decided to relay spam via my account. No human targetted me specifically - I was just the next entry on a very long list. Maybe you are on tomorrow's list.

So the lesson here is to check your account security settings carefully and regularly for applications, credential sharing and networks that you've been opted into. Disable and remove everything you don't need or use. And remember that while most of the security recommendations these companies tell you are solid they are not going to discourage a feature that makes revenue for them even when it carries additional risk for you.

My sincere apologies to everyone who got spam from my account. This is the first time this has happened to me in 20 years of pushing these keys. I do computer security for a living so this stings me regardless of who is at fault. I should have been more diligent in checking my account settings for the creeping appearance of undesirable features.

I've reviewed the entire incident and removed all access rights to "Partner" applications (which I never enabled in the first place - thank you Yahoo!) and mobile access (which I don't use). I've also bounced the password a few times though that was not the issue here. This is pretty much all I can think of to do now.

I am going to work hard at finding new ways not to look like a jackass to those people who trust me with their email. Sorry.


Friday, May 3, 2013

Four and a half years...

Well, obviously posting regularly to this blog has not been a priority. What with new job, new house and new life I've been a tad bescheftigt.

And truth be told I find it disconcerting the extent to which personal information on the internet is now harvested, correlated, mined and ultimately, sold. I prefer not to partake.

Hope you liked the "airdog" story and photo from the airplane. So look for another exhilarating post sometime around Halloween 2017?

Friday, October 31, 2008

Lightweight is Good

Wisdom for the day:

A line of code that isn't there is a line of code that isn't broken.