Posted on

ParentPay won’t support “insecure” browsers

This week that ParentPay, the Microsoftie payment system used by many schools, rolled out a web site update to support an even more limited range of browsers. This included dropping support Internet Explorer before 9 for “security reasons”.

By coincidence, in the same week Microsoft trumped their loyal fanobois at ParentPay by announcing that everything prior to version 10 was hereby deemed unsafe. ParentPay has yet to comment.

However, the notion that any version of Internet Explorer is “safe” is stretching the truth badly. All the mainstream browsers are dodgy; they all support unsafe scripting and embedded code. Microsoft may have the worst reputation, but they’re all undermined by their code and add-ons – and host operating system, to be fair. Only a few niche browsers, that don’t support things like JavaScript and ActiveX, can be considered safe; and those are the ones that ParentPay refuses to support because they don’t allow “rich content”. (And their developers are Microsoft fans). It’s definitely a case of form over security, yet again.

As an illustration of just how feeble their new browser support policy is, here’s a list  of those they’ll accept, taken from their web site:

  • Chrome 35 or higher
  • Firefox 30 or higher
  • Internet Explorer 9 or higher
  • Safari 6 or higher.

The the the the That’s All Folks!

Schools should be seriously considering their relationship with ParentPay, given the cost and inconvenience they’re forcing parents to go through in order to use it. Analysis of the traffic across my servers suggest that IE has around a third of the browser market. Of these, more than half are using IE 9 or earlier.

ParentPay’s assertion that this will only affect a “..small proportion of parents” may be literally true, but it’s disingenuous. Let’s do some simple arithmetic. Say there are 1500 parents in a secondary school. A third of these use IE – that’s 500. Half of these use an old IE (on an old PC) – that’s 250/1500 parents at each school who’ll be grossly inconvenienced. Cancel the fraction out and it’s 1/6, which could be described as a small proportion, but it’s still 250 per school.

The number of people who would be using”unsupported” browsers on tablets or mobile devices is probably very high. Anecdotally, parents have access to a PC somewhere that they currently have to go to in order to use ParentPay. Many would rather use a tablet.

It’s about time someone set up an alternative to ParentPay and schools were educated in to the benefits of open standards.

Posted on

How to stop Microsoft Windows 10 upgrade

Famously, Microsoft announced that the “upgrade” to Windows 10 would be free of charge. How nice of them. Given that historically Microsoft has made a lot of money selling consumer upgrades, this is a little puzzling until you realise what happened to Windows 8 in the commercial IT world. Basically, it’s as popular as a rattlesnake in a bran tub. Commercial users are still demanding, and getting, Windows 7 whilst home lusers have had no choice – having only Windows 8 pre-installed.

Since then, Windows some users have been “encouraged” to “upgrade” to Windows 10 by having a pop-up nag screen turn up on top of their work at regular intervals. This is produced by an update called GWX (“Get Windows Ten” in Roman numerals). An update you don’t seem able to un-install. Nice!

However, Microsoft has bottled out of doing this on Enterprise versions of Windows. They’re not that crazy. Imagine what would happen if every corporate customer got “upgraded” to a version of Windows that didn’t support their bespoke CMS, all at once. Every IT support person in the world would be heading for Seattle with a pitch-fork and flaming touch. ARM and embedded Windows won’t auto-upgrade either; nor (I believe) will machines connected to a domain controller – indicative of being used in a business.

As usual, it’s the voiceless SMEs using Windows 7 Pro that left paying the price for choosing Microsoft, and I’ve heard of plenty of people falling for the nag screen and getting in to trouble.

In repose to customers’ requests, demands and threats of physical violence, Microsoft has told the world how to disable the activities of GWX, in a KB article found here. Basically you have to add the following registry keys and it should stop. To disable OS upgrading add:

Subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWORD value: DisableOSUpgrade = 1

And to stop the nag screen add:

Subkey: HKLM\Software\Policies\Microsoft\Windows\Gwx
DWORD value: DisableGwx = 1

The free “upgrade” offer only extends until July this year, so it will be interesting to see what happens then. In spite of Microsoft’s threats to drop it, Windows 7 is still being used in new installations, and from where I’m sitting, it’s the default option.

Posted on

Microsoft Security Essentials hangs during a full scan

First off, can I be clear about one thing – endpoint virus scanners don’t make your computer “secure”. A lot of the most dangerous stuff gets past them, but trusting lusers believe they’re safe and will therefore take risks they outerwise wouldn’t. See my posts and academic papers passim ad nauseam. Now that’s out of the way, I favour Microsoft Security Essentials (or Microsoft Endpoint Security) on Windows as I find it less likely to make the system unusable. I don’t recommend it, except as the least-worst option.

On with the problem…

Sometimes, especially in the last year or so, I’ve found Security Essentials will stall when its doing a background scan. You may not notice its done this, but some symptoms are that web browser file downloads won’t work (it’ll download 100% but never finish) and the PC won’t hibernate automatically using the power-saving settings.

I’ve looked for solutions to this, as well as searching the web for an answer. You’ll often see people posting (without references) that this is bug and Microsoft are working on, or have now fixed it. I’ve tried theories myself to see if it’s caused by compression or archive formats causing a decompresser to break (I’ve noticed this often fits the facts), but this is little help when finding a solution, and even then it sometimes still hangs when the option to check compressed files is turned off.

What I’ve yet to find is anyone giving a real solution, so here it is:

  1. Deinstall Security Essentials.
  2. Download and install Security Essentials.

I’ve never known this not to work. On the other hand, I’ve known all the other theories you see posted on forums fail to work pretty consistently.

 

Posted on

The Force is Strong in George Osborne

George Osborne, Chancellor of the Exchequer, has an exit strategy from politics. Rather than being employed as a consultant in the city, his career will revolve around making appearances and selling autographs at sci-fi conferences.

How do I know this? Read the credits for “The Force Awakens”. He’s mentioned there, unambiguously, as “George Osborne, Chancellor of the Exchequer”. It probably only appears on the UK release though.

Posted on

New Nominet Registrant terms

If you have a domain name ending in .uk it’s probably administered by Nominet (exceptions being .gov.uk etc). Nominet is a not-for-profit outfit set up in 1996 to manage UK domain names as the Internet expanded. Unlike certain other countries, our domain registration service as traditionally operated for the benefit of Internet users, which is as it should be.

Right now Nominet is holding a public consultation on changes to the terms and conditions for anyone registering a domain name. It’s mostly sensible stuff, like dropping the need for a fax number. But there are a couple of changes that do worry me.

First off, there is a provision in the old terms that if Nominet changed the T+C of the contract once it had started, the owner of the domain could cancel and get a refund. This is only fair; people registering direct with Nominet could be paying hundreds of pounds in advance and you can’t change the rules of the game once it’s started without consequences.

The plan is to drop this provision, with the apparent stated justification that they can’t remember anyone ever invoking it. Lack of use doesn’t mean the provision is wrong; it simply means that they haven’t upset anyone with a change in T+C enough to make invoking it necessary. One likely reason for this is the requirement for a public consultation before changing the T+C’s.

The second problem is that they want to drop the need for a public consultation before changing T+C. This is all in line with “industry practices”, apparently.

Hang on Nominet, what have industry practices got to do with you? You’re not an industry; you’re a service run for the benefit of, and paid for, by Internet users in the UK. Other countries have domain registration services run on commercial lines, for the benefit of shareholders, and the last thing you should do is follow suit on their sharp practices. So why ask for permission to do so?

Nominet has been a beacon of how the Internet should be run, setting the highest standards in fairness and transparency. It should continue this way by setting an example of the highest standard.

Eroding the power of the stakeholders may be convenient from an operational point of view, and doing things properly may cost money (not something Nominet is short of). Dropping these awkward provisions may seem like a good idea at first glance. But for the sake of the wider picture, eroding the rights of domain owners would hardly be their finest hour. Unless, of course, the public consultation tells them to back off!

Here’s a link to the consultation. If you’re in the UK, your views count.

Posted on

How to stop Samba users deleting their home directory and email

Samba Carnival Helsinki summer 2009
Samba Carnival (the real Samba logo is sooo boring)

UNIX permissions can send you around the twist sometimes. You can set them up to do anything, not. Here’s a good case in point…

Imagine you have Samba set up to provide users with a home directory. This is a useful feature; if you log in to the server with the name “fred” you (and only you) will see a network share called “fred”, which contains the files in your UNIX/Linux home directory. This is great for knowledgeable computer types, but is it such a great idea for normal lusers? If you’re running IMAP email it’s going to expose your mail directory, .forward and a load of other files that Windoze users might delete on a whim, and really screw things up.

Is there a Samba option to share home directories but to leave certain subdirectories alone? No. Can you just change the ownership and permissions of the critical files to  root and deny write access? No! (Because mail systems require such files to be owned by their user for security reasons). Can you use permission bits or even an ACL? Possibly, but you’ll go insane trying.

A bit of lateral thinking is called for here. Let’s start with the standard section in smb.conf for creating automatic shares for home directories:

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

The “homes” section is special – the name “homes” is reserved to make it so. Basically it auto-creates a share with a name matching the user when someone logs in, so that they can get to their home directory.

First off, you could make it non-writable (i.e. set writable = no). Not much use to use luser, but it does the job of stopping them deleting anything. If read-only access is good enough, it’s an option.

The next idea, if you want it to be useful, is to use the directive “hide dot files” in the definition. This basically returns files beginning in a ‘.’ as “hidden” to Windoze users, hiding the UNIX user configuration files and other stuff you don’t want deleted. Unfortunately the “mail” directory, containing all your loverly IMAP folders is still available for wonton destruction, but you can hide this too by renaming it .mail. All you then need to do is tell your mail server to use the new name. For example, in dovecot.conf, uncomment and edit the line thus:

mail_location = mbox:~/.mail/:INBOX=/var/mail/%u

(Note the ‘.’ added at the front of ~/mail/)

You then have to rename each of the user’s “mail” folders to “.mail”, restart dovecot and the job is done.

Except when you have lusers who have turned on the “Show Hidden Files” option in Windoze, of course. A surprising number seem to think this is a good idea. You could decide that hidden files allows advanced users control of their mail and configuration, and anyone messing with a hidden file can presumably be trusted to know what you’re doing. You could even mess with Windoze policies to stop them doing this (ha!). Or you may take the view that all lusers and dangerous and if there is a way to mess things up, they’ll find it and do it. In this case, here’s Plan B.

The trick is to know that the default path to shares in [homes] is ‘~’, but you can actually override this! For example:

[homes]
    path = /usr/data/flubnutz
    ...

This  maps users’ home directories in a single directory called ‘flubnutz’. This is not that useful, and I haven’t even bothered to try it myself. When it becomes interesting is when you can add a macro to the path name. %S is a good one to use because it’s the name as the user who has logged in (the service name). %u, likewise. You can then do stuff like:

[homes]
     path = /usr/samba-files/%S
     ....

This stores the user’s home directory files in a completely different location, in a directory matching their name. If you prefer to keep the user’s account files together (like a sensible UNIX admin) you can use:

[homes]
     comment = Home Directories
     path = /usr/home/%S/samba-files
     browseable = no
     writable = yes<

As you can imagine, this stores their Windows home directory files in a sub-directory to their home directory; one which they can’t escape from. You have to create “~/samba-files” and give them ownership of it for this to work. If you don’t want to use the explicit path, %h/samba-files should do instead.

I’ve written a few scripts to create directories and set permissions, which I might add to this if anyone expresses an interest.

 

Posted on

Governments’ hacking fantasies

It’s silly season again.

Yesterday George Osborne warned that Islamists were tooling up and planning deadly cyber-attacks against the UK, targeting critical systems like ATC and hospitals, as he announced government spending on countermeasures would double from about £200M to £400M a year. Mr Osborne shown a rather tenuous grasp of technology in the past, and I fear he’s been watching too many Hollywood movies when forming his current opinion.

I know a bit about ATC, and the chances of a jihadi disrupting NAS over the internet are slight. Damaging aviation is much easier by more direct means.

Likewise, while I have little time for the design of NHS computers systems, even they’d be hard to seriously disrupt. So difficult that it really wouldn’t be worth the bother. If you want to knock out a hospital, blow up the generators and electricity feed – it’s obvious. About the only systemic damage you could do remotely would be to mess up central databases, but these seem to get messed up regularly anyway, and the world goes on.

But this seems positively sane and sensible compared to today’s report from the “US-China Economic and Security Review Commission”. They’re all exercised about those nasty Chinese guys pinching trade secrets by hacking in to US companies and their government agencies. I’m sceptical about the idea that the Chinese government is behind this, and the Commission has weakened the credibility of their claims with their suggested response to the activity:

Yes folks, their suggestion is that Americans hack in to the Chinese systems and steal back or delete the stolen data. How exactly does one steal back data? And do they really think it’s possible to locate, identify and delete stolen data found in a foreign country. Deleting all copies of data from a local system is hard enough, and if the IT department knows its stuff, it’s impossible as it won’t all be on-line.

Whilst there’s plenty of evidence that people in China, and possibly the military, are engaged in cyber-espionage, this idea reads like the plot of another Hollywood movie of the type George Osborne seems to have been watching. Everyone in the security world knows that the majority of criminal activity on the Internet actually comes from…. the USA. This doesn’t mean the US government is behind it – by the sound of the advice they’re getting, they wouldn’t know how.

People like me have been saying that cyber-crime is (going to be) a big problem for many years now, and I welcome governments waking up and taking it seriously at last. The private sector has done spectacularly badly, as the money is in the superficial stuff, and real security gets in the  way of profits. It’s just a shame that governments have woken up and are groping groggily around in the dark.

Posted on

FreeBSD on 96-core 64-bit ARMv8

A couple of year’s back I managed to compile and run FreeBSD/Apache/BIND on an ARM-based Raspberry Pi. It was fun, but I have to admit it’s been left on the shelf ever since. A solution waiting for a problem.

Since then the ARM has been a specific target for FreeBSD 11. Do you really need FreeBSD on your smartphone? However much I like BSD, the Linux-based Android does well enough. But wait…

ARM has a 64-bit turbo-nutter-bastard version waiting in the wings, for server use. The ARMv8 is scalable to at least 48 cores per socket and intended to go like the clappers in SMP applications. FreeBSD has long been considered to have the edge over the Linux kernel when it comes to SMP. This is getting interesting.

Cavium-ThunderX
Cavium ThunderX ARMv8 board board.

A team including Semihalf has now got FreeBSD 11 stable running on a twin-CPU monster using the Cavium ThunderX ARM chips, each of which has 48-cores. For details see their blog. With a lot of serious web applications running FreeBSD in preference to the freewheeling Linux, there could be a very ready market for this kind of box.

I would be in danger of being extremely jealous, as my budget for playing with ARM chips doesn’t stretch much past the Raspberry Pi. However, in the 1980’s Atari Research gave me an ATW transputer box with 128 discrete CPUs to help implement an OS on, so I’m still 32-cores ahead. There wasn’t much of a market for the ATW back then, but Cavium could be on to a winner with the approach nearly thirty years later.

Footnote

Does anyone know what happened to the big transputer box prototype that was knocking around the Cambridge office? When the ATW/Abaq was released it was greatly scaled down with no more than 13 transputers, and lacked the glass case with all the flashing lights.

Posted on

Microsoft plans to dump OneDrive unlimited and Windows 7

Microsoft continues to lose the plot. This week saw the announcement that OneDrive customers have a year to shift their data way, and business have a year to switch from Windows 7 to Linux Windows 10.

The problem they’re having with OneDrive is that when they sold it on the basis of “unlimited” storage, they didn’t realise the punters would actually believe them. After all, who believes what Microsoft says about any of their products? But, apparently, some credulous customers have been using it for backing up all their stuff and this has caught the folks in Redmond by surprise. So they’re withrawing the product, and users have a (at least) year to shift their stuff off, after which the Office365 subscription would have lapsed anyway. The maximum storage available after that date will be 1Tb, but they have yet explain what will happen to the excess.

And in the same week, Microsoft announced that Windows 7 will no longer be available in a year. It may surprise some to hear that it’s still available, as anyone buying a domestic PC from the high street has only had Windows 8 since 2013. However, if you buy a business machine from a business supplier, chances are it will still have Windows 7 pre-installed, with a set of Windows 8 downgrade disks in the box to satisfy an “everything now ships with Windows 8” clause in some OEM deal. Businesses don’t want Windows 8, and voted with their cheque books to keep Windows 7.

Microsoft now plans to take that choice away, and force everyone on to Windows 10. This is hardly unexpected, but now it’s official. The reasons aren’t clear to me. Okay, Windows 10 has the creepy doll sending user data back at Redmond, in order to deliver a richer user experience (and targeted adverts) and make the world a better place (for Microsoft shareholders). Possibly a case of corporate Google-envy? Is Microsoft so keen on the Google business model that they’d risk hacking off the loyal customers who’ve been buying Windows XP and Windows 7 for years? Ironically, Google is pushing it’s paid-for cloud apps, and I suspect, would like to get a larger revenue stream from selling SaaS.

Listen up, Microsoft. People buy Windows because it runs the applications they want. It has nothing to do with whether the like the colour scheme. Windows XP runs DOS stuff; Windows 7 does, just about, because it has XP emulation. This is a concept known as Backward compatibility, and Intel knows all about exploiting this and making mega $$$ if you need a reminder. Lightweight home users and kids might be impressed by the new and shiny, but business wants something that works, and if it ain’t broke, don’t fix it.

The beneficiaries of this will probably be Linux (including Android), Google GDrive and other cloud storage providers, and alternatives to Office: (Google Docs, OpenOffice.org and smaller companies like SoftMaker. The latter has just released SoftMaker Office 2016, with an offer to make it free for use in schools.

Posted on

TalkTalk Ransom Demand

So, the head of TalkTalk (Dido Harding) has received a ransom demand following the latest hack? From a bunch of Islamist gangsters? I don’t think so. Okay, she probably received an email extortion attempt. Several in fact. It’d be form for Islamist gangsters to have a go, amongst the usual suspects. But the idea that whoever is behind the attacks also sent the ransom demand does not sound like the normal MO. It smells wrong to me. Extortion attempts of this kind generally follow a demonstration that the criminals can disrupt a web site, not after a long-term outage.

I get the vibes that TalkTalk doesn’t know what happened, and take everything they say with a pinch of salt. The only certainty is that their web site was toppled. Data theft, or script kiddies? I suspect the latter, actually. They floated the possibility of widespread data theft, which is very responsible of them until it’s figured out what exactly happened. This is a possibility in any attack.

Meanwhile, people are now questioning whether the stolen data (if there was any) was encrypted, and if not, why not. On a live system, data can’t be encrypted. Think about it! This is allegedly a hack of a live system, so the criminals would have access to the same data that he live system would.

This whole story has been hyped up way beyond the facts. No one (including TalkTalk) wants to suggest it may be overblown for fear of being branded irresponsible by a technically illiterate news media and opportunistic politicians. But it smells all wrong to me. How much more embarrassing if it was was actually script kiddies getting lucky, rather than the APT being hinted at.