Random: Site Stuff, LG D686 Fail, Shellshock, Transport Stuff, etc.

It’s been a few weeks since my last random post, and many things have happened in the tech world. Unfortunately, because of the amount of work that I’ve had to do, I haven’t been able to take a break to get these thoughts off my mind – but that wasn’t the only hindrance this time around.

Website Performance Enhancement

In the past few site updates, I was on a quest to improve the website performance for visitors. In order to do that, I have leveraged CloudFlare, despite my initial insistence to avoid it. Furthermore, I decided to go with some caching in the form of WP Super Cache, improving the performance of the site by reducing the need to dynamically generate pages on each user visit.

Initially, a few interesting issues were discovered – Rocket Loader and Jetpack Comments don’t play well together, causing a duplicate post warning because of the timing of the posting and the page reload, so I had to disable Rocket Loader. Changing the Permalink structure somehow resulted in pingbacks working again, which was rather nice.

Then, I discovered that the preload feature in Super Cache doesn’t work quite as expected, and old super-cache files weren’t being properly purged, resulting in stale sidebars. I noticed this early on, and have since forced the purge of the files on every new post which seems to make it achieve what I want it to.

[Image: Super Cache response times]

From looking at the Pingdom Tools website response time checker, it seems that it worked quite well. The super cache has a big effect on the response time of the server, as using rewrite rules avoids needing to invoke PHP, and does allow for the site to continue despite a temporary loss of database access. That’s a great thing.

[Image: CloudFlare requests]

The impact of CloudFlare is a little harder to quantify – from my point of view, it definitely helps in terms of serving static assets. From their analytics data, they’re handling about 30-40% of the requests and saving me about 10-20% bandwidth – it might not seem much but it’s still something considering it’s free.

But one thing is that CloudFlare seems to have done wonders to the problem of comment spam. Even with the security settings set to ‘essentially off’, the level of comment spam dropped from manageable to virtually non-existent.

But even then, it could still be better. In what would be considered a basic move by some professionals, I’ve decided to share the loading of static assets across two alias subdomains (cdn1.goughlui.com and cdn2.goughlui.com). This improves load performance by working around the browser’s limit on the number of simultaneous connections it will open to a given hostname.

[Image: visitor load times]

Again, quantifying the performance improvement is a little hard, but my checks with Pingdom Tools and WebPageTest.org seem to show much improved load times, when CloudFlare doesn’t have a stall. In some cases, we’re down to 7 seconds for a whole load, whereas getting under 20 seconds used to be a trouble.

Unfortunately, when it comes to real user analytics like the one above, there are still long load times experienced by some probably due to their slow connections. That’s not an indication of something wrong with my site, per-se, but I do realize that it is very dial-up unfriendly.

And then … I’m Under Attack

I noticed that, despite all this optimization work, the site was still performing slowly for un-cached users – i.e. recent commenters, and myself. Eventually, it was slow enough that I was having difficulty even writing posts. I wondered what was happening, but I was completely in the dark until Thursday 9th October, as statistics are only generated every 24 hours at my web host and at CloudFlare for free users.

[Image: attack traffic shown in CloudFlare analytics]

Looking at the statistics from CloudFlare shows that I was under attack, to the tune of 40,000 hits in under 12 hours from malicious sources. Cross-checking with the AWstats package at my web host shows that, almost certainly, they were all targeted at wp-login.php. Someone wants in – this is a brute force attack. Yikes.

I find it unlikely that my password would be guessed, but I have tried to improve my security. I tried implementing some .htaccess/.htpasswd protections, but for some reason, it didn’t work. I’ve got an anti-brute-force protection plug-in at the moment, but it’s not the best protection.

As a result, I’ve had to increase my CloudFlare security level up to Medium. Initially, I had it at essentially off, because I’ve experienced the CloudFlare CAPTCHA system myself and know of the frustration it poses to end users. I wanted to be kind to visitors, on the expectation that visitors would be “good actors”, but that assumption obviously doesn’t hold true. Unfortunately, this may very occasionally inconvenience some legitimate visitors behind proxies, but it’s a necessary measure to protect the integrity of my website.

Ziphosting MySQL Server Collapsing

Coincidentally, it seems, Ziphosting’s MySQL server is having trouble. Queries are running excruciatingly slowly, to the point where using the WordPress Export tool to back up fails with a timeout, as does trying to export the database using phpMyAdmin. This only exacerbates the problem, because attempted logins consume database query resources, as do certain types of visitors. In essence, a rapid brute-force attack can serve as a damaging denial-of-service attack.

I did contact Ziphosting, who have acknowledged issues with their MySQL server and are fixing it – at the moment it seems to have stabilized somewhat.

Why would they bother?

Unfortunately, I don’t have the resources or time to try and follow up why this is all happening, but one can only assume one of several possibilities:

  • Someone’s not happy about what I’ve said about their products, and they want to take me out so that others can’t benefit from my opinions.
  • Maybe they would feel good about themselves in hacking and defacing my own private website just for kicks.
  • Someone might have found a brute force tool and saw me as an easy target.
  • Maybe they’re looking out for some computing resources to exploit for their own needs.
  • Maybe they want to get into the data I have and steal it outright.

Whatever it is, it’s a bit of a nuisance. Thank god that I’ve employed CloudFlare to front my site because I’m pretty sure that my main hosting provider isn’t going to survive even more bashing if CloudFlare didn’t shield me from the even more malicious actors.

But there’s another possibility that scares me even more – there’s probably someone out there stealing my content, refactoring it, reposting it on their own sites and trying to take me out so that they can boost their own search engine rankings above mine in order to collect the revenue from the hard work that I have done. It seems to be a very possible scenario, based on an analysis of the referrers that have hit my webpage over the past week. I won’t elaborate any further on this, but I suppose I have succeeded in my mission to disseminate information.

Where to from here?

I’ve tried my best to look out for the health of the website by keeping an eye on everything I can, given the amount of time I have. So far, there seems to be no evidence of intrusion, which is good. However, I have been seriously contemplating a change of hosting providers, but I’ve done some reading up on the more popular low-cost options and virtually every single one of them has numerous disaster stories on record. Given the work required, and the risk, I think it might be best to stay with Ziphosting for another year – there isn’t much to be gained from what I can see.

Site Updates

Since the last update, I’ve managed to update the Socket 370 listing in the CPU Corner with a pair more CPUs. In fact, I’ve just received a few more specimens, so I’ll have to get around to putting those up too. I’ve also refreshed my “the SIMMS” post with a pair more 30-pin SIMMs.

One of the most major updates relates to the fact that I’ve been contacted by numerous companies at numerous stages to review their products. It’s something I love to do, but it’s something that I do out of my own passion and is a work that I am proud of. As a result, in order to protect myself and the readers, there is now a publicly visible set of rules, and an open invitation for companies, groups and individuals to contact me with any review opportunities provided they accept all the conditions posed.

LG D686 G Pro Lite Dual Annoyances

I’ve been the owner of an LG D686 for a while now, and it’s never really impressed me enough to deserve its own review. It was stranded with Android 4.1.2 for a very long time, but lately, an update to 4.4.2 was made available over-the-air and I decided to jump for it.

I did the over the air update with no issues, although when I first did it, it unrooted the phone as expected, but then there wasn’t a working method to root the phone. This is probably also due to the locked LG Bootloader which hasn’t been defeated yet.

Soon, I discovered something really broken about the 4.4.2 build – my tethering stopped working altogether. With working mobile data on the phone, and the Portable Hotspot feature configured in any encryption/SSID/channel setting, it was possible to join Wi-Fi clients to the hotspot, and get a DHCP IP, and ping the gateway (i.e. the phone) but no traffic would be routed through the phone altogether. No DNS resolves would be made either, despite the mobile data working just fine on the phone – and changing the APN type from blank, to default, to default, suppl, mms, dun etc didn’t help either.

I decided it might have been an issue with the OTA, so I decided to try and do an update via the LG mobile software on the desktop. It reported that I had the most recent version of ROM and wouldn’t offer me any choice to upgrade. I decided to do a factory reset on the phone itself, and spent an hour or so restoring all of my original applications from the Play store.

Unfortunately, after the re-install, the system behaved exactly as it did before. Tethering seemed terminally broken. I couldn’t find anything online about this, so maybe this is related to Lycamobile data which requires roaming to be active. Prior to the update, the phone tethered just fine, but there is no way to revert the version of the OS. Unfortunately, that limits the usability of the phone for me, but there’s nothing much I can do as a user.

I even decided to buy paid tethering apps to see whether their various configuration tweaks and different tethering methods could bring me joy. After about 30 minutes of tinkering, I still couldn’t get any further.

At least, I did find a workable method to root the 4.4.2 version ROM, but that didn’t aid in my quest for working tethering either.

Shellshock

Big news was the public disclosure of a vulnerability in the way the bash shell handles environment variables, dubbed by the media as Shellshock. It’s a pet hate of mine – the mainstream media likes to make puns, which leave users none the wiser as to what it means. The other thing is that the media likes to hype things up – and being a vulnerability that affects bash, which is mostly used in Linux distributions, commonly considered to be “secure”, only entices the media to make it out to be a bigger deal than Heartbleed.

The vulnerability itself stems from how bash handles environment variables passed to it at invocation. An environment variable whose value is formatted like a function definition is parsed on start-up, and bash keeps parsing past the end of the function body, so any trailing commands are, in essence, executed. This, in itself, is the vulnerability, which isn’t a big deal until it’s combined with server software that hands untrusted input to bash.

On web servers with CGI configured to use bash (or a script that invokes bash) as the interpreter, a request carrying such a string in an HTTP header lets commands be executed on the server as the web-server user. This is possible because CGI passes request headers and parameters to the script as environment variables. It is also said that certain DNS/DHCP clients and servers may be vulnerable to specially crafted responses for similar reasons.

This means that:

  • Not all Linux users are affected – those that don’t have bash installed won’t be affected.
  • Windows and Mac OSX can be affected – if they have bash installed (e.g. Cygwin in Windows).
  • It probably doesn’t matter even if you do have bash installed if you don’t do any serving or have any avenues where environmental variables can be passed to bash from the side.
  • Even if you run bash, if you don’t have such servers, the only way to get in is to get on the shell itself. By the time you’ve gotten there, you’ve practically got direct control of the system anyway.

For these reasons, it’s really not as big of a deal as it first seems, but it’s still a good idea to patch the vulnerability anyway. There are actually several security bulletins related to Shellshock, as some initial patches were incomplete in their implementation, meaning that there were still exploitable holes (albeit slightly more difficult to use). This means it would be wise to update any Raspberry Pis you have running as well.
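A small access-log detector for both of the things this post describes, the brute force against wp-login.php and the Shellshock probes against CGI, is below. It is an added example, not the author’s code nor that of any WordPress plugin; it assumes Apache/LiteSpeed “combined” log format, and the log lines in it are constructed, not taken from the author’s host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "combined" log line: client - - [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A Shellshock probe places a bash function definition, "() {", in a header that
# CGI exports into the environment (User-Agent and Referer are the usual carriers).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_log(text):
    """Parse combined-format lines; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            records.append(rec)
    return records


def login_bruteforce(records, threshold=5, window=timedelta(minutes=10)):
    """Map each client to its busiest run of wp-login.php POSTs inside `window`,
    keeping only clients that reach `threshold` (the same rule fail2ban applies)."""
    times = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].endswith("/wp-login.php"):
            times[r["ip"]].append(r["time"])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def shellshock_probes(records):
    """Return (ip, header) for every request carrying the "() {" marker."""
    hits = []
    for r in records:
        for field in ("agent", "referer"):
            if SHELLSHOCK_RE.search(r[field]):
                hits.append((r["ip"], field))
                break
    return hits


def scan(text, threshold=5, window=timedelta(minutes=10)):
    """Run both detections over raw log text."""
    records = parse_log(text)
    return {"bruteforce": login_bruteforce(records, threshold, window),
            "shellshock": shellshock_probes(records)}


# Constructed sample (documentation-range addresses): six rapid login POSTs from one
# client, one legitimate login, one Shellshock probe in User-Agent, one ordinary page view.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [09/Oct/2014:10:00:{s:02d} +1100] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"'
     for s in range(1, 7)] +
    ['198.51.100.4 - - [09/Oct/2014:10:05:30 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"',
     '192.0.2.9 - - [09/Oct/2014:10:07:12 +1100] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "() { :;}; echo shellshock-probe"',
     '198.51.100.4 - - [09/Oct/2014:10:08:00 +1100] "GET /2014/10/random-post/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ip, n in result["bruteforce"].items():
        print(f"brute force: {ip} made {n} login attempts within 10 minutes")
    for ip, field in result["shellshock"]:
        print(f"shellshock probe: {ip} via {field} header")
```

The flagged addresses are what a host-side ban list (or a CloudFlare firewall rule) would be fed; the threshold and window are the knobs to tune against legitimate users who mistype a password.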

Rebuilding my Chrubuntu

I’ve been running Chrubuntu on my Samsung ARM Chromebook for a while now, and I’ve generally been satisfied despite the quirks. Lately, because of the need to maintain currency, I decided to embark on a dist-upgrade, only to find that it didn’t work as expected and it never really booted again.

As a result, I had to restore Chrome OS to it with the imaging tool (which now, requires the installation of Google Chrome – how sneaky).

Afterwards, I was able to re-install different flavours of chrubuntu using instructions posted here. There are a few small errors in the instructions with step numbers, but you can probably work it out.

Unfortunately, having gone through it all, I found that Ubuntu 14.10 wouldn’t get to the desktop, and there were strange issues with the network manager under Kubuntu. I tried lubuntu, which did work, although not particularly well, so I settled for xubuntu. One major issue was the problem of setting screen brightness, of which this xdotool set of instructions proved handy. I couldn’t seem to get xbacklight working.

So after quite a lot of back and forth, I’ve managed to get everything set up the way I like it again – and I actually don’t mind Xfce at all – it’s quite a nice desktop environment.

Apple News

News of the iPhone #bendgate/#bendghazi continued to roll around causing embarrassment for Apple, with some devious kids visiting stores and bending display models and “informal” tests showing that the phone was on the weaker end of the spectrum. Other people remain steadfastly adamant that the phone is not bendable and tried to prove it with their own video. It seems like every new release continues to inflame the discussion with fanboys taking “immovable” positions.

iOS 8.0.2 update was released, which is probably an improved patch over the 8.0.1 release which caused people to have their cellular and Wi-Fi connectivity disabled for reasons unknown. I managed to apply this update without any significant issue, but it seems like another update is on the way (8.1) soon that closes a loophole that some have been using to load emulators.

It seems new iPads are on the way, but delayed. I’m not sure where the idea that 12″ tablets are a good idea came from, but I suppose it would better approximate the size of an A4 sheet of paper. It would not be as portable, though. I wonder how well this would sell.

It has come to light that Mac OSX is affected by the shellshock vulnerability – users should take the time to patch their system if they use bash. The update can be downloaded from Apple directly.

Internet Surveillance in Australia

It seems possible that an internet surveillance bill is to be passed in Australia, despite some protest, potentially marking a significant time in the history of the internet when we went against the grain.

Again, it seems that the majority of the Australian ISPs have stood idly by, as well as most people, expecting the data retention bill to make it into law unopposed. As with some prior internet-related precedents, iiNet seem to have taken it upon themselves to call this scheme out for what it is – an impractical mass-surveillance system that will cost everyone.

I have to give iiNet a round of applause, for taking its job as an ISP for the people/customers seriously. It staggers me that if the government decides to do something, that they can just make anything turn into law and then see all the companies go into blind compliance mode “because they told us so.”

Once such equipment is in place, it would make surveillance trivial, and it can easily be imagined how such systems can be misused. Especially in the post-Snowden era, it’s clear that governments place citizens under the illusion of knowledge by presenting a sanitized, redacted and twisted reality while actually doing something else.

More important is to question how effective such a scheme could be. Any cybercriminal worth their salt already understands the basics of using encryption and hidden networks/proxies for their communication. These systems are difficult to break, and it’s not inconceivable that governments do not possess enough equipment to break them. For the real hardened criminals, such retention efforts would prove meaningless. Instead, it is more likely to catch the plain text communication of innocents and probably the casual explorer.

I remain unconvinced that it’s what we need, and I think such measures will spoil the internet. Overseas in the USA, where net neutrality and the definition of broadband is currently being debated, the future of the internet (in terms of its freedoms) is really at risk. Even our civil rights seem to be under threat, with secret searches by the AFP to be allowed.

Windows 10 Technical Preview

Microsoft announced the release of Windows 10 in the near future. While everyone had expected it to be called Windows 9, the jump to 10 has led many to speculate on the reason for it. Some believe it is related to faulty version checking code in software that tests whether the OS name begins with “Windows 9” (which would also match Windows 95 and 98), with some level of evidence (although weak) to back this up. Instead, they should have been checking the version number (i.e. 4.00 for 95, 4.10 for 98).

That aside, the new OS is said to blend elements of Windows 7 and Windows 8 together, with the upgrade being freely delivered to Windows 8 owners, with Windows 7 owners getting a significant discount.

For intrepid users, there is already a technical preview available, both as a bootstrap install over an existing Windows installation, and as a standalone ISO as well. Access is easily granted based upon a name/e-mail sign up.

But be warned. They promised to make it better than previous releases by monitoring what you do with the technical preview much more closely. This includes everything from the files on your drive, to the keystrokes you enter. This has led to many people, myself included, to be wary of the whole thing. How can you fully evaluate an OS if you’re afraid of entering your passwords in the case they might be captured? Try it at your own risk!

Transport Stuff

I haven’t really been going out much of late, so there isn’t as much transport stuff to report as before.

At the toilets at Central station, I’ve noted that the initial generation Dyson Airblade hand driers with the yellow inserts are being replaced with newer Dyson Airblade dB models with blue inserts. These ones are supposed to be quieter … here’s a picture of a white one taken at a shopping centre:


Another thing I noticed while wandering around at Central, is the information board on the escalators from the country concourse to the suburban concourse. This used to be a large board filled with colourful platform numbers and lines. Instead, it seems to have been replastered as a plain but clear sign.


I also managed to get to Redfern where I saw their new LED lights up close. It looks to be a Canadian made luminaire, with a very interesting design. The black cable carries the power (current limited) and the whole set of LEDs appear to be series wired on a metal core circuit board. A quick-release latch secures this LED board to the luminaire, allowing for heat sinking and quick changes of the LED modules. How innovative!


I did talk about tactile tile replacements – unfortunately, in some places, such tiles can’t be installed … so they paint it. It doesn’t fool me!


I also spent a day riding around the rail network, playing with capturing magnetic induction loop audio announcements when I passed Glenfield and saw, with my own eyes, the progress being made on the South-West Rail Link.


I can see that the necessary overpasses, and track has already been laid mostly, with the overhead wires still being sorted. It’s quite impressive. Having witnessed how long it typically takes a rail project to actually happen, I didn’t believe it when the maps said “under construction”. Apparently this one isn’t a lie – and I hope to have a chance to ride on it as soon as it opens. I wonder whether it will see the patronage required to see it stay alive, or whether it will see the same fate as some previous branch lines (e.g. Royal National Park) and eventually get shuttered.

I managed to pass a few DTRS sites along the way, although shutter lag did stop me from taking a picture of many of them. In order, they are Casula, Cabramatta and Fairfield.


I managed to pass a local bus shelter, which now proudly advertises that it is Opal ready:


I’ve noticed that bins at stations are being replaced. The old round metal bins are being taken out …


… and are being replaced with metal bins which are square, built around wheely bins.


While at Chester Hill station, I also noticed an interesting solution to their insulated fence panel being next to a painted metal pole – insulate that with perspex.


Such a system is needed for safety, especially in continuous metal fencing where there might be a potential for wires to fall onto the fence and make it live. The insulated panel is the only “safe” access panel to go through in that case.

While waiting for a train, I managed to get treated to a steel-hauling train on the SSFL track.

I was also at Leumeah station where I saw one of the passenger information displays had lost horizontal sync, which seems rather strange. In the case of digital connections, it’s really not normal …


I was reading Wikipedia the other day, when I came across the fact that the V-set based DTRS test sets actually have a designation as a Y-set.

We Will Get 700MHz 4G LTE

Great news came this week in the form that Telstra and Optus will be launching their own 700MHz networks with the “digital dividend” spectrum. This will bring better indoor coverage to compatible handsets and help spread the bandwidth load across different bands to improve user experience. There was a lot of talk that 700MHz might be given to public safety services for their networks, and that we would never get to use it, but it seems that is no longer the case.

I wonder whether this means older US 700MHz band-only 4G devices, such as “the new iPad (3rd Gen)”, would operate correctly on this new network, termed 4GX by Telstra, or whether there are some intricacies in the way the frequency allocations are made that will mean we need specific 700+1800MHz band equipment.

Other Stuff

  • Belkin routers suffered outages when heartbeat.belkin.com went dead for a while. I think this is a big silly problem which should never have existed and is part of the silliness of device manufacturers thinking they’re smarter than you and trying to “detect” whether you have a connection to the internet. Should they fail to provide the service, the routers do not fail gracefully, instead breaking DNS requests altogether. A router like this isn’t one which is designed properly – if the service goes down, if the path to the heartbeat server fails, if the company folds, then it’s going to break. Worse still is whether this service also forms an unintended tracking service to work out whether the routers are up, what versions of firmware are being run, etc.
  • I have noticed that in Chrome and Chrome Mobile, the address bar has been replaced by a search/address bar. On thinking about it the other day, it occurred to me that most users would be logged into Chrome, meaning that Google can tie the searches to the user profile. Worst of all, entering web addresses is likely to be submitted as a search to Google anyway, as part of the search suggestions feature, meaning Google actually has a way of determining what websites and links you visit even if you have ad-blockers and tracker-blockers, as it’s masquerading as the search functionality. Worse still, this may be another form of information leakage for certain types of privileged URLs. Unfortunately, if SSL is being used, there’s no easy way to tell what information is being transmitted, and if it is implemented properly, it should be impossible. Just as SSL can secure us against everyone else, it can secure the applications against their users!
  • Adobe Digital Editions reader seems to be violating its users’ trust by sending information back to Adobe about your reading habits, unencrypted. I think big data is misleading companies into a hole of collecting data just in case they can make use of it, and because it lends them some sort of competitive advantage even over the weakest of correlations. Unfortunately, the reality is more likely that it’s wasteful and dangerous. Part of the reason it was discovered was that it was transmitted unencrypted. Imagine what might happen if everything was secured properly with SSL – application developers may be doing something very sinister without our permission or knowledge and we wouldn’t have a way to prove it.
  • In terms of misbehaving apps – it seems third party Snapchat apps may be responsible for “The Snappening”. It seems that in terms of malware, more and more malware masquerades as legitimate applications only to become malicious in the future after users have grown accustomed to it and feel that it is a “safe” application.
  • I’ve long lamented the issue of social networking becoming increasingly about advertising, tracking, and noise rather than real “social” interaction. It seems that Ello have picked up on this, and are running a minimalist ad-free social network. At the moment, it is beta and invite-only. Especially worrying is the knowledge that new teens seem to be getting tired of Facebook altogether.
  • Another thing I’ve been skeptical of is “low quality” mobile gaming based on freemium models. We’ve seen the slow decline of Zynga and King Digital, but to add to that is the studio famous for Angry Birds – that of Rovio. It seems this is the way of the viral marketing schemes – quick rise to fame, and quick decay.
  • Bad news for shops in the US with another big name retailer, K-Mart, joining the ranks of Target, PF Chang, Dairy Queen, Goodwill, UPS, Supervalu, Albertson’s, JP Morgan Chase, AT&T and Home Depot in being breached and having credit card data stolen. It seems rather crazy to think how specialized the breaches were, in attacking point-of-sales systems, but that they seem to be so widespread as of late. Maybe POS systems need to be better designed and hardened, rather than relying on security through obscurity.
  • Intel CPUs stuff up at math, this time, with the fsin instruction. But since fsin isn’t that often used, and it only occurs at certain large values, it may not really be that important in reality.
  • Yahoo Mail managed to get on my nerves this week by flashing me this notice – I’ve got a lot of tablets and computers! [Image: Yahoo Mail lock notice]
  • At one point, it even stuffed up and started spitting out an HTTP 0.9 response header with SPDY mixed in with it? [Image: Yahoo Mail failure]

Conclusion

Sorry for another longwinded random post, which mainly focused on the site itself, but I’m learning every day and I’m doing my best to stay afloat. I just hope that everything returns to normal soon enough and apologize in advance for any disruptions to service. It’s a strange world we live in – it seems cyber-security issues are becoming more and more of a problem, and balancing that with our expected rights and privacy seems to be a continuing issue. Until next time …


2 Responses to Random: Site Stuff, LG D686 Fail, Shellshock, Transport Stuff, etc.

  1. sparcie says:

    That’s really quite an impressive result with the caching from super cache and cloudflare. A 30% decrease in traffic at cloudflare is pretty good when you consider the way most people use websites. I used to run a web cache at my old work place and our hit rate varied greatly. It works best on static content such as that generated by the super cache software, again working quite well!

    It’s a bit of a worry you’ve been attacked like that, but it’s an unfortunate reality on the internet. I’ve had a few machines at work brute force attacked via SSH at work. We deployed software such as fail2ban and sshguard to read the log files and block people at the firewall when they have many failed login attempts. Perhaps something similar could be rigged up here with assistance from your host (if possible). I’ve set it up on my own connection at home despite using a non-standard port for ssh, just in case.

    Using the HTTP authentication as an extra layer on the WP login may help, but they could attempt to brute force it too. You’re probably doing the right thing, I wonder if you can apply more strict security to some areas with cloud flare.

    Whoever is doing it is clearly connected as they have a botnet doing their bidding.

    The shellshock bug is a bit of a surprise, but really shouldn’t affect many users at all. As you said the main security issue is with running it as a CGI interpreter, I wasn’t aware that people did that, I always thought Perl or others were far more prevalent. It seems you just need to make sure your network services aren’t relying on bash and you should be ok, but still upgrade it anyway. I’ve been using NetBSD as a server which doesn’t even have bash installed by default, so it should be ok. There are other BSD systems that don’t use bash as well.

    Heartbleed was a far more worrying bug as it could reveal the contents of server memory to attackers, potentially including password information.

    I guess people are surprised by these bugs as they are in software that is reputed as reliable and secure.

    I’m a bit worried about the surveillance they plan on doing, I am glad iiNet is speaking up. Really they need to do something different as storing that much data is a hackers’ paradise as much as it is for the NSA and the like.

    As always it’s interesting to see the updates on the Sydney rail network. 🙂

    If you’re looking to sniff what’s in the SSL packets of what some tablets apps are doing it is possible, but you need a very specific network setup. It’s called a man-in-the-middle attack. It might be hard to pull off, but it should be possible to find out what’s being sent.

    As always an interesting read 🙂

    Cheers
    Sparcie

    • lui_gough says:

      Thanks as usual, for the comments. Unfortunately, I don’t really trust my web host to do anything major without screwing up, so a “basic” login banning plugin will have to do for now. As it’s not a VPS (eh, budget cloud offering), there isn’t shell-level access to my knowledge, so fail2ban isn’t really practical. Already, over 24 hosts have been banned for excessive login attempts that failed, so the sharks are really out to play ;).

      The cache hit rate definitely would vary quite a bit especially as I’m not a paid CloudFlare customer, so it’s likely that their limited CDN resources are prioritized towards those who have paid and see higher popularity in terms of hits. It is good that there is a free offering, and it has certainly helped with the many small requests, where the overhead of a slow responding server is probably going to be most felt. The super-cache does pre-generate static files with some caveats, but for the most part, has helped as viewers don’t notice the database server going down as often. When they do though, it seems CloudFlare misleads them by presenting them a 404 smart-errors document rather than the database error, which is unfortunate.

      I tried to set up the HTTP authentication using .htaccess to protect the wp-login.php, by following the guides on the official WordPress page, but since the host runs litespeed (“Apache compatible”), for some reason it doesn’t seem it works. Even after putting it into my .htaccess with a corresponding .htpasswd file, it didn’t prompt for HTTP Authentication. I’ll have to look into it more in the future because it was time that caught me this time around.

      I think security conscious people understood the fact that it’s a bad idea to have CGI interpreted by shell, as that’s a big potential security hole. It does make things easier, but I agree with you in the sense that Perl is much more prevalent. Of course, nowadays, any publicised vulnerability gets quickly jumped on, and people were scanning servers blindly looking for ones to exploit – certain requests with HTTP User Agent including a “ping” command were sighted as common attacks.

      I do know of MITM for SSL but to my knowledge, if the application strictly enforces that it checks the connection for a certain server-side certificate, then you’re likely out of luck. Most of the ones I’ve seen try to get you to generate a local certificate pair, and “inject” this into your device as a trusted certificate. Most apps which don’t have certificate pinning will just accept this and continue along. But of all apps, Chrome is known to have certificate pinning for Google’s domains, so as to expect a certain fingerprint to ensure that “fraudulent” google.com certificates can be detected (and indeed, were! http://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning)

      Another method that was used relies on weaknesses in renegotiation – and guess what? Our very security conscious patching regimes have closed this one very quickly (and for good measure). There may still be other methods, but whose practicality is questionable.

      Alas, it seems a technology that keeps us safe, can indeed be used to keep them safe from us! I suppose it’s a good thing to know that security runs both ways, but given how some companies treat user data, it’s not something I can necessarily see as being used for only good.

      – Gough
