Daniel Moix
Computer Information Systems Instructor, Google Certified Teacher, Educational Technology Trainer and Consultant
Resume
http://resume.moixland.com
Posts
Nearly two years ago I received an email advertising a quality graduate program in curriculum and instruction at an unbelievable price. I spoke with an outsourced recruiter who promised me the world if I would start “today.” She encouraged me to pay all the costs up front to ensure that tuition increases would not apply to me. I was deeply concerned with the legitimacy of the program and how I would be perceived as a graduate of such an outfit. “Nowhere on your transcript will it say that your program was all online,” she reassured me. I was not reassured…
Rather than jump in with both feet, I signed up for one course to check the program out. The online learning environment was easy to navigate, course expectations were clearly communicated from the start, and I was given weekly feedback on my work. I interacted with my teaching assistant frequently in the first course, requesting more thorough feedback than “Great Work! 25/25.” I found the mix of reading, writing, and doing assignments to be reasonable and thorough. I was sold.
Since completing that first course, my impression of the rigor, quality, and legitimacy of the online Educational Leadership program at Arkansas State University has only improved. Although slight changes in content delivery, feedback formats, and internship details have come and gone, the quality of instruction has remained uncompromised. In spite of the “first line of defense” being teaching assistants, I have always felt connected to my professors. One even invited me to come to Jonesboro and join her for coffee to continue a discussion we were having via email.
The advertisement that drew me into this program claimed to enhance my leadership skills, dispositions, and practices. Although I possessed leadership aspirations as a classroom teacher, I was sorely lacking in leadership skills and practices. This program has developed each of those in me and more. I have grown from teacher to educator. My perspective has shifted from the students, resources, and activities in my classroom to the students, resources, and activities in my school and community.
Exactly how and when this transition occurred is difficult to pinpoint. Looking at my early internship activities and class assignments presented in my final portfolio, it is clear that my solutions were designed for the individual classroom and teacher. My most recent internship activities and assignments reflect a broader perspective inclusive of the school’s shared vision. This is a deep shift in my thinking and approach to solving problems.
The reflection component stressed by the program has also had a profound impact on my growth as an educational leader. By requiring key assignments and activities to be inventoried and presented with reflections, the value of early assignments can truly be experienced through the lens of a more mature student. I have taken time to review work completed in and out of class independently and with my mentor. Only by looking back is the true value of the work realized. Reflection is an activity that I plan to continue as a part of my professional growth plan.
In summary, the online degree program that attracted me for its flexibility and low price has proven to be worth its price tenfold. The skills and abilities that I have acquired when paired with the intangible shift in my perspective and dispositions will allow me to be a true educational leader capable of improving the lives of students for years to come.
Filed under: Daniel Moix, Great News, Reflection Tagged: Academic Partnerships, Arkansas State University, ASU, Daniel Moix, higher education holdings, online degree
One of the summer programs that I have been involved with since its inception is the University of Arkansas at Little Rock’s (UALR) High School Research Program (HSRP). I mentioned HSRP in previous posts on this blog.
This year, Arkansas 9th through 12th grade students have the opportunity to work directly with UALR faculty and students on a variety of ground-breaking research projects in the following areas:
- Computer and Information Science
  - Scientific Programming on High Performance Computing Systems
  - Sensitivity-Aware Secure Communications in Wireless Sensor Networks
  - Data Structures and Algorithms
  - Model of Facial Parameter Extraction and Animation
  - Step by Step introducing Scratch Programming
  - Creating a Twitter “Mood Ring”
- Engineering
  - Fabrication of MEMS-Based Piezoelectric Sensors
  - Photovoltaic Solar Power Systems
- Applied Science
  - Dynamic object following by a mobile robot
  - Mobile robot position estimation using a laser rangefinder
  - 3D imaging sensor for mobile robot navigation
- Biology and Chemistry
  - Exploring the effect of pH homeostasis on life span extension
  - Carbon-based Nanomaterials for Nanophotonics and Optical Biosensing
  - Synthesis and characterization of amide based iron or manganese complexes for activation of hydrogen peroxide and oxygen
Vernard Henley, Program Director, shared the following details about the program:
The objective of the HSRP is to engage academic high achievers in a focused research environment by proactively mentoring them and helping them make informed choices on appropriate course work during their high school years for pursuing future careers in science, technology, engineering, and mathematics (STEM) disciplines. In addition, the program provides informal peer mentoring by engaging students in faculty research projects, allowing high school students to establish early contact with college students and professors in specific areas of their interest. A list of available projects is attached.
The supervised residential camp is provided at no charge to students who are accepted to this competitive program. The HSRP runs July 10 – 29, 2011. Applications must be postmarked by April 22.
For complete details, please review the full projects list, the application, or contact Vernard Henley at (501) 569-8203.
Filed under: Great News Tagged: camp, free, HSRP, program, research, summer, UALR
I’m passing along details about the CSTA/ABI Equity Conference Scholarships. I attended the first of these, and I presented as part of a panel discussion last year. If you are interested in attending, CSTA and ABI have received grant money to provide travel assistance described below, but you must act fast.
Applications are now being accepted for the 2011 K-12 Computing Teachers Workshop. The workshop will be held at the Grace Hopper Celebration of Women in Computing Conference (GHC) in Portland, Oregon on November 11-12, 2011. The K-12 workshop is hosted in Partnership with the Computer Science Teachers Association (CSTA) and the Anita Borg Institute for Women and Technology (ABI) and will be the third K-12 teachers workshop held at the GHC. We hope that this year’s theme “Extending Our Reach: New Tools for Engaging all Students” will provide for a fun and engaging workshop.
For details, reference the workshop agenda. Space is limited for the workshop. Teachers who wish to participate in the workshop and apply for a scholarship to support their travel costs must submit an application. The deadline to apply is May 1, 2011. All applicants will be notified on June 15, 2011.
Registration for the workshop is $40 and includes Grace Hopper Conference activities. Registration costs will be waived for teachers who are awarded a scholarship to help support their travel costs. Scholarship awards (to be reimbursed after the conference) include shared hotel for 2 nights, airfare, ground transportation, mileage or gas up to the amount of the travel award. Participants who live less than 1 hour from the conference hotel will not receive hotel accommodations as part of their scholarship and are not eligible to be reimbursed for hotel expenses.
Filed under: Great News Tagged: abi, csta, grace hopper, scholarship, workshop
Looking over the 2010 update to the National Educational Technology Plan, I’m excited to see that the authors recognize and promote the value of social networking technologies in education. The community of teachers and learners that I connect with through sites like Twitter, Facebook, and Linked In is in the thousands. The value that instant access to these folks brings is incalculable.
One of the recommendations is that professional educators
Leverage social networking technologies and platforms to create communities of practice that provide career-long personal learning opportunities for educators within and across schools, preservice preparation and in-service educational institutions, and professional organizations.
The report goes on…
Social networks can be used to provide educators with career-long personal learning tools and resources that make professional learning timely and relevant as well as an ongoing activity that continually improves practice and evolves their skills over time. Online communities should enable educators to take online courses, tap into experts and best practices for just-in-time problem solving, and provide platforms and tools for educators to design and develop resources with and for their colleagues.
Unfortunately, my current institution is blind to the value that comes from access to such resources. Twitter, Facebook, Linked In, and many other sites are blocked for employees on some network segments. Where we can reach these resources, we have been warned very sternly not to. Consider this message from my institution’s president about sites such as Facebook:
Beginning tomorrow, we are asking our IT Department to give us lists of all [college] employees who are on these and other social networks. In turn, we will contact those employees and require that they submit to their supervisors and then to their up line vice president a written justification for this use and a detailed business purpose for it. Then, by reference to this memo, we are requesting that our IT department conduct random checks each week of employees logged into social network sites and these employees will be contacted and required to submit to their supervisors and then to their up line vice president a written justification for this use and a detailed business purpose for it. Most use of social networks by employees cannot be justified by a business purpose and is classified as personal use which is prohibited.
How do your schools treat social media? What approaches have you used to soften the stance of an otherwise progressive administration on this issue? Is this a battle worth fighting?
I’d better sign off before the Gestapo find out that I’ve been blogging… If you wish to reach me at work, I’d recommend sending a fax.
PS: This blog post came out after I wrote this entry. It’s a perfect example of how professional educators are using social media. Give it a read.
Filed under: Daniel Moix, Essential Technologies, Great News, Obligatory Post, Rant, Reflection Tagged: collaboration, Daniel Moix, facebook, firewall, linked in, national educational technology plan, social media, twitter
As I mentioned in a previous post, I’m presenting the Prezi portion of this workshop which is a wonderful mix of technology, a history presentation, a national park tour, and lunch in an old brothel. Check out the Prezi about Prezi (metaPrezi?) that I’ll be giving. Included are step-by-step directions for including Discovery Streaming files in Prezi.
The title for the Prezi portion of the workshop is “Forget everything you know about PowerPoint.”
Filed under: Cool Tool, Daniel Moix, Great News, Presentation Tagged: Arkansas History, Daniel Moix, DEN, Discovery, Hot Springs
I’m presenting the Prezi portion of this workshop next weekend. It promises to be a good mix of content, technology, and hands-on exploration. It’s offered at no cost, and they’re covering lunch! Hope to see you there!
Join Discovery Education’s Arkansas Leadership Council for a fabulous event on Saturday, November 6, 2010, as we explore Hot Springs, the perfect site to learn about Arkansas History. Hot Springs has a colorful heritage and the honor of having one of the first national parks. This event, which focuses on Arkansas History, emphasizes how Discovery Education Streaming and Streaming Plus can be used to supplement the Arkansas History curriculum.
During this event we will be teaching participants how to use Discovery media in Prezi, a presentation editor used to create live and online presentations. Participants will be encouraged to take photographs of the historic Fordyce Bathhouse, the Arkansas School for Mathematics, Sciences, and the Arts, and numerous other historic buildings, artifacts, and primary sources that surround the downtown area. Participants will then be able to include these photographs in their Arkansas history Prezi. The event will also include a presentation from the Director of the Garland County Historical Society as well as a National Park tour of the Fordyce Bathhouse. The event will finish with lunch at the historic Brickhouse Grill.
The entire event is sponsored by Discovery Education and is completely free to the first 25 participants who register at https://lrougeux.wufoo.com/forms/discover-arkansas/
Filed under: Cool Tool, Daniel Moix, Essential Technologies, Great News, Obligatory Post, Presentation Tagged: Arkansas History, DEN, Discovery, Hot Springs, Presentation, prezi, workshop
Google released a new feature in GMail this week, “Call Phone,” that promises to replace an entire VoIP ecosystem that I have cobbled together over the years. First, I’d like to explain how things did work, and then I’d like to show how Google has simplified placing and receiving voice calls on my computer for me.
As with any good lesson, let’s begin by defining terms…
Google Voice
A free service that allows users to use a web interface to control how calls are placed and received on their existing telephones. Voice gives users a single, public telephone number, but does not allow calls to originate or terminate at a computer.
Skype
A free service that allows users to place and receive computer-to-computer calls. To work, it must be installed and running in the background on both computers.
SkypeOut
A paid service, usually about $3.00/month, that allows Skype users to place calls from a computer to a telephone number in the US.
sipgate
Sipgate is a company that offers virtual telephone service. Users sign up, download the sipgate software, and then select a telephone number. When someone dials the telephone number, the software rings like a telephone, and the call can be answered on the computer. Users are allowed free incoming calls, but outgoing calls are billed by the minute. The sipgate software is very buggy.
Kluge: /klooj/ (from The Jargon File)
- n. A Rube Goldberg (or Heath Robinson) device, whether in hardware or software.
- n. A clever programming trick intended to solve a particular nasty case in an expedient, if not clear, manner. Often used to repair bugs. Often involves ad-hockery and verges on being a crock.
- n. Something that works for the wrong reason.
Right. Whether my iPhone’s battery is critically low or I need to record a call for use in a podcast or other multimedia work, I often place and receive telephone calls using my computer. Until this week, I’ve had a setup much like the one shown here.
When someone calls my Google Voice number, all of my telephones ring. Additionally, the call is forwarded to sipgate. When the sipgate virtual telephone application is running on my computer, it, too, rings like a telephone. By answering the sipgate virtual phone, I have achieved my goal. The drawback is that the caller is being routed through two different companies before reaching my computer, and if anything goes wrong anywhere along the way, the call drops.
Since sipgate charges by the minute for outbound calls, I decided to go with SkypeOut, which is only $3.00 per month. When I call someone, I want my Google Voice number to appear on their Caller ID. Until a few months ago, this meant using SkypeOut to dial my Google Voice account, and then using the Skype keypad to direct Google Voice to relay the call to my destination. It was a lot like using a calling card. Now, Skype allows SkypeOut users to set their SkypeOut Caller ID, making the process much easier. Still, SkypeOut costs me $3.00 each month.
Until last week, placing and receiving calls from my computer was a mess! Now, any time I’m logged into GMail (which is always), I can use browser-based software to do all of this without buggy programs bogging down my system or monthly fees!
To place a call, I simply click “Call Phone” from my GMail contacts list. I enter the number (or select the person from the integrated Google Contacts list), and I’m quickly connected. My outgoing Caller ID is my Google Voice number.
To receive a call requires a few simple steps, described here in the Google Chat Help documentation. Simply place an outbound call using “Call Phone” in GMail, then navigate to your Google Voice settings. In your list of phones, you will see a new entry for your GMail account at the bottom. Simply check the box!
Now, calls can be placed and received using a simple web-based tool offered free from Google that integrates perfectly with the other Google tools I already use. What a great week! Just another reason why Every Educator Needs Google Voice.
Filed under: Cool Tool, Great News Tagged: Call Phones, Daniel Moix, GMail, google, Google Calls, Google Contacts, google voice, kludge, kluge, sipgate, skype, skypeout, VoIP
Summer is coming to an end. Much of mine was spent working with summer programs at The University of Arkansas at Little Rock’s (UALR) College of Engineering and Information Technology (EIT). This time of year is also known as Attack of the Unpronounceable Acronyms!
EMBHSSC
The ExxonMobil Bernard Harris Summer Science Camp is a two-week, academic, residential camp that emphasizes increasing students’ mathematics and science skills while introducing them to college life and stimulating their interest in science and engineering as a potential career path. Each day, campers attended classes that included problem solving, research and communication skills incorporated with biology, chemistry, physics, environmental sciences, earth sciences, technology, engineering and design concepts, and field excursions.
An interdisciplinary experience that we created this year that I am particularly proud of called on students to combine skills from Mathematics, Science, and Technology classes to analyze water quality data from various sources on campus. Trimble, a leading provider of advanced positioning solutions, lent over $40,000.00 worth of Global Positioning Systems (GPS) hardware and software to the camp identical to those used in the gulf oil spill clean-up efforts.
Students worked in groups in the field to analyze water samples from fountains, streams, and sprinklers. Using their understanding of chemistry fundamentals such as pH, they paired water quality information with location information collected using the GPS receivers. Back in the classroom, students visualized the data with Google Earth, allowing them to speculate about possible pollution sources.
HSRP
I have been involved with the University of Arkansas at Little Rock’s High School Research Program (HSRP) since its beginning in 2006. The objective of the HSRP is to engage academic high achievers in a focused research environment by proactively mentoring them and helping them make informed choices on appropriate course work during their high school years for pursuing future careers in science, technology, engineering, and mathematics (STEM) disciplines. In addition, the three-week residential summer program provides informal peer mentoring by engaging students in faculty research projects, allowing high school students to establish early contact with college students and professors in specific areas of their interest.
Students worked on a variety of research projects this summer including Micro-Electromechanical Systems (MEMS)-based piezoelectric materials in health monitoring applications, Computer Modeling of Human Respiratory Physiology, SCRATCH Programming, Robotics, Distributed Computing, and Social Network Mood Analysis. For a full list including project descriptions, consult the 2010 project list.
As you can see in the above Animoto, the high school students have considerably more “play time” than the middle schoolers, but they all achieved great things this summer!
For more information about UALR, EIT, EMBHSSC, HSRP, or any other unpronounceable acronym, contact Vernard Henley, vwhenley@ualr.edu.
Filed under: Daniel Moix, Great News, Obligatory Post, Reflection Tagged: animoto, Daniel Moix, EIT, embhssc, HSRP, summer, trimble, UALR
Just a quick post — I’m stretched really thin working two summer camps simultaneously, but this was just too cool to pass up!
When they first start using Google Maps, most people want to make a “places I’ve been” map. The Google Maps interface is clunky to say the least, and the requirement to place the pin in just the right place causes some to abandon this project early. Even when you have a cheat sheet, it’s easy to get lost in the process.
Enter foursquare. This is a social tool that lets you “check in” with your location-aware mobile phone when you visit a place. Recently, Starbucks offered discounts to people who were the most frequent checker-inners at their nearby locations. While I was explaining to a group of middle school students how to use $5,000 Trimble GPS systems to collect and plot geolocation data points in Google Earth this week it occurred to me that it should be possible to do the same thing with foursquare data on a Google Map.
I’m not the first person to make this discovery, but it was my own idea, I swear!
To access your foursquare location feed in Google-friendly KML format, click on History and then pick the orange RSS icon. From there, copy the second link, labeled KML. Pay attention to the bottom note about adding ?count=25 to the address you just copied to specify the maximum number of most recent points to pull. This defaults to 25. The easiest part of this whole process is on Google’s end. Just go to http://maps.google.com and paste your KML URL right into the search box! Finally, click the “Save to My Maps” link (which only appears if you’re signed into your Google account).
If I survive this middle school camp I promise to blog again soon!
Filed under: Cool Tool, Daniel Moix, Essential Technologies, Great News Tagged: Daniel Moix, foursquare, gis, google, google earth, google maps, gps, kml, middle school, starbucks, trimble
Google recently opened its Voice service to all comers. I’ve been using Google Voice for a little over a year, and I’ve recommended it many times to friends and colleagues. Google gives you a new number, a unified voice mail box, and control.
I give my Google Voice number to everyone. I put it on my syllabi, I list it on my resume, I hand it out on business cards, I share it in workshops, and I even post it online. My Google Voice number is (501) 303 MOIX.
I have my Voice account set up to announce callers. This feature is optional. What happens when someone calls my Voice number depends entirely on their Caller ID information.
If it’s a new number…
the caller is greeted by “the Google Voice lady,” is asked to speak their name, and then hears ringing. If the call is not answered, it is sent to voice mail.
If it’s a caller who has already given their name before or if their number appears in my Google Contacts list…
the caller simply hears ringing. If the call is not answered, it is sent to voice mail.
Depending on who is calling and the time of day, some, none, or all of my phones ring. When I answer, I hear the name of the caller and a list of options. The primary options are to take the call or to send the caller to voice mail. If I select voice mail, I still have the option to listen while the message is being recorded and break in if necessary.
Why is this a service that all educators should seriously consider?
Documentation
By default, all Google Voice activity is logged. Dates, times, recorded names, and call durations are all easily accessible. If someone sends a text message to your Voice number that you reply to, both the incoming and outgoing messages are preserved. Voice messages will remain in your account until they are deleted, and thanks to the text transcriptions they are searchable by keyword.
Control
Giving your home or mobile number to parents provides them with a means to contact you outside of work hours, but sometimes people call at the strangest hours. By defining the times that you will not take calls you control when calls go directly to voice mail.
Consistency
This falls into two categories. First, if all of your contacts know to use your Google Voice number, you will avoid a situation where your private home or mobile number “gets out.” People will soon find that the best way to reach you is through the new number. Second, you can consolidate your GMail and Telephone contacts using Google’s comprehensive contacts system. Create and manage only a single copy of everyone’s information. If you use a smartphone, you can even sync Google Contacts back onto your mobile device.
In the end, Google Voice has many handy features that you can only appreciate once you’ve started using it. Voice lets you initiate phone calls and text messages right from your browser. If you are on a call that you picked up on your home phone you can quickly and quietly transfer that call to your mobile phone by pressing *. If you are “in the zone” and need to hold all calls, you can enable Do Not Disturb which can be configured to turn itself off after a duration you choose.
Using Voice is not without its challenges, though. If you are out and about and want to place a call using your Voice number, you have to dial into that account and then key in the number to call. Alternatively, you can use your phone’s mobile browser to initiate the call, but it still takes some effort.
Head over to http://voice.google.com and set up your account. It’s free, and they let you pick your own number.
Filed under: Cool Tool, Daniel Moix, Essential Technologies Tagged: Daniel Moix, google, google voice
Posts
Terrified someone has beaten me to this joke. Wish me luck! Oh, and Happy Halloween. I'll be dressed as a 6 foot tall Weiner.
Sometime this week, Google Reader will retire its many confusing sharing features, in an attempt to force their small but passionate community to relocate to Google+. It's part of the company's portal-wide redesign effort that will soon affect Blogger and Gmail, where Google will be adding new features instead of taking them away. But if you're a devoted Google Reader user, the chore of figuring out how to recreate your old Reader experience in the absence of friending and following far outweighs the upgrades like fancy new button gradients and Google+ integration. Don't worry. We've got you covered.
Creating Reader-Specific Circles
We borrowed the term "Reader-specific circles" from Google's executioner-like blog post about the outgoing social features: friending, following and sharing. This is the full-conversion solution that Google hopes most Reader users decide to pursue. If you're familiar with Google+, setting up the Circles is dead simple, but finding those friends and adding them to the circle one at a time is a huge pain. (Unless, as hinted in the official blog post, Google launches an easier export feature with the redesign.) Google+ also won't perfectly re-create the Reader sharing experience. And if you had any doubts about how badly Reader needed a redesign, the number of total steps and illustrations needed to sort everything out will dash them.
If you share items publicly in Reader, you don't have to change a thing - All of your Reader shares should be viewable by everyone following you. You just have to tell them to add you to their Circles in Google+.
Create a specific circle for your Reader friends
- Go to your Google Plus homepage and click the Circles icon at the top of the page (or this hyperlink). This will pull up all of your existing Circles and suggest a bunch of friends to add to them.
- Feel free to start dragging and dropping people into the "Create a New Circle" bubble on the lefthand side, but it'll take you a while if you have a lot of people to add. We've figured out a work-around so that you can add everyone at once.
Move all of your Reader followers and follows into Circles
- Click on the "Share Settings" button on the lefthand side of the page. It should be a link at the bottom of the "People You Follow" box. (You might have to click the + sign to expand the box.) It might be useful to name it "Reader Followers."
- Click on the link for "### people are following you." This should bring up a lightbox showing all of your followers.
- Once you see the list of people following you, open a new window with your new Google+ Circle. The only way to make sure your old followers will see your new Google+ posts is to add them one-by-one to your new Reader share circle. (Are you confused yet? It's confusing.)
- If you want to create a different circle of people that you follow, just re-do step one--name it "Reader Follows" or something. On step two, instead of clicking on the link for "### people are following you" click the link that reads "You are following ### people." This will pull up a list of people you're following that you can then add into your new "Reader Follows" Circle. Now whenever you want to read your old followers' shared items, just click the "Reader Follows" Circle on the lefthand side of the Google+ homepage.
Some Alternatives to Google Reader
If you're feeling burned by Google and want to ditch it altogether, there are a couple other RSS readers on the web that we'd recommend. However, social RSS readers have been hit hard by the successes of sharing on Facebook and Twitter so the once crowded marketplace that included start-ups like Streamy and Feed Each Other is now pretty barren. Tumblr also used to support RSS, but they axed the feature this summer. We'll be the first to say that the Reader alternatives are not great, and it might be time to admit it: RSS is dead.
Netvibes - Once a Google Reader competitor, Netvibes is a decent RSS reader with very basic sharing options: email, Facebook and Twitter. There's some bonus functionality in being able to set up Netvibes as an iGoogle-like homepage, if you're into that kind of thing. Bloglines is a very similar service.
BuzzBlaze - Earlier this year, The Next Web posted a preview of BuzzBlaze, an application that looks like a next-generation Reader. However, for now it's in private beta, but you can sign up for early access.
Google+ - As much as it hurts to admit it, Google+ is probably as close as you're going to get. Five months after launch, the social network is facing flagging traffic, struggling to keep people on the site and not making much progress with power users, like celebrities (as Twitter did) and brands (as did Facebook). But Google+ isn't finished yet. In the past few days, a small wave of new features have been splashing around in other Google products, like Reader and Blogger, and Google executives have announced that they'll soon allow pseudonyms on the site. It might even get a music store!
Roughly one year ago, a tool called Firesheep introduced a lot of us to just how easily another person on the same network as you can snoop on your browsing session and even masquerade as you on sites that require a login, like, perhaps most notably, Facebook. Here's a closer look at how network snooping works and how to protect yourself from it.
It's a long post, so I've separated it into two sections. Jump to the one you're most interested in:
How to Get Started As a Network Snoop
Long before Firesheep came along and scared us all by making it trivial to hijack another user's Facebook session, another, more robust cross-platform tool called Wireshark was already allowing anyone with a little bit of know-how to sniff out usernames, passwords, and authentication cookies on any computer connected to the same network as you.
A Brief Overview of How Your Computer Talks to the Other Computers (and the Internet)
In order to understand what Wireshark does, you first need to understand a little bit about how computers talk to one another over networks and how they use this information to, say, log you into a web site. (I'm not a networking expert by any stretch, so don't worry—I don't have a choice but to make this beginner friendly.)
When your computer talks to another over a network, they each send packets of data back and forth between one another. These packets do things like negotiate the connection, pass around cookies or passwords to authenticate, and ultimately do the things you want them to do—transfer files, the HTML that makes up a web page, and so on.
What Wireshark Does
What Wireshark does is sniff out the packets being passed around your network—whether they're heading to or from your computer or to or from other computers on the same network as you—and let you poke around at the data passed back and forth in these packets.
When you log into a web site, for example, your browser sends what's called a POST request to a server somewhere out there on the internet. Wireshark can capture that POST request, and if you know where to look, you can find your username and password in plain text—assuming you're logging into a site that isn't using a secured HTTPS connection, which will encrypt that information so you wouldn't be able to make sense of it. (See our previous guide to why you should care about HTTPS on Facebook and other sites for more details.)
To combat this, a lot of sites, like Facebook and Gmail, have turned on HTTPS by default for all communication between your browser and their servers. But there are still a whole lot of web sites out there that don't encrypt logins, and many that use HTTPS for logins but not for cookies.
Cookies are relatively small strings of text set on your browser by web sites. Cookies can be used to track your behavior, they can be used to keep your settings persistent on a web site, and, most importantly for this post, they can identify to servers that you've already logged in—meaning that if you hijack the right cookie, you can masquerade as someone else without ever needing their username or password. (This is what Firesheep did.)
Similar to how it can capture usernames and passwords sent over HTTP connections, Wireshark can also capture cookies for you (or some other nefarious sniffer) to gobble up toward whatever end you prefer, including to gain access to your online accounts. Also similar to the username/password situation, if a site uses HTTPS for all its connections, you won't be able to successfully sniff out and use its cookie.
So now that you know the basics, let's jump right into it:
How to Sniff Usernames and Passwords with Wireshark
In the video at the top of the post, you can see me demonstrate how to sniff out a username and password when I attempt to log into Lifehacker (which, unfortunately, doesn't use HTTPS). Here, I've rounded up a few other more detailed videos that demonstrate how to use Wireshark to sniff out usernames and passwords (you'll probably want to go fullscreen on the video).
Note: If you're capturing over Wi-Fi, you'll need to run Wireshark in promiscuous mode so that it'll sniff out all the various packets on your network (including those coming from other people's computers). This process varies depending on your device, so you may have to do a little hunting.
How to Sniff Cookies with Wireshark
This video demonstrates how to sniff out cookies, and while the site it demonstrates the process for (Facebook) now uses HTTPS by default, the same basic method would work for sites that aren't using HTTPS.
How to Protect Yourself from Network Sniffing
The kind of network sniffing demonstrated here is something anyone can do without much experience. As Mike from the password video points out: "Technology is like a gun. You can use it for good, to hunt for your family, or you can use it for bad, to rob a store." This dissection of Wireshark is aimed at education, but the fact is, anyone interested in using Wireshark for skeezy purposes need only spend a few minutes on YouTube to dig up the same information.
So now that you have a better idea of how easy it can be for anyone on the same network as you to poke around and potentially sniff out your passwords, cookies, and so on, what can you do about it? Here's a quick rundown of some of your best bets, from least practical or effective to most effective.
- Avoid working on the same network as people you don't trust: The kind of network sniffing we've demonstrated here can only be done by people on the same network as you. Keep in mind that it doesn't even have to be an open Wi-Fi network—coworkers on your password-protected work network can sniff your packets just as easily as someone at your local coffee shop.
The catch: You probably don't want to be limited to only using the internet when you're at home or on a network where you trust everyone.
- Always use HTTPS: A lot of sites—like Facebook and Gmail—have made HTTPS the default connection, and as we explained earlier, packet sniffing won't reveal your password or cookies on a properly encrypted HTTPS connection. Other sites support HTTPS but don't make it the default, which means you often have to manually type in https:// before the rest of your URL. Some of those sites, like Twitter, allow you to set your account to always use HTTPS (for Twitter, go to your Account settings and tick the Always use HTTPS checkbox at the bottom of the page).
Some sites don't offer an Always use HTTPS setting, which is where HTTPS-forcing browser extensions come in. The most popular is probably the HTTPS Everywhere extension for Firefox (written by the Electronic Frontier Foundation). This extension automatically directs your browser to the HTTPS version of over 1,000 sites. The catch with HTTPS Everywhere is that it only redirects sites in its list, so if you'd like to be able to redirect any site to HTTPS, you may want to check out Force-TLS for Firefox or HTTPS Everywhere for Chrome. Both of these extensions allow you to add new sites to the automatic HTTPS redirect.
The Catch: First, lots of sites still don't support HTTPS at all, and others only support it for logins (meaning your password is safe, but your session cookie isn't). On a separate technical note, Eric Butler (the developer of Firesheep) noted last year that some sites don't correctly support HTTPS anyway, and on those sites, in order to get the full benefits of HTTPS, you'd need to manually type out the https:// part every time you visit:
Some sites support full encryption everywhere, but don't implement it properly by failing to set the "Secure" flag on authentication cookies, negating most of the benefits and leaving users at risk. What that means is that any time you type the URL (e.g. "manage.slicehost.com") into your web browser (without explicitly typing https:// beforehand, which people rarely do) you will inadvertently leak your cookies with that first request, prior to being redirected to the HTTPS page. Slicehost and Dropbox are good examples of this mistake.
- Use a VPN or SSH Proxy (BEST OPTION): A VPN or SSH tunnel will act as the middleman between your computer and the dubiously secure servers on the internet so that everything sent between your computer and your VPN or SSH server will be encrypted—in effect encrypting all traffic that someone on your current network might want to try sniffing. I'm not going to show you how to set up a VPN or SSH server here, but I will point you in the direction of some good do-it-yourself options:
- If you happen to already pay for access to a web server to which you have SSH access, you can use that to encrypt your web browsing session with an SSH SOCKS proxy. If you don't feel like paying, you could set up your own personal home SSH server. If you're willing to pay just a little, you can get an Amazon EC2 instance with SSH access for around $0.50/month or pay $1 one time for access to Silence is Defeat.
- For another free option, check out our guide to secure and encrypted web browsing on public networks with Hamachi and Privoxy.
- Android users should check our guide to encrypting all internet use on your Android phone.
If you're on a Mac, I'd highly recommend installing previously mentioned Sidestep. The app automatically reroutes your traffic through a secure proxy whenever you connect to an open Wi-Fi network, and you can also turn it on any time you want from its drop-down in the Mac menu bar.
The Catch: The biggest hole in this option is that at some point along the line, your VPN or SSH proxy needs to submit the unencrypted version of a request to the web server, so if there were someone sniffing packets on the same network as your VPN or SSH server, they could sniff out the unencrypted data going between the middleman and the web server.
You've still got other security concerns to consider if you want to stay safe on public Wi-Fi networks, but the above options can make all the difference for securing your browsing. The best-case scenario is actually out of your control: Web sites and services all implement HTTPS by default for any and all potentially sensitive data. Photo remixed from Anton Prado/Shutterstock.
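For site operators, the mistake Eric Butler describes above (an authentication cookie set without the Secure flag) can be checked from a site's own response headers. The following is an added example, not code from the original post: the sample responses are constructed, the cookie-name hints are an assumption, and the HSTS check goes slightly beyond what the post covers.

```python
"""Audit HTTP response headers for cookies that would leak over plain HTTP."""

# Constructed sample responses (not captured from any real site).
LOGIN_ONLY_HTTPS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/
"""

HARDENED = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/; Secure
"""

# Assumption: cookie names containing these substrings carry authentication state.
AUTH_HINTS = ("sess", "auth", "token", "sid", "login")


def parse_headers(raw):
    """Return (name, value) pairs, keeping repeated headers such as Set-Cookie."""
    pairs = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, set of lowercased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0]
    flags = {a.partition("=")[0].strip().lower() for a in attrs if a}
    return name, flags


def audit(raw):
    """Return findings, in header order, for one raw HTTP response header block."""
    headers = parse_headers(raw)
    findings = []
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no HSTS header: first request to a typed URL may go over HTTP")
    for n, v in headers:
        if n != "set-cookie":
            continue
        cookie, flags = parse_set_cookie(v)
        is_auth = any(h in cookie.lower() for h in AUTH_HINTS)
        if "secure" not in flags:
            sev = "HIGH" if is_auth else "low"
            findings.append(f"{sev}: cookie '{cookie}' lacks Secure, sent on plain HTTP requests")
        if is_auth and "httponly" not in flags:
            findings.append(f"medium: cookie '{cookie}' lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for label, raw in (("login-only HTTPS", LOGIN_ONLY_HTTPS), ("hardened", HARDENED)):
        print(label)
        for finding in audit(raw) or ["ok"]:
            print("  ", finding)
```

A cookie flagged HIGH here is the one a sniffer on the same network would see on the first plain-HTTP request, before any redirect to HTTPS.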
Lifehacker's Evil Week is all about topics such as password cracking, social hacking and other questionable tricks to make sure you're in the know. Knowledge is power, and whether you use that power for good or evil is in your hands.
You can contact Adam Pash, the author of this post, on Twitter, Google+, and Facebook.
Authorities said the three-day text messaging outage was definitely responsible for a 40 percent decrease in traffic accidents.
An anonymous reader writes "There are two types of office workers in the world — those who file their emails in folders, and those who use search. Well, it looks like the searchers are smarter. A 354-user study by IBM research found that users who just searched their inbox found emails slightly faster than users who had filed them by folder. Add the time spent filing and the searchers easily come out on top. Apparently the filers are using their inbox as a to-do list rather than wanting to categorize information to find it more easily."
Read more of this story at Slashdot.
How very cool!
On computer science as a liberal art
“In my perspective … science and computer science is a liberal art, it’s something everyone should know how to use, at least, and harness in their life. It’s not something that should be relegated to 5 percent of the population over in the corner. It’s something that everybody should be exposed to and everyone should have mastery of to some extent, and that’s how we viewed computation and these computation devices.”
via Steve Jobs: ‘Computer Science Is A Liberal Art’ : NPR.
A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones.
zentigger writes "At approximately 06:36 EDT Thursday, October 6, 2011, the Anik F2 satellite experienced an attitude control issue and lost earth lock, affecting C, Ku and Ka services. The satellite went into safety mode and moved from pointing to the earth to pointing to the sun. This has put most of Northern Canada in the dark as all internet and phone services come in over F2."
As many as 12 million computers worldwide have been infected with a highly-encrypted computer worm called Conficker. Writer Mark Bowden details how Conficker was discovered, how it works, and the ongoing programming battle to bring down Conficker in his book Worm: The First Digital World War.
Without Lord Kelvin, there would have been no D-Day.
There's some very cool science history in the September issue of Physics Today, centering around a collection of analog computers, developed in the 19th century to predict tides. This was a job that human mathematicians could do, but the computing machines did the job faster and were less prone to small errors that had big, real-world implications. David Kaplan, an assistant professor in the University of Wisconsin-Milwaukee physics department, sent the links over. He says that these machines ended up being crucial and are a big, in-your-face reminder of the complications of living in a world without calculators:
"... it was particularly important during WWII in order to properly plan beach landings, but even without the war part I found it fascinating. We take this so for granted now, that we can crank out sin() and cos() values instantly, but that was not always the case."
We're talking about predictions a bit more precise than simply saying, "the water is low" or "the water is high." Physics Today explains why the behavior of tides was so important at D-Day and why the tide calculators were so important to Allied success.
You can read more about tide predicting machines on Wikipedia, and try out a Java simulation of Lord Kelvin's tide predicting machine at the American Mathematical Society website.
As an Allied cross-channel invasion loomed in 1944, Rommel, convinced that it would come at high tide, installed millions of steel, cement, and wooden obstacles on the possible invasion beaches, positioned so they would be under water by midtide.
The Allies would certainly have liked to land at high tide, as Rommel expected, so their troops would have less beach to cross under fire. But the underwater obstacles changed that. The Allied planners now decided that initial landings must be soon after low tide so that demolition teams could blow up enough obstacles to open corridors through which the following landing craft could navigate to the beach. The tide also had to be rising, because the landing craft had to unload troops and then depart without danger of being stranded by a receding tide.
There were also nontidal constraints. For secrecy, Allied forces had to cross the English Channel in darkness. But naval artillery needed about an hour of daylight to bombard the coast before the landings. Therefore, low tide had to coincide with first light, with the landings to begin one hour after. Airborne drops had to take place the night before, because the paratroopers had to land in darkness. But they also needed to see their targets, so there had to be a late-rising Moon. Only three days in June 1944 met all those requirements for “D-Day,” the invasion date: 5, 6, and 7 June.
From Craig S Wright, vice president of Global Institute for Cybersecurity + Research, a look at the use of SCADA systems that are connected to the Internet. You probably remember SCADA from the starring role it played in the Stuxnet worm.
For those who do not know, 747's are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 en route. If issues are noted, they can re-tune the engine in air.
The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is... I need not say more.
(Thanks, Ashkan!)
(Image: 747, a Creative Commons Attribution (2.0) image from dannyboymalinga's photostream)
Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."
One of the big issues with computer science education is that it is not an integral part of the curriculum. It is almost always an elective and doesn’t count as meeting specific graduation requirements. And then there is the whole issue of lack of teacher certification standards and standard curriculum. About the only standard in education is the Advanced Placement curriculum and it is far from universally accessible. It looks like a couple of members of Congress are trying to address these issues. (From Robert P. Casey Jr. | United States Senator for Pennsylvania: Newsroom – Press Releases.)
U.S. Senator Bob Casey (D-PA) and Congressman Jared Polis (D-CO) today introduced the Computer Science Education Act, which will help prepare Americans for the more than 1.5 million high-wage computing jobs that are expected to be created in the U.S. by 2018. The bill will help states to increase and strengthen their computer science offerings in K-12 education.
To reverse these troubling trends and prepare Americans for jobs in this high-wage, high-growth field, the Computer Science Education Act will:
- Ensure computer science offerings are an integral part of the curriculum;
- Develop state computer science standards, curriculum, and assessments;
- Improve access to underserved populations;
- Create professional development and teacher certification initiatives, including computer science teacher preparation programs in higher education;
- Form a commission on computer science education to bring states together to address the computer science teacher certification crisis; and,
- Establish an independent, rigorous evaluation of state efforts with reporting back to Congress and the administration.
It sounds good. I haven’t read the bill yet as it doesn’t seem to be in the Library of Congress Thomas database yet so I’m not ready to endorse the specifics of course. But I do like the sounds of what I read on Sen. Casey’s press release. There is no telling how far a bill like this will go and even if it passes it may be very different by that time. But at least some in Congress are aware of the issue and trying to do something about it. A while back we saw Computer Science Education Week get Congressional support. Another step in the right direction though it is too early to see how much difference that makes. CS Ed Week doesn’t force or even incent states to solve the issues we see in Computer Science Education though. Whenever you force people to do anything, no matter how good it is for them, there is resistance. If this bill starts some conversations that would be a good start. We’ll have to see where it goes from here.
EDIT: You can read the bill at http://polis.house.gov/UploadedFiles/Bill_Text_-_Computer_Science_Education_Act.pdf
It seems you can surf the Internet and check your email from virtually anywhere these days - in coffee shops, hotel lobbies, airport terminals and airplane cabins.
Well, it took some effort, but it appears that state politicians in Missouri may have finally gotten the message. After a widespread outcry and a lawsuit concerning a law that made it illegal for teachers to "friend" current and former students on social networking sites, as well as a lawsuit and an injunction by a court which found the law to be a "staggering" violation of the First Amendment, Missouri's Senate has amended the law in question to let teachers and students be virtual friends once again. The bill still needs to be approved by the House, but it cleans up the controversial part of the bill. Schools would still be required to have "a policy" on student-teacher communication, but won't have to completely limit such activities.
OnStar, the popular in-car navigation and emergency system, is notifying its users that it will track their location and speed even if users cancel service. And it reserves the right to sell that data.