Friday, December 19, 2008

Redeem the Time

As we close the year 2008 and come near to that time of New Year's Resolutions, here is an idea for you. If you are as unlucky as I am and have to commute every day to work, then redeem the time. I have at various times while driving to/from work listened to: sermons, lectures on philosophy, home brewing podcasts, audio books, plays, TV shows, and more. It is much more interesting than listening to the radio, and it's possible with a $30 MP3 player.

"How do you find great sources?" you may ask. Here are some tips:

  • My county library system has an online audiobook library. I can check out and download audiobooks for free. There are WMA books, but surprisingly there are also some MP3 books!
  • Check out Project Gutenberg. In addition to the computer-read books, they also have human-read books, and some of them are excellent quality. In particular I can recommend the renditions of Sherlock Holmes; they are absolutely wonderful...and free!
  • Find some podcasts you like. There are excellent podcasts on all sorts of topics. I have picked up podcasts on Ruby, home brewing, technology news, science, business news, and more. There are also some TV shows like 60 Minutes that have a podcast replay of the entire show, commercial-free. A site I like for managing podcast subscriptions is PodNova. They have a downloadable aggregator that works on Linux.

So why not listen to some of those books you always wanted to read? Jane Austen, F. Scott Fitzgerald, J.R.R. Tolkien, Lewis Carroll, Jules Verne, Charles Dickens, Mark Twain, Fyodor Dostoevsky, Voltaire...they're all here. Listen to the Bible read to you. Fiction or Non-fiction, be creative, learn a new language, or a new subject. It's easy and free.

Wednesday, December 3, 2008

All Your HTTPS Packets Are Belong To Us

Occasionally, I have to work on a restricted network, whether I'm connected via VPN to a remote desktop, or directly to a network.

I'm also in the position, at times, of needing to retrieve something from my company e-mail account, and for whatever reason (productivity drain or virus infections from pointy-haired users) the network proxy automatically blocks access to any sites with the word "mail" in their domain name.

One of the easiest ways to get around this is to just use HTTPS, because all your traffic to the remote server is immediately encrypted before it is sent on the network. Only the remote server can decrypt your packets, and if anyone intercepts them, then they look like garbage. The information in your encrypted packets includes the domain name of the server, because with HTTP 1.1 the domain name is sent as an HTTP header. So the automatic proxy filter is out of luck, and I am free to access my e-mail account. (Proxies could of course block by IP address, but that just causes a mess.)

It turns out that some network proxies will automatically generate fake SSL certificates for every secure site that you access. (This is probably old news to network administrators.) The certificates look legit and include the correct name of the site, but the issuing authority is the proxy device on the network. I can't say that this is shocking to me. I always knew it was possible; I just hadn't encountered it in the real world.

I suppose that normally the network administrator would have installed the proper root certificate on every machine on the network, but in my case I pulled up a site with a certificate that matched the site I was accessing, but was issued from an authority that I don't trust (i.e. the network proxy). Hmm...

Any normal user wouldn't have understood what was going on, but I was immediately suspicious that my machine had been compromised by some virus, or that the remote site had been compromised for phishing purposes. I'm glad that neither situation was true, but I'm left yet again with my confidential information compromised in the name of security.
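The manual check described above (whose certificate am I actually being shown, and does my machine trust its issuer?) can be scripted. This is an added example, not code from the original post; the names `fingerprint`, `probe` and `classify` are illustrative, and it assumes you recorded the site's certificate fingerprint earlier on a network you trust and that the path is direct or transparently intercepted rather than through an explicit CONNECT proxy.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der):
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def probe(host, port=443, timeout=5.0):
    """Return (leaf_fingerprint, chain_trusted, detail) as seen from this network."""
    loose = ssl.create_default_context()
    loose.check_hostname = False       # has to be cleared before CERT_NONE
    loose.verify_mode = ssl.CERT_NONE  # inspection only; never send data on this socket
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with loose.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    strict = ssl.create_default_context()  # normal validation against the local store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
        return fingerprint(der), True, "issuer: %s" % issuer.get("commonName", issuer)
    except ssl.SSLCertVerificationError as exc:
        return fingerprint(der), False, exc.verify_message


def classify(observed_fp, pinned_fp, chain_trusted):
    """Compare the fingerprint seen here with one recorded on a network you trust."""
    seen = observed_fp.replace(":", "").lower()
    pinned = pinned_fp.replace(":", "").lower()
    if hmac.compare_digest(seen, pinned):
        return "match"               # same leaf certificate as the pinned one
    if chain_trusted:
        return "differs-trusted"     # rotated certificate, or a proxy CA installed locally
    return "differs-untrusted"       # the case in the post: issuer unknown to this machine


if __name__ == "__main__":
    # Constructed stand-ins for DER bytes so the demo runs offline.
    origin, proxy = b"constructed origin leaf", b"constructed proxy-minted leaf"
    print(classify(fingerprint(origin), fingerprint(origin), True))
    print(classify(fingerprint(proxy), fingerprint(origin), True))
    print(classify(fingerprint(proxy), fingerprint(origin), False))
```

A `differs-trusted` result is the one a browser will not warn about: the chain validates locally, so only the comparison against the earlier fingerprint shows that a different certificate is being served.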

Think that your credit card number, SSN, personal information, etc. is safe because you're using a secure connection? Think again. The network administration team is reading everything that you send to the secure site. The classic man-in-the-middle attack. As always, the weakest link in the chain will be a human being, and now more human beings have access to your information.

It's a brave new world.