Author Archives: daniel

Citylink: Poor security

Interesting article from The Age about Melbourne’s Citylink (Transurban) falling foul of a Google Chrome error: There’s no space like Chrome

Leaving aside the introduction, with its very amusing description of Google Chrome OS as:

an internet-infused operating system for computers that takes on Microsoft’s MS-DOS

… it talks about the Google Chrome browser refusing to connect with the Citylink web site due to an SSL error.

I tried to connect (I have an account there) and sure enough got an error when trying to log on.

Here’s the detail from Google:

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to setup a secure connection but, due to a disastrous misconfiguration, the connection wouldn’t be secure at all!

In this case the server needs to be fixed. Chrome won’t use insecure connections in order to protect your privacy.

You may find that the site works in other browsers. This is because other browsers, unknowingly or intentionally, work around the broken servers. But this doesn’t change the fact that the servers have a glaring security hole and should be fixed.

Technical details

This error message is triggered if the SSL/TLS handshake attempts to use a public key, smaller than 512 bits, for ephemeral Diffie-Hellman key agreement.

For website administrators

If your website has this problem, either:
1. use a 1024-bit (or larger) Diffie-Hellman key for the DHE_RSA SSL cipher suites, or
2. disable all DHE SSL cipher suites.
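
To see what size is actually being measured, here is an added example (not from Google's help text or from this post): it reads the Diffie-Hellman parameters out of a TLS ServerKeyExchange handshake message and compares the prime's size with the two figures quoted above. It assumes "key size" means the bit length of the DH prime p; the function names and the sample message are constructed for illustration.

```python
import struct

SERVER_KEY_EXCHANGE = 12   # TLS handshake message type
REJECT_BELOW = 512         # threshold quoted in the error text above
ADVISED_MINIMUM = 1024     # size the help text tells administrators to use

def _read_opaque16(buf, offset):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[offset + 2:end], end

def dh_prime_bits(handshake_msg):
    """Return the bit length of dh_p in a DHE ServerKeyExchange message."""
    if len(handshake_msg) < 4 or handshake_msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    dh_p, off = _read_opaque16(body, 0)      # prime modulus
    _dh_g, off = _read_opaque16(body, off)   # generator
    _dh_ys, off = _read_opaque16(body, off)  # server's ephemeral public value
    # Any signature that follows the parameters is ignored here.
    return int.from_bytes(dh_p, "big").bit_length()

def classify(bits):
    """Map a DH prime size onto the two thresholds from the help text."""
    if bits < REJECT_BELOW:
        return "rejected"        # the case the error message describes
    if bits < ADVISED_MINIMUM:
        return "below-advice"    # accepted, but under the advised 1024 bits
    return "ok"

def build_sample(p_bits):
    """Constructed message: dh_p is an arbitrary value of the given size, not a real prime."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes((p_bits + 7) // 8, "big")
    body = b"".join(struct.pack("!H", len(v)) + v for v in (p, b"\x02", b"\x01" * len(p)))
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for size in (256, 768, 1024):
        bits = dh_prime_bits(build_sample(size))
        print(f"dh_p = {bits} bits -> {classify(bits)}")
```
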

The Age article seems to assume that Citylink must use a 1024 bit key… but then, if the writer thinks Google Chrome OS is trying to compete with MS-DOS, it’s clear he may not be the most IT-savvy person.

My reading of the error is that it’s a combination of the DHE key agreement and the small key that is the problem. I’m not a net security expert, but that’s what point 2 appears to be saying.

It’s certainly not the case, as implied in the article, that they must use a massive 1024-bit cipher key — I’ve just logged into the Commonwealth Bank’s site, and all is working fine with their 256 bit key.

While Citylink/Transurban might be whinging that they’ve done nothing wrong, given all the other secure sites I use with Chrome are working perfectly, the conclusion I come to is that indeed there is a misconfiguration on their end.

It’s important that they get this right. After all, one wouldn’t want personal information being transmitted insecurely. It could get picked up by a passing Google Streetview car doing packet sniffing!

Update 10:45am: The reference to MS-DOS has now been removed from the article, which now reads: an internet-infused operating system for computers that takes on Microsoft.

It also no longer says Only one browser was available… in 2000, but has been changed to say One browser was dominant.

Doctor Who games

The Good Game reviewers have spoken:

‘a steaming pile of garbage’. The first real Doctor Who game on the DS isn’t just bad; it’s one of the worst misuses of a license I’ve seen.

…and…

Set a few hundred years after the DS game, Return sees the Doctor and Amy investigating some strange signals coming from the vicinity of Jupiter. They come across the strangely deserted SS Lucy Grey. They then have to fight for their lives against shoddy gameplay mechanics and one of the worst cameras I’ve endured in years.

Sounds like they both pale in comparison with the PC games put out earlier in the year. What a shame.

I hate the Mighty Mouse

We’ve got an iMac in the PTUA office which I use on the odd occasion. I’ve gradually got used to the world of MacOS, but one thing I still hate is the Mighty Mouse.

There’s something about the feel of it — the non-buttons, and the scroll wheel in particular. I hate the feel of it. It feels really uncomfortable in my right hand; it leaves my fingers tingling in a most unpleasant way. And it’s not much better in my left hand either.

I don’t recall having this kind of reaction with any other mouse. And I don’t even understand why this one feels so bad to me.

It’s odd. Anybody else had the same sensation?

(Pic credit: Wikipedia)

Yahoo groups spam

On a couple of Yahoo Groups I’m on, we’ve noted spams coming through from long-time members in the last week or two.

The good news is there’s no need to panic. Most probably a spammer out there has worked out that person X posts to list Y, and is forging emails from them from a remote location. Which means it is unlikely that X’s computer has been compromised. (Though of course it’s good practice to have virus protection and regularly do scans.)

If you’re an Admin of a Yahoo Group, you might like to check the Posting settings (group management / Group Settings / Messages / Posting and archives). There is a Spam Filtering option which I believe is switched off by default (it might be a newly added setting).

On the groups I’m on, we had spam coming through, but setting the Filtering on seems to have prevented more of it.

Thanks a lot, Apple

I was using a USB drive to copy files from a Windows box onto a Mac.

Easy enough; plug it in, copy the files over.

Then I plugged the drive back into a Windows computer. What do I see? Oh, delightful, MacOS added some hidden directories for Trash and Spotlight.

Apple Spotlight directories

Harumph. Annoying, but no biggy I guess.

Wait a sec, what’s inside those directories? A bunch of stuff, it turns out:

How about: .Spotlight-V100 \ Store-V1 \ Stores \ [long hex string] … and inside there, about 2Mb of junk.

Apple Spotlight crap on my USB drive

Now, I could understand that if I’d copied anything from the Mac back onto the USB drive, thus it might have needed all that stuff to do the wonderful Spotlighty things in the future.

But just copying stuff off it? Why make that assumption and dump all this crap on it? Particularly hidden, so many people wouldn’t even spot it.

Oh well, it’s in keeping with the iTunes bloatware philosophy of dumping heaps of software onto your PC that most people don’t need. Ed Bott’s updated his guide to avoiding that with iTunes 10:

Apple still gives its customers a monolithic iTunes setup program with absolutely no options to pick and choose based on your specific needs.

Why is that important? When you run the iTunes setup program, it unpacks six Windows Installer packages and a master setup program, which then installs nearly 300MB of program and support files, a kernel-mode CD/DVD-burning driver, multiple system services, and a bunch of browser plugins. It configures two “helper” programs to start automatically every time you start your PC, giving you no easy way to disable them. It installs a network service that many iTunes users don’t need and that has been associated with security and reliability issues.

And you wonder why I dislike iTunes with a passion that burns like the fire of a thousand suns?

It’s a must-read if you’re installing iTunes on Windows.

How to fix YourTV.com.au’s annoying Sydney default

I quite like the YourTV.com.au web site. The TV guide it displays is quite usable, and can be customised to show your correct channels.

But why does it keep forgetting your region every few weeks, and reset itself to metro Sydney?

Your TV Sydney default

Very irritating. (Well, if you live outside metro Sydney.)

Using your web browser, you can check the cookies. This article describes how, in various browsers.

That’s where the problem is: it looks like the “TvFixGuide” cookie, which seems to hold details of what region you’re in, is only set for a month.

Your TV cookie

It doesn’t look like either browser allows you to extend the time range of the cookie, or otherwise modify it. I suppose there’s legitimate reasons for that.

It is possible to hack it by deleting the cookie, setting your computer’s clock, say, a year into the future, before going back to the site and setting the option.

Yep, it seems to work:

Your TV cookie modified

Don’t forget to set your clock back afterwards.

iTunes not up to date

Downloaded the latest iTunes 9.2.1.

Installed using the less-bloat method (for people like me who just want to use it to manage an iPod):

Extract the components from the iTunes setup EXE…

AppleApplicationSupport.msi /passive
Quicktime.msi /passive
iTunes.msi /passive

All good! All up to date!

I decided to fire up Quicktime and make sure none of its stupid tray icons were configured to run all the time, wasting my memory and CPU. What do I find?

Quicktime out of date

Quicktime is out of date — it tells me. It’s only 7.6.6, and you should be running 7.6.7.

Oh, bravo Apple — can’t even keep their own software up to date.

Donkey Kong on 12 different 80s platforms

Part 1: Atari 2600, Intellivision, Colecovision, NES, Commodore 64, IBM PC (DOS), Apple II

Part 2: Vic 20 (dodgy emulator?), TI-99/4A, Atari 8-bit computers, Amstrad CPC, ZX Spectrum, Atari 7800

With adaptions from an arcade original that had a screen that was higher than it was wide, there’s an obvious compromise to be made between the clarity/resolution of the characters, their aspect ratio, and the number of girders to the top — eg compare the Atarisoft Commodore 64 version with the Ocean one. Some versions look very squashed.

Most surprisingly good I reckon was the TI version.

Via Retroist