Enforcing SSL

Somehow destiny brought me to StartSSL, a company that provides free SSL certificates. This prompted me to replace all existing CACert certificates and enforcing SSL on all publicly available entry points: blogs, bug tracker and git code repository.

If you have previously added the CACert root certificate to access my website, please remove them now as public entry points no longer requires that, and new entry points will be added with similar StartSSL (or other free services’) certificates.

Build Debian Almquist Shell (dash) for OS X (GNU bash ShellShock part 2)

Even after pushing bash to 4.3.26, the aftershock of ShellShock (pun intended) is still there, as a developer commented that even the bash43-026 patch is still a “whack-a-mole” job.

Since my other main operating system is Ubuntu and the 3rd most common used is Debian jessie/sid, I am replacing /bin/sh with dash, Debian Almquist Shell, at least for now.

Continue reading “Build Debian Almquist Shell (dash) for OS X (GNU bash ShellShock part 2)”

GNU bash ShellShock bug and how to fix it on OS X

Update: A new bash patch is released as bash-4.3.26. This article is updated to include the new patch.

Recently another UNIX bug broke out: ShellShock bug in GNU bash, the most commonly-used UNIX shell. It allowed arbitrary code execution. which is bad.

Test code, if you want to check:

env "() { ;:}; echo gah" bash -c "echo test"

If you see both gah and test, your system is vulnerable! Read on!

Continue reading “GNU bash ShellShock bug and how to fix it on OS X”

VyRT Hacking (Part II): How Hackers Finds out Your Password, Quickly.

Before I say anything on this post, I hereby urge you to change your VyRT password immediately, as well as any services that shares a same password with it, NOW! Read on to see why.

This is going to be the most disturbing part of this series on VyRT hacking. Brace yourself when reading.

After the hacker dumped the database of VyRT, they can start dwelling in their lair of evil and start figuring out your passwords. If you are technologically savvy you may start to think that it would take them forever to figure out those securely hashed passwords one by one. No, think again before proceeding.

Continue reading “VyRT Hacking (Part II): How Hackers Finds out Your Password, Quickly.”


If you came to my website recently, you should have noticed that my website now have SSL enabled, but the certificate may not be trusted.

Settig up SSL is trivial, but setting up SSL with a trusted certificate is difficult and expensive.

I dont have all those spare money. That is why I used a free (but trusted by free software community) CA, CACert (http://www.cacert.org/) You can visit their page for their root certificate and trust that. That will automatically make your browser trust my website.

China Telecom EPON device, IPTV and TR069

After reading Wesley’s post about their problematic, data stealing router, I want to rant about mine.

In the neighbourhood I am living in, the only ISP is China Telecom.

For those who want a broadband connection, Telecom’s standard issue CPE is a combined EPON/Router device. ¬†The device establishes EPON and PPPoE connection for you, have built-in DHCP server and Wi-Fi access point, and seems to be a good all-in-one CPE.

Continue reading “China Telecom EPON device, IPTV and TR069”