Heartbleed Status

Heartbleed is the name of a recently disclosed vulnerability in the widely used security software called OpenSSL, which is used for securing web communications.

What makes Heartbleed so serious is that exploiting it leaves no trace and is very easy to do. Cloudflare posted a challenge for people to extract the private key from their intentionally vulnerable server, and it was just a matter of time before someone managed to break it.

What makes this possible is the ability to send a malformed request to the TLS heartbeat extension, which makes the server respond with up to 64k of arbitrary memory contents. That memory can contain anything, such as user passwords and even the private keys used to secure the connection in the first place.
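As an added illustration (not code from the original post or from OpenSSL), here is the length check that the fix boils down to, written in Python against the heartbeat message layout from RFC 6520: a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. The sample messages are constructed for the example; the malformed one declares far more payload than was actually sent, which is exactly the shape of request that leaked memory when the declared length was trusted.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(msg_type: int, payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialise a HeartbeatMessage: type (1 byte), payload_length (2 bytes, big-endian), payload, padding."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def parse_heartbeat(msg: bytes):
    """Return the payload of a well-formed HeartbeatMessage, or None if it must be discarded.

    The declared payload_length is checked against the bytes that actually arrived
    before anything is copied; copying payload_length bytes without this check is
    what made a vulnerable server echo back adjacent memory.
    """
    if len(msg) < 3:
        return None
    msg_type, payload_length = struct.unpack("!BH", msg[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # Bounds check: header + declared payload + minimum padding must fit in what was received.
    if 3 + payload_length + MIN_PADDING > len(msg):
        return None
    return msg[3 : 3 + payload_length]


def heartbeat_response(request: bytes):
    """Echo a request's payload in a response of exactly payload_length bytes, or None if the request is rejected."""
    payload = parse_heartbeat(request)
    if payload is None:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


# Constructed sample: declares a payload_length of 65535 but carries only 3 payload bytes.
MALFORMED_SAMPLE = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"abc" + b"\x00" * MIN_PADDING
```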

xkcd provides probably the simplest explanation of what Heartbleed is all about in xkcd 1354.

If you are not running your own site, you won’t have to bother with patching the software and issuing new certificates. You will however need to change your password on affected sites, and Mashable provides a list of popular sites and their current status.

Bruce Schneier writes about Heartbleed, and his post contains links for further reading and discussion and is well worth a browse.

Flickr Turns 10: The Photo-Sharing Site’s Rise, Fall and Revival

It’s hard to imagine an internet without Flickr, but it was only 10 years ago that the service first saw the light of day.

Earlier photo sites were mostly concerned with letting you put your pictures in front of friends and family. Flickr did that, too. But from the start, it was building a community of photo lovers around the world who wanted to share images with other photo lovers, as well as thousands of special interest sub-communities. It was about storytelling.

Through thick and thin, the community has always been one of Flickr’s primary strengths. There are an insane number of groups catering to every nuance of photography, from the intricate details of architecture to the joy of snapping that perfect family photo.

According to Spiering, today’s Flickr has more than 10 billion photos (vs. more than 250 billion on Facebook — but who ever said quantity trumps quality?). It hosts 1.8 million groups, which are being joined by 50,000 new members a day.

Stats like these really put things in perspective, and they say something about the serious infrastructure and engineering that stands behind the site.

I have been a pro member for years and enjoy the automatic uploading of photos through the Flickr iOS app on a daily basis. Together with Flickring I can instantly access any photo I have ever taken with my iPhone and my regular camera. It is perfect as a replacement or in combination with iCloud.

Gust is Ghost for WordPress

Ghost is a recently released blogging platform based on Node.js and probably a direct competitor to established platforms such as Medium.


According to the author of Gust, Ghost was in its conception thought to be a WordPress plugin but morphed into an entity of its own, and this is where Gust comes in.

At the beginning, Ghost was supposed to be a fork of WordPress. Then there was talk of a plugin that would give a next-generation admin panel for WordPress. But in the process it became a new blogging platform, built on Node.js. This plugin is an attempt to bring the nice and clean admin panel of Ghost back to the WordPress ecosystem.

I gave it a go in my test WordPress installation and I am really impressed by it, given its early stage in the development process. Just a couple more iterations adding support for featured images, post formats and custom fields, and I could probably use it.


Its strength lies in the realtime Markdown preview pane, which works really well. It currently doesn’t reflect the site’s active theme though, which may or may not be an issue.

Divvyshot – photo sharing for the rest of us?

Divvyshot is a photo sharing site, fresh off the presses. Even though the name is hard to remember, the website is quite the opposite.

Divvyshot has taken a somewhat different approach to photo sharing, where albums are thought of as events and multiple people can easily contribute to them. Imagine a wedding where there will probably be lots of cameras and people taking photographs. Now imagine that everyone uploads their photos to the same Divvyshot event, where all photos can easily be downloaded and shared. It is a very simple way to gather all photos in one place, even for non-techies.

If you are familiar with other photo sharing sites like Flickr, you will almost immediately spot quite a few differences. The first thing you will notice is the website itself, with its simple grey theme that nonetheless stays very stylish and functional. All actions have icons with no visible labels, although they show descriptions on mouse over. It might not be completely user friendly, but you get the hang of all the buttons after a while.

Nice features like directly importing photos from Flickr are done very well and work great most of the time. There are sharing features too, where one can send photos to Flickr and Facebook and link to them on Twitter. It is also possible to download all photos in one click, which is very handy in the wedding example above.

So will I switch over to Divvyshot from Flickr? In short, no. A longer answer is that Flickr has a huge community, thousands of external apps, an API, integration with Aperture and Lightroom. I will however try it out on my parents and other people who might find Flickr too daunting but still want to easily share photos with friends and family.

Have a look at my Divvyshot account for sample albums.

OpenID and why it matters

Logging into websites has always been a pain if you want to stay somewhat secure. One could either use the same username and password everywhere or choose from a few remembered passwords. The next best thing is to use some kind of password manager, such as the one built into most modern web browsers or perhaps 1Password.

Another way of looking at online identities is the concept of one central hub – you. Think of it as your “home”, a place for your identity. This identity could then be used to authenticate you on any supported site, without requiring a password or even a username, provided that all required information has been entered into the central hub profile beforehand, such as your full name and username.

This is exactly how OpenID works! It acts as a central hub for your online identity and lets you log in to all OpenID-enabled websites without having to come up with a new password each time (or worse, reuse the same password). What makes OpenID work is simplicity; it is not that hard to grasp or explain the concept of an online identity hub and using a URL to identify yourself.

A huge benefit of OpenID is that it is completely decentralized. This basically means that anyone can set up their own OpenID provider, and there are already lots of open libraries available to make this as painless as possible. So if you don’t trust anyone else to hold your personal identity, just get a domain name, set one up for yourself, and use any type of authentication you want to identify yourself to your own hub. You can even use X.509 certificates or OTP for this purpose if you want.

As for security, make sure to use HTTPS for the provider to protect against man-in-the-middle and replay attacks. The other important security issue is phishing, where users would enter their credentials on a third-party server instead of their own provider. Using client certificates, or requiring that you already be logged in to the provider before it will process an authentication request, would however make this a non-issue. Other than that, the ordinary web problems remain, such as bugs in the OpenID libraries and other attack vectors.

If someone were able to gain access to your OpenID provider, they would have access to all the sites you authenticate to with it. To put this in context however, look at your email account. If someone were to gain access to your email, they would undoubtedly have the means to access most of your sites anyway because of the password recovery feature.

Chances are that you already have an OpenID identity without even knowing! Lots of big websites provide this service, and it is even possible to roll your own as mentioned above, or to install a plugin for your very own WordPress blog to enable this feature. If you have your own fancy domain but no means to set up an OpenID provider, fear not: there is support for delegation, meaning that you can delegate the authentication to another provider while still using your own domain as the identifier you give to the target website.
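To show how delegation is expressed in practice, here is an added example (not code from the original post or any OpenID library) that reads the delegation link tags from a claimed-identifier page in Python: `openid2.provider` and `openid2.local_id` for OpenID 2.0, or the older `openid.server` and `openid.delegate` for OpenID 1.1. The HTML and all URLs in it are constructed for the example; a real consumer would additionally try XRDS/Yadis discovery, which is not covered here.

```python
from html.parser import HTMLParser


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel=... href=...> tags from a claimed identifier's HTML page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attributes = dict(attrs)
        rel, href = attributes.get("rel"), attributes.get("href")
        if rel and href:
            for name in rel.split():  # rel may carry several space-separated values
                self.links.setdefault(name.lower(), href)


def discover_delegation(page_html: str):
    """Return (provider_endpoint, local_id) declared on the page, or None if it declares no provider.

    The claimed identifier (your own domain) is what you type at the relying party;
    local_id is the identifier the provider actually knows you by. A local_id of
    None means the provider knows you by the claimed URL itself.
    """
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    links = parser.links
    # OpenID 2.0 tag names take precedence over the 1.1 ones when both are present.
    provider = links.get("openid2.provider") or links.get("openid.server")
    if not provider:
        return None
    local_id = links.get("openid2.local_id") or links.get("openid.delegate")
    return provider, local_id


# Constructed sample page for a hypothetical own domain delegating to a hypothetical provider.
SAMPLE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://openid.example.net/server">
<link rel="openid2.local_id" href="https://openid.example.net/id/alice">
<link rel="openid.server" href="https://openid.example.net/server">
<link rel="openid.delegate" href="https://openid.example.net/id/alice">
</head><body>Alice's home page</body></html>"""
```

Because these tags decide where the login actually happens, the page carrying them should be served over HTTPS as well; anyone able to alter it could point your identifier at a provider of their choosing.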

Instapaper, or how to read stuff later

I recently came across a service on the great web called Instapaper. It solves the ancient internet problem of wanting to read long articles when one just hasn’t got the time. Everyone has probably thought:

I’ll just save it and read it later…

It’s not easy to manage all these links and texts without any kind of system. This is where Instapaper comes in.

Instapaper is best used from a bookmarklet in your browser. It can be used both on a computer and a mobile platform such as an iPhone. It could look something like this:

Bookmarklet

It’s very easy to add a site to the reading list. Just navigate to the page, click on the Read Later bookmarklet and boom! To view the reading list and actually read the articles, there is of course a website, which looks something like the following. It has an archive for read items, and it can extract just the essential text from the websites.

Instapaper

I find the site best used as the home page of the browser. This way you see the reading list as a reminder every time a new browser window is started.

If you have an iPhone, you will get a bonus! There is an app in the App Store which syncs with Instapaper on the web and makes it easy to manage and read items in the list.

Instapaper iPhone

The Instapaper iPhone app website has more information on how to use it.

[Instapaper] [iPhone App]

Dreamhost adds unlimited bandwidth and disk space for all

If you happen to be in the Dreamhost Panel and click on Billing -> Manage Account, you might have seen that it is now possible to upgrade to unlimited bandwidth and disk space — for free!

Just click the link and accept the agreement. It basically states:

  • Everybody on your account is using their full email address only to check and send email with their mail client.
  • Everybody is only ftping/sshing to your domain, and not a server name directly.
  • Nobody on your account is using .procmail or .forward files.
  • You don’t have /home/.SOMETHING/username anywhere in your files at all… you should change it to just: /home/username

If you choose to accept, you will be placed in a queue to be moved to their new server environment, and will immediately receive unlimited bandwidth and disk space!

Should you choose to register a new Dreamhost account, use promo code JOCH1 to get $40 off on your hosting.

Google Knol — The new online source for knowledge

Google just released a new web application called Knol. It is meant to make it easy to share knowledge through articles and in-depth guides. The service puts a strong emphasis on authorship, and every piece of information has one or more names behind it. From the announcement:

Knols are authoritative articles about specific topics, written by people who know about those subjects.

An article may look like the following, which is a guide on how to backpack.

How to Backpack


Much like Wikipedia, it is possible to make changes, or at least propose them, since the author can set the collaboration permissions for each article.

Collaboration permissions


Support for AdSense is also built in, which makes it possible for authors to actually make money from the content they publish on the site. Whether any significant amount of money will be generated this way is another question.

It is very easy to begin writing a new Knol. The interface looks like the following and features a lightweight WYSIWYG editor.

Write a new Knol


Knol might become a competitor for Wikipedia in the future, but I see it not as a competitor but more as an enhancement to the online knowledge base. Since there is a real person behind each article, the content is consistent and could be very reliable if written by a person knowledgeable in the particular field.

WordPress for iPhone released

WordPress for iPhone has been released, making it super easy to post to your WordPress blog on the go!

There have been reports on the iPhone crashing when using international characters such as åäö, but it will surely be fixed soon.

I will write a review when I have the opportunity to try it myself.