Categories
Metal (Technical)

Weeeee’re back!

You may not have noticed, but my server crashed a while back (I did get one unprompted comment, so I’m not completely writing into a vacuum). Since it no longer runs anything business-related, and I had been looking for a cheaper server, I wasn’t in any rush to restore it.

I had already got an account with GreenGeeks. My motivation to move wasn’t that I was unhappy with Asergo (previously Easyspeedy), where I’d been hosting happily since 2006. It was simply that having a sports car to putter up and down the driveway isn’t the best use of resources, and a much cheaper Golf Cart would do just fine.

GreenGeeks state that they have been running since 2008, and contribute back 3 times the power they consume into the grid in the form of renewable energy. I’m already hooked. And starting at $2.95 per month, rather cheaper than what Asergo are currently asking for a dedicated server, it seemed a no brainer.

Except that, by the time of the crash, I’d been running both in parallel for a while already, so was in effect paying $2.95 more than before.

When the server crashed, I thought it’d be a good time to move.

Except that the experience wasn’t particularly fun. Used to running my own server entirely, where I know what to do, and can freely access and customise what I need, I found the limitations of working through cPanel immensely frustrating. I needed to contact support multiple times to allow me to ssh into the server (no fault of theirs – it automatically deactivated when unused for a certain period of time), but when, after months of delay, I finally set aside the time, to be unable to even ssh in wasn’t a great start. Through cPanel, I couldn’t find out how to access the server error logs for the secondary virtual host. The primary logs were accessible through the interface, but nothing else. Accessing an error log on my server would take seconds, and I could find and fix the actual error. Now, after fumbling around for way too long, support would have to be contacted, and an evening wasted.

I have no complaints with GreenGeeks, but time is a little more important to me these days, and the thought of wasting endless hours on stupid obstacles like this became too much, and I returned to my trusty sports car.

Besides, any day now, I could be releasing the next Twitter or Zoom, and unless it uses Silicon Valley levels of compression, running it from a $2.95 server is not likely to happen.

A clean install was a chance to run some up-to-date software, and it now runs the latest MariaDB 10.4 and PHP 7.4, up from the dated MySQL 5.5 and PHP 5.6 releases I was running previously. I had to do a bit of rewriting to get everything to work with the latest PHP, making me realise a) how rusty my coding is and b) how ancient some of the scripts living on the server are, but it was soon running smoothly again.

Still, it’s up, and like a new toy, you may see more posts than usual for a while. And for the one person that noticed my absence, thanks for watching!

Image from Wikimedia Commons

Fourteen years of silence

But it’s been 14 years of silence
It’s been 14 years of pain
It’s been 14 years that are gone forever and I’ll never have again

Yes, the lyrics of a Guns N Roses classic, and yes, also how long it feels to have been locked up for two weeks alone in my house due to South Africa’s coronavirus restrictions (we are not allowed out to go jogging, or even windsurfing).

But 14 years is also how long it’s been since I wrote about Free Software attempts to create an alternative to the then-dominant Skype.

At that time, the two candidates I looked at were Wengophone and Ekiga. Neither cut it back then, and sadly neither ever did. Ekiga’s last release was in 2013, and Wengophone was rebranded as Qutecom in 2008 after the original sponsors, Wengo, handed over ownership to another party, and development stalled.

With both projects effectively dead, has another champion stepped forth?

Enter Jitsi, which began as a student project in 2003. The real game-changer was the introduction of WebRTC, which allowed Jitsi to morph from a desktop app into the modern Jitsi Meet, which essentially allows communication with the use of a browser only.

Initial WebRTC support was added in 2013, bringing us to today, where it takes nothing more than visiting meet.jit.si to start video calling with multiple people.

Jitsi is actually a number of projects. Jitsi Desktop is no longer supported by Jitsi, but there is a community effort to keep it going. However, the one getting most attention is Jitsi Meet. It’s a completely Free and Open Source video conferencing solution, fully encrypted, offering all the usual features such as chat and screen sharing. It’s possible to run your own dedicated Jitsi Meet instance, or to use one of the publicly available ones. The official Jitsi instance, https://meet.jit.si/, is available for anyone to use at no cost.

Jitsi is integrated into Zulip, a distributed Team Chat I use both at work with the MariaDB Foundation, and with Wikimedia South Africa.

So, how well does it work? The results have been mixed so far. We tried Jitsi a number of times in 2019, and while it was usable, voice quality was not as good as alternatives. Note that there’s a difference between 2-person calls, in which participants communicate via peer-to-peer (P2P), and calls with more than 2 people, which are made via the Jitsi Videobridge.

The instance on meet.jit.si uses soft moderation, where it assumes everyone is a responsible participant, and can mute others if they, for example, are talking loudly on another call and have left their mic on. This probably wouldn’t work in all contexts, with a lot of anonymous participants and the risk of someone kicking off the coordinator.

Moving forward to lockdown 2020. Everyone is rushing to move everything from tai chi classes to date nights online, and there’s been a scramble for solutions. Zoom, the proprietary video conference software, has probably been the biggest beneficiary. However, Zoom is not open source, and has been challenged on its privacy protection, as well as on its claim to support end-to-end encryption.

Jitsi security is transparent, and Jitsi have released a statement on Jitsi Meet Security and Privacy if you want to know more.

This past weekend proved serendipitous for my Jitsi use. First, a meeting I was attending ended up using Jitsi Meet by accident. The video conferencing meeting wasn’t set up in advance, so, since we were already in Zulip, someone created a link to a meet.jit.si instance. I was late to the meeting, and a little reluctant to rely on it given previous negative experiences, but call quality was great with about eleven people participating.

Literally seconds after the conference ended, I got a message from someone else, asking what I knew about Jitsi, as they were keen to try it out. I gave them feedback, and we set up a small test, with multiple different devices, including laptop browsers, Android and Apple devices, and pushed it by activating video on all. It passed with flying colours.

Intrigued, I pinged meet.jit.si and got a better response time than with many other high profile, responsive sites, including Google.

So Jitsi look like they’ve ramped up their capacity. I’m keen to watch their progress, try them again, and quite possibly install my own dedicated instance.

Simple hosting?

ENIAC

All I want is a simple website!

OK, I have a website, and you’re probably reading this on it.

But I want a simple website. Since 2006, I’ve had a server hosted with Asergo (previously EasySpeedy). It ran a lot at one stage. Huge mounds of organic food found new homes through its circuits. Today it’s not so busy, but stands ready, waiting to handle any imminent Slashdot Effect when my latest masterpiece goes viral. Except it never does, and I’m basically paying for a private jet when I could make do with a rusty bicycle.

In other words, a bog standard WordPress hosting offering will do just fine these days.

Moving from total control of my own server to a tiny hosted offering seems limiting, and it’s kept me from moving for a while. But gradually I’ve come to make peace with it, and will make do with a tiny instance offering limited functionality.

So what am I looking for?

* a reasonably new version of PHP
* a reasonably new version of MariaDB, or similar
* perhaps even hosted locally? Other sites I help with that host locally have made me wary, but there must be some good ones out there?

Space (my current server feels like it’s got backups going back to the dial-up days, so this will be a good chance to clean up), bandwidth etc. are all much of a muchness, as most offerings give some flexibility here.

Let’s look at some of the options.

As a starting point, seeing as another site I manage is hosted there, 1-grid. They’ve gone through some wobbles. At first part of Web Africa, the hosting division got spun off into Gridhost, which then got renamed 1-grid.

1-grid
* R89 a month
* Unlimited MySQL databases
* PHP 5+. Really? What does this mean? PHP 5.6 and PHP 7.0 reach EOL in about a month… I happen to know PHP 7.1 is available, but sites really need to publicise this stuff!
* No mention of MySQL version. The instance I manage has the venerable but still supported MySQL 5.5, with no mention of possible upgrade.
* But, the dealbreaker. A measly 5GB storage. The next tier, offering 50GB, is R219 a month.
* Another big dealbreaker – they charge an extra R519 for SSL, for one domain only!

Hetzner
* Hetzner were one of the first locally to move to MariaDB, a major plus in my books (yes, I know I work for the MariaDB Foundation so perhaps I’m slightly biased)
* Another plus is they offer Lets Encrypt SSL with all hosting packages
* R99 for 5GB, 10GB costs R149 a month
* However, they only mention MariaDB 10.0, which, while a version above MySQL/MariaDB 5.5, is still quite old. In discussion with them, they do offer MariaDB 10.1, but again their website lags with no mention of this.
* PHP 5.6 and PHP 7.0 only.
* Only offer Debian 8. Debian stable is itself already pretty venerable when it comes out, and Debian 8 came out way back in 2015. I don’t need cutting edge, but Debian 9 came out in June 2017, so this makes Hetzner’s offering a little on the old side.

Ok, moving internationally. I moved my domains to Gandi a few years ago. They offer a Simple Hosting service as well.

Gandi
* Unusually, they offer Percona Server as a MySQL equivalent. Based on MySQL 5.7, which came out at about the same time as MariaDB 10.1.
* Support PHP 7.2
* 20GB for ~R45 a month (a discount as I have domains with them)
* In price, space and up-to-date software they absolutely blow the local offerings out the water
* They also offer a free 10-day trial.

Their Simple Hosting seems to be just that, really simple, not offering as much as the full cPanel or KonsoleH services offered by 1-grid and Hetzner, but hey, I did start by saying I wanted a Simple website.

I spend way too long investigating the governments of Luxembourg and France to decide which of the two server locations to choose, but in the end I’m sold (I chose Luxembourg for those interested).

Except I’m unable to sign up, as their interface isn’t working (I tried on three browsers). I contacted them a few months ago, pointing out inconsistencies in their documentation (the site mentioned MySQL/Percona 5.5, 5.6 and 5.7 as being the latest available version in various different places). The site still lists MySQL 5.6 as the latest release in at least one location.

So not exactly getting a good feeling from them either.

Am I destined to keep paying for my jumbo jet hosting, as at least I know it works?

Any personally recommended hosting suggestions?

Image from Wikimedia Commons

Firefox Quantum and too many tabs

I’ve been running Firefox Quantum as a browser since it came out, and there’s been a noticeable improvement in all areas. Rendering speed, CPU, memory – it lives up to all the hype.

Quantum

I’ve used Firefox as my primary browser for ages, but often used Chrome and Chromium as alternatives for certain sites, or when Firefox was creaking under the load of too many open tabs. I’ve moved most of them to Firefox now, and only use those browsers for easily running multiple sessions (logging in to Twitter with an alternative account, or to quickly test how something looks when I’m not logged in).

I can see this all backfiring though when it comes to the number of tabs I have open. I already spend way too much of my time scrolling through tabs trying to find a specific tab. In the past, I used to vigorously close tabs, as Firefox collapsed under the load when it reached a few hundred. I may not need to do this so much, which means my open tab count could grow drastically. To keep tabs (ha) on this, and since I’ve more than once tried to manually count my number of open tabs, I’ve installed the Tab Counter plugin, which does the tallying up for you.

Right now I’m at a measly 80 open tabs, so I’m feeling light and fresh. Let’s see how high it goes…

Image from Wikimedia Commons

South African Banks SSL Security (2)

After seeing someone’s Facebook security horror story about a local credit card (not one of the banks listed below), I was inspired to re-run the tests I previously ran on the South African banks, using SSL Labs’ SSL Server Test.

The results last time were awful, with Standard Bank and Absa falling way below the acceptable standard. This time, I was pleasantly surprised (previous results in brackets).

Ranking  Bank      Overall Grade  Protocol Support  Key Exchange  Cipher Strength
1        FNB       A+ (B)         95 (95)           90 (80)       90 (90)
2        Nedbank   A  (B)         95 (70)           90 (90)       90 (80)
3        Capitec   A- (A-)        95 (95)           90 (80)       90 (90)
         Absa      A- (F)         95 (0)            90 (90)       90 (90)
         Standard  A- (F)         95 (0)            90 (0)        90 (60)

All of the banks have improved their scores. Capitec, which has dropped from first to third, still does not support Forward Secrecy, but has improved its key exchange ranking from 80% to 90%.

FNB, which jumped from second to first, has deployed HTTP Strict Transport Security (HSTS) with long duration. FNB gets the only A+ ranking.

Nedbank, which jumped from third to second, has improved from a B to an A, improving its protocol support and cipher strength rankings.

Absa and Standard Bank have both improved from F’s to A-’s, and are joint third with Capitec. To put things in perspective, their rankings would have put them top during the previous test. So all banks are doing better than the best bank in May 2016. With no-one talking of a big four anymore (Capitec now outrank Nedbank in some metrics), perhaps a little bit of competition is helping after all.

Trust Us, We’re a Payment Gateway

A friend told me today about an experience of attempting to book a flight on kulula.com. His credit card wasn’t working, but there was an option for bank transfer (EFT), so he chose that.

The EFT option used SID, a payment option promising secure EFT transactions. All good so far, so he followed the link.

The SID window asked him to enter his bank account login details… You know, the kind you’re constantly warned never to give to anyone and never to enter on any site other than your bank’s.

I couldn’t believe that this is actually what happened (perhaps the friend had missed his morning coffee), so I checked it for myself. Looking into SID’s documentation, they claim to be externally verified, not to store the login details, and to use the bank’s own security system. But yes, you are asked to enter your bank account login details in their window.

I’ve got no reason to doubt that SID does what it says, but the methodology seems hopelessly flawed.

Let’s say I start a new payment system called SAD. At the same time I launch my casino website, relying on trusted SAD security. I state clearly that SAD uses the bank’s own security systems, and doesn’t store any of the login credentials. Totally secure!

The transaction succeeds, and the customer has a credit to spend on my casino site. They spend many happy hours on my casino website, winning up a storm, and dreaming of their new Tesla. For some reason the cashout option isn’t working today, but check back soon…

Some time later, they decide to check their bank balance, and find, to their horror, it’s all gone. They immediately phone their bank. Perhaps the conversation goes something like this:

HORRIFIED CUSTOMER: There’s a transaction clearing out my entire balance! It wasn’t me! The transaction needs to be reversed!

BANK: Hmm, our records indicate you logged in from internet banking, and transferred the money out. When was the last time you remember logging in?

HC: Er, I logged in to winbigbillionscasino.com and made a R50 transfer to their account from my bank account, using the safe and secure SAD system.

BANK: OK, no problem, we’re refunding the money now, apologies for the mistake.

Or perhaps not…

Perhaps the bank, in their charming and professional manner, laughs you off the phone and tells you you’re an idiot for giving your login details to another site.

Merchants asking customers to trust them, assuring them that their bank details are secure, is a recipe for disaster. Just don’t do it.

Image from Wikimedia Commons

South African Banks SSL Security

After coming across an article testing the security of the SSL implementations of Australian banks, I decided to run the same tests on the South African banks, using SSL Labs’ SSL Server Test. I have a little bit of inside info into some of the banks’ systems, so was not too surprised how bad the results were.

Bank      Overall Grade  Protocol Support  Key Exchange  Cipher Strength
Capitec   A-             95                80            90
FNB       B              95                80            90
Nedbank   B              70                90            80
Absa      F              0                 90            90
Standard  F              0                 0             60

None of the banks score an A (they all fail on Forward Secrecy), but the pick of the bunch was Capitec, whose only other failing was using a relatively weak signature.

FNB is limited to a B by accepting the weak RC4 cipher, and Nedbank adds supporting only older protocols to the list of failings.

You’d hope for better security from banks, but the failings of Capitec, FNB and Nedbank are not too serious. On to the others…

Absa has all of the above failings, does not support secure renegotiation, uses the obsolete SSL3, and most dismally of all, is vulnerable to the POODLE attack against TLS servers.

Although Standard Bank also gets an F, it stands alone in the number of criteria it failed. It uses the even older and more insecure SSL 2, supports insecure Diffie-Hellman (DH) key exchange parameters, supports 512-bit export suites and might be vulnerable to the FREAK attack, as well as being vulnerable to POODLE.

It’s quite astounding that Standard Bank may still be vulnerable to the FREAK attack, which has been known about for over two months, and which is extremely serious.
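As an added example (not any bank’s actual configuration, which neither post shows), here is an Apache mod_ssl fragment with settings that reproduce the failings listed above (SSL 3, RC4, export suites, weak DH, no forward secrecy) placed beside a hardened equivalent that also adds the long-duration HSTS header the later re-test credits for FNB’s A+. The DH parameter file path is a placeholder.

```apache
# --- Weak settings: illustrative only, reproducing the failings the post lists ---
# "all" still permits SSLv3 (and SSLv2 on old 2.2 builds); POODLE needs SSLv3.
SSLProtocol all
# "ALL" admits RC4, single DES, MD5 and 512-bit export suites (the FREAK material).
SSLCipherSuite ALL:!aNULL
# Letting the client choose means a weak suite wins even when strong ones are offered.
SSLHonorCipherOrder off

# --- Hardened settings ---
# Remove SSLv3 (add -SSLv2 as well on Apache 2.2 builds that still include it).
SSLProtocol all -SSLv3
# ECDHE-only suites give forward secrecy; the negated tokens strip RC4, export,
# DES, MD5 and anonymous suites so that no weak fallback remains negotiable.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
# Server picks the strongest suite the client supports.
SSLHonorCipherOrder on
# Disallow the old insecure renegotiation (off is the default; stated for clarity).
SSLInsecureRenegotiation off
# Use your own 2048-bit DH parameters instead of short defaults (Apache 2.4.8+ with
# OpenSSL 1.0.2+). Placeholder path; generate with: openssl dhparam -out <file> 2048
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparam-2048.pem"
# HSTS with a one-year max-age (needs mod_headers); this is the A+ criterion.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```

Re-run the SSL Server Test after each change rather than trusting the config alone, since the grade also depends on the certificate chain and the OpenSSL build behind Apache.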

These results match the banks’ scores in other areas as well, such as bank fees and customer satisfaction. So Standard Bank clients will be happy to know they’re not only with the least secure bank, but also with the most expensive and the one with the worst customer service.

A comparison of WhatsApp, Facebook Messenger and Telegram permissions on Android

Recently I’ve seen quite a few postings of the article The Insidiousness of Facebook Messenger’s Mobile App Terms of Service, claiming you should remove your Facebook Messenger because of the control the app has over your Android device. Many have suggested Telegram instead, which I’ve been using for a while. “Using”, I should add, in the same sense I would use a carrier pigeon. It’s nice to have, but there aren’t many others to share the fun with.

So how bad is the Facebook app compared to others? Here’s a comparison between the permissions demanded by Facebook Messenger, Telegram and Whatsapp on Android:

Permission                                     Facebook Messenger  Telegram  WhatsApp
Retrieve running apps                          No                  No        Yes
Find accounts on the device                    Yes                 Yes       Yes
Find accounts on the device                    No                  Yes       Yes
Read your own contact card                     Yes                 Yes       Yes
Read contacts                                  Yes                 Yes       Yes
Modify your contacts                           No                  Yes       Yes
Approximate location (network-based)           Yes                 Yes       Yes
Precise location (GPS and network-based)       Yes                 Yes       Yes
Edit your text messages                        Yes                 No        No
Receive text messages (SMS)                    Yes                 Yes       Yes
Read your text messages                        Yes                 No        No
Send SMS messages                              Yes                 No        Yes
Receive text messages (MMS)                    Yes                 No        No
Directly call phone numbers                    Yes                 No        Yes
Read call log                                  Yes                 No        No
Test access to protected storage               Yes                 Yes       Yes
Modify or delete contents of your USB storage  Yes                 Yes       Yes
Take pictures and videos                       Yes                 Yes       Yes
Record audio                                   Yes                 Yes       Yes
View wifi connections                          Yes                 Yes       Yes
Read phone status and identity                 Yes                 Yes       Yes
Read sync statistics                           No                  No        Yes
Receive data from internet                     Yes                 Yes       Yes
Download files without notification            Yes                 No        No
Run at startup                                 Yes                 Yes       Yes
Prevent device from sleeping                   Yes                 Yes       Yes
View network connections                       Yes                 Yes       Yes
Install shortcuts                              Yes                 No        Yes
Change your audio settings                     Yes                 No        Yes
Read Google service configuration              Yes                 Yes       Yes
Draw over other apps                           Yes                 Yes       No
Full network access                            Yes                 Yes       Yes
Read sync settings                             Yes                 Yes       Yes
Control vibration                              Yes                 Yes       Yes
Change network connectivity                    Yes                 No        No
Toggle sync on and off                         No                  No        Yes
Use accounts on the device                     No                  No        Yes
Modify system settings                         No                  No        Yes
Uninstall shortcuts                            No                  No        Yes

The permissions that have got most people worried, with visions of their phone starting to video them and record their conversations, “Take pictures and videos” and “Record audio”, are shared by all the apps. In Android’s permission system, they’re required to function. So if you want to use the chat functionality, you have to give the app these permissions. If the software is proprietary (Facebook and Whatsapp), you’ll need to trust the company behind the app (Facebook owns Whatsapp as well). Telegram is open source, and therefore anyone can (and does) check the code. If you’re worried about security, you should be as concerned about what happens to your messages and data in transit, and here the best option I know of right now is Telegram, which is designed with a focus on privacy.

Now if only more people would use it…

Autumnal spring cleaning

This weekend I did some unseasonal spring cleaning. I closed down my chess website, my rugby website, the Wikipedia template translation tool, the free and open source feeds list, and some now rather dated software that I hosted.

So, if you’ve been redirected here looking for any of those, sorry to disappoint you! It’s time to simplify, and none of the projects were particularly active or interesting anymore, so it was time to do some tidying.

WordPress spam, Akismet and Cookies for Comments

This blog gets about 1 spam comment a second.

Not bad for an obscure blog with, as I write this, only one post open for comments.

Akismet, the spam plugin, does a great job of keeping the spam out, although recently a few more spam posts have been sneaking through for moderation, perhaps two a week. Still, considering I get about 600 000 spam comments in that week, a miss ratio of 1 in 300 000 is rather exceptional.

The volume of spam shot up markedly after this post, which in retrospect isn’t so surprising, since it contains just about every spam phrase out there.

A feature I’d like to see in WordPress is the ability to automatically delete spam after a certain period. Apparently this is automatically set to one month, but since in that month I’d get about 2.5 million posts, and have to up the space on my backup server, I prefer to delete spam posts manually a little more often than that.

Deleting spam posts isn’t entirely smooth. If the number is too large, the script times out and I have to re-run it a number of times. Since the spam arrives so quickly, I never have an empty spam folder, as by the time the deletion has happened, but before the page reloads, there are normally a couple more posts.

After coming back from the weekend to 40 000 spam posts, I decided to look for a solution. It’d be easy enough to adjust the period in the code manually, but since I’d have to re-implement the change each time I upgraded, I prefer to look for an existing solution.

Enter Cookies for Comments. The solution is simple – the plugin sets a random cookie, which, if it doesn’t exist when a comment is posted, is almost a sure sign that the comment is being placed by a bot.

You can set the plugin to either automatically mark the comment as spam (effectively catching the two or so comments a week Akismet misses, but not solving my problem), or automatically delete the comment.

I set it to automatically delete comments. Boom! Blissful silence, with my recently-cleared spam folder now not moving from 247 comments.

You can play further and use an Apache rewrite rule to block the requests from even reaching WordPress, which I haven’t implemented yet, but looks hopeful in reducing unnecessary load further.
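An Apache rewrite rule of the kind mentioned above, as an added example (not the plugin’s own rule nor anything from this blog): it rejects comment POSTs that lack the cookie before PHP or WordPress is loaded. COOKIE_NAME_PLACEHOLDER stands for whatever cookie Cookies for Comments sets on your site, and the rule assumes wp-comments-post.php sits at the site root.

```apache
# Assumes mod_rewrite is enabled; works in a vhost block or .htaccess.
# COOKIE_NAME_PLACEHOLDER: substitute the cookie the plugin sets on this site.
RewriteEngine On
# Only comment submissions are affected: a POST to the WordPress comment handler...
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} ^/wp-comments-post\.php$
# ...where the expected cookie is absent from the Cookie header (start or after a ";").
RewriteCond %{HTTP_COOKIE} !(^|;\s*)COOKIE_NAME_PLACEHOLDER=
# Answer 403 immediately, so the bot's request never reaches Akismet or the database.
RewriteRule ^ - [F,L]
```

Visitors who have disabled cookies get the same 403, so keep the plugin’s own comment form message in place to explain why.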

What’s that? You’re suspicious of cookies and have disabled them, and now you can’t comment on my blog? I doubt you can do much else on the internet either…
