Ssh-agent is a great program that lets you add the password to your SSH private key to memory, and then you don’t need to type in the ssh key passphrase every time. The basic usage is that you start BASH as a child of ssh-agent, and then use a program called ssh-add to prompt you for the password and store it in memory.

On OS X, there’s a GREAT program called SSHKeychain that handles this, storing the password in your OS X keychain, so it’s really seemless.

On Linux, you need to type in “ssh-add” manually every time you want to store the key, and after that your SSH sessions will be seamless.

However, I’m always forgetting to do that, and thus getting prompted for the password. Too many seams. I added the following code snippet to the end of my .bashrc file, and thus, every time I open a bash shell, it checks whether ssh-agent has any keys in memory. If it does, the shell starts as normal. If ssh-agent doesn’t have any keys in memory, it prompts you for the password. Simple, and as seamless as I can make it.

## Add key to ssh-add if it has not been added.

ssh-add -l &> /dev/null
SSHADDRESULT=$?
if [ "$SSHADDRESULT" -ne "0" ]; then
ssh-add
fi

UPDATE 2008-07-02: Here’s a much more succinct way of writing that:

ssh-add -l &>/dev/null || ssh-add

I’ve written an introduction to SPBS, and the reasons I’m writing it here, at http://code.google.com/p/spbs/wiki/SPBSIntroduction

NOTE: I have only experienced this on the Vancouver Sun section of Canada.com. I’m currently out of different IP addresses to try. I’ll try again from home to see if the rest of Canada.com is infected.

How I found The Problem: I followed a link from Bynkii.com to a Vancouver Sun story that Bynkii discussed. My browser was immediately hijacked. I visited the site again, and found no errors. I then tried from a laptop connected to our company’s wireless network (completely separate from our internal network, and through a separate ISP) and saw the hijack again. That time I got screencaps. Visiting the site through the wireless again showed no problems, leading me to believe that this displays one time per IP address. Trying multiple browsers did not result in another browser hijack, and neither did clearing cookies, making me think it’s recording IP address and attacking once per IP address.

Details:

The first time you visit Canada.com, your browser will flash through a few redirects, and then the following popup will appear:

Note that hitting either Cancel or OK appears to have the same result — you can’t get out of there. Your browser will then appear to scan your hard drive for viruses. It’s all theater; it’s not actually doing anything at this point:

It will then pop up a message (in an Windows-style message box — not sure how it did that):

If you’re on a Macintosh, it will then offer to download an EXE file. I’m not sure if it will automatically download and run the file on a Windows machine, because I’m not about to try.

I uploaded the downloaded file to virustotal.com, and it found a variety of badness there, general consensus seems to be that this file isn’t so bad by itself, but will once installed download and install an additional slew of malware and trojans of unknown potency. (I was unable to find really definitive information about this file; I’m open to suggestions for better places to look.)

File Install-MnBhY2lmaWM-a2V5aW4-a2V5a received on 11.08.2007 03:28:07 (CET)

Antivirus	Version	Last Update	Result
AhnLab-V3	2007.11.8.0	2007.11.08	-
Authentium	4.93.8	2007.11.07	could be infected with an unknown virus
AVG	7.5.0.503	2007.11.08	Generic9.HLR
CAT-QuickHeal	9.00	2007.11.07	-
DrWeb	4.44.0.09170	2007.11.07	-
eTrust-Vet	31.2.5278	2007.11.07	-
FileAdvisor	1	2007.11.08	-
F-Prot	4.4.2.54	2007.11.07	W32/Heuristic-119!Eldorado
Ikarus	T3.1.1.12	2007.11.08	Virus.Win32.Renos.AE
McAfee	5158	2007.11.07	BraveSentry
NOD32v2	2645	2007.11.08	Win32/Hoax.Renos.PY
Panda	9.0.0.4	2007.11.07	Suspicious file
Rising	20.17.22.00	2007.11.07	-
Sunbelt	2.2.907.0	2007.11.07	-
TheHacker	6.2.9.119	2007.11.07	-
VirusBuster	4.3.26:9	2007.11.07	Trojan.Renos.Gen.2

Additional information
File size: 31288 bytes
SHA1: ef6fce7ad9a01d6cabb84bffc3bddee6f43bfe4e

I submitted this to the Internet Storm Center, along with a malware sample, and e-mailed webmaster@canada.com with a warning.

Update November 15, 2007: Wired just wrote about the issue; apparently it affects a number of different sites, as the hijack script was distributed via the Doubleclick ad network.

Update November 16, 2007: Wired wrote about the issue again, quoting me this time.

There’s very little payoff in stealing 20 servers (the amount stolen in the recent robbery) for the hardware value — this is most likely about stealing the DATA on the servers. Most people in the market for rackmount servers wouldn’t buy them off trucks, and so you’ve got a crime with serious time and very little payoff if they were stealing hardware. I wonder how much valuable data (including credit card numbers) was stored on those boxes?

Eckels took umbrage at reports that their facility had been robbed four times in the last two years:

One of the biggest mistakes is that people are talking about four robberies. A robbery means than property has been seized through violence or intimidation. C I Host has technically only been robbed twice in two years. The other two were break-ins where things were stolen, but not robberies.”

Umm. That doesn’t exactly make me feel better. Although the facility’s staff probably prefer the burglaries — their night manager was repeatedly tasered and “struck with a blunt instrument” during the most recent robbery.

I don’t have the rights to copy it, and it’s generally rude to hotlink someone else’s images, so you’ll just have to click the link to see it. But it’s worth it for a real belly-laugh of geek humor.

If you see “https://” in the address bar, that connection is generally secure. In many cases, you can make an insecure connection secure by adding an “s” in the address bar and hitting “enter.” (Whether or not it works depends on the site’s web server configuration. Some aren’t set up to support secure connections.)

Google redirects you to a secure https connection while you’re logging in, but sends you back to http for everything else. So if you use Google Mail (aka gMail) without doing anything to secure it, any eavesdropper can read all your mail. This is not a huge problem on a wired connection, but if you’re using any kind of wireless connection, you should be concerned — and if you use an open wireless connection, you should be alarmed.

The “add an ’s’” trick doesn’t always work with gMail, as I’ve noticed it switching back to http seemingly at random.

You can get around this by bookmarking https://mail.google.com/mail — if you start there, Google will leave the entire session protected.

Another solution is Mark Pilgrim’s Grease Monkey extension to Firefox, GMailSecure. It automatically redirects from http://mail.google.com to https://mail.google.com — nicely solving this problem. Typing just “gmail.com” in the address bar first redirects to “http://mail.google.com/mail” (because of Google) and then redirects from there to “https://mail.google.com/mail” (because of GMailSecure).