It's over a year since my last post - and it's been a hell of a 12 months.
Soon after my last missive went live to an audience of over 3 people who sometimes read this blog by accident, I was made redundant from my job as a Product Manager at ADI - we were quite reliant on funding from the EU, and cuts were needed. It seems they're surviving, and taking the product vision I helped create forward. I'm also pleased to see the rest of my erstwhile colleagues who lost their jobs that day are doing well too.
I spent a few months doing some consulting before landing back at Smoothwall after their recent management buyout. The Fareham office was closed by the new owners, so a new Engineering & Product team was needed up in Leeds. It's pleasing to be asked to come home, and the new management team are really ripping up the rulebook.
It feels strange to be back here, writing in this blog 3 years on. Looking back, I see one of my first posts was on Wordpress going HTTPS. I've just turned HTTPS on for blogspot now they finally support it for custom domains - so another topic that's come round again too.
I'd promise more posts, but I don't like empty promises! Going to get busier for me before it gets easier I think!
(not just) Infosec Thinkings
Everything that's too long for twitter, but short enough to bother writing
Friday 17 August 2018
Sunday 16 July 2017
Netgear Orbi: A Review
As it was Amazon Prime Day this week, I finally gave in and bought a Netgear Orbi RBK40 "whole home wifi" kit. This is the newer, but slightly less powerful version of the RBK50.
I've been coveting the Orbi for a while - or something like it. Since I got VDSL, the number of dropouts between my powerline networking units seems to have increased. Maybe that's confirmation bias (I expected them to cope less well), but it was enough to put the powerline units on my hit list for removal. We're in a 3-storey house, so the wifi needs to be roughly central. The TV cabinet is a good choice: we need bandwidth here for the Roku box, and the living room is on the first floor, so it's ideal. As usual, the phone master socket is just inside our front door.
My other choices were:
- Run a cable from the hall to the living room: could have gone via the coat cupboard, but would have still been a ballache going through the floor.
- A 3rd different brand of Powerline - the Netgear ones are better than the TP-link I had - could I find some better? No. Not without burning money brute forcing the problem!
- Eero - not available in the UK
- Ubiquiti - professional gear: too expensive & ugly, needs a controller
- Amplifi - no ethernet ports on the satellite, which I'd like to have
- Google Wifi - wants to double NAT
- BT Whole home - All a bit BT. Also, apparently not very configurable
- Linksys Velop - a bit expensive, and, according to my wife, also a bit ugly
So - why did I go for the Orbi? Well, I liked that it had 4 network ports on each unit. This means I can keep the TV unit all wired (Roku, TV, Soundbar, Playstation, Hue Bridge all live here). Some of these will go wireless, others like the Hue bridge are wired only. I could probably do away with the switch if I let a few things go wireless...
I also liked that it didn't force me to re-NAT my network. I hate double NAT - it's probably OK for my parents' network (in fact I'll probably take them down the Google route as Holly Brockwell seems to like it, and she's not often too far off the mark), but I won't put up with it. Double NAT can cause issues with VPN (my likely use), and other less-than-standard protocols. The only thing worse is trying to put a consumer router in bridge mode. Don't get me started.
Anyway, I got it up and running fairly quickly with no recourse to the instruction manual. Went straight in via the fairly basic web UI (over wifi), dismissed every wizard in sight, clicked "advanced" and disabled router mode. You lose parental controls in Access Point mode - but (a) I don't care, and (b) it's only OpenDNS and you can set that up yourself. It was nice to have an access point admitting to being just an AP for once. The UI got a bit salty about not being connected to the Internet, but it got over it.
I then attached the router node to my existing network, after renaming the SSID to my existing choice, and pulling the cord on the old AP. The Orbi is one of those devices where it reboots to save almost every major setup item - disappointing, but it meant that I could be fairly confident changing the SSID even though I was connected over Wifi. I didn't have to fetch the Mac's ethernet dongle.
As soon as the Orbi had connectivity it detected new firmware and installed it. Good. That's what I like to see Netgear - no grubbing around on your website looking for new firmware. I hope it's downloaded over HTTPS, and I will be putting a network tap in to find out later!
Adding in the satellite unit was fairly painless - though it's hard to see the LED lights, so I guessed about the timings. It said it had failed, but then seemed to be working fine. Bit fruity. The satellite unit needed a prod to update its firmware, but after that I slotted it in its designated place next to the TV (the previous AP, a repurposed home hub, had been deemed too ugly by Amy, and had to sit in the cupboard).
I've now got to think of some way to add in the printer, which was hanging off a powerline unit: maybe an AP in client mode. If the Orbi "plug in" version had a single ethernet port, that'd be perfect :(
So far - 3 days in - it's been a solid setup, no complaints.
Overall: Whole home wifi is an expensive proposition. That's a given. It's probably better than powerline though, and it does have the huge benefit of extending your wifi's usable range.
In particular the Orbi is neat, has plenty of ethernet ports, and can be configured through the web, without recourse to an app - I don't really like stuff that demands you use an app. Setup was painless.
The level of functionality in terms of bells and whistles is low. I've not tried the bandwidth management, but it looks like it's been done all wrong. The reporting functionality is minimal (you can look at realtime-ish bandwidth figures per interface) - nothing graphical. The access control to the router is basic http auth - difficult for password managers to paste into and kind of clunky.
I'd give it 6/10 - but I still think it's the right choice for me. I'm not into bells & whistles.
Sunday 11 September 2016
Just a Few of My Favourite Things...
No, I'm not going to go all musical on you - I'm going to point out a couple of inexpensive or free bits of software that have saved my butt a couple of times over the last couple of years. This post isn't really for the more technical among you (OK, I'm pretending I have readers here, I don't), as you probably already have solutions to these problems, but rather for those who are happily wandering through their digital life with a few bits missing. I've found myself doling out the same bits of advice a couple of times to friends and family members over the last year or so, so here it is, condensed in barely readable blog form...
Backup
You gots to have backup. Please believe me when I tell you that there's no such thing as a reliable hard disk (or, these days, SSD). Not only can the storage in your PC or Mac easily take a turn for the worse, but there's now ransomware, viruses, and plain old human stupidity to contend with. The last time I suffered a total loss of an entire PC was a combination of mild stupidity, laziness, and a Windows 10 upgrade. And I am supposed to know better. So my go-to tool here is Backblaze. For £50 a year you get an unlimited amount of space in Backblaze's cloud to store your data. The little bit of software you download works out which files you've added or changed, and uses your Internet connection to store a copy far, far away. You will find it chews up your internet connection for fun to begin with, as your entire life's work gets compressed, encrypted and sent to the cloud. This is but a temporary inconvenience. When everything goes wrong, you can download files ad-hoc, or buy a hard disk from them with all your data on. Lifesaver.
PC or Mac - £50/yr - www.backblaze.com
Password Management
Most people have a fair few passwords in their possession. Actually, they don't. They have a fair few accounts, and mostly they reuse the same password, because the human brain is rubbish at storing passwords. Occasionally, one of your accounts will get popped by the bad guys, and depending on the security chops of the organisation that lost your deets, the bad guys will have your password, clear as day (the one you re-used everywhere) within a couple of hours or a couple of weeks. Dropbox, for example, have had roughly 70 million accounts compromised. Many of those users will subsequently have their email or Amazon accounts taken too. My suggestion is to use a password manager that securely generates random passwords for you. You lock these passwords up in an electronic safe which you protect with one, strong password you don't re-use. Ever. This is putting your eggs in one basket, and watching that basket like a hawk. Personally, I keep about 4 passwords: Email, Bank, Credit card, Password manager. The Password manager looks after the other 135.
My favourite is LastPass - the free account is perfectly serviceable, I go for the $12/yr premium.
PC, Mac, iOS, Android - Free - www.lastpass.com
AntiVirus
Old, old hat, but many people, especially Mac users (of which club I am a newly minted member, see also the Windows 10 debacle) don't bother with AV. I still wouldn't bother on a mobile device (to my mind, the app store gives a level of protection that makes the extra battery drain and aggro of AV not worthwhile) but on a desktop or laptop AntiVirus remains essential. Windows Security Essentials is OK, but far from perfect. I'm going to recommend Sophos, and this is for a few reasons: they're a decent enough company, they score OK on the AV comparatives, and they're the only free anti-virus out there that doesn't bombard you with ads or freemium upgrades. I picked Sophos for the Mac ahead of a couple of paid-for variants when I couldn't transfer my Bitdefender licence; the market for Apple AV is still pretty small. Sophos hit the heights in the recent comparatives on Mac, and I wasn't about to argue on price. Hopefully the simple download and install and zero cost will get you using AV if you don't already have it, or it is out of date. All management is through the web console: this is both a blessing, and occasionally a curse (less so if you have LastPass, logging in is so much quicker!). You can add up to 10 computers to the management console.
PC or Mac - Free - www.sophos.com
I know I've only hit the high spots here, but if you aren't using anything in these 3 categories, please, start today. I've only given you one product - Backblaze - that costs anything, and even that is fantastic value.
Wednesday 18 May 2016
Converting Firefox Bookmarks
So, I recently bought a MacBook. My Windows PC had died a horrible death involving Windows 10.
I have my backup - but I no longer want to use Firefox (I have Chrome, I have Safari... that'll do). I need to convert Firefox bookmarks into something useful. Normally, you'd export as "bookmarks.html" and have at it. Unfortunately I don't have the running system to export from.
Firefox has some loopy compressed JSON backup format - I couldn't read that based on 5 minutes of Googling. I used "places.sqlite" from the profile directory instead.
Here is a bit of Perl which will do a very rudimentary job of converting the Mozilla SQLite database into something approaching bookmarks.html. I hope somebody finds it useful, and maybe it saves them installing Firefox just for a conversion.
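The conversion described above, written as an added example in Python rather than the post's own Perl (the script itself is not on this page). It assumes the standard Firefox schema: `moz_places` holds URLs and `moz_bookmarks` holds the tree, with `fk` pointing at a place, `parent` at the containing folder, `type` 1/2/3 for bookmark/folder/separator, and row id 1 as the root. Two things a plain dump would miss: titles and URLs are HTML-escaped, since a hostile page title would otherwise be injected verbatim into a file you then open in a browser, and `javascript:`/`data:` bookmarklets are dropped so executable bookmarks don't ride along into the new browser. The in-memory database is a constructed sample, not real profile data.

```python
import html
import sqlite3
import sys
from urllib.parse import urlsplit

# moz_bookmarks.type values used by Firefox
TYPE_BOOKMARK = 1
TYPE_FOLDER = 2
TYPE_SEPARATOR = 3

# Only these schemes are exported; javascript:/data: bookmarklets are skipped.
SAFE_SCHEMES = {"http", "https", "ftp"}


def export_bookmarks(conn: sqlite3.Connection) -> str:
    """Render the bookmark tree in an open places.sqlite as Netscape bookmarks.html."""
    rows = conn.execute(
        """
        SELECT b.id, b.type, b.parent, b.title, b.position, p.url
        FROM moz_bookmarks AS b
        LEFT JOIN moz_places AS p ON p.id = b.fk
        ORDER BY b.parent, b.position
        """
    ).fetchall()
    children = {}
    for row in rows:
        children.setdefault(row[2], []).append(row)

    lines = [
        "<!DOCTYPE NETSCAPE-Bookmark-file-1>",
        '<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">',
        "<TITLE>Bookmarks</TITLE>",
        "<H1>Bookmarks</H1>",
    ]

    def walk(parent_id: int, depth: int) -> None:
        indent = "    " * depth
        lines.append(f"{indent}<DL><p>")
        for bid, btype, _parent, title, _pos, url in children.get(parent_id, []):
            safe_title = html.escape(title or "", quote=True)  # neutralise hostile titles
            if btype == TYPE_FOLDER:
                lines.append(f"{indent}    <DT><H3>{safe_title}</H3>")
                walk(bid, depth + 1)
            elif btype == TYPE_BOOKMARK and url:
                if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
                    continue  # drop bookmarklets and other non-navigational URLs
                safe_url = html.escape(url, quote=True)
                lines.append(f'{indent}    <DT><A HREF="{safe_url}">{safe_title}</A>')
            elif btype == TYPE_SEPARATOR:
                lines.append(f"{indent}    <HR>")
        lines.append(f"{indent}</DL><p>")

    walk(1, 0)  # id 1 is the Firefox root folder; menu/toolbar/etc. sit beneath it
    return "\n".join(lines) + "\n"


def sample_connection() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a places.sqlite (schema subset only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (
            id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, parent INTEGER,
            position INTEGER, title TEXT);
        INSERT INTO moz_places VALUES
            (10, 'https://example.com/', 'Example'),
            (11, 'http://nas.local/', 'NAS admin'),
            (12, 'javascript:alert(1)', 'bookmarklet');
        INSERT INTO moz_bookmarks VALUES
            (1, 2, NULL, 0, 0, ''),
            (2, 2, NULL, 1, 0, 'menu'),
            (3, 2, NULL, 1, 1, 'toolbar'),
            (4, 1, 10, 2, 0, 'Example <b>site</b> & "quotes"'),
            (5, 3, NULL, 2, 1, NULL),
            (6, 2, NULL, 3, 0, 'Home kit'),
            (7, 1, 11, 6, 0, 'NAS admin'),
            (8, 1, 12, 6, 1, 'Nasty bookmarklet');
        """
    )
    return conn


if __name__ == "__main__":
    # Usage: python export.py /path/to/places.sqlite > bookmarks.html
    # Opened read-only so a backup copy of the profile is never modified.
    if len(sys.argv) > 1:
        db = sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
    else:
        db = sample_connection()
    sys.stdout.write(export_bookmarks(db))
```

Run it against a copy of `places.sqlite` from the backed-up profile and import the resulting file via the browser's "import bookmarks from HTML" option; with no argument it prints the output for the constructed sample so you can eyeball the format first.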
Saturday 16 April 2016
Wordpress goes HTTPS - Not All Good News?
Wordpress has recently turned on encryption for blogs hosted in their cloud. Good news, mostly. Particularly good for Wordpress users, who will benefit from a better Google PageRank.
To be honest, that's about the only major benefit here. I hope it will help, long term, to get folks thinking about crypto. I hope it results in a few fewer security issues.
Unfortunately, it will lead to an uptick in secure traffic that's malicious. Wordpress blogs are a notoriously good place for stashing a bit of something unpleasant, and if Internet wrongdoers can get a "green padlock" on their phishing site, or avoid mixed content issues, I am sure Wordpress just got a little more attractive.
Ultimately, Wordpress are heading in the right direction, for which I admire them, but sometimes, doing right by the good guys also gives the bad guys a leg up. It's up to the rest of us to raise our game.
Sunday 17 January 2016
The Last Bastion of Port 80?
It's good to see the wane of plain HTTP traffic, and the rise of almost ubiquitous HTTPS. Indeed the 30 or so tabs I happen to have open today comprise 24 HTTPS and 6 plain HTTP (3 of these belonging to a large organisation that should know better). We can't trust the transmission media in the way we did in those carefree days of the 90s, so everything sensitive must be encrypted. Of course, we know the perils of mixing plaintext delivered content within supposedly secure pages, and likewise the issues around moving from one realm to the other. As such, we have no option: HTTPS is everywhere.
There is one last place, however, where plain ol' HTTP reigns supreme - home network appliances. Things like the new NAS I treated myself to the other day to replace an ageing Linux server. What do I need to bother with keeping that running - all I really need is a DLNA server, Samba... case closed, the NAS is perfect. Trouble is, these devices all encourage us to administer them over port 80. I can see why, as well. Because of all the issues secure sites have had being spoofed, it is more and more difficult to visit a site with no "real" certificate. You need to click through 101 warnings and find the "advanced" section to allow the transaction to continue. This is a good thing for the Internet at large, but it brings difficulties in cases like this.
What's the answer? Well, there's not a good one - at least not yet. I appreciate the efforts Buffalo have gone to in allowing me to upload a certificate for my NAS. That's a start. I'd like to see HSTS as an option: so that once I have either sorted the cert, or added it as an exception I don't accidentally go back to plaintext.
Is there room for an extension to HTTP/2 that can help us set up these home devices, where we've got no infrastructure? Perhaps. It sounds like something that could be exploited, however - so it would need careful thought. If the "Internet of Things" is going to be a reality, though, we must do better (perhaps the "everything has its own webserver" paradigm is what needs to die?)
In the meantime, make sure you give each of these devices a unique password, so if it is sniffed off your network by the cat (my cat's not that into hacking, so I'm OK), she can't log into your Amazon account.
Monday 9 November 2015
UK to get "Fast Broadband" as a "Right"
So, Mr Cameron has helpfully announced that the UK is to get 100% coverage of "Fast Broadband" by 2020. A lot of broadband bigmouths are engaged in useless chatter about what constitutes "fast", so I thought I'd lob in my £0.02. I mean, why not? Nobody reads this anyway :)
I know what slow broadband is. I get 5Meg. I live in an area where there's FTTC and cable broadband at speeds of 10 or 20 times that, but I happen to occupy a neat little "notspot". Would I be happy to double my speed to 10? Sure. But I'd give up the extra 5 in a heartbeat for another 1 upstream.
All this "superfast" is doing is making us superfast consumers! What about those of us who would like to work from home? Are you going to guarantee us reasonable connections to our co-workers? Backup is something most people do appallingly - something like Backblaze is a massive win, you need never lose a byte again - but my 17-megapixel camera takes huge images, so my backup lasts longer than my holiday.
If we're going to relegate ourselves to consumers - and don't get me wrong, I'd like to be able to binge watch box sets of "House" in HD as much as the next man - we need to think a little about latency too. High latency can choke a video stream as effectively as crappy bandwidth.
"Mbit/sec" as a measure of "Internets" is about as good as "MHz" as a measure of CPU performance. Why do I expect any better from politicians?