Spectacle is a fantastic free OS X application that gives you window control with simple, customizable keyboard shortcuts.
Category: Tech
Fred Wilson & Loic Le Meur – LeWeb’14 Paris
MySQL 5.5 and 5.6 Vulnerability
Another day, another security vulnerability.
Today Oracle announced security vulnerabilities and associated software patches affecting MySQL 5.5 and 5.6:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL
To address these vulnerabilities, your database instances will need to be upgraded to either MySQL 5.5.40 or 5.6.21.
If you’re on a hosted service such as RDS, expect to be upgraded during your next maintenance window. More info can be found on Amazon’s security site.
SSL v3.0 POODLE Vulnerability
A new SSL bug was announced today – CVE-2014-3566 (SSL v3.0 POODLE vulnerability).
This vulnerability affects servers still running SSL 3.0. It centers on the cipher block chaining (CBC) encryption implementation and allows an attacker in a Man-in-the-Middle (MITM) position to derive the contents of a secure payload based on the responses received from requests sent from a compromised browser to a legitimate server.
One way to remedy this issue is to disable SSL 3.0 support, or disable SSL 3.0 CBC-mode ciphers, on your servers, but this presents significant compatibility problems with older browsers (specifically Windows XP users who browse using Internet Explorer 6). Instructions on how to disable it on NGINX can be found here.
The other option (recommended by Google among others) is to make use of TLS_FALLBACK_SCSV. This is a mechanism that addresses the problem of browsers retrying failed connections at a lower protocol version, and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Unfortunately TLS_FALLBACK_SCSV is currently a draft extension to SSL/TLS and has not yet been accepted into OpenSSL or made its way into major browsers other than Chrome.
You can use GeoTrust’s SSL Tool Box to detect if SSL 3.0 is enabled on a web server.
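As an added example (not part of the original post or of the GeoTrust tool), the following Python script sends a minimal SSL 3.0 ClientHello offering CBC cipher suites to a server you administer and classifies the first record it sends back, so you can check your own hosts for SSL 3.0 support and, with the --scsv flag, whether they honour TLS_FALLBACK_SCSV. The cipher suite codes, the 0x5600 SCSV value and the alert numbers come from the TLS specifications; the host and port are whatever you supply.

```python
import os
import socket
import struct

SSL3_VERSION = (3, 0)
TLS_FALLBACK_SCSV = 0x5600      # signalling cipher suite value defined by RFC 7507
CBC_SUITES = [0x002F, 0x000A]   # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

def build_client_hello(version=SSL3_VERSION, fallback_scsv=False):
    """Return one TLS record carrying a minimal ClientHello for `version`.

    With fallback_scsv=True the TLS_FALLBACK_SCSV value is appended to the cipher
    list, which is what a browser does when it retries a failed handshake at a
    lower version; a server that implements it must then reject the downgrade."""
    suites = CBC_SUITES + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + os.urandom(32) + b"\x00"          # client_version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes  # cipher_suites
            + b"\x01\x00")                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello (1)
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Map the first record the server returns to a verdict.

    A ServerHello at version 3.0 means SSL 3.0 (with CBC suites) is enabled, i.e. POODLE
    exposure; an inappropriate_fallback alert on a --scsv run means the server honours
    TLS_FALLBACK_SCSV; protocol_version / handshake_failure means SSL 3.0 is refused."""
    if len(data) < 5:
        return "no TLS record"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake record, ServerHello
        return f"accepted: server negotiated version {data[9]}.{data[10]}"
    if data[0] == 0x15 and len(data) >= 7:                        # alert record: level, description
        description = ALERT_DESCRIPTIONS.get(data[6], f"alert {data[6]}")
        return f"rejected: {description}"
    return "unexpected record"

def probe(host, port=443, fallback_scsv=False, timeout=5):
    """Send the SSL 3.0 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(SSL3_VERSION, fallback_scsv))
        return classify_response(sock.recv(4096))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], fallback_scsv="--scsv" in sys.argv))
```

Run it as `python poodle_check.py your.host.example` for the plain SSL 3.0 check and add `--scsv` to test the fallback signal.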
HipChat 3.0
HipChat rolled out a huge update to their Mac client today (other platforms will be following soon) that features a number of great changes including a brand new, lightweight UI and so far, I’m really digging it.
I was a big fan of the previous UI over competitors such as Slack and this update makes using HipChat even better.
Some other changes in this update include emoticon autocomplete, unread message counts and new presence icons. You can read all about it on their blog.
KPCB Internet Trends 2014
Mary Meeker’s annual presentation is out…
Fred Wilson at TechCrunch Disrupt 2014
Fred posted this as his VOTW over the weekend so I’m doing the same. Well worth the 20 minutes if you can spare it…
Heartbleed Bug
You’ve most likely heard about the Heartbleed bug by now. If not, patch your servers and then read up on it at heartbleed.com.
Amazon, RedHat, Ubuntu, Heroku and the majority of software and infrastructure providers have issued guidance on the issue so a quick Google search should provide a link.
You can test your servers over at http://filippo.io/Heartbleed/.
In addition to patching, some good additional steps to take are as follows:
- Invalidate all sessions established before the patch
- Reissue your private key and SSL certificates
- Reset the passwords and keys used to communicate to databases and other infrastructure
Be sure to check with your software / infrastructure providers for extra steps they’re requiring / suggesting.
HipChat vs Slack – Part 2
UPDATE – If you’re interested in the HipChat Server beta, you can apply here.
UPDATE 2 – HipChat is now free for unlimited users. Read more here.
Both HipChat and Slack continue to evolve their product offerings with the most notable improvement being HipChat’s recent beta release of video chat and screen sharing. Here’s a quick rundown of the two offerings with a few important distinctions highlighted.
Feature | HipChat | Slack
Cost
Pricing | $0 per user (unlimited users, no limitations); $2 per user for HipChat Plus (includes video calling and unlimited, searchable message history) | $0 per user (unlimited users, but limited to searching the latest 10k messages, 5 integrations, 5GB file storage); $8 per user
Contract | No | No
Features
Persistent Rooms | Yes | Yes
Private Rooms | Yes | Yes
1-to-1 Chat | Yes | Yes
Video Chat | Yes | No
Screen Sharing | Yes | No
File Sharing | Yes | Yes
Search | Yes (launches browser) | Yes (native)
Multiple Accounts | No | Yes
Google Authentication | No | Coming Soon
Guest Access | Yes | Coming Soon
SSL | Yes | Yes
UI Language | English Only | English Only
Self-hosted Option | In Beta | No
Extensibility
API | Yes | Yes
Integrations | Lots | Lots
Integration Limit | No | Yes (maximum of 5 on free plan)
Platforms | Mac, Windows, Linux, Android, iOS, Browser | Mac, Android, iOS, Browser
SHA-1 vs. SHA-2 SSL Certificates
If you’re thinking about moving to a SHA-2 hashing algorithm for your SSL certificate, remember that it will break in IE6 and all versions of IE on Windows XP prior to SP3. So if you’re supporting users on older machines / browsers, you’ll need to stick with SHA-1.
More information is available here.