GitHub SSH Public Key Fingerprint Checking

March 7, 2012

A security vulnerability was discovered in GitHub this week that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. Although there was no known malicious activity using this exploit, GitHub is taking the responsible step of emailing all users who have SSH keys associated with their accounts, asking them to verify and approve those keys before they can be used to clone/pull/push repositories over SSH.

The GitHub audit page looks like this:

Here’s a quick reminder of how to get the fingerprint of your SSH public key using the ‘ssh-keygen’ command. Use the name of your local public key file that you want to check.

ssh-keygen -lf id_protodave_github.pub

The resulting fingerprint will look like:

2048 b5:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:2f  protodave@github (RSA)

If the fingerprint of the local, trusted copy of your SSH public key matches the one GitHub shows you, then it is safe to click “Approve”.
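The colon-separated hex value above is the MD5 form of the fingerprint; OpenSSH 6.8 and later print a SHA256 form by default, and `ssh-keygen -E md5 -lf <file>` gives the hex form again. The sketch below is an added example, not code from the original post: it derives both forms from a `.pub` line and compares them with a value copied from the audit page. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str):
    """Return (key_type, blob) from one line of a .pub file."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob repeats the key type as its first SSH string; reject a mismatch.
    if not blob.startswith(ssh_string(fields[0].encode())):
        raise ValueError("key type does not match key blob")
    return fields[0], blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 hex: the format shown in the post."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Unpadded base64 SHA-256: the default since OpenSSH 6.8."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches(pub_line: str, shown: str) -> bool:
    """True if a fingerprint shown by the site belongs to the local key."""
    _, blob = parse_public_key_line(pub_line)
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        local = sha256_fingerprint(blob)
    else:
        shown = shown.removeprefix("MD5:").lower()
        local = md5_fingerprint(blob)
    return local == shown


# Constructed sample (not a real key): ssh-ed25519 type with bytes 0..31.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 %s demo@example" % base64.b64encode(SAMPLE_BLOB).decode()
```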

 

Eclipse, EGit, GitHub, JSch and AES-128 encrypted private keys

January 25, 2011

Here’s a tip if you are having trouble connecting to GitHub using Eclipse/EGit with a recently generated SSH key pair…


JavaScript Word Wrapping

January 18, 2011

I recently needed to do some manual word wrapping (and possibly hyphenation) of strings in JavaScript and found some interesting code projects:

Checking your DKIM DNS record

January 6, 2011

DKIM For The Masses

Google announced today they have added the ability for Google Apps customers to sign outbound email using the DKIM (DomainKeys Identified Mail) standard.

You can set it up for your own Google Apps domain (if you are the domain admin) using these instructions.

It’s a simple process, but the trickiest part can be creating the DNS TXT record (which contains your DKIM public key), depending on how you manage your DNS. If you are serving DNS directly via your registrar, Google has some specific instructions for popular domain hosts.

Checking your work

Here’s a quick tip on how to check that you created the record properly and that it is being served…


Counting your top WordPress comment spam source IPs and URLs

December 16, 2010

Photo Credit: Flickr/Jerry Pank

I launched a new WordPress blog for a client a few months ago and have been watching as comment spammers find the site and do what they do best: leave spam. As the first few spam comments started coming in, I would flag them, then manually copy/paste the source IPs and URLs to the built-in WordPress “Comment Blacklist”.

Over time I started seeing some duplicates, and I noticed bursts of spam from certain IPs or linking to specific spam URLs. I was curious to see what these top IPs and URLs were, as they would seem to be the best candidates to include in the blacklist.

So, let’s dig around in the database a bit…
