curl directly to a gist

I was messing with my Raspberry Pi via ssh tonight and wanted to quickly stash a file to gist.github.com.

One option, I can install the command line gist tool.

But wouldn’t it be nice if you could just curl the content of the file directly to Gist?

$ curl --data-binary @README.md http://cist.herokuapp.com/read.md
#=> https://gist.github.com/32d1b11087f326a9653f


Much better. If you want to run your own curl-to-gist bridge, see the code at https://github.com/mdp/cist
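For anyone who wants to see what such a bridge does before running one, here is a minimal version of the flow the post describes, written as an added example. It is not the code from github.com/mdp/cist; it assumes the GitHub gists API shape (POST /gists with a `files` map, `html_url` in the response), takes the upstream call as a parameter so it runs offline, and defaults to secret gists. Note the trade-off the post’s one-liner glosses over: the bridge receives the file in plaintext, and the example URL is plain http, so whatever you post is readable on the wire and by whoever runs the bridge.

```python
"""Minimal 'curl to gist' bridge: POST a file body to /<filename> and get
back a gist URL. Added illustration, not the cist project's code."""
import json
import posixpath
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit


def filename_from_path(path):
    """Map the request path to a gist filename: keep only the last path
    component, decode percent-escapes, and reject empty or dot-only names
    so an odd URL cannot produce a nameless gist."""
    name = posixpath.basename(unquote(urlsplit(path).path))
    if not name or name in (".", ".."):
        raise ValueError("request path must end in a filename")
    return name


def build_gist_payload(filename, body, public=False):
    """Build the JSON body for GitHub's 'create a gist' endpoint. Secret by
    default: the bridge already sees the plaintext, no need to list it too."""
    return {
        "description": "posted via curl bridge",
        "public": public,
        "files": {filename: {"content": body.decode("utf-8", errors="replace")}},
    }


def github_create_gist(token):
    """Real upstream call (needs network and a personal access token):
    POST /gists on api.github.com, return the new gist's html_url."""
    def create(payload):
        req = urllib.request.Request(
            "https://api.github.com/gists",
            data=json.dumps(payload).encode(),
            headers={"Authorization": "token " + token,
                     "Accept": "application/vnd.github+json",
                     "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["html_url"]
    return create


def make_handler(create_gist):
    """Build a request handler whose upstream call is injectable:
    create_gist(payload: dict) -> str (gist URL)."""

    class BridgeHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            try:
                filename = filename_from_path(self.path)
            except ValueError as exc:
                self._reply(400, str(exc))
                return
            length = int(self.headers.get("Content-Length", "0"))
            body = self.rfile.read(length)  # curl --data-binary sends it raw
            self._reply(200, create_gist(build_gist_payload(filename, body)))

        def _reply(self, status, text):
            data = (text + "\n").encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    return BridgeHandler


def serve(create_gist, port=8080):
    """Listen on localhost only; put TLS in front if you expose it."""
    HTTPServer(("127.0.0.1", port), make_handler(create_gist)).serve_forever()


if __name__ == "__main__":
    # Offline demo: a fake upstream that echoes the filename instead of GitHub.
    # Try: curl --data-binary @README.md http://127.0.0.1:8080/README.md
    serve(lambda payload: "https://gist.github.com/FAKE-" + next(iter(payload["files"])))
```

Swap the lambda for `github_create_gist(token)` to talk to GitHub for real; keeping the upstream call injectable is what lets the request handling be exercised without a token.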

Fixed: WSJ’s Pointless China Military Infographic

The WSJ published an article this morning on China’s growing military power. It was accompanied by a very enlightening infographic.

But after taking a quick look at it, I found a couple of issues. First off, it vastly overstates both red ‘battle tanks’ and red ‘combat-ready aircraft’ by a wide margin. More disturbingly, the “attack helicopter” section ignores the fact that there are nearly twice the number of red helicopters.

Then they chose to leave off the number of “Combat-ready submarine attack troops”. Keep in mind, China is currently embroiled in a dispute with Japan over the East China Sea islands. If the tensions escalate to military action, it’s highly likely that China’s combat-ready submarine attack troops could swing the balance into China’s favor.

I’ve updated the infographic accordingly. Keep in mind it’s still 100% accurate.

The Original:

image

My improved version:

image

I’ve been using this for a while. It’s actually amazingly resilient. Open up my laptop at a coffeeshop, and within a couple seconds I’ve got my tunnel up and running and services connected.

Evernote doesn’t really care about security

So Evernote got hacked. Surprised? I’m not.

First off, let me quickly note that I actually use Evernote on a daily basis and like the product very much. It’s great for taking notes and stashing the digital cruft I inevitably accumulate: email receipts, travel confirmations, snippets of articles, all go into my Evernote account. I even hacked up a script to send my Github Gists into Evernote so I can search them more easily.

That being said, let me show you how little Evernote cares about security. None of this stuff is groundbreaking or new, but taken together, I think it shows a clear disregard for their customers’ privacy and data security.

1. Evernote’s CEO Phil Libin said two factor was a few months away back in October, then reiterated it was coming in December. Evernote 5 gets a big release, still no two factor.

We’re still waiting, and it’s been a frequently requested feature. Maybe this public breach will fix it, but should a company like Evernote be so reactive? This is a company that tells you “How to Do Your Taxes With Evernote.” They clearly want you to feel comfortable storing sensitive documents with them, but they don’t want to spend any effort on security.

2. They actually used SSL as a selling point in the past

They fixed this some time ago, but I think it shows their mindset quite clearly. Let me remind you again, this is a company that recommended storing your tax documents on their service… And would then sync them unencrypted unless you paid. That’s downright irresponsible.

Their current CEO, Phil Libin, was in charge when this was used as a selling tactic in the past.

3. Evernote still uses 64-bit RC2 for encrypting notes

“This is the longest symmetric key length permitted by US Export restrictions without going through a complex process to gain export approval”

Ugh, totally, so many forms! Look, I’m no encryption export expert, but Dropbox seems to have figured out the “complex process”. And last time I checked, Apple was shipping laptops globally with the option to encrypt your home directory, and it’s not with a block cipher that was successfully attacked in 1997. Figure it out guys.

4. SSL Sign in isn’t enforced

Give it a shot. Send someone a link to the non-SSL sign in and it won’t flip them over to SSL. It will also accept your credentials via non-SSL POST. So fire up SSLStrip and head down to your local coffee shop.


Update: As Paul Butler pointed out on HN, even if they did redirect you to HTTPS, there’s no real way to stop someone in the middle from keeping you on HTTP. I’ll strike this one, as it’s pretty nitpicky. But I’ll add one in its place :)

4. They don’t use HSTS to enforce SSL

Dropbox does it. Twitter does it. Evernote should too.
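Points 4 and 4-bis are really one point: a redirect to HTTPS only helps if the browser ever reaches the HTTPS side, and HSTS is the header that makes returning visitors skip the plain-http hop entirely. As an added example (not Evernote’s, Dropbox’s or Twitter’s configuration; the header values below are constructed), here is a checker that parses a Strict-Transport-Security header the way RFC 6797 describes and reports the weak settings next to the corrected one. The one-year minimum is an assumption chosen for the example, not a value from the post.

```python
"""Assess whether response headers carry a usable HSTS policy.
Added example with constructed sample headers; not any vendor's config."""

ONE_YEAR = 31536000  # seconds; the threshold is this example's assumption


def parse_hsts(header):
    """Parse a Strict-Transport-Security value per RFC 6797: directives are
    ';'-separated, names are case-insensitive, max-age is required, and a
    malformed header is ignored (returns None) just as a browser would."""
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # non-numeric max-age: UA must ignore the header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess_hsts(headers, min_age=ONE_YEAR):
    """Return a list of findings for one response's headers (dict, any
    key casing). An empty list means the policy looks fine."""
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value)
    if policy is None:
        return ["no valid Strict-Transport-Security header: browsers will "
                "keep following plain-http links to this host"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy instead of setting it")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age={policy['max_age']} is below the "
                        f"{min_age}s threshold; policy expires quickly")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay reachable "
                        "over http, and cookies scoped to the parent domain "
                        "can leak there")
    return findings


# Constructed sample responses: the weak settings beside the corrected one.
SAMPLE_RESPONSES = {
    "no_hsts": {"Content-Type": "text/html"},
    "short_max_age": {"Strict-Transport-Security": "max-age=600"},
    "hardened": {"Strict-Transport-Security":
                 "max-age=31536000; includeSubDomains"},
}


def report(responses=SAMPLE_RESPONSES):
    """Map each sample name to its findings."""
    return {name: assess_hsts(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "->", findings or ["ok"])
```

Two caveats the checker cannot express: browsers only honour the header when it arrives over HTTPS, so sending it on the plain-http side does nothing; and it only protects visitors who have already seen it once, which is exactly the first-visit window Paul Butler’s comment above describes. Preloading the domain closes that window, but the header still has to be right first.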

Correction March 5th, 2013: Someone pointed out I got the date wrong. LeWeb was in December of 2012, not April.

If you’re looking to import your Github gists into Evernote and make them searchable, this is your starting point.

The code is quite brittle, but it does the job, and I’ve been running it for around a year. Not something I’m looking to spend much time on, but feel free to run with it on your own; it’s MIT licensed and such.

Find out more at: https://github.com/mdp/GistEvernoteImport

To build the networks, recruiters slip into China to woo the few North Koreans allowed to travel there, provide cellphones to smuggle across the border, then post informers’ phoned and texted reports on Web sites.

Serious drip coffee

These private attorneys, unaccountable to the public, are making decisions about which cases to go after that directly affect their own personal wealth. Steven Kessler, a New York attorney and author of a treatise on state forfeiture laws, says he’s never heard of anything like it. “This is scandalous,” Kessler told me in a phone interview. “It’s blatantly unconstitutional.”

Surprised? Not really.