MITM Coming to a Job Near You

Just in case you think that man-in-the-middle attacks are just for the victims of Lenovo’s shenanigans, there’s this


Lenovo

You’ve almost certainly heard about the astoundingly stupid actions on the part of Lenovo. Forget about the security implications for a minute. What this boils down to is that Lenovo sold out their customers for a few pieces of silver by installing adware that, despite Lenovo’s protestations, no customer would want. Think about that for a moment. You pay good money for a relatively expensive product and the company selling it to you purposely makes it less useful than what you thought you were buying: unwanted ads pop up and other software stops working.

But of course security is the main story here. The adware, SuperFish, works by intercepting the victim’s HTTP stream so that it can inject ads. That’s bad, but even worse is that it also snooped on SSL/TLS (HTTPS) connections by mounting a man-in-the-middle (MITM) attack against them. It’s as if Lenovo had never heard of what happened when Sony tried something like this with the XCP rootkit on its audio CDs. Spying on encrypted connections is arguably illegal and you can be sure there will be lawsuits, perhaps from the states as happened in the Sony case. Regardless, Lenovo’s reputation has suffered significant, perhaps mortal, damage.

But it gets worse. The MITM was made possible by installing a self-signed SuperFish root certificate into the system’s trusted CA store, so that the certificates SuperFish minted on the fly for each HTTPS site were accepted without any warning. The private key of that root is what matters: it was the same on every affected machine and had to ship with the software. SuperFish stored the key encrypted but, obviously, the password protecting it had to be in the binary for SuperFish to use it. It took Robert Graham no time at all to recover the password and extract the key. That means anyone on the same network as an infected laptop, at a coffee shop or any other public WiFi hot spot, can sign a certificate for any site they like and the laptop will trust it: the connection looks secure but is completely exposed.
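The failure mode described above, as an added example that is not part of the original post and is not code from Lenovo or SuperFish: it builds a throwaway “vendor” root CA standing in for the one SuperFish installed, forges a certificate for an arbitrary host name with the root’s private key, and shows that ordinary chain validation accepts the forgery whenever that root is trusted and rejects it otherwise. All names, host names and keys are constructed for the example; the only requirement is the openssl command-line tool. The last function is the check a practitioner wants on a suspect machine: compare the SHA-256 fingerprints of the roots in a trust store against an allow-list and report any that are not on it.

```shell
#!/bin/sh
# Added example, not code from the original post or from Lenovo/SuperFish.
# Everything here is constructed with throwaway keys; the names and hosts are
# assumptions, the mechanism is the one the post describes. Needs openssl(1).
set -eu
WORK="$(mktemp -d)"

# The "vendor" root that the adware drops into the trust store. Its private
# key ships on every machine, so once extracted it is effectively public.
make_root() {                     # $1 = output basename, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Anyone holding the leaked vendor key can mint a leaf for any host name.
forge_leaf() {                    # $1 = host to impersonate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" >"$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/vendor.crt" \
        -CAkey "$WORK/vendor.key" -CAcreateserial -days 1 \
        -extfile "$WORK/ext.cnf" -out "$WORK/forged.crt" 2>/dev/null
}

# What a client's chain validation says about the forged leaf for a given
# trust bundle and expected host name: prints OK or FAIL.
verify_forged() {                 # $1 = trust bundle, $2 = expected host
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/forged.crt" \
            >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

sha256_fp() {                     # $1 = cert; prints the colon-separated digest
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# The check worth running on a suspect machine: compare every root in the
# store against an allow-list of fingerprints you trust. Prints one line per
# root that is not on the list, nothing when the store is clean.
unexpected_roots() {              # $1 = allow-list file, rest = root certs
    allow="$1"; shift
    for crt in "$@"; do
        fp="$(sha256_fp "$crt")"
        grep -qx "$fp" "$allow" || \
            echo "UNEXPECTED $fp $(openssl x509 -in "$crt" -noout -subject)"
    done
}

# Demo: one adware root, one independent root standing in for a real CA.
make_root vendor "Constructed Vendor Root"
make_root honest "Constructed Independent Root"
forge_leaf bank.example
sha256_fp "$WORK/honest.crt" >"$WORK/allow.txt"

echo "forged cert, vendor root trusted:    $(verify_forged "$WORK/vendor.crt" bank.example)"  # OK
echo "forged cert, only independent root:  $(verify_forged "$WORK/honest.crt" bank.example)"  # FAIL
unexpected_roots "$WORK/allow.txt" "$WORK/honest.crt" "$WORK/vendor.crt"
```

Note that nothing about the forged leaf is malformed: it has a valid signature, a matching subjectAltName and an unexpired validity period, so the only thing standing between the client and the impersonated site is which roots it trusts. On a real machine, feed unexpected_roots the certificates exported from the OS trust store and an allow-list built from a known-good system.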

Lenovo’s reaction to all this is appalling. The best interpretation is that they’re clueless about the security implications. The more likely explanation is that they’re in CYA mode. Lenovo continues to insist that SuperFish represents no security problem despite Graham’s definitive demonstration to the contrary. As I said, expect lawsuits.

UPDATE: certificated → certificate

UPDATE2: I just don’t understand this. Lenovo has proven they don’t care about their users or their safety. Why would you reward them with your trust or money?

UPDATE3: Here’s Robert Graham again putting the lie to Lenovo’s “theoretical concerns” with an actual working exploit. If you’ve got one of these laptops, you need to take action immediately.


Privacy or Security

The government and others are fond of telling us that we must give up some privacy to ensure our security. Paul Downey reminds us of a truth worth remembering.


Limiting the Scope of ace-jump-mode

Over at elisp solves problems, Daniel Gempesaw tells us something I didn’t know: it’s possible to limit the scope of ace-jump-mode. By default ace-jump-mode will find the matching characters in all open windows and frames.

Gempesaw likes to keep related buffers in a frame and wants to limit ace-jump-mode to that single frame. Others want to limit it to the current window, and still others, I suppose, are happy to find all the matches as the default does.

If you’d like to limit its scope, it’s merely a matter of setting an option. Head on over to elisp solves problems for the details.


Another Version of Hydra

Abo-abo has released another significant version of hydra. Hydra seems to be evolving into a strong AI.


Artist Mode

Artist mode is one of those things I learned from Bernt Hansen’s excellent Organize Your Life In Plain Text! introduction to Org mode. I’ve used it in conjunction with ditaa to produce simple but finished block diagrams from ASCII diagrams.

I haven’t used it for so long that I’d pretty much forgotten about it but then I came across this excellent video from Rob Rohan on using artist mode. It takes a bit of practice to get as fluid as Rohan is with it but it’s not really hard.

As Rohan points out, artist mode is also useful for adding diagrams to your source code comments or other places where ASCII art is good enough or even preferable. If you’re like me, you probably won’t use it all that often but sometimes it’s exactly what you need. It’s especially nice in conjunction with an Org mode code block where you can have it produce a nice diagram for your output while keeping all the source in your Org mode source file.


Reverting All Buffers to Branch State

Handy:


Getting the Host Name of the Current Browser Page

A while ago I wrote about coding some Elisp to grab the URL of the current Web page and turn it into an Org link. It doesn’t seem like it would reduce friction by that much but it really has made linking in my blog posts much more efficient. So much so that now I hate to make links to the site and then to a particular post like

abo-abo over at (or emacs has a nice video on using Hydra.

because now I have to switch focus to Safari to cut the site name of the blog and then paste it into a link just like I used to do for links to individual posts.

So I looked for some URL parsing functions in Emacs and found url-generic-parse-url that breaks a URL into its constituent parts. I used that to modify jcs-get-link to return a link to just the host name if it’s called with the universal argument:

(require 'url-parse)   ; url-generic-parse-url, url-type, url-host
(require 'org)         ; org-trim

(defun jcs-get-link (hostp)
  "Retrieve URL from current Safari page and prompt for description.
With the universal argument, return a link to the host only.
Insert an Org link at point."
  (interactive "P")
  (let* ((link (read-from-minibuffer "Link Description: "))
         ;; osascript returns the URL followed by a newline; trim it once
         ;; here so both the full link and the parsed host are clean.
         (result (org-trim
                  (shell-command-to-string
                   "osascript -e 'tell application \"Safari\" to return URL of document 1'")))
         (urlobj (url-generic-parse-url result))
         ;; scheme and host only, e.g. http://irreal.org; the path is dropped
         (host (concat (url-type urlobj) "://" (url-host urlobj))))
    (insert (format "[[%s][%s]]" (if hostp host result) link))))

It’s a bit of a hack because the host name may not be the same as the site name so the new function may not give the right site link. Ironically, an example of this is Irreal. If you want the address for the blog itself, it’s http://irreal.org/blog not http://irreal.org as the above code returns.

Still, this problem isn’t that common and even handling it as a special case is still less friction than changing focus to the browser.


Password Contains Invalid Characters (Again)

Devin Chalmers has some words of wisdom for startups:

Nick Selby already told them but apparently they didn’t listen.


Searching Org Files and Buffers

Remember Karl Voit from the Sacha Chua chat that I wrote about previously? Voit collects data on just about every aspect of his life and stores it in an Org file. If you haven’t watched the chat yet, be sure to take a look. You’ll be amazed.

The other half of collecting all that data is being able to search it. Voit has lots of homegrown tools for that but he also makes use of the built-in Org tools:

His tweet points to this excellent Worg tutorial that describes how to extract data from Org files. The methods are surprisingly flexible, and although the syntax can be daunting they’re well worth learning if you collect any data at all into Org files. It’s worth reading through the tutorial if only to see what’s available. You can always check back for the exact details when you need them.

Voit is an expert on data collection and retrieval and it’s worth studying his methods and software. You’ll be a lot more proficient with data if you do.
