29 years: A typical millennial.


Key Fob Exploit for Subaru Cars

It can be frustrating to be a modern car owner from a security perspective, considering the amount of technology that are packed in vehicles nowadays. For example, out of security concerns, I’ve turned off Bluetooth in my car due to known Bluetooth exploits. Thankfully, I have a USB wired connection to use instead. All the tech in cars is great, but like a modern PC operating system, known exploits must be patched (well, if they get patched at all).

One example I’ve found of security exploits in the wild is one involving key fobs for older Subaru models. Since a key fob is essentially transmitting a short-range unencrypted radio signal, that packet can be intercepted using some off-the-shelf components. The exploit is apparently due to a flaw in Subaru’s rolling code implementation where a would-be attacker can easily guess the next code in sequence. Thus the attacker can create an exact clone of the key fob and emulate all the functions of it.

This remains unpatched/fixed, but I also understand from Subaru’s perspective that the possibility of this being abused may be remote (no pun intended) and not worth fixing at all. However, since this exploit has been made public and on GitHub, it would be unwise for them to simply ignore it.

Get ready to hear more about these kind of security concerns as our cars get more and more connected (for better and for worse).

What Could Possibly Go Wrong?

After Equifax (or “Equihax” more appropriately) fails to protect the sensitive data of 140+ million Americans, they are handsomely rewarded by the IRS (perhaps incompetence is attracted by incompetence) with a $7.25 million contract to “verify the identities of taxpayers and provide fraud prevention services.”

Nope, nothing to worry about here.

Just reason number 725 million to loathe the IRS.

The Python Journey

One of my tech goals is to become “proficient” in Python. Working in predominantly Linux-based environments, Python is a very useful language to know and work with (along with Bash). Having worked in the .NET space for so long, I never got a chance to touch Python until working at my current gig. This is a prime opportunity to learn, but it’ll certainly take a lot of study, work, and practice. I may ultimately have to pay some money up-front for good resources (I took a Python Pluralsight crash course in the past), but here is a list of free beginner resources available for those also interested:

The journey begins, but like many other programming journeys, it’ll be a somewhat long and arduous one.

iOS 11: Initial Impressions

As a end-user who cares about security, I like to stick with iOS. It may not have customizability or flexibility of comparable Android devices, but at least I know the necessary security updates come, especially when it comes to potential zero-day exploits.

What I also really like about Apple is their long-term support for older devices. For example, my wife’s four-year-old iPhone 5s and iPad mini 2 (in terms of hardware generation) get iOS 11, including many of its nifty new features and security updates. The hardware runs the latest OS admirably and it’s a credit to how far mobile processors have come since the early smartphone days.

I know there is major hype surrounding the iPhone X (and much less so for the iPhone 8 devices), but I like my iPhone 6s Plus (and iPad mini 4). Unlike my wife, who is on an iPhone 5s with battery issues, I don’t need an upgrade. Back in the day, in the height of my “gadget fever,” I would have little hesitation to spend the money to upgrade. Now considering the overall cost of a high-end device and the need to be a more responsible adult with family to take care of, as long as the device I have suits my needs and daily use, I don’t mind wringing every last drop of usefulness out of it.

When running iOS 11 on my iPhone 6s Plus and iPad mini 4, the overall performance is solid – not great compared to iOS 10. For example, the animations and first-launch speed of apps aren’t as snappy (and 3D Touch app switching is gone!) They’re running two- and three-year-old processors respectively so it’s to be expected. Nothing drastic, but it’s worth noting.

UI-wise, while the general feel is the same, Apple seems to be going all in with larger fonts similar to their redesign of the Music app last year. One look at the redesigned App Store is evidence enough.


Not a terribly big fan of it, but I understand the design choice considering they have to cater to end-users with poor eyesight as well (like me).

Features-wise, I think the iPad benefits more with this release. For example, there is the inclusion of the Files app which gives iOS a rudimentary file system to work with. It’s included on the iPhone as well, but this becomes more useful with the iPad to make it closer to a laptop replacement. Couple that with better multitasking and Split View, it’s a decent laptop alternative.


I would say I’m more excited with the iOS 11 iPad enhancements than with the iPhone. Really makes the most of the hardware capabilities of the iPad mini 4.

All in all, aside from some annoying (lack of 3D Touch app switching) and expected (slightly reduced performance) quirks, I like iOS 11 especially for the iPad (I’m sure it will really shine if you have one of those fancier iPad Pros). Some of these quirks could be easily fixed with subsequent software updates. As an owner of older iOS devices, their usefulness (and security) are extended.

Now I’m curious how the iPhone X showcases iOS 11…

Understanding SSL: Part II – The SAN

Something I learned about SSL certificates I wasn’t aware of before (while SSL experts laugh at me) is the inclusion of Subject Alternative Name, or SAN for short. In a typical certificate, you would specify the hostname via the Common Name or CN. In a typical client (browser) to server scenario, the request must match the hostname specified in the CN of the certificate to ensure a valid, secure connection. Nowadays, SAN fields are now more commonly used to specify multiple domains and subdomains in a single certificate, as opposed to having multiple certs for multiple domains. SAN certificates are also known as “multi-domain” certificates.

SAN has been around for almost 20 years as part of the X509 certificate standard, but only recently have modern web browsers taken more notice of it. For example, as of Google Chrome version 58, by default, Chrome will ignore the CN in the subject field and instead requires certificates to specify the hostname in the SAN. Firefox as of version 48 checks this by default as well. What I understand about Common Name is that it isn’t as “rigorously defined” as the SAN. On top of being an untyped field, there are security concerns with CN that aren’t apparent with the SAN. Hence, with security being top priority for browser developers such as Google, it makes sense to enforce checks against the SAN instead of the CN.

As cybersecurity gets pushed more and more into the forefront of public discussion, it’s very useful to understand these key fundamental concepts.

I still have LOTS to learn myself.