May 25 2012

stupid hunt

According to reporting today, Jeremy Hunt, the Secretary Of State for Culture, Media and Sport, lobbied the Prime Minister in support of Rupert Murdoch’s bid for BSkyB. The report says:

“The inquiry heard that the culture secretary drafted the email on his private Gmail account on 19 November 2010 despite being warned by his officials that he should not intervene because the decision was being taken exclusively by Cable. In the memo he voiced concern that Cable, the business secretary, had referred the takeover to media regulator Ofcom, warning him that James Murdoch was “pretty furious” and that the government “could end up in the wrong place in terms of media policy as a result”.

His Gmail account? Regardless of all else of Hunt’s manifest deficiencies, that act alone means that the man is not fit to hold Minsterial Office.

Permanent link to this article: https://baldric.net/2012/05/25/stupid-hunt/

May 22 2012

tor abuse

I have been running at least one tor exit node for about three years now. Over that period I have occasionally had to move provider following one or more abuse reports. Most ISPs like the quiet life, and you can’t really blame them for not wanting the hassle of dealing with complaints from other ISPs about apparent hostile activity originating from their networks. I have been with one provider for a couple of years and, until now, they have been understanding when they have received complaints and I have pointed them to my exit policy and my notice on the tor node itself. However, this week that changed. They have received two more reports of hostile activity, aimed apparently at Brazilian Government servers, in rapid succession. Following discussions with my provider I have now reluctantly agreed to shut down the exit policy completely. In future my tor node will relay only.

This is a shame, but the only real alternative I was faced with was to shut it down completely and/or move yet again. I’m no longer prepared to do that.

For the record, the activity logged by the victims showed that some bozo was using tor (and popped out of my node) to scan servers with sqlmap. It is extremely disappointing to me that the tor network should be adversely affected by that sort of script kiddie activity.

Update on 24/05/12

I emailed the tor-relays list about my experience and rapidly received a half dozen or so “me too” replies. It would seem that someone has been heavily targetting Brazilian governnment web servers through tor.

Permanent link to this article: https://baldric.net/2012/05/22/tor-abuse/

May 19 2012

pure bubble

El Reg reports that facebook share dealing opened at $42 per share (up $4 on the opening IPO price of $38). As they wryly point out, the Telegraph reports that that price makes the company “worth” more than Boeing.

That is nonsensical beyond belief. Boeing actually make things. Big things, that other companies pay a lot of money to buy. Facebook’s sole revenue source is advertising.

A small prediction. This time next year, facebook’s shares will be trading at less than $5 each – tops.

Update – added 19 June 2012 – this Nasdaq daily quote page for Facebook may be useful.

Permanent link to this article: https://baldric.net/2012/05/19/pure-bubble/

May 13 2012

disappointing satnav

One of my hobbies is motorcycling. I have travelled extensively by bike in central and southern europe over many years, but oddly, I have never visited scotland before. I intend rectifying that shortly. When travelling in europe I have always made do with the excellent Michelin range of 1/1000000 (1 cm to 10 km) maps. These maps are of sufficient detail to aid serious navigation and they also fold quite neatly to fit in a motorcycle tank bag top. Never before have I felt the need of a GPS satnav device.

My wife, however, has a TomTom in her car and I noted that the device has two distinct advantages over a static map. Firstly it is immensely useful in the “last 5 mile stage” when you are hunting for a B&B in an unfamilar town, and secondly (of most use when in trouble) it has a “where am I” function that pinpoints location so that you can give your co-ordinates to a rescue service. This latter function is reassuring to someone travelling alone (or to someone left behind by someone travelling alone). So, since I shall be travelling alone in Scotland over some wild and windy expanses where the weather is notoriously less predictably friendly than it is in southern europe at this time of year, I saw the sense in getting a satnav. I bought a garmin (small, light and cheap). Mine even came with a free lifetime subscription to map updates. The device itself is a doddle to set up and works very well. But it has a fatal design flaw – all software and map updates assume that you have a microsoft windows or apple OSX desktop at home. Well, guess what. I don’t.

The garmin update mechanism uses a plugin to IE, firefox, safari or chrome. But only if you are using a “compatible” operating system. No matter how hard I tried to fool the site using a user agent switcher I couldn’t get the plugin to work. I even tried using wine (which according to one or two sites on-line) should have worked, but no, garmin refused to play ball. I can happily mount the satnav as a removable drive on my linux desktop so copying maps (or even software) to the device should be easy.

Now this is more than just a little irritating. I have paid for a device with a “lifetime map update licence”. But I can’t update the maps without a PC running a particular OS. I’m pretty sure that garmin satnavs run a version of embedded linux so the company cannot pretend they have no linux expertise. Worse, they can produce a plugin for OSX machines (which is BSD based) but not something which is debian based.

Garmin, I am disappointed. And annoyed as hell.

Permanent link to this article: https://baldric.net/2012/05/13/disappointing-satnav/

Apr 24 2012

cheap?

Michal Zalewski (aka lcamtuf) has just announced that google is changing the terms of its vulnerability purchase program. The google announcement says:

Today, to celebrate the success of [the program] and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs:

  • $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
  • $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
  • Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.

Interestingly, the earlier part of the announcement says that the existing program resulted in:

“over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals.”

So, depending upon how you do the arithmetic, over the last year google paid out around $590 per vulnerability, or around $2300 per researcher. Whatever your views on the merits or otherwise of paying for vulnerabilities, that strikes me as pretty cheap, in all senses of the word.

As an aside, I found it amusing that the first commenter on the google posting was one Andrew Wallace, who styles himself an “Independent Consultant”. Wallace has been making a nuisance of himself around various security related mail lists and web fora for a while now. He used to post as “n3td3v” or latterly, as “Andrew from n3td3v”. Back in July 2010, Wallace labelled the google researcher Tavis Ormandy a “cyber terrorist” following Ormandy’s rather public disclosure of a nasty vulnerability he believed Microsoft were trying to hide. Interested (or bored) readers are invited to search the ‘net for Andrew Wallace, n3td3v.

It is also worth recording that as a result of Ormandy’s (some may say “premature”) disclosure in June 2010, after an initial furious response from Mike Reavey, Head of MSRC, Microsoft went on to devise and publish a new “Coordinated Vulnerability Disclosure” policy (warning, MS docx format document) covering the disclosure of “zero day” vulnerabilities in other vendor’s products.

Permanent link to this article: https://baldric.net/2012/04/24/cheap/

Apr 18 2012

now switch it back on

Bugtraq can be an interesting list. Back in June 2008 I noted that one Craig Wright had posted an advisory about a vulnerability in an Oral B toothbrush. Well, just over a week ago a chap called Gabriel Menezes Nunes posted a proof of concept remote denial of service attack on a Sony Bravia television set. He had discovered that a packet flood attack to any port on his TV using the tool “hping” would cause a denial of service. In his post he says:

“After 35 seconds the TV stop working and back. This happens 3 times. At fourth time, the TV shuts down. In less than 3 minutes, the TV is off remotely. It is necessary to turn on the TV physically.”

I can’t help thinking that using the normal remote control would have been easier.

Permanent link to this article: https://baldric.net/2012/04/18/now-switch-it-back-on/

Apr 18 2012

stallman likes sharing

The guardian’s series on internet freedoms (or otherwise) continues today with an article by Richard Stallman on the kindle and ebook publishing. Stallman makes a point I’d missed in my own commentary on the kindle when he says:

“Many other habits that readers are accustomed to are not allowed for ebooks. With the Amazon Kindle, for instance, you’re not allowed to buy a book anonymously. Kindle books are typically available from Amazon only, and Amazon doesn’t accept cash so users must identify themselves. Thus Amazon knows exactly which books each user has read. In a country like Britain, where you can be prosecuted for possessing a forbidden book, this is more than hypothetically Orwellian.”

One obvious way around this is not to buy ebooks from Amazon (or anyone else). The only books on my kindle are those out of copyright which I have downloaded from sites such as project gutenberg or other sites listed on portals such as ireaderreview. Of course you have to be careful that you do not add such books to your personal document archive or Amazon will helpfully copy and list them in your “kindle library”.

And I still haven’t really used my kindle except when on holiday.

(Note that Richard Stallman’s article is Copyright 2012 Richard Stallman under a Creative Commons Attribution Noderivatives 3.0 license)

Permanent link to this article: https://baldric.net/2012/04/18/stallman-likes-sharing/

Apr 17 2012

battle for the internet

This week the guardian, my newspaper of choice, is running a week long series of articles under the theme “battle for the internet“. The reporting looks set to be interesting and is due to cover the following themes: “the militarisation of cyberspace”, “the new walled gardens”, “IP wars”, “civilising the web”, “open resistance”, and (doomladen prophecy) “the end of privacy”. Personally I find the terms “cyberspace/cyberwar/cyberjihad/cyberwhatever” a horrible americanisation, but unfortunately the labels seem to have gained some traction even here in the UK. Whatever, it is at least refreshing that a mainstream newspaper (the guardian is mainstream, right?) should be taking a look at the issues rather than leaving it to the specialist press.

Yesterday’s reporting though was a hoot. The paper led with a front page article reporting an interview with Sergey Brin. Brin is reported to have said:

“there are very powerful forces that have lined up against the open internet on all sides and around the world”. and “I am more worried than I have been in the past, it’s scary.”

OK – I can see how there could be a number of possible threats to the continued existence of the sort of open and collaborative ‘net that I so admire. But the guardian article went on to say:

“The threat to the freedom of the internet comes, he claims, from a combination of governments increasingly trying to control access and communication by their citizens, the entertainment industry’s attempts to crack down on piracy, and the rise of “restrictive” walled gardens such as Facebook and Apple, which tightly control what software can be released on their platforms.”

“He said he was most concerned by the efforts of countries such as China, Saudi Arabia and Iran to censor and restrict use of the internet, but warned that the rise of Facebook and Apple, which have their own proprietary platforms and control access to their users, risked stifling innovation and balkanising the web.”

and moreover

“There’s a lot to be lost,” he said. “For example, all the information in apps – that data is not crawlable by web crawlers. You can’t search it.””

So: along with restrictive regimes and an entertainment industry fighting to retain a lost business model, according to the world’s largest infringer of personal privacy, one of the biggest threats to the internet is the fact that apple and facebook won’t let google search the data they have gathered.

Is it just me? Or is this bonkers?

Permanent link to this article: https://baldric.net/2012/04/17/battle-for-the-internet/

Apr 16 2012

rockbox rocks

Some time ago my wife bought me a Sansa Sandisk Clip+ music player. When she asked me “what kind of MP3 player” I would like, I specifically specified the Clip+ because it could handle ogg vorbis encoded audio files. All my audio disks are encoded in this format. Picky I know, but there you go.

The version she bought me was the 8 GB Black which comes with (you guessed it) 8 GB of internal storage – sufficient for a fair number of audio tracks. But this version also has a microSDHC slot which will take a maximum of another 32 GB. That should enable me to carry most of my music collection (which currently runs to around 47 GB) if I cut out some of the obvious duplicates and exclude some of my more embarrassing ’70s choices. The device is small, neat and light and also has a pretty good battery life.

But Sansa have not been entirely honest in their advertising. Sure, the device will accept additional storage, but it is largely unusable. Once you get past around 6 or 7 GB on the internal storage and even as little as 3 or 4 GB on the additional card, the device is not capable of building its database of the collection. The symptom is pretty obvious. As soon as you disconnect the Clip+ from the USB connection used to transfer files (and incidentally to charge the device) the display shows “Refreshing your media” and a progress bar which slowly fills from left to right. If you only use the internal storage, there is no problem, but as soon as you get past the 3 or 4 GB additional store on the external card, the clip+ will sit there, refreshing away, for hour after hour if you let it.

Even after a firmware upgrade, the device wouldn’t do what it was supposed to, so I turned to the FLOSS community yet again. This time in the shape of rockbox.

Rockbox is a free, open source jukebox utility which runs on a wide variety of devices. The website provides detailed instructions on how to install and use rockbox and even comes with an installer for most operating systems so that you don’t have to get your hands dirty installing it manually. Most impressive of all however, is that the rockbox firmware can be installed alongside the original player’s firmware without danger of bricking the device. If you find that you don’t like rockbox (and what’s not to like about a free product that outperforms the paid for original?) you can still boot into the original firmware because rockbox provides a dual boot facility. And if you really don’t like it, then you can simply remove it and go back to using the original.

Thoroughly recommended.

Permanent link to this article: https://baldric.net/2012/04/16/rockbox-rocks/

Mar 31 2012

this video is private

I have just tried to (re)view a youtube video I last looked at a couple of weeks ago from a link that a friend sent me in an email. On clicking the link I got the message: “This video is private. If the owner of this video has granted you access, please log in.” On clicking the link, I was taken to a google sign in page.

I suppose I shouldn’t be surprised at that. After all, the new google privacy policy, which covers all of its “services”, is now in place. But I must admit it did piss me off more than a little. What next? Must I sign in to watch pingu with my grandson?

No google, I won’t sign in just to view a youtube video. But walling off bits of the ‘net may yet be your downfall.

Permanent link to this article: https://baldric.net/2012/03/31/this-video-is-private/

Mar 29 2012

that didn’t take long

My last post contained two (non-existent) email addresses in my baldric domain in the extract from my postfix logs. As I said in the post, I had edited the log entry specifically to mask real details. Yesterday, only four days after that post, I received spam email attempts at those addresses.

As I have said in the past, if you don’t want spam, don’t publish your email address.

Permanent link to this article: https://baldric.net/2012/03/29/that-didnt-take-long/

Mar 24 2012

android mail client is broken

In January of this year I wrote about t-mobile’s apparent policy of actively looking for and blocking any TLS-secured SMTP sessions over their network. At the time I believed this to be a cockup rather than a deliberate policy. I still prefer to believe that, but the episode left a rather sour taste in my mouth. So this month I took the opportunity presented by the end of my contract to shift to another provider. Of course, in doing so I gained a nice shiny new ‘phone which meant that I could spend a fun few hours setting it up the way I wanted it and nailing it down as much as possible so that it didn’t leak all my data to google. This is unnecessarily difficult, and much harder than it should be (and I know that people like Peter H will simply tell me that I shouldn’t be using an android ‘phone in the first place). But that is not the point of this post.

Like most people these days, I use my ‘phone to pick up email. The standard email client on my last ‘phone was pretty uninspiring so I used K-9 mail in its place. K-9 is a pretty good application, but it has a silly little bug in it which is still not sorted properly. This bug manifests itself in a rather odd, and unpredictable way – K-9 seems to “forget” the X509 certificate used to protect the authentication process if that certificate is self-signed, or otherwise not verifiable by an external CA. The cure, such as it is, is to simply refresh the certificate by reloading the account settings and accepting the cert when K-9 warns you that “TrustAnchor found but validation failed”. The length of time between accepting the cert and K-9 “forgetting” it again seemed random to me, so I got into the habit of refreshing my account settings whenever I noticed that I hadn’t received any mail for a while. Annoying, but not ultimately a deal breaker for using what was otherwise a pretty good application.

So, the first application I looked at on my new mobile was, of course, email. The default mail client on this new phone looks a lot slicker than the old one on my previous phone, but then it is a much newer ‘phone, from a different manufacturer and the android version is much newer too, so no real surprise there. The setup seemed to have no problem with my self signed certs so I thought I might stay with the default to see if it would solve my annoying little problem with K-9.

Unfortunately not.

Whilst I had no problem with incoming mail over my IMAPS connection, all attempts to send mail failed. On checking my server logs I found the following (real details changed or obfuscated):

Mar 20 20:45:57 pipe postfix/smtpd[7594]: NOQUEUE: reject: RCPT from home.baldric.net[12.34.56.78]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<null@baldric.net> to=<noone@baldric.net> proto=ESMTP helo=<localhost>

Aha! My postfix configuration is set up to reject hosts which do not have valid hostnames or do not announce themselves with fully qualified domain names (i.e. names of the form “host.domain”). Now since I use SASL authentication in my postfix configuration the fix is relatively easy; just ensure that the stanza “permit_sasl_authenticated” appears in both “smtpd_sender_restrictions” and “smtpd_helo_restrictions” before “reject_non_fqdn_hostname” – thusly:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain

(In fact, this episode highlighted an error in my postfx configuration because my helo restriction was inadequate. By now checking the authentication before the helo restriction kicks in I am still well protected, but mail from valid authenticated users is permitted.)

I am in that (very) small minority of people who run their own mail servers and are able to change server side configurations. But, and this is a big but. I should not have to change the server side configuration to accommodate a broken client and the vast majority of people will not be able to do so anyway. Almost all well set up mail servers will reject mail where the client connection announces itself in the helo exchange as “localhost”. That is normally an indication of a spammer, indeed spamassassin will allocate a high score to any mail which is so flagged. This means that there will be a huge, and growing, number of people who cannot send mail from their android ‘phones.

If this is the default android mail behaviour, then google need to fix it now. Meanwhile, K-9 is looking attractive again.

Permanent link to this article: https://baldric.net/2012/03/24/android-mail-client-is-broken/

Mar 19 2012

unlinked

Today I received two (make that four now – must sort out my spam filters) phishing emails from a source new to me. Each email purported to come from “linkedin” and each invited me to login to respond to “invitations from your work colleague”. Since a) I have never been a member of linkedin, and b) am retired, the invitations immediately looked suspect, but the return address looked real at first sight. That is, until I looked more closely. The actual address used was linkedln.com (with a second letter “l”) rather than the correct linkedin.com.

Nice try.

Permanent link to this article: https://baldric.net/2012/03/19/unlinked/

Mar 14 2012

unplugged

A few days ago my sheevaplug died. Beyond the obvious lack of response either over the network or through the USB serial connection, the symptoms (single green LED rather than blue and green LED lit, ethernet LED light steady rather than flashing) were all consistent with a blown PSU.

This problem is well known and well documented on the Newit forum and the plugcomputer forum as well as plenty of other sites, so I was pretty confident in my diagnosis. The general consensus seems to be that the low quality components used by Globalscale in what is, after all, supposed to be a piece of development kit, coupled with its low power output, means that it can’t really cope with the demands placed upon it – particularly if you attach unpowered USB peripheral devices. Even so, I was pretty pissed off that it failed after only two years.

I use my plug as my NTP time source, network “apt-get” cache and local end point for my ssh proxy tunnel to tor. So it was quite important to me that I get it working again. Fortunately Newit now stock replacement PSUs. Mine arrived within a couple of days of order.

Newit have kindly placed a “howto fix your fscked plug” guide online. I found the process relatively easy, with the exception of replacing the new AC inlet plug back in the chassis. In the end I pushed hard and held my breath in case something snapped, but I got it in.

I have seen many pictures of the PSU on-line, but I confess I was pretty shocked at the completely amateurish look of the thing when I pulled mine out.


The picture above shows the PSU in its case as I pulled it out of the plug.



and this one shows the contents of the PSU when the case lid is removed. It looks like the sort of breadboard setup I last saw in a 1960s transistor radio built by my uncle. Certainly not of the quality I would expect from a major electronics company. Mind you, the new replacement unit (see below) is not /that/ much better.



This final picture shows the new PSU installed in what is actually the top half of the plug.


The plug is now back together, and to my relief it booted fine first time. But I’m now not at all confident that it will last. And since one of my earliest slugs is now becoming a little unstable, I’m looking for a replacement for both.

Permanent link to this article: https://baldric.net/2012/03/14/unplugged-2/

Mar 09 2012

steam locomotive

Most debian users will be familiar with the ASCII “moo” easter egg in apt-get.

I have just stumbled upon a more elaborate piece of ASCII art by one Professor Toyoda Masashi who wrote a joke program to reprimand those command line users who misspell “ls” as “sl” (it happens). I installed it on my desktop because my grandson loves “choo choos”.

Give it a try, it should be available in most distros. The animation is quite good.

And yes, I know I need to get out more.

Permanent link to this article: https://baldric.net/2012/03/09/steam-locomotive/

Mar 07 2012

iBomber Defence: Nuclear Option

Today’s G2 has a nice little article by Tim Dowling called “What’s on David Cameron’s iPad“. Dowling’s article says:

“David Cameron is about to take delivery of a specially programmed prime ministerial iPad, reportedly at a cost of £20,000 (3G contract not included). An iPad devotee already – he uses it to catch up on episodes of The Killing while travelling – Cameron will now be able to keep tabs on polling data, market fluctuations, unemployment figures, crime statistics and news feeds, all with the sweep of a finger across a special dashboard.”

Dowling goes on to list the applications he believes would be on the Prime Ministerial iPad. These include:

Nuclear Button

This secure application allows the PM to be in control of Britain’s nuclear arsenal at all times. For safety reasons, password must be at least eight characters long and contain both numbers and letters.

and

iBomber Defence: Nuclear Option

New game in which a world leader has just 12 hours to decide whether to launch a nuclear strike. Don’t worry – the icon is a totally different colour to the Nuclear Button.

Given what the iPad probably had to go through before Dave was let anywhere near it, I think £20,000 sounds pretty cheap.

Oh, and I quite like this little app….

rMail

A selection of hilarious private emails sent by UK citizens, delivered daily from GCHQ.

Permanent link to this article: https://baldric.net/2012/03/07/ibomber-defence-nuclear-option/

Mar 06 2012

banking stupidity

When I logged on to my new bank site this morning, I tried the “help” offered on the opening screen just to see what they had to say about the range of options available. I was not best pleased to be greeted by the message “Flash is not installed, is not enabled or is not up to date” together with a nice big button marked “Get Adobe Flash Player”. No – I don’t think so.

Adobe products have an unfortunate history of critical vulnerabilities. Indeed, only a couple of weeks ago they released a patch for a critical vulnerability in Adobe Flash Player 11.1 and earlier for Windows, Macintosh, Linux and Solaris. It wasn’t the first, and it certainly won’t be the last. There are probably a whole bunch of zero days out there primed and ready for use.

I do not want to see flash on one of the most critical sites I use. And I have told my new bank exactly that. Watch this space.

Permanent link to this article: https://baldric.net/2012/03/06/banking-stupidity/

Mar 04 2012

am I kidding myself

I have recently moved my bank current and short term savings accounts. Partly this is a political statement in support of the move your money campaign, and partly because I feel that my money might actually be a bit safer (if only slightly) in a small UK Mutual than with the UK arm of a large Spanish Bank. However, my reason for mentioning this here is that the move gave me the opportunity to compare the on-line mechanisms of both my old and new providers and it also got me thinking again about the way I actually do my on-line banking.

As you would expect, I do all my on-line financial transactions from my linux desktop. Given the prevalence of sophisticated banking trojans (PDF file) such as ZeuS, I really don’t see how anyone could comfortably use a windows based machine, even one fully patched, with up to date virus protection and firewall in place. But I go further than just using my desktop, I actually only log on from a second desktop within a virtualbox VM. Further, the browser I use in that VM is as stripped of functionality as is possible (no addons, no plugins, defaults to block cookies etc.) and only ever connects to my bank(s) and no other sites. Unfortunately, the banks insist on cookies and javascript so I have to enable those selectively.

The thinking here is that my browser is the least secure (and probably most targeted) application on my desktop. So if I use a browser which I know has not connected to anything other than the two or three financial sites I trust, I should be relatively safe. Shouldn’t I? (OK, DNS poisoning could have redirected the browser to fake sites, but you get the drift I’m sure). And the best way to be sure that the browser I use is nailed down, and uncorrupted, is to run that browser from a separate machine. However, separate physical machines are expensive and it is tedious to have to fire up another box just to handle my banking when I could do it all from a VM.

But if my main desktop is already compromised (with say a key logger) how safe am I? One of the nice features of virtualbox is its ability to capture both the keyboard and the mouse automatically whenever the guest OS is in focus. For example, on starting a new guest OS, virtualbox says “You have the auto capture keyboard option turned on. This will cause the VM to automatically capture the keyboard every time the VM window is activated and make it unavailable to other applications running on your host machine.” So theoretically, all keypresses will be intercepted by virtualbox and will be invisible to the underlying host OS and its applications. But does this apply to a keylogger trojan already in the host OS? I guess that depends on the trojan and where within the complex stack of kernel, kernel modules, virtualbox and applications it actually hooks itself. But after revisiting and pondering upon my previous assumptions during the move of my accounts, I can’t help feeling that my (rather elaborate) security mechanisms are actually no more than a nice warm security blanket.

But they do make me feel safer…..

Permanent link to this article: https://baldric.net/2012/03/04/am-i-kidding-myself/

Mar 04 2012

wordpress 3.3.1 bug update

Addendum to previous post.

On further experimentation, the problem seems to be caused by a combination of graphene 1.6.1 and wordpress 3.3.1, not just 3.3.1 alone. I’ll post to the graphene support site to see if anyone else has seen this.

Permanent link to this article: https://baldric.net/2012/03/04/wordpress-3-3-1-bug-update/

Mar 04 2012

wordpress 3.3.1 bug?

As part of the move to the new site I also upgraded wordpress to the latest release (3.3.1). Unfortunately I found a small bug in that version so I have reverted to the earlier version.

The bug is odd, and not particularly problematic but irritating nonetheless. It prevents upload of media (such as is used in embedding images) and also loses the html editor toolbar – the “visual” toolbar remains unaffected. Oddly though, the bug only manifests itself in the edit of “pages” as opposed to “posts”.

I think I’ll wait until the next full point release (to 3.4) before trying again.

Permanent link to this article: https://baldric.net/2012/03/04/wordpress-3-3-1-bug/

Mar 01 2012

we’ve moved (again)

Back in September 2009 I moved trivia from its original home on a cheap shared web hosting platform to one of my first VMs at Bytemark. However, in that move I left the design relatively untouched. (Having sat through more than my fair share of tedious powerpoint presentations I’m a firm believer in the power of content over bling). That said, trivia was overdue for an update so I have taken the opportunity of a move to another new VM (again hosted at Bytemark, but on their whizzy new platform called BigV) to change trivia’s theme.

One of the major limitations of the old theme was the loss of all sidebar navigation options when moving away from the home page. This meant that anyone arriving at a trivia page from a link elsewhere would have no sense of the (ahem) full depth or range of content available here. The new theme solves that problem and also allows me a to add just a little more bling. I think I’ve been relatively restrained, though I particularly like the scrolling random selection of old posts across the top of the new home page. I may play around with some of the minor options available in the new theme, but the overall layout is likely to stay broadly as you now see it.

Let me know what you think.

Permanent link to this article: https://baldric.net/2012/03/01/weve-moved-again/

Feb 20 2012

HMG goes cloudy

The UK Cabinet Office has announced the winning bidders to supply IT goods and services to UK Government under its new framework contract called “G-Cloud”. The winners are listed on a new website called the CloudStore which, supposedly, allows HMG procurement specialists to search for the goods and services they want to purchase. The new framework is supposed to break the old cosy relationships in HMG procurement circles between the big suppliers and HMG Departments. Politics and personal prejudice aside, I think Francis Maude’s intentions in setting the new services framework is actually quite honourable. But, frankly, the results baffle me.

I picked “Infrastructure as a Service” as my first choice and the list I was presented with gave several suppliers for which the description said “The supplier did not provide a description of this service, please click on the link to find out about this service.”. Of course, clicking the link merely confirms what the description says – no info. So I tried a search for “open source software” on the IaaS page and got no results. I also got no results when similarly searching “Software as a Service”. Excuse me? Am I expected to believe that not one supplier of the 255 successful companies even mentions open source software in their offering of IaaS os SaaS? Has no-one heard of the LAMP stack?

I then widened the search to include any and all service by any and all provider and got just one result – for some company called “Cloud Cache and Archive Limited”. The description says:

“Cloud Cache And Archive Limited is a privately funded software company with development based in London. Cloud Cache and Archive provides a game changing solution to allow the rapid integration of legacy applications and databases; and the deployment of new enterprise services and Web 2.0 applications on the Cloud. The solution leverages “big data” technologies; a 100% open source software; and cloud native platforms to provide Agile Information Integration and Agile Information Management all based on a cloud native platform. The proven solution is designed for Governments and large commercial organizations.”

I’m sorry, but that is just marketing drivel. WTF does that actually mean? What solution? To what problem? What is a “cloud native platform”? And how will this help a government procurement specialist (who, trust me, will not be an ICT specialist) choose a supplier?

Answers on a post card please.

Permanent link to this article: https://baldric.net/2012/02/20/hmg-goes-cloudy/

Feb 14 2012

Досвидания камрад?

From a peak of around 25,000 mail drops per month in the backscatter I was getting from the .ru domain to the non-existent address “info@baldric.net” I am now seeing virtually none. My logs show a distinct drop off from mid to late December last year to about 10-15 emails per day (when I had previously been seeing anywhere between 600 and 900 per day). Since then the trickle has slowed to a crawl. I now receive only a handful a week, with most days being completely clear.

I wonder where they have gone.

Permanent link to this article: https://baldric.net/2012/02/14/%d0%b4%d0%be%d1%81%d0%b2%d0%b8%d0%b4%d0%b0%d0%bd%d0%b8%d1%8f-%d0%ba%d0%b0%d0%bc%d1%80%d0%b0%d0%b4/

Feb 07 2012

perl programmer goes rabid

As a Guardian reader I find the Daily Mail distasteful and I would not normally refer to it in trivia. However, a friend of mine has just sent me a link to a random Daily Mail page generator which manages to lampoon the rag quite successfully.

image of spoof daily mail random page

Further investigation of the author’s blog reveals another random page generator which suggests he may have too much time on his hands.

Permanent link to this article: https://baldric.net/2012/02/07/perl-programmer-goes-rabid/