Follow-up on the Bloglines security flaw with secure feeds

Give to Caesar what belongs to Caesar. Bloglines has reviewed the security flaw I previously found in how their system interacts with secure web feeds, and fixed it.

I was reviewing the posts that bloggers made on the subject and reading all the comments on them. That led me to check whether the problem I found on Bloglines was still there. They fixed it.

How did they fix it? No, they did not remove the HTTPS and HTTP Authentication handling feature of Bloglines. They simply made feeds whose URL carries HTTP Authentication credentials private.



We can’t change the status of such feeds; the system no longer gives us that option. They are private and will remain private. That’s good news. As far as I know, there are no other problems with this feature in Bloglines.

I would like to thank the Bloglines team for their positive response to my report of the security flaw and for their fast fix.


Why do I read science fiction books? – The beginning of my literacy life

As I said, I’ll gradually put texts in my bookshelf section that tell you why I read these books. The first book I read on my own was a science fiction one called “Les Thanatonautes”. Soon after, I read all of Isaac Asimov’s books. I never read in my childhood; I was too busy building shacks and towers in the woods. It took working in a book store to open me up to books. Since then, I can’t imagine my life without reading.

I need to thank science fiction books. They opened me to the world of literature and helped me see the benefits of reading. When I started reading Asimov’s Foundation series, I was so entertained by the story that I went through the five books in a few weeks. I soon discovered that science fiction books are far more than entertaining stories. The authors have the possibility to explore the world of science with a different eye. They can make their scientific fantasies a reality. They can explore the impact of such fantasies on human society.

For example, if I remember right, Arthur C. Clarke “invented” the geostationary satellite before scientists thought about building them and sending them into space. And Isaac Asimov created and popularized the word and concept “robot”. It was a contractor fascinated by his “robot” concept who built the first industrial robot for one of his factories. These are just some examples of what the science fiction trend can bring to readers and to society. It can be seen as an experimentation laboratory.

Personally, I read science fiction books in a quest for new ideas, to see things differently. Sometimes, when I’m reading a science fiction book, ideas come up in my mind. Then I muse on them and see if I can do something with them. They may or may not be related to what I’m reading. But the fact is there, and my goal is reached: they were triggered by my reading.


My Indian tourist visa just arrived this morning.

Expiry date: 17 November 2005. Dah! Did I apply for a 6-month or a 1-year visa? Definitely a 1-year; I paid for it! If I arrive in Delhi in September I have… 3 months? I have not even arrived in India and all my “plans” are falling apart. The problem is that Indian visas start when they are issued.

I called the consulate in Toronto and asked why I got a 6-month visa when I paid for a 1-year one. It seems that a 1-year visa is much harder to get, so I got a 6-month one. Fred… do not ask any questions and take it as it is.

So I need to bring back plan number 2: arrive in Delhi and run to the nearest country to get another 6-month visa. Many possibilities exist: arrive in Delhi, do the northern states of India for 3 months and go to Kathmandu to get another visa. Or go from Delhi to Calcutta and finish in Bangladesh. Or run from Delhi to Colombo. There are so many possibilities… the problem is that it is not 100% sure that you get your new visa, hahaha. Any ideas?

That’s what I like about traveling… you never know what will happen or where you will go. The only thing you can do is go with the flow… the flow of events. When someone says to me, “I’m planning a trip,” I stare at him and start grinning.


The place of mind maps and traditional writing in the creative process

Some days ago I had a discussion with Niall about mind maps. We were talking about the fact that mind maps are far more flexible than linear notes. However, one method may be better than another depending on you and your needs. I mused about the place of mind maps and traditional writing in the creative process.

Vincent Ryan Ruggiero, in his book The Art of Thinking, describes the creative process in four stages:

1. Searching for challenges

  • “The first stage of the creative process represents the habit of searching for challenges, not at one specific time, but constantly. Its importance is reflected in the fact that you can be creative only in response to these challenges that you perceive.”

2. Expressing the problem or issue

  • “The objective in this stage is to find the best expression of the problem or issue, the one that will yield the most helpful ideas. “A problem properly stated,” noted Henry Hazlitt, “is a problem partly solved.” Because different expressions open different avenues of thought, it is best to consider as many expressions as possible. One of the most common mistakes made in addressing problems and issues is to see them from one perspective only and thus to close off many fruitful avenues of thought.”

3. Investigating the problem or issue

  • “The objective of this stage is to obtain the information necessary to deal effectively with the problem or issue. In some cases, this will mean merely searching your past experience and observation for appropriate material and bringing it to bear on the current problem. In others, it will mean obtaining new information through fresh experience and observation, interviews with knowledgeable people, or your own research.”

4. Producing ideas

  • “The objective in this stage is to generate enough ideas to decide what action to take or what belief to embrace.”

Now, what place do mind maps and traditional writing have in these stages?

At stage one, mind maps are well suited to the need. A mind map would be created each time we face a new challenge, each time we see a problem or an issue with a certain process. What is important to remember at that stage is that we need to constantly review the mind maps we have made and find links between them. Finding these links is important because it helps us view the problems or issues with a different eye.

At stage two, mind maps are also favoured. The links previously found will help us approach the problem or issue from many perspectives.

At stage three, mind maps again best fit the need. However, in this case what we like is the flexibility of mind maps: how easy they are to update. As Niall said, they are much easier to update than linear notes. So we can easily update the facts in old mind maps with new ones.

For stage four, I will divide it into two sub-stages: (1) the act of producing many ideas and (2) the act of defining some of these ideas. In the first sub-stage, mind maps or free writing still have their place. We do not need to bother with clarity; the only things we need are ideas, many of them. However, we will eventually need to clarify them, to structure them for ourselves and for others. We enter a stage of writing for others. In this sub-stage, we try to refine some of our ideas. We need to shine a light on some of them; we need them to be reviewed by our peers. In this process we will ask ourselves many questions. We will write and rewrite our most promising ideas. At this stage, the mind maps of these ideas are there to help us make a plan for the writing. However, they are useless for presenting the ideas to others. Mind maps are expressions of our cognitive process but are worthless to others and lack depth. Traditional writing will structure, refine and deepen our ideas. It will make them clear and usable for communicating them to others.


Do not use the Atom Gmail service with online aggregators like Bloglines

I have been studying the problem of secure web feeds for some weeks. This morning I read a surprising post about the Gmail Atom feed service used with Bloglines. An idea came to mind while reading it: it is not possible… can I really get the login and password of people who subscribe to “secure” web feeds that use SSL and HTTP Authentication with Bloglines? The answer is sadly: yes, I can.

The problem is that to use the Gmail Atom service in Bloglines, you need to build your feed’s URL like this: https://USERNAME:[email protected]/gmail/feed/atom, so that the user name and password are provided to the feed’s server.

The whole problem is there: you have the username and the password in plaintext directly in the URL.

The first thing I then checked was whether I could find such strings in online aggregators such as Bloglines. Here is the answer:



Why do I have access to these URLs? Probably because these users’ Bloglines profiles are public rather than private.

Then I tested whether I could get access to these user names and passwords by subscribing, with Bloglines, to the SSL and HTTP Authentication test feed on the silverorange project. I created two Bloglines profiles: one (Jim) whose profile and blogroll are public, and another (Todd) that will check the blogroll of the first account. The scenario goes like this:

1. Jim subscribes to a new SSL and HTTP Authentication protected feed with Bloglines. His profile is public and he does not know the consequences of what he is doing. The address he subscribes to is:

https://testuser:[email protected]/rsstest/httpauth/rss_with_ssl_and_auth.xml

2. Todd discovers Jim’s public profile and checks his blogroll. He is lured by an entry called “Test Feed (HTTP Auth, SSL)”; he checks it, likes it and subscribes to it. Then Todd sees this Bloglines page:



3. Todd looks more closely at this Bloglines page and notices:



Todd has just discovered the user name and password of a “secure” web feed. Before subscribing, he could not see the complete URL of the feed, because the Bloglines system shows it as: http://www.bloglines.com/preview?siteid=1830560. However, once he subscribes to it, Bloglines shows the complete URL of the feed to the subscribed user.
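The following Python sketch is an added example, not Bloglines’ code and not part of the original post. It shows the defensive handling an aggregator needs for the situation just described: the `user:password@` part is split off a feed URL before the URL is stored, previewed or shown to anyone else; a feed that needed credentials is forced private and cannot be made public (the behaviour the follow-up post at the top of this page reports Bloglines adopted); and a small scanner flags credential-carrying URLs in an exported blogroll so a user can check their own subscriptions. Host names, paths, credentials and the OPML fragment are constructed placeholders.

```python
"""Added example (not Bloglines' code): keep feed credentials out of URLs
that an aggregator stores, previews or shows to other users.
Hosts, paths, credentials and the OPML sample below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, unquote

# An http(s) URL whose authority part carries "user:password@".
_USERINFO_URL = re.compile(r"https?://[^\s/@]+:[^\s/@]*@[^\s\"'<>]+")


def split_credentials(feed_url: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (credential-free URL, username, password).

    Only the credential-free URL may ever appear in a profile, blogroll or
    preview page; the credentials belong in a separate store.
    """
    parts = urlsplit(feed_url)
    if parts.username is None:
        return feed_url, None, None
    # rpartition keeps host:port exactly as written (case, IPv6 brackets).
    host = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, unquote(parts.username), unquote(parts.password or "")


def find_embedded_credentials(text: str) -> List[Tuple[str, str]]:
    """Scan exported blogroll/OPML text for URLs carrying credentials.
    Returns (username, credential-free URL) pairs, so the report itself
    never repeats the password."""
    found = []
    for match in _USERINFO_URL.finditer(text):
        clean, user, _ = split_credentials(match.group(0))
        found.append((user, clean))
    return found


@dataclass
class Subscription:
    siteid: int
    url: str                    # never contains userinfo
    username: Optional[str]
    password: Optional[str]     # a real service would keep this in a secrets store
    private: bool


class Aggregator:
    """Minimal model of an aggregator enforcing the rule: feeds that
    needed credentials are private and cannot be made public."""

    def __init__(self) -> None:
        self._subs: Dict[int, Subscription] = {}
        self._next_id = 1

    def subscribe(self, feed_url: str, private: bool = False) -> Subscription:
        clean, user, password = split_credentials(feed_url)
        sub = Subscription(self._next_id, clean, user, password,
                           private=private or user is not None)
        self._subs[sub.siteid] = sub
        self._next_id += 1
        return sub

    def set_private(self, siteid: int, private: bool) -> None:
        sub = self._subs[siteid]
        if not private and sub.username is not None:
            raise PermissionError("feeds using HTTP Authentication stay private")
        sub.private = private

    def can_be_made_public(self, siteid: int) -> bool:
        try:
            self.set_private(siteid, False)
        except PermissionError:
            return False
        return True

    def public_blogroll(self) -> List[str]:
        return [s.url for s in self._subs.values() if not s.private]

    def preview(self, siteid: int) -> dict:
        # What another user gets to see: the siteid and the clean URL only.
        sub = self._subs[siteid]
        return {"siteid": sub.siteid, "url": sub.url}


# Constructed OPML fragment, the kind of export a public blogroll produces.
SAMPLE_OPML = (
    '<outline text="Plain feed" xmlUrl="https://feeds.example.net/plain.xml"/>\n'
    '<outline text="Test Feed (HTTP Auth, SSL)" '
    'xmlUrl="https://testuser:testpass@feeds.example.net/rsstest/auth.xml"/>\n'
)

if __name__ == "__main__":
    print(find_embedded_credentials(SAMPLE_OPML))
    agg = Aggregator()
    jim = agg.subscribe("https://testuser:testpass@feeds.example.net/rsstest/auth.xml")
    print(jim.private, agg.preview(jim.siteid), agg.public_blogroll())
```

The key design choice is that the credential-free URL is the only form the aggregator ever persists as a displayable value, so no later page (preview, subscription view, OPML export) can leak what was never stored there; forcing such feeds private is a second, independent layer in case credentials reach the system by another path.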

This is just a test I performed with an SSL and HTTP Authentication RSS test feed available on silverorange.

Now, think about the consequences of this situation when users subscribe to Gmail or any other “secure” web feed using SSL and HTTP Authentication. The problem is real and could have many undesired consequences.

The best thing to do is not to use such feeds in online services like Bloglines. Even in stand-alone software it could be unsafe. I pointed out a week ago why I do not like this strategy for handling the problem of secure web feeds. This is a beautiful example of the potential problems it can lead to. You can read my article on the problem and my proposed solution here: Secure Web Feed Protocol.

This experience is a good example of the potential security threats that can appear when more than one system starts to interact with another.
