Green Thinking
November 1, 2013

Interesting Interview With Ladar Levison of Lavabit

Old Article Comments

I exported these from my old wordpress blog, so they are a bit out of date, but I thought I’d keep them around for posterity.


[billjonesgeneralstore] - Nov 5, 2013 Reblogged this on You Better Watch Out.

November 1, 2013

Interesting Interview With Ladar Levison of Lavabit

An excellent and informative interview with the founder of the Lavabit email service, who was recently involved in a legal case with the FBI, which attempted to force him to hand over his SSL encryption keys. This was of course the email service used by Edward Snowden, so it attracted a lot of attention. There’s some really interesting technical material in here, specifically about the value of perfect forward secrecy in HTTPS encryption (which he wasn’t using), and about the many clever ways he protected his users’ data. A classic part was when, finally forced to reveal the SSL key protecting all 400,000 users’ data, he printed it out in 4 point font to hand to the FBI agents, and then, whilst they took the sealed envelope away, proceeded to completely shut down the service and his company, and encrypt all the data onto external hard drives. Brilliant stuff. http://www.youtube.com/watch?v=XTe0mT1611c

October 31, 2013

Cryptolocker - Seriously Problematic Ransomware

There’s a new piece of ransomware in the wild, called Cryptolocker. It’s a nasty piece of software that uses public/private key pairs to encrypt all your documents and files in the background, and then helpfully lets you know it has done so. Then you will be asked to pay $300/€300 to unlock your files. If you don’t, you will lose the key to decrypt them, and with it all your files. Not only that, it also encrypts shared drives, such as those on your business network. The biggest problem: this is properly implemented encryption, and they have thought it through. There is absolutely no way to recover your files, short of paying them the money or restoring from the backups (which you obviously already had taken). BACKUP YOUR FILES. [http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information] And don’t open random email attachments; that’s the key way it is spreading.

October 28, 2013

Simple Steps to Use Yum Rollback on Centos / RHEL 5

Some nice instructions on a simple backup/rollback technique for packages on Centos / RHEL 5. This can be accomplished even more easily in newer versions of yum, such as on Centos / RHEL 6, with the ‘yum history’ command. There’s a nice undo feature there now that makes it trivial to revert a change if you have problems with a package update for any reason.

October 22, 2013

Interesting Talk on DevOps

This is an excellent (albeit long) talk on DevOps and where it came from. Some of the systems theory material in here, which is rarely covered by computing enthusiasts, is illuminating and extremely helpful. If you’ve wondered why agile doesn’t work in operations, or why there’s such a counter-productive feedback loop between developing and deploying your software, this is really worth a watch. It’s aimed at sysadmins, but I think developers would get a lot from it too. http://www.youtube.com/watch?v=h5E--QSBVBY

October 13, 2013

Watch "Getting Started with Puppet - PuppetConf 2013" on YouTube

https://www.youtube.com/watch?v=TdAmAj3eaFI&feature=youtube_gdata_player

October 8, 2013

SQRL (Squirrel) Authentication - Bye bye usernames and passwords?

Disruptive technologies occasionally come along which can make a big difference in computing. Something in its early days, which I heard about last week, is the SQRL authentication proposal by Steve Gibson. This proposal aims to address the extremely big problem of username and password authentication across the internet. This is a huge and annoying problem for all internet users: you must try to come up with secure passwords, whilst giving passwords to many different parties, some of whom you can trust and some of whom you can’t.

The proposal is a simple idea, but it seems to work very well:

1. Website presents a QR code.
2. User snaps the QR code with their phone’s camera.
3. User is logged into the website.

A bit too simple? The strength comes in the implementation though: your secrets are not shared across different sites, you control your private key password at all times, and no third parties are involved. In the background, the QR code contains a URL. The app on your phone takes this URL and its unique token, signs a return message with the private key, and then sends that message to the URL given by the QR code. The beauty of this is that you have out-of-band authentication, which is hard to intercept, and that the site never sees your private password, so even if the site is compromised, these details are not lost. There are probably some weaknesses, but the general idea is brilliant, and will hopefully gain the traction it deserves. For more information have a look here: https://www.grc.com/sqrl/sqrl.htm
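The flow described above, as an added illustration that is not code from the SQRL project or from this post: the phone holds one master secret and derives an unrelated key pair for each site from the site’s domain name with an HMAC, the site stores only the public key, the QR code carries a one-time challenge URL, and the phone signs that URL and sends the signature back. The signature scheme here is textbook Schnorr over a 128-bit safe prime generated at start-up, standing in for the Ed25519 signatures the real SQRL specification uses; the group size, the `Site` class, the `token` query parameter and the domain names are all my own toy choices, not SQRL’s.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse, parse_qs

# Toy group: safe prime p = 2q + 1 picked at start-up, and g = 4, which is a
# square and therefore always generates the order-q subgroup. 128 bits is far
# too small for real use; it keeps the demo quick.
def is_probable_prime(n, rounds=24):
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128):
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = make_group()
G = 4

def _hash_to_int(r, message):
    h = hashlib.sha256(str(r).encode() + b"|" + message).digest()
    return int.from_bytes(h, "big") % Q

def schnorr_sign(x, message):
    k = secrets.randbelow(Q - 1) + 1             # fresh nonce per signature
    e = _hash_to_int(pow(G, k, P), message)
    return e, (k - x * e) % Q

def schnorr_verify(y, message, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P          # equals g^k for a genuine signature
    return _hash_to_int(r, message) == e

# Phone side: one master secret, one unrelated key pair per site domain.
def site_private_key(master, domain):
    mac = hmac.new(master, domain.lower().encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1

def site_public_key(master, domain):
    return pow(G, site_private_key(master, domain), P)

def phone_answer(master, challenge_url):
    """Sign the challenge URL with the key derived from the URL's own host name."""
    x = site_private_key(master, urlparse(challenge_url).hostname)
    return {"url": challenge_url, "pubkey": pow(G, x, P),
            "sig": schnorr_sign(x, challenge_url.encode())}

# Site side: stores public keys only, hands out single-use challenge URLs.
class Site:
    def __init__(self, domain):
        self.domain = domain
        self.users = {}          # public key -> account name
        self.pending = set()     # challenge tokens not yet used

    def register(self, name, pubkey):
        self.users[pubkey] = name

    def challenge(self):
        token = secrets.token_hex(16)
        self.pending.add(token)
        return f"https://{self.domain}/login?token={token}"   # what the QR code encodes

    def login(self, answer):
        parts = urlparse(answer["url"])
        token = parse_qs(parts.query).get("token", [None])[0]
        if parts.hostname != self.domain or token not in self.pending:
            return None          # wrong site, unknown challenge, or a replay
        if not schnorr_verify(answer["pubkey"], answer["url"].encode(), answer["sig"]):
            return None
        self.pending.discard(token)                # each challenge works once
        return self.users.get(answer["pubkey"])

def demo():
    master = secrets.token_bytes(32)             # constructed: lives only on the phone
    shop = Site("shop.example")
    shop.register("alice", site_public_key(master, "shop.example"))
    answer = phone_answer(master, shop.challenge())
    first = shop.login(answer)                   # "alice"
    replay = shop.login(answer)                  # None: token already consumed
    # The same master secret yields a different key for any other domain.
    differs = site_public_key(master, "shop-example.net") != site_public_key(master, "shop.example")
    return first, replay, differs
```

Running `demo()` shows a registration, one successful login, and the replayed answer being rejected because its token was consumed. The properties the post highlights fall out of the structure rather than of any policy: a dump of `Site.users` yields only public keys, which identify the user at no other site because the private key is bound to the domain name by the HMAC, and nothing the phone sends ever contains the master secret.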

October 5, 2013

Examining the Glastonbury Ticket Sales Website

Note: Also see my updated 2016 post about this topic.

Tomorrow is that time of year again, when hundreds of thousands of people spend hours pressing their F5 key, in an often futile attempt to book Glastonbury Festival tickets. Although I have been successful the last couple of years anyway, this year I had the opportunity to do a bit of investigation beforehand, as they had a smaller ticket sale on Thursday evening. Since we have a baby in tow this year, we will be caravanning and couldn’t buy a coach ticket, but I could use the opportunity to check out the SeeTickets servers and get an idea of how their pages and queuing system work. This is also more important since 15,000 of the tickets have already sold, so there will be fewer available tomorrow than in previous years.

When I first hit the site, right on the dot of 6pm, I refreshed a few times and immediately got to the coach ticket selection page. Here, you got to choose between Wednesday and Thursday departures. I clicked Wednesday, and immediately got a registration numbers form. I was impressed: in the past I’d been stuck in a queue for a long time before being able to type my reg numbers in! So I saved the page, so I could have a look at it later. I clicked through, and had a look at all the pages, including the payment page.

Over the next half an hour I refreshed the page a few times, until I got added to the normal queuing system. This is a JavaScript based refresh which reloads every 20 seconds and polls the server for a booking slot. I assume they use a session based queuing system, because although last year there were problems after typing in the registration numbers (because of a DNS configuration issue), the previous festival, once I got through to this screen, I had no further issues.

Looking at this then, it’s fairly simple to get your booking slot: you keep refreshing the page until, instead of showing you a queuing message, you get a page where you type in the registration numbers.
What you are actually hoping to see is this form:

October 5, 2013

Examining the Glastonbury Ticket Sales Website - Comments

Old Article Comments

I exported these from my old wordpress blog, so they are a bit out of date, but I thought I’d keep them around for posterity.


Lewis Cook - Sep 1, 2015 Great blog post. Any chance of an updated blog post for Sunday’s ticket showdown?


chrisgilbert42 - Oct 0, 2016 Hi Lewis, hope you managed to get tickets last year/this year. I’ve noticed a few things that have changed this year; I’ll see if I can come up with an updated post soon. It won’t be quite as detailed, but it does appear they are now using IP rate limiting (hence the advice to only use one device at once).

September 19, 2013

Google's Password Storage Database

Do you have an Android phone? Some interesting news I read this week was that an innocuous (on by default) setting on Android phones can save your Wifi passwords on Google’s servers. It also backs up all your app settings, bookmarks and so on. This isn’t that worrying in itself; it could be considered a useful feature. However, the worrying thing is that these plain-text passwords aren’t encrypted using your account details: they are available in unencrypted form to Google employees. This includes the password to any Wifi access point you’ve connected to: home, work, and so on. Seeing as Google have been harshly criticised in the past for collecting data about the locations of Wifi access points, it seems a little foolish to trust them with unencrypted passwords to all these access points too. We already know they can be compelled to hand this information over to the security services. It just makes it a little too easy for it to be abused. They claim that turning off the feature will delete the data from their servers, but who knows whether that happens or not? I am getting more and more concerned about how much this one company knows about me. It gives them an awful lot of power. What if I want to save my app settings but not my Wifi passwords? There is no option. It’s pretty much all or nothing. I shall be backing up my data myself from now on, I think…
