* Posts by KHobbits

10 posts • joined 17 Jul 2009

Budget hotel chain, UK political party, Monzo Bank, Patreon caught in Typeform database hack



> Startup bank Monzo, which was caught up in the Ticketmaster hack

I thought Monzo was the company that informed Ticketmaster that Ticketmaster (or one of their third parties) had been breached, and in no way more caught up in it than any other bank...

2016 just got a tiny bit longer. Gee, thanks, time lords


Google smear

Google have released their smearing ntp servers to the public, for people who don't want to deal with 61 seconds our repeated seconds.

Their blog has a nice write up of the problem and why they solved it that way.


Code Spaces goes titsup FOREVER after attacker NUKES its Amazon-hosted data


Wise men enable security

No matter what sort of solution you decide to go with, you are throwing your trust behind a vendor, that could be the guys that make your tape drive, or the guys who are providing you with offsite hosting.

Amazon has a fairly decent track record, so I'm fairly happy to trust them with my data.

AWS has a rather decent level of security. If you want to have a web application interact with the AWS API you set it up with just enough IAM permissions to do the task it needs to do. You can bake these credentials into the app, or into a server, or even a set of credentials for each app per server.

You should never need to write your console credentials in any script or server location. Each console account can be fine tuned in privileges. I for example have granted my development team with access to view all my servers, ssh to them with the key attached to their account, but they can only use sudo and deploy to the development stacks.

The developers have read only access to the s3 object storage, but not access to delete, and don't have any access to the AMI's or ability to manage databases what so ever.

Me and my boss both have our own admin console credentials, protected via 2 factor auth, with the root credentials secured in the same manner.

This is all standard, and recommended behaviour for any AWS account. Anyone that isn't doing this is ignoring recommended practices, and if you would be stupid not to if you are hosting anything worth protecting.

Brit telco flagship BT joins blockade of Pirate Bay


For people who find themselves interested in pirate politics, you might find the pirate party website to have an interesting stance on the situation....


LinkedIn admits site hack, adds pinch of salt to passwords


Re: Eh, isn't this impossible???

They could use double hashing, for example:

sha1 ( sha1(Password) + salt )

If they did it this way, they could upgrade the old database by just taking the current hash, adding a salt, and rehashing.

That said, using a single static salt on a database the size of linked in, wouldn't really be sufficient for my piece of mind.

Web hosting


Re: I'm using Linode

Linode has some really decent hosting. When I signed up to Linode originally, they didn't have the London DC, so I did a bit of chatting to people on their IRC help channel (currently over 400 users).

After spending a few minutes talking with the happy customers in there, and doing a few speed tests to pull from some of the offered test files, I found Newark data centre offered fast enough speeds to Europe for my purposes. And infact if you were looking to host websites with a global audience I'd still recommend Newark.

Few perks:

Really nice web interface, you can roll out a really nice selection of premade images of distro's ready to go, and manage thinks like DNS from on panel.

Full root access, and running on XEN software, so you don't get silly shared burstable ram, and can do anything you want to the box.

More help than you could ask for, their 'linode library' has guides to set up a huge range of services, their customer support is fast, and has a huge community online with helpful souls.

Nest cloud storage for backup fun


Re: symlinks with mklink?

There is a nice windows shell extension (google: link shell extension) which allows drag and drop links to be made, when dragging a folder from one to the other by right click (option appears below 'create shortcut').

Webmin for users: Usermin

Thumb Up


Because the main version is pay to play most people gloss over the GPL version of virtualmin, but its a great tool. As mentioned above webmin has the ability to give selected powers to individual users, the virtualmin extension, expands this to include all the tools a user would need to handle web hosting, such as mail/mysql/apache details for a domain or subdomain, even the ability (if you allow it to create sub users and sub domains). It's a full blown alternative to cPanel. There is also an install script available which completely rolls out and configures everything a shared hosting server would need (although I recommend a little bit of time spent tightening the security).

Opera Mini de-betas on Android



Last time I checked the most popular alternative android browser was Dolphin (or Dolphin HD for android 2+ devices). A little surprised not to see a comment nor mention in the post.

High spam response powers junk mail economy


Some people don't need it.

Although it isn't as popular as some email services, gmail is pretty damn popular. Not only is gmail popular with users itself, my own website, my ISP (Sky) and my university have all moved to gmail powered systems. The system has such good spam filter (with built in reporting), I get spam through to my inbox less than once a month and I don't think I've ever noticed a valid email get marked as spam (I occasionally check the spam bin every 3 weeks or so) At the moment, gmail blocks around 900 spam emails a month from my inbox.

If gmail can do such a good job, there doesn't really need to be anything left on the client end. Just so you know, gmail supports email forwarding, pop3, imap, over 7gb space and can collect email from other pop services.

Biting the hand that feeds IT © 1998–2018