Mar 07 2015

So there I was, wandering down the street thinking about :-

  1. Sometimes being unable to remember custom key sequences that I've configured.
  2. That my "Help" button on my keyboard was unused.

And I thought that it would be fun to knock up a little application that would pop up a window and show a file. Then I got real, and realised that the application was already written and allowed fancy formatting of the help file(s) – it's called a browser.

Now for a whole bunch of reasons, you probably don't want to use a full blown browser, but something a little simpler and without any fancy controls, and I plumped for dillo. Turns out that the "-f" flag turns off the fancy menu and toolbar, so what I needed was to persuade my window manager (Awesome) to run it when I pressed "Help" :-

	-- Bind the unmodified "Help" key to launch dillo in its plain (no menu/toolbar) mode
	awful.key({ }, "Help", function () awful.util.spawn("dillo -f /home/mike/lib/help-files/index.html") end)

If you need help adding that to your Awesome configuration file, you're in the wrong place!

And of course it works :-

[Screenshot: 2015-03-07_1457]

(And now of course I need to spend some time writing some help files!)

Feb 28 2015

This is a little rant about those people who feel the need to jump on every announcement of a security issue with Linux or Windows, and claim their favourite operating system is more secure. These days such rants are little more than fanboyism, and childish at that. 

I'm an old Unix guy (and thus am into Linux rather than Windows), and in the past I used to ramble on about how insecure Windows was. And Windows used to be a complete disaster area when it came to security.

But that has changed. Whilst I'm still not a big Windows fan, the security of Windows itself has improved to the point where it's not too bad.

Of course there are plenty of software vendors out there who are completely clueless when it comes to security, so any time you add some piece of cool corporate software to a Linux or Windows server you're running a big risk. 

But back to the haters. 

The most irritating thing about the whole 'my operating system is more secure than your operating system' argument is the simplistic comparison of Linux and Windows. They are not directly comparable: simply counting the number of security vulnerabilities in "Linux" and "Windows" is an overly simplistic comparison.

First of all, Linux has many more components than Windows; partially because Linux tends to throw in the kitchen sink, and partially because of a different philosophy – the "Unix way" is to build many small tools rather than one big tool. But just because Linux includes tons of stuff doesn't make insecurities in all that stuff a problem on your server – for example, none of my web servers have a web browser installed, so all those hundreds of web browser bugs are irrelevant to my servers.

Windows itself has caught on to the trick that has been standard practice for decades – only install the stuff you actually need. Whilst there are popular Linux distributions that do the same thing (Debian and Ubuntu amongst others), there are still some that tend to install far too much (RedHat, SLES, etc.).

Secondly, the number of vulnerabilities does not take into account how serious each vulnerability is. Ten privilege escalation vulnerabilities come nowhere close to a Shellshock.

When you come down to it, the choice of which operating system to run has less of an effect on how vulnerable your server is than who runs your server. A tightly controlled Windows server that is patched often and well configured is far more secure than a Linux server that is patched when installed (if then!) and then left alone by an administrator who assumes that "out of the box" configurations are suitable.

Feb 02 2015

Undocumented command options … grrr!

Every so often I find that I have a need to put a volume label onto a FAT filesystem – usually so a digital camera SD (or CF) card can be "automatically" mounted (actually they don't mount automatically on my workstation and I like it like that) in the right place. And of course every time I do, I remember that the command to do so is mlabel but I cannot remember exactly how to do it.

Because mlabel (together with the other mtools) has some sort of weird configuration file to turn Unix/Linux paths into drive letters‽ And yes, that was an interrobang, although it could just as well be some other form of punctuation to express disgust instead. As it happens mlabel has an undocumented option to specify a device path … at least it doesn't appear in the usage hints :-

» mlabel -h
Mtools version 4.0.17, dated June 29th, 2011
Usage: mlabel [-vscVn] [-N serial] drive:

It turns out that there is a "-i" option which takes a device path, but you still have to specify the drive as "::" just so things are less likely to go right :-

» mlabel -i /dev/sdi1 ::
 Volume has no label
Enter the new volume label : LEICA1

And there it is!

Jan 30 2015

There's a game called "victim blaming", which is where people decide the victim of a crime is somehow partially or wholly responsible – the old "if she hadn't worn such a short skirt …".

Which is rubbish of course. The perpetrator of a crime is the one responsible for carrying it out whatever the circumstances.

But the shouting down of the "victim blamers" can perhaps drown out messages that allow risk reduction, and allow certain myths to be perpetuated. For example, many women believe that they are more at risk from strangers whereas most rapists are known to the victim.

Take a slightly less contentious crime – a phishing spam that criminals use to empty the bank accounts of the victim. Whilst the criminal here is obvious – the person who used stolen credentials to empty the bank account – the criminal needed the victim to make certain risky decisions.

[Screenshot: 2015-01-29_1517]

As you cannot look at the link contained within that, it's worth pointing out that if you paste the URL into a notebook, you will get a Brazilian site … and I strongly suspect that Lloyds Bank is not very likely to use a Brazilian site (.br) for hosting their online account service.

And we call such victims "gullible". In the case of phishing, there are some simple procedures to follow :-

  1. Email doesn't necessarily come from whom it claims to be from. I can send you an email that will look as if it comes from Goodluck Jonathan without having anything to do with his email account.
  2. Don't click on links in emails.
  3. If your bank sends an email asking you to do something, shut down the email and open a web browser and use your existing way of getting to your bank's web site. Same applies to shopping sites, your workplace's IT department, etc.
  4. If you are determined to use a link from an email, copy the link into a notebook and read it. Does it make sense? Does the first part mention an organisation that has nothing to do with the organisation it is supposedly from? Don't trust it.

Plus a whole bunch more.
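Step 4 above ("copy the link into a notebook and read it") can be mechanised. The following is an added example, not code from the original post: it pulls every link out of a constructed HTML email, and for each one reports why it should not be trusted relative to the domain the message claims to come from. The bank domain (example-bank.co.uk), the email text and the Brazilian lookalike host are all made up for the example; the checks are the ones the post describes (does the first part of the URL belong to the organisation it claims to be from?) plus the related cases of a bare IP address, a user@host prefix that hides the real host, and visible link text that shows a different address from the real href.

```python
"""Audit links in a (constructed) phishing-style HTML email against the domain
the message claims to be from.  Added example; not code from the original post."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a>...</a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or "" if it has none."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (www.domain, ...)."""
    return host == domain or host.endswith("." + domain)


def check_link(href, text, claimed_domain):
    """Return the reasons this link should not be trusted (empty list = looks fine)."""
    findings = []
    parts = urlsplit(href)
    host = host_of(href)
    if parts.scheme not in ("http", "https"):
        findings.append("unexpected scheme %r" % parts.scheme)
    if parts.username is not None:
        findings.append("user@ prefix before the real host hides the destination")
    try:
        ipaddress.ip_address(host)
        findings.append("link goes to a bare IP address")
    except ValueError:
        pass                                # not an IP literal; normal case
    if not belongs_to(host, claimed_domain):
        findings.append("host %s is not under %s" % (host, claimed_domain))
        brand = claimed_domain.split(".")[0]
        if brand in host:                   # brand name stuffed into a foreign host
            findings.append("host merely contains the brand name %r" % brand)
    # Visible text that looks like a URL but the href goes somewhere else
    text_host = host_of(text) if "://" in text else ""
    if text_host and text_host != host:
        findings.append("visible text shows %s but href goes to %s" % (text_host, host))
    return findings


def audit_email(html, claimed_domain):
    """Map each href found in the email body to its list of findings."""
    parser = _LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text, claimed_domain) for href, text in parser.links}


# Constructed sample: the bank's assumed real domain and a fake "confirm your details" mail
CLAIMED_DOMAIN = "example-bank.co.uk"
SAMPLE_EMAIL = """<p>Dear customer, please confirm your details:</p>
<a href="https://example-bank.co.uk.secure-login.example.com.br/verify">https://www.example-bank.co.uk/login</a>
<a href="https://www.example-bank.co.uk/help">Help centre</a>"""

if __name__ == "__main__":
    for href, findings in audit_email(SAMPLE_EMAIL, CLAIMED_DOMAIN).items():
        print(href)
        for finding in findings or ["no problems found"]:
            print("   -", finding)
```

The first link in the sample is flagged three times (the host is not under the bank's domain, it merely contains the brand name, and the text shown to the reader differs from where the href actually goes), while the genuine help-centre link produces no findings. The "belongs to" test is deliberately a suffix match on the whole domain, because a hostname that merely starts with the bank's name is exactly the trick the post warns about.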

Detailing and quantifying risks isn't victim blaming; it's empowering someone to make educated decisions about their behaviour.

Dec 27 2014

What with North Korea’s latest explosion of bile, Sony is having a network security issue that will be used as an example of how bad things can get for probably decades. The phrase “I’m in the middle of a Sony” will be regularly used within the industry for the worst types of incidents.

It is not clear just what happened to Sony during the incident, and it will quite possibly never be clear. There are rumours that it may be something as simple as a phishing attack, and the FBI has claimed it has recovered code with similarities to code used in previous attacks against targets of interest to North Korea.

It seems pretty certain that the North Koreans were involved in the attack against Sony; in addition to the code fragments, the North Koreans have gone out of their way to claim the attack was orchestrated by themselves. Yes they denied the attacks, but in the same way that a little kid denies having stolen the cake with all the evidence on his face.

Normally a corporation under attack from a state actor can be forgiven for getting opened up like a can of peaches, but this is Sony and a bunch of idiots who if they hadn’t lucked out by being in charge of North Korea would have trouble getting a job flipping burgers.

So Sony Pictures needs to have a good long look at its security. Two big tips for Sony:

First of all, change the name of the security team to the insecurity team. That is not a criticism of the team that does security at Sony right now; it is because there is an assumption that the security team handles security and the rest of us don't have to bother.

In reality, security is everyone’s responsibility.

Secondly take a second look at every recommendation that your security team has ever made and you have said No to. And reconsider.