Feb 12 2014

checking client-side ssl/tls

At the tail end of last year I mentioned a couple of tools I had used in my testing of the SSL/TLS certificates used for trivia itself and for my mail server. However, that post concentrated on the server side certificates and ignored the security, or otherwise, offered by the browser’s configuration. It is important to know the client side capability because, without support there for the more secure ciphers, it is pointless for the server to offer them in the handshake: the client and server will simply negotiate downwards until both sides agree on a capability, and that capability may be sub-optimal.

A recent post to the Tor stackexchange site posed a question about the client side security offered by the TorBrowser Bundle v. 3.5 (which uses Firefox). The questioner had used the “howsmyssl” site to check the cipher suites which would be used by Firefox in a TLS/SSL exchange and been disturbed to discover that it reportedly offered an insecure cipher (SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA). Sam Whited responded with a pointer to his blog post about improving FF’s use of TLS.

From that post, it appears that TLS 1.1 and 1.2 were off by default in FF versions prior to 27. Hence they would have been off in the TorBrowser Bundle as well.
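A checker like howsmyssl works by reading the ClientHello the browser sends and listing what it offers. Here is an added example, not code from the original post or from howsmyssl, of the same check in Python: a minimal ClientHello parser and an assessment that flags a highest offered version below TLS 1.2 and any 3DES/RC4-class suite. The ClientHello messages are constructed locally by build_client_hello() (one shaped like an older Firefox offering TLS 1.0 with SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, one modern); the suite and version tables are a small subset of the IANA registry.

```python
"""Parse a TLS ClientHello and report what the client offers.

Added example (not code from the original post or from howsmyssl).  The
ClientHello bytes are constructed by build_client_hello(), so it runs
offline; a real checker would read them off the wire.
"""
import os
import struct

TLS_VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}

# Small subset of IANA cipher-suite codes, enough for the demonstration.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xFEFF: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",  # the suite flagged in the post
}
WEAK_MARKERS = ("3DES", "RC4", "_NULL_", "EXPORT", "_anon_", "_DES_")
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(client_version, suites, supported_versions=None):
    """Construct a ClientHello record (constructed test input only)."""
    body = struct.pack("!H", client_version) + os.urandom(32) + b"\x00"  # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    extensions = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    if extensions:  # older clients omit the extensions block entirely
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Return the versions and cipher suites a ClientHello offers."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    end = 4 + int.from_bytes(hs[1:4], "big")
    if len(hs) < end:
        raise ValueError("truncated ClientHello")
    pos = 4
    client_version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                      # skip the 32-byte client random
    pos += 1 + hs[pos]                 # skip session id
    suites_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + hs[pos]                 # skip compression methods
    supported_versions = None
    if pos < end:                      # extensions are optional in old ClientHellos
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        ext_end = pos + ext_len
        while pos + 4 <= ext_end:
            ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext_body = hs[pos:pos + length]
            pos += length
            if ext_type == EXT_SUPPORTED_VERSIONS:
                supported_versions = [struct.unpack("!H", ext_body[i:i + 2])[0]
                                      for i in range(1, 1 + ext_body[0], 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "supported_versions": supported_versions}


def assess_client_hello(data):
    """Return a list of findings; empty when nothing weak is offered."""
    hello = parse_client_hello(data)
    findings = []
    # Without a supported_versions extension the client_version field is the ceiling.
    best = max(hello["supported_versions"] or [hello["client_version"]])
    if best < 0x0303:
        findings.append("highest offered protocol is %s; TLS 1.2 not offered"
                        % TLS_VERSION_NAMES.get(best, hex(best)))
    for code in hello["cipher_suites"]:
        name = SUITE_NAMES.get(code, "unknown suite 0x%04x" % code)
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append("weak cipher suite offered: " + name)
    return findings


if __name__ == "__main__":
    old = build_client_hello(0x0301, [0xC013, 0x002F, 0x000A, 0xFEFF])
    new = build_client_hello(0x0303, [0xC02B, 0xC02F, 0x009C], [0x0304, 0x0303])
    for label, hello in (("old-style client", old), ("modern client", new)):
        print(label, assess_client_hello(hello) or ["nothing weak offered"])
```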

Permanent link to this article: http://baldric.net/2014/02/12/checking-client-side-ssltls/

Feb 12 2014

policy update

An exchange of emails with Mark over at bsdbox.co a day or so ago made me realise that my privacy policy needed updating. Not, I hasten to add, for any fundamental reason, but simply because a couple of the references in that policy were out of date. I have therefore amended it and version 0.2.0 is now in place. As promised in the policy, this post draws attention to the changes.

The amendments I have made are as follows:

I have amended my reference to geo-locating IP addresses because I stopped using the off-site “clustrmaps” tool some time ago. I now point out that I collect aggregate IP address geo-location data incidentally through my use of Counterize. However, as I note in the policy, I may drop Counterize shortly because it is becoming a drain on the site. Unlike static web log analysis tools, Counterize runs a script in real time to update its database. That database is now getting too large for my liking and some of the (automatic) queries it runs are not well optimised. I haven’t spent long investigating this, largely because my MySQL DB skills are woefully inadequate, but it looks to me as if some of the fields are not properly indexed to allow fast queries.

As an aside, readers may care to note that Counterize reports that I get between 30,000 and 40,000 hits on trivia each month and the top visiting countries are: the US at 57.8%, China at 13.6%, the EU at 6.8% and the Russian Federation at 4.5%. The dear old UK is eighth at 2.4% just ahead of Canada and the Ukraine. Those stats might look odd until you realise that I have allowed Counterize to include known webcrawlers. The biggest of these of course are based in the US, but Baidu in China is not far behind in its activity.

I have changed my references to the captcha and contact forms I use on trivia because I have stopped using Mike Challis’s plugins. I did this because Mike seems to like to update his plugins every other week or so and, much as that is to be applauded if there are real gains to be made, I found the maintenance overhead to be too high for what I was getting. Stability is good too.

Incidentally, for anyone interested in FreeBSD, particularly in its use on a server running Tor or a website, it is well worth paying a visit to Mark’s blog. He writes well and it is always worth looking at alternatives to Linux.

Permanent link to this article: http://baldric.net/2014/02/12/policy-update/

Feb 11 2014

privacy matters

The Open Rights Group here in the UK has been campaigning against mass, unwarranted surveillance by GCHQ since the Snowden revelations first emerged in summer of last year. Two of its current campaigns are: “don’t spy on us” and “the day we fight back“.

I have signed both of them.

I have also written to my MP in the following terms:

I have today signed the on-line petition for the “don’t spy on us” campaign. That campaign calls for an inquiry into the mass, unwarranted, surveillance of the UK population by GCHQ.

I call upon you, as my elected representative, to support my rights under Article 8 and 10 of the European Convention on Human Rights to a private life with full, unfettered freedom of expression.

I ask that you support the campaign both on-line, and in Parliament. Parliament has been completely ineffective in its oversight of GCHQ. That must end. You, along with all other Parliamentarians must do a much better job of holding them to account.

Yours sincerely

Mick Morgan

I’ll let you know what he says (though I can guess the reply. In fact I could probably write it myself.)

Permanent link to this article: http://baldric.net/2014/02/11/privacy-matters/

Feb 08 2014

compare and contrast

Foreign Secretary William Hague is apparently concerned about press restrictions in Egypt. He has reportedly urged the interim Egyptian government to demonstrate commitment to free expression.

The press release on the gov.uk website says:

Speaking today about increasing restrictions placed upon journalists and the media in Egypt, Foreign Secretary William Hague said:

  • “I am very concerned by restrictions on freedom of the press in Egypt, including reports of the recent charging of Al Jazeera journalists, two of whom are British, Sue Turton and Dominic Kane.
  • “We have raised our concerns about these cases and freedom of expression at a senior level with the Egyptian government in recent days. I will discuss these concerns with other European Foreign Ministers at the European Foreign Affairs Council on Monday, and we will continue to monitor the situation of the journalists very closely, and raise them with the Egyptian authorities.
  • “The UK believes a free and robust press is the bedrock of democracy. I urge the Egyptian interim government to demonstrate its commitment to an inclusive political process which allows for full freedom of expression and for journalists to operate without the fear of persecution.”

So, the UK Government believes that a “free and robust press is the bedrock of democracy”.

I agree.

Last weekend’s Guardian newspaper reported on the visits they had from and the conversations they had with Cabinet Secretary, Sir Jeremy Heywood and colleagues back in June and July of last year when the Snowden revelations were just starting to cause some ripples.

That article says:

In two tense meetings last June and July the cabinet secretary, Jeremy Heywood, explicitly warned the Guardian’s editor, Alan Rusbridger, to return the Snowden documents.

Heywood, sent personally by David Cameron, told the editor to stop publishing articles based on leaked material from America’s National Security Agency and GCHQ. At one point Heywood said: “We can do this nicely or we can go to law”. He added: “A lot of people in government think you should be closed down.”

It goes on:

Days later Oliver Robbins, the prime minister’s deputy national security adviser, renewed the threat of legal action. “If you won’t return it [the Snowden material] we will have to talk to ‘other people’ this evening.” Asked if Downing Street really intended to close down the Guardian if it did not comply, Robbins confirmed: “I’m saying this.”

Perhaps Hague should have a word with Cameron. They really need to be more consistent. If freedom of expression is vital in Egypt, I submit it is equally vital in the UK.

Permanent link to this article: http://baldric.net/2014/02/08/compare-and-contrast/

Jan 22 2014

dis-unity

The “cloud” is achingly trendy at the moment and new companies offering some-bollocks-as-a-service (SBaaS) keep popping up all over the ‘net. Personally I am extremely unlikely to use any of the services I have seen; I just don’t trust that particular business model.

I checked out the website for one of these companies today following an article I read on El Reg. The company’s website says, in answer to its own question, “what can you do with younity?” that you can:

Spontaneously access any file, from any device, without planning ahead.

Browse all your devices at once.

It further says:

share any file.
ANY FILE STORED ON ANY COMPUTER WITHOUT PLANNING AHEAD, VIA YOUNITY OR PRIVATELY TO FACEBOOK.

(I love that “privately to facebook” bit.)

However, further down it says “Step 1, download younity for Windows or Mac, Step 2, install on iOS”. So, the “any file stored on any computer” claim is just not true if, like me, you have a mixture of Linux machines, an Android tablet and a CyanogenMod ‘phone. I’m pretty sure that claim must breach some advertising standard and I’d complain if I cared about using the product. Fortunately I don’t.

Another “cloud” company making some interesting claims is Backblaze, the company whose blog commentary on consumer grade disks I referenced below. They supposedly offer a service with “unlimited storage”, which “automatically finds files” on your computer and then stores them in the Backblaze cloud with “military-grade encryption”. The website says that “everything except OS files” is backed up, so the system must have the freedom (and permissions) to ferret about on your local disk and then pass the files it finds out to Backblaze’s pods. Forgive me if I don’t like that idea.

The section about encryption is intriguing because it claims:

When you use Backblaze, data encryption is built in. Files scheduled for backup are encrypted on your machine. These encrypted files are then transferred over a secure SSL (https) connection to a Backblaze datacenter where they are stored encrypted on disk. We use a combination of proven industry standard public/private and symmetric encryption methods to accomplish this task. To a Backblaze customer all of this is invisible and automatic. For example, when you create your Backblaze account, we automatically generate your private key that is used to uniquely protect your data throughout our system.

They go on to say:

Upon arriving at a Backblaze datacenter, your data is assigned to one or more Storage Pods where it is stored encrypted. Access to your data is secured by your Backblaze account login information (your email address and password). When you provide these credentials, your private key is used to decrypt your data. At this point you can view your file/folder list and request a restore as desired.

A blog posting by Backblaze’s Tim Nufire gives some detail about how the company encrypts your data. On the face of it, the use of a 2048-bit RSA public/private key pair in conjunction with ephemeral 128-bit AES symmetric keys (to actually encrypt the data) looks impressive – particularly when the company claims that the private key can be further protected by encryption with a user provided passphrase. But given that the company is US based, that claim bothers me. I am particularly sceptical about any claims that the company is unable to decrypt private data because /they/ generate the public/private key pair and they admit (in the blog post) that they store the private key on their servers. Sorry, but if my data is private enough for me to wish to protect it with strong encryption, then I want to use keys I have generated myself, on a system which I control.

Backblaze’s description of the file restoration process does not give me any warm feeling either. Here is what they say:

When you request a data restore, we do what is known as a cloud restore. This simplifies the data restoration process. For example, let’s assume your hard drive crashes and you get a new hard drive or even a new computer. To restore your data you first log in to Backblaze using a web browser by providing your Backblaze account information (email address and password). Once you have logged in to the Backblaze secure web interface you can request a restore of your data. You do not have to install Backblaze to get your data back. To make this work, we decrypt your data on our secure restore servers and we then zip it and send it over an encrypted SSL connection to your computer. Once it arrives on your computer, you can unzip it and you have your data back.

So if I want my data back, they get a clear text copy of it all before sending it to me. Worse, they even offer to send it to me through the post on a USB disk.

I don’t call that a private recovery system.

Permanent link to this article: http://baldric.net/2014/01/22/dis-unity-2/

Jan 21 2014

backblaze back seagate

In October last year I noted that the Western Digital “Green” drives in my desktop and a new RAID server build looked to be in imminent danger of early failure. That conclusion was based on a worryingly high load-cycle count which a series of posts around the net all attributed to the aggressive head parking features of these drives in order to save energy when not in use. I decided at the time to replace the desktop disk and recycle it to the RAID server. I have since decided to replace the entire RAID array as soon as I can. But which disks to use?

Well, Backblaze, a company which offers “unlimited” on-line backup storage for Mac and Windows users, has just published a rather useful set of statistics on the disks that they use in their storage arrays. The most interesting point is that they use the same domestic grade disks as would be used by you or me rather than the commercial grade ones used in high end RAID systems.

According to the backblaze blog post, at the end of 2013 they had 27,134 consumer-grade drives spinning in their “Storage Pods”. Those disks were mostly Seagate and Hitachi drives, with a (much) lower number of Western Digital also in use. Backblaze said:

Why do we have the drives we have? Basically, we buy the least expensive drives that will work. When a new drive comes on the market that looks like it would work, and the price is good, we test a pod full and see how they perform. The new drives go through initial setup tests, a stress test, and then a couple weeks in production. (A couple of weeks is enough to fill the pod with data.) If things still look good, that drive goes on the buy list. When the price is right, we buy it.

They also noted:

The drives that just don’t work in our environment are Western Digital Green 3TB drives and Seagate LP (low power) 2TB drives. Both of these drives start accumulating errors as soon as they are put into production. We think this is related to vibration. The drives do somewhat better in the new low-vibration Backblaze Storage Pod, but still not well enough.

These drives are designed to be energy-efficient, and spin down aggressively when not in use. In the Backblaze environment, they spin down frequently, and then spin right back up. We think that this causes a lot of wear on the drive.

Apart from the vibration point, I’d say that conclusion was spot-on given the reporting I have seen elsewhere. And the sheer number of drives they have in use gives a good solid statistical base upon which to draw when making future purchasing decisions. Backblaze note that the most reliable drives appear to be those made by Hitachi (they get “four nines” of untroubled operation time, while the other brands just get “two nines”) but they also note that the Hitachi drive business was bought by Western Digital around 18 months ago – and WD disks do not seem to perform anywhere near as well as the others in use.

The post concludes:

We are focusing on 4TB drives for new pods. For these, our current favorite is the Seagate Desktop HDD.15 (ST4000DM000). We’ll have to keep an eye on them, though. Historically, Seagate drives have performed well at first, and then had higher failure rates later.

Our other favorite is the Western Digital 3TB Red (WD30EFRX).

We still have to buy smaller drives as replacements for older pods where drives fail. The drives we absolutely won’t buy are Western Digital 3TB Green drives and Seagate 2TB LP drives.

So I guess I’ll be buying more Seagates in future – and I was right to dump the WD caviar green when I did.

(As an aside, I’m not convinced the Backblaze backup model is a good idea, but that is not the point here).

Permanent link to this article: http://baldric.net/2014/01/21/backblaze-back-seagate/

Jan 20 2014

thrust update

I have just run a search for further evidence of the possible compromise at thrustvps and found threads on webhostingtalk, vpsboard, freevps.us and habboxforum amongst others. All of those comments are from people (many, like me, ex-customers) who have received emails like the one I referred to below.

So, I guess thrust /do/ have a real problem.

Permanent link to this article: http://baldric.net/2014/01/20/thrust-update/

Jan 19 2014

rage against the machine

I know it is futile to rant about banks. I know also that I should not really expect anything other than crap service from an industry that treats its customers as useful idiots. But yesterday I met with such appalling and unforgivable stupidity and intransigence that I feel the need to rant here. I have left a period of 24 hours between the experience and the rant simply to allow myself time to reflect, shout at the cats and explain my frustration to my wife in the (vain) belief that it might actually be me at fault rather than the banks (I am, at heart, an eternal optimist).

Here is what happened.

Recently I was reviewing my meagre savings because the laughably small interest rate on one of my ISAs had been reduced following the ending of a “bonus period”. Great scam this. Offer a rate say 0.5% higher than that offered by competitors but limit it to a fixed period. Thereafter, drop the rate to (say) 1.0% below your competitors’ offerings. Better still, lock your customer into the agreement for a period (say) two years longer than the initial “high rate” period. We all fall for this, yet in my view it should be outlawed because it takes advantage of those least able to care for themselves – i.e. people who do not actively manage their savings. Such people are often elderly, or infirm, and perhaps confused by the finance sector (who isn’t?). Some people are taken in simply because they naively believe that, as long term, loyal, customers they will be treated as such by their bank.

Following my latest review I noted that one of my ISA accounts (I have several, largely as a result of the aforementioned bank policy of varying introductory rates) was paying 3.0% when the one with the now lapsed introductory rate was paying only 2.0% (now to be reduced even further to 1.5% from 1 February this year). On the face of it would seem to be a no-brainer to move the funds in the lower paying account to the one paying the higher rate. But ISA investment is complicated by the need to make 2-3 year decisions now based on current rates when rates may rise later this year and by the fact that you are limited to a fixed maximum investment sum in any one financial year and in any one ISA. Decisions are further complicated by the policy of some banks to refuse transfers in from other (previous year) ISAs and the fact that some ISAs do not allow any withdrawals or indeed transfers out. Little wonder that “inertia” means that they get to keep your money at rates as low as a derisory 0.1% per annum. I kid you not. My wife was getting this from Barclays up until last year when I found out and stood over her whilst she completed the forms to move her cash. My wife is in the “loyal customer” camp.

So, do I move funds now in order to gain 1.0% or wait six months (when rates may have moved and we will in any case be in a new F/Y and sparkly new ISAs with fresh introductory carrots will be in place)? Tough call, but the fact the rate differential was set to rise to 1.5% in February, coupled with the fact that the Halifax (let’s name and shame) on-line banking system said that I could transfer in the ISA in question to their ISA paying 3.00% convinced me to start the process.

Big mistake.

On starting the transfer I checked, and double checked, that the account I was transferring into was the one offering the 3.0% rate. It was. The account number and sort-code matched. On completion of the process, the system even gave me a nice “Thank you for transferring into your cash ISA” page to print which summarised the action I was authorising (“from” account detail, “to” account detail, amount of transfer, National Insurance No. etc). A couple of days later I noted that funds had disappeared from the “from” account so I knew the process must have started. I checked several times over the next week to see if the funds had been added to my Halifax account but was not overly worried that they had not been, because the Halifax does explain that the process can take up to 15 days, but that they will credit interest to the account for the full sum transferred from the date of application (the “Halifax ISA promise“). Well, I wasn’t worried until I received a letter from the Halifax saying that they could not complete the process of opening my account until I had provided information to verify my identity. Note that this letter confirmed the account details as being the existing ISA I hold with them. The letter concluded by saying that I should “call into any of our branches to confirm” the identity information requested. It also said that if I had any questions I should call a telephone number provided.

I have several accounts with the Halifax, including a mortgage account, but not a current account. My first mortgage in 1977 was with the Halifax. The Halifax has confirmed my identity often, and indeed fairly recently since the ISA in question was opened only one year ago. My nearest Halifax branch is a round trip of 25 miles away. I was at the time feeling pretty grumpy and in no mood to make an unnecessary 25 mile round trip to go through yet another identity check when I could call them to sort out the issue. (I should add as background here that I suffer from both arthritis and a form of inflammatory arthritis commonly known as gout. At the time I received the letter I was suffering from a gout attack. The normal treatment for pain relief in gout is NSAIDs such as aspirin, ibuprofen or diclofenac. I can’t take any of those pain killers because I am allergic to the damned things. The main drug prescribed for relief of gout inflammation is called colchicine. Colchicine has an interesting set of side effects (look them up). Now figure out why I was grumpy and disinclined to make an unnecessary 25 mile round trip.)

I called the 0845 number only to be greeted by the monumental stupidity of one of those automated systems which requires entry of a specific type of number before it will take you any further. Such systems seem to have been designed specifically to wind you up to the stage that you give up and go away. Mistakes numbers 1 and 2 here are 1, refer customers to such a number on a letter which says “call here if you wish to discuss any questions arising from this letter” and 2, assume that all callers to this number will have current accounts and thus possess the magic number required to use the system successfully. Eventually, however, through persistence, I got to a human being. The human being in question appeared to be a nice helpful young man in a call centre. Unfortunately after listening to my explanation as to why I was calling, the NHYM in question said he was “not trained to answer” my particular question. I know that such calls are recorded, but I found the precise wording he used rather odd, obviously part of a script he was forced to follow in certain cases. I guess that there are certain key phrases which must be used in all transactions for regulatory reasons. As an aside, I find it sad that even in the situation where you do eventually get to speak to a human being after going through a brain dead automated process, that human being is then forced to act and speak like an automaton.

NHYM number one then passed me back to the automated system whilst reassuring me that he was actually passing me to a colleague who would be able to respond to my particular problem. Whilst I was on hold, the automated system asked me if I was aware that I could get nearly all my questions answered by going on-line to the Halifax web site. Mistake number 3 lies in assuming that anyone who prefers to talk to a human being on a telephone is remotely interested in (or maybe even capable of) using a web service. Those people who have got to the telephone are either web users who have found that the site does /not/ meet their requirements or they are people who actively prefer not to use a website. Referring either group to the web is thus both counter productive and irritating.

Having been on hold for a short period and having ignored all requests to press button “X” or “Y” I was again eventually connected to a (different) NHYM in a call centre. I then again explained my situation: viz. I had received a letter asking me to schlepp up to my nearest Halifax in order to provide documentary proof that I was the same bloke who had opened a particular ISA one year ago. I pointed out that the Halifax knew who I was from previous encounters (I listed various accounts in evidence) and that it should be relatively easy to confirm this on the telephone – hence my call. NHYM number two then took me through various “security questions” which will be familiar to anyone who has a UK bank account (give full name, confirm first line of address and post code, give balance of account in question, give National Insurance Number (it is an ISA), state date of birth). Having done all this, NHYM number two then thanked me and said that he would arrange for me to receive an identifying number which I could use in future telephone banking interactions which would prevent me having to go through this rigmarole all over again. However, he said, I would still have to go into my nearest Halifax branch to prove my identity because this is a “legal requirement” and part of “our know your customer programme”.

I confess that by this time my patience was stretched a little thin and I may have been somewhat abrupt with the NHYM in expressing both my incredulity that this should still be necessary and my intense irritation that the Halifax should assume it OK to insist on my travelling to them when I have already been through the necessary hoops more than once. I pointed out that I had just gone through the process of proving I was who I said I was to his satisfaction in order to meet their security requirements. I also pointed out that for all he knew, I could be a disabled old man incapable of leaving his home without assistance (not actually true, but not so far from the truth) and that it was therefore a little unreasonable to expect me to do so. NHYM sympathised, said that he would pass on my complaint, but felt obliged to point out that any formal complaint would not be upheld because Halifax was merely obeying its legal obligations to identify its customers and the source of their funds. (I know for a fact that this is utter bollocks and that banks choose how they should meet their obligations under money laundering regulations, but I did not feel that this would be a fruitful line to take with the NHYM so I limited myself to forcefully asking him to lodge my complaint). Before concluding our conversation, I apologised to the NHYM for venting my frustration upon him and told him that I realised that he was following instructions in a difficult job and that he was in no way to feel himself at fault for the failings of his employer and its systems.

I then made the trip to my nearest Halifax. Before going however, I decided that I should take the opportunity of the visit to close an old branch book based savings account I hold as trustee for one of my grandsons and transfer the balance to a newer account I hold elsewhere which offers a much better rate (they play the same “bonus interest rate” trick on poor defenceless children.)

On arrival I was greeted by a NHYL who listened to my story and then told me that what I had described could not possibly have happened because I was not allowed to transfer in new funds to an existing fixed rate ISA account. What I must have done (according to her) was to open a new ISA and request transfer of funds into that. I showed her the documentary evidence refuting this statement and also pointed out that the money had obviously been requested by the Halifax because it had left my other account about a week ago. NHYL again said that this was not possible because the Halifax would not request the funds until the account had been set up. The fact that the letter I held in my hand said that the account could not be opened until they had verified my identity proved that the account had not yet been set up. I pointed to the account number and pointed out that this number was my existing ISA account which was already open, so perhaps the Halifax had requested the funds in order to place them in my existing account. Again, NHYL said this was impossible. I then asked where my money was because it clearly was not in my other account and the Halifax appeared not to have it. She proved unable to answer this and suggested that I check with my other bankers as to what they had done with the money. So I trotted (slowly) up the road to the other bank and spoke to yet another NHYL (though this one actually /was/ helpful). Apparently, despite the Halifax NHYL’s protestations to the contrary, the Halifax had requested transfer of my ISA funds almost immediately. My bankers had simply responded as they were expected to do and passed the money on. On hearing my full story, and learning that I did not now wish to pass my funds to the Halifax (old account or not) NHYL number two spoke to her colleagues in the bank’s ISA section and confirmed that once the funds were returned to them (as they would have to be if the account opening process was not completed) my old ISA would be re-instated.

I thanked the helpful lady and made my way back to the Halifax where I updated the Halifax version of the NHYL on the position. Whilst there I also asked how I should go about closing my grandson’s account. I was directed to the counter. At the counter I entered what appeared to be yet another banking bubble divorced from reality. My request to close the account and let me have a cheque made out in my grandson’s name was greeted with the response that it would not be possible to provide a cheque for a sum less than £500.00. I was offered cash. I said that I would prefer not to take cash because (bizarre as it may sound) I knew that the bank holding my grandson’s account did not accept cash, dealing only in cheques. (Sometimes I despair). I then asked if the cashier could just transfer the balance of the account to my grandson’s other account and then close the old account. Reader, you will not be surprised to learn that this proved impossible.

I took the cash and left.

As I said at the start of this rant, I really should know better. Despite all the (supposed) huge investment in technology in our banking systems, systems which we rely upon in ways which are deeply fundamental to our society, those systems consistently fail to meet quite simple needs. Frankly, this terrifies me.

Note carefully that all of the problems relating to my ISA transfer described above could have been prevented very simply. All that was necessary was a check in the on-line system which should have popped up a warning when I attempted to transfer funds saying “Sorry, you cannot transfer funds into this account. Do you wish to open a new ISA?”

To which my answer would have been: “No”.

*** Update dated 13 February 2014

Following this post and my discussion with the NHYM in the call centre I had three ‘phone calls and a few exchanges of email with Halifax Customer Relations Department. In the interests of balance and fairness to Halifax I should report:

  • They tried hard to understand my problem, why I was complaining and what I expected them to do as a result.
  • Having fully grasped the nature of my complaint, they promised to take on board the issue of the failure of their on-line systems to properly check my account details and attempt to fix that for the future.
  • They offered financial compensation for my expenses in travelling to a Halifax branch, loss of interest on the ISA account whilst my money was between banks, and a goodwill payment for “upset and frustration caused”.

I am grateful to them for taking the issue seriously.

Permanent link to this article: http://baldric.net/2014/01/19/rage-against-the-machine/

Jan 18 2014

thrustvps compromised?

I have not used thrust since my last contract expired. I left them because of their appalling actions at around this time last year. However, today I received the following email from them:

From: Admin
To: xxx@yyy
Subject: Damn::VPS aka Thrust::VPS
Date: Sat, 18 Jan 2014 03:28:06 +0000

This is a notification to let you know that we need to verify for reduce fraud.

We want your data as soon as possible.

The data that we need is as follows:

Server Username (Included)
Server Password (Included)
Full Name (Included)
Address (Included)
City(Included)
State (Included)
ZIP (Included)
Phone Number (For Call To Verify)
Country (Included)
Paypal Email (If Order With Paypal)
Paypal Password (If Order With Paypal)
Credit Card Information (If Order With Credit Card)
Scan Of Credit Card Front And Back (If Order With Credit Card)

Data is sent to Email : thrustvps@yahoo.com

Thanks in advance for your patience and support.

http://damnvps.com – Damn::VPS – We give a damn

Now, apart from the fairly obvious phishing nature of this email (you want me to scan my credit card front and back and send you a picture? Right…), and the request to send the data to an address other than the sender’s (“Data is sent to….”), it actually looks to me as if the email really came from Thrust. Certainly the full headers (including “Return-Path:”, “Reply-To:”, “Received:” and even “Message-Id:”) look remarkably similar to the real ones I have from earlier mails from Thrust. A normal phishing email will usually spoof the “From:” address and use the “Reply-To:” to capture replies at the scammer’s address. The fact that this email instead asks (in grammatically poor English) that you send the data to a yahoo address suggests that the scammers are not that sophisticated.
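The checks described above (does “Reply-To:” or “Return-Path:” point somewhere other than the “From:” domain, does the earliest “Received:” hop belong to the claimed sender, and does the body itself direct you to mail secrets elsewhere) can be scripted. The following is an added example, not code from the original post or from Thrust; the three messages it analyses are constructed for the illustration and every address, host and domain in them is made up:

```python
"""Header and body checks for a suspected phishing email.

Added illustration, not code from the original post. Every address,
host name and domain below is made up for the example.
"""
import re
from email import message_from_string, policy

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Things no legitimate provider asks you to send by email.
SECRET_WORDS = ("password", "credit card", "scan of")


def domain(addr):
    """Lower-cased domain part of an address (helper for this example)."""
    return addr.rsplit("@", 1)[-1].lower()


def analyse(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_addrs = ADDR_RE.findall(str(msg.get("From", "")))
    from_dom = domain(from_addrs[0]) if from_addrs else None

    # 1. The classic spoof: From looks right, Reply-To / envelope sender diverts the answer.
    for hdr in ("Reply-To", "Return-Path"):
        addrs = ADDR_RE.findall(str(msg.get(hdr, "")))
        if addrs and from_dom and domain(addrs[0]) != from_dom:
            findings.append(f"{hdr} ({addrs[0]}) is outside the From domain {from_dom}")

    # 2. The earliest hop is the LAST Received header; it should be the sender's own MTA.
    hops = msg.get_all("Received") or []
    if hops and from_dom:
        m = re.match(r"from\s+(\S+)", str(hops[-1]))
        if m and not m.group(1).lower().endswith(from_dom):
            findings.append(f"first Received hop {m.group(1)} is not in {from_dom}")

    # 3. Less subtle: the body tells you to send the data somewhere else entirely.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for addr in ADDR_RE.findall(body):
        if from_dom and domain(addr) != from_dom:
            findings.append(f"body directs replies to {addr}, outside {from_dom}")

    # 4. The give-away: a request for secrets in clear text.
    asked = [w for w in SECRET_WORDS if w in body.lower()]
    if asked:
        findings.append("body asks for secrets: " + ", ".join(asked))
    return findings


# Constructed sample 1: headers consistent with the sender, body asks for
# secrets to be mailed to a third-party webmail address.
SUSPECT = """\
Return-Path: <admin@hosting.example>
Received: from mail.hosting.example (mail.hosting.example [192.0.2.10])
 by mx.recipient.example with ESMTP; Sat, 18 Jan 2014 03:28:06 +0000
From: Admin <admin@hosting.example>
To: contact@recipient.example
Subject: Verification required
Date: Sat, 18 Jan 2014 03:28:06 +0000
Message-Id: <20140118032806.1234@mail.hosting.example>

We need to verify your account to reduce fraud. Please send:

Server Password (Included)
Paypal Password (If Order With Paypal)
Scan Of Credit Card Front And Back (If Order With Credit Card)

Data is sent to Email : verify-team@webmail.example
"""

# Constructed sample 2: the textbook spoof, spoofed From plus diverted Reply-To.
SPOOFED = """\
From: Admin <admin@hosting.example>
Reply-To: admin-hosting@webmail.example
To: contact@recipient.example
Subject: Verification required

Reply with your password to keep your account active.
"""

# Constructed sample 3: an ordinary notification that should raise nothing.
CLEAN = """\
Return-Path: <billing@hosting.example>
Received: from mail.hosting.example (mail.hosting.example [192.0.2.10])
 by mx.recipient.example with ESMTP; Sat, 18 Jan 2014 09:00:00 +0000
From: Billing <billing@hosting.example>
To: contact@recipient.example
Subject: Invoice available
Date: Sat, 18 Jan 2014 09:00:00 +0000

Your January invoice is now available in the control panel.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("spoofed", SPOOFED), ("clean", CLEAN)):
        print(name, "->", analyse(raw) or "no findings")
```

Note what the first sample shows: its headers are entirely self-consistent, so the header checks pass, and only the body gives it away. Consistent headers prove that the message passed through the sender’s mail system, not that the sender meant to send it.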

I may not have much time for Thrust, but I have even less time for spammers and scammers so I forwarded the email to Thrust with a recommendation that they check it out and let their customers know that there appeared to be a scam going on in their name. I also checked their website to see if they had any alert thereon. The website (as at 15.00 today) appears to be unreachable (and I have tested from the UK, San Francisco, NYC and Amsterdam). With a website down and dodgy mail appearing to come from a legitimate Thrust mailserver address it suggests to me that they may have suffered a compromise. Certainly it looks to me as if their customer email database has been compromised (the address I got the email on was not my normal address, rather it was the one I use for contacts such as this). Whether that means any of their other account details have also been stolen I cannot be sure.

But I am glad that I am no longer a customer.

Permanent link to this article: http://baldric.net/2014/01/18/thrustvps-compromised/

Jan 11 2014

strip exif data

I have a large collection of photographs on my computer. And each Christmas the collection grows ever larger. I use digiKam to manage that collection, but as I have mentioned before, storing family photographs as a collection of jpeg files seems counter intuitive to me. Photographs should be on display, or at least stored in physical albums that family members can browse at will. At a push, even an old shoebox will do.

So when this Christmas I copied the latest batch of images from my camera to my PC, I did a quick count of the files I hold – it came to nearly 5,500. Ok, so many of these are very similar, and this is simply a reflection of the ease (and very marginal cost) of taking photographs today compared with the old 35mm days, but even so, that is a lot of images. Disappointingly few of these ever see the light of day because whilst both my wife and I can happily view them on-line, I don’t print enough of them to make worthwhile albums. Sure, actually /taking/ photographs is cheap these days, but printing them at home on the sort of inkjet printer most people possess is rather expensive. Which is where online print companies such as photopanda, snapfish, photobox or jessops come in.

Most of these companies will provide high quality prints in the most popular 6″ x 4″ size for around 5 pence each – so a batch of 40 Christmas pictures is not going to break the bank. But one nice innovation of the digital era is that you can get your photos pre-printed into hard back albums for very reasonable prices. Better yet, my wife pointed me to a “special offer” (70% off) being run by a site she has used in the past. That was such a bargain that I decided to go back over my entire collection and create a “year book” for each of the eleven years of digital images I currently hold.

However, I don’t much like the idea of posting a large batch of photographs to a site run by a commercial company, even when that company may have a much less cavalier approach to my privacy than does say, facebook. Once the photographs have been posted, they are outside my control and could end up anywhere. And of course I am not just concerned with the actual images, but the metadata that goes with those images. Virtually all images created by modern cameras (or more usually these days, smartphones) contain EXIF data which at the minimum will give date and time information alongside the technical details about the shot (exposure, flash timing etc). In the case of nearly all smartphones, and increasingly with cameras themselves, the image will also contain geo-location details derived from the camera’s GPS receiver. I don’t take many images with my smartphone, and in any case, its GPS system is resolutely turned off, but my camera (a Panasonic TZ40) contains not just a GPS location system but a map display capability. Sometimes too much technology gets crammed into devices which don’t necessarily need it. As digicamhelp points out, many popular photo sharing sites such as Flickr or picasa helpfully allow viewers to examine EXIF data on-line. It is exactly this sort of capability which is so scarily exploited by ilektrojohn’s creepy tool.

So, before posting my deeply personal pictures of my cats to a commercial site I thought I would scrub the EXIF data. This is made easy with Phil Harvey’s excellent exiftool. This tool is platform independent so OSX and Windows users can take advantage of its capabilities – though of course it is much more flexible when used in conjunction with an OS which offers shell scripting.

Exiftool allows you to selectively edit, remove or replace any of the metadata stored in an image. But in my case I simply wanted to remove /all/ of it. This is easy with the “-all=” switch. Thus having chosen (and copied) the images I wanted to post to the commercial site it was a matter of a minute or two to recursively edit those files with find – thus:

find . -type f -iname '*.jpg' -exec exiftool -all= {} \;

One caveat worth knowing: when exiftool edits a file in place it keeps a backup copy alongside it, named with an “_original” suffix, and that copy still contains all the metadata. Either delete those backups before uploading anything, or pass exiftool’s “-overwrite_original” option so that they are never written. It is also worth running exiftool over the stripped files afterwards to confirm that only the file-system and image-structure details remain.
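To see what “removing all the metadata” actually means at the file level, the following added example (not exiftool’s code and not part of the original post) walks the segment structure of a JPEG, reports the metadata-carrying segments (APP1 Exif and XMP, APP2 ICC, APP13 IPTC and COM comments) and writes out a copy without them. The sample JPEG it operates on is constructed by hand for the illustration: it is structurally valid but not a decodable picture. Run it with a real file name as its argument to inspect one of your own images.

```python
"""Find and strip the metadata-carrying segments of a JPEG file.

Added illustration of what "exiftool -all=" does at the byte level; it is
not exiftool's code and not part of the original post. SAMPLE below is a
constructed JPEG: structurally valid, not a real picture.
"""
import sys

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments that carry metadata rather than picture data.
METADATA = {0xE1: "APP1", 0xE2: "APP2 (ICC)", 0xED: "APP13 (IPTC)", 0xFE: "COM"}
EXIF_HDR = b"Exif\x00\x00"
XMP_HDR = b"http://ns.adobe.com/xap/1.0/\x00"


def segments(data):
    """Yield (marker, start, end) for every segment up to and including SOS.

    Everything from SOS to the end of the file is treated as one chunk, because
    the entropy-coded scan data that follows SOS carries no length field.
    """
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        if marker == EOI or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            yield marker, pos, pos + 2          # stand-alone markers have no length
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def label(marker, payload):
    """Name a metadata segment, distinguishing Exif from XMP inside APP1."""
    name = METADATA[marker]
    if marker == 0xE1:
        name += " Exif" if payload.startswith(EXIF_HDR) else " XMP" if payload.startswith(XMP_HDR) else ""
    return name


def list_metadata(data):
    """Return [(label, size_in_bytes)] for each metadata segment found."""
    return [(label(m, data[s + 4:e]), e - s)
            for m, s, e in segments(data) if m in METADATA]


def strip_metadata(data):
    """Return a copy of the JPEG with every metadata segment removed.

    APP0 (JFIF) and APP14 (Adobe) are deliberately kept: they describe how to
    decode the pixels, not where or when the picture was taken.
    """
    out = bytearray(data[:2])
    for m, s, e in segments(data):
        if m not in METADATA:
            out += data[s:e]
    return bytes(out)


def _seg(marker, payload):
    """Build one marker segment: FF, marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: JFIF header, a minimal Exif block (empty TIFF), an XMP
# block, a comment, then the bare picture-structure segments and a 3-byte "scan".
SAMPLE = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, EXIF_HDR + b"II*\x00\x08\x00\x00\x00\x00\x00")
    + _seg(0xE1, XMP_HDR + b"<x:xmpmeta xmlns:x='adobe:ns:meta/'/>")
    + _seg(0xFE, b"taken at 51.50N 0.12W")
    + _seg(0xDB, b"\x00" + b"\x01" * 64)
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, size in list_metadata(data):
        print(f"{name}: {size} bytes")
    print(f"{len(data)} bytes -> {len(strip_metadata(data))} bytes after stripping")
```

Running list_metadata over a file after stripping is the check to make: it should come back empty. Note that this only covers the metadata JPEG carries in marker segments; it is an illustration of the principle, and for real files exiftool, which also understands makernotes and the many other container formats, is the tool to use.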

Highly recommended – particularly if you are in the habit of using photo sharing sites.

Permanent link to this article: http://baldric.net/2014/01/11/strip-exif-data/

Dec 30 2013

http compression in lighttpd

Today I had occasion to test trivia’s page load times. I used the (admittedly fairly dated) website optimization test tool and was surprised to find that it reported that parts of the pages I tested were not compressed before delivery.

I have the default compression options set in my lighty configuration file as below:

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

and the mod_compress server module is loaded, so I expected all the text, html and scripts loaded by my wordpress configuration to be compressed.

It turns out that in order for compression to work correctly in WordPress (or any other php based web delivery mechanism) with lighty you need to enable compression in php as well. The reason is that mod_compress in lighttpd 1.4 only compresses static files; anything generated by a CGI or FastCGI back end such as php passes through uncompressed unless php compresses it itself. In all the time I have been running trivia on my own server I hadn’t done this. The option that needs to be changed to correct this is to set:

zlib.output_compression = On

in "/etc/php5/cgi/php.ini". A quick way to confirm the change has taken is to request a page with an “Accept-Encoding: gzip” header and check that the response carries “Content-Encoding: gzip”.

One caveat for a site served over HTTPS: compressing dynamic responses which contain both a secret (a session or CSRF token, say) and text an attacker can influence is the precondition for the BREACH attack published in 2013, so it is worth being sure that no such secrets appear in the compressed pages.

What I think I might need to work on now is the number of scripts my theme and plugins load. Counterize in particular is beginning to feel a bit sluggish. Certainly the generation of traffic reports is now quite slow and mysql is chewing up a lot of CPU. I suspect that I may need to purge the database and start afresh in the new year – or find another nice traffic analysis tool.

Permanent link to this article: http://baldric.net/2013/12/30/http-compression-in-lighttpd/

Dec 26 2013

getting close to the nsa

Since my last post there have been a couple more entrants to the Tor logo competition. Neither, strictly speaking, meets the original requested criterion that they be suitable for inclusion in Tor Project team presentations, but each has its merits.

The first image below was posted by “David”. I think it captures rather nicely the feeling that Tor is an enabler for freedom in the face of oppressive, and aggressive, surveillance.

image of dove escaping eagle

The second image was posted by “grarpamp” who is clearly a FreeBSD fan. It is, I agree, somewhat controversial, and it got a mixed reception from list members, some of whom found it deeply offensive. Offensive it may be, but I think the image reflects the sort of antagonism engendered in the community by the reported actions of the NSA. Forgive me, but I found it amusing enough to want to post it here.

tor-vs-nsa

I think it would make a good T-shirt. But I cannot believe it will be used by anyone in the Tor Project team.

Permanent link to this article: http://baldric.net/2013/12/26/getting-close-to-the-nsa/