All posts by bigpresh
Generating openssl keys & certificate signing requests (CSR)
A quick post for my own easy reference more than anything else.
Generating a 2048-bit key:
openssl genrsa -des3 -out www.example.com.key 2048
Generating a certificate signing request:
openssl req -new -key www.example.com.key -out www.example.com.csr
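The same two steps done non-interactively, followed by the check worth running before a CSR goes to a CA: that it verifies and was made with the key it will be installed alongside. This is an added example, not code from the original post; the hostname and subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: key and CSR generation done
# non-interactively, plus a check that the CSR verifies and really belongs to
# the key it will be installed with. Hostname and subject fields are
# constructed placeholders.

# Generate a 2048-bit RSA key and a CSR for $host in directory $dir.
# Unlike the original's -des3, the key is left unencrypted so no passphrase
# prompt blocks an unattended run; umask 077 keeps it readable only by the owner.
gen_key_and_csr() {
  host="$1"; dir="$2"
  ( umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null )
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=GB/O=Example Ltd/CN=$host" 2>/dev/null
}

# Succeed only if the CSR's self-signature verifies AND the public key inside it
# has the same modulus as the private key. A mismatch is the usual cause of a
# "key values mismatch" error when the issued certificate is later installed.
verify_csr_matches_key() {
  key="$1"; csr="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  csr_mod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null)
  [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# Print the subject the CSR carries, to eyeball the CN before sending it off.
csr_subject() {
  openssl req -in "$1" -noout -subject
}
```

Call `gen_key_and_csr www.example.com /some/dir` and then `verify_csr_matches_key` on the two files it wrote; a non-zero return from the verify step means that CSR should not be submitted.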
Writing a Bugzilla extension to auto-link commits
I’ve been meaning to write a Bugzilla extension to turn mentions of commits in bug messages into a link to view the commit via our web-based SVN viewer for ages – this morning I finally found the time to do it.
I needed to use the bug_format_comment hook to format comments as they’re being displayed, turning mentions of commits (e.g. “Commit 123” or “r123”) into links.
The code was pretty simple:
Secure password handling in Dancer apps with Bcrypt
James Aitken has released Dancer::Plugin::Bcrypt, a new plugin for Dancer apps to make secure password hashing using Bcrypt easy.
For a background on why you ought to use Bcrypt rather than simpler hashing, see http://codahale.com/how-to-safely-store-a-password/ – basically, using MD5/SHA etc. is too inexpensive, meaning that, even with a good salt, cracking the hash isn’t too hard to do these days, especially now that GPUs are routinely used for cracking. Bcrypt is intentionally expensive and slow (you can decide just how much).
Dancer::Plugin::Bcrypt makes validating a password hash as easy as:
if (bcrypt_validate_password($entered_password, $stored_hash)) {
...
}
Generating a hash to store is also very simple:
my $hash = bcrypt($plaintext);
Generation of random salt is taken care of for you.
*UPDATE* – the above is a nice simple way to quickly get secure password hashing with minimal effort – it is likely not the best way, though. If you’re already using DBIx::Class, then see DBIx::Class::PassphraseColumn for a better way to do this automatically at your database model level.
Thanks to mst for prompting me to mention the above :)
Virgin Media – quit adding adverts to On-Demand stuff
At home we have TV through Virgin Media, with “TV XL”.
As part of the package, we get on-demand TV shows and music videos, but recently Virgin have started adding adverts (for example, for FilmFlex) to the start of the videos. Sorry, what? We’re paying a fortune for the service which includes on-demand stuff; don’t add adverts to it. If we were getting it for free and it was subsidised by the adverts, fair enough, but we’re paying for it, so just show us what we ask for, without adding crap.
Time to call them up I think.
SMART monitoring drives on 3ware cards
I’ve been updating my Nagios monitoring to make sure I’m carefully monitoring my server hardware, including temperature, fan speeds and hard drives, and I wanted to use S.M.A.R.T. monitoring to monitor drives on a 3ware RAID controller for signs of imminent failure.
I already monitor the status of the RAID array itself using my nagios_3ware_raid_check Nagios plugin (which I previously blogged about), but I wanted to use SMART monitoring to look for signs of imminent drive trouble, rather than simply finding out when a drive has just failed.
After installing smartmontools, I was able to edit /etc/smartd.conf, disabling the default of scanning for devices, and listing devices explicitly, as follows:
# Monitor the drives on our RAID array; schedule self tests for Sundays.
/dev/twa0 -d 3ware,0 -a -s L/../../7/02
/dev/twa0 -d 3ware,1 -a -s L/../../7/04
The above monitors both drives of a RAID-1 mirrored pair on a 3ware controller card; the -s option schedules a long self-test every Sunday, starting between 2-3am and 4-5am respectively.
I’m still looking for a good way to monitor via Nagios, though; the (poorly-named) check_ide_smart plugin doesn’t support the ability to monitor drives on other interfaces as far as I can see. I found a couple of Perl scripts such as Check-SMART-status-modified, but they had issues.
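One way to get the Nagios side working for drives behind a 3ware card, using the same -d 3ware,N addressing as the smartd.conf above. This is an added example, not code from the original post or from the plugins it mentions; smart_status() parses smartctl output from stdin so it can be exercised without the hardware, and the sample outputs embedded below are constructed, not captured from a real drive.

```shell
#!/bin/sh
# Added example, not from the original post: a Nagios-style check for a drive
# behind a 3ware controller, addressed with "-d 3ware,N" as in smartd.conf.
# smart_status() parses "smartctl -H -A" output from stdin so it can be tested
# offline; the sample outputs below are constructed, not from real hardware.

# Parse smartctl -H -A output on stdin; print one Nagios status line and return
# the matching exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). Argument:
# warning temperature in Celsius (default 45). RAW_VALUE is field 10; trailing
# text such as "(Min/Max 21/41)" on the temperature row is ignored.
smart_status() {
  awk -v warn_temp="${1:-45}" '
    /overall-health self-assessment test result:/ { health = $NF }
    $2 == "Reallocated_Sector_Ct"  { realloc = $10 }
    $2 == "Current_Pending_Sector" { pending = $10 }
    $2 == "Temperature_Celsius"    { temp = $10 }
    END {
      if (health == "")       { print "UNKNOWN - no SMART health line in smartctl output"; exit 3 }
      if (health != "PASSED") { print "CRITICAL - SMART health " health; exit 2 }
      msg = "realloc=" (realloc+0) " pending=" (pending+0) " temp=" (temp+0) "C"
      # Reallocated or pending sectors are the classic early warning of a dying disk.
      if (realloc+0 > 0 || pending+0 > 0) { print "WARNING - bad sectors appearing (" msg ")"; exit 1 }
      if (temp+0 >= warn_temp) { print "WARNING - drive running hot (" msg ")"; exit 1 }
      print "OK - SMART healthy (" msg ")"; exit 0
    }'
}

# Query one port of a 3ware controller, e.g. check_3ware_drive /dev/twa0 0
# (the exit status is awk's, so Nagios sees the right state).
check_3ware_drive() {
  smartctl -d "3ware,$2" -H -A "$1" | smart_status "${3:-45}"
}

# Constructed samples of smartctl -H -A output (not captured from real drives).
SAMPLE_HEALTHY='SMART overall-health self-assessment test result: PASSED
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
194 Temperature_Celsius     0x0022   107   094   000    Old_age   Always       -       36 (Min/Max 21/41)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0'

SAMPLE_PENDING='SMART overall-health self-assessment test result: PASSED
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       8
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       3'

SAMPLE_FAILED='SMART overall-health self-assessment test result: FAILED!'
```

Wire it into Nagios as a command that runs `check_3ware_drive /dev/twa0 0` and `check_3ware_drive /dev/twa0 1`, one service per mirror member.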
LulzSec hacked the UK census? Says who?
This afternoon there’s been a lot of speculation based on this pastebin post, which claims to be by LulzSec, and warns:
We have blissfully obtained records of every single citizen who gave their records to the security-illiterate UK government for the 2011 census
We’re keeping them under lock and key though… so don’t worry about your privacy (…until we finish re-formatting them for release)
Myself and the rest of my Lulz shipmates will then embark upon a trip to ThePirateBay with our beautiful records for your viewing pleasure!
It’s gathered a lot of attention, including reports on The Register, SC Magazine and V3, but with nothing to actually suggest it’s true.
LulzSec’s Twitter stream disclaims any knowledge:
I’m not seeing “we hacked the UK census” on our twitter feed or website… why does the media believe we hacked the UK census? #confusion
Not sure we claimed to hack the UK census or where that rumour started, but we assume it’s because people are stupider than you and I.
Just saw the pastebin of the UK census hack. That wasn’t us – don’t believe fake LulzSec releases unless we put out a tweet first.
Anyone in the world can copy and paste The Lulz Boat ASCII art and general lighthearted theme. Smarten up, check the feed first. #AntiSec
Looks like someone decided to make up a rumour, and it’s been circulated widely by the media.
Of course, I wouldn’t have actually been at all surprised if it did turn out to be true; this is the UK Government and Lockheed Martin we’re talking about, and LulzSec have shown their ability to hit some pretty big targets in the past…
.xxx domain pre-registrations available from UK2
Whilst I don’t think much of the upcoming .xxx TLD (in particular the crazy prices), you can now get .xxx domain registration from UK2 (sunrise/landrush and general availability pre-registration).
Using Yahoo Pipes to strip images from RSS feed
I’ve been subscribed to the It Made My Day RSS feed for ages, but fairly recently they started adding pointless cutesy image macros as well as the text – I don’t want to see those in the feed as they’re generally hard to read and a waste of bandwidth.
So, Yahoo Pipes to the rescue – I created a simple pipe which fetches the IMMD feed, uses regexes to strip out the images, then subscribed to the result of that pipe.
Job done – if you’re interested, the pipe feed URL to subscribe to is http://pipes.yahoo.com/bigpresh/immdnoimages.
iPhones can’t receive vCard contacts via SMS?
I’ve just been sending a phone number by SMS as a vCard to a friend’s iPhone, and after two attempts, both of which were successfully delivered to the phone, according to the delivery report, he didn’t receive them.
A bit of Googling would suggest that the iPhone just silently ignores incoming vCard contact details. Seriously, what the actual fuck?