Just a quick note to wish you, dear reader, a very Happy New Year. As I enter my 11th year of blogging, I hope I will be able to make a little bit more time in 2016 for more regular posts!

Also, I’m pleased to note that thanks to the wonderful folks at the Let’s Encrypt project, the whole of my site is now served over HTTPS. Given my more recent security focus, that was something that was long overdue. I’m very grateful to the Let’s Encrypt project sponsors, as the project offers a solution that provides equal, if not better, verification that traditional Domain Validation TLS certificates, at the cost of precisely zero.

Here’s to 2016!

About a month ago (whoops!), I released another open source project into the wild, SaveTimer.

This was one of those “wouldn’t that be a cool idea” moments that spontaneously resulted in a modest little project. The whole thing was conceived, built and published in the space of a few hours!

Save Timer

Notify a user if they have not saved in a ‘watch directory’ for a certain interval.

Basic Description

This is a very simple application, written in C#/.NET 4.5.2, which observes a specified ‘watch directory’ on a given interval. The most recent file in the watch directory is examined to determine its last modified time. If this is older than the specified interval time, the user is shown a message reminding them to save their work. The user can suppress the messages for an indefinite period of time by right-clicking the icon in the ‘clock box’/system tray and choosing ‘Stop reminding me’.

This was written to support academic examination access arrangements, where users are intentionally only given access to a cut-down word processor such as WordPad, without spellcheck support. Unfortunately, WordPad does not autosave, so this application provides a regular reminder for the user to save. In this usage, the user is given a blank mapped drive to save in. In addition to the regular save reminders, the application also ensures that the user has saved in the correct directory to avoid data loss and ensure compliance with controlled conditions of where they must save.

SaveTimer logo (the Dashicons clock, licensed under GPLv2 or later with font exception)

At the risk of sounding immodest, one of the most enjoyable things about this project was jumping right back into the C#/.NET environnment, with which I have spent less time recently, and discovering that I still had all of the intuition of how to build the functionality I desired. Perhaps this is testament more to Visual Studio’s IntelliSense suggestions and the simplicity of the application, rather than my memory, but it nevertheless was a rewarding feeling to quickly go from zero to an app that does a specific task quite well!

I’m also pleased to say it ran in… shall we say, production… without causing any issues. If it saves one piece of work, I think it will be worth it!

SaveTimer is released under the GNU GPLv3 or later. The code is available on GitHub and you can also download a ready-to-run executable, if you have .NET 4.5.2 installed. No installer required!

I made my first blog post on this day ten whole years ago.

Back then it was all pre-self-hosting, and the blog (sans the rest of the website) lived over at Blogger. Beyond just the technology, I think my blogging style and the content that I have focused on has evolved quite a lot since my first few posts as well!

The years brought a migration to WordPress, upon which the blog still runs, and four major design revisions too.

Here’s to the next ten years!

Some very raw and unfiltered thoughts on today’s Apple announcement:

I thought after all this time there’d be more content deals for the new Apple TV — the “apps” focus suggests that they are having to concede their former approach entirely and acknowledge that they won’t funnel much TV content through iTMS at all.

Harry Potter photos!

4K video capture on a phone is pretty amazing.

The MLB Apple TV app demo with watching two games at once must have been a Back to the Future II reference for 2015 — “give me channels 5, 9…”. Right? Right?

I’m interested to see (hopefully non-fanboy/girlish) thoughts on how the iPad Pro will compare with the Surface range. It’s interesting to me actually that if MS get the touchy style apps done well (they have to do a better job than with Win8!), the Surfaces also having the flexibility to run classic Windows apps too might make them more competitive in that “pro tablet” area.

I want to go play with 3D Touch when I can! If they’ve done it well, it could be quite cool.

I’m no artist in drawing terms, but the Pencil looked pretty amazing. I was deriding it at first as a silly stylus. I was wrong.

So. Much. Stuff!

I’m very excited to have put the ideas mentioned in my previous blog post about Cautious Unattended Upgrades into practice!

To quickly recap, the idea is that, on a Debian-based test system (‘the canary’), this is a software package that runs the latest security updates, runs an automated browser-based test suite to make sure these new updates have not broken any critical functionality on our clients’ sites, then ‘pushes’ just these package updates to the production servers.

In keeping with my original plan, the software is written in Ruby and uses Watir/Selenium WebDriver to run a suite of tests that verify, just as a human being would in a live web browser, that client websites work correctly.

Cautious Unattended Upgrades — the canary in the coal mine. Image by stevep2008 on Flickr, licensed under CC-BY 2.0.

I was expecting the biggest challenge would be getting this browser automation side of things working, but actually that proved very easy, which is a testament to the design of those projects.

The software is still a little rough around the edges, as I explain in the README file on GitHub, but I’m very pleased with the project’s progress. We have put it into use on our live systems at Van Patten Media, so we can keep servers promptly up-to-date with security patches without our intervention, but retain a greater peace of mind that our clients’ sites are still working as they should post-upgrade. (This is of course dependent on the quality and breadth of the tests that we write!)

I am particularly excited that this marks the first ‘real’ project in Ruby that I have written. Ruby isn’t a platform I have worked with too extensively before, so I have enjoyed challenging myself to be exposed to a different environment and quickly pick up how to achieve what I want to do. There is definitely more work to do — it really should be organised in a slightly more ‘Ruby-like’ way, and perhaps become a proper Ruby Gem, listed on rubygems.org, so those are things I will be looking at over the longer term for this project.

If you are interested in using Cautious Unattended Upgrades, or contributing to making it better, the project is licensed under a BSD-style licence and the code is available on its GitHub project page.

Effraction by Sébastien Launay on Flickr. Licensed under CC-BY 2.0.

My attention has turned recently to how to automate the installation of security updates on various Linux distributions.

As Van Patten Media runs more servers, the effort and time needed to apply critical security updates promptly grows. Waiting several days to get security fixes just isn’t acceptable in a post-Shellshock era, yet there is always a risk of a completely automated update breaking important functionality.

One of the projects I will be investigating over these few weeks is how we might build an automated test environment that could apply the updates quickly to a test VM, run a test suite to verify none of our critical client functionality breaks, then push those updates to the live servers.

There are various solutions for truly automatic updates; I focus on Debian’s unattended-upgrades package here. What seems to be more difficult, however, is being able to push that list of ‘approved’ packages and just install those when we are ready.

My current train of thought on how to proceed on this is as follows:

• Test box installs the day’s upgrades
• Runs the test suite automatically
• If the test suite passes, it determines which packages were most recently installed
• Pushes that/those package names to the unattended-upgrades whitelist on the clients
• Clients, on next unattended-upgrades run, will install those upgrades
• Upon successful upgrade, we reset the whitelist

I am in the very early stages of looking at this, so that is a very rough sketch of where my thoughts are currently. There are missing pieces, but I was looking at Watir for the browser test suite component.

I would be interested to hear from anyone who has looked at this before, or if anyone knows of any interesting similar projects I haven’t found!

Security Enhanced Linux (SELinux) is a pretty powerful technology that adds another layer of access control to a Linux system. It helps significantly limit the ability for an attacker who has partly compromised a system to use their access to jump deeper into the system.

It has been standard in Red Hat Enterprise Linux and its derivatives for quite some time, and is often the cause of many a headache when something doesn’t work because it is being (apparently) silently blocked by SELinux’s security enhancements!

Its potential to cause breakage, especially when third-party bits and pieces are brought into the mix, means the advice from well-meaning individuals is often a cry of “just turn off SELinux!”, rendering a system without that extra layer of protection.

I will not pretend that my recent dealings with SELinux in CentOS 7 have been free of frustration, but a few simple tools have made it a surprisingly simple affair to get something up and running again if a particular behaviour (always of something a bit third-party in my experience!) is being erroneously blocked.

I think a big part of what makes SELinux get switched off in frustration is the perception that it is breaking things silently, and the psychological impact of its verbose ‘scariness’ when you do find those logs!

audit2why

As long as you remember that SELinux can be the cause of potential unexplained weirdness, your first port of call can be audit2why:

audit2why -a

What is particularly nice about this tool is how quickly you get (semi-)human readable output, detailing which rules an application is breaking. If you do hit one of these ‘weird problems’, a quick trip to this tool usually makes it clear that SELinux is the cause of the failure!

audit2allow

I was surprised by how relatively quick it was to identify an issue with audit2why and make a custom module with audit2allow to get an application working again.

There are a good set of instructions in the Red Hat manual.

It sounds like a big deal, but the tools have made it almost completely automated — it really isn’t necessary to have a deep understanding of SELinux’s internal workings.

setsebool

Finally, there are some flags that are disabled by default for SELinux protected applications that you might need. Again, audit2why will often make it clear what you need to toggle using this tool!

For example, a web server process that does legitimately send out emails might need the appropriate flag switched on. Without it, the web server doesn’t get the right to talk to sendmail.

Give SELinux Another Chance!

I suppose my point in this rambling is this: give SELinux a chance if you have given up on it in the past. If you have the time to set up your system properly (and you should!), taking a little extra to figure out how to grant only the permissions really needed does make a material difference to your security should one application be compromised. An attacker being able to get their foot in the door needs to be assumed to be possible, so making their life a lot harder at that point is worth making your life slightly harder on the odd occasion.

With a little patience and the use of the tools I have talked about, I think it is a lot easier to work with than it might seem at first glance, or when it first arrived in RHEL many moons ago!

SuperDuper is one of my favourite backup applications for the Mac, and I use it as part of my backup and recovery strategy.

One of its benefits is creating a bootable clone, so in the case of any trouble, you can connect the backup drive, hold Option/Alt and boot your alternative system.

The world has changed since I first used this tool, and full-disk encryption is now essential for maintaining privacy and “not-having-your-life-turned-upside-down” in the event of a loss of control of the drive with your life on it. FileVault on OS X since Lion works beautifully for your boot drive, but unfortunately I had to sacrifice the bootability of my SuperDuper backup in order to ensure it was encrypted.

Recently, a drive failure on my SuperDuper backup drive (yep, they do happen, and that’s why we back up!) required me to replace the drive. That gives a good excuse to play, and try and make a bootable and encrypted backup — FileVault-style, but on an external disk that we manage ourselves.

» Read the rest of this post…

I am very excited to be able to announce that Total Slider 2.0 has been released!

Version 2.0 is a significant milestone in the plugin’s history, and brings a very important behind-the-scenes change to the way your slide information is stored. In addition to that, and a lot of cleanup work in the code itself, there is now the capability of having draft slides as well as auto-saving of those drafts, making it much more difficult to lose data!

Being a side project that has to fit in around my day job and other work, this has taken much longer to get out there than I would have liked, but I am very happy with the result. The particular challenge of making sure the data format upgrade goes without a hitch involved some extensive testing, but I’m pretty confident (about as confident as you can be!) that the upgrade process will be very smooth. In the unlikely event there is an issue, you can roll back the plugin to v1.1.5 without any loss of data. Obviously, taking a database backup is a good idea, though! 🙂

With this big infrastructure change out of the way, I’m looking forward to the future of this plugin. I hope we can deliver more graphical goodness (a slider template previewer would be nice!) and a greater variety of templates that ship with the plugin to support the different preferences people have for their sliders.

It’s really exciting to finally get this released to the 1,000+ active users (according to its WordPress plugin page) this software has, and I’m looking forward to making it even better as and when I can!

You can download Total Slider from the WordPress Plugins Directory.

Google Analytics is almost ubiquitous as the solution for collecting useful information about how your website is being used by visitors. It is a good product, and has evolved over the years to be very flexible indeed.

But since it first launched, my opinions of Google have certainly changed, as have many others. Without wishing to get into a debate on the subject, there definitely is a market for a competitor to this very useful tool that might free us of that reliance on Google infrastructure, and be more respecting of our visitors, by means of initatives like Do Not Track.

Piwik’s desktop and mobile views

I recently deployed Piwik, an open source PHP-based application intended to replace Google Analytics. A full disclosure — it will not be as full-featured as Google Analytics for those people using the full power of that solution, but it puts the power and control back in your hands. Moreover, it uses a very similar-looking (perhaps even largely compatible) JavaScript API, meaning I had to do little work to figure out how to track the events that I wanted.

With built-in support for avoiding the use of cookies altogether, you can sidestep the well-meaning, but ridiculously ill-conceived EU Cookie law and its onerous “we use cookies!” notifications entirely, while still delivering enough tracking capability for many simpler analytics applications where detailed insights into repeat visits aren’t so important.

I haven’t made the time to replace Google Analytics on this site with it yet, but that is on my list of things to do! Right now, I have some custom code server-side that detects your Do Not Track status and suppresses the Google Analytics JavaScript entirely, but Piwik would do away with that need for complexity.

It might not do enough for your application — but as a way to put your money where your mouth is and genuinely support the user’s right to give and withdraw consent for tracking, it is most definitely worth a look.