
Senior WordPress platform developer. Open web / Music. DJ (under @CloudseerDJ). Tall Dutch guy.

twitter.com/svandragt

github.com/svandragt

mixcloud.com/cloudseer

Stop OpenPGP passphrase prompting on login


As a security conscious person I set up my OpenPGP keys with a passphrase; however, on openSUSE Leap 15 this causes a passphrase prompt to appear at login that delays the network connection from coming up. The same issue also blocks software updates and forces a browser restart, because the browser's DNS cache stops connections to websites from working. This is fairly annoying.

It turns out that this can be fixed by sharing the network connection with all users: Connections > open the connection > General Configuration > tick "All users may connect to this network". This causes NetworkManager to cache the required authorization tokens (this is my understanding).
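What that checkbox actually changes can be seen in NetworkManager's stored connection. The script below is an added example, not from the original post: it reads a NetworkManager keyfile and reports who may activate the connection and where the Wi-Fi secret lives. It relies on two documented NetworkManager conventions: `connection.permissions` lists the users allowed to activate a connection (empty or absent means everyone), and a secret's `-flags` value means 0 = stored by NetworkManager in the keyfile, 1 = agent-owned (held by the logged-in user's secret agent, i.e. the desktop wallet), 2 = never saved, 4 = not required. The two keyfiles, the connection id `home-wifi`, the user `sander` and the psk are constructed for the example.

```python
"""Added example (not part of the original post): inspect what "All users may
connect to this network" changes in a NetworkManager keyfile.

Assumed facts about the keyfile format: connection.permissions names the users
allowed to activate the connection (empty = all users); psk-flags 0 means the
PSK is stored by NetworkManager itself, 1 means it is held by the user's secret
agent (desktop wallet), 2 never saved, 4 not required.
"""
import configparser

SECRET_FLAG_MEANING = {
    0: "stored by NetworkManager in the system keyfile",
    1: "agent-owned: held by the logged-in user's secret agent (desktop wallet)",
    2: "not saved: asked for on every connect",
    4: "not required",
}

# Constructed sample: the connection as a single-user (per-user) connection.
PER_USER_KEYFILE = """\
[connection]
id=home-wifi
type=wifi
permissions=user:sander:;

[wifi-security]
key-mgmt=wpa-psk
psk-flags=1
"""

# Constructed sample: the same connection after ticking "All users may connect".
ALL_USERS_KEYFILE = """\
[connection]
id=home-wifi
type=wifi
permissions=

[wifi-security]
key-mgmt=wpa-psk
psk=made-up-example-passphrase
"""


def parse_keyfile(text):
    """NetworkManager keyfiles are plain INI; disable interpolation so '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def allowed_users(cp):
    """Users named in connection.permissions; [] means every user may activate it."""
    raw = cp.get("connection", "permissions", fallback="")
    return [entry.split(":")[1] for entry in raw.split(";") if entry.startswith("user:")]


def psk_storage(cp):
    """Where the Wi-Fi PSK lives according to psk-flags (0 when the key is absent)."""
    flags = cp.getint("wifi-security", "psk-flags", fallback=0)
    return SECRET_FLAG_MEANING.get(flags, "unknown flag value %d" % flags)


def describe(text):
    """Summarise scope and secret storage of one keyfile."""
    cp = parse_keyfile(text)
    users = allowed_users(cp)
    return {
        "id": cp.get("connection", "id"),
        "all_users": not users,
        "allowed_users": users,
        "psk_storage": psk_storage(cp),
        "psk_in_keyfile": cp.has_option("wifi-security", "psk"),
    }


if __name__ == "__main__":
    for label, text in (("per-user", PER_USER_KEYFILE), ("all-users", ALL_USERS_KEYFILE)):
        print(label, describe(text))
```

On a live system the same information is printed by `nmcli connection show <name>` (fields `connection.permissions` and `802-11-wireless-security.psk-flags`), and the keyfiles themselves sit under `/etc/NetworkManager/system-connections/`. Whether your desktop moves the secret from the user's wallet into the system keyfile when the box is ticked is something to verify there rather than assume.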

Note that other software, such as Kontact, might set a daemon to start by default, causing the same prompt. This can be unticked in its settings.

If everything else fails you could remove the passphrase from the PGP key, but this is not recommended: should the key file ever be exposed, anyone holding it could then sign, decrypt and otherwise act as you without needing anything further.

Transitioning to Gutenberg


The WordPress Project says:

The Classic Editor plugin will be officially supported until December 31, 2021.

[...]

Since the Classic Editor plugin is central in this transition, we are considering including it with upgrades to WordPress 5.0.

In the context of my professional work with WordPress it would be beneficial to see the Classic Editor plugin included by default in the installation package. This would signal to plugin and theme developers that we are in a transition phase but still supporting existing installations, until Gutenberg is more fully accepted by the wider community. Not doing so could put pressure on smaller developers to test their updates for Gutenberg only, resulting in a lot of broken sites, or in a security nightmare where people can't update to the latest versions of WordPress or their plugins until the teams and processes are ready.

Banning the "Ban Crypto" Agenda


Cory Doctorow over at BoingBoing.net writes:

Theresa May says there should be no "means of communication" which "we cannot read" -- and no doubt many in her party will agree with her, politically. But if they understood the technology, they would be shocked to their boots.

Perhaps we should no longer assume that politicians 'do not understand the internet' and assume they are asking for changes in the full understanding that they don't achieve the goal for which they're introduced.

As long as the situation that's being created is more favourable for them than the current one it's a net benefit.

Short-term politics is the biggest threat to UK society at the moment and the current government is particularly good at it.

Updating Homebrew for macOS Sierra


If you've just upgraded to Sierra and previously had Homebrew installed, you may find that it no longer works because of a stricter security feature in macOS. To get Homebrew back up and running, execute the following commands in your terminal (thanks thehitmaniptf):

sudo chown -R $(whoami) /usr/local
xcode-select --install

The first command gives your local user account ownership of /usr/local (where brew installs things). Note that this is a broad grant: every file under that tree, including everything in /usr/local/bin, becomes writable by your account without sudo. The second command installs or updates the Xcode command line tools, without which Homebrew cannot compile packages.

Once this is done you can successfully update Homebrew as normal, and diagnose any remaining issues:

brew update
brew doctor

After running this, brew doctor prints instructions for restoring the original ownership of /usr/local, since newer Homebrew releases no longer need to own that path. Do restore it; leaving /usr/local owned by your user is the price paid to get brew working again, not a state to stay in.
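To see what the chown above actually exposed, here is an added example (not from the original post): it lists the directories on your PATH that your unprivileged account can write to, and the executables inside them that any process running as you could replace. Run it after the chown and again after restoring ownership. It uses only the standard library and checks the real filesystem, so its output depends on the machine it runs on.

```python
"""Added example (not part of the original post): audit PATH for directories and
executables writable by the current user. After `sudo chown -R $(whoami) /usr/local`
everything brew installs into /usr/local/bin shows up here."""
import os


def writable_dirs(path_entries):
    """Directories from a PATH list that exist and the current user may write to."""
    return [d for d in path_entries if d and os.path.isdir(d) and os.access(d, os.W_OK)]


def writable_executables(directory):
    """Executable regular files in `directory` that the current user may modify."""
    found = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and os.access(full, os.X_OK) and os.access(full, os.W_OK):
            found.append(full)
    return found


def audit_path(path_string=None):
    """Map each writable PATH directory to the writable executables inside it.

    path_string defaults to the process's own PATH; pass a string to audit a
    different search path (entries separated by os.pathsep).
    """
    if path_string is None:
        path_string = os.environ.get("PATH", "")
    entries = path_string.split(os.pathsep)
    return {d: writable_executables(d) for d in writable_dirs(entries)}


if __name__ == "__main__":
    for directory, executables in audit_path().items():
        print("%s: %d writable executables" % (directory, len(executables)))
        for exe in executables:
            print("    " + exe)
```

A directory that appears here early in PATH is a place where a malicious process running as you can drop or overwrite a command that you (or a script run with sudo) will execute next, which is the reason brew doctor asks you to hand /usr/local back to root:wheel.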

Update 6th Nov, 2016: When using cask you might be told to move the Caskroom to its new location:

sudo mv /opt/homebrew-cask/Caskroom /usr/local

Tip: keep a list of the domains covered by each of your TLS certificates and their expiry dates.
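One way to keep that list honest, as an added example that is not part of the original post: store the hostnames and `notAfter` dates, flag anything expiring within a renewal window, and pull the covered names and expiry straight from the served certificate rather than from memory. The date format is the one openssl and Python's `ssl.getpeercert()` print, which `ssl.cert_time_to_seconds()` parses. `INVENTORY` and `SAMPLE_PEERCERT` are constructed for the example; the hostnames and dates are made up.

```python
"""Added example (not part of the original post): track which names each TLS
certificate covers and when it expires, and flag the ones due for renewal."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory: hostname -> notAfter as printed by openssl / getpeercert().
INVENTORY = {
    "shop.example.com": "Dec 31 23:59:59 2024 GMT",
    "api.example.com": "Jun 30 12:00:00 2025 GMT",
    "old.example.com": "Nov 01 00:00:00 2024 GMT",
}

# Constructed sample in the shape ssl.getpeercert() returns for a validated peer.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (
        ("DNS", "shop.example.com"),
        ("DNS", "www.shop.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def days_until_expiry(not_after, now):
    """Whole days from `now` (timezone-aware) until the certificate's notAfter; negative if expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def expiring_soon(inventory, now, threshold_days=30):
    """Hostnames whose certificate has expired or expires within threshold_days -> days left."""
    result = {}
    for hostname, not_after in inventory.items():
        days = days_until_expiry(not_after, now)
        if days <= threshold_days:
            result[hostname] = days
    return result


def covered_names(peercert):
    """DNS names the certificate is valid for, taken from subjectAltName (CN alone is not enough)."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_peercert(hostname, port=443, timeout=5.0):
    """Live lookup (needs network): the validated leaf certificate as getpeercert() returns it.
    Sends SNI, so a server hosting several certificates returns the one for `hostname`."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for hostname, days in sorted(expiring_soon(INVENTORY, now).items()):
        print("%s: %d days left" % (hostname, days))
    print("covered:", covered_names(SAMPLE_PEERCERT))
```

Two things the inventory approach tends to get wrong and the live lookup catches: a certificate renewed with a different SAN list silently stops covering a name, and a host behind a load balancer may serve a different certificate per SNI name than the one you recorded.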

Security through insecurity


Schneier explained how, initially, NSA Director General Keith Alexander claimed in 2013 that he had disrupted 54 terrorists plots. A few months later, this was revised down to 13, and then to "one or two." Eventually, the only success that the NSA could point to was the prevention of a San Diego man sending $8,500 to support a Somali militant group.

Doesn't sound like a worthy trade-off.

How to tell a site is reputable or not?


I get asked every now and then whether a new online shopping site is reputable. As there is no magic way to determine this, I have written up these pointers so you can check for yourself. Please note that I am not responsible for any mistakes in ordering from a site that seems legitimate and then turns out to be fraudulent!

I look at the following things:

  1. Do a Google search for the domain name together with one of the following words: reliable, reputable, fraud, scam etc. This might bring up a few experiences; check some of the links to determine that these experiences are genuine (not written by a competitor, for example).
  2. Search for the domain name on Web of Trust and TrustPilot. Don't just look at the figures, look at the comments: do they seem genuine (have they been written with due care and attention, proper punctuation etc.)?
  3. View the incoming links for the domain, using Alexa. Are these from genuine sites, or from things like link directories where people can add their own sites just to rank higher in the search results?
  4. All reputable shops use social networking for marketing purposes. Check their Twitter replies and Facebook wall comments for happy / unhappy customers.
  5. If you know of a community that discusses the subject matter, search there too. They will probably have determined whether or not the site can be trusted.
  6. If you are still unsure, attempt a trial checkout and see whether the website supports reputable external payment options. If your card details are entered on and stored by the payment provider rather than by the shop, a breach of the shop's own systems cannot expose them.

From the resources above you will get a general gist of any major issues. Feel free to get in touch with any tips of your own.

Letter to Ministry of Sound


Dear sir/madam,
I am writing to you to complain about the new Ministry of Sound website and the lack of data protection with regards to your users.

Earlier today I received an email notification about the new MoS website. The email also notified me that a new password had been issued for use on the website. These are two characteristics of a phishing mail: in this case, launching a new website and sending out new passwords could easily have come from a malicious source wanting me to log in to their MoS-lookalike website and take my credit card details. You shouldn't send out a new password unless someone requests it on your website, because email can be forged. You also sent out my password in a plain text email rather than on a secure part of your website. Anyone can read it, log in to my account and place orders.

Also, to my surprise, while investigating the source of the mail I found that several of the links point to a http://www.c-f-1.com/ domain (update: this domain name no longer exists!); the name doesn't help to improve trust in your email. To my astonishment the link led to a webpage with the HTML email, again with my password in plain sight. Have a look (link removed); I have changed my password already. Let's wait for Google to index it so that anyone can search for my account information. They have already found other newsletters.

Finally, I used mosdownload.com to buy my MP3s online. This site no longer works, as an error comes up when it tries to redirect, due to a configuration error. My order history is gone, and most of my profile is gone.

I'm very disappointed with your lack of security and care for your customers and unfortunately have come to the conclusion that I won't be using your service again, and I will recommend that my friends and family do the same, due to these trust issues.

Avoid spyware by running applications with SetSAFER


Everybody who's ever tried it knows the problem. Life as a regular user on Windows is a pain: who wants to switch users just to install software, and sometimes even to run it? However, running software as a non-admin increases security. A process running with limited-user rights cannot write to Program Files, the system directory or the machine-wide parts of the registry, so spyware it lets in cannot install itself into the system.

Using SetSAFER, a program created by Microsoft employee Michael Howard, we can run any application as a regular (limited) user while still being logged in with an administrator account. After testing for side effects, which I explain below, I recommend you give this a try. I no longer have to run a real-time spyware scanner, and now just schedule routine scans.

As one of the articles Michael has written on the subject is no longer available, I'll quote the nonadmin site for a complete explanation of the program:

SetSAFER is a policy-setting tool written by Michael Howard that can force applications to always run with lower privileges. You can download it and read about it in his MSDN article "Browsing the Web and Reading E-mail Safely as an Administrator, Part 2".

For example, you could mark your favourite browser to always run as a user, regardless of whether it starts by invoking a URL on the desktop, a link in email, a newly spawned browser and so on.

SetSAFER uses the SetSAFER.xml file to configure the applications that should be run with lower privileges. You can edit this with any text editor such as Notepad to add applications and even whole folders (a folder entry covers every program beneath it). My configuration can be found below; note that Outlook is listed with user="false", so it keeps full rights. This way I run my browsers, e-mail software and messengers without worrying about spyware:

<?xml version="1.0" encoding="UTF-8"?>
<safer>
<app comment="Internet Explorer" path="c:\program files\internet explorer" user="true" />
<app comment="Mozilla Firefox" path="c:\program files\mozilla firefox" user="true" />
<app comment="Opera 9.5 Alpha" path="c:\program files\opera 9.5 alpha\opera.exe" user="true" />
<app comment="Outlook" path="c:\program files\microsoft office\office12\outlook.exe" user="false" />
<app comment="Outlook Express" path="c:\program files\outlook express" user="true" />
<app comment="Windows Messenger" path="c:\program files\messenger" user="true" />
<app comment="Windows Live Messenger" path="c:\program files\windows live\messenger" user="true" />
</safer>

Side Effects

Some applications are not built to run in a mixed-privilege environment and cause issues when run like this. This is not SetSAFER's fault, however, as it just uses the built-in Windows policy settings.

Google Desktop and Google Toolbar for Internet Explorer monitor the browser history for pages that are visited and add them to their database. I assume this is not allowed as a regular user. Whatever the reason, it causes the browser to freeze whenever you go to a webpage. I've uninstalled Google Toolbar and Google Desktop until I have found a solution. Any help would be appreciated.

The Windows Update and Microsoft Update websites, and certain Java applets, will not function if the user is not an administrator. This can be a pain if you want to check for updates manually. The solution: navigate to the Internet Explorer installation folder (c:\program files\internet explorer) and copy iexplore.exe to another location. The copy will run with full rights. Be aware of what this shows about the protection: the rules match on path alone, so any program or user able to copy a restricted binary elsewhere and launch it from there runs it unrestricted. Keep such a copy for update checks only, and don't browse with it.

Finally, any program started from another application inherits the restricted rights of its parent. This means that installers run directly from the browser will also run with lower privileges and will tell you that you do not have enough rights to install. This is intended and exactly what we want: a secure browsing environment. It may be a slight annoyance at first; just browse to the downloaded file and run it yourself.
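The configuration above and the iexplore.exe copy trick together show the two things worth checking in a SetSAFER.xml: which entries actually restrict anything, and which paths a given executable falls under. The script below is an added example, not part of the original post and not code from SetSAFER itself. It assumes SetSAFER treats a `path` that names a folder as covering everything beneath it and compares paths case-insensitively as Windows does; the sample XML is constructed for the example and deliberately carries a trailing space in one path.

```python
"""Added example (not part of the original post, not SetSAFER's own code):
parse a SetSAFER.xml in the <safer><app comment= path= user=/> layout, audit
its entries, and test whether an executable path is covered by a restricting rule."""
import xml.etree.ElementTree as ET

# Constructed sample; the trailing space in the Outlook path is intentional.
SAMPLE_SETSAFER_XML = r"""<safer>
<app comment="Internet Explorer" path="c:\program files\internet explorer" user="true" />
<app comment="Outlook" path="c:\program files\microsoft office\office12\outlook.exe " user="false" />
<app comment="Mozilla Firefox" path="c:\program files\mozilla firefox" user="true" />
</safer>
"""


def load_rules(xml_text):
    """List of (comment, path, restricted) tuples, one per <app> element."""
    root = ET.fromstring(xml_text)
    return [
        (app.get("comment", ""), app.get("path", ""), app.get("user", "").strip().lower() == "true")
        for app in root.findall("app")
    ]


def audit_rules(rules):
    """Findings a reviewer would raise about the rule set, as (comment, problem) pairs."""
    findings = []
    for comment, path, restricted in rules:
        if path != path.strip():
            findings.append((comment, "path has leading or trailing whitespace; verify it still matches the binary"))
        if not restricted:
            findings.append((comment, 'user="false": this program keeps full administrator rights'))
    return findings


def _norm(path):
    """Windows-style, case-insensitive comparison form (assumption: SetSAFER compares this way)."""
    return path.strip().lower().replace("/", "\\").rstrip("\\")


def is_restricted(rules, exe_path):
    """True if exe_path equals, or lies beneath, the path of a rule with user="true".

    Only the path is consulted, which is why a copy of iexplore.exe made elsewhere
    (as described in the text above) runs with full rights."""
    target = _norm(exe_path)
    for _, path, restricted in rules:
        rule = _norm(path)
        if restricted and (target == rule or target.startswith(rule + "\\")):
            return True
    return False


if __name__ == "__main__":
    rules = load_rules(SAMPLE_SETSAFER_XML)
    for comment, problem in audit_rules(rules):
        print("%s: %s" % (comment, problem))
    print(is_restricted(rules, r"c:\program files\internet explorer\iexplore.exe"))  # restricted
    print(is_restricted(rules, r"c:\temp\iexplore.exe"))  # a copy elsewhere: not restricted
```

The `is_restricted` check is the one to run for every way a program can be launched (desktop shortcut, mail link, a copy in a user-writable folder); anything that reports False runs with your administrator rights.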

Downloads and Resources