<![CDATA[notken]]>
http://www.notken.com/
Ghost v0.4.0
Fri, 04 Mar 2016 14:07:03 GMT

<![CDATA[How to reset MySQL root password from command line]]>
Because you will mess this up and need to reset the password from the command line. SSH into your server and:

    sudo service mysqld stop
    sudo mysqld_safe --skip-grant-tables --skip-networking &

That's stopping MySQL on the Red Hat family (on Debian and Ubuntu the service is called mysql). If you have something else, just go lie in the road and die.

Be clear about what you just did: --skip-grant-tables means the server accepts any connection as any user with no password for as long as it runs that way. --skip-networking keeps it reachable only through the local socket while you work, which is the only sane way to do this on a box with port 3306 open.

Then open a new terminal:

    mysql -u root
    UPDATE mysql.user SET Password=PASSWORD('password') WHERE User='root';
    FLUSH PRIVILEGES;
    exit

FLUSH PRIVILEGES is not optional: with the grant tables skipped the server never loads them, so without it the new password is on disk but not in effect. That UPDATE is the MySQL 5.6-and-earlier form; 5.7 renamed the column to authentication_string and 8.0 removed PASSWORD(), so on those versions you flush first and then set the password with ALTER USER.

Finally, stop the temporary instance you started under mysqld_safe and bring the service back normally:

    sudo mysqladmin -u root -p shutdown
    sudo service mysqld start

Yay! Now go screw up something else.
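The whole procedure as one script, added here as an example and not taken from the post or from MySQL's own tooling. It keeps the temporary server off the network, picks the right SQL for the server version (the UPDATE above only works on 5.6 and earlier) and stops the mysqld_safe instance before restarting the service. The function names, the five-second wait and the Red Hat service name are assumptions.

```shell
# Added example, not the post's own commands. Assumes the Red Hat layout the
# post uses (service "mysqld", mysqld_safe and mysqladmin on PATH) and a root
# shell. MariaDB is not handled.

# Pull "major.minor" out of the banner that "mysqld --version" prints,
# e.g. "mysqld  Ver 5.6.51 for Linux on x86_64 (MySQL Community Server (GPL))".
parse_version() {
    printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Emit the statements for a given major.minor. FLUSH PRIVILEGES is needed in
# both branches: with --skip-grant-tables the server has not loaded the grant
# tables, so an UPDATE is not live until they are flushed, and ALTER USER is
# refused entirely until they are. The new password is not SQL-quoted here,
# so keep it free of single quotes.
reset_sql() {
    version="$1"
    newpw="$2"
    case "$version" in
        5.[0-6])
            printf "UPDATE mysql.user SET Password=PASSWORD('%s') WHERE User='root' AND Host='localhost';\n" "$newpw"
            printf 'FLUSH PRIVILEGES;\n'
            ;;
        *)
            # 5.7 and later: the Password column is gone and PASSWORD() was
            # removed in 8.0, so set the password through ALTER USER.
            printf 'FLUSH PRIVILEGES;\n'
            printf "ALTER USER 'root'@'localhost' IDENTIFIED BY '%s';\n" "$newpw"
            ;;
    esac
}

reset_root_password() {
    newpw="$1"
    version=$(parse_version "$(mysqld --version)")
    service mysqld stop
    # --skip-networking: with grant checks off, anyone who can reach port
    # 3306 would otherwise get in as root without a password.
    mysqld_safe --skip-grant-tables --skip-networking &
    sleep 5
    reset_sql "$version" "$newpw" | mysql -u root
    # mysqld_safe does not exit on its own; stop the temporary instance
    # (the new password works now that the grant tables are reloaded),
    # then start the service normally.
    mysqladmin -u root -p"$newpw" shutdown
    wait
    service mysqld start
}

# Usage: reset_root_password 'NewRootPassword'
```

The version branch is the part people trip over when this post is followed on a newer server: on 5.7 or 8.0 the UPDATE fails with an unknown column, and on 8.0 PASSWORD() is not a function at all.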

http://www.notken.com/2015/11/17/how-to-reset-mysql-root-password-from-command-line/ (Tue, 17 Nov 2015 10:16:00 GMT)
<![CDATA[Google to decouple Google+ and YouTube, sort of]]>
In a move that's only several years too late, Google has announced that they will no longer force users to have a Google+ account in order to use YouTube. At first this seems like great news, but then this sinks in:

...[I]n the coming months, a Google Account will be all you’ll need to share content, communicate with contacts, create a YouTube channel and more, all across Google. YouTube will be one of the first products to make this change, and you can learn more on their blog. As always, your underlying Google Account won’t be searchable or followable, unlike public Google+ profiles. And for people who already created Google+ profiles but don’t plan to use Google+ itself, we’ll offer better options for managing and removing those public profiles.

So, I still need to use my Google account to access YouTube? I can't have a separate YouTube account? Honestly, I can see giving me the option to have one. Maybe I want to tie together Analytics, AdWords, YouTube and Webmaster accounts for a business. But the general unease about the security of my "underlying Google Account" is still there, and that will keep me from engaging on YouTube.

http://www.notken.com/2015/08/06/google-to-decouple-google-and-youtube-sort-of/ (Thu, 06 Aug 2015 18:02:00 GMT)
<![CDATA[Why you (probably) don't want to run your own email server]]>
I just finished four years of running a corporate email server, and here are my thoughts on why I'd never do it again within the context of a young SME.

Before I start: I'm not saying don't learn how to set up an email server, because there is definitely a lot of value in learning how to do it. I'm also not saying don't run one at all, because again, there is value in doing it. This post is more along the lines of why a sysadmin should find the budget to outsource this particular part of the technology stack.

The TL;DR version of this would be: You're not Google and you have better things to do with your time than try to recreate what Google Apps already does for email. Besides, you can't guarantee 100% uptime on your VPS, dedicated server or bare metal email server setup. 100% uptime is a feature, and no business, no matter how small, should choose the potential troubles of running email in house over guaranteed uptime (I ran mine first on bare metal, and then on a dedicated server - both were the same for all intents and purposes, except the dedicated server was quieter).

Email is, of course, mission critical to any business. So are web and database servers. But as a sysadmin, you know what to do when those go down. You have those servers backed up and your code is in repositories and you have a disaster recovery plan that can have you back up and running in no time.

But email doesn't work that way. What happens when someone in an office halfway around the world does something that gets your domain or your server's IP address onto a blacklist? Email servers come with a host of potential problems that planning and backups won't help you with.

That said, running a corporate email server was a great experience for me. I learned a lot. Once I had my setup running, I barely had any problems. Blacklisting and fine tuning spam protection were basically the big ones.

Still, it's something that deserves a full-time solution for any business, and for most sysadmin/devops people in SMEs, your time and expertise are probably better spent on the web and/or software stacks.

http://www.notken.com/2015/01/16/why-you-probably-dont-want-to-run-your-own-email-server/ (Fri, 16 Jan 2015 10:12:00 GMT)
<![CDATA[2013 World Chess Championship on GitHub]]>
Here's my Git repository of .pgn files for the 2013 World Chess Championship between Viswanathan Anand and Magnus Carlsen.

http://www.notken.com/2014/06/16/2013-world-chess-championship-on-github/ (Mon, 16 Jun 2014 06:10:00 GMT)
<![CDATA[Cleaning up and formatting your database query results in CodeIgniter]]>
This is actually an old post that was on my old blog. But people have been searching for it a lot and now they can't find it, so I'm reposting it. For the record, I don't think anyone should be doing new sites in CodeIgniter 2.x, but I know lots of people do (there are definitely worse options out there).

Let's take a very simple model method:

    public function get_robots($type){
        $this->db->select('id, name, type, hometown, website');
        $this->db->where('type', $type);
        $query = $this->db->get('robots');   // table name is assumed; the original left it out

At this point $query holds the result object (a CI_DB_result), not an array; result_array() is what turns it into one. Now we can clean up the fields that need enforced formatting. Maybe the input for "hometown" is irregular and the input for "website" sometimes has http:// and sometimes doesn't. No problem. Make a new array, clean up the values you want, add each cleaned row to the new array, and return that array to the controller:

        $rows = array();
        foreach($query->result_array() as $row){
            $row['hometown'] = trim(strip_tags($row['hometown']));
            $row['website'] = (substr($row['website'],0,7)=='http://' ? $row['website'] : 'http://'.$row['website']);
            $rows[] = $row;
        }

        return $rows;

And there you have it. The examples here are simple, and in production I would build the cleanup processes as functions in a utilities library, but that's the basics. Two caveats before you copy this: the substr check only recognises http://, so a stored https:// value comes back as http://https://..., and none of this is output escaping. strip_tags here is a formatting step, not a security control; whatever reaches a view still goes through htmlspecialchars() (or whatever escaping your templates do) at output time, and a website value that ends up in an href should be checked for an http or https scheme before it is rendered. The full method looks like this:

    public function get_robots($type){

        ## Gets all robots of the specified type
        ## Returns an array of formatted results

        $this->db->select('id, name, type, hometown, website');
        $this->db->where('type', $type);
        $query = $this->db->get('robots');   // table name is assumed; the original left it out

        $rows = array();
        foreach($query->result_array() as $row){
            $row['hometown'] = trim(strip_tags($row['hometown']));
            $row['website'] = (substr($row['website'],0,7)=='http://' ? $row['website'] : 'http://'.$row['website']);
            $rows[] = $row;
        }
        return $rows;
    }

http://www.notken.com/2014/05/11/cleaning-up-your-database-query-results-in-codeigniter/ (Sun, 11 May 2014 13:31:00 GMT)
<![CDATA[Dodgy advertising on Facebook]]>
There have recently been several articles posted around the web on whether or not Facebook advertising is a good value for advertisers, given how many clicks and likes seem to come from fake accounts and botnets.

But here's an advert I came across on Facebook this afternoon:

Fake Halifax advert on Facebook

This immediately struck me as strange, since I hadn't heard anything from Halifax bank about this, and the URL doesn't look legit.

So of course I went into a safe environment and simulated clicking that advert. First, it redirects to "bank-account-refunds.co.uk/h/" and ends up on the site below:

Fake Halifax advert on Facebook

The rest of the page is a simple form asking for your full name, email address and phone number. This is obviously a phishing attempt; the page doesn't even use HTTPS.

I contacted Halifax over Twitter and they confirmed almost immediately that this isn't legit:

Fake Halifax advert on Facebook

Actually, I couldn't report it as spam because the ad was no longer displaying in my Facebook sidebar. I decided to give the page a refresh to see if it came back, and it did. Facebook does give the option to hide an advert and mark it as spam, but no option for reporting fraud.

If you've advertised on Facebook before, you're no doubt aware that Facebook delays showing new adverts as part of some kind of approval process. Clearly this approval process is being defeated if fraud is slipping through. I've always wondered how Facebook would deal with adverts that get approved and then add in a redirect later.

There's a lot to speculate in this realm, but I'm not going to do that now. I just think it's worth thinking about how Facebook is going to police their advertisements. Of course, they will bear no responsibility for users clicking on fraudulent adverts, and if pressed they will no doubt issue a statement in meaningless corporate English about doing everything they can to protect their users...etc etc.

Except they're not.

http://www.notken.com/2014/04/22/dodgy-advertising-on-facebook/ (Tue, 22 Apr 2014 23:42:32 GMT)
<![CDATA[Linode is still deploying CentOS 6.5 with compromised version of OpenSSL]]>
This morning I fired up one Linode instance and one Digital Ocean instance of CentOS 6.5 to check if both were deploying with patched versions of OpenSSL, meaning an openssl package with the Heartbleed fix (CVE-2014-0160) already applied. To my surprise, Linode is not:

Linode unpatched

Digital Ocean was fine.

So if you're on Linode, this would be a bad time to forget to update a new VPS the moment it boots. Remember too that updating the package only helps processes started after the update: restart anything linked against OpenSSL (httpd, nginx, your mail daemons) or simply reboot.

I've also checked the following distros at Digital Ocean, and they are all updated on deployment:

Fedora 19
Ubuntu 12.04 LTS
Debian 7.0
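
Two checks that tell you whether a fresh CentOS 6.5 VPS actually carries the fix, added here as an example and not from the post. The trap is that "openssl version" prints 1.0.1e both before and after the update, because Red Hat backports the patch without changing the upstream version string; the package release and the package changelog are what move. The fixed release below is the one RHSA-2014:0376 shipped for EL6 (openssl-1.0.1e-16.el6_5.7); the changelog text in the usage comment is constructed for illustration.

```shell
# Added example, not from the post. Works with plain POSIX sh plus awk.

FIXED_RELEASE="16.el6_5.7"

# release_ge A B prints 1 when rpm release string A is at or past B, else 0.
# Segments are split on ".", "_" and "-" and compared numerically when both
# sides are numbers, as strings otherwise ("16.el6_5.4" < "16.el6_5.7").
release_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[._-]/); nb = split(b, B, /[._-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""
            y = (i <= nb) ? B[i] : ""
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) r = (x + 0 >= y + 0) ? 1 : 0
            else r = (x >= y) ? 1 : 0
            print r; exit
        }
        print 1
    }'
}

# nvr_is_fixed NVR succeeds when an installed package name such as
# "openssl-1.0.1e-16.el6_5.7.x86_64" (the output of "rpm -q openssl")
# is at or past FIXED_RELEASE.
nvr_is_fixed() {
    case "$1" in
        openssl-1.0.1e-*) ;;
        *) return 1 ;;
    esac
    rel=${1#openssl-1.0.1e-}
    case "$rel" in
        *.x86_64) rel=${rel%.x86_64} ;;
        *.i686)   rel=${rel%.i686} ;;
    esac
    [ "$(release_ge "$rel" "$FIXED_RELEASE")" = 1 ]
}

# changelog_mentions_fix reads "rpm -q --changelog openssl" on stdin. This
# check does not depend on version numbers at all, which makes it the one
# to prefer on a distro whose fixed release you do not know offhand.
changelog_mentions_fix() {
    grep -q 'CVE-2014-0160'
}

# On a live CentOS 6.5 host:
#   nvr_is_fixed "$(rpm -q openssl)" && echo "release is at or past the fix"
#   rpm -q --changelog openssl | changelog_mentions_fix && echo "changelog names the CVE"
# A patched package only protects processes started after the update, so
# restart anything linked against OpenSSL (or reboot) once it is installed.
```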

http://www.notken.com/2014/04/11/linode-is-still-deploying-with-compromised-version-of-openssl/ (Fri, 11 Apr 2014 10:28:51 GMT)
<![CDATA[Heartbleed fallout: Expect more spam and phishing attempts]]>
As if dealing with the Heartbleed bug itself hasn't been bad enough, IT departments and personnel really need to gear up for the fallout about to hit them: at least a month of sustained avalanches of spam and phishing attempts.

Crisis is of course the seed of opportunity, and in the case of Heartbleed, that means opportunity for the bad guys. Heartbleed is a perfect storm for spammers, scammers, phishers and any other related Internet bottom-feeding scum. Why?

First of all, Heartbleed is not well understood by the public. Wait, let me take a step back: explaining Heartbleed to developers and tech support staff is often difficult. Outside of Linux/Unix sysadmins, no one's really going to grasp the seriousness of this vulnerability at face value.

So you make it easy and boil it down for people: "You need to change your passwords and not use the same password on more than one site."

They ask, "Is Facebook ok?"

You say it is...probably.

They hear, "Everything is fine. Go home and have half a bottle of wine."

Secondly, in case it wasn't obvious from above, people hate changing their passwords. This is not the same as saying people are lazy. It's simply a fact of life. All of us are more likely to stick to a regimen of getting up at 5am every morning to go for a run than we are to changing our passwords every month.

Thirdly: "Is our antivirus up to date?"

Oh no. Antivirus isn't going to help you with this one. This isn't a virus on a workstation; it's a bug in server software that hands out chunks of the server's memory to anyone who asks nicely.

"Then what are we paying for?"


See point one above. This is all part of Heartbleed being esoteric and difficult to understand, and probably has something to do with sysadmins having a hard time explaining it to non-technical staff.

So, let's say you're an Internet Bad Guy. Right now you know what people aren't doing: They aren't going home from work and updating their passwords. They also aren't setting different passwords for different sites and services, because, well, they're not updating their passwords to begin with.

"Excellent," you say, rubbing your hands together. "Time to go phishing." Because two things will happen over the next week to ten days: People will learn more about Heartbleed and people will forget about Heartbleed. Yes, at the same time (sigh...cognition state concurrency control is so complex in humans).

This is the perfect opportunity for Internet Bad Guys (and Girls!). In ten days to two weeks time, enough people will see a fake email that looks like something from their bank saying they must log in to update their password that they will fall for it. Or it could purport to be from any other service people use online. My bitcoin is on fake Netflix emails, because of the irony factor of watching Netflix while being Internet Bad Guyed by someone pretending to be Netflix.*

So, Internet Good Guys (and Girls!) - at least those of us getting paid to fight the scumbags who would prey off of people in situations like this - be ready for an onslaught of spam and phishing attempts in your workplace. Start talking about it and making people aware now. Make sure everything is up to date; this is a great opportunity to run a full software/hardware audit and request funds for that solid gold Watchguard firewall Santa forgot. Remember, if they lose information, you lose sleep. Be pro-active about protecting your sleep.

* I know that's not really irony.

http://www.notken.com/2014/04/09/heartbleed-fallout-expect-more-spam-and-phishing-attempts/ (Wed, 09 Apr 2014 21:03:08 GMT)
<![CDATA[Transport for London's new responsive website is awesome]]>
I didn't say it's perfect, but it's awesome. Transport for London has rolled out a new responsive website that sets the bar for public transportation operators in other global cities.

TFL already had a solid set of Twitter feeds updating tube and bus status, as well as the ability to check bus services online. But the new system is so much better, faster and easier to use.

As a comparison I went back to look at a couple of my favourite cities and my hometown. Tokyo Metro's website is easy to navigate and looks ok, but it's not responsive and any search requires a page load. If you're a tourist, the English version of the website doesn't offer the same breadth of information as the Japanese site, and it blurs the line between being the Tokyo Metro website and a tourism promotion site.

New York City's MTA site is outdated and not responsive.

Boston's MBTA website looks a little better, but it's still dated and not responsive.

TFL's website, by contrast, offers a RESTful API with decent documentation. It's hard to overstate the importance of this; opening up this data and offering an API will create developer jobs in the capital. Check this out:


What does that do?

    Gets the bike points that lie within the bounding box defined by the lat/lon of its north-west and south-east corners.

And the information is updated every five minutes.

There's definitely room for improvement, but this is a huge upgrade for TFL and will hopefully be copied by other global cities.

http://www.notken.com/2014/03/29/transport-for-londons-new-responsive-website-is-awesome/ (Sat, 29 Mar 2014 11:08:48 GMT)
<![CDATA[Using multiple TLD subdomains with the same virtual host entry in Apache]]>
Yesterday I was looking for a way to simplify subdomain entries in Apache's virtual hosts when I tried something I couldn't find in the documentation:

    <VirtualHost *:80>
        ServerName sub.domain.*
        DocumentRoot /path/to/some/stuff
        <Directory "/path/to/some/stuff">
            Order deny,allow
            Allow from all
            AllowOverride all
        </Directory>
    </VirtualHost>

It just works. So point multiple domains with different TLDs at that IP address, and Apache will serve content for them all from the same source folder. Now start thinking what can be done with aliases from here...

Two caveats before you rely on it. First, the first VirtualHost listed for an address is Apache's default for any Host header that matches nothing, so if this is the only (or first) vhost on the IP it will answer for every name that resolves there, and for requests that arrive by bare IP, whatever ServerName says; test with a hostname that should not match before concluding the wildcard itself is doing the work. Second, AllowOverride all lets a .htaccess anywhere under that DocumentRoot rewrite the configuration, which is fine for your own code and not fine if any of those domains serve content you don't control.

*This works on Apache 2.2.x, as you can see from the Order/Allow directives (Apache 2.4 replaces them with Require). I've not had a chance to try on Apache 2.4, so holler at me if you do.
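
An Apache 2.4 version of the same vhost, added here as an example rather than taken from the post. It moves the wildcard into ServerAlias, which is the directive documented to accept * and ?, keeps ServerName as a single canonical name, and narrows AllowOverride to what .htaccess files actually need. The hostname and paths are placeholders carried over from the post.

```apache
<VirtualHost *:80>
    # One canonical name; wildcards go in ServerAlias.
    ServerName sub.domain.example
    ServerAlias sub.domain.*
    DocumentRoot /path/to/some/stuff
    <Directory "/path/to/some/stuff">
        # Apache 2.4 form of "Order deny,allow / Allow from all".
        Require all granted
        # Only what the site's .htaccess files need, not "all".
        AllowOverride FileInfo Indexes Limit
    </Directory>
</VirtualHost>
```

Put a separate, deliberately empty default vhost first on the address so that unmatched names and bare-IP requests fall through to it rather than to this one.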

http://www.notken.com/2014/03/13/using-multiple-tld-subdomains-with-the-same-virtual-host-entry-in-apache/ (Thu, 13 Mar 2014 18:09:02 GMT)
<![CDATA[This week around the web]]>
1) The biggest news for developers this week was definitely that Digital Ocean has secured just over $37 million in a Series A funding led by Andreessen Horowitz. Digital Ocean has experienced explosive growth over the past year and a half, but that growth hasn't come without a few hiccups. Hopefully this helps the firm sort out some of its outstanding issues, especially (from my wishlist) latency to its new Singapore datacentre and the lack of ability to assign multiple IP addresses to a single VPS instance.

2) It's not from this week, but I found it this week, and it's still relevant: Forbes published an article entitled How The Syrian Electronic Army Hacked Us: A Detailed Timeline. The hacking boils down to three main factors: 1) Lots of phishing, 2) Human error/carelessness, and 3) Using WordPress as a CMS. I keep hearing from people how there are these great new security tools to keep WordPress safe. And the more I hear about them, the more it seems I hear about a WordPress site getting hacked.

If you're going to use WordPress, fine. But keep to some rules: 1) Don't use third party extensions or plugins, 2) Don't keep anything you don't want stolen in the WP database, 3) Use the WP database in an isolated environment, and 4) Don't use third party extensions or plugins.

3) Nicholas Carlson from Business Insider published a good look at some of the ways employees at startups are getting shortchanged. A must read for anyone in the industry.

4) The GitHub Developer program is now open. See you there!

5) Netflix has joined Facebook and is now blocking use of the Chrome developer console. Stupid, bad, useless. If you want to stop this nonsense, run the following line in a Chrome extension (so it executes before the page's own scripts) to stop the blocking from working; it pins window.console as non-configurable, so the page's attempt to redefine it fails:

    Object.defineProperty(window, 'console', {configurable: false, value: window.console});

6) Snapchat still isn't secure

Remember, kids: If your phone can display something for ten seconds, it can display it forever. Let's see if Snapchat moves to real DRM.

7) Salon published this: Robert Reich: WhatsApp is everything wrong with the U.S. economy (another one from last month!)

I don't agree. A full post is in order on this.

http://www.notken.com/2014/03/08/this-week-around-the-web/ (Sat, 08 Mar 2014 21:41:37 GMT)
<![CDATA[Does my site need SSL?]]>
I see this question come up quite a bit in places like StackExchange, and most often the question seems to be posted by a developer who's not deeply experienced with using SSL certificates. If you're an experienced dev, you probably already realise that simply asking the question, "Does my site need SSL?" probably means that it does.

Here's an example situation I recently saw: Someone is developing a backend solution for a company that is saving "sensitive information," and that backend can only be accessed from two IP addresses. The client has requested SSL, but the developer isn't sure it's necessary.

Does that site need SSL? Here's a checklist to compare against:

  • Will the users of this site be connecting and transferring this sensitive information over a wireless connection at any point in time? If this is the case, then yes, it needs SSL.

Developers need to make sure that clients understand the limitations of wireless encryption. Without getting technical, you should always assume wireless encryption doesn't work or is easily defeated.

  • Are there legal issues involved with this sensitive data? If you are transmitting customer information in a client database with phone numbers, postal addresses, email addresses, login information - or even more seriously, credit card numbers - then you need SSL.

Ask yourself if you would trust a company who transmitted this same information of yours without SSL.

  • Is the client worried about the financial or performance costs of SSL?

HTTPS is not such a burden on server resources as it once was, especially with computing power and VPS or cloud setups being so cheap these days. And in the situation described above, with a site only being used by a limited number of users at defined locations, it should be trivial to provide horsepower enough for the maximum number of users.

The truth is that if the client wants functionality that requires SSL, then they need to pay for SSL, even if that means more expensive servers or load balancers. That's simply the cost of doing business. The outlay for proper security is dwarfed by the potential consequences of not having it.

Here's where as a developer one needs to start thinking about legal protection. If the client refuses to pay for SSL but wants you to do the job, ensure that your working agreement legally indemnifies you from any of their bad business decisions.

If financial costs are truly an issue, self-signed certificates can be used for internal systems, with one condition: the clients must be configured to trust that specific certificate (or the internal CA that issued it), not told to skip verification. A self-signed certificate that clients accept blindly gives you encryption but not authentication, and on the wireless networks discussed above that means anyone in the middle can present their own. The OpenSSL toolkit provides good resources for this.
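
A self-signed certificate for the two-address internal backend described above, plus the check a deploy script can run on it, added here as an example and not from the post. Two details matter: the hostname goes in a subjectAltName (clients no longer accept a bare CN), and the client pins this exact certificate instead of trusting every CA in the system store, which is what makes self-signed safe rather than merely encrypted. The hostname and output paths are assumptions.

```shell
# Added example, not from the post. Needs the openssl command-line tool.

# make_selfsigned HOST DIR writes DIR/key.pem and DIR/cert.pem.
make_selfsigned() {
    host="$1"
    outdir="$2"
    cnf="$outdir/openssl.cnf"
    # Extensions go through a config file so this also works on OpenSSL
    # releases older than 1.1.1 (which added -addext).
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cnf" -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    chmod 600 "$outdir/key.pem"
}

# cert_sans CERT prints the DNS names in the certificate's subjectAltName,
# one per line, so a deploy step can refuse a certificate made for the
# wrong host before it is installed.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Client side: pin the certificate rather than disabling verification.
#   curl --cacert /path/to/cert.pem https://backend.internal/
# Never "curl -k": that accepts any certificate at all, including one an
# attacker on the wireless segment the post warns about would present.
```

The pin is the whole point. Hand the clients cert.pem and nothing else, and the connection only succeeds against the server holding key.pem; swap the certificate and every client fails closed until it is given the new one.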

In the case above, however, the client requested SSL but the developer was unsure if it was necessary. If the client asked for it and is paying for it, setting up SSL isn't an undue burden on any developer worth their salt, and as a developer no one really ever should be in the position where they're arguing for less security. If there's a problem later, it comes back to bite you. Cover your rear end.

TL;DR - If it's even a question, use SSL.

http://www.notken.com/2014/02/21/does-my-site-need-ssl/ (Fri, 21 Feb 2014 06:34:00 GMT)
<![CDATA[2014 Web Predictions Update: Kickstarter Hacked]]>
One of my 2014 web predictions was for continuing security problems, especially at newer websites, web services and apps that have scaled up without proper security expertise in place. We can now add Kickstarter to that list [1].

The good news: Kickstarter did not store passwords in the clear. The email below calls them "encrypted", but a password that takes "computing power to guess and crack" is a hash, which is the right thing to have been storing. Here is the text of an email sent by Kickstarter to its members:

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system. No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account. While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one. As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password. To change your password, log in to your account at Kickstarter.com and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass. We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again. Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at accountsecurity@kickstarter.com. Thank you, Yancey Strickler Kickstarter CEO

TL;DR: Change your passwords. Don't use the same password on multiple sites. And, we don't want to talk about Rainbow Tables and Salting.

The interesting part is here: "Upon learning [of the hack], we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system."

It sounds as though the security problem was easily found, which makes one wonder why it hadn't been discovered in previous security layering iterations.

Lesson to take away: Get someone to hack your site, service or app. No one in your organisation is as good at security as someone on the outside is at breaking it.

[1] Kickstarter has actually been around since 2009. Take that to mean what you'd like about it being new or not.

http://www.notken.com/2014/02/15/2014-web-predictions-update-kickstarter-hacked/ (Sat, 15 Feb 2014 23:15:00 GMT)
<![CDATA[How many Facebook accounts are fake?]]>
According to Facebook's fourth quarter earnings report, the social media giant had 1.23 billion active monthly users in December 2013 - a 16% increase from a year ago. Facebook also reported having 945 million monthly active mobile users, a 39% increase from a year ago.

And in its 10-K filing with the Securities and Exchange Commission, Facebook states that between 5.5% and 11.2% of its users are fake.

With over a billion users, it doesn't take a mathematician to realise that a 5.7% difference is a lot of users (70.11 million). The lower end of Facebook's estimate puts the number of fake users at about 67.65 million, while the higher 11.2% would be 137.76 million.

One telling risk factor from Facebook's SEC filing: "[U]sers feel that their Facebook experience is diminished as a result of the decisions we make with respect to the frequency, prominence, and size of ads that we display, or the quality of the ads displayed[.]"

So, Facebook needs better information on you, even if you're fake.

http://www.notken.com/2014/02/04/how-many-facebook-accounts-are-fake/ (Tue, 04 Feb 2014 01:06:51 GMT)
<![CDATA[RapGenius ranks #1 in Google for the #1 rap song]]>
It looks like it didn't take long for RapGenius to recover their Google rankings after having been nearly banned from the search engine in late December after their questionable SEO tactics were exposed by a poster to Hacker News.

So here it is, a #1 organic search result for lyrics to C.R.E.A.M. by Wu Tang Clan:

RapGenius back on top

Hands are undoubtedly wringing somewhere over the speed with which RapGenius has recovered their organic search results. But I'll worry about it tomorrow, because right now I have Wugazi on my mind.

http://www.notken.com/2014/01/28/rapgenius-ranks-1-in-google-for-the-1-rap-song/ (Tue, 28 Jan 2014 20:17:53 GMT)