Goodbye dear friend

For a number of years (more than I can remember, but between 15 and 20) I’ve had my web hosting on a box in my office beside my desk on a machine called pcbo.dcs.aber.ac.uk.  We’ve had our ups and downs over the years, but she became so long in the tooth, and a security scan last week prompted me to do something about it finally.  Today I pulled the plug on her (literally), and have switched over to my new rented server in a different country.

No longer will I hear the rattling of the hard drive when someone looks through a lot of my photos or web crawlers start indexing my site, and it’s just a silent beige box waiting to be thrown out.

All that remains are all the blog posts that I moved over onto this new server, and a CNAME record that redirects all traffic to the new box.  Some links from pcbo will still work, but most will change – this is a new machine with a different operating system and web server software, much more modern and up-to-date, which should be able to cope with security patches much better.

It’s really something I should have done years ago, but now it’s less of a worry that I could be an attack vector on the university network.

So long, old girl.  You were old and noisy, and the office is quieter now.

Report of a chained account hack.

Read Mat Honan’s tale of woe as an instruction on why not to use the same passwords on different accounts, and why you might think twice about chaining your accounts together.

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

On “Reflections on Trusting Trust”

In 1984, Ken Thompson wrote “Reflections on Trusting Trust”, and it is still valid today.

All students writing anything higher level than machine code (does anyone still do that?) should have an appreciation of what goes on at various points in the toolchain, and how it can be exploited at each of those levels.

The article can be read here and also has some reflections on Open Source to consider.

Obfuscation can happen at many levels and nobody’s commits should be taken at face value – only vigilance in code reviews will keep everyone honest.

Oh, and apparently he implemented it, but never distributed the compiler.

Don’t annoy Immigration Officers…

From Risks Digest:

UK Immigration Officer Puts Wife on the No-Fly List

Bruce Schneier
Tue, 15 Feb 2011 00:03:31 -0600

[From CRYPTO-GRAM, 15 Feb 2011. PGN]

A UK immigration officer decided to get rid of his wife by putting her on
the no-fly list, ensuring that she could not return to the UK from abroad.
This worked for three years, until he put in for a promotion and—during
the routine background check—someone investigated why his wife was on the
no-fly list.

Okay, so he’s an idiot. And a bastard. But the real piece of news here is
how easy it is for a UK immigration officer to put someone on the no-fly
list with *absolutely no evidence* that that person belongs there. And how
little auditing is done on that list. Once someone is on, they’re on for
good.

That’s simply no way to run a free country.

http://www.cnbc.com/id/41372870
http://www.loweringthebar.net/2011/02/immigration-officer-puts-wife-on-the-no-fly-list.html
http://www.dailymail.co.uk/news/article-1351937/Immigration-officer-fired-putting-wife-list-terrorists-stop-flying-home.html

Possible backdoors in NetBSD IPSEC stack?

I just picked this up from a friend at the FSFE.

Apparently, someone who was working with the FBI a few years ago alleges that he came across information regarding backdoors that had been inserted into the IPSEC stack.

I know that this is technical, but it comes down to the fact that the FBI can snoop on “secure communications” that are encrypted using the NetBSD IPSEC stack. Now is the time for a code review, especially as it appears that the FBI have apparently been pushing use of the allegedly backdoored stack for firewalls and VPN tunnels.

The email that details this is linked below:
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

I do like the “Merry Christmas” at the end.

Google Instant Blacklist

So you’ve used Google Instant, right?

What happens if you accidentally type in something that might return some “dodgy” results? Well, good old Google will protect you from yourself through its blacklist.

You can still get the full results by pressing return in the search box, so make sure that you press return if you want all those results.

And for a full list of words on the blacklist, pop over to 2600.com…
http://www.2600.com/googleblacklist/

Spam filtering, and how not to do it.

Alun is not having a very fun time with secureserver.net and from the sounds of their technical support staff, they’re secure through a certain amount of incompetence.

I’m sure that you will enjoy reading the exploits of a sys-admin at a UK university, so here’s the link: secureserver spam blog entry

Oh, and this counts as a little assistance in getting pushed up the Google search rankings.