Set your RAMTOP



11 October 2017, 16:21 UTC
Data just wants to be free!

Please, keep putting your data up on S3 storage unsecured, people.
The defaults are secure, you are screwing it up....
https://aws.amazon.com/s3/faqs/#security

Q: How secure is my data?

Amazon S3 is secure by default. Only the bucket and object owners originally
have access to Amazon S3 resources they create. Amazon S3 supports user
authentication to control access to data. You can use access control mechanisms
such as bucket policies and Access Control Lists (ACLs) to selectively grant
permissions to users and groups of users. You can securely upload/download
your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you
need extra security you can use the Server Side Encryption (SSE) option or the
Server Side Encryption with Customer-Provided Keys (SSE-C) option to encrypt data
stored-at-rest. Amazon S3 provides the encryption technology for both SSE and
SSE-C. Alternatively you can use your own encryption libraries to encrypt data
before storing it in Amazon S3.

Looks like you have to go a bit out of your way to leave it open like this:
https://aws.amazon.com/articles/5050/
...
It has come to our attention that some customers have changed default permissions
and granted public access to their buckets. Although you can grant public access
to your bucket using ACLs, you must take the following issues into consideration:
...
Bucket public "READ" access: This is sometimes referred to as "list" access.
It allows anyone to get a complete list of your bucket content. 
It does not grant permissions to read content of an object. However,
a list of object names can often provide more information than necessary
to the public.
...

You need to go further than read and poke even more holes!
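
An added example (not part of the original post or the AWS pages quoted above): a check for the public-group grants the AWS article warns about, run over an ACL in the shape boto3's get_bucket_acl returns. The sample ACLs are constructed, and fetching the real ACL is left to the caller.

```python
# Added example: flag bucket ACL grants that open a bucket to the public.
# Input is a dict shaped like the response of boto3's
# s3.get_bucket_acl(Bucket=...); the samples below are constructed.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# What each ACL permission means when it is granted on a bucket.
BUCKET_EFFECT = {
    "READ": "list object names",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "all of the above",
}

def public_grants(acl):
    """Return sorted (audience, permission, effect) for every public grant."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            audience = "anyone"
        elif uri == AUTH_USERS:
            audience = "any AWS account"
        else:
            continue  # some other predefined group, not a public one
        perm = grant.get("Permission", "")
        findings.append((audience, perm, BUCKET_EFFECT.get(perm, "unknown")))
    return sorted(findings)

# Constructed samples: the default owner-only ACL, and one opened up.
DEFAULT_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
     "Permission": "FULL_CONTROL"}]}
OPEN_ACL = {"Owner": {"ID": "owner-id"}, "Grants": DEFAULT_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]}

if __name__ == "__main__":
    for audience, perm, effect in public_grants(OPEN_ACL):
        print(f"{audience}: {perm} ({effect})")
```

A bucket policy can also grant public access, so an ACL with no findings does not by itself mean the bucket is private.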



26 September 2017, 19:41 UTC
Google / Chrome - Breaking the functionality of the web to save users from themselves.

You have a site that is editable from a browser.
You can submit Javascript as a part of a post to the site.



You now can't using Chrome:


Suppose I need to write a web browser now.
Shall I name it pointy sharp things?



18 September 2017, 18:52 UTC
Optionsbleed - ask / search for it today :-)

https://nvd.nist.gov/vuln/detail/CVE-2017-9798
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
Check for Limit in your Apache .htaccess files for now, and patch.
If you allow users to create .htaccess on shared hosting... patch now. More to follow later...
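
One way to do the .htaccess check suggested above, as an added example (not from the original post or the linked write-up): walk a web root and list every <Limit> directive with its file, line number and methods. The default root of "." and the file name .htaccess (Apache's default AccessFileName) are assumptions.

```python
# Added example: list <Limit> directives in .htaccess files under a tree.
import os
import re
import sys

# Matches an opening <Limit ...> tag at the start of a line. Commented-out
# lines, closing </Limit> tags and <LimitExcept ...> do not match.
LIMIT_RE = re.compile(r"^\s*<Limit\s+([^>]*)>", re.IGNORECASE)

def find_limit_directives(root):
    """Return (hits, unreadable).

    hits is a sorted list of (path, line_number, [methods]);
    unreadable lists .htaccess files that could not be opened, so a
    permission problem is reported instead of looking like a clean result.
    """
    hits, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    match = LIMIT_RE.match(line)
                    if match:
                        hits.append((path, lineno, match.group(1).split()))
        except OSError:
            unreadable.append(path)
    return sorted(hits), sorted(unreadable)

if __name__ == "__main__":
    # Assumption: the web root is given as the first argument.
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    found, skipped = find_limit_directives(web_root)
    for path, lineno, methods in found:
        print(f"{path}:{lineno}: Limit {' '.join(methods)}")
    for path in skipped:
        print(f"{path}: could not be read, check by hand")
```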



15 September 2017, 17:07 UTC
Old Python 2.7 install on Windows need pip / setuptools help?

Had some trouble with pip installing packages on a Windows install today.
I had a need to use pyad - 'cause screw using PowerShell and writing 500 lines of code to do the same thing in what turned out to be 41 lines....
https://pypi.python.org/pypi/pyad
That rant aside, if you find pip or setuptools not working, here is how to kick-start it:

python -m ensurepip
python -m pip install -U pip setuptools

Then give your installer another go (should be installed and upgraded).
Global install if you dare:
python setup.py install



24 July 2017, 17:45 UTC
Google - how about "no".



20 June 2017, 18:49 UTC
So, in 2017, Grub2 still can't boot md raid 1.2 with lvm on top of it?

In order to simplify a new build, I thought I would try to see if Grub would boot to layered md raid with lvm.
Seems no, I still need a /boot if going with metadata version 1.2.
I can't even see it in grub rescue with the module loaded.
Bummer.



6 June 2017, 20:14 UTC
Where does that module live in the Python install?

inspect module to the rescue:

import inspect
import datetime

for name, data in inspect.getmembers(datetime):
    print name, data

Wait for output...
MAXYEAR 9999
MINYEAR 1
__doc__ Fast implementation of the datetime type.
__file__ /usr/lib/python2.7/lib-dynload/datetime.x86_64-linux-gnu.so
__name__ datetime
__package__ None
date <type 'datetime.date'>
datetime <type 'datetime.datetime'>
datetime_CAPI <capsule object "datetime.datetime_CAPI" at 0x7f39d93a7960>
time <type 'datetime.time'>
timedelta <type 'datetime.timedelta'>
tzinfo <type 'datetime.tzinfo'>

Crud. Not exactly helpful.
But source is available :-)



31 May 2017, 18:38 UTC
Windows 10 - Updates stopped and error: 0x8024401c?

After hammering at the WSUS server (as it seemed to be server side from all the errors I found)...
Turns out to be something on the client side.
Give this batch - (how quaint) - a shot:



win10-wu-reset.bat

It might be good to disable some crapware as well:
Good article on clean boot here from Logitech:
http://support.logitech.com/en_us/article/228

To check the Windows Update logs on later versions of Windows:
1 - run PowerShell.
2 - Get-WindowsUpdateLog
3 - profit! (not really)



30 May 2017, 13:34 UTC
Google, where is your head? Not Secure. Is that the best wording you could come up with?

So you want to tell users when they are on a non-encrypted connection to a website.
Not so sure on the wording. Overdoing the https everywhere much?





30 May 2017, 4:48 UTC
O.K. Google, where are you getting your TZ data?

I am with you on point one. Canada is totally like... a different country :-)
Not so sure on the change in time zone though...





