Saturday, 10 November 2012

Owncloud external filesystems not mounting?

OwnCloud is an excellent roll your own dropbox replacement.

I was having trouble with getting it to mount the local filesystem which is, confusingly, part of a feature it calls "External Filesystems" and can also be used to mount other filesystems such as webdav, samba, ftp etc.

I stumbled upon the solution and it turned out this feature is actually a plugin that you need to be enabled.

Wednesday, 15 August 2012

wget over ssh proxy

My current working situation involves me at a contractors desk in a network environment I do not control. I have been having an on going problem with file downloads freezing after a couple of megabytes however ssh works just fine.

wget is not socks proxy aware so this resulted in me looking for a way to do this. I stumbled across a script that gave me exactly what I wanted.

The only major modification is the addition of the delete line at the end which can be commented out if you do not wish to remove the file from the ssh server. You may also need to tweak the ssh statement, I rely on the ssh being setup in a ssh config file so all I enter is the hostname and the config takes care of port and key files. A great guide on setting up an ssh config file is available  here

Sunday, 12 August 2012

Blogger post category pages and RSS feeds

The more web aware(interested?) people reading this may have noticed this site runs on Google's Blogger platform although I've taken a few steps to hide that. It is not that I mind the site being on blogger and more that I just did not like the look.

One the plugins I used to have in WordPress was to generate pages that only show posts from a certain category, almost as if they were sub-blogs. Doing this in Blogger isn't obvious but is doable once you combine a couple of things.

Categorised Pages.

To access such a page you use the search feature of the site and you end up with an URL formed as [domain]/search/label/[label] to create the following.
You can obviously use this link where as you would anywhere else but if you want it to appear in your site navigation you need to create a page that points there. Fortunately this is also built in, so just use the "Web address" option when creating a new point.

Then add the url like so

Categorised RSS feeds.

The principle here is basically the same as above, create a URL and link to it however you so desire. The url is formed as follows

Now you have that link its just a matter of putting it into an HTML widget with the appropriate tags, images etc and your good to go.

Thursday, 2 August 2012

Tesco Value Online Security

There has been an interesting storm brewing on twitter thanks to Troy Hunt all centred around Tesco's on-line security and has hit many news sites - 1,2,3 and 4. Quite frankly its appalling for such a large company and I'm going to try and explain why that is the case in plain English.

*Please Note: This post was written on the 1st of August 2012 so please keep in mind that things may have changed since then.

The reassuring statement 

It seems to have started with a generic customer service statement from UKTesco on twitter which is a verified account so we know this is a representative of Tesco Plc. They stated "Password are stored in a secure way. They're only copied into plain text when pasted automatically into a password reminder mail"

"Passwords are stored in a secure manor" - Well I should hope so.

"They're only copied into plain text when pasted automatically" - Oh no, This is where things go bad.

"Reminder mail" - And just got worse.

Ok, There is a lot of more technical information out there but lets not get to technical and explain why this sentence should make you cautious

Password Reminders are very bad

If you think about it you don't like the idea of someone knowing your password. Saying its copied automatically is, at face value, a comfort. That is until you consider that all data in a computer is retrievable either by the system administrators or by hackers and therefore in order to have a secure system it should not be possible to retrieve passwords. 

Additionally, Under ABSOLUTELY NO CIRCUMSTANCES should passwords, or any other sensitive information for that matter, be emailed to anyone or anywhere. The reason for this is emails are not secure. The dirty secret of the internet is that emails are transmitted in plain text. They may go from your provider to you under an secure connections but out on the internet they where not secure, relying on the nobility of every system and network engineer that it happens to cross between the person the sent it, their service provider, your service provider and yourself. In fact this is such a sore point for the security minded there are websites dedicated to shaming the companies who do this -

Don't worry if you didn't know that email was an insecure communication method, neither did Tesco (Part 1, Part 2). For a company to display that kind of fundamental misunderstanding of the technology is embarrassing and I can only hope the the IT staff, CTO and CIO do not hold the same belief

This leaves a question that you might have picked up on.

If you can not retrieve passwords how do you confirm I entered it correctly?

Well this is where we risk getting technical but understanding is important to gain context. Encryption has been an important tool in security from the Caesar cypher in Roman times, to the enigma machine in the Second World War and is vital in modern IT. Indeed all important information should be encrypted to protect data from unauthorised access. 

Such technology helped a Brazilian drug dealer frustrate the FBI for over 12 months before they admitted defeat in accessing the suspected evidence on his computer. This is an unfortunate example as the roles of good and evil are reversed but you can appreciate that if implemented correctly we have the facilities to protect information from people we do not want to have access.

The difference with passwords is that you do not want anyone to see your password and that includes the minimum wage employee, the web developer, the system administrator and the CEO. You wouldn't give it to them in person why should they be able to call it up on the computer.

This is done using a process called Hashing which is done with some interesting maths but rest assured I am not about to explain this, I'd only get it wrong and embarrass myself. It is engineered so whatever you entered is converted into a fixed length string of gibberish and so that it is impossible to return this collection of gibberish back into your password. 

The interesting part is when you apply the hashing process to the same value then this results in the exact same string of gibberish. This allows the company to verify you entered the same password without ever seeing what the password is ensuring that you and only you know your password

How does this apply to Tesco and why there is a bigger problem

Well as we have already established Tesco email you a password reminder, this means they can retrieve your password from their system and this exposes your password. Well it goes deeper, take a look at the image below.

I said this points to a bigger problem and most of you will not have blinked your eyes at the screen above but it both worries and frustrates me. We all know longer passwords are more secure so the minimum of 6 characters is reasonable and if anything these minimum requirements are fairly relaxed with no requirement for different case or the use of letters and numbers.

The scary part however is the 10 character maximum. As stated earlier passwords should be put through a "Hashing" process that results in a fixed length string of gibberish. So no matter if you use a 5 character password or a 55 character password it will result in the same length of gibberish.

Why then are Tesco passwords limited to 10 characters?

When databases are designed you select a length of each field, for Tesco to enforce a password character limit of 10 this suggests they are not hashing your passwords but storing them directly into the database in a field limited to 10 characters.

Why is this a problem? Well you've no doubt heard about hacking in the news from LinkedIn,, eharmony and Sony. The worry is if someone does hack Tesco they will get a plain text password.

They have my password, so what?

Well if the hackers just have a huge list of passwords we need not worry as they are hardly going to match a random password to you. Well this may be true but it is not really the point. No hacker worth his salt is going to get into the system and just take passwords. They are going to take everything they think will be of use including your email address and any other details they can grab including email address, delivery address and credit card details.

Further evidence of an apathy towards security.

Well we have established that Tesco do not follow up to date best practices for web security. Lets have a look at a few other aspects to Tesco's website

The picture on the right is the information displayed when you click on the "Why It's safe to shop at" link.

There is two worrying aspects to this page. First is the red HTTPS, this means that not ALL of the page is secure. Again we are risking a drift into the technical but lets just say there is no reason in this day and age not to use HTTPS across all aspects of the website.

The second is the comment about Secure Socket Layers (SSL) and version 3.0 of explorer and version 3.02 of Netscape. Well I presume "Explorer 3.0" is a reference to Internet explorer and Netscape, essentially, went out of business in 2003. Lets just say there has been numerous security issues in the 16 years since those software versions where current. Do you even have a single item of technology that is 16 years old?

There is also a message posted on-line (although it cannot be verified, so I'm not going to link to it) that stinks of arrogance and incompetence including the statement
to my knowledge we've never been hacked and they've tried
A good hacker won't leave a trace meaning it may have already happened and based on the arrogance of that statement I'd guess you are not paying as much attention to your servers as you should be.

I'm closing my account

We now have multiple examples of Tesco's design and security being not only behind the times but woefully inadequate. We have also established that if a hacker does infiltrate Tesco's infrastructure then chances are then are going to end up with a fair amount of info. Well your instinct is probably the same as mine: I'm going to delete my account.

Except you can't do that on-line, you have to phone them and pay for that call....

P.s. For any Tech people who do read this far, I would like to point out a lot of this is a simplification but I was trying to convey the concepts behind this in way that is a bit simpler to understand.

Saturday, 30 June 2012

An open question to smarter people: RIM and Blackberry

I have been saying for a long time that RIM are in trouble and that is definitely coming into fruition now based on their latest earnings call which included first operating losses in many years, Job losses and further delays in the new Blackberry 10 OS.

My question is why bother with an OS? I have previously said they should just ditch hardware and sell/license BES to provide secure email to other devices however I understand this leaves them in a very vulnerable position as they have no USP. If they were to take a full android base admit they are not trying to be the biggest and best device out there and focus on what they do well and be competent at the other aspects of the modern device.

So what should they do, I think they should ditch whatever OS they are using its clearly not up to the task and they have next to no chance at building an ecosystem around it but how to go about it

  • Take the android base similar to how Amazon did with the Kindle Fire.
  • They can they create their blackberry apps on android and release BBM to the android masses (to build on the success that product already has and capitalise on the market share they still have before iMessage and other services leave BBM in the dust)
  • Build in tighter security controls and central management then other android devices such as administratively blocking side loading apps another control other settings from inside BES. 
  • Build a proxy market system like Microsoft is doing with windows 8 for the enterprise to let administrators open the doors or only install apps on a white list. This could be blanket as in allow all versions of this app or only allow approved versions. 

I think the final point is key, allow administrators the control while also allowing users the functionality without having to fight tooth and nail to build an ecosystem in the way that Windows Phone is having to do just now. It's all about ecosystem and RIM currently do not have one. Using android would allow them to instantly have this without having to work for it, Amazon realised this. 

My question is why don't RIM go down the same route; can anybody tell me why they continue dragging their own OS kicking and screaming into the future?

Sunday, 11 March 2012

Multiroom XBMC Library using MySQL and why its weird

*Note: This page gets a lot of views, More then anything else I've posted. If you have questions about multi-room XBMC hit me up in the comments and I'll try to answer/help.

Running XBMC off MySQL is an excellent setup. It allows for XBMC to be made into a (kind of) multi-room entertainment system. OK so it can't do synchronized media playback but it does synchronize libraries and resume points. If your like me, however, the best part is you can do library updates on your computer and then the Apple TV that your using to run XMBC does not choke up for 5 minutes as it painstakingly scans 3TB's of downloads and DVD rips.

The XBMC wiki contains, most of, the information you need to configure this but it does not do a very good job of explaining things especally how it interacts with mysql databases, so I wanted to publish some of these details as they are glossed over/ignored with most setup guides.

My Setup

  • Main XBMC running on Apple TV2

  • Secondary XBMC running on a Windows 7 Desktop, this is used to manage and update library.

  • Media served from a usb Drobo via a Atom powered netbook (they may be useless as a PC but they make a nice little server)

If you already have a library in use then now is a the time to export it to a single file from the XBMC settings menu so you can import it once the library is setup. Then you need to create a file in your xmbc user data folder, stored whereever your OS stores its profile data.



Now xbmc will take ages to start up as it tries to connect to MySQL and the library database. I have put in the name field to specify the name of the database because its important to note that this is not the full name of the database it creates. The name field is not actually required if your happy to let xbmc use the default database name.

The XBMC wiki page on setting up MySQL for this purpose just gives the xbmc user freedom to do whatever it needs to inside MySQL, it then creates a database with the version number appended onto the end of it. I have no upgraded xbmc a couple of times so my MySQL database list looks like so:
| Database
| information_schema
| mysql
| test
| xbmc_music_craig18
| xbmc_video_craig58
| xbmc_video_craig60

As you can see I have a music library configured in schema version 18 and currently my video library is running on schema 60 with a deprecated version 58 still stored in MySQL.

The obsessive inside me wants to tweak the grant privileges for the xbmc user so it can not access the rest of my databases and when (if) I get the time to play with the privileges and get that setup then I'll update this post in the mean time I'd recommend when you first run xbmc use a privileged account then once the database is created revert to one with access to only the latest database.

Friday, 9 March 2012

Loch Ness

Some photo's from a trip I had to Loch Ness, unfortunately it wasn't a brilliantly sunny day but it there was still some gorgeous shots in there.