Interviewing for full-time is quite different than what my Co-Op interviews have prepared me for. For one thing, companies are much more interested in having you come on site, which is pretty cool in that I've gotten to see a lot of different work environments, but also has the downside of keeping me busy flying all over. Fortunately, I've managed to get the remaining 2 west coast companies I'm interviewing with to co-ordinate so I don't have to make separate trips out :) I was a little worried with job hunting during this economic slump, but it seems like most technology companies are still hiring (albeit maybe not as many people as before). Having the Amazon offer has made the whole process much less stress-full in some ways, but in other ways its made my schedule a lot more packed since the deadline is the end of this month.
Saturday, November 22, 2008
Friday, November 21, 2008
Oddly enough a lot of people from Ottawa end up going to the University of Waterloo (or at least they seem to, in the Math/CS segment). Apparently, I am so far out of touch with Ottawa that I didn't know about the creation of a new brewery (called beaus) (complete with blog). Kevin was kind enough to bring down a big (~2L) jug of "Lug Tread" which was surprisingly good. So that this isn't a total non-sequenter with the rest of what I write, I wonder what sort of challenges they faced doing a startup and how those compare to tech startups? And now back to that free beer....
Once again, Yahoo! has made a slight mis-step with protecting their users' information. In my attempt to enable interoperability between pcfspam & Yahoo! Mail, I uncovered another problem with the most recent Yahoo! Zimbra Desktop. The new Zimbra Desktop (build 1344) uses the same login methodology as the web login, which is already known to be replayable. Unfortunately, unlike the web login, it doesn't notify the user in the event of an SSL certificate mismatch. This makes Yahoo! Zimbra vulnerable to a man-in-the-middle attack, exposing both usernames and passwords.
To reproduce this bug, simply download Zimbra desktop & set your host file (/etc/hosts) for login.yahoo.com to point to your local machine (127.0.0.1) by adding:
Alternatively, you can configure bind and add the Yahoo! zone:
; BIND data file for the fake yahoo zone
yahoo.com. IN SOA localhost. root.localhost. (
;@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
yahoo.com. IN NS ns1.yahoo.yahoo.com.
login.yahoo.com. IN A 127.0.0.1
login.yahoo.yahoo.com. IN A 127.0.0.1
ns1.yahoo.yahoo.com. IN A 127.0.0.1
. Then start an SSL webserver (I used apache) on port 443 and take a look at the access log to see the request:
127.0.0.1 - - [21/Nov/2008:00:27:39 -0500] "GET /WSLogin/V1/get_auth_token?appid=0YbgbonAkY2iNypMZQOONB8mNDSJkrfBlr3wgxc-&login=albertsanchezo&passwd=kingof HTTP/1.1" 404 401 "-" "Jakarta Commons-HttpClient/3.0"
You can clearly see the variables login & passwd contain the username and password. It should be noted that no warning message was shown to user and this was done with a self-signed cert for a localhost.localdomain. A malicious attacker would have to exploit only one of the many DNS poisoning vulnerabilities and pass the authentication information through to be able to capture the usernames & passwords of a large number of Yahoo! users. While you can see that I didn't bother passing the information through, you could also get a similar effect with squid (or another proxy) and still allow authentication to complete.
The impact of this is much lower than the previous vulnerability with Yahoo! Zimbra desktop, but is still serious as it exposes usernames & passwords with only a trivial amount of effort.
At the time of the writing Yahoo! security has been notified.
For anyone from Yahoo! reading this, I'm still waiting for the shirt I was promised from the first time I reported a vulnerability, but its all good :)
Monday, November 17, 2008
I seem to be getting a reasonable amount of blog comment spam (especially on the older posts). I've allready enabled captchas, but that apparently isn't enough. Since there aren't many comments I'm turning on comment moderation. I will let anything through which isn't spam.
Tuesday, November 11, 2008
So I upgraded my main laptop to Ubuntu 8.10 (). The initial estimated upgrade was approximately 8 hours, so I headed into campus (where the main csclub & Canadian ubuntu mirror server is) and did my update in about 30 minutes instead.
This rest of this month is incredibly busy with trying to finish up interviews before the Amazon deadline.
After this weekend I'm hoping to have a working CLI port with login functionality for Device Scape on the OpenMoko.
Sunday, November 02, 2008
In what came as a bit of a surprise my latest device scape build seems to be working pretty well. It successfully selected the correct network, and did the automatic login at a Starbucks in NYC. I've got another round of code cleanups to do, and there is only a CLI interface at present, but I'm hoping to have some ipkgs ready for testing soon. If you're interested in taking them for a spin, send me an e-mail ( firstname.lastname@example.org ) and I can send you the freshest bits :)