Wednesday, 18 May 2016

Converting Firefox Bookmarks

So, I recently bought a MacBook. My Windows PC had died a horrible death involving Windows 10.

I have my backup - but I no longer want to use Firefox (I have Chrome, I have Safari... that'll do). I need to convert Firefox bookmarks into something useful. Normally, you'd export as "bookmarks.html" and have at it. Unfortunately I don't have the running system to export from.

Firefox has some loopy compressed JSON backup format (the .jsonlz4 files under bookmarkbackups in the profile: LZ4-compressed JSON with a small Mozilla-specific header) - I couldn't read that based on 5 minutes googling. I used "places.sqlite" from the profile directory instead.

Here is a bit of perl which will do a very rudimentary job of converting the Mozilla SQLite database into something approaching bookmarks.html. I hope somebody finds it useful, and maybe it saves them installing Firefox just for a conversion.
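The perl mentioned above is not reproduced here, so the following is an added Python example (not the author's script) that does the same job: it reads the moz_bookmarks and moz_places tables from places.sqlite and writes them out in the Netscape bookmarks.html format that Chrome and Safari import. The GUIDs for the root, toolbar and tags folders, the type codes (1 = bookmark, 2 = folder) and the microsecond dateAdded column are how Firefox lays the table out; the small in-memory database at the bottom is constructed for illustration and only mirrors a subset of the real schema.

```python
import html
import sqlite3

# moz_bookmarks.type values in Firefox's places.sqlite
TYPE_BOOKMARK = 1
TYPE_FOLDER = 2
# Fixed GUIDs Firefox assigns to its built-in root folders
ROOT_GUID = "root________"
TOOLBAR_GUID = "toolbar_____"
TAGS_GUID = "tags________"

HEADER = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file. -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>"""


def load_children(conn):
    """Return {parent_id: [row, ...]} for every bookmark and folder, in display order."""
    rows = conn.execute(
        """SELECT b.id, b.parent, b.type, b.title, b.dateAdded, b.guid, p.url
           FROM moz_bookmarks b LEFT JOIN moz_places p ON p.id = b.fk
           ORDER BY b.parent, b.position"""
    ).fetchall()
    children = {}
    for row in rows:
        children.setdefault(row[1], []).append(row)
    return children


def add_date(date_added):
    """Firefox stores dateAdded in microseconds; bookmarks.html wants seconds."""
    return (date_added or 0) // 1_000_000


def render_folder(children, folder_id, depth):
    lines = []
    pad = "    " * depth
    for bid, _parent, btype, title, date_added, guid, url in children.get(folder_id, []):
        name = html.escape(title or url or "", quote=True)
        if btype == TYPE_FOLDER:
            if guid == TAGS_GUID:
                continue  # tag folders only duplicate bookmarks; other browsers have no use for them
            attrs = f' ADD_DATE="{add_date(date_added)}"'
            if guid == TOOLBAR_GUID:
                attrs += ' PERSONAL_TOOLBAR_FOLDER="true"'  # Chrome imports this folder as the bookmarks bar
            lines.append(f"{pad}<DT><H3{attrs}>{name}</H3>")
            lines.append(f"{pad}<DL><p>")
            lines.extend(render_folder(children, bid, depth + 1))
            lines.append(f"{pad}</DL><p>")
        elif btype == TYPE_BOOKMARK and url and not url.startswith("place:"):
            # place: URLs are Firefox-internal "smart bookmark" queries, meaningless elsewhere
            href = html.escape(url, quote=True)
            lines.append(f'{pad}<DT><A HREF="{href}" ADD_DATE="{add_date(date_added)}">{name}</A>')
    return lines


def convert(conn):
    """Render an open places.sqlite connection as a bookmarks.html string."""
    row = conn.execute("SELECT id FROM moz_bookmarks WHERE guid = ?", (ROOT_GUID,)).fetchone()
    root_id = row[0] if row else 1  # very old profiles have no guid column values; root is id 1
    children = load_children(conn)
    return "\n".join([HEADER, *render_folder(children, root_id, 1), "</DL><p>", ""])


def convert_file(db_path):
    """Convert a places.sqlite file. Copy it (and any places.sqlite-wal) out of the profile first."""
    conn = sqlite3.connect(db_path)
    try:
        return convert(conn)
    finally:
        conn.close()


def sample_db():
    """Constructed in-memory stand-in for a profile's places.sqlite (subset of the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
            parent INTEGER, position INTEGER, title TEXT, dateAdded INTEGER, guid TEXT);
        INSERT INTO moz_places VALUES
            (1, 'https://example.com/', 'Example'),
            (2, 'https://example.org/?a=1&b=<x>', 'A & B'),
            (3, 'place:sort=8&maxResults=10', 'Most Visited');
        INSERT INTO moz_bookmarks VALUES
            (1, 2, NULL, 0, 0, '', 0, 'root________'),
            (2, 2, NULL, 1, 0, 'Bookmarks Menu', 0, 'menu________'),
            (3, 2, NULL, 1, 1, 'Bookmarks Toolbar', 0, 'toolbar_____'),
            (4, 2, NULL, 1, 2, 'Tags', 0, 'tags________'),
            (5, 2, NULL, 1, 3, 'Other Bookmarks', 0, 'unfiled_____'),
            (6, 1, 1, 3, 0, 'Example', 1463568000000000, 'bmk1________'),
            (7, 2, NULL, 2, 0, 'Work', 1463568000000000, 'fold1_______'),
            (8, 1, 2, 7, 0, 'A & B', 1463568000000000, 'bmk2________'),
            (9, 1, 3, 2, 1, 'Most Visited', 0, 'bmk3________'),
            (10, 2, NULL, 4, 0, 'sometag', 0, 'tag1________'),
            (11, 1, 1, 10, 0, 'Example', 0, 'bmk4________');
    """)
    return conn


if __name__ == "__main__":
    import sys
    # Usage: python convert_places.py /path/to/copy/of/places.sqlite > bookmarks.html
    print(convert_file(sys.argv[1]) if len(sys.argv) > 1 else convert(sample_db()))
```

Two things worth knowing before pointing it at a real profile: titles and URLs are HTML-escaped on the way out, because a bookmark title is attacker-controlled text and an unescaped one would be interpreted as markup by whatever imports the file; and the tags root and any "place:" smart-bookmark queries are dropped deliberately, since both are Firefox-internal and only produce junk entries in other browsers.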

Saturday, 16 April 2016

WordPress goes HTTPS - Not All Good News?

WordPress has recently turned on encryption for blogs hosted in their cloud. Good news, mostly. Particularly good for WordPress users, who will benefit from a better Google PageRank.

To be honest, that's about the only major benefit here. I hope it will help, long term, to get folks thinking about crypto. I hope it results in a few fewer security issues.

Unfortunately, it will lead to an uptick in secure traffic that's malicious. WordPress blogs are a notoriously good place for stashing a bit of something unpleasant, and if Internet wrongdoers can get a "green padlock" on their phishing site, or avoid mixed content issues, I am sure WordPress just got a little more attractive. The padlock only ever said the connection was private; it never said the site at the other end was honest.

Ultimately, WordPress are heading in the right direction, for which I admire them, but sometimes, doing right by the good guys also gives the bad guys a leg up. It's up to the rest of us to raise our game.

Sunday, 17 January 2016

The Last Bastion of Port 80?

It's good to see the wane of plain HTTP traffic, and the rise of almost ubiquitous HTTPS. Indeed the 30 or so tabs I happen to have open today comprise 24 HTTPS and 6 plain HTTP (3 of these belonging to a large organisation that should know better). We can't trust the transmission media in the way we did in those carefree days of the 90s, so everything sensitive must be encrypted. Of course, we know the perils of mixing plaintext-delivered content into supposedly secure pages, and likewise the issues around moving from one realm to the other. As such, we have no option: HTTPS everywhere.

There is one last place, however, where plain ol' HTTP reigns supreme - home network appliances. Things like the new NAS I treated myself to the other day to replace an aging Linux server. Why bother keeping that running when all I really need is a DLNA server and Samba... case closed, the NAS is perfect. Trouble is, these devices all encourage us to administer them over port 80. I can see why, as well. Because of all the issues secure sites have had being spoofed, it is more and more difficult to visit a site with no "real" certificate. You need to click through 101 warnings and find the "advanced" section to allow the transaction to continue. This is a good thing for the Internet at large, but it brings difficulties in cases like this.

What's the answer? Well, there's not a good one - at least not yet. I appreciate the efforts Buffalo have gone to in allowing me to upload a certificate for my NAS. That's a start. I'd like to see HSTS as an option: so that once I have sorted the cert I don't accidentally go back to plaintext. It would have to come after the cert, not instead of it: browsers refuse to let you click through a certificate error on an HSTS host, so turning it on with a self-signed certificate locks you out of your own admin page.

Is there room for an extension to HTTP/2 that can help us set up these home devices, where we've got no infrastructure? Perhaps. It sounds like something that could be exploited, however - so it would need careful thought. If the "Internet of Things" is going to be a reality, though, we must do better (perhaps the "everything has its own webserver" paradigm is what needs to die?)

In the meantime, make sure you give each of these devices a unique password, so that if it is sniffed off your network by the cat (my cat's not that into hacking, so I'm ok), she can't log into your Amazon account with it.

Monday, 9 November 2015

UK to get "Fast Broadband" as a "Right"

So, Mr Cameron has helpfully announced that the UK is to get 100% coverage of "Fast Broadband" by 2020. A lot of broadband bigmouths are engaged in useless chatter about what constitutes "fast", so I thought I'd lob in my £0.02. I mean, why not? Nobody reads this anyway :)

I know what slow broadband is. I get 5 Meg. I live in an area where there's FTTC and cable broadband at speeds of 10 or 20 times that, but I happen to occupy a neat little "notspot". Would I be happy to double my speed to 10? Sure. But I'd give up the extra 5 downstream in a heartbeat for another 1 upstream.

All this "superfast" is doing is making us superfast consumers! What about those of us who would like to work from home? Are you going to guarantee us reasonable connections to our co-workers? Backup is something most people do appallingly. Something like Backblaze is a massive win, as you need never lose a byte again, but my 17-megapixel camera takes huge images, so on my upstream the backup lasts longer than the holiday did.

If we're going to relegate ourselves to consumers - and don't get me wrong, I'd like to be able to binge watch box sets of "House" in HD as much as the next man - we need to think a little about latency too. High latency can choke a video stream as effectively as crappy bandwidth.

"Mbit/sec" as a measure of "Internets" is about as good as "MHz" as a measure of CPU performance. Why do I expect any better from politicians?

Saturday, 3 October 2015

US Chip & PIN Implementation Fudged Again - but is it Relevant?

Over here in the UK, we have become quite used to chip & PIN transactions. In fact, visiting a Chinese restaurant in Leeds last night I saw a sign saying "To combat fraud, we will only accept chip & PIN" - it must have been there years. I can't remember the last time I saw a card with only a magstripe.

Wait, yes I can - it was a few months ago, in Boston. In the US, chip & PIN is virtually unknown. I'd say I've seen more chip & PIN in Kenya than in the States, and they too aren't far on with adoption. It seems, yet again, that the move to introduce chip & PIN in the US has been fudged: the EMV liability shift that landed this week brings chips, but most US issuers have gone for chip & signature rather than a PIN, so it's a partial move at best.

Does it actually matter though? Is carrying a bit of plastic around in our wallets about to become a thing of the past? Last week I saw Barclays advertise "bPay" in a free paper at the train station. Contactless fob... wristband... sticker. Is that even too physical? I plan to pay for my ironing to be done with Paym - just using an app. My wife pays for her car detailing with PayPal. With Uber we pay for taxis with a card that nobody needs to see.

Here in the UK, we seem to be going magstripe >> chip & PIN >> contactless >> no card. Is the US just going to skip a generation, in the same way landline phones never made it into Kenya? Those guys skipped straight to mobile because the cost of putting in a load of wires was higher than the cost of the latest generation of technology. These days, not every revolution has to follow all the stages!

I quite like my wallet - but it probably has too many things in it. I suspect it won't be long before there are neither plastic cards nor pictures of Her Majesty in it.

Friday, 18 September 2015

Unhackable? I Guess it's Possible...

Stories have been doing the rounds this week of an "unhackable" computer. Of course, these are not strictly true. More credible media report an "unhackable" kernel - here in New Scientist. The kernel is the complicated bit of software that lets other stuff (so called "userspace") not have to worry about directly fiddling with the hardware, and makes sure all of userspace plays nicely together. Here's the page with the FAQ from the folk who built it.

Of course, making a formally verified kernel is an incredible feat - though calling it "unhackable" is a bit more fluff in my view (totally forgivable, given the achievement, mind!). I remember looking at formal proofs in my student days. This stuff is hard. To prove a whole kernel does what it says on the tin. Wow. To do it without needing to trust your compiler? Even better.

Don't think, though, that this is going to put AV vendors out of business any time soon. The overwhelming majority of security break-ins have been due to userspace software - think Heartbleed, a bug in OpenSSL rather than in any kernel - or due to errors at "layer 8" (those foolish bags of meat that drive computers). As such, just having a proven kernel only gets you so far: the proof covers the kernel's own behaviour, not the correctness of whatever you run on top of it. That's why this is useful in things like military drones: you can start to write formally proven drone software, and no-one is going to install Adobe Flash on a Predator drone (please, FFS tell me they aren't!).

What this should do, though, is inspire confidence in "the Internet of Things" - well, at least a bit. If my door locks are going to be on the Interwebs, I damn sure want them running a kernel like this that's formally proven and open source. Sadly, we will probably end up with a load of never-updated proprietary hoo-ha that's got more holes than a hedgehog's pillow.

I used to Write a Blog you Know...

So, this week, I changed jobs. The last 12 years, I spent with Smoothwall, which was a lot of fun. All good things, as they say, must come to an end, so here I am.

Anyway, I used to write news articles for the website, back before this newfangled "blog" idea was born ;) and in latter years, I wrote more than a handful of articles for the blog. Now, it was always a bit of a chore coming up with articles, but then I was rather constrained in my topics, so hopefully, this blog will prove easier to write. Not sure. My brother, Will, has a blog; he says it's a real pain in the backside coming up with content. He's usually right. This is probably a dreadful idea. And his template is more stylish than mine.

Ah well.. I should give it a shot, shouldn't I?