Category Archives: Technology

[Tech] The future is cardboard

I’ve just tried Google Cardboard Virtual Reality..

It was a bit blurry but very interesting..

The video was of the O2 and Greenwich Peninsula, and how it might look in 20 years time..

Apparently there will be huge very narrow snaking walkways that propel people along, and the cable cars will just go into a cloud and vanish..

Strange things to look forward to..

Will now download the cardboard app and try a few more VR experiences.

The biggest disappointment in the experience was having to type Greenwich Peninsula into a web browser to find the video they wanted; I suggested that they should have a QR code.

[Update] The even better suggestion from a friend was a Wi-Fi hotspot that only served the correct page.  They were so close with this vision of the future, and yet so far away.

[www] Microsoft IIS HTTPS ping of death

So I have been intrigued by the news coverage, or lack of it, of a bug reported in Microsoft’s IIS webserver last week.  What makes this slightly unusual is that Microsoft released a patch on Tuesday, and by Thursday some bright spark had worked out what exactly the patch fixed, and worked out that if you gave a very interesting poke at an unpatched IIS webserver then it would blue screen.

The interesting magic to test if a server is vulnerable being:

curl -v [ipaddress]/static.png -H "Host: test" -H "Range: bytes=0-18446744073709551615"

Simply change the 0- to 20- and the server instantly hits the blue screen of death. Manual intervention is required: some poor operator has to reboot the computer for it to be usable again.

So how much press did this bug get? Practically zero. It was reported in the Register, but from the mainstream news outlets nothing. Which is interesting, as the recent must-patch-now bugs for Linux, Heartbleed for example, got quite a bit of press. Admittedly that bug was in the OpenSSL package, that is used for encryption, but it also didn’t have the power to crash the server. Maybe it was the fact it had a way cooler name that helped it get attention.

What is very interesting is that both bugs were caused by the same very simple mistake. Accepting input and not checking that input is valid before you act on it. A very clear explanation of the heartbleed issue in cartoon form is given by XKCD. In one it can be used to reveal information, and in the other crash the server.
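As an added illustration of that point (example code written for this page, not Microsoft's code and not from the original post), here is the check a server should make on a Range header before acting on it, plus a scan over constructed log lines for the oversized offsets used in the curl command above. The 1 TiB ceiling and the log-line format are assumptions.

```python
import re

# Assumed ceiling (not from the original post): nothing served here exceeds 1 TiB.
MAX_OBJECT_SIZE = 1 << 40

# Single-range form only: bytes=first-last, bytes=first-, or bytes=-suffix
RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")

def looks_like_overflow_probe(header):
    """True when an offset is far beyond any real object, e.g. 18446744073709551615."""
    m = RANGE_RE.match(header.strip())
    return bool(m) and any(v and int(v) > MAX_OBJECT_SIZE for v in m.groups())

def validate_range(header, content_length):
    """Check a Range header against the real resource length before doing any
    arithmetic on it.  Returns (verdict, start, end), offsets clamped and inclusive."""
    m = RANGE_RE.match(header.strip())
    if not m or m.groups() == ("", ""):
        return ("malformed", None, None)
    if looks_like_overflow_probe(header):
        return ("suspicious", None, None)   # reject, do not even do the maths
    first, last = m.groups()
    if first == "":                          # bytes=-N means the last N bytes
        n = int(last)
        if n == 0:
            return ("unsatisfiable", None, None)
        return ("ok", max(0, content_length - n), content_length - 1)
    start = int(first)
    end = int(last) if last else content_length - 1
    if start >= content_length or end < start:
        return ("unsatisfiable", None, None)  # an HTTP 416, not a crash
    return ("ok", start, min(end, content_length - 1))

def flag_requests(log_lines):
    """Return the Range values in access-log lines that look like overflow probes."""
    hits = []
    for line in log_lines:
        m = re.search(r'range="([^"]*)"', line)
        if m and looks_like_overflow_probe(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines in a made-up format (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 GET /static.png 206 range="bytes=0-1023"',
    '203.0.113.5 GET /static.png 200 range="bytes=0-18446744073709551615"',
    '203.0.113.6 GET /static.png 500 range="bytes=20-18446744073709551615"',
]
```

A real server would answer "unsatisfiable" with 416 and "suspicious" or "malformed" with 400, and both are worth counting in the logs since a legitimate client never sends offsets that large.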

Hang on a minute, an instruction sent to an open port on a server had the opportunity to crash the whole server! Not just the webserver, or the currently active thread that is returning a single web page, but the whole server. Really.
This is because of an arms race between IIS and Apache that happened a few years back; both were trying to demonstrate that they were the fastest webserver at a range of tasks, one of which was returning HTTPS webpages.
In order to try and gain an advantage in that race, Microsoft broke a security model. They moved the HTTPS handling of the IIS webserver into the kernel, the main core part of the operating system. This made the processing of HTTPS pages faster, but it means that a simple bug will crash the whole server.

Which is why people don’t host critical systems on Microsoft webservers: they know that bugs like this one will be out there, that the code base isn’t being independently checked, and that security standards are ignored to try and satisfy performance problems.

[tech] I have killed my mobile..

My mobile is dead, very dead: the screen stays resolutely blank unless I force a reboot, in which case I get a small flash from the navigation keys at the bottom.

The screen has been flickering for a little while now, which has been annoying, but I had thought it would hold out till the new year.  Well it nearly made it.  So I have the choice of trying to find another little mobile phone shop and seeing if they can fix it, or getting a new phone.  Neither of which will be very quick.  Which is rather annoying.

So I will be slightly harder to get hold of for the next while.  Sure that you will be able to cope mind.

[tech] Information Security Fail

So I have just registered on a job website for Information Security roles.  Nothing exciting there.

What has amused me is that as part of that registration the site, which specialises in Information Security, sent me a confirmation email, an email that included both my username and password in clear text.

Part of me is wondering if this is some sort of test, if you don’t comment on this then clearly you do not work in the field.

Why do websites continue to do this? This is such a schoolboy error.

And if they have got that wrong, then what other mistakes are they making?

[tech] this was posted from a Windows-free laptop..

So after 2 weeks of faffing I now have Debian running on my laptop; it took rather more mucking about than it should have done.  Just so I remember what I had to do, here are some notes.

To get past UEFI secure boot I had to install Ubuntu; once that had successfully installed the GRUB boot loader, then I could install Debian non-free, as the USB Wi-Fi dongle I was using was based on the Ralink chipset, and that isn’t part of the standard package.

Once that was installed, you could add the backports, contrib and non-free distributions to /etc/apt/sources.list, also add support for the 32-bit architecture, and install firmware-iwlwifi.

After all of that it seems to be working, which is a very good thing.

[Tech] Windows 8 second thoughts

So I spent most of the weekend trying to dual boot my laptop so I could use Debian rather than Windows 8.
Only a new thing has happened which is called UEFI, and oddly pronounced like unity without the n.  This is the new secure boot system, so strictly speaking it isn’t Microsoft’s fault, but they do seem to have used it to make booting anything that isn’t Windows a complete nightmare.

Annoyingly, while I can boot the Debian boot USB image, it can’t talk to my wireless network (and my new laptop doesn’t have an Ethernet port, which clearly shows when I last upgraded my laptop).
So I can’t try and download additional packages that might help.  Or read the internet forums on the topic from within Linux.

So at the moment I am stuck with Windows 8, so I had just better get to like it.