Friday, 25 May 2018

Facebook security

Facebook recently announced that they tightened up their security, and have removed 583 fake accounts.

And they've put up a notice saying that if you log in from a different computer, they're going to do a check on whether you're really you. Which sounds nice.

So we went away for a few days, and I logged in from the hotel's wifi, using a portable I took with me. So the IP address was different, and if Facebook had dumped any cookies on my computer, they weren't on this laptop.

Facebook immediately spat me out. So this is their security in action. But what happened next ...

They asked me for a mobile number, so they could send a six digit verification code. Obviously I'm not going to give them my usual number. I don't want to start getting spam on it.

So, I went around the houses. I have an old iPhone 4, inherited from Ladysolly a while back, and just festering in a drawer. I went to Vodafone to get it unlocked, which was pretty easy. Then I did a full reset, to wipe off all the data.

Then I went to freedompop.com. You pay £7 or so, and you get free minutes, texts and data. Not very much, and I think they're hoping I'll top up and pay for more. But I won't. And as a surprise, they gave me a second sim for an extra 1p. Nice. So I put the sim into the old iPhone, and gave Facebook that number.

And Facebook was happy, and I was happy, and everything is tickety-boo.

But.

Facebook didn't actually do any verification of me at all. All they verified is that the person who logged in also owns a phone.

It's just more "Security Theatre".

So. In future, when I go away, I'll VNC into the computer that Facebook expects me to be using, and they'll never know that I'm hundreds of miles away, using my laptop. I tested it, and it works fine.

Thursday, 24 May 2018

Mouse pad

Mouse pads are important. You want something that isn't too rough and isn't too smooth, and which is big enough for your mouse movements, but not so big that it takes up too much desk.

Also, I want a gel pad for my wrist to rest on, so I don't get tendonitis.

For many, many years, I've been using the Fellowes "Gel wrist rest and mouse pad". They must be more than ten years old now, and they still work great.

So I just bought four more on Ebay, about £12 each.

Recommended.

Power supply difficulties

The power supplies in PCs are one of the components that wear out. Sometimes the fan goes, because they are mechanical. That's easy, I just replace the fan. But sometimes, it just fails.

They are easy to replace; PCs are like Lego, but with screws. I have a small stock of PSUs (power supply units), so that I don't have to order one each time one fails.

And my small stock has dwindled - time to order more!

So I had a look around, and Bluepoint were offering 15 refurbished PSUs (which means, second hand and wiped over with a cloth) for a mere £1.91 plus Vat. "I'll have some of those" thought I, and ordered 15. "Yes we have them, no they aren't in stock, but we can get them". They took my money, then called back. They don't exist.

So I tried another bunch of PSUs they had, for the same price.

Same problem.

So I tried another PSU that they had on their web site. Not available. So I explained, "look, I tell you what. Rather than me try to guess which of the products that you offer, I can actually buy, suppose you make a list of what you can actually sell to me, and put it on your web site? Because I'm tired of playing "Guess the product" with you."

And I went to eBay.

Where I found some excellent, brand-new, 700 watt power supplies for only £5 each, free postage. So I bought ten.

A few days later, I got a message from eBay. Someone had been very naughty, and the items didn't exist, sale cancelled. I went to Paypal, where I found that the £50 had not been claimed, so I cancelled the payment.

Which took me back to square one.

So I went on a rampage on eBay, and bought every PSU that was the right kind and was under £7, which means I now have 13 assorted second-hand PSUs on their way to me.

Fingers crossed!

Tuesday, 15 May 2018

Hungarian rhapsody

I've just received a third communication from the Hungarian tax people. The first two were complaining about a non-payment of VAT on two dates, both of which I had indeed paid.

I was dreading what the third would be. But it's OK! It was an apology for sending the first two emails. Apparently, a "technical error".

Monday, 14 May 2018

PCI DSS woes

It's PCI DSS time again! Every three months, an external agent (in this case, Sysnet Global Solutions) has to check my Secure Server, to check whether some newly discovered insecurity has caused the need for an update.

So I submitted the URL for checking, and it came back "FAIL". That was the start of the nightmare.

The fail, apparently, was that one of the chain of certs (certificates) used SHA1, and SHA1 is no longer considered secure. The recommended answer was to get back to the vendor of my cert, Comodo, and get them to sort it out. So I did that.

First, I tried using their chat function. Using that, they sent me this cert and that, but each time, I got the FAIL.

Then I tried again, next day. First one new cert, then another, and so on, and eventually they gave up and told me to email.

So I emailed, and the email I got back said, "Don't worry, it's a false positive".

I wasn't happy with that, and phoned. Over a two hour transatlantic call, the Comodo tech and I tried this, that and the other. He even got me to edit the certs around; taking a piece out of one and another piece out of another. And still it failed.

But.

I learned a lot. Apache has three directives for the certificates, so it looks as if there need to be three files:

SSLCertificateFile, SSLCertificateChainFile and SSLCACertificateFile

Actually, you can combine one or more certs into a single file, each one pasted in after the other. And until I understood that, I was getting a lot of grief, because Comodo were only offering two files: the SSLCertificateFile, which is the cert for my own server, and one other file, which holds the intermediate certs and so does the job of both SSLCACertificateFile and SSLCertificateChainFile.

It turns out that the problem lies in the root certificate. A root cert is self-signed, and its signature is never actually checked: a browser trusts a root because it is already sitting in its trust store, not because of the signature on it. So it really doesn't matter whether the root uses SHA1 or not. It is the certs below the root, the intermediates and the server cert, whose signatures get verified, and those are the ones that must not be SHA1. And it was the root cert of Comodo that was SHA1.

So I boldly decided to tell Sysnet that they were throwing a false positive. I backed that up with quotes from Google and Microsoft, explaining that a SHA1 at the root wasn't a problem, and I put a cherry on top in the form of "I notice that the Sysnet web site also uses SHA1 for the root server."

It worked. After a week of agony, I got my cert authorised, and the cream of the joke is that I could have got it authorised the first time I'd tested it, if it hadn't been for that false positive.

But some good came out of it. When the time comes for me to renew my cert with Comodo for £90 per year, I shall instead be using "Letsencrypt.org", which is free, and gives me a cert that the PCI DSS is happy about - I know that, because that's what I'm using now!
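The point in the paragraphs above, that SHA1 on the root is harmless while SHA1 anywhere below it is not, is easy to check for yourself before arguing with a scanner. Here is an added example, not code from the blog, from Comodo, or from Sysnet: a standard-library-only Python script that walks the DER of each certificate in a PEM bundle (the same bundle you would hand to Apache), reports its signature algorithm, and flags a weak signature only on certs that are not self-signed. The sample chains at the bottom are constructed toy certificates with placeholder keys and dummy signatures, laid out like real X.509 v3 certs so the parser sees the same structure; the names "Toy Root CA", "Toy Intermediate CA" and "shop.example.test" are made up for the demo.

```python
"""Audit the signature algorithm of every cert in a PEM bundle and flag SHA-1/MD5
only where a client actually verifies the signature, i.e. below the self-signed root.
Added example: stdlib DER walker plus constructed toy certs (dummy signatures)."""
import base64
import re

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758): name, is_weak.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_ders(text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def inspect_cert(der):
    """Return the outer signature algorithm and whether issuer == subject (self-signed)."""
    _, cert, _ = _tlv(der, 0)
    tbs, sig_alg = _children(cert)[:2]                  # tbsCertificate, signatureAlgorithm
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                            # optional EXPLICIT [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]        # serial, sigAlg, issuer, validity, subject
    name, weak = SIG_ALGS.get(oid, (oid, False))
    return {"sig_alg": name, "weak": weak, "self_signed": issuer == subject}

def audit_chain(pem_bundle):
    """A cert is a problem only if its signature is weak AND somebody verifies it."""
    results = []
    for der in pem_to_ders(pem_bundle):
        info = inspect_cert(der)
        info["problem"] = info["weak"] and not info["self_signed"]
        results.append(info)
    return results

def chain_is_clean(pem_bundle):
    return not any(c["problem"] for c in audit_chain(pem_bundle))

# ---- constructed sample data: toy certs with placeholder key and dummy signature ----
_OID = {"sha1WithRSAEncryption": bytes.fromhex("2a864886f70d010105"),
        "sha256WithRSAEncryption": bytes.fromhex("2a864886f70d01010b"),
        "commonName": bytes.fromhex("550403")}

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _name(cn):                                          # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    atv = _der(0x30, _der(0x06, _OID["commonName"]) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def toy_cert(subject, issuer, sig_alg):
    """X.509 v3 layout; the key and signature are placeholders, so it cannot be verified."""
    alg = _der(0x30, _der(0x06, _OID[sig_alg]) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"180501000000Z") + _der(0x17, b"280501000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + validity + _name(subject) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

# Leaf (SHA-256) <- intermediate (SHA-1!) <- self-signed root (SHA-1): the intermediate is the real problem.
BAD_CHAIN = (toy_cert("shop.example.test", "Toy Intermediate CA", "sha256WithRSAEncryption")
             + toy_cert("Toy Intermediate CA", "Toy Root CA", "sha1WithRSAEncryption")
             + toy_cert("Toy Root CA", "Toy Root CA", "sha1WithRSAEncryption"))
# Same chain with a SHA-256 intermediate: only the root is SHA-1, which no client checks.
ROOT_ONLY_SHA1 = (toy_cert("shop.example.test", "Toy Intermediate CA", "sha256WithRSAEncryption")
                  + toy_cert("Toy Intermediate CA", "Toy Root CA", "sha256WithRSAEncryption")
                  + toy_cert("Toy Root CA", "Toy Root CA", "sha1WithRSAEncryption"))

if __name__ == "__main__":
    for label, bundle in (("bad chain", BAD_CHAIN), ("root-only SHA-1", ROOT_ONLY_SHA1)):
        print(label, "clean" if chain_is_clean(bundle) else "FAIL")
        for c in audit_chain(bundle):
            print("  ", c)
```

To run it against a real server, point `pem_to_ders` at the combined file you give Apache (or at the output of `openssl s_client -showcerts`); a real PEM bundle has the same outer structure the walker relies on, so only the toy-cert builder is demo-only. Note also that since Apache 2.4.8 the intermediate certs can simply be appended to the SSLCertificateFile, and SSLCertificateChainFile is deprecated, so one combined file is enough.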


Friday, 11 May 2018

Let's Encrypt

Every "secure server" has to have a certificate; this is a file that ties the server's public key to its domain name, signed by a certificate authority that browsers already trust, so that a visitor's browser can check it is talking to the right server before the encrypted session starts.

I've been getting my certificates from Comodo, because I decided that Verisign were too expensive. They seem to be part of Symantec now, and Symantec want $399 per year for a cert, $1999 for a wildcard cert (which covers all subdomains of a domain name). 

Eyewatering.

Also, Chrome will soon be untrusting Symantec certs. It's a sad story.

Comodo were charging me $60/year. Now it's £90, more than twice what it used to be. Feh. Godaddy are a bit cheaper, about $60/year, but they warn you that it will be $75 when you renew.

I'm already using Letsencrypt.org for a few dozen domain names. Their big advantage is that it's free. Certs last for 90 days, but they make it easy to automate refreshing them.

So I thought, how about using this for my Secure Server? There's only one drawback to the certs from Letsencrypt, and that is that they don't certify the name of the organisation, only that you control the domain. But when was the last time you checked the cert on a secured web site to verify that it really was the organisation you thought it was? As long as the lock thing is showing locked, and no alarming popups pop up, it should be fine.

So I downloaded certbot-auto, and made myself a free wildcard cert (the thing that Symantec wants $1999 for). I checked the server with Qualys SSL Labs and got an A+ rating, that's as high as it goes.

I just checked Barclays, my bank, and they only got a B! Naughty Barclays are still using SSL 3, which is known to be insecure.

So, while I was overhauling things, I also brought the server up to the latest Fedora, version 28, and the latest Apache web server, 2.4.33. And I also made a backup server, so I can slide that in immediately if the hardware goes pearshaped.

While I was building it, I had a bit of a clear-out of faulty motherboards. It seems to me that motherboards wear out; I'm guessing it's the capacitors. Anyway, that left me with a bunch of CPUs for which I had no motherboard. So I went to Ebay.

I found a guy selling suitable motherboards for £7 each, which sounded good until I noticed that each one came with a CPU and memory. Better than good! So I bought all six that he had.

Wednesday, 9 May 2018

Specific spam

This weird seed helps burns fat 1828% faster

This spam is interesting because of the strangely specific percentage.

Saturday, 5 May 2018

A strange cut-and-paste bug

I use cut-and-paste a lot. Often, I'm copying from a nedit text file, into the Firefox browser.

For a while now, that has stopped working. So I looked into it.

I can cut-and-paste from nedit into anything else, such as a terminal. That shows that copying from nedit to the clipboard is working.

I can cut-and-paste from anything else into Firefox. That shows that copying from the clipboard to Firefox is working.

I don't understand it.

Upgrading to Fedora 28

Fedora 28 is out. So, naturally, I downloaded it and installed it on a machine. It worked fine. So I decided to upgrade more machines to 28. I ran into a couple of minor difficulties.

1. With Fedora 28, desktop icons are no longer there. It gives you a clean desktop - but I want my icons. I found this:

dnf install nemo

Then pico ~/.config/autostart/nemo-autostart-with-gnome.desktop and put into that new file:

[Desktop Entry]
Type=Application
Name=Nemo
Comment=Start Nemo desktop at log in
Exec=nemo-desktop
OnlyShowIn=GNOME;
AutostartCondition=GSettings org.nemo.desktop show-desktop-icons
X-GNOME-AutoRestart=true
NoDisplay=true

To start it, do

nemo-desktop &

And that gave me my icons back.

2. And then apache didn't work; this is version 2.4.33

pico /etc/httpd/conf.d/nss.conf

add: NSSEnforceValidCerts off

That's OK, because these servers are only accessed for http, internally.