2010-10-29

WARNING: that 13-year-old with a laptop in Starbucks just hijacked your bank account.

Note: I'm writing this up for my less tech-savvy friends ... some of you knew how to do this before it was easy ... but now it is just stupid simple and anyone anywhere can do it. For another blog on this subject (showing how someone might actually use this attack to help educate people), see this page.


You see that 13-year-old kid with a laptop over there? Or that 50-something? Doesn't matter where you are ... airport, Starbucks, next door neighbor's house, hospital lobby ... if you ever log in to a web service over an insecure session (more on that in a second) someone can hijack your web accounts if you aren't careful.

How? Well, here's the surprise. You see, when you log in to a website like Facebook or Yahoo mail you log in once to establish your identity. And if you log in over an insecure public network (pretty much any network like those at Starbucks, McDonald's, hotels, airports would qualify) and do not use a secure web service (i.e., the web address starts with "HTTPS" ... the "S" being the important letter) then someone else on that same network can intercept your password in real time.

That's been known for a while, but I bet you didn't know that someone can intercept your session even after you have logged in. Why is this important? Because many sites will direct you to a HTTPS (secure) login page ... but once you've logged in they default to normal HTTP (insecure). But that's been known for a long time ...

Even worse? This is the part that this post is about ... once you log in securely if you are dropped to an insecure web server then someone can "sniff" the network you are on and get your "cookie". A cookie is what the site sends you when you first log in. It is a string of characters that you send back to the web site whenever you view a page that says "hey, I already logged in once, just use this instead of making me enter my password for every page".

Now what this means is that someone can, while at that Starbucks/hotel/etc, scan the network and wait until you appear on it and load any information from a page like Facebook (and your browser will constantly do this even if you never touch that Facebook tab again). They can then take your cookie, and it will tell them not only what your name is on that service but it will let them click on it to immediately get into the site as you.

Now that might not seem too bad, right? They don't actually have your password. But wait ... what if one of those services is a web mail service? If they can access your email AND they happen to know anything about your other accounts then they might be able to go to that other service and use the "I lost my password, email it to me" option. What if they know where you bank? Well if they got your real name from your Facebook session ... they can also get your credit report in a matter of a minute or two.

How is this done? Well, the ability to do this was always out there. People with enough skill could use tools to read all of the data going across that open network. So this is really nothing new to the determined criminal. But now with the release of a software package called "Firesheep" -anyone- can do it inside the Firefox web browser. This software does all of the hard work for them. All they have to do is install it (takes less than a minute) and start up Firefox. Then they just watch until your name pops up on the screen. Once they do that they can click on your name and see anything you have access to on that service.

So ... what can you do to protect yourself? (Caps below for emphasis ... I'm not yelling at you :)

1) NEVER log in to ANY site that has ANYTHING sensitive (and plenty of people consider the ability to post their Facebook status "sensitive") on an insecure WiFi network unless that site is using SECURE HTTP (HTTPS). That was basic "public networking 101" since WiFi came out and you probably already knew that.

2) Make sure that any site you access that you don't want others to access (like ... again ... Facebook or your email) not only lets you log in over HTTPS but ALSO lets you browse over HTTPS.

EXAMPLE: If you log in to Facebook right now it will go over HTTPS (although they're pretty bad about letting you realize this since it doesn't show up in their login page). However once you do that you will be put onto their unsecured HTTP site. At this point, if you had been on a public network, someone could have snatched your cookie. It would only have been safe if after you logged in you had been sent directly to a HTTPS address.

3) In a case like the example above, you can sometimes force the site to let you browse securely by just changing the "HTTP" to "HTTPS". However it is important to re-state the fact that if you had done this after logging in while on a public network it would have still broadcast your "cookie" that one time.

4) So if you wanted to be safe in the example above you would have needed to have logged in from a private network FIRST and then continued your browsing on the public network only after having changed it to "https".

BUT

Every link and image on that page, even after you changed it to HTTPS, is using standard HTTP (at least in the case of Facebook). That means you're still not safe. It is up to you to make sure ... before you use it on an open network ... that you can safely browse on HTTPS the entire time.
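The leak described in steps 2 through 4 comes down to one browser rule: a cookie is attached to every request whose host and path match it, and unless the site marked the cookie "Secure" that includes plain-HTTP requests for images and links. The small model below is an added example written for this post (not the author's code); the host names and cookie values are constructed placeholders, and it shows why retyping "https" yourself does not help while a Secure cookie set by the site does.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name/value plus the attributes we need."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "secure": False, "domain": None, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            cookie["secure"] = True              # browser sends it over HTTPS only
        elif key == "domain":
            cookie["domain"] = val.lower().lstrip(".")
        elif key == "path" and val:
            cookie["path"] = val
    return cookie

def would_send(cookie, request_url, origin_host):
    """True if a browser attaches `cookie` (set by origin_host) to request_url.
    A cookie lacking Secure also rides on plain-HTTP requests: the leak the post describes."""
    u = urlsplit(request_url)
    host = (u.hostname or "").lower()
    if cookie["domain"] is None:
        host_ok = host == origin_host              # host-only cookie
    else:
        host_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    path_ok = (u.path or "/").startswith(cookie["path"])
    scheme_ok = u.scheme == "https" or not cookie["secure"]
    return host_ok and path_ok and scheme_ok

def cleartext_exposures(set_cookie_header, origin_host, resource_urls):
    """Sub-resource URLs on a page that would carry the session cookie unencrypted."""
    cookie = parse_set_cookie(set_cookie_header)
    return [url for url in resource_urls
            if urlsplit(url).scheme == "http" and would_send(cookie, url, origin_host)]

# Constructed sample data; social.example is a placeholder, not a real site.
ORIGIN = "www.social.example"
WEAK_COOKIE = "sess=abc123; Domain=.social.example; Path=/"          # the 2010 default
SAFE_COOKIE = "sess=abc123; Domain=.social.example; Path=/; Secure"  # what the site should set
PAGE_RESOURCES = [
    "https://www.social.example/home.php",    # the page after you retyped "https"
    "http://static.social.example/logo.gif",  # an image still served over plain HTTP
    "http://cdn.other.example/widget.js",     # third party: cookie domain does not match
]

if __name__ == "__main__":
    print("weak cookie exposed on:", cleartext_exposures(WEAK_COOKIE, ORIGIN, PAGE_RESOURCES))
    print("Secure cookie exposed on:", cleartext_exposures(SAFE_COOKIE, ORIGIN, PAGE_RESOURCES))
```

Running it lists the HTTP image as an exposure for the default cookie and nothing for the Secure one, which is the fix the sites themselves have to ship.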

If the site you need to use simply won't let you secure your session you have 2 further options:

a) You can browse over a VPN ("virtual private network"). Those will encrypt your traffic but unless you get one from work or you have a very friendly networking guru in your life you will have to pay for this service. Even an extremely simple SSL VPN or Windows-based VPN will suffice.

b) Don't browse your site from that network.

Period.

I highly encourage you to encourage your favorite sites to work on this problem. They've known about it for years and years. But now they can't just ignore it. Or rather you shouldn't let them keep ignoring it.


PS. I used Facebook a lot in my examples. It was easy. Hopefully at some point after this writing Facebook will have fixed their security issues ... but even if they do that (and I'll try to remember to update this if they do so) it won't stop OTHER sites from having the same problem. I know that in the past Yahoo mail did similar stuff with secure sessions and cookies. This is because running data over HTTPS requires more processing overhead and a little more cost than open web traffic. But in these days of open networks everywhere ... it is worth that expense.

2010-08-14

U.S. Postal Service? Shipping a Package? Don't bother.

(EDIT after I posted this the dress arrived ... 2 days late and without any warning ... the USPS never scanned the tag so we couldn't track it ... combined with the bridesmaid dresses being run over we had no way to know ... at least we got it ... but NEVER EVER ship valuables USPS)

So the U.S. Postal Service (USPS) has once again proved why FedEx and UPS are such successful businesses. Cheap != better.

Earlier this week my fiancée shipped a package via the USPS "1 day" Express. The package was in before the deadline for going out that night. When did it get there? 2 days later.

On Wednesday the person making her wedding dress shipped both the wedding dress and bridesmaid dresses via the USPS. Guess what? The wedding dress will probably never arrive.

The person shipping it got a tracking number. So Friday morning we tracked it and realized from the text that the USPS had not yet (2 days later) even scanned it into their system. So we contacted the dress maker and she swore she dropped them off Wednesday. She ended up driving to her Post Office to check on them. Nothing. Lost.

Yes, the dress maker insured the shipping, so $ aren't the problem here ... but we have 1 week to figure out a replacement for a dress that took months to have made. It was a custom design by my fiancée to fit her dreams of a Steampunk/Victorian style dress. It was looking pretty magnificent from what we could tell.

A couple of hours later we got word that the dress maker had the bridesmaids dresses. They were returned to her by the Post Office. The box had been run over by a vehicle.

Today? No word on the wedding dress. So unless it magically appears in a couple of hours it is pretty certain that both of the boxes fell off the transfer truck and the wedding dress didn't get recovered. That's actually close to a best-case scenario.

I doubt we'll ever know what happened to it. Anyone want to take bets on the USPS not bothering to investigate and just paying out the insurance? Wouldn't much matter unless they investigated by Monday. Yeah.

So in the end:
* The USPS loses $1000+ in insurance money, they won't notice that.
* The dress maker gets her money from the PO and returns our payment.
* My fiancée has to figure something out that will definitely not be what she wanted after spending months dealing with the stress of organizing things versus her mother.

Simply put: don't ship anything of value via the USPS. I haven't done it for years. I would have paid the extra for shipping if I'd known that the dress maker was going to ship USPS just to get it on FedEx or UPS. The USPS is cheap for a reason.

2010-04-04

Jailbreaking the iPhone 3G with a modern firmware and no Apple PC

This is another of my "I'm getting old and I really don't want to forget what worked" posts. You likely won't find much of use here.

I'm trying to update my iPhone to firmware 3.1.2 (yeah, 3.1.3 is out but doesn't do much other than rip the ability to tether off the phone again). The key here is that I DON'T want to update my modem baseband as I have the cherished 4.26.08 version that is easily unlockable. I also want to have a version that I can use for tethering.

This would be (probably) much easier if I had an Apple PC for using Pwnage, but I don't. And I decided to spend 2 days figuring this out on my PC rather than going to my sister's house for 2 hours. Duh. I'm not going to bother saying how many times I downgraded to older firmwares / put the phone in a recovery loop / etc.

The key components were:

* Prebuilt IPSW file from someone else built in Pwnage. My file was "iPhone1,2_3.1.2_7D11_Custom_Restore_UNTOUCHED_500MB.ipsw". The key information is:

  1. no baseband included
  2. "UNTOUCHED" means "unactivated" means "works on AT&T". For now I'm not moving my iPhone off of AT&T. For now. I know, I threatened awhile back, I just didn't get around to it.
  3. 500MB ... since Cydia installs to the media partition now there isn't much reason for a 1GB partition
* iReb from iH8sn0w ... this utility allows you to put your phone in DFU mode (hint: put the phone in DFU WHILE the iReb app is running) and cause a whitescreen.

* Once in whitescreen mode you can use iTunes to restore the custom firmware. This allows you to skip the errors that prevent iTunes from otherwise working.

* FAILED DON'T DO THIS: Once THAT is done I used redsn0w 0.9.3 (which includes the IPCC tethering patch) to re-break my phone. To do this, make sure you use the "Already pwned" option in redsn0w. This also gives you the option of adding a custom boot logo.

* NEXT: Install MyWi from Cydia. Launch the "Rock" application and create a Rock ID. Go to settings and enable USB tethering. I don't know if this will break once the app's trial period ends. Quite possibly ... though probably not IF you never open it again. Since I want the ability to connect over WiFi I'm going to spend the $10 on it.

The biggest problem was I wanted tethering. If I would have been happy without it I could have used sn0wbreeze and 3.1.3. I even had that working at one point. I didn't want to use other methods because I didn't want to risk upgrading my baseband.

Apple is unfortunately getting good at preventing or making much harder all the jailbreaking methods used so far. I expect it will get harder and harder to do this on my phone in the future.

If you do this ... I highly recommend keeping copies of all the files you use to do it in case newer versions change the process in the future. Please don't ask me for copies of firmwares, I'm not going there.


2010-03-22

Open note to CNN.com regarding video ads

I emailed this to CNN.com ... but I also know that that probably gets tossed in the bit bucket. This is MY bit bucket for Google to index and all to see, even if only a few do.

The amount and length of the ads CNN.com places before video segments has become prohibitive.

* Much more of your content is video based now

* To watch even a 15 second clip (not counting replays of the same thing ... like the Stupak baby killer video) I have to watch a 30 second advertisement.

* To watch another clip I have to watch another advertisement.

Suggestions:

> Shorter clips.

> Longer clips only on longer videos

> Track how many ads I've seen recently so I don't have to see a new one just to watch another short clip. A 4:1 ratio of ad length to clip length (cumulative) is the max I'm going to go for.

> Vary the ads ... seeing the SAME ad over and over is horrible

> Seek out ads that aren't identical to the ones we see on TV

> Examine the Hulu model of letting us choose the style and length of Ad we want

Until then, I will just keep closing windows as "not worth it", and start looking for my news elsewhere. Like I just did when I was going to have to watch 30 seconds of Donald Trump and his impersonator -again- just to see if 4 servicepeople made good music. I'll never know. Or if I do know ... I'll know by watching them somewhere else.

2010-03-16

MySpace just jumped the shark.

MySpace just jumped the shark and decided to sell user data to 3rd party firms.

I haven't used MySpace much for years now anyway, so the answer for me was simple: leave.

If you're in the same boat ... make sure you actually edit your user data before deleting your account. Change things like your First / Last name, home town, etc. to "PRIVATE". Delete your photos. Message your friends and then un-friend them. If you just delete your account or set it inactive then all that does is stop you from logging in, but in theory (who knows what their practice here will be) the data will stay in their systems. If they're going to sell your data ... give them bad data to sell.

Take this as a warning Facebook and Twitter ... if you sell my data I will pollute it and leave. I don't care if you set up ad targeting systems so that the ads I see are relevant to me, but don't be turning into the next generation of spam lists. That's not what I signed up for.