Recipe: Spanish-Style Breakfast Casserole

Spanish Style Breakfast Casserole

More breakfast food! This is a nice hearty breakfast casserole that will fill you right up. I’ve made it a couple of times since going paleo and loved it both times.

If you’d like, you can make this recipe ahead of time, up to the point where it goes in the oven. Refrigerate it overnight, and in the morning, cook for a bit longer (about 15 minutes) in the oven.

Ingredients

  • 1 pound sweet potatoes
  • 1 green bell pepper, sliced
  • 1 large onion, quartered and sliced
  • 2 tomatoes, finely chopped
  • 2 garlic cloves, thinly sliced
  • handful black olives, cut into smallish pieces
  • 2 tbsp olive oil
  • 3 eggs
  • parsley, optional
  • salt
  • ground black pepper
  • smokey paprika

Directions

  1. Wash, peel, and cube the sweet potatoes into about 1 inch pieces. Parboil them for 10 minutes in lightly salted water, until tender. Drain and set aside.
  2. Heat oil in a large frying pan over medium heat.
  3. Cut the olives in half, or in 4 when using large olives.
  4. Cook the onion for 2 minutes, add the bell pepper strips and give it another 3 minutes before adding the garlic.
  5. Add the tomatoes and reduce heat to low. Cook for about 10 minutes to give the tomatoes a chance to lose their juiciness and soften the other vegetables.
  6. If you’re using parsley, finely mince it.
  7. Place the potatoes in a 9×13 inch casserole dish. Top with the vegetables and olives, then season with a sprinkle of salt, some pepper, and paprika to taste.
  8. If you’re making this to finish the same day, use the back of a spoon to make room for the eggs to go on top, then crack the eggs into it.
  9. Bake the casserole at 450°F for roughly 10 to 12 minutes, until the eggs set. The eggs should be fairly dry on top, but the yolk will remain runny.
  10. Remove from the oven and sprinkle parsley over the top.

 


Recipe: Loose Breakfast Sausage

Paleo Loose Breakfast Sausage

Breakfast foods are a great way to start any day. And it isn’t hard to make breakfast paleo. One of the first recipes I made was for this loose breakfast sausage, which is really just seasoned ground turkey. I especially like it because you can leave it in the fridge all week and just pull it out when you need it – making only as much as you need.

Ingredients

  • 1 tsp smoked kosher salt
  • 1 tsp black pepper
  • 1 tsp dried sage
  • 1 tsp dried thyme
  • 1/4 tsp dried rosemary
  • 1/4 tsp ground nutmeg
  • 1 pound ground turkey

Directions

  1. Grind all spices together.
  2. Mix the spices with the meat and let sit for an hour or two after mixing to blend the flavors.
  3. Cook in skillet over medium high until browned.

 


Going Paleo

On January 2 of this year, I decided it was time to change my diet. I was raised vegetarian, then pescatarian. It wasn’t until age 14 that I first tasted chicken (KFC, btw) and it went on and on from there.

Since starting at Mozilla (in 2007), I’ve gained quite a bit of weight and I couldn’t seem to shake it. Sure, I lost about half the weight just by living, but indulgences kept me from losing the rest.

After looking around at various diets and lifestyles, I decided on one that made the most sense to me, the paleolithic diet. Now, there are a bunch of different ideas of what this means and I’ve struggled a bit along the way, but I’ve tried to maintain a fairly strict paleo diet, incorporating some baked goods (using paleo ingredients).

(A small example of leeway is something like soy sauce, which isn’t paleo and I don’t use. However, there’s a substitution for it called “coconut aminos.” No caveman had anything like coconut aminos, but many consider it “paleo” because it’s made from coconut and salt. I use it from time to time, but not in excess.)

There’s generally a guiding principle you should follow with any diet and that is: do what’s right for you. Many people “cheat” on their diets and it’s something I found myself doing too. An eight day vacation (and a four day trip to visit my family) resulted in a vacation from paleo. Hello bread, dairy, soy, rice, and more! And I gained weight and felt much worse because of it. These aren’t the cheats that anyone should be doing.

But occasional dark chocolate, which still contains sugar just not as much? That’s acceptable as a treat.

In any case, a number of my blog posts going forward will be devoted to paleo recipes that I’ve tried and work for me. Some of them will veer from a strict paleo diet, but they are what works for me.


Timeline of Comodo Certificate Compromise

There’s been a lot written about the most recent Comodo certificate compromise including two Mozilla Security Blog posts on the topic, but I have yet to see a concise timeline of the events. As a former Mozilla security release coordinator, I’ve been following this topic closely and wanted to write up my thoughts, as well as a full timeline.

A good write up of the issue is available on the Mozilla Security Blog, as well as on the Tor blog, where Jacob Appelbaum did excellent detective work to find this issue long before it was publicly disclosed. I also want to mention bug 642395 in which details are emerging about a hacker claiming to be responsible for the compromise.

Timeline

      • 15 March, 18:00-20:00 – Certificates issued.
      • T+0d, 0h, 15m – Comodo revokes certificates.
      • T+1d, 1h, 32m – Mozilla informed of issue with initial list of certificates.
      • T+1d, 4h, 33m – Google lands initial fix in Chrome’s tree.
      • T+1d, 13h, 29m – Mozilla bug filed.
      • T+1d, 21h, 59m – Comodo confirms most major browser vendors aware of the issue.
      • T+1d, 23h, 44m – Chrome update with initial fix available.
      • T+2d, 1h, 38m – Mozilla lands initial fix on main development trunk and Firefox 4 branch.
      • T+2d, 13h, 29m – Comodo informs Mozilla of two additional certificates to block.
      • T+2d, 15h, 33m – Mozilla lands additional fix on main trunk and Firefox 4 branch.
      • T+2d, 19h, 59m – Google lands additional fix in Chrome’s tree.
      • T+3d, 16h, 45m – Confirmation that Apple is aware of the issue.
      • T+3d, 23h, 20m – Mozilla lands initial fix and additional fix on Firefox 3.5 and 3.6 branches.
      • T+6d, 17h, 44m – Firefox 4 with fixes available.
      • T+7d, 6h, 30m – Firefox 3.5.18 and 3.6.16 with fixes available.
      • T+7d, 7h, 12m – Mozilla announces certificate issue, without details.
      • T+7d, 20h, 44m – Microsoft issues fixes.
      • T+9d, 1h, 16m – Chrome update with additional fix available.
      • T+9d, 19h, 23m – Mozilla announces details of certificate issue.

Some notes about the above timeline:

      1. All times in UTC.
      2. T+0 is 15 March, 20:00 since that’s seemingly when the last certificate was issued.
      3. The “initial fix” listed is a patch blacklisting the initial 7 certificates that Comodo informed vendors about.
      4. The “additional fix” listed is a patch blacklisting the additional 2 certificates that Comodo informed vendors about.
      5. Details about when vendors other than Mozilla were alerted to the issue are hard to find.

There’s a lot to say about this event, much of which has already been said. Before talking about timeline, I think it’s important to call out Comodo for both their good and bad work in this instance.

To save face, Comodo could have simply revoked the certificates and dealt, in private, with the RA that issued the certificates. Those outside of the open source world know how hard it is to come clean, publicly, for something that can be kept private. Kudos to them for contacting browser vendors and ensuring a fix made it out fast.

That said, this isn’t the first problem Comodo has had. Previously Comodo allowed issuance of a www.mozilla.com certificate, allowing domain verification to be done by their RA.

(I could also mention bug 526560 but that wouldn’t be entirely fair to Comodo since other CAs are doing the same thing. While this is blatantly against Mozilla’s CA Policy, Mozilla has decided not to enforce such issues. The open bug on enforcing section 7 is 567193.)

Of course everyone is focusing on Comodo right now. I’d like to focus on the browser vendors and their reactions to this threat.

From the timeline, it’s fairly clear that one browser vendor has taken the longest getting this issue fixed. No surprise here, that vendor is Apple. I yearn for the day when Apple takes security seriously. Unfortunately, I think I’ll be yearning for a long, long time.

It’s also clear that Google responded fastest, issuing a fix to its users less than 48 hours after the attack. While we don’t know for sure when they were contacted, we can assume it was around the time Mozilla was contacted. It’s clear they went into overdrive and released a stable version of Chrome blacklisting the bad certificates less than 24 hours after being informed of the issue. Sadly, Google didn’t know that Comodo would later realize they had failed to disclose two additional fraudulent certificates to browser vendors. They issued a fix for those two certificates seven days later.

Mozilla has often worked that fast to fix critical security issues, but in this case didn’t. While they quickly decided to rebuild the Firefox 4 release candidate to include the blacklisted certificates, it still took a full six days before a fix was in the hands of users, in the form of Firefox 4 and later Firefox 3.5.18 and 3.6.16. During this time, all users were theoretically at risk.

Comodo has said that there is no evidence of any of the bad certificates being used in the wild, based on their OCSP responder logs. Of course, OCSP pings can be stopped with a MitM attack, something any state-driven attack – as Comodo claims this is likely to be – could easily do. (Read more on revocation and its shortfalls.)

Mozilla also decided not to disclose this issue publicly until a fix was released. They have since apologized for waiting so long but I think the bigger story is how long it took to get a fix out in the first place. While Google jumped to protect Chrome users, Mozilla waited almost six days before issuing a fix to users.

Attacks like this are often targeted at a specific group of users and this one was likely the same. We will likely never know all the details but there are a few questions and takeaways from this event that we should look at closely and take very seriously.

      1. Revocation clearly doesn’t work right now. At what point will browsers fail on revocation errors?
      2. Mozilla has always held openness and security as two of its main mantras. In this instance, they failed at both, not informing users of a targeted attack immediately and not issuing a security fix for almost six days. Sometimes waiting for everyone else isn’t “responsible disclosure.”
      3. Comodo has never had full control over its RAs – something likely true of many CAs – and is increasingly causing critical security issues for users worldwide. The larger your network of RAs, the larger your threat vector.
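
A small model of the revocation problem raised in the OCSP paragraph and in takeaway 1, added here as an illustration and not taken from the original post or from any browser's code. It compares soft-fail and hard-fail revocation checking with a client-side blacklist when the path to the responder is blocked, and counts what the responder's log would record in each case. The issuer and serial values, the `Responder` class and all function names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder: the page does not list the real issuer or serials.
BAD_CERT = ("Example RA CA", "SERIAL-PLACEHOLDER-1")
REVOKED_AT_CA = {BAD_CERT}   # what the CA's responder would answer "revoked" for
BLOCKLIST = {BAD_CERT}       # what a browser update ships inside the client


@dataclass
class Responder:
    """Toy OCSP responder that logs every query it actually receives."""
    log: list = field(default_factory=list)

    def query(self, cert):
        self.log.append(cert)
        return "revoked" if cert in REVOKED_AT_CA else "good"


def ocsp_status(cert, responder, path_blocked):
    """Return 'good' or 'revoked', or 'unknown' if the request never arrives."""
    if path_blocked:         # dropped in transit: the responder logs nothing
        return "unknown"
    return responder.query(cert)


def accept(cert, responder, *, path_blocked, hard_fail, use_blocklist):
    """Decide whether a client trusts `cert` under the given policy."""
    if use_blocklist and cert in BLOCKLIST:
        return False         # local check, needs no network round trip
    status = ocsp_status(cert, responder, path_blocked)
    if status == "revoked":
        return False
    if status == "unknown":
        return not hard_fail  # soft-fail treats "no answer" as acceptable
    return True


def run_scenarios():
    """Map scenario name -> (certificate accepted?, responder log entries)."""
    scenarios = {
        "soft-fail, open path": dict(path_blocked=False, hard_fail=False, use_blocklist=False),
        "soft-fail, blocked path": dict(path_blocked=True, hard_fail=False, use_blocklist=False),
        "hard-fail, blocked path": dict(path_blocked=True, hard_fail=True, use_blocklist=False),
        "blocklist, blocked path": dict(path_blocked=True, hard_fail=False, use_blocklist=True),
    }
    results = {}
    for name, policy in scenarios.items():
        responder = Responder()
        results[name] = (accept(BAD_CERT, responder, **policy), len(responder.log))
    return results


if __name__ == "__main__":
    for name, (accepted, logged) in run_scenarios().items():
        print(f"{name:24} accepted={accepted!s:5} responder_log_entries={logged}")
```

Only the soft-fail client on a blocked path accepts the revoked certificate, and in that case the responder log stays empty, so an empty log cannot distinguish "never used" from "used where the responder was unreachable".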

I’m actually a bit disappointed at Mozilla’s performance during this event and I hope they take such compromises more seriously in the future. Regardless, there are lessons to be learned at each step of the way by all parties involved.
