Category: Tips & How To’s

Categories
Apps Tips & How To's Websites

Gawker Hacks [update: no Digsby]

If you missed it, Gawker Media’s username/password database was hacked and paswords decrypted! This is very very bad. Lifehacker, has a comprehensive post about the compromise.

They only left out one little piece of info, your password may have been exposed even if you’ve never logged in to a Gawker site. Multi-IM client Digsby is owned by Gawker and Digsby username/passwords are also in that database! Seriously, this is bad. No more blogging after midnight…This was totally incorrect, my apologies. I didn’t read the email very well (or possibly at all). Thanks for the comments from the Digsby team. I incorrectly made the connection based on the password Gawker had on file; it was an old password I was sure I had only ever used for IM clients.

Again, if this is the first you’ve heard this, here are the important links:

Categories
Culture Tips & How To's

No “Gate Rape” for Canadians…yet.

With all the talk of enhanced pat-downs/sexual assault/gate rape being conducted by the TSA at US airports (in the event that you wish to opt-out of the full body scan), I was wondering what the Canadian Air Transport Security Agency’s policy might be. Typically we seem to follow US rules fairly closely up here.

CATSA’s web page describing the full body scanning process does not even mention the option to opt-out. Their “Physical Search” page states the following:

A physical search may involve a Screening Officer using a wanding technique with a device that detects metal objects. During a physical search, a Screening Officer performs a visual search and a search through touch to ensure that a traveller is not concealing anything under his or her clothing.

Sounds pretty benign.

So I thought I’d ask Reddit for their experiences. A user named SwifferWestJet who seemed to know what they’re talking left a helpful comment. Essentially, the pat downs are “traditional.”

Categories
Tips & How To's

How To: Watch Hulu in Canada. A New Method.

In August I posted a method I found for watching Hulu in Canada (or anywhere outside of the US for that matter). Unfortunately, that method was a little complicated and Hulu fixed it a few days after Lifehacker posted about it. Last Night I found a new hole and this one’s a fair bit simpler. Here’s a handy instructional video.

The Firefox modify headers extension can be downloaded here: https://addons.mozilla.org/en-US/firefox/addon/967/

Check out the reddit discussion for more details.

Categories
Apps Tips & How To's

Firesheep: A Valid Reason to Fear WiFi or How To Hack Your Wife’s Facebook

Just in time for Halloween, a developer by the name of Eric Butler has released Firesheep – a truly terrifying security tool. It’s so simple to use it makes script kiddies look like rocket surgeons. All you have to do is install the Firefox extension, that’s it. With the extension installed at the click of a single button you can collect any session cookies floating around the WiFi network you’re connected to and use those cookies to browse any website the victim logs in to. To reiterate, if you’re on a public (or unsecured) wifi hotspot anyone else on the network has the ability to view your Facebook account, without any technical knowledge at all.

As you can see in the screenshot. Firesheep gives you a nice list of all user logins you’ve collected, including their profile pictures for your convience; clicking one logins you in to the social network as that user, giving you full access to everything they have access to.

While this type of attack has always been a vague hypothetical possibility and there have always been tools available to take advantage of this sort of exploit, it is has never been this simple. It’s the equivalent of putting a “give me money” button on the side of an ATM. Facebook, Twitter and friends are going to have to take notice.

What Not To Worry About

  • Private WiFi. If you know and trust everyone on the WiFi network you’re connected to at home or at work, you probably shouldn’t worry too much. You’re still just as vulnerable to the attack on a private or encrypted WiFi connection. But without open access to the general public, it’s a lot easier to catch the person messing with your account.
  • Passwords. This exploit works without ever knowing your password. No respectable website stores your password in plain text and even if someone gets into your account, most websites will not allow a user to change the password without entering the current password.

How To Protect Yourself

Firesheep is taking advantage of the fact that your session data is being sent over wifi in plain unencrypted text. The only effective protection against this is full end-to-end encryption using HTTPS aka SSL. A lot of websites like banks or government services enforce HTTPS connections due to the sensitive nature of the transactions. Most social networks may offer HTTPS if you type it into the address bar (ex. https://facebook.com/ or https://twitter.com/), but since encryption slows down connections somewhat and is a little more taxing on server hardware, no social networks require you to connect with HTTPS. I suspect this will change within the next couple of weeks, if not sooner. In the mean time there are some steps you can take to make your browser use https.

  • If you use gmail, they provide a handy setting to force gmail to always use a secure connection. Details here. Enable this if you haven’t already. This is not necessary, gmail went 100% SSL earlier this year.
  • For other sites always include the ‘s’ after https when logging on to a website. This should work with any major website. Update your bookmarks now.
  • Right now, I’m serious…
  • ….
  • Unfortunately, updating your bookmarks is not enough. Even when you log in via a secured connection Facebook and many others do not continue to send your traffic over secured links as you click around the site. Meaning, as soon as you leave that first httpS page, your may begin to expose your session details.
  • If you use Firefox, Techcrunch has an article on configuring Force-TLS an add-on that forces sites to use HTTPS. Details Here.
  • If you use Chrome or Safari, there are a few Greasemonkey extensions you can install that do similar things. This one covers a lot of sites. Take a look at the directory for more.
  • Do not user Internet Explorer.

That said…

If you’re wondering who that neighbour with open WiFi has been messaging on Facebook, it’s never been easier to find out. Download the extension (disclaimer: don’t actually do this, it might be illegal).

Categories
Tips & How To's Websites

How To: Watch Hulu in Canada. The Definitive Guide.

Update, November 6th, 2010:

The method in this post no longer works. But, I’ve found a new workaround.

Disclaimer: The method described below almost certainly violates Hulu’s Terms of Use. I do not know the legal ramifications of breaking these TOU. I am not suggesting that you actually follow my fictional instructions.

I’ve finally cracked the nut on watching Hulu in Canada. At the time of writing, this method is 100% successful; I’m confident the method also works internationally, but I have not been able to get any corroboration. Before you read on, let me warn you that these instructions require basic tinkering skill on OS X, Linux and routers; advanced tinkering skill on Windows. At the bare minimum, you’ll need to know how to open a command prompt/terminal window in your operating system.

Instructions:

  1. Open Firefox. The workaround requires a Firefox add-on, so unfortunately the method is Firefox-only at this point in time.
  2. Install the “Modify Header” add-on, download it here: http://addons.mozilla.org/en-US/firefox/addon/967
  3. Configure the add-on using the instructions I previously posted for watching Comedy Central in Canada. Here’s a quick reference image: http://imgur.com/Feb4 VERY IMPORTANT NOTE: The IP address referenced in the instructions “12.13.14.15” is being actively blocked by Hulu, You’ll need to replace it with a known American IP address. Ask an American friend for their IP or see Appendix A for instructions on how to find a US IP address. The address you use should not affect the method, it’s merely being used to trick a portion of Hulu’s geo-location algorithm.
    NOTE: These settings interfere with other sites that you WANT thinking you’re from Canada. You can always disable the rule in modify headers when not using Hulu.
  4. Block port 1935.
    This is the real breakthrough I came across. Turns out Hulu’s flash video player attempts a direct connection to your computer via the RTMP port to verify your real IP.  When you block this port it the falls back to HTTP allowing the video to play. Blocking ports is fairly straightforward on Mac and Linux, but looks to be somewhat difficult on Windows. See Appendix B for complete Port blocking instructions for all OSes.

Notes:

  • If you are able to navigate Hulu.com, load a video and watch the commercial but then get a blank player or an error message afterwords, then you have not properly blocked the port.
  • If you are not even able to navigation Hulu.com, you have misconfiguration the modify headers plugin, or you are using an IP address Hulu is actively blocking.
  • This work-around also works for other sites that have video players powered by Hulu on the backend. Discovery Channel for example.
  • It’s likely that non-Hulu-related restricted video websites may use a similar RTMP verification method will not function. You may want to disable the Port block when not watching Hulu. See Appendix C for instructions.
  • It’s unclear whether the holes that allow this workaround are a bug or a feature. My guess is that closing them my results in certain IP on US soil to be blocked inadvertently.

Thanks to Jason Pollock, who’s slashdot comment pointed me in the right direction; and the Reddit /r/Canada community – especially MarshallX and got_milk4 – who helped me out with my initial instructions.

Thoughts about Hulu:

In the past I’ve had some limited experience checking out Hulu in hotel rooms on trips to The States, I’ve generally been impressed by it and I’m sure I’ve written about my impressions in previous TV posts. After a few days of “real world” usage, I’ve changed my mind a little. I no longer see Hulu as this Holy Grail of online TV watching experiences that Canadians could only dream of. It’s not a real alternative to torrenting and it’s only somewhat better than Rogers On Demand or the various individual Canadian network TV experiences.

The selection of available shows is (I hesitate to say “terrible,” Hulu has a metric tonne of content) not great, I was not able to find full episode of any recently aired show I wanted to watch. As far as I could tell, if the show is new Hulu only has short clips. On the other hand, I was able to find full series of shows I’d have difficulty finding in torrents or elsewhere online – like Sliders and Firefly. Hulu’s movie selection is not even worth mentioning.

Aside from the selection, I was astonished by the amount of ads. Full length shows typically have a 15-90 second pre-roll ad, plus network ID, plus 15-60 second interstitial ads during the show at broadcast TV; due to the heaps of praise Hulu generally receives in the Tech media, I was under the impression that they served little to no advertising. Granted it’s less than regular TV, but more than I’d accidentally watch on a PVR and it’s more than the 0 I’d see in a torrent.

The TV industry needs to find a better way to make money.

Appendix A. How to find a US IP address.

As I mentioned above in step 3, the X-Forwarded-For header requires a valid US IP address. It’s best if you use a unique-ish IP address, instead of the ones listed in my example. There are 2 simple ways to find a US IP address.

Method 1)
Ping a known US domain name, record the result. For example:

PING google.com (74.125.95.104): 56 data bytes

Downside: it’s hard to know for if the server that responds is actually located in the USA. If it works, run with it.

Method 2)
Pick a random valid IP address for a known US Organization. A few examples:
AT&T: 12.0.0.0-12.255.255.255, 32.0.0.0 – 32.255.255.255
MIT: 18.0.0.0-18.255.255.255
Xerox: 13.0.0.0-13.255.255.255

Downsides: none

Appendix B. Blocking Ports.

This is the tricky part. If you have a router or firewall that gives you a simple interface for blocking ports, I’d suggest using it, rather than OS-level configuration. Anyways, here are the instructions for various OSes:

Mac OS X:

sudo ipfw add 0 deny tcp from any to any 1935
sudo ipfw add 0 deny udp from any to any 1935

Third-party firmware routers (Tomato, DD-WRT, OpenWRT):

iptables -t nat -A PREROUTING -p tcp --dport 1935 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 1935 -j DROP

Windows XP, Vista, 7:
See section 3 of MarshallX’s stellar Google doc for instructions. Based on comments I’ve seen on the Reddit post, this method is a little finicky.

Linux:

iptables -A INPUT -p tcp --dport 1935 -j DROP
iptables -A INPUT -p udp --dport 1935 -j DROP


Appendix C. Undoing the Block.

Mac OSX:

If these are the only firewall rules you’ve ever added:

sudo ipfw delete 00100
sudo ipfw delete 00200

If you’ve got other rules in the firewall run:

sudo ipfw list

Output will look similar to this:

00100 deny tcp from any to any dst-port 1935
00200 deny udp from any to any dst-port 1935
65535 allow ip from any to any

Use that first number as the ID for the ipfw delete command.

Windows: Delete the policies and filters you created (the ones with “Hulu” in the name).

Linux: you’re on your on. I think you run the same commands you use to block the ports, instead of “DROP” use “ADD”. But I can’t guarantee that.