Tuesday, 15 April 2014

Heartbleed - Hype or Holy S#it?!

There are many articles describing the Heartbleed vulnerability (CVE-2014-0160), best summed up by this XKCD comic http://xkcd.com/1354/

In short - if the target server is vulnerable, it will return chunks of information stored in memory that it shouldn't. From a security standpoint, this is really bad.
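The missing length check behind that behaviour, shown as a simplified model added here (not OpenSSL's code and not from the original post). The handler names, the arena and the neighbouring bytes are constructed for illustration; the message layout follows the TLS heartbeat extension (RFC 6520).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_PADDING 16 /* RFC 6520: at least 16 padding bytes follow the payload */
typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);
/* Message layout: type(1) | payload_length(2, big-endian) | payload | padding.
 * rec_len is the number of bytes that actually arrived in the record. */

/* Vulnerable shape: echoes as many bytes as the message claims to carry. */
size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                      /* never consulted: that is the bug */
    if (claimed > cap) claimed = cap;   /* bounds the reply buffer only */
    memcpy(out, rec + 3, claimed);      /* runs past the real payload */
    return claimed;
}

/* Hardened shape: silently discard unless header + payload + padding fit. */
size_t hb_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len || claimed > cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Constructed demo: one arena stands in for process memory, so the over-read
 * stays inside a single array. Returns the reply bytes taken from past the record. */
size_t demo_overread(hb_handler handler)
{
    uint8_t arena[128] = {0}, reply[64];
    const char *neighbour = "password=CONSTRUCTED-SAMPLE";  /* constructed value */
    size_t rec_len = 1 + 2 + 2 + HB_PADDING;  /* 21 bytes really received */
    arena[0] = 1;                             /* heartbeat request */
    arena[2] = 40;                            /* claims a 40-byte payload */
    memcpy(arena + 3, "hi", 2);               /* real payload is 2 bytes */
    memcpy(arena + rec_len, neighbour, strlen(neighbour));
    size_t n = handler(arena, rec_len, reply, sizeof reply);
    return n > rec_len - 3 ? n - (rec_len - 3) : 0;
}

int main(void)
{
    printf("vulnerable: %zu bytes leaked\n", demo_overread(hb_reply_vulnerable));
    printf("fixed:      %zu bytes leaked\n", demo_overread(hb_reply_fixed));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against the size of the record that was actually received.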

Heartbleed has received a lot of media attention over the last week, a lot more than what the standard run-of-the-mill newfound exploit gets. But is it worth the hype? The majority of articles on the topic covered the theory and the resolution. So what about in practice? How easy would it be to successfully locate and exploit a server to obtain sensitive information?

In about 30 minutes I had myself an answer. Turns out it wasn't that hard at all.....


- Locate a target server, Google "Secure login", or "staff login", or similar. They're usually protected with SSL (HTTPS).

- Confirm the site is vulnerable to Heartbleed via any number of online testing sites.

- Download and compile publicly available exploit code on your platform of choice. (Kali Linux is a good choice)

- Run the exploit against the server, then 'strings' the output, searching for anything interesting.....

# strings out | grep password
browserName=Explorer&browserVersion=8&operatingSystem=Windows&userName=██████&password=██████&x=36&y=7@

user_id=███████&password=██████&browser=Microsoft+Internet+Explorer&browserName=Explorer&browserVersion=8&operatingSystem=WindowsR4




Done. Valid user names and passwords straight from a "secure target server" itself.

Note: This is probably the least technical example of how Heartbleed can be exploited in the real world. This is just the tip of the iceberg. You can bet the professional cyber-crims are all over this like nothing else, and with an arsenal of tools at their disposal.

In theory AND in practice, Heartbleed is very, very serious. If a website you're responsible for is running a vulnerable version of OpenSSL you DO need to act. If you're a user, you'll need to ensure your host isn't vulnerable, then change your password(s)!

https://shanemiller.net/


Wednesday, 9 April 2014

Bike Build: Specialized Shiv Elite A1... with some mods.

While waiting to get back on a stealthy Shiv TT rig again after my "van Summeren" moment on Richmond Boulevard, I pulled the trigger on a budget TT bike, a Specialized Shiv Elite A1 Apex.

The budget-minded Shiv Elite features a lightweight alloy frame with UCI-legal airfoil tubing, a stiff carbon fork, and our Hydroformed Alloy Aerobar for wind-cheating speed and solid handling. The SRAM Apex 10-speed drivetrain adds reliability and efficiency.

Out-of-the-box pretty.... A good starting canvas.
These bikes hit the market somewhere around the $1500 mark, then dropped to $999, and if you're lucky you'll find one lower than that. I've pointed a few people towards these rigs in the past and they've been happily TTing away on them.

Everything comes in one massive box, wheels and all, partially assembled. Thanks to the guys at The Ride Cycles, the first thing I did in the workshop was to disassemble everything to start the build from scratch with my own parts. I had a plan to squeeze more speed from the budget-beast.

I'm very happy with the result. I was able to set this up with the exact measurements from the Shiv. The basebar is a little higher, but the arm pads are spot on for height.

Done!

Swapped out parts:

Groupset: SRAM Apex -> Shimano Dura-Ace 7800/7900 mix.
Cranks: SRAM S150 -> SRM Wireless Ant+ 175mm.
Brakes: Tektro -> Shimano Ultegra Rear, TRP T925 Front.
Brake Levers: TRP TL720 Aero lever -> Shimano Dura-Ace BL-TT79 Carbon.
Saddle: Romin Evo Comp -> Specialized Sitero.
Stem: Specialized EliteSet -> 3T -17degree 110mm.
Headset: 20mm spacer cone -> Replaced with low profile spacer.

Modifications:

Basebar: Kicks removed from outside/brake levers to flatten the front end.
TT bars: Shortened to meet 2014 UCI regulations (80cm from tip of lever to center BB). Mounted underneath the basebar.
TT pads: Slammed on top of base bar. Secured with longer bolt into the TT bars on the underside.







Tuesday, 1 April 2014

AGF Gran Fools' Prank

As a passionate critic of social media shenanigans, I promised someone I'd pen some words if this turned out to be an April Fools' joke. It was. So here we go.....

I've competed in the AGF Gran Fondo for the past two years. While it is as hectic as any A Grade race up the front barrelling down the Great Ocean Rd, and in recent years the 'timing cheating' tactics have ruined the competitive side of it - it is still a very well-run event in a unique location. I'd call it a 'must do'.

To my surprise, and that of 1,000s of others, an email was sent this morning, April 1st, confirming all entries were sold out. This was confirmed via their official Twitter account too. 

Bugger!
Double bugger!

Note the date, yes, April Fools'. But this WAS an official email communication from the foundation. If this was a practical joke or a hoax, I fail to see how shutting the doors on the event to 1,000s of people is a good marketing ploy? This is the complete opposite of what they should be doing, right?


Keeno was a buy-in ticket holder to an audience of 9,000+

As I ate breakfast, I had a good chuckle at the April Fools' post over on Cycling Tips. Smart, witty, funny. They got it right. Then I spent the next few hours wondering how an event that struggled to reach capacity last year could sell out so soon, and what we'd be doing that weekend in September instead.

Turns out at around 12pm, it was all shits and giggles at AGF and their newly appointed marketing company, Jump Media. It was an April Fools'! Entry is now OPEN! Wasn't it funny to disappoint everyone by slamming the door... then confusing them by announcing entry is now open? No. You honestly can't tell me there weren't a thousand other gags they could have pulled? Jump Media my finger is pointed at you. What the hell were you thinking?!


I feel sorry for whoever they convinced at AGF that this was a good idea to run with. It wasn't. How could something that may turn people away from the event ever get approved? Who sold them that? Who agreed to it? Didn't we all learn a thing or two from those 'painted models' only a few months ago? Pissing off a large portion of your target market isn't ideal. "Oh, it was in good taste".. or "Oh, April Fools" doesn't quite make an apology.



First impressions count. Regardless of the three subsequent emails and many Tweets I've received indicating that AGF 2014 entries are now open, there is still that initial disappointment that I won't be taking part this year. This isn't the case, I will be there to support AGF and everything they do for cycling... but it might take a few weeks for this stench to subside.

Jump Media, if you're still a client of AGF, it is a miracle of epic proportions. I hope the PR tidy up was included in the consulting fees. I don't think it was fair on them to have to deal with this.

So you got me AGF, well done. However I think you've been fooled if you've paid Jump Media a single cent for this PR failure.


To register for the 2014 event: http://www.amygillett.org.au/amysgranfondo2014

Tuesday, 11 March 2014

Don't worry mum, I'm ok.

My ride on Richmond Boulevard came to an abrupt halt on Sunday morning. A recreational rider pushing his bike stepped out from a traffic island, glanced in my direction, saw me, then stopped. I thought for a moment he wasn't going to stop.

Then he took another step, pushing his bike right into my path as I rode past. I was soon flying through the air and on my arse from 48km/h.

Classic plodder plough graph. No time to even coast!

Old mate "thought he had enough time" to wheel his bike across in front of me and was very apologetic.

A few passers-by were a little stressed at seeing what happened and the resulting blood loss. Once I was on my feet, I took names and numbers and limped home to the shower to scrub out the dirt.

Reverse aero test - passed!

With an elbow the size of a tennis ball and limited arm movement, I went to Box Hill Hospital for scans. Two minutes after walking in I'm on a stretcher and in a neck brace. Turns out that slight twinge in my neck from smashing my helmet was cause for concern. 5 hours later and x-rays of the damaged bits, I was given the all clear. Just meat damage. No collarbone break this time around. Happy days.


The equipment assessment was as expected: Helmet DOA, wheels out of true, shoes scuffed, kit ripped up, and the Shiv TT frame has stress cracks on the downtube and two snapped seat stays. Shiv #2 on the carbon scrap heap......



F'ck you cycling. I'm still here. You're going to have to try harder.

Tuesday, 4 March 2014

Aero Road Helmet Testing - Round 1 (Prevail, Evade, Melb Bike Share)

Aero road helmets have been WorldTour trendy for a while, with most teams sporting an aero version of their standard road helmet. Aero road helmets from Giro, Kask, Specialized, Bell, POC, even Lazer with their GladWrap covers are all seen in the peloton.

Googlering away for aero road helmet reviews, I found a lot of reviews based on looks, weight, price, yet not a lot of data. Some manufacturers published their own data to make the sell. I don't trust any "data" published by the same company trying to sell me something. I'm interested in the proof. Independent tests. The actual benefit of something being sold as a performance enhancer, or to use a term to better increase the SEO of this post, a marginal gain.
  
The only true test would be a wind tunnel, an indoor velodrome, or some funky iBike paired with a power meter. Without any of these, I waited for a very calm day and ran a number of five minute power tests at different speeds on an outdoor velodrome (Packer Park) and flat section of road (Richmond Boulevard).
  
Yes I wrote the results down! Never trust technology, much. :)
Equipment: Road bike (as pictured). Standard road wheels. Short sleeve onesie 'crit suit'. Quarq power meter (zeroed before each test). Garmin 800 head unit.  No gloves. No shoe covers. Water bottle on the down tube.

Helmets: Specialized Prevail (M), Specialized Evade (M), Melbourne Bike Share (M), and Limar Crono (L). The Crono TT helmet was added to the mix to make sure my testing was working, it should score lowest on each test.  

Method: 5 minute intervals maintaining a set speed. Static position on the bike (hands on hoods, slight bend in elbows, standard road position). 

Tests 1&2: Velodrome. 38km/h and 43km/h.

Test 3: Road. 41km/h out and back. Pausing the data recording for the u-turn.


Conclusions: For me, I'll keep wearing my Prevail for training, it'll be a harder workout. Is an Evade worth it? Yes compared to a Prevail. Absolutely not compared to a $5 Melbourne Bike Share helmet.

I really wasn't happy with the two velodrome tests. Even with next to no wind, my speed/cadence/power was oscillating every 10-15 seconds from the bends to the straights. The averaging takes care of this, however I don't think it was truly representative of real-world conditions.

Test 3 on the Richmond Boulevard produced some very interesting data, a massive 16W difference between the Evade and the $5 Melb Bike Share helmet at ~41km/h. This needs to be investigated more.

Further Testing: More road testing. More helmets. I definitely need more data on the Evade vs MBS battle. I'll use the Prevail as the control and not bother with the Crono. Round 2 will be very interesting.

Steele von Hoff - Winning national championships and hearts.... in his aero road helmet