FitBit Fit

[Image: me reading my FitBit eWatch]

My better half and I use a “watch” known as the “FitBit” to track our exercise and to see which SMS or email just made our cell phone bleep, without needing to fish the phone out of a pocket. As long as I can see whether I really need to stop right now and look at the phone, I have been content, but these life hacks using the FitBit sound really neat. I am not so sure about the security implications of sharing devices across different web sites, but the results are very interesting.

In email today from

Your Fitbit account doesn’t just have to be about tracking your daily steps and counting flights of stairs—although those are great stats to know! By thinking outside the box, users have come up with some pretty incredible life hacks involving their Fitbit devices. For example, did you know that with IFTTT (a website that lets you connect two different apps or devices), you can tell your smart coffee maker to begin brewing when your tracker or smartwatch notices you’ve woken up in the morning? And that’s just the start. (Read on their web site for six more imaginative ideas at

Microsoft vulnerability exposes all Windows machines

Be certain to apply all patches to your Windows installations. Apparently this bug has been known since last fall, and it allows an attacker to move laterally through your network.

From Dark Reading today in email:

Attackers can exploit newly discovered critical crypto bug in CredSSP via a man-in-the-middle attack and then move laterally within a victim network.

A serious vulnerability found in Microsoft’s Credential Security Support Provider protocol (CredSSP) could allow a hacker to gain control of a domain server and other systems in the network.

Researchers from Preempt unearthed the previously unknown remote code execution vulnerability, which affects all versions of Windows, and reported it to Microsoft in August of last year. Microsoft today issued a fix (CVE-2018-0886) for the protocol as part of its Patch Tuesday release.

For more details check the original article at

Cloud Providers compromise Domain Security

This just in via email from More information is available here:

Cloud provider vulnerability causes Let’s Encrypt to disable SNI domain validation

A major issue with some cloud providers allowed the unauthorized issuance of Let’s Encrypt certificates. Although the issue clearly lies with the cloud providers, Let’s Encrypt nevertheless has decided to disable the corresponding validation method.

Frans Rosén discovered that he could use the SNI validation method from the ACME protocol ( to issue certificates for domains hosted on certain cloud providers. He explicitly mentions Heroku and Amazon CloudFront.

TL;DR: I was able to issue SSL certificates I was not supposed to be able to. AWS CloudFront and Heroku were among the affected. The issue was in the specification of ACME TLS-SNI-01 in combination with shared hosting providers. To be clear, Let’s Encrypt only followed the specification, they did nothing wrong here. Quite the opposite I would say.

The core of the issue is that these providers allow users to upload certificates that the system will serve automatically to TLS requests with the corresponding server name. The ACME SNI validation method uses temporary certificates that end with .acme.invalid.

After the issue was reported, Let’s Encrypt almost immediately disabled the TLS-SNI-01 validation method. Let’s Encrypt subsequently decided that, with a few exceptions, it will stay disabled. The newer TLS-SNI-02 method is vulnerable as well. A new TLS-SNI-03 method that considers this problem is being developed, but for the time being users should switch to either the HTTP or the DNS validation method.
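To make the validation gap concrete, here is an added toy model (not code from the original post, from Let’s Encrypt or from any provider) of TLS-SNI-01 on a shared TLS front end; the tenant names, the challenge token and the simplified challenge-name derivation are constructed.

```python
"""Added example, not code from the original post or from Let's Encrypt: a toy
model of ACME TLS-SNI-01 on a shared TLS front end. Tenants upload certificates,
the edge picks one by SNI name, and the validator only inspects the certificate
served for a token-derived name under .acme.invalid (derivation simplified)."""
import hashlib

ACME_SUFFIX = ".acme.invalid"
TOKEN = "constructed-challenge-token"  # constructed sample value

def sni_challenge_name(token: str) -> str:
    """SNI name the validator asks for (simplified TLS-SNI-01 derivation)."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    return f"{digest[:32]}.{digest[32:]}{ACME_SUFFIX}"

class SharedFrontEnd:
    """Multi-tenant TLS edge: any tenant may bind a certificate to any SNI name."""

    def __init__(self, reject_acme_names: bool = False):
        # Provider-side mitigation: refuse bindings under .acme.invalid.
        self.reject_acme_names = reject_acme_names
        self.bindings = {}  # sni name -> (tenant, subject alternative names)

    def upload_cert(self, tenant: str, sni_name: str, sans: list) -> None:
        if self.reject_acme_names and sni_name.endswith(ACME_SUFFIX):
            raise ValueError(f"{sni_name}: bindings under {ACME_SUFFIX} refused")
        self.bindings[sni_name] = (tenant, sans)

    def serve(self, sni_name: str):
        return self.bindings.get(sni_name)

def validate_tls_sni_01(edge: SharedFrontEnd, token: str) -> bool:
    """The CA's check: does the certificate served for the challenge name list it?
    Nothing here ties that certificate to the domain being validated."""
    name = sni_challenge_name(token)
    served = edge.serve(name)
    return served is not None and name in served[1]

def issuance_would_pass(reject_acme_names: bool) -> bool:
    """Constructed scenario: alice hosts victim.example on the edge; mallory, another
    tenant on the same edge, asks the CA for a certificate for victim.example."""
    edge = SharedFrontEnd(reject_acme_names)
    edge.upload_cert("alice", "victim.example", ["victim.example"])
    name = sni_challenge_name(TOKEN)
    try:  # a self-signed certificate whose SAN is just the challenge name suffices
        edge.upload_cert("mallory", name, [name])
    except ValueError:
        return False
    return validate_tls_sni_01(edge, TOKEN)
```

With the default edge `issuance_would_pass(False)` is True although the requesting tenant controls nothing about victim.example; with `.acme.invalid` bindings refused it is False, and HTTP-01 and DNS-01 sidestep the problem because their proof is placed at the domain itself rather than at whatever certificate the edge happens to serve.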

UI Cause of Hawaii Missile Scare

When salespeople started calling themselves “web designers”, web sites became little more than confusing, overpacked repositories for cartoon graphics: lots of color and little clarity. Clean, usable UI design is design where the human using the interface (hence “User Interface”) easily knows what to select.

No more than seven (7) actionable items should be on any screen (where a menu counts as one item). No menu should have more than seven (7) choices, and there should not be more than three (3) levels to any menu object. Choices should be logically arranged, following international norms and standards (in apps we have had File, Edit, View, … Help for years, but sadly there is still not enough cross-site predictability on web pages, even for menus ending with … About Us, Contact Us, Privacy Policy). “Artistic license” belongs on artistic entertainment web sites, not on business sites employees use to get work done.

From a recent solicitation email from

On an otherwise quiet Saturday morning, the State of Hawaii learned the hard way about the consequences of relying on a poorly designed user interface (UI).

An employee at Hawaii’s Emergency Management Agency triggered an emergency alert last Saturday indicating that a ballistic missile was about to hit the islands.

Your first impulse might be to blame the employee for creating this statewide false alarm. But in the discipline of User Interface Design, there is no such thing as user error. Well-designed software should anticipate the needs of its users, provide clear warning messages when users are about to take drastic actions, and make errors easy to catch and reverse.

Take a look at the remarkably confusing UI that caused the error:

The employee accidentally clicked “PACOM (CDW) – STATE ONLY” instead of the similarly named option “DRILL-PACOM (DEMO) STATE ONLY”, creating massive panic until a follow-up message 40 minutes later revealed it was a mistake. offers their web site UI programming course description at for those who might be interested.
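The 7/7/3 rules above and the two near-identical option names lend themselves to an automated check; the linter below is an added example, not from the original post or the course it mentions, and the menu tree and the 0.7 confusion threshold are constructed.

```python
"""Added example, not from the original post: lints a screen's menu tree against
the rules above (at most 7 actionable items or choices per screen and menu, no
more than 3 levels) and flags label pairs that are easy to confuse, like the two
PACOM options. The menu tree and the 0.7 threshold are constructed."""
import re
from difflib import SequenceMatcher

MAX_CHOICES, MAX_DEPTH, CONFUSION_THRESHOLD = 7, 3, 0.7

def _normalise(label: str) -> str:
    """Compare letters and digits only, so punctuation cannot hide a near-duplicate."""
    return re.sub(r"[^a-z0-9]", "", label.lower())

def label_similarity(a: str, b: str) -> float:
    """0.0 (nothing in common) to 1.0 (identical after normalisation)."""
    return SequenceMatcher(None, _normalise(a), _normalise(b)).ratio()

def lint_menu(items, depth=1, path="screen"):
    """items: action labels (str) or (menu label, [sub-items]) tuples.
    Returns a list of rule violations; an empty list means the screen is clean."""
    problems = []
    if len(items) > MAX_CHOICES:
        problems.append(f"{path}: {len(items)} choices, limit is {MAX_CHOICES}")
    if depth > MAX_DEPTH:
        problems.append(f"{path}: nested {depth} levels, limit is {MAX_DEPTH}")
    labels = [item[0] if isinstance(item, tuple) else item for item in items]
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if label_similarity(a, b) >= CONFUSION_THRESHOLD:
                problems.append(f"{path}: '{a}' and '{b}' are easy to confuse")
    for item in items:  # a sub-menu counts as one item here and is linted on its own
        if isinstance(item, tuple):
            problems += lint_menu(item[1], depth + 1, f"{path}/{item[0]}")
    return problems

# Constructed approximation of the alert screen: the two option names quoted
# above plus invented entries to exercise the depth rule.
ALERT_SCREEN = [
    "PACOM (CDW) – STATE ONLY",
    "DRILL-PACOM (DEMO) STATE ONLY",
    "Tsunami Warning",
    ("More", [("Archive", [("Quarter", ["Q1", "Q2"])])]),
]

if __name__ == "__main__":
    for problem in lint_menu(ALERT_SCREEN):
        print(problem)
```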

Meltdown attack targets Intel processors

For some reason I have preferred to buy AMD processors in all my builds for the last decade. I am not against Intel – I have used Intel and Motorola processors from the 1970s onward. I do use liquid cooling and other aftermarket heat sink arrangements, which makes me prefer the socket arrangements for AMD because I feel the AMD ones are more mechanically solid, but I could identify nothing really significant in my mind that caused this preference. Here is one more little nudge in the AMD direction.

From Information Week’s Dark Reading

Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. “If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure,” the researchers wrote in an FAQ about the attacks. “Luckily, there are software patches against Meltdown,” referring to Linux, Windows, and OS X updates (not all of which are yet available, however).

Most Intel processors since 1995 are affected by Meltdown, with the exception of Intel Itanium and Intel Atom prior to 2013. Only Intel processors are confirmed to be affected by it so far.