David Jack Wange Olrik

Tea. Earl Grey. Hot.

Open as in OpenSSL?

Heartbleed

As the dust settles around the Internet[1], and all the sysadmins around the world are finishing the huge amount of work involved in cleaning up after the Heartbleed bug, we as users of the Internet now have an equally large workload[2] ahead of us.

I’m not going to explain the nature of the bug, as that has already been covered in great detail on numerous other sites[3]; what I am going to talk about is what “normal” people need to do after the techies have cleaned up.

Everything you have sent across the Internet for the past two years is potentially compromised. This includes ALL your usernames and passwords - yes, it is that bad - and if all your passwords are compromised, then you are compromised and an easy target for any number of exploits and digital takeovers. Remember how Mat Honan got hacked.

"Catastrophic" is the right word.
On the scale of 1 to 10, this is an 11.

As you might have guessed, the task at hand is changing ALL your passwords[4] before someone else does, but only after your service provider has fixed their systems[5]. Every site you use should have a unique password[6], so that if one password is compromised only one account is exposed. No one can remember all those passwords, and nobody should try. Luckily for us there are plenty of password managers to help with this.

The two most prominent password managers are LastPass and 1Password with 1Password being my absolute favorite.

1Password is available for iPhone, iPad, Mac and even Windows and Android, so take your pick and start changing your passwords now![7]

In 1Password on the desktop you can create a smart folder with all the passwords you haven’t changed[8] since you started your cleanup; furthermore, you can sort this folder by frequency[9], allowing you to change your most important accounts first. But please remember to change your email[10] account first, as this account can often be used to reset[11] the passwords for your other logins.

How to create a Heartbleed Smart Folder

Another cool feature in 1Password is the “Security Audit” section, which is a group of predefined smart folders that help you identify passwords that need to be changed[12].

Remember to verify the SSL certificates
before updating your passwords.
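The pull quote above, and footnote 7 below, say to look at a site’s SSL certificate before changing the password there, using the certificate’s date as the indicator that the service has been fixed. The following Python script is an example added here, not code from the original post: it fetches a server’s certificate with normal chain and hostname verification, reads its notBefore date, and reports whether the certificate was issued after Heartbleed became public on 7 April 2014. The disclosure-date constant, the placeholder hostnames and the inline sample certificate records are my own assumptions and constructed values, not from the post.

```python
"""Report whether a site's TLS certificate was issued after the Heartbleed disclosure.

Added example (not from the original post). It automates the post's advice of
checking the certificate date before updating a password on a site.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumption for this example: the day Heartbleed became public, used as the
# earliest date on which a reissued certificate can be taken as "fixed".
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_time(value):
    """Convert a notBefore/notAfter string as returned by ssl.getpeercert()
    (e.g. 'Apr  8 00:00:00 2014 GMT') into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def reissued_after(cert, disclosure=HEARTBLEED_DISCLOSURE):
    """True if the certificate's validity starts on or after the disclosure date."""
    return parse_cert_time(cert["notBefore"]) >= disclosure


def assess(cert, disclosure=HEARTBLEED_DISCLOSURE):
    """Return a short verdict string for a getpeercert()-style dict."""
    not_before = parse_cert_time(cert["notBefore"])
    if not_before >= disclosure:
        return "certificate issued %s, after disclosure: OK to change password" % not_before.date()
    return "certificate issued %s, before disclosure: wait, site may not be fixed" % not_before.date()


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the server certificate with chain and hostname verification.
    create_default_context() verifies the chain and checks the hostname, so an
    untrusted or mismatched certificate raises ssl.SSLError instead of being
    silently assessed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample records in the shape ssl.getpeercert() returns, so the
# logic can be exercised offline. The hostnames are placeholders.
SAMPLE_OLD_CERT = {
    "subject": ((("commonName", "old.example.test"),),),
    "notBefore": "Mar  1 00:00:00 2013 GMT",
    "notAfter": "Mar  1 00:00:00 2015 GMT",
}
SAMPLE_NEW_CERT = {
    "subject": ((("commonName", "new.example.test"),),),
    "notBefore": "Apr 10 12:00:00 2014 GMT",
    "notAfter": "Apr 10 12:00:00 2016 GMT",
}


def main(argv):
    if len(argv) < 2:
        # No host given: show the verdict on the constructed samples.
        for cert in (SAMPLE_OLD_CERT, SAMPLE_NEW_CERT):
            print(cert["subject"][0][0][1], "->", assess(cert))
        return 0
    host = argv[1]
    try:
        cert = fetch_cert(host)
    except (ssl.SSLError, OSError) as exc:
        print("%s: could not verify certificate: %s" % (host, exc))
        return 2
    print("%s -> %s" % (host, assess(cert)))
    return 0 if reissued_after(cert) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_cert_date.py example.org` (the filename is a placeholder). As the post says, the date is only an indicator: an operator can reissue a certificate with the same private key, so a post-disclosure date does not prove the key was rotated, while a pre-disclosure date is a clear sign to wait before changing that password.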

If you want to know more about Heartbleed you can find additional information on these sites:

And for the geeks, here is a perl script you can use to test for the bug:

Happy updating!

  1. …there is still a lot of dust in the air and it’ll probably continue to be there for a while.

  2. albeit a lot less technical.

  3. This is one of the better ;-)

  4. …or at least the most important ones first…

  5. Everyone should have fixed their systems by now; if not, you might consider changing provider.

  6. And have two-factor authentication enabled if possible. I recommend using Authy on the iPhone for collecting all your TOTP tokens.

  7. But please wait until you are sure the service in question has been fixed; a good indicator for this is the date on the SSL certificate.

  8. I have a little over 600 passwords that need to be changed.

  9. Please note that sites like Facebook won’t show up here as you typically don’t log in and out very often.

  10. Yes, it is not just websites that are affected, all kinds of services use OpenSSL.

  11. Just ask Mat

  12. Although the date-based folders make less sense when using 50-character passwords with a good mix of letters, numbers and symbols.

Paw HTTP Client

Paw

When developing web apps you spend a lot of time in the browser, and before long you have a crap-ton of open tabs, which slows the system down and is a total pain to navigate around in.

I have previously used HTTP Client when testing JSON APIs; it did the job, but to me it always felt a bit too simple[1].

Someone on Twitter mentioned Paw being awesome - and boy were they right!

Paw is packed full of useful features like HTTP header auto-completion, response formatting with syntax highlighting and, the most useful of them all, request grouping. Paw will sort your requests by host and HTTP method[2], making it really easy to find the request you’re looking for in a snap.

Having an easy way to edit and execute complex HTTP requests is super awesome and saves me a lot of time. Paw can also generate code for your request, but alas no perl.

Paw comes with a selection of HTTP libraries, each of which has some shortcomings[3]. The default, called “GCD AsyncSocket”, provides more debugging options but is less battle-tested than the other options provided[4].

Judging by the changelog on the iTunes store, the app is being improved continuously and the developer is really responsive to feature requests[5].

I highly recommend Paw.

  1. …and a bit buggy.

  2. You can also sort by response code, name, URL, etc.

  3. Especially Apple’s own NSURLConnection.

  4. I use ASIHTTPRequest because I need it to work behind a proxy.

  5. I asked for proxy support in the “GCD AsyncSocket” library, and it should be coming in version 2.0.6.

Testing With "Latest"

Perl

A few months ago I gave a small talk at the Nordic Perl Workshop 2013 about a clever way of combining cpanm and local::lib to test your CPAN modules with the latest versions of their dependencies.

I have a few Perl modules on CPAN which are mostly feature complete and as such don’t need regular attention and updates, but the world around them changes all the time, so continuous testing is still needed.

Pick your favorite Continuous Integration[1] server and add this small script:

# Install local::lib into a private directory
cpanm --local-lib=~/perl5 local::lib
# List the dependencies (cpanm prints "Module~version"), keep only the module
# name, skip perl itself, and install them into the same local::lib.
# The comments are kept off the continued lines: a "\ # ..." trailer would
# break the line continuation.
cpanm --local-lib=~/perl5 -q --showdeps . \
  | perl -F~ -lanE 'say $F[0]' \
  | grep -v '^perl$' \
  | cpanm --local-lib=~/perl5
# Create the Build file with local::lib active, then run the tests
perl -Mlocal::lib=~/perl5 Build.PL
./Build test --verbose=1

This script will only test with the installed perl; if you wish to test your code on multiple perl versions[2], then I suggest you use plenv and select the proper perl binary with plenv local <version> before installing the dependencies.

# Select the perl to test with
plenv local 5.18.2
# Install local::lib into a private directory for this perl version
cpanm --local-lib=~/perl5.18.2 local::lib
# List the dependencies, keep only the module name, skip perl itself,
# and install them into the same local::lib
cpanm --local-lib=~/perl5.18.2 -q --showdeps . \
  | perl -F~ -lanE 'say $F[0]' \
  | grep -v '^perl$' \
  | cpanm --local-lib=~/perl5.18.2
# Create the Build file with local::lib active (perl takes -M, not --local-lib),
# then run the tests
perl -Mlocal::lib=~/perl5.18.2 Build.PL
./Build test --verbose=1

You can skip the use of local::lib, but using it lets you keep your “test” perls clean, so you can use them to test all your CPAN modules in a known environment.

Happy testing!

  1. I picked GitLab CI as it is a lot more lightweight than most of the other offerings out there.

  2. …and believe me you definitely want to test with at least the current and the previous stable version!

Oracle Instaclient Finally on OS X

Database

If you use OS X to develop anything that connects to Oracle, then today is a good day!

The Oracle 64-bit Instaclient is finally available in a non-crashing version on OS X!

It only took 2 major OS X releases and one major Oracle release[1] for Oracle to build a working 64-bit Instaclient, but hey, this computer stuff is hard…

  1. The Oracle 10.x 64-bit Instaclient never worked on either Lion or Mountain Lion.