2014-02-22 15:27:36 -0500
If you weren't already aware, Apple released iOS update 7.0.6 yesterday to patch a hole in their use of SSL/TLS that could allow an attacker to compromise encrypted communications. If you haven't updated your iOS devices you'll want to do so as soon as possible. A little bird tells me OS X updates are on the way next week, although I imagine that's no surprise and I've seen it speculated elsewhere.
There's a great explanation of the bug here by Adam Langley, but I'd like to point out an interesting comment by John Gruber on Daring Fireball where he links to Langley's post:
I don’t want to start a coding-style war, but I think this bug would not have happened if the code had been written using curly braces after the if statements.
I think there's no doubt about that. A little while ago I gave up my stubborn use of BSD-style in my C and Objective-C code and now wherever I see it I cringe a little and then go about fixing it up to be more "proper" in my mind. It's a nuisance, but worth it. For some time now, I think perhaps at the recommendation of Zed Shaw in his online book Learn C the Hard Way, I've been making sure to always use braces to encapsulate anything depending on an if statement or other conditional to avoid scenarios like the one that caused Apple's exploit. Other rules I now keep are no more braces on the next line, and avoiding blank lines. This gist should give a good example of what I mean, even though it's a bit silly:
I even use braces to encapsulate the branches of switch
statements these days! I like to zap blank lines because I think it forces me to review code more closely; it's harder to skim and encourages me to keep things nice and DRY.
A minor aside: Learn C the Hard Way is really great even if you know C already. Worth a couple of hours, it's a fun read and good for tightening up your skills.
Update: I also avoid assignment operators in if statements, and I tend to keep conditional expressions very explicit. This way I know what in my code above, self.fugeez
is a BOOL, or returns that type. If I want to check that a pointer is nil, then if (self.fugeez == nil)
, not if (self.fugeez)
. If I want to test that my BOOL fugeez
is false, then if (self.fugeez == NO)
, an explicit comparison. Just makes it easier to see what's going on later. I'm not quite as religious about this, but I'm trying to stick to it and adjust where I see my old ways.
2014-02-17 14:39:01 -0500
As a follow-up to the original Zetetic.Security library that adds PBKDF2 and BCrypt-based HashAlgorithms to .NET, we're pleased to announce the release of Zetetic.Security 1.1.0.0, which provides options for greater work factors when generating password hashes.
The original hash implementations use 5,000 rounds of PBKDF2, and a BCrypt work factor of 10^10. The 1.1 release adds support for 64,000, 128,000, and 256,000 rounds of PBKDF2, and BCrypt work factors from 10^11 to 10^16. As before, the best way to use these hash algorithms is by installing Zetetic.Security to the Global Assembly Cache, and updating machine.config to register the new classes. (Hint: you can find the path to the effective machine.config file in System.Runtime.InteropServices.RuntimeEnvironment.SystemConfigurationFile).
Once installed and registered, the new HashAlgorithms can be used in code as per the following sample (I wrote this one in LinqPad for simplicity's sake):
Of course, bear in mind two important caveats before updating your applications to use any new password hashing strategies:
1. .NET MembershipProviders don't have any way to know what HashAlgorithm generated any particular user's hashed password in storage. Therefore, changing the hash algorithm will cause your users' logins to fail until they reset their passwords.
2. A stronger hashing algorithm is likely to eat up significantly more CPU cycles. Plan accordingly so that applying 10^16 rounds of BCrypt doesn't open the door to a denial-of-service attack (or blow your AWS or Azure budget!).
Download from Github
View on NuGet
2014-01-28 15:12:23 -0500
At our STRIP meeting today we discussed providing more regular, up-to-date information about what versions of STRIP are currently available and what's on the way, a sort of status page. We haven't decided exactly how we'll implement this but for now we'd like to provide an update here on the blog.
STRIP for iOS 2.2.0 - Released - Jan 22, 2014
Minimum iOS version: 6.0
- Features a new interface customized for iOS 7
- Various bug fixes, minor feature improvements
- Sync-compatible with 2.1.0
- Crashes on sync with Google Drive on 64-bit devices
STRIP for Android 2.2.0 - Released - Jan 22, 2014
Minimum Android version: 2.1
- Various bug fixes, minor feature improvements
- Sync-compatible with 2.1.0
STRIP for Windows 2.1.0 - Released - Nov 12, 2013
Minimum Windows version: Windows XP
- Updates encryption engine to SQLCipher 3
- Increases PBKDF2 key derivation from 4,000 to 64,000
- Requires min version 2.1.0 for sync
STRIP for OS X 2.1.0 - Released - Nov 12, 2013
Minimum OS X version: 10.6 Snow Leopard
- Updates encryption engine to SQLCipher 3
- Increases PBKDF2 key derivation from 4,000 to 64,000
- Requires min version 2.1.0 for sync
STRIP for iOS 2.2.1 - Submitted
Minimum iOS version: 6.0
- Awaiting review from Apple
- Fixes crash on 64-bit devices during Google Drive sync
2014-01-27 15:53:13 -0500
This Tuesday night, January 28th 10pm EST, Tempo and other web systems will be temporarily unavailable while we perform critical patch updates to ensure the stability of our services.
This maintenance outage will also affect the Tempo API, the the Connect website, and the site for Codebook.
Down time could last up to 1 hour, however we believe it will be completed much more quickly. If you need to get in touch with us for any reason, please don’t hesitate.
2014-01-23 12:12:54 -0500
We just released STRIP 2.2.0 in the iTunes App Store and the Google Play store for Android. The iPhone and iPad versions feature a new interface adapted to iOS 7, and both iOS and Android versions bring various bug-fixes, stability improvements, and minor feature updates and adjustments. We're quite curious to hear what our customers have to say about the new look, so we'll spare you the screenshots and ask that you go check it out and tell us what you think.
Compatibility:
STRIP 2.2.0 is sync-compatible with all versions of STRIP 2.1.0. For iOS versions, the new minimum OS version is iOS 6.0. For Android versions, the minimum OS version remains Android 2.1.
iOS changes:
- Clean, elegant new iOS 7 style user interface
- 64 bit support for newer iPhone and iPad devices
- Allow sorting of field labels alphabetically
- Moves auto-lock settings to encrypted database
- New preference to clear pasteboard on exit
- Allows masking of note fields on entry view
- Fixes issue where backup database might not properly be removed
- Fixes issue authorizing Drive sync with 2-step authentication
- Fixes keyboard switching login bug
Android changes:
- New integrity check feature in Settings
- Secures STRIP from screenshot capture during application switching
- Various bug fixes and stability improvements
Download the latest:
Note: Amazon 2.2.0 version update may take a little while to appear in the Amazon App Store for Android, if it's not available now please check again later.