Category Archives: Gimpy internet nonsense

On moving to SSL, infinite loops, and the downright impossible

Those of you who pay attention to such things (and, realistically, most of the people who read this blog are tremendous nerds about one thing or another) may have noticed the exciting green secure HTTP padlock to the left of the URL in their browser bar.

Yes, we’re now officially just as secure as a 3AM Donald Trump tweet about Saturday Night Live is insecure.

The adventure starts here

(Image: mobius strip) Artist’s impression of somebody trying to load this site recently

Not entirely unrelatedly, some of you may also have noticed that this blog disappeared for several days, my glorious content replaced with a dystopian hellscape of Too Many Redirects and Infinite Loop errors, because it did. Others of you may not have noticed this, because it didn’t. Extremely mystery, wow.

So first up: using TLS/SSL (which, in accordance with convention, I’ll refer to as SSL from now on) to deliver secure websites is a Good Thing, which more or less everyone serious now does.

It makes it a lot harder for someone to steal my login/password, for people to infect this site with spam links, for someone to pretend to be this site in order to confuse and bamboozle you, or for dodgy ISPs and hotel connections to stick ads and pop-ups in the middle of your browsing.

It also means that nobody snooping on your connection can see what you’re doing here (they can still find out that you’re doing  something on this server, but they have no idea whether you’re reading decent honest posts about IT security or downloading the secret archive of filthy dog porn).

Finally, because of all the above, search engines give SSL sites better rankings.

If you run a website, even one as modest as this one, you should move to SSL. You can get a certificate for free, which is extremely easy to deploy with most major hosting companies, or onto your own server.

“But John”, you may well ask, “if it’s so easy to deploy, then why did your blog disappear for several days to be replaced by a dystopian hellscape of Too Many Redirects and Infinite Loop errors?”

Well, that’s a very good question and I’m glad you asked me it…


I have ruined the weird sidebar shape

I’m not saying blogging is obsolete, just that I’ve had a lot of outlets for my views lately that aren’t here, and also everything* has been sufficiently terrible that I’m not sure I want to publicly express some of the views, etc etc.

But I try and do this sort of thing at least once a month and I’m sad that the scroll-down has been disrupted by that. Will do better. Nag me as @johnb78 on Twitter if you think there’s something I should write about.

*my personal life is actually quite good for once but either you agree the world is falling to pieces or you’re at the wrong place.

Dropping the dynamic, because everything is awful

Because I am a naive optimist, when I migrated various defunct blog archives from elsewhere to here, I assumed that running them on auto-updated WordPress would be fine. This was a stupid move. Not specifically because WordPress is bad, but because everything is bad, and hacking is easy. And, of course, happened.

After several months of this site being broken and struggling to keep client sites afloat, I’ve finally got everything sorted out.

My main websites, client and personal (this one included) are now signed up with crazy amounts of security. I’ve blocked all kinds of user agents, headers and IPs, and I’ve signed up with Cloudflare. They’ll probably get hacked again because YOLO, but at least less so than before. Meanwhile, the old websites are cloned HTML mirrors of the original with everything set to 644, so nobody nefarious can nefare with them.

And now I can log into this site, I might even write something substantive here before anyone else dies.

Spot the difference competition

Pictured:
1) Vivian James, an embarrassing stereotype of outdated social attitudes and behaviours;
2) Vivian James, an Australian writer.

If you’ve no idea what I’m talking about, then you’ve probably missed #gamergate, the latest example of socially inadequate men attempting to drive women out of ‘their’ space of video gaming.

Here is an excellent short version and here is an excellent extremely long version.

Twitter won’t kill the general feed, cos that’d kill Twitter

Long-time Twitter users, myself included, value it mostly for the general feed (everyone you follow, live and in chronological order) and the ability to replicate the general feed model for specific lists you’ve made of people you follow and for specific search terms and hashtags.

They need the cash to settle this guy’s image rights suit

At the same time, Twitter is a confusing experience for novices and newbies – and to keep the venture capital taps flowing, the service needs to demonstrate growth.

So this week Twitter-the-company has talked about taking something that resembles its existing “discover” feed, which shows some highlights from the last couple of days of a user’s interactions, their friends’ interactions, and paid-for commercial content, and steering new users towards this ahead of the general feed.

This has caused a bunch of people who mostly should know better to lose their shit (sample lazily pulled from the article above):

There is a tiny flaw in their reasoning: it is bollocks.

Why? Well, you need to remember that Twitter’s value – to users and advertisers alike – is completely different from Facebook’s.

Facebook collects detailed demographic information and combines that with your interactions with the site to create a scarily tailored advertising profile. That’s what it’s for. At work this week, I bought a Facebook advert to reach people in Perth, WA who are interested in space exploration. This would have been simply impossible before Facebook existed.

It’s difficult to manage a wide group of stakeholders

Twitter doesn’t. It provides a direct, unmediated platform for anonymous people, pseudonymous people, named people, famous people, and brands, to all interact on the same level. It doesn’t collate demographic information; the demographic profile data it shows to advertisers is based on surveys of people and the networks they use, not on the information they provide to the site.

But the demographic profile it has is extremely valuable: Twitter’s users are older and richer than the users of any network other than LinkedIn. They are also stroppy as hell, as the storm over this issue (not to mention every other issue that there is in the world) has confirmed.

Twitter-the-company has a balancing act to run, trying to bring in new users so it doesn’t get Kiss of Death growth headlines that deter people from putting up money, but at the same time making damn sure it doesn’t alienate its existing users to any degree beyond that which is necessary to sell advertising, because that would also deter people from putting up money.

The way it deals with this balancing act will, absolutely and definitively, not be by turning into a version of Facebook with the targeting data that makes Facebook into Facebook removed.

So stop worrying. It’s not going to happen.

Spirit in the sky

I shall rest, and they will lay me to rest, when I die
Going to the place that is best
To die, when I lay me down
Spirit, going up to the sky
Spirit, going up to the sky
That is where I go when I die
I shall rest, and they will lay me to rest, when I die
Going to the place that is best

I know you must prepare
Got a friend in Jesus
So you know, when you die
He, the lamb, commends you
Because the spirit of man is in heaven
The lamb commends you
Because the spirit of man is in heaven
That is where you will go when you die
And when you go to die
You, lamb of God, go to the place that is best

Never have I, a sinner, sinned
I have Jesus as a friend
When I die, so that you know
When that lamb is with me
And the spirit in heaven
In heaven, when the spirit is with me, O
That is where I go when I die
I shall rest, and they will lay me to rest, when I die
And go up to the place that is best
And go up to the place that is best

(Norman Greenbaum, as done by Doctor and the Medics)

CBA’s Netbank platform was never vulnerable to Heartbleed

The suggestion has been doing the rounds, at least at the more paranoid/self-fancying end of the technology spectrum, that the Commonwealth Bank of Australia (CBA)’s Netbank online banking platform might have been vulnerable to the Heartbleed vulnerability.

TL/DR: it wasn’t.

Heartbleed only hit sites that use certain versions of the OpenSSL secure toolkit, with its Heartbeat function enabled. Netbank runs on SAP for Banking, implemented by Accenture. SAP for Banking is not affected by Heartbleed, which you’d expect given that it runs on Microsoft IIS (“Microsoft” and “open” go together like anchovies and custard). This isn’t a great surprise: no major western-world banks’ online banking platforms were ever vulnerable, because of the massively proprietary, as well as security-crazy, way in which online banking software is developed.
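As an added illustration (not from the original post), here is a small Python check of the first sentence above: whether an OpenSSL version banner falls in the Heartbleed-affected range, with the heartbeat-compiled-out caveat, run over a constructed inventory of placeholder hosts (not CBA’s real systems).

```python
import re

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2-beta / 1.0.2-beta1 pre-releases. 1.0.1g fixed it; 0.9.8, 1.0.0 and
# 1.0.2 final never carried the bug. A build compiled with
# -DOPENSSL_NO_HEARTBEATS is also safe, which is the "Heartbeat function
# enabled" condition the post mentions.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta(\d*))?")

def parse_openssl_version(banner):
    """Parse 'OpenSSL 1.0.1e 11 Feb 2013', '1.0.2-beta1', etc. into
    (major, minor, fix, letter, beta); None if it is not an OpenSSL version."""
    m = VERSION_RE.match(banner.replace("OpenSSL", "").strip())
    if not m:
        return None
    major, minor, fix, letter, beta_tag, beta_num = m.groups()
    beta = None if beta_tag is None else int(beta_num or 0)
    return int(major), int(minor), int(fix), letter, beta

def heartbleed_exposed(banner, heartbeats_compiled_in=True):
    """True if this OpenSSL build falls inside the CVE-2014-0160 range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError(f"not an OpenSSL version string: {banner!r}")
    major, minor, fix, letter, beta = parsed
    if not heartbeats_compiled_in:
        return False                     # heartbeat code compiled out
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"             # 1.0.1 .. 1.0.1f; 1.0.1g+ patched
    if (major, minor, fix) == (1, 0, 2):
        return beta is not None and beta <= 1   # only the beta pre-releases
    return False

# Constructed sample inventory (placeholder hosts, not CBA's): a transactional
# platform on IIS has no OpenSSL banner at all, so Heartbleed is moot for it.
SAMPLE_INVENTORY = {
    "www.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "netbank.example.test": "Microsoft-IIS/7.5",
    "api.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
}

def exposed_hosts(inventory):
    """Hosts whose OpenSSL banner is in the affected range; non-OpenSSL skipped."""
    return [host for host, banner in inventory.items()
            if parse_openssl_version(banner) is not None
            and heartbleed_exposed(banner)]

if __name__ == "__main__":
    print(exposed_hosts(SAMPLE_INVENTORY))   # ['www.example.test']
```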

So why all the derp? Well, CBA’s non-transactional Commbank.com.au website does use OpenSSL, was apparently vulnerable to Heartbleed, and was apparently patched after the Heartbleed news broke. You don’t use your Netbank credentials to log into Commbank, it isn’t linked to your secure data, and it uses a different security certificate from Netbank.

This created some scope for confusion – and the scope was fully brought to reality by the combination of utterly stupid PR people, and self-satisfied circle-jerking techies happy to spread unjustified fear among CBA customers.

CBA published a blog post that completely failed to explain the difference between the two platforms, and then responded to comments asking for clarification with a meaningless copy-paste of the original post. Rather than doing the basic research that went into my post here, a whole bunch of tech folk who should know better then went crazy with the “WE DON’T KNOW IF OUR NETBANK PASSWORDS ARE SAFE OR NOT, WOES!!!!!!” line.

Stop it. Your Netbank passwords are safe. Someone in CBA’s PR department needs a long walk off a short pier, is all.

(thanks very much to Johnny and Chris for pointing me towards technical details here. Any screw-ups in this post, of course, are solely my fault.)