Aaron Gable
Renaissance Man
429 followers


The new Google logo.
Google’s look, evolved (googleblog.blogspot.com)


A selection of photos (really only curated for quality, not facial expression) of my fellow tour-mates on our wonderful Rotorua Canopy Tours (http://canopytours.co.nz/) adventure!
Album: Rotorua Canopy Tours, 2015-02-21, 10am (117 photos)

+Mike Elgan, that's why my Nexus 4 homescreen looks like this:

A collection of photos of all the lovely people at Recess :)
Album: Drift Creek Alt Blues Recess 2013 (136 photos)

"The consensus of the team is that these are water-transported gravels."

http://www.ustream.tv/NASAJPL

Post has shared content
Well, that's exciting. And for what it (isn't) worth, I don't have the bug-fix +Amber Yust is reporting -- my password field is still populated, rather than filled with "value=__USE_EXISTING__".
Note: This is not a password leak - you don't need to go and change your password on every site you use. Just change your Pandora password to something that isn't used elsewhere. Pandora have at least partially patched the issue. But it's still a good idea to use different passwords for different sites.

---

If you have a Pandora account, I highly recommend using a throwaway password for it (assuming you don't do so already).

Why? Because Pandora doesn't one-way hash their passwords. If your account is logged in on a computer, anyone who sits down at that computer can go and look up your password on Pandora's settings page.

Attached is an image that shows what that settings page looks like upon load - I haven't manually entered anything into the form fields and I don't use Chrome's auto-fill; the text in the fields is populated by Pandora... including the plaintext of the password.

Things like this are why I wrote a blog post about how to do web app auth correctly:
http://codingkilledthecat.wordpress.com/2012/09/04/some-best-practices-for-web-app-authentication/

Thanks to +Dan Boger for bringing this up.

---

Edit: Also just discovered that their password-reset tokens aren't single use. You can reset the password of an account multiple times with the same reset token link...

Also, since Pandora allows you to just change the password field and hit "Save", if you come across someone's logged-in computer, you can just change their password even if Pandora didn't tell you what it was. (The right way to do this is to require the user to enter their current password along with the new password, and pre-fill none of the fields.)

---

Edit 2: It has been pointed out in the comments that even though the password itself appears to be fetched over HTTPS, the page it is inserted into is not... and thus a man-in-the-middle attack is possible to retrieve a user's password by injecting a script into the main page that reads it from the DOM, if you have control of the upstream (e.g. if you're the owner of a public wireless network or the like).

---

Edit 3: It has been further observed that Pandora appears to store the password using local storage in encrypted form and then load it into the password box locally. While this does indicate that they probably don't send unencrypted passwords over the wire, it doesn't change the fact that it is trivially easy for someone to walk up and look at your password.

---

Edit 4: Let's be clear: this isn't about how Pandora stores passwords in their database. As investigation has shown, it is quite possible that Pandora doesn't use plaintext passwords server-side. (The only entity that could definitively answer that question is Pandora.) The issue being raised here centers on the fact that it is trivially easy to recover the plaintext form of the password stored *client-side*.

---

Edit 5: Pandora has now at least partially patched this; the password field now contains "__USE_EXISTING__" by default unless changed.

#security #pandora
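The shared post names three server-side practices: store only a one-way hash of the password, require the current password (and pre-fill nothing) when it is changed, and make reset tokens single use. The following is an added example illustrating all three together; it is not code from the post, from the linked blog article, or from Pandora. The in-memory dictionaries, the function names, and the choice of PBKDF2 from the Python standard library are assumptions made for the example; a real deployment would use a database and a dedicated password-hashing library.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for database tables (assumption).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # token -> {"user": str, "expires": float, "used": bool}

PBKDF2_ITERATIONS = 200_000
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Salted one-way hash. Only the salt and digest are ever stored, so
    nothing server-side can hand the plaintext back to a settings page."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs as much time as a wrong password.
        hash_password(password)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def register(username, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def settings_form_fields(username):
    """What the settings page renders: the password fields are always empty,
    so walking up to a logged-in browser reveals nothing."""
    return {"username": username, "current_password": "", "new_password": ""}


def change_password(username, current_password, new_password):
    """Even for a logged-in session, the current password must be re-entered
    before a new one is accepted."""
    if not verify_password(username, current_password):
        return False
    register(username, new_password)   # overwrite with a fresh salt and hash
    return True


def issue_reset_token(username, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # unguessable, generated server-side
    RESET_TOKENS[token] = {"user": username,
                           "expires": now + RESET_TOKEN_TTL_SECONDS,
                           "used": False}
    return token


def redeem_reset_token(token, new_password, now=None):
    """Single use and time-limited: the token is burned on the first
    successful reset, so the same link cannot reset the password twice."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(token)
    if entry is None or entry["used"] or now > entry["expires"]:
        return False
    entry["used"] = True                # mark consumed before changing anything
    register(entry["user"], new_password)
    # Any other outstanding tokens for this user are invalidated as well.
    for other in RESET_TOKENS.values():
        if other["user"] == entry["user"]:
            other["used"] = True
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("form shown to alice:", settings_form_fields("alice"))
    print("change with wrong current pw:", change_password("alice", "guess", "x"))
    link = issue_reset_token("alice")
    print("first use of reset link:", redeem_reset_token(link, "after-reset"))
    print("second use of same link:", redeem_reset_token(link, "again"))
```

The stored record for a user contains only a random salt and a PBKDF2 digest, so the settings page has nothing to pre-fill even if it wanted to; the reset flow keeps its state server-side, so reusing a link is refused regardless of what the client sends.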

I'd like everyone to take a trip back in time with me. Back in time to when Myspace was the biggest social network around, and Facebook was just starting. I remember when Facebook had only just expanded from a select set of East-Coast schools to suddenly allow anyone with a recognized .edu email address, and my sister got her account. Shortly thereafter, it expanded to allow high-schoolers, and then I got my account.

Back then, I avoided Myspace like the plague. It was the biggest, it was the flashiest, a bunch of my friends had accounts... but it wasn't what I wanted. It was (frankly) ugly, cluttered, and didn't present information in any way that was useful to me. I waited, and when Facebook was opened up to me, it was worth it. Facebook was clean, pristine, professional. It was a small, select group of people, all within a few years of age of each other, creating a single, cohesive environment. It was exactly the social network that I wanted.

But since then, in my opinion, Facebook has gone downhill. It wasn't any one specific thing -- opening enrollment to anyone, adding features like chat, games, and apps, or the long series of privacy concerns. But, on the whole, the Facebook experience has declined.

And now I think it is time for a new social network. So far, from what I've seen, Google+ seems to be that. And I know I haven't seen everything yet. In a time when Facebook has become messy, cluttered, and no longer serves my needs, Google+ is the product that seems clean, pristine, and professional.

Sure, some time down the line, maybe another service will come along that will bump Google+ off, and everyone will call it the latest and greatest, and we'll have yet another social network mass migration. But until then, I'm going to continue to use Google+, and I'm going to like it.

I hope you all do, too.