Category Archives: Internet

mosquitto connection refused

Hi all, if you’ve just upgraded the mosquitto server on some flavour of Linux and wondered why all the mosquitto subscribers and publishers on your network have just started failing with “connection refused”, you may have fallen foul of this:

Mosquitto 2.0 requires a ‘listener’ line for every port it should serve. Without one it binds only to localhost (127.0.0.1:1883 and [::1]:1883), so nothing else on the network can reach it.

So if all your clients start failing after the upgrade, edit the configuration (/etc/mosquitto/mosquitto.conf, or a file under /etc/mosquitto/conf.d/) and add the following line at the top:

“listener 1883”

Two things to know before you do. First, “listener 1883” on its own binds every interface; append a bind address (for example “listener 1883 192.0.2.10”) if the broker should only face the LAN. Second, once a listener is defined, Mosquitto 2.0 also defaults allow_anonymous to false, so clients must authenticate (password_file and friends) or you must set “allow_anonymous true” explicitly, otherwise they fail with “not authorised” instead of “connection refused”.

See the migration guide for more information: https://mosquitto.org/documentation/migrating-to-2-0/
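A minimal post-2.0 configuration that covers both points, as an added example rather than the original post’s own file or anything shipped by the Mosquitto project; the bind address and the password file path are assumptions:

```conf
# Added example, not from the original post or the Mosquitto project.
# Intended for /etc/mosquitto/conf.d/listener.conf; 192.0.2.10 and the
# password file path are assumptions.

# Mosquitto 2.0 binds only 127.0.0.1:1883 until a listener is declared.
# A bare "listener 1883" binds every interface; the optional second
# argument pins it to one address.
listener 1883 192.0.2.10

# Declaring a listener also flips allow_anonymous to false, so clients need
# credentials (create the file with: mosquitto_passwd -c /etc/mosquitto/passwd USER) ...
password_file /etc/mosquitto/passwd

# ... or, only if the network really is trusted, restore the pre-2.0 behaviour:
# allow_anonymous true
```

After editing, restart the broker and test from another host with mosquitto_sub; a CONNACK of “not authorised” means the listener is fine and it is the credentials that are missing.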

Varnish ncsa logging on a systemd system with X-Forwarded-For

So, you have a Varnish server on a systemd-based distribution, sitting behind a reverse proxy such as nginx that terminates SSL, and you can’t work out how to make varnishncsa log client IP addresses taken from a specified header? Well, it’s a bit of a pain in the neck really. You need to override the systemd service file, which is systemd’s equivalent of an init script. Because it is systemd, this is not just a case of editing the file in place…

For Debian, you can use the service file below: paste it into
/etc/systemd/system/varnishncsa.service
A unit there takes precedence over the packaged one in /lib/systemd/system. (Running “systemctl edit varnishncsa” gives you a drop-in file instead; in a drop-in you must clear the old command with an empty “ExecStart=” line before setting the new one.)

Once done, you need systemd to re-read its unit files, then restart the daemon so it picks up the new command line:
$ systemctl daemon-reload
$ systemctl restart varnishncsa

Congratulations, you now have varnishncsa logs including the visitor’s real IP address, as supplied by nginx. Change the name in “{X-Forwarded-For}” to change the header name; for example, if you want Cloudflare’s view of the client’s IP address, use “CF-Connecting-IP”.

One caveat: whatever ends up in that header was chosen by whoever sent it. nginx’s usual “proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for” appends the address it saw to any X-Forwarded-For the client already supplied, so the logged field can be a comma-separated list whose leading entries are attacker-controlled; the trustworthy value is the rightmost one. And if Varnish is reachable by anything other than nginx, the header can be forged outright, so keep the Varnish port firewalled to the proxy.

[Unit]
Description=Varnish HTTP accelerator log daemon
After=varnish.service

[Service]
RuntimeDirectory=varnishncsa
Type=forking
PIDFile=/run/varnishncsa/varnishncsa.pid
User=varnishlog
Group=varnish
# %% is systemd's escape for a literal %; varnishncsa receives single percent signs.
ExecStart=/usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log -D -P /run/varnishncsa/varnishncsa.pid -F '%%{X-Forwarded-For}i %%l %%u %%t "%%r" %%s %%b "%%{Referer}i" "%%{User-agent}i"'
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
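Because the first field of those log lines is client-influenced, anything that consumes them (fail2ban-style blocking, per-IP rate limits, abuse reports) should pick the address out of the X-Forwarded-For list deliberately rather than taking the leftmost value. The script below does that for the format configured in the unit file above. It is an added example, not code from the original post or from the Varnish project; it assumes nginx appends the address it saw with “proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for”, the TRUSTED_PROXIES ranges are invented, and the sample log lines are constructed, not captured.

```python
"""Extract the trustworthy client address from varnishncsa lines written in
the X-Forwarded-For format used in the unit file above.

Added example; not code from the original post or from the Varnish project.
Assumptions: nginx fronts Varnish and appends the address it saw with
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for", and the only
other proxies we believe are listed in TRUSTED_PROXIES (invented ranges).
The log lines in SAMPLE_LOG are constructed for the example, not captured.
"""
import ipaddress
import re

# Matches: '%{X-Forwarded-For}i %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i'.
# The header field may itself contain "a, b, c" with spaces, so it is matched
# non-greedily and pinned down by the fixed ident/user/[time] fields after it.
LINE_RE = re.compile(
    r'^(?P<xff>.+?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Proxies whose X-Forwarded-For additions we believe (assumed ranges).
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")
]

# Constructed sample: a plain client, a client that prepended a fake internal
# address, a client behind a trusted proxy, and a request with no header.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.1, 203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 12 "-" "curl/8.0"
203.0.113.7, 198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "https://example.org/" "Mozilla/5.0"
- - - [10/Oct/2023:13:55:39 +0000] "GET /health HTTP/1.1" 200 2 "-" "check"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(xff):
    """Walk the X-Forwarded-For list from the right.

    Each trusted proxy appends the address it saw, so everything left of the
    rightmost untrusted entry was supplied by the client and may be forged.
    Returns that entry as a string, or None when the header is absent ("-")
    or a slot a proxy should have filled holds something unparseable.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops or hops == ["-"]:
        return None
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not _is_trusted(addr):
            return str(addr)
    # Every hop was one of our own proxies: the leftmost is the best we have.
    return hops[0]


def client_ips(log_text):
    """Map each log line to its trustworthy client IP (None if unparseable)."""
    result = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        result.append(client_ip(fields["xff"]) if fields else None)
    return result


if __name__ == "__main__":
    for line, ip in zip(SAMPLE_LOG.splitlines(), client_ips(SAMPLE_LOG)):
        print(f"{ip!s:15} <- {line.split(' [')[0]}")
```

The second sample line is the interesting one: the client sent “X-Forwarded-For: 10.0.0.1” hoping to look like an internal host, nginx appended 203.0.113.7, and the right-to-left walk returns the real address. If you log CF-Connecting-IP instead, as the post suggests, there is no list to walk, but the same rule applies: the value is only meaningful if the request really came through Cloudflare.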

 

SetEnvIf https (Tell apache we’re behind a reverse proxy handling SSL)

This is complicated, but I need to remember this, so I want to put it somewhere. You need to add this to the Apache config or an .htaccess file to get Apache to set the HTTPS environment variable correctly when TLS is terminated at the reverse proxy in front of it, so that applications which key off that variable see the request as secure. It trips on the X-Forwarded-Proto request header being ‘https’.

SetEnvIf X-Forwarded-Proto "https" HTTPS=on

Caveat: SetEnvIf trusts whoever sent the header. If the Apache backend is reachable by anything other than the proxy, a client can send “X-Forwarded-Proto: https” itself and be treated as secure, so restrict the backend to the proxy’s address (or bind Apache to an address only the proxy can reach).
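The weak line beside a hardened vhost fragment, as an added example rather than the original post’s own snippet: Apache 2.4 syntax, and 10.0.0.1 is an assumed address for the nginx proxy.

```apache
# Added example, not from the original post. Assumes Apache 2.4 and that the
# TLS-terminating nginx proxy connects from 10.0.0.1 (invented address).

# Weak on its own: any client that can reach this vhost directly can send
# "X-Forwarded-Proto: https" and be treated as though it arrived over TLS.
SetEnvIf X-Forwarded-Proto "https" HTTPS=on

# Hardened: only the proxy may talk to this vhost (mod_authz_core), so the
# header can only ever have been set or passed through by the proxy.
<Location "/">
    Require ip 10.0.0.1
</Location>

# Companion fix for the same trust problem with X-Forwarded-For (mod_remoteip):
# REMOTE_ADDR and %a in the access log become the client address. mod_remoteip
# walks the header from the right and stops at the first address that is not a
# listed proxy, so values the client prepended are ignored.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.1
```

Check it with curl from a host that is not the proxy: a request carrying “X-Forwarded-Proto: https” should get a 403 rather than an HTTPS=on environment.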

Attention span

Ran across this interesting video the other day, thanks to YouTube recommendations. Tl;dr version, internet-addicted humans have (possibly) screwed their attention spans, thanks to unrestricted access to the internet.

I’m not sure. I’m pretty reliant on the internet for my social support structure, and use it to (try to) help others, with what I can.

I’ve not really found that my attention span has seriously been diminished via the internet, though I certainly do find myself checking Twitter more than I probably should. I read an interesting study/article which I can’t find right now that posited that humans are designed to always seek out new information, since it’s valuable to the clan. Found yourself whiling a few hours away on Wikipedia? The same article mentioned Twitter as a source of potentially endless new things, leading to its potentially addictive nature. Whilst looking for it, I did find this more modern article, which discusses why Twitter’s addictive, and how missing empathy feedback loops might be impacting Twitter’s troll problem. An article to think on another day.

Personally, I try to read everything everyone I follow on twitter writes, which means I have to be particularly strict about who I follow. To be honest, there’s plenty of voices on twitter I’d love to read more from, but who just tweet too damn much for me to be able to keep up. I’ll end this ramble with just a few interesting people on twitter;

  • @swiftonsecurity — Computer security, microfiction
  • @jimrossingol — Game development, RTs interesting left-leaning politics
  • @dannilion — Sufferer of a particularly nasty disease leaving Danni bedbound

Price of cow manure in Nova Scotia

fishing cove, nova scotia

So, I didn’t know what to blog about today, so I asked a friend, and he said that. Huh, I thought. That’s actually kinda weirdly interesting. Let’s ask the googles.

Google tells me you can buy 1.5 kilograms of it in a nice plastic bag from Home Hardware for $3.49 (Canadian dollars). Or, I did find, you could get goat manure for free! But you’ve gotta collect it yourself.

A bag of cow shit. Yes, really.

TBH, I didn’t even know where Nova Scotia was, or in which country. I mean, I’d heard the name before, but couldn’t put the name to a place. Canada! Wikipedia tells me Nova Scotia is the second most-densely populated province in Canada with 17.4 inhabitants per square kilometre (45/sq mi).

So there you go. That’s today’s blogpost, a random fact about cow manure in Canada.

Though, it turns out that Nova Scotia is one of the places that suffered an “interesting” past due to British colonial activities, namely the forced relocation of French colonists, costing the lives of thousands, not counting the torn histories of tens of thousands.

Whilst trying to find a good image for this post, I came across the one above, of Peggy’s Cove. Now I wanna actually go there, just because it looks pretty! Probably never going to go, but one can dream!

.. Please, save me from myself. Ask me interesting questions I can answer and blog about; help me keep blogging daily. I’ll try to answer (almost) anything within reason.

I mean, I could tell you about my day, but it was mostly just normal, relatively boring to relate sysadmin stuff. I did have to help a client with a slightly gnarly DNS thing, but that was just knowing how the timeouts work, not sure there’s anything interesting to post about there.

Is gnarly spelt gnarly or knarly? I kinda want it to be spelt knarly, but the spell checker reliably informs me it’s gnarly. Shame. I’m going to stop typing here. Bye!

I’m irate, and I can do nothing. Here follows Swearing.

Re: Syria, refugees, crisis, fuckwits, and general shittiness. Mind-dump. Rant. Swearing. Unfiltered.

Local facebook group currently discussing why Syrians aren’t forming guerrilla bands and trying to take back their country. Especially all fighting-age men. They seem to think that a country with rapidly being-bombed-to-shit infrastructure can even support guerrilla-style civil-war fightback. They think Assad and his goons would welcome civilians arming up and trying to fight for one of the factions. Isn’t that what started this shitstorm in the first bloody place?

I’m looking on, where at last count 12 fucking countries, including my own, are interfering there, bombing various factions they don’t like, providing weapons to those they do, because apparently no-one learned from what happened in Afghanistan? It’s a religious nightmare over there, and there are no good answers, but berating people running from the absolute mess for not “stopping and fighting” is about as much use as telling a fish it must swim in air.

ARGH. These people are idiots! Do they think weapons grow on trees! Do they think civilians, people like me, would be able to trust one of these factions enough to throw in with them? Do they think, under their “Men should stay and fight!!!!!” rule, that the men maybe want to get their family out of danger?

I don’t know any solution. I don’t know how I can help, bar trying to support those fleeing, so they don’t die of starvation or drowning whilst trying to simply survive. I don’t know what I can do. I’m supposed to just say “Oh, no, the people who sound/look/think a little differently from me, they’re bad, they should go away!”? Fuck that.

… I should probably stay off my local facebook group.

Heartbleed, the media, and passwords. I might be annoyed.

This is a rant. It’s a long one. I’ve not proof-read it much, there’ll be mistakes.

Opening

So, unless you’ve been hiding under a rock of late, you’ve heard about Heartbleed. Heartbleed is a bug in OpenSSL, one of the core libraries the open-source world uses to keep secret the things that need keeping secret, like credit card details. This particular bug is important because it can leak information that shouldn’t be leaked, like credit card details. Just click the link above; it gives a really good basic idea of how it works. It mainly affects things protected by SSL.

So, now that everyone knows what it is, why is it important? The information leaked can be anything that the computer (henceforth called the “server”) responsible for keeping the website on the internet has in its memory. That can include requests for websites, file transfers, emails, SSL certificates, SSL private keys, credit card numbers and passwords.

Passwords, memory and maths

Now that last one, that’s the one the media, and certain people, have been shouting about. This bug has a small potential to leak passwords. However, this is not as serious as it sounds. Passwords are only kept in plain text for a short time: normally, as long as it takes to hash them (a one-way transformation) and check the result against the database. So your passwords aren’t sitting out in the open for anyone to steal. Additionally, you have to have entered your password within a second (or two at the latest) of someone using this bug to pull information from the server. As problematic as this bug is, it’s limited: each request lets an attacker read up to 64 kilobytes of the server’s memory. That sounds a lot, until you remember that modern servers have up to 16,777,216 kilobytes (16 GB), or 262,144 blocks of 64 KB. Even servers a few years old (and in server terms that can be really quite old) have 4,194,304 kilobytes (4 GB), or 65,536 blocks of 64 KB. So someone has to have managed to use this bug to grab exactly the right block at the right time to get your password. Also, trust me, we would notice if someone started reading that much information out of our servers constantly; it would be obvious something was wrong. Additionally, not every server is vulnerable to this weakness. Those running IIS, or an older (but still patched) version of the operating systems used to host websites, remain unaffected. It’s something like two-thirds of sites, and crucially, only those two-thirds of servers that are set up for SSL.

So, why all the “RESET ALL YOUR PASSWORDS!” screaming? There is a small chance of grabbing an SSL key. Now, due to the way this bug works, this is more likely than other things to have happened. Why is the key important? It’s the private key behind the certificate, the secret that proves you ‘own’ it. So in theory it can be exposed. Why is this a problem? With the key, you can pretend to be the person for whom it was created: if you got google.com’s key, you could pretend to be google.com. Now, this *still* isn’t that easy to use; you basically have to perform a man-in-the-middle attack, which is hard and complex, and will only get you really limited information, depending on where you can do it.

No, this is not as serious as it sounds

So, why have I been tweeting lots saying you shouldn’t rush out to reset all your passwords? Three reasons. The first: the likelihood of anyone actually getting your password is really, really, really small. Remember, there are (at best) 65,536 places your password could be, and only two seconds to find it before it vanishes, per affected website. Add to that the fact that these bugs are hard to find, and using them to get information is hard. Using them to get useful information is also hard: all the bug comes back with is a load of raw data you have to run through conversion routines to get anything out of. Additionally, due to the way this data is stored, there’s no guarantee it’ll be easy to match your password to your username, which is crucial if you don’t want to have to guess usernames.

My second reason is worry about the effect that telling those who aren’t used to strong password security to reset everything will have. You’re going to be telling people to dump every single one of their current passwords and start again. It’s already really bad: the top two passwords of last year were “123456” and “password”. So, though I have no studies on this, I would bet, with hard cash, that frightening those not using good passwords into resetting them will weaken passwords as a whole. I suspect that we’ll find a lot more weak passwords, and a lot more passwords shared amongst websites, in the next few batches of password leaks.

Finally, my third reason: evidence. We’ve had no evidence of large-scale, source-less password leaks recently. Hackers, especially some of the nicer ones, have a habit of dumping their finds publicly, and a large-scale capture of passwords would show up in activity around the internet. Additionally, passwords aren’t the only thing Heartbleed can expose. It can expose credit card numbers. And the credit card companies do not like sites to which a hack is traced back. In fact, they have a habit of forcing said companies through a rigorous, lengthy and painful auditing process to find out exactly *how* the data leaked. The security community would have heard of such audits turning up nothing, or of credit card data vanishing in any significant quantity; or the audits themselves would have thrown up the bug.

Media

So, this password thing. It’s being pushed by the media, and by the guys who created the ‘heartbleed’ website, as a much bigger issue than it really is. Now that the bug is out in the open, script kiddies will start using the heartbleed website, as will advanced state agencies. I’ve heard some rumours of people seeing internet-wide scans originating from state agencies shortly after the bug was announced. So it’s important that it’s patched quickly; it’s a big problem for the tech community, but with the low chance of password exposure it’s not that important for users. So, why are the media saying “CHANGE ALL YOUR PASSWORDS”? Two reasons mainly. First, that’s a far better headline than “There was a bug. We’ve fixed it.” Second, that’s the response we, the hosting and security community, have ingrained as ‘the’ response to any sort of compromise. Yahoo got hacked? Change your passwords. last.fm got hacked? Change your passwords. So, when they hear about this bug, which they do not understand, they fall back on the thing they know, and since this bug affects ~60-70% of SSL-protected servers, they think “ALL” instead of just a limited set.

Responsible Disclosure – how not to do it

In my opinion, the Heartbleed release is a perfect example of how NOT to do responsible disclosure, no matter what certain lucky parties claim. First, create a website with inflammatory content. Then, get those who have insider access to patch. But crucially, don’t inform the operating system vendors before you make it public. Don’t let the security teams of Ubuntu, Debian, Red Hat or SUSE know. You know, just the people who actually have to *create* and *deploy* the patch to the millions of affected servers. Don’t let big publishers or sites know (Yahoo, BBC, Facebook). Instead, publish your site and wait for the shitstorm to hit, as the media companies take this up, shout about it, and make customers scared. Now, in a boon, the Debian OpenSSL team got a patch out for this bug 30 minutes after they had a bug report. But they didn’t have a bug report when Heartbleed went public. No, the bug was reported hours later, after the viral-news effect had got around to someone who knew where and how to report a bug in Debian’s bug tracking system.

Other, big bugs

You know, there’s a package that runs a good 22% of the internet. In the past week they published a really critical bug, one that allows remote authenticated access to their sites. This package? WordPress. The bug will allow an attacker to gain administrative-level access to any WordPress site. In actual damage terms, this bug will cause me far, far, far more grief, and likely our customers too, than Heartbleed ever will. Heartbleed was patched out of our network in the space of a few hours, with some minor services taking maybe a day or so. If we’re not running a vulnerable version of WordPress on our network this time next year, I’ll eat my hat. If some clever black hat hasn’t written an automatic compromise bot to exploit this within the next few months, I’d be very surprised.

Another package that had a critical security patch in the past week? Just an add-on to WordPress that a good proportion of WordPress sites also use: Jetpack. They found that they had another remote-access, post-publishing and privilege-escalation bug in their code. Again, this single bug will cause us far more trouble in the long term, simply because people won’t upgrade.

Other, easier ways of losing your password

Every now and then, someone’s website gets hacked and crap gets uploaded. We trace it back to their computer, using their login details. What happened? Though we’ve never been able to say with 100% certainty, they were probably infected with a keylogging virus that saw them typing in their (S)FTP login details and automatically used said details to deface their site. That has become less common in the last year, but it was almost a weekly occurrence only last year. How did the keylogger get installed? Simple: our customers either didn’t have anti-virus, weren’t maintaining it, or actively ignored its alerts. They click on links in emails they’re not expecting, open files in emails they’re not expecting, and get infected. Just this week, something has been quite determined to infect me, sending me ‘delivery notes’ and asking me to ‘print a zip file’. The ‘zip’ file was a Microsoft Excel .xls file, and likely not really an .xls file but something quite nasty.

Internet cafes. Ever used one to pick up your email? There’s a good chance that someone knows your email account password: those computers often have keyloggers installed, or someone on the same network watching or intercepting the traffic. Use that same password on PayPal? Oh well, say goodbye to your money. Ever used a public wifi connection, one of those unencrypted ones, on your iPhone? Does your iPhone log into your email accounts without encryption? Say goodbye to your username and password.

In closing

Is Heartbleed serious? For webhosts, yes. For users, in the brief period after heartbleed.com went live until our servers were patched? Yes. Now? Not really. It could have been a lot better, and it could have been a lot worse. Hopefully this will give the OpenSSL guys more resources to stop any future bug like this slipping through the net. Do you need to reset your passwords? Only if you connected to a vulnerable https:// site in the brief period that the bug was around. Better would be to just watch your bank statements, something you should be doing anyway. Use two-factor authentication if you can. Use a password manager; my favourite is KeePass, with its database stored on Dropbox and a key file stored elsewhere. Use separate passwords for every site, and don’t try to remember them; just auto-generate them using KeePass’s password generator.

[UPDATED] Useful Firefox addons

2009 vs 2013 Useful Firefox [Browser] Addons

Originally I wasn’t really into add-ons, then I got into trying loads of them, and eventually I whittled it back to a few firm favourites/favorites for the Americans.
[I was going to delete the ‘fav’ bit, but then I noticed that my Firefox dictionary is still set to US because of it (which is what happened back in 2009 too, haha)]

Ubiquity (beta addon for Firefox): run commands, send email, add a calendar event, update Twitter.
I have not tried this yet. Read about it here:
http://www.ghacks.net/2008/08/26/mozilla-labs-ubiquity-is-a-firefox-killer-application/
or at Mozilla Labs: http://labs.mozilla.com/2008/08/introducing-ubiquity/
[2014: Ubiquity has died, but you can still install the addon (download using the Bitbucket link)]: https://addons.mozilla.org/en-US/firefox/addon/mozilla-labs-ubiquity/

Favourites/remember this website

  • Tag Sifter
  • Taboo: one-click “remember this”, with a timeline
  • Readitlaterlist.com, now Getpocket.com: my current fav [2014: still using it today]
  • Foxmarks

Tabs

  • Duplicate Tab
  • Tab Kit [Plus]: organizer of tabs [2014: I haven’t used this in a while]
  • [New for 2013: Firefox: TooManyTabs https://addons.mozilla.org/en-US/firefox/addon/toomanytabs-saves-your-memory] Testing this one right now!
  • [2014: Tab Manager] Awesome, enables tabs of tabs (another tab bar above, so you can group tabs into projects, subjects etc.). However, it is not available for the latest Firefox, and the other versions are buggy/not working. 🙁
  • [New for 2014: Chrome: OneTab http://www.one-tab.com/] There really is one tab to rule them all! Fold all open tabs down to one and free all that memory. Edit what’s ‘open’, leave it just as a single tab, or reopen (one by one or all). I NEED to test this one when I switch back to Chrome!
  • Session Manager: protector and saver of tabs! [2014: integrated session managers are pretty comprehensive now!]

Download Them All

[2014: Still very useful the last time I used it, a few years ago, but internet speeds have increased monumentally since 2009, so much so that download managers are no longer needed for that. It’s still a brilliant tool for downloading all the images from a page, for example.]