Dec. 20th, 2023

thewayne: (Default)
This is very bad.

SSH is one of the fundamental underpinnings that makes the internet and world wide web fundamentally secure. Well, we now know that it has some serious weaknesses.

What it boils down to is compatibility. There's lots of ways to implement SSH. Think of them as a whole bunch of switches, and each switch is a different implementation. Some are strong, some are not. They're all out there so that if I use Switch A and you use Switch B, we can still talk. Very convenient, but also a bit problematic. What happens if Switch C has some weaknesses to it?

The problem is that in lots of SSH implementations, Switch C is left turned on for ease of compatibility. And unless people know and specifically turn Switch C off, and all the other known weak switches off, then there are exploitable weaknesses.

The bad news? LOTS of systems are vulnerable. From the article: "A scan performed by the researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice."

77% support the vulnerable mode and 57% PREFERRED IT? YIKES!

The good news is that it requires a Man In The Middle attack (MITMs), and those are not easy to carry out - but they can be done. The even better news is that the security researchers have released a scanner to let server administrators know if they are vulnerable. Some SSH packages have been patched to fix this issue, others I'm sure are in process. But there is also a likelihood that some implementations are not, or that some servers are not being updated for various reasons and will continue to be vulnerable.

I don't think this represents much of a problem for users, so much as for network administrators. Unless you're a very valuable person and likely to be targeted by hackers or world powers, the resources needed to pull this off are not likely to be moved against you. As I said, MITMs are not easy to pull off, and if you're not Pentagon R&D level sort of stuff, you're probably safe. But I expect Apple and Microsoft and the various Linux distros will be patching their SSH bundles to make sure everything is good in the very near future, just to make sure.

Warning about the article: it gets REALLY deep into the SSH weeds, so don't bother with it if you're not already wise into the subject.

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
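
The "switches" described above are the algorithm names a server advertises when an SSH connection starts. As an added example (not code from this post or from the researchers' scanner), the sketch below checks one server's advertised lists for affected modes; the algorithm names, the criteria and the sample lists are assumptions drawn from public write-ups of the attack, none of which appear in the post.

```python
# Added example: classify the algorithm lists one SSH server advertises.
# Criteria are assumptions taken from public write-ups of this attack,
# not from the blog post: ChaCha20-Poly1305, or a CBC cipher paired with
# an Encrypt-then-MAC (EtM) MAC, is affected unless strict key exchange
# is negotiated.
CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def split_list(name_list):
    """Split an SSH comma-separated name-list, preserving preference order."""
    return [n.strip() for n in name_list.split(",") if n.strip()]


def assess(kex, ciphers, macs):
    kex, ciphers, macs = split_list(kex), split_list(ciphers), split_list(macs)
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]

    affected = [CHACHA] if CHACHA in ciphers else []
    affected += [f"{c} + {m}" for c in cbc for m in etm]

    # "Preferred" means the first entry in the list is an affected mode.
    first = ciphers[0] if ciphers else ""
    preferred = first == CHACHA or (first in cbc and bool(macs) and macs[0] in etm)

    strict = STRICT_KEX_SERVER in kex
    if not affected:
        verdict = "not-affected"
    elif strict:
        # The countermeasure only takes effect if the client offers it too.
        verdict = "mitigated-if-client-strict"
    else:
        verdict = "vulnerable"
    return {"affected": affected, "preferred": preferred,
            "strict_kex": strict, "verdict": verdict}


# Constructed sample lists (not captured from any real server).
UNPATCHED = ("curve25519-sha256,diffie-hellman-group14-sha256",
             "chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc",
             "hmac-sha2-256-etm@openssh.com,hmac-sha2-256")
PATCHED = (UNPATCHED[0] + "," + STRICT_KEX_SERVER,) + UNPATCHED[1:]
HARDENED = (UNPATCHED[0], "aes256-gcm@openssh.com,aes128-ctr", UNPATCHED[2])

if __name__ == "__main__":
    for name, sample in [("unpatched", UNPATCHED), ("patched", PATCHED),
                         ("hardened", HARDENED)]:
        print(name, assess(*sample))
```
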
thewayne: (Default)
Citrix is a major player in the computer networking equipment market. And they had a major, sorry, MAJOR software flaw back in October that was exploited bigly. They patched it and announced the patch as fast as they could, and their customers patched as fast as they could.

Which brings us to Xfinity.

From the article: "Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast didn’t patch its network until October 23, 13 days after a patch became available and five days after the report of the in-the-wild attacks exploiting it."

Ruh-roh!

Two weeks is far too long for a vulnerability that big to go unpatched. Care to guess what happened? Oh, I forgot. It was in this post's subject line.

To continue the article: "“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Comcast is still investigating precisely what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division."


Yeah. Free credit monitoring? Thoughts and prayers? There needs to be some executive job loss and demotions. But as this is Comcast, nothing will change.

Completely inexcusable.

Back in the '90s, when the I Love You email virus hit, I learned about it at about 7:15 or so in the morning. We literally unplugged our firewall from the internet as there was no patch for it at the moment. And we had no problems. You can't let shit like this go unchecked, or things like this happen.

https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/
thewayne: (Default)
I have been wanting a good ice cream machine for some time, and last week I did it: bought a Cuisinart beast of a thing. $300, but it has a compressor, which means you don't have to freeze the bowl overnight! You can, more or less, make ice cream continuously or at a whim! (if you have cream on-hand) You want to give the machine a 10 minute rest to cool down between batches, but you can churn (pun intended) a batch every hour or so! And considering that your mix needs to refrigerate for two hours and then be re-whisked before mixing, you'll be plenty busy with staging if you want to make a bunch of batches.

Tonight I took the basic base, which is: whole milk, heavy cream, sugar, a pinch of salt, and vanilla (no cooking required), and made one major substitution: Jack Daniel's Vanilla Eggnog for the milk! Let me tell you, that base was SOOO GOOD! The original plan was to add a salty chocolate caramel swirl to it at the end, but I had run out of heavy cream after making the base - well, almost entirely out: maybe a tbsp left. While the base was chilling, I ran out to the local gas station and dollar store, but all they had was half and half, which doesn't have nearly the butter fat content required.

Scrap the salty chocolate caramel.

Russet had crawled out of the bedroom at this point from her late afternoon/early evening nap, and we discussed the idea of add-ins. I had decided on just a plain melted chocolate, which with Ghirardelli chocolate, is fine. She also wanted cookies, so I broke up five cookies into small pieces and threw them in the freezer to minimize the temperature differential (as recommended).


And now, a brief commercial. If you're at all interested in making your own ice cream, you MUST buy the Ben & Jerry's recipe book! It's available as a hard copy at a vast array of stores, you can also get an ebook version for a quite reasonable $10 from the publisher. LOTS of recipes, and it's a very entertaining read talking about the formation of B&J's and lots of fun stories. BUY THIS BOOK!

Available from https://www.hachettebookgroup.com/titles/ben-cohen/ben-jerrys-homemade-ice-cream-dessert-book/9780894803123/

Back to our normal blog post, still in progress.


The Cuisinart manual says to add mix-ins at 5 minutes before the batch is done. In this case, I went with the default 60 minute recommended timer. At about 10 minutes till, I took the warm pan of water up to a boil to melt the chocolate, and pulled the cookie pieces out of the freezer, where they'd been chilling for about an hour. It was now down to seven minutes remaining. Literally as I started adding the cookie pieces to the mix, I could hear the machine start bogging down!

I was afraid that the cookie pieces, though few had been added, were causing a binding problem. But what had happened is the mix had reached a tipping point and had undergone a sudden state change into a much harder mix! B&J recommend adding things in at about 10 minutes before the end, and that's going to be my next time mark for mix-ins.

Adding the now-melted chocolate was unthinkable, the machine was barely turning at what seemed to be about 1 RPM.

I pulled the container out of the machine, got the mix off of the dasher (paddle) into a large bowl, and started mixing in the chocolate. Which of course was much hotter than the ice cream and started melting it a bit. Still, we got two bowls for Russet and me, though mine was delayed as I got the rest of the ice cream into storage containers and into the freezer.

And the verdict?

Tres bueno!

The cookies are store-bought "cowboy cookies" made in the store's bakery, fresh as of the 18th when I bought them. Sort of a chocolate chip cookie with nuts, they're not bad but not extraordinary. The eggnog base tastes absolutely wonderful and was a great substitution, I need to pick up a couple more cartons of it before it disappears right before or after Xmas. I wonder if freezing commercial eggnog is viable....

Future plans. I've never had cookie dough ice cream. I suggested to Russet making Earl Grey cookie dough ice cream, pasteurizing the eggs for the cookie dough before I make that. She suggested just straight Earl Grey ice cream. So a couple of options there. I'm definitely going to be making peanut butter batch(es). I don't know if I have her recipe, but my mom made a seriously great PB ice cream, and I don't know if I can make it as good, but it's a great childhood memory that I aim to make a good effort towards. Of course, a seriously good chocolate. I'm also planning a blueberry ice cream and basically playing with various flavors of fruit. The machine can make gelatos, yogurts, and sorbets, so lots of experimental space to explore!

Concerns: obviously, weight gain. One advantage of the machine is it only makes a quart and a half, a nice amount for two people. And I'm not going to make more than two or three batches a month, I don't think it'll be a big problem. It'll give us time to plan what we want to try for the upcoming batch.

Lessons Learned: stock more cream! The organic heavy cream lasts a long time, but I only had one container on-hand. Which was enough for one batch of base. If I intend to do the salted chocolate caramel, I need more. Live and learn. Also, we now know that the five minute mark may be way too late to add mix-ins. Now, it's possible that the nog-for-milk substitution changed the freezing characteristics of this base, I don't know. Future batches may be fine adding stuff at the five minute mark. It's something we'll learn more about as we continue making more.

One thing that was a nice, fortuitous discovery, was that our tall Ziploc round storage containers are the exact size needed to hold a full batch of base! Absolutely perfect fit! Screw on the top, place in fridge, done. Since you do need to re-whip the base after the two hour chill, I just rinsed the mixing bowl and beater and re-used them, then they went into the dishwasher.

Lots of fun, not a difficult cleanup, and very yummy!

I will say there's one slight problem. I did refer to the maker as a beast? That's because it's BIG. It weighs 23 pounds! And it's going to take a fair bit of storage space when I move it in the morning! I didn't know it was quite as big as it is when I bought it, it was a fair shock when I unboxed it last night. Oh, also, because it has a compressor, you have to treat it like a refrigerator: if it's ever turned upside down or on its side, it has to be placed upright for 24 hours before use to let the coolant resettle. And Cuisinart products, at least this one, have a three-year warranty and at least for my food processor, they were very good and quite fast at repairing it when the base motor seized up. I'm expecting to get a lot of use out of this puppy!
