SuperFish – Race to the Bottom

Earlier this morning it was reported that Lenovo is installing adware on their new laptops. This piece of adware is called SuperFish, and it basically MITMs your connections — including secure ones — and inserts ads into webpages you visit. This in itself should be alarming and is an extremely scummy thing to do, but now things have taken a turn for the worse. Yes, it can get even worse.

Since Lenovo has installed a root CA of their own on the computer, they can basically make your browser trust any site they want by using the CA to create certificates for them. But now everyone can. A couple of people have already extracted the private key from the adware app and bruteforced the terrible, inexcusably bad password. A password of only 7 characters in length, consisting of nothing but lowercase a–z characters. komodia. Really, that’s it right there.

So now anyone can create certificates that new Lenovo machines automatically trust. Shame on you, Lenovo.

And yes, I know Lenovo is not directly responsible because they didn’t make the adware, but they shouldn’t have added some in the first place. At the very least they should have had oversight, because this is complete buffoonery. Hopefully some heads will roll as a result. This race to the bottom where laptops are preinstalled with bloat in ever increasing crappiness must stop.

In case you are using a Lenovo computer and want to check if you are vulnerable, try going here. If you get a security warning from your browser, you are safe. If not, douse your computer in some holy water and go make an angry call to Lenovo support.

Nurina – The Elixir URI parser

I had some free time this weekend, so I decided to pick up on an old piece of code I wrote back when I started learning Elixir. It’s a URI parser I called Nurina (the word nurina is Finnish and means grumbling or complaining — it sounded funny and it contains the word URI). It’s not really a well put together piece of code but more of a learning exercise. I also decided to avoid using regular expressions entirely and instead used pattern matching to parse the whole URI — an additional challenge.

Pitot on OpenRepos

As my first OpenRepos release ever, Pitot is now available for download there. You can find it here.

This is just a temporary step to get the app available for people until it is accepted in Harbour, the Jolla app store.

nicd.nytsoi.net In Memoriam

I removed my old blog at nicd.nytsoi.net today and pointed Nginx to serve a permanent redirect to this site instead. The old blog served me from my days on the once free webhost 3rror.com, to my first webhotel and from there through three different VPS installations to where we are now. When I started, WordPress wasn’t the household name it now is and the web was very different. I wrote for years about stuff I saw, did and felt…

And I’m glad the blog is gone. Because that shit was embarrassing. Funny how your opinion of your own cleverness changes when time passes. Also I got fed up with updating WP every two weeks and fearing that the next time I visited, it would’ve been replaced with greetings from my friendly neighborhood hacker group. Aaand I had stopped posting somewhere in 2011.

RIP in pieces.

Pitot released

Pitot — my SailfishOS GPS/GLONASS speedometer app — has reached a state where I’m confident to release it for others to use. You can download the RPM in the BitBucket repository.

Some screenshots showing the basic functionality below:

[Screenshots 1–3]

Some notes about the accuracy when using with the Jolla phone:

  • It takes a long time to get a location when you are moving. This is due to the phone’s GPS being pretty bad. I don’t know of a way to alleviate it in the app.
  • Jolla’s speed readings come rounded to around 0.25 m/s. So for example when walking, the app will report 4.5 and 5.4 km/h but nothing in between. To my knowledge this cannot be changed from the app either.

The app is feature complete and I’ll just wait until QtPositioning is allowed in Harbour to publish it. There’s still one little problem, the font is really jagged and ugly. I tried following a Jolla employee’s instructions in setting the text’s renderType to Text.NativeRendering but it seems to have no effect. I’ll take a better look at that later. (Also the logo is quite ugly, but I’m bad at graphics, so any help on that would be much appreciated!)

If you encounter any problems, I’d appreciate bug reports or even pull requests in the BitBucket repository!

Life in a Bitcoin Mine

An interesting look into a Chinese Bitcoin mine and what working there is like. It’s funny to think that since the video was made, all that hardware has probably been made obsolete and replaced already.

Now, if I could just find my Bitcoin wallet with the 0.07 BTC I mined a while ago, I’d… have enough money to buy some candy. :)

Стоп Хам

“Stop a Douchebag” - is a Russian youth movement that attempts to enforce the road traffic regulations in Russia.

This is seriously great stuff. I’ve selected one video here, but you can see many more on their YouTube channel. In case you want to see idiots get what they deserve, this is the right channel for you.

Code from Finland

My work laptop got its first sticker today — a Code from Finland sticker. I think it’s a nice idea of marketing that we do our work in Finland, employing Finnish people and boosting the domestic economy. Kind of akin to the Key Flag Symbol for other products.

You can check koodiasuomesta.fi for more info.

Disclaimer: I work for Vincit Oy, where the idea originated. But there are currently over 90 companies on board.

SailfishOS: Pitot

First post of undoubtedly many to come in my SailfishOS adventures. This time it’s to tell about a small app I made during the weekend.

Pitot is a simple GPS/GLONASS speedometer for Sailfish. It will display the current speed of the device in big letters on the screen. It has a few different units, including kilometers per hour, meters per second, miles per hour and even knots.

[Screenshots 1 and 2]

It still needs some polish and a good smart cover. Also, it can’t be released in the Jolla Harbour yet, since it uses QtPositioning to get the speed.

Having used it a couple of times, it seems that the Jolla phone’s GPS is really terrible, though, since it takes ages to get a speed reading and when you do, the readings jump up and down even though your speed is constant. It also seems the resolution of the speed readings is too bad for trying to measure walking speed – I either get 4.5 or 5.4 kph, nothing in between.

Hopefully I get enough time to finish it next weekend. Now I’ll have to be off to work!

Vtigercrm

I just literally opened this site about an hour ago and I’m already getting scanned for vulnerabilities.

blog: 62.210.248.36 - - [01/Feb/2015:20:25:10 +0200] "GET /vtigercrm/test/upload/vtigercrm.txt HTTP/1.1" 404 162 "-" "curl/7.29.0"

Isn’t the Internet amazing?
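One way to triage probes like the one in the log line above, as an added example that is not part of the original post: it parses access-log lines in the format shown (combined log format with a vhost prefix) and reports clients whose 404s come from a scripted user agent or span several missing paths. Only the first sample line is from the post; the other lines, the agent list and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format with the optional "vhost: " prefix seen in the post.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+): )?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Illustrative list of non-browser clients (assumption, extend as needed).
SCRIPTED_AGENT = re.compile(r'^(curl|wget|python-requests|libwww-perl)\b', re.I)

# First line is from the post; the rest are constructed sample input.
SAMPLE_LOG = '''
blog: 62.210.248.36 - - [01/Feb/2015:20:25:10 +0200] "GET /vtigercrm/test/upload/vtigercrm.txt HTTP/1.1" 404 162 "-" "curl/7.29.0"
blog: 192.0.2.10 - - [01/Feb/2015:20:26:01 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
blog: 192.0.2.10 - - [01/Feb/2015:20:26:02 +0200] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
blog: 198.51.100.7 - - [01/Feb/2015:20:30:00 +0200] "GET /old/backup.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0"
blog: 198.51.100.7 - - [01/Feb/2015:20:30:01 +0200] "GET /test/info.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"
blog: 198.51.100.7 - - [01/Feb/2015:20:30:02 +0200] "GET /cms/readme.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"
this line is truncated garbage and must be skipped
'''

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_probes(lines, min_paths=3):
    """Map client IP -> missing paths and the reasons it looks like a scanner."""
    missing, scripted = defaultdict(set), set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] != 404:
            continue
        missing[rec["ip"]].add(rec["path"])
        if SCRIPTED_AGENT.match(rec["agent"]):
            scripted.add(rec["ip"])
    report = {}
    for ip, paths in missing.items():
        reasons = (["scripted-client"] if ip in scripted else []) + \
                  (["many-missing-paths"] if len(paths) >= min_paths else [])
        if reasons:  # a single browser 404 (e.g. favicon) is not reported
            report[ip] = {"paths": sorted(paths), "reasons": reasons}
    return report

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG.strip().splitlines()).items():
        print(ip, info["reasons"], info["paths"])
```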