Nik's Blog

Geekery, witty insights, software (of dubious quality) and more!

security

Access authenticated feeds in Google Reader using Yahoo Pipes

As I’ve mentioned before, I’m a Google Reader fanatic. Nothing else handles RSS as smoothly as it does.

The one gigantic failing of Google Reader is that you cannot receive password-protected feeds that request user authentication. I think that sucks. A lot.

So I created a Yahoo Pipe to work around this failing.

Just go to the appropriate pipe and run it. It will prompt you for the feed’s URL, your username and your password. Enter all that information, and you’ll get your own private URL you can use in Google Reader (or any other RSS reader that cannot answer an HTTP auth challenge).

Warning! Feeds accessed in this way are open to everybody, so if you’re using NewsGator or Bloglines or some other service that shares your feeds with the world, be sure to mark the feed as not shared. Otherwise you might get your private access summarily cut off when it’s determined that your personal password is effectively being broadcast to the world. Also, your Yahoo Pipes URL will contain your login and password, so even if you’re okay with giving the world access to premium content, you may not be so pleased about sharing your password with the same unwashed masses. You have been warned. Caveat RSS reader.

Hardening your Mac against hackers

Cocoia Blog hosts a great two-parter on how to make your Mac virtually impregnable to the common thief or hacker. While a lot of these measures will seriously impair your ability to use your Mac easily (such as turning off Bonjour networking entirely), they will also make you quite a bit safer.

If you have sensitive documents on your computer, these are things you should, at the very least, consider implementing.

Cocoia Blog Howto: A more secure OS X before Leopard

Online peace of mind with GlowWorm FW Lite

I’m a long-time fan of Little Snitch, a nifty application from Objective Development that lets you monitor and restrict which applications and processes can access the internet. This gives maximum protection from spyware and other malicious software that “phones home” for any reason.

On the Mac, Little Snitch has been without competition for quite a while. But it looks like things are heating up.

GlowWorm FW Lite is a new freeware utility that does much the same thing. As with Little Snitch, you can create fairly complex rules (such as allowing an application access to only certain destination hosts, allowing a program access over a single port to any host, or various other combinations). I haven’t tested it in detail, but it appears to work quite well, and the price is hard to beat.

As for whether you need this, well, that depends on how much you care about knowing which programs contact which servers, and also how diligent you are about security. For me, I find the peace of mind this kind of utility provides is well worth it. Even innocuous calls to home base are sometimes inadequately disclosed, and this keeps me aware of them.

Hash a Pass: No panacea

Hash a Pass was recently featured on Digg.com and is an interesting idea. Using a master password and a JavaScript implementation of the SHA-1 hash algorithm, you can generate a strong, unguessable password, and then simply regenerate it when you need it again.

A nifty trick, to be sure, but does this really make you safer?

Here’s an example of how it works: I set my master password to my super-secure l33t password of ‘p@22w04d’. Then I generate a password for, say, Apple.com. So I type in “apple” as the parameter and it generates the wonderful password of ‘EZbqNhEK’, which is really a pretty strong password.

When I next need to log in to Apple, I go back to hashapass, enter the same two keys, and get the same password. End result: lots of cryptographically strong passwords which I don’t have to remember! All I need is my master password!

Here’s the question: what does this protect me against?

Anyone using the same algorithm can re-create any of my passwords by entering the two keys. The key for each site/password I want to maintain will necessarily have to be easy to remember (such as the site’s domain name or title). So, if they can guess my master password, it will be trivially easy to get at anything I’ve registered for.

What it does protect against is the possibility that one site’s passwords are leaked, cracked or stolen, and that the password I use there (and everywhere else) is then tried on a dozen other sites, giving the thieves access to everything.

It’s not a huge benefit over storing or memorizing passwords, as I still need to remember which sites I’ve used hashapass for, and remember what key I used for each site. (Again, the domain name becomes the most likely input.) This is roughly analogous to having all your passwords stored in an encrypted file/database with a single “master password” to unlock all of them.

Is it better than using the same password on every site? Undoubtedly yes. But it’s hardly 007-grade security. Indeed, it’s probably safer to use a product like Web Confidential to keep a variety of passwords and just look them up when you need them. Yes, someone gaining the file and the master key will have the keys to your kingdom. But with hashapass, they only need the master key; the “database” is right there online.
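As an added illustration (my own code, not hashapass’s), here is the derivation in Python, assuming hashapass takes the first 8 characters of base64(HMAC-SHA1(master password, site parameter)). The functions show both the benefit (a distinct password per site) and the cost the post describes (one leaked site password plus its guessable parameter lets anyone confirm a master-password guess offline, so the master password carries all the weight).

```python
import base64
import hashlib
import hmac

# Assumed construction (not verified against hashapass.com): the site password is
# the first 8 characters of base64(HMAC-SHA1(key=master password, msg=parameter)).
PASSWORD_LENGTH = 8


def hashapass(master, parameter, length=PASSWORD_LENGTH):
    """Derive a per-site password from the master password and the site key."""
    digest = hmac.new(master.encode("utf-8"), parameter.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def site_passwords(master, parameters):
    """The benefit: one master password yields a different password for every
    site, so a password leaked from one site is useless on the others."""
    return {p: hashapass(master, p) for p in parameters}


def master_is_confirmed(site_password, parameter, candidate_master):
    """The cost: the 'database' is public. Whoever holds one site password and
    its (easily guessed) parameter can check a candidate master password
    offline, so the whole scheme is only as strong as the master password."""
    return hmac.compare_digest(hashapass(candidate_master, parameter),
                               site_password)


if __name__ == "__main__":
    master = "p@22w04d"  # the weak master password from the post
    pws = site_passwords(master, ["apple", "google", "amazon"])
    for site, pw in pws.items():
        print(f"{site:>8}: {pw}")
    # Regenerating with the same two keys gives the same password (nothing to
    # store), and a single leaked site password confirms the master instantly.
    print(hashapass(master, "apple") == pws["apple"])            # prints True
    print(master_is_confirmed(pws["apple"], "apple", master))    # prints True
```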
