New “Improved” Site


Hrmph. So they managed to disappear my last post, and now my blog looks really generic. I liked the way it used to look, thankyouverymuch.

Then I discovered that while Word on my laptop somehow knew the right password, I didn’t have it written down anywhere. Used to just be easy to reset, but now I can’t link my Live ID to the site without it, and I’m dead in the water.

Option 1 was to go write an app that would go do CryptUnprotectData on what’s stored in the registry on my laptop, but I couldn’t remember if we used any entropy, and I don’t have source access from home (in an attempt to keep myself from working too much). I could try it, but then I remembered that most of the blogging protocols just send the password in the clear, and while that’s completely ridiculous for a protocol invented this century to do that, it came in handy.

Having an actual firewall as my gateway, I could then just pop up a network monitor, go make a post, and sniff the traffic. Voila! There’s the password, now I’m back in business. Comes in handy being a hacker.

I should make a tool to export blog settings, and then import them back again into a different system…

So now I’m able to post from home again, which is a bit nicer – real keyboard instead of laptop keyboard…

I suppose the next project is going to be to sort out how to customize the appearance of the site again. Now on to what I started out to post about to begin with –


Comments (1)

  1. Surely the next project should be to implement some form of acceptable security on the blogging API at blogs.msdn.com? Considering that many posts would come from shared Wifi hotspots in places like PDCs, Black Hat, and so on, this seems fairly fundamental.

    Just sayin'. 🙂

    Andrew

    [dcl] Yep, it does seem that way. Maybe the link to Live IDs is the start of that. Most of the blogging protocols have exactly the same problem, and hence most of the blogging sites have the same issue. So the thing to do is to not post to your blog from BlackHat. I have no idea how secure or not Twitter, Facebook, etc are – haven't looked into it.

    I do notice that managing the site all seems to now be via Live ID, and that's currently (to the best of my knowlege) a reasonable auth protocol. Even so, I'm not doing the actual changes over https that I can tell, so even if the auth is good, it is probably not smart to go admin the blog from BlackHat, either – a MITM attack there could certainly happen.

    That's not _my_ next project though – my job's Office, not to solve MSDN's blog security.

     

Skip to main content