What is an SDK vs. a JDK vs. a JRE?

The Content Management System we use at the office is written in Java, so on the development systems, we need to be careful to match the JDK version to the JRE version used by the CMS vendor. Periodically someone new will join the team, and they end up wondering what a JDK is and how it differs from a JRE.

So let’s break this down. Generally speaking, an SDK, or Software Development Kit, is the set of compilers, debuggers, and other tools used for creating software on a given platform.

That’s basically what the JDK is. The Java Development Kit contains compilers, debuggers and other tools for creating Java applications.

While a software (or Java) development kit allows you to create software, some software platforms also require a runtime environment. The JRE, or Java Runtime Environment, is the support software that allows a Java application to execute.

(Photo from Pexels.com, used under Creative Commons Zero.)

Dropbox

So, I woke up this morning to an email from Troy Hunt, or rather, a message from his Have I Been Pwned? service. It seems that my account was one of the 68,648,009 compromised in the Dropbox breach.

From the sound of things, there’s some mixed news. The bad news is, at the time of the breach, four years ago, many passwords were still being stored as SHA-1 (MD5) hashes. The good news is that they appear to have been salted hashes and the hash values weren’t included in the breach.

Dropbox did send out an alert a few days ago saying that they had reset passwords for anyone who hadn’t updated their password in the past four years (guilty!). The email said it was done as a precaution, but didn’t go into detail about what it was a precaution against. To find that out, you had to click through and read a blog post.

I’m probably OK. My password probably wasn’t as secure as it might have been, but thankfully, the lack of salt values for the SHA1 passwords should make them quite difficult to break. And perhaps most importantly, I’ve never used that same password anywhere else.

(But yes, I changed my password to something a bit more secure. It’s now 40 random characters generated by KeePass.)
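To make the point about salted hashes concrete, here is an added example (not from Dropbox or the original post) comparing what unsalted SHA-1, salted SHA-1, and a slow salted KDF give away when only the digests leak. The user names, passwords, wordlist and the salt-prepended layout are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: two hypothetical users who chose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}
# Constructed wordlist standing in for a precomputed digest table.
WORDLIST = ["123456", "password", "correct horse"]


def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    # Assumption: salt is prepended; the page does not say how Dropbox combined them.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def compare_schemes() -> dict:
    """Show what each storage scheme gives away if only the digests leak."""
    table = {sha1_unsalted(w): w for w in WORDLIST}  # built once, reusable
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}  # per-user, stored separately
    salted = {u: sha1_salted(p, salts[u]) for u, p in USERS.items()}
    return {
        "unsalted_same_digest": unsalted["alice"] == unsalted["bob"],
        "unsalted_found_in_table": all(d in table for d in unsalted.values()),
        "salted_same_digest": salted["alice"] == salted["bob"],
        "salted_found_in_table": any(d in table for d in salted.values()),
    }


def store(password: str, iterations: int = 200_000) -> tuple:
    """Current practice: per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    print(compare_schemes())
    print(verify("correct horse", store("correct horse")))
```

Salted SHA-1 is still a fast hash, which is why the `store`/`verify` pair uses PBKDF2 from the standard library instead.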

Some important takeaways:

  1. Change your Dropbox password.
  2. Don’t use the same password in more than one place.
    • Consider a password manager. I’m mostly happy with KeePass, but also hear good things about LastPass.
  3. Consider turning on two-factor authentication.
  4. Consider also signing up with Have I Been Pwned?
  5. Why are you still reading this? Go change your Dropbox password!

(Photo from Pexels, free for non-commercial use.)

Stopping Credit Card Offers

It seems like the mail includes a good number of credit card offers. Various companies seem to send offers for their special Visa or Mastercard affinity programs almost daily. It only takes a moment to run them through the shredder, and the fees for sending them help keep the lights on at the Post Office. Besides, figuring out how to stop them takes too long, right?

But Thursday’s daily email included something special! A credit card offer with the magic phrase, “You can choose to stop receiving ‘prescreened’ offers of credit from this and other companies by calling toll-free 1-888-567-8688.” Now, I’m suspicious of pretty much any offer that comes in as a spam email (these turkeys weren’t even supporting the Post Office!), but a Google search is pretty painless.

The second result was the US Federal Trade Commission’s “Prescreened Credit and Insurance Offers” page. So what do you know? That phone number’s legit.

So it turns out there are actually three options:

  1. Call 888-567-8688 and you can stop (most) credit card offers for five years.
  2. You can also stop (most) credit card offers by visiting https://www.optoutprescreen.com/ and clicking the “Click Here to Opt-In or Opt-Out” button.
  3. Or you can go for the gold by visiting that same link, printing out the form at the end, and mailing it to
    OptOut Department
    P.O. Box 2033
    Rock Island, IL 61204-2033

Total time spent: less than five minutes.

(Image via pixabay)

Food Production

I’ve been listening to the .Net Rocks podcast for about eight months and one of the things I like is their willingness to discuss topics outside the Microsoft software platform. The monthly “Geek Out” where co-host Richard Campbell deeply researches and then discusses a technical topic is another interesting part, and always informative.

A few months ago, the geek outs turned into a series on food production, starting with the history of agriculture, and moving up to how food is beginning to be genetically modified.

If you have any interest in food (we all eat from time to time), the series provides a lot of interesting information, and delves into some of the more controversial topics while remaining neutral. Well worth a listen.

Three Minutes of Fame

Today I was internet-famous for slightly more than three minutes; just long enough for Richard Campbell and Carl Franklin to read and reply to a comment on an episode of the .Net Rocks Podcast.

Back in January, I left a comment on their website, regarding StartSSL and Let’s Encrypt, two providers of SSL certificates they’d mentioned during the show. Today, show 1287 came out, covering the topic of “InfoSec for Developers” and they used my comment (right about the 5:40 mark) as the segue to the conversation with their guest, security professional Kim Carter. (Interestingly, he turns out to be using security certificates from one of the sources I’d commented on.)

So if you don’t know what that’s all about, an “SSL certificate” is one of the things you need in order to set up a secure website using HTTPS. This is part of what triggers the lock icon to appear when you’re viewing a secure web site. (You do look for that when buying things online, right?)

Richard made a valid point that a paid-for certificate really doesn’t get a whole lot more validation than what the free ones get, so if you’re able to take advantage of the free ones, there’s not really a lot of incentive not to. (It does leave the question of what extra value you get with a paid SSL certificate.)

The self-signed certificates mentioned in my question don’t have anyone vouching for their authenticity, though it’s not clear that the free or even the paid for certificates have anyone vouching for them either. There is another kind of certificate though, the “Extended Validation” certificate (which is what your bank should be using) which does involve some in-depth checking of identity.

One thing that does distinguish third-party (i.e. “real”) certificates from the self-signed ones is that if something goes wrong (e.g. the private key is stolen), a third-party certificate can be revoked. Since the webmaster is the only one vouching for a self-signed certificate, there’s no way to tell whether the person saying the certificate is valid is who they say they are. The third-party certificates come from a source which has been validated, and there’s a secure chain of connections for verifying that the certificate can be trusted.

How To Leave a Facebook Group Message

A friend mistakenly started a massive (50? 100?) group message on Facebook. After the initial admission of “I created this by mistake,” people started replying (to all) that they would like to be removed (which is something you have to do yourself) and others began asking, “How do you leave a group message?”

Below are the steps for doing this from the full version of the Facebook website. The mobile site doesn’t seem to offer this functionality and while this can probably be done from the mobile app, I don’t use it so can’t provide much guidance.

  • Click on “Messages” on the left hand side.
  • Click on the message you want to leave.
  • At the top of the screen, there’s a box labeled “+ New Message.”
  • Next to that, there’s a smaller box with what looks like either a gear or a sunburst. Click that.
  • A list of options will appear.
  • Click “Leave Conversation.”
  • Confirm that you want to leave.

Hacking a Space Probe

This is just absurdly cool.

The ISEE-3/ICE space probe was launched in 1978.
In 1997, its mission complete, it was sent a shutdown signal.
In 2008, we discovered it hadn’t shut down, was still responding to commands, and still had fuel.
And its orbit was going to bring it near Earth in 2014.

NASA no longer has the equipment for communicating with it and decided it would be too difficult and expensive to rebuild it. (Right about now, I’m thinking about V’Ger. “The creator does not answer.”)

In March of this year, xkcd published comic #1337 with the idea of a group of online volunteers re-establishing contact.

In May of this year someone actually did it!

According to the Rockethub page, contact was lost again on August 10, but it’s still amazingly cool that they were able to pull this off. (And for less than $200,000 to boot!)

Movies to watch during a snowstorm.

  1. The Thing – Scientists in the Antarctic are confronted by a shape-shifting alien.
  2. The Empire Strikes Back – Rebels living on an ice planet fight the galactic empire.
  3. Ice Station Zebra – A submarine crew rescues a team of scientists on the Arctic ice pack.
  4. The Day After Tomorrow – New York (and the entire Northern Hemisphere) enters a new ice age.
  5. Eight Below – A dog team is stranded in Antarctica and their trainer works to rescue them.
  6. Snow Dogs – A man from Florida inherits an Alaskan sled dog team.
  7. Balto – A heroic dog risks his life to bring medicine to Nome.
  8. The Ice Pirates – Interstellar pirates, in search of ice!
  9. The Lion, the Witch and the Wardrobe – The Kingdom of Narnia is locked in an eternal winter.
  10. Ice Age – A mammoth, a sabertooth tiger, and a sloth find a human child and set out to return him to his tribe. (Best to watch with the sequels The Meltdown and Dawn of the Dinosaurs.)

An “Impossible to Get” Guest

I managed to slip off to a con recently and ran into one of those “impossible to get” guests, but with a twist — this one wants to come to cons, for the fun of it as much as anything else.

The guest in question, and I was more than a little surprised to run into him (even more so that he wanted to talk to me!), was Lorne Greene. He wasn’t on the con’s official guest list; instead, he was there as an attendee. From talking to him, he’s interested in getting onto the convention circuit but first wanted to check out the scene in person. (He went full-out on it too, going so far as to show up with a reasonable facsimile of his “padded-robe” uniform from the original BSG.) He’d like to start coming to cons this year and gave me a card with all the appropriate contact information.

Talking to a friend about this encounter a short time later, we agreed that it was pretty cool someone of his stature actually wants to go to cons — so many of the well-known stars price themselves out of range. I was particularly surprised though since I thought he’d passed away about 20-25 years ago.

And that’s when I woke up.

Sure, booking Lorne Greene presents a few more challenges than most guests, but the good news is that he wants to be there.

Now if I could just remember that phone number….