
Blog

Adventures with Arch Packages: Exercise Caution with Exclude

Running a bleeding-edge rolling release Linux distribution like Arch Linux has its challenges and risks, but there is perhaps no greater feeling of absolute control over your own operating system! It also leads to the opportunity to have “adventures” like the one described here. While “adventure” might be tongue-in-cheek, the truth is that there is great educational value in breaking something and thus being forced to fix it!

I recently saw that a pacman upgrade to icu (International Components for Unicode) would break a few Electron packages, which I needed for the open source build of VS Code, among a few other things. (I generally like to avoid Electron apps, but VS Code is a rare exception!)

pacman reported a dependency conflict here that could not be resolved, so the entire transaction was refused.

My mistake was thinking “oh, I’ll just exclude icu from the upgrade, as it’s causing the dependency issue”. Usually these issues are fixed in a day or two, so I’d upgrade it later.

This was indeed a mistake.

The rest of the upgrade had gone ahead without icu, so packages that were now linked against the new icu library version were looking for a shared object that wasn’t installed. I rebooted, to discover that the GUI wouldn’t start, and I couldn’t even use pacman in single-user mode to roll back the previous transaction, as pacman itself depended upon icu.

I’d broken the very package manager that I needed to roll back. Oops!

Install media to the rescue

I booted into the Arch install media, and set about to address the issue.

Chrooting into the target filesystem and using pacman wasn’t an option, as running the package manager from the target filesystem failed with the same dependency issue.

I had a few false starts with trying to run pacman from the install medium, pointing it at the mounted OS partition with --sysroot.

While this didn’t pan out, I remembered that pacstrap, while designed for install time, presumably could install packages in the target filesystem without needing pacman itself. I was concerned that this might reinstall some base packages, but it turns out you can specify which packages to install manually on its command line.

So, I gathered the list of packages that needed upgrading by using pacman -Syu --sysroot /mnt against the target filesystem, and then supplied this package list to pacstrap (-G and -M stop it copying the install medium’s keyring and mirrorlist into the target, and -i asks for confirmation before installing):
pacstrap -G -i -M /mnt icu brltty electron27 electron28 electron29 electron30 freerdp freerdp2 harfbuzz-icu raptor
And… we’re back!
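The diagnosis above was done by hand. As an added example (mine, not from the original post), the script below automates it from the install media: it finds ELF files in the mounted target whose shared-library dependencies no longer resolve, which is the signature of a partial upgrade, and maps them to the packages that own them so the exact list can be handed to pacstrap. The function names are mine; it assumes a GNU userland on the install medium, that chroot into the target works (ldd is a bash script and does not need icu), and pacman with --sysroot. The ldd output used to exercise missing_libs is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose a partial upgrade on an
# Arch root mounted at e.g. /mnt, from the install media.
# Assumes GNU find/grep/awk, chroot into the target, and pacman --sysroot.

# Read ldd output on stdin and print every soname reported as "not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Print "path<TAB>soname" for each ELF file under the target's /usr/bin and
# /usr/lib that has an unresolved dependency. Paths are relative to the target
# root so they can be passed straight to pacman --sysroot. ldd is run inside
# the target via chroot so the target's own loader and library paths are used.
unresolved_in_root() {
    root=${1%/}
    find "$root/usr/bin" "$root/usr/lib" -type f 2>/dev/null |
    while IFS= read -r f; do
        head -c 4 "$f" 2>/dev/null | grep -qa ELF || continue   # skip non-ELF
        rel=${f#"$root"}
        chroot "$root" ldd "$rel" 2>/dev/null | missing_libs |
        while IFS= read -r lib; do
            printf '%s\t%s\n' "$rel" "$lib"
        done
    done
}

# Resolve the affected files to the packages that own them (unique, sorted).
# pacman --sysroot chroots into the target, so paths are relative to it.
broken_packages() {
    root=${1%/}
    unresolved_in_root "$root" | cut -f1 | sort -u |
    while IFS= read -r rel; do
        pacman --sysroot "$root" -Qqo "$rel" 2>/dev/null
    done | sort -u
}

# Typical use from the install media, after mounting the root at /mnt:
#   broken_packages /mnt
#   pacstrap -G -M /mnt icu $(broken_packages /mnt)   # review the list first
```

Review the list before running pacstrap, and include the package you originally held back (icu here) so that the whole dependency chain is brought up to the same version.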

Lessons learned

  • The manual isn’t joking about “Partial upgrades are unsupported”.
  • Considerable caution is required when excluding packages from an upgrade, whether with pacman --ignore or IgnorePkg in pacman.conf.
  • “The OS is ephemeral and I can rebuild it” is a bit too relaxed an attitude when you don’t really want to have to rebuild the OS at short notice. Back up the OS packages and libraries too.
  • Really understanding the package manager and install process gives you the tools to pull yourself out of the holes you dig for yourself!


Adventures in ETW: “Slow Comment”

I am a great admirer of the work of Bruce Dawson on Event Tracing for Windows, UIforETW and his blog posts on using ETW to track down all sorts of weird and wonderful issues.

I also found Bruce’s training videos on the subject, despite the videos knocking on the door of being a decade old, to be very useful.

I was delighted to have a recent opportunity to practise my own skills in this area, following Bruce’s lead!

The Symptom

The end user was experiencing delays of between several seconds and about half a minute when saving comments in a Word document. Choosing to Insert the comment was fine and when typing the comment, Word also behaved normally. Press Save, however, and Word’s UI would hang for somewhere between a few and 30 seconds.

Yep, sometimes half a minute for each comment being saved!

In a document that required a lot of comments, this was dramatically slowing the user’s work.


Licensing: Restricting the ability to prevent others exercising their rights

There is great potential in using open source and free software licensing to support and encourage the ethical use of technology — and indeed to deter its use in violating human rights and provide some legal mechanisms to challenge this when it happens.

But it’s also an extremely complex and difficult issue, as there are always a great number of implications, and they’re not always easy to anticipate.

This is an area I watch with keen interest, and I was interested to read Matthew Garrett posing some interesting questions around how a clause relating to taking away another’s ability to exercise their rights under the licence might work. The idea is taking the moral goal of preventing harm being done to others by means of the software and expressing that goal in terms of prohibiting actions that would prevent others from exercising their rights under the same licence.

This work may not be used in any way that impairs any individual’s ability to exercise the permissions granted by this license, whether or not they have received a copy of the covered work

To be clear, I don’t think this is a good license – it has a bunch of unfortunate consequences like it being impossible to use covered code in self-defence if doing so would impair your attacker’s ability to use the software. I’m not advocating this as a solution to anything. But I am interested in seeing whether the perception of the argument changes when we refocus it on user freedom as opposed to an independent ethical goal.

Matthew Garrett

When You Have No Add-Ons, and about:studies is a Blank Page

It’s a tough day for some at Mozilla, I imagine, with pretty much all Firefox add-ons suddenly being disabled due to an expired intermediate certificate.

I love Firefox. I love having a browser that is not increasingly proprietary (*cough* Chrome *cough*), and so I too was hit by this issue.

Mozilla rolled out a fix using their studies system, and users were told to go to about:studies and it would show up within 24 hours.

My about:studies was a blank white page. Not a blank list of studies with the explanatory text — an entirely blank page. Here’s what it should have looked like:

about:studies as it should be.
I, however, saw a completely white screen.

I delved into the Firefox source code to see if I could track this down.

Running Firefox with the -jsconsole switch revealed errors relating to IndexedDB and the Top Sites component. Initially, I ignored these, but it turns out they were likely symptoms of the same problem.

In the end, I found toolkit/components/normandy/lib/AddonStudies.jsm, which I believe is the backend that the about:studies frontend JavaScript code talks to.

const DB_NAME = "shield";
const STORE_NAME = "addon-studies";
const DB_OPTIONS = {
  version: 1,
};
const STUDY_ENDED_TOPIC = "shield-study-ended";
const log = LogManager.getLogger("addon-studies");


/**
 * Create a new connection to the database.
 */
function openDatabase() {
  return IndexedDB.open(DB_NAME, DB_OPTIONS, db => {
    db.createObjectStore(STORE_NAME, {
      keyPath: "recipeId",
    });
  });
}

So, I knew I was looking at IndexedDB and I needed to locate what was happening with this particular shield database.

This StackOverflow answer was old, but gave me a hint of where to look. In the Firefox profile folder, there is storage/permanent. Inside here, a number of subfolders, including chrome (no, not Chrome — chrome) and other folders relating to devtools.

I noticed that in the chrome folder, I had four files for two different databases. Each database had a .sqlite-wal file and a .sqlite-shm file. This didn’t seem right: the -wal file is SQLite’s write-ahead log and the -shm file is the shared-memory index for that log, but where was the actual data file? There should be a .sqlite file as well, holding the actual data for each database.

So, I deleted these four .sqlite-wal and .sqlite-shm files from my profile (after a backup, of course, and when Firefox was not running).

A restart of Firefox later — several databases were regenerated and reappeared in that folder. Critically, about:studies was no longer blank and displayed as it should have — albeit with no studies yet.

A Fix? A Workaround?

Performing these steps may cause your Firefox profile to be irreparably damaged. This is an advanced and entirely unsupported process. Proceed at your own risk and only with a backup.

Great caution should be exercised here — I don’t know what these chrome IndexedDB databases contain, or should have contained. In any case, I’m pretty sure that the absence of the .sqlite file but the presence of the wal and shm files meant that Firefox was unwilling to delete them and start again for fear of losing something.

However, if you are experiencing the same problem:

  • Quit Firefox
  • Go to your Firefox profile folder
  • Back up your profile
  • Inside the profile folder, go to storage/permanent/chrome/idb
  • See if you have any .sqlite-shm and .sqlite-wal files without a corresponding .sqlite file
  • If so, move the .sqlite-shm and .sqlite-wal files elsewhere on your disk, away from your Firefox profile, and restart Firefox
  • See if about:studies is no longer a blank page
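The steps above, as an added example in script form (mine, not from the original post or from Mozilla). It lists the -wal and -shm sidecar files whose main .sqlite database is missing and moves them out of the profile rather than deleting them, refusing to run while Firefox is up. The function names and the quarantine directory are mine; the Linux profile path in the usage comment is an assumption and the files created in the accompanying check are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from Mozilla: find SQLite
# sidecar files (-wal write-ahead log, -shm WAL index) whose main .sqlite
# file is missing, and move them out of the profile instead of deleting them.
# Run only with Firefox closed and after backing up the profile.

# List orphaned *.sqlite-wal / *.sqlite-shm files in directory $1, one per line.
orphaned_sidecars() {
    dir=${1%/}
    for f in "$dir"/*.sqlite-wal "$dir"/*.sqlite-shm; do
        [ -e "$f" ] || continue                 # glob matched nothing
        base=${f%-wal}; base=${base%-shm}       # strip the sidecar suffix
        [ -e "$base" ] || printf '%s\n' "$f"    # no main database file
    done
}

# Move the orphans from $1 into $2 (created if needed) so they can be restored.
# Refuses to run while a firefox process is present: a live profile is exactly
# the case where a -wal file may still hold data not yet written to the .sqlite.
quarantine_sidecars() {
    dir=$1; dest=$2
    if command -v pgrep >/dev/null 2>&1 && pgrep -x firefox >/dev/null 2>&1; then
        echo "firefox is running; quit it before touching the profile" >&2
        return 1
    fi
    mkdir -p "$dest"
    orphaned_sidecars "$dir" | while IFS= read -r f; do
        mv -- "$f" "$dest"/ && printf 'moved %s\n' "$f"
    done
}

# Example (Linux default profile location assumed; <profile> is a placeholder):
#   quarantine_sidecars ~/.mozilla/firefox/<profile>/storage/permanent/chrome/idb \
#                       ~/firefox-idb-quarantine
```

Keeping the moved files means the step is reversible: if about:studies is still blank afterwards, or something else breaks, move them back before Firefox starts and you are where you began.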

“File and Printer Sharing Ports Blocked” — But Are They?

A recent upgrade to System Center Operations Manager, taking it to the new 2019 release, perhaps combined with an update to the Windows Server management packs, created an interesting issue.

On the management server, an alert was triggered about the management server itself:

Resolution State: New
Alert: Server Service: File and Printer Sharing Ports Blocked
Source: SCOM (SMB)
Path: SCOM.fqdn
Last modified by: System
Last modified time: 3/13/2019 2:14:28 PM
Alert description: Either Windows Firewall is disabled or the firewall inbound rules for TCP ports 445 or 139 are disabled.

Interesting. Did the upgrade to SCOM 2019 or the management pack somehow break Windows File Sharing? And if it did, why hadn’t we noticed more significant issues than just this alert?

Well, no. It looks like this alert actually dates from earlier in March, but perhaps it re-surfaced post-upgrade as the monitor re-evaluated. What I was sure about, however, was that the file sharing ports were indeed open and that this alert couldn’t be correct!

Right? Right?

To the Firewall!

Investigating all the relevant firewall rules revealed that everything was in order — Windows File and Printer Sharing exceptions were allowed, as appropriate, across the board.

File and Printer Sharing rules

What is it Detecting?

So, it was time to dig a little deeper.

I was able to go to the Alert details and click on the Alert Monitor to drill down and find the details of how the monitor was coming to this apparently erroneous conclusion.

I extracted the script and tried running it manually on the server using cscript.

With a few WScript.Echo calls of mine sprinkled in, the relevant part of the VBScript that powered the monitor was as follows:

Dim rule

' fwPolicy2 (the INetFwPolicy2 firewall policy object) and fwCheckProfile
' (a bitmask for the currently active network profile) are set up earlier in
' the management pack script and are not shown here.
For Each rule in fwPolicy2.Rules
  If (rule.Protocol = NET_FW_IP_PROTOCOL_TCP) And (rule.LocalPorts = "445") Then
    WScript.Echo("Proto " + CStr(rule.Protocol) + " and port " + rule.LocalPorts + " enabled: " + CStr(rule.Enabled))
    WScript.Echo("rule.Profiles: " + CStr(rule.Profiles) + " and rule.Enabled " + CStr(rule.Enabled))

    ' Note the "Not": this branch is only taken for a *disabled* rule that
    ' applies to the current profile. That is the condition questioned below.
    If (Not rule.Enabled) And (rule.Profiles And fwCheckProfile) Then

      WScript.Echo "Setting file sharing ports enabled to true"
      fwFileSharingPortsEnabled = "True"

      Exit For

    End If

  End If
Next

So, let’s go ahead and run this.

The script also checks to see if any non-hidden shares exist on the server and will only put the monitor in an unhealthy state if at least one exists.

It iterates over all the rules for port 445, decides all the rules are enabled, which would allow access to File Sharing, but then ends up with fwFileSharingPortsEnabled still being false.

This propagates to the ultimate script output of a PropertyBag with the value Disabled under PortStatus.

All the rules are enabled, but the result is that it considers the ports not open for business??

Is this Logic?


It seems to me that there is a logic error here:

If (Not rule.Enabled) And (rule.Profiles And fwCheckProfile )  Then

Only if the firewall rule is not enabled, and it applies to the current network profile, do we consider the port enabled?

Remember that if no enabled rule allows the port, the Windows Firewall’s default inbound policy blocks that traffic, so a disabled rule is precisely the case in which the port is not open.

It seems that this might be a simple logic error in the management pack. A comment later in the script even states:

‘ Only if regular share exists and port 139/445 are not open will portStatus be returned as “Disabled”

Am I missing something obvious?

I’d Report This…

I cannot figure out where I should report this, if I’m right about how this should be working. Should I complain on a forum? Is there a System Center Operations Manager support Twitter profile? Product Support?

An Unorthodox Workaround

For now, disabling at least one of the rules for port 445 suppresses this alert. For example, if you don’t need or want Remote Event Log Management, you can disable the Remote Event Log Management (NP-In) rule. The script will then return Enabled and the alert will not be fired.

Any of the port 445 rules being disabled will cause the script to be happy again. Bear in mind that this only silences the monitor: with the logic as it stands, it says nothing about whether SMB is actually reachable, so verify that separately (for instance with Test-NetConnection -Port 445 from another host).


When is iMessage not iMessage? (When it’s facebookexternalhit/1.1)

Facebook is a company that engages in unethical behaviour. Its ubiquity and its necessity for many people’s social lives undermines people’s ability to meaningfully grant or withhold their consent to its policies.

I take no pride in seeing this coming in 2010, and I have refused to use any of their services consistently since.

So I was surprised, to say the least, when I sent a link over iMessage that I knew would be unique, but saw a request being made for it by the facebookexternalhit/1.1 bot user agent. This URL should not have ever been seen by anyone but me and the recipient. I took the time to verify that the only access to this URL was by myself and the recipient.

"GET /some-secret-url HTTP/1.1" 200 - "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"

It turned out that the facebookexternalhit/1.1 request (also identifying as Twitterbot!) was issued by the same IP address that I had. How could I be a Facebook/Twitter bot? How could it be that some Facebook code was running in my network? (I’m pretty particular in blocking large numbers of domains relating to Facebook properties.)

It turns out that the link preview in iMessage makes a request for the URL using this user agent string. It doesn’t identify itself as iMessage in the user agent string at all! It also means that any “secret” URL pasted into iMessage is fetched by the previewer, from the sender’s own address as here, before anyone has tapped it, so the server sees a visit whatever the recipient does.

I’m satisfied that I answered the question — and indeed I understand the nature of user agent strings and how everybody pretends to be something else for compatibility. I expect a service to add to the user agent string, though. Chrome pretends to be Safari, which pretends to be “like Gecko”, which pretends to be “Mozilla/5.0”.

So why can’t iMessage add “iMessageLinkPreview/1.0” or something to the user agent string?
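The triage described above, as an added example that is not part of the original post: an awk filter that pulls crawler-looking fetches out of a combined-format access log and then keeps only those that came from a given address, which is how you tell a client-side previewer on your own connection from a remote bot. The function names are mine, and SAMPLE_LOG is constructed for illustration using RFC 5737 documentation addresses; the user agent string in its first line is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: find link-preview fetches in an
# access log and check which came from your own address. A user agent can
# claim anything; the client IP is the only field worth trusting here.
# Assumes combined (Apache/nginx-style) log lines. SAMPLE_LOG is constructed.

SAMPLE_LOG='203.0.113.5 - - [02/Mar/2019:10:00:00 +0000] "GET /some-secret-url HTTP/1.1" 200 - "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"
198.51.100.9 - - [02/Mar/2019:10:00:01 +0000] "GET /public-page HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1"
203.0.113.5 - - [02/Mar/2019:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"'

# Read access-log lines on stdin; print client_ip<TAB>path<TAB>user_agent for
# every request whose user agent claims to be a social link-preview crawler.
# Splitting on the double quote gives: $1 = "ip - - [date] ", $2 = request
# line, $6 = user agent.
preview_fetches() {
    awk -F'"' '
        tolower($6) ~ /facebookexternalhit|facebot|twitterbot/ {
            split($1, pre, " "); split($2, req, " ")
            printf "%s\t%s\t%s\n", pre[1], req[2], $6
        }'
}

# Keep only the fetches whose client IP is $1 (for example your own public
# address): a "crawler" living on your own connection is a client-side
# previewer such as the iMessage one, not a remote bot.
from_address() {
    awk -F'\t' -v own="$1" '$1 == own'
}

# Example run:
#   printf '%s\n' "$SAMPLE_LOG" | preview_fetches | from_address 203.0.113.5
```

The same filter, pointed at a real log and at the addresses of your own devices, shows which “secret” URLs have been pre-fetched by a messaging client without anyone clicking them.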

“Accident Advice Helpline”, 0161 854 1173 , Where Did You Get My Number?

A Case of Curious Coincidences…

Put on your citizen’s journalism hats, because we’re about to go on an investigative adventure.

UPDATE: More unsolicited calls recently from 0161 854 1214 where no message is left — unverified as to whom this is at this stage. It seems reasonable to presume that this is in the same range of phone numbers, given the MO.

I have received a number of calls from 0161 854 1173 recently (May 2018). A voicemail message is never left, but if you pick up, you always hear a very short extract of hold music before you are connected with a person (automatic dialer, perhaps?) The agent typically identifies themselves as from the “Accident Advice Centre” or “Accident Advice Helpline”.

I have made a number of call recordings of my interactions with this phone number. I stress that these recordings have been made lawfully, as incoming calls to my number automatically play a pre-recorded message “this call is recorded” before the ringing begins, thanks to my service provider. (A recorded message stating that the call is recorded is common practice in that it is similar to the recorded messages that one hears when calling up companies.)

I was of course curious who was calling and how my phone number had been obtained.

Me: “I’m just wondering really where the number that you’ve called came from? I mean, obviously —”

Agent: “Oh, your number, sorry, sir? Your number?”

Me: “Yes. Yeah, yeah, yeah.”

Agent: “Ah, right, I do apologise. I thought I — no — no worries. Yeah, we work off the Accident Portal1, sir. So when you ring your insurance and tell them about your accident, er, it comes under what you would call the Accident Portal. Now [inaudible] organisations that have access to the Accident Portal, OK? The DVLA, the Accident Advice Centre, that’s us, the Motor Insurance Bureau and the DVLA2. Sorry, the [inaudible], the DVLA and your insurers.”

Me: “You’re a government organisation?”

Agent: “We are a [government/governing]3 body, OK? Er, we were set up to make sure your insurance companies are doing their job correctly. Also just to make sure the complaints[?] OK and happy with your insurance [inaudible] and everything, and just to make sure you know, you’ve received all your requirements — your legal, erm, payments and stuff. Now—”

Me: “What I’ve [inaudible] is to find out information about your organisation, because I’ve struggled on a number of occasions to actually find out any more.”

Agent: “Say again, sorry?”

Me: “I’ve struggled on a number of occasions to actually find out any more information about your organisation.”

Agent: “Just bear with me one second, I’m going to get my manager, OK?”

Me: “I tend to start asking these questions and the call seems to be cut off.”

Agent: “Right, well, why did you think your call seems to be getting cut off?”

Me: “I don’t know.”

Agent: “Is this our company you’re talking about, or…?”

Me: “Yeah, calls from this number. The number you are calling from, and, yeah, I seem to ask for information about the organisation and then I don’t seem to — the call doesn’t seem to stay, uh, connected.”

Agent: “Are you just looking at the [inaudible], because that’s just an area code, so it could be a million, um, you know, a million people calling you.”

Me: “— the full phone number”

Agent: “Let me just see who’s called you in the past, give me one second.”

Agent: “Yeah, I can see that our, our, our, my colleague [name] tried contacting you. Erm, but she put it down to answering machine, like, we couldn’t get hold of you, and that’s why it’s come back through today.”

Me: “Yeah, as I said, it’s not the first call. I’ve had a number of calls, but, um…”

Agent: “Right, so are you aware of the compensation that has been set aside for you, Peter? — — Hello?”

Me: “Again, what I’m wondering about is more information about your organisation.”

Agent: “Right, like I said— That’s completely fine, obviously you’re only [inaudible] obviously want to know who we are and make sure we have your best interests at heart. Erm, just bear with me and I’m going to get my manager, she’ll just come over and give you a bit more of an explanation of who we are and why we are calling you, OK?”

Me: “That would be great, thank you.”

1: The closest thing to “Accident Portal” I can find is “Claims Portal Limited”, “a tool for processing low value personal injury claims”. I have no evidence that this is the “portal” in question, however. Investigations into whether Claims Portal Limited have my data are ongoing. Unfortunately, this company’s website Terms of Use prohibit me from linking to them without prior consent, so you will have to use a search engine yourself. (“You may not provide a link to this web site from any other web site without first obtaining Claims Portal Ltd’s prior written consent.”)

2: It’s credible that there is a database of incidents for legitimate organisations like insurance companies. That data presumably would be processed for the purposes of the prevention and detection of fraud. It certainly would not be permitted to use the data for “leads” for claims management companies, especially if the data subject is not specifically aware of the data processing in the first place.

3: It’s not clear enough to distinguish between these two words in my recording. I did want a clear answer as to whether they were identifying themselves as some kind of official body, or as a for-profit company. We’ll discover more about the identity of the organisation later.

After a brief interlude, the manager spoke with me. I asked for the full organisation name and the registered office.

Manager: “It’s the Accident Advice Helpline, OK?”

Me: “OK, so that’s Helpline. Is that Limited?”

Manager: “It’s just the Accident Advice Helpline. So basically we make the follow-up calls, Peter —”

Me: “—  the name of the organisation.”

Manager: “Accident Advice Helpline. Yes?”

Me: “OK, so not Accident Advice Helpline Limited…”

Manager: “Yes. OK? So, basically what we do is we make the follow-up calls to make sure that each and every person that has been involved in a recent road traffic accident or an incident — is being looked after, and offered a 5-star service so they’ve got the courtesy vehicle in place and the car’s in the garage and that you’re happy with the recovery of the vehicle etc. And obviously we explain to them about the payment when it’s a non-fault incident, there’s a payment automatically set aside1 — erm — which is for minor discomfort2, so this payment has got nothing to do with your insurers, it comes from the third party, the fault driver’s insurance—”

Me: “—so the information you’ve received about my number. Where has that come from, please?”

Manager: “That basically is uploaded onto the database. When you pay your premium — and everyone in the UK and Scotland pays their 0.34% of all the premiums put together — creates the Accident Advice Helpline3, so we’re authorised4 to receive all the, basically, the details of incidents and make sure that you’re being offered a good service by your insurers and then obviously, like I said, we ask you about your courtesy vehicle, the recovery of your vehicle, if you’re happy with the services and then obviously if you’re non-fault we explain that you are entitled to a payment, which I believe [original person who called me]’s explained to you already for the minor discomfort — you’ve had your seatbelt on5, someone’s collided into your vehicle and you’ve been involved in a low-velocity impact collision you are automatically entitled to a payment from the third-party6. So, like I say, just to confirm — erm — and to reiterate, this has got nothing to do with your insurers, this is coming from the fault driver’s insurance. Does that make sense?”

Me: “Erm — so, does your organisation have a registered office?”

1: Automatically set aside by whom I wonder?

2: “Minor discomfort”. Remember that justification that has been given for the “payment”, as we’ll be coming back to it later.

3: If I’m understanding the manager correctly, she is stating that the organisation is created from funding from everyone in the UK and Scotland [sic] and, I presume I am meant to believe, that the “automatic payment” comes from those monies. There is no evidence for this.

4: I did not press this point during the call — I was conscious that asking too many awkward questions seems to correlate with early termination of the call — but I’d love to know by whom they were authorised to receive my details. The “database”?

5: Another reference to “minor discomfort”, but then we move away from that and get more specific. Indeed, this is the closest I have come to any suggestion of the type of claim they’d actually want to pursue on my behalf. Mentioning the seat belt suggests they might look to see if a whiplash claim was a possibility if I continued further with them.

6: Automatically entitled? And this is “coming from the fault driver’s insurance”? I don’t accept these statements are true.

I will spare you the details of me explaining that asking for the registered office meant that I wanted a street address!

I eventually got this registered office from the manager:

50-52 Chancery Lane
London
WC2A 1HL

This address appears as the registered office address for an Accident Advice Helpline Limited, company 05121321. This doesn’t exactly match with the manager’s statement that it is “just the Accident Advice Helpline”, but the registered offices are the same.

The last filed accounts with Companies House were on 30th June 2017 and were accounts for a dormant company. I don’t think I can determine if the company is still dormant until they next file accounts in June.

(Coincidentally, Accident Advice Centre Limited (10275785), with registered office 8 Exchange Quay, Salford, United Kingdom, M5 3EJ, was dissolved on 13th June 2017, weeks before those dormant accounts were filed for “…Helpline”. I have a call recording from the same phone number, also from this month, where the agent identifies as from the “Accident Advice Centre” and confirms that this was the address of that organisation — “Yes, that’s our address”. So I’m still not sure who exactly is calling me from this same Manchester phone number — is it “Centre” or “Helpline”?)

I clicked on the name of the first company director for Accident Advice Helpline Limited listed on Companies House, and discovered this individual holds 36 directorships, almost all of them also with correspondence addresses of the London address as above.

Some of the more interesting ones:

I stress that all of the companies above can be reached at the 50-52 Chancery Lane address above.

The list seems rather comprehensive and efficient, in the sense that the whole process of lead generation, claims management, cost assessment and medical assessment for personal injury claims could, in theory, be administered all from this one building.

With all these companies physically located in the same building and with at least one common company director, I wonder how the issue of conflicts of interest is dealt with?

For example, I am sure that a “costs consultants” business would want to act in good faith to (I assume) estimate costs associated with an incident, but with such a close link to legal services firms and claims management firms that may be interested in maximising the assessment of costs… I will say that it raises ethical and procedural questions that I am sure the organisations involved will be happy to answer.

Back to my calls — I take the view that, while they may not want any money directly from me, that this is a marketing activity. They are a private company, trying to generate leads for business for personal injury claims.

My phone number is listed in the UK’s Telephone Preference Service. Let’s look at the legal obligations that this places on organisations:

Direct marketing telephone calls: it is unlawful for someone in business (including charities or other voluntary organisations) to make such a call to any Individual if that Individual has either told that business or organisation that he/she does not want to receive such calls or has registered with the Telephone Preference Service that they do not wish to receive such calls from any business or organisation.

I notified the manager that my number is in the TPS and that, therefore, I took the view that the call was unlawful.

Me: “Given that the number you have called is in the Telephone Preference Service, um, list of numbers not to call, um, unfortunately the calls you’ve been making are actually unlawful under that relevant legislation1. When you said that this isn’t a marketing call—

Manager: “Oh for goodness sake.”

Me: “I’m sorry?”

Manager: “Do you want me to make a payment? Yes or no?”

Me: “Hello?”

Manager: “I assume no.”

Me: “Are you still there?”

[some confusion — I am asking “are you still there” because I am conscious that the call is likely to end soon]

Manager: “— so you don’t want to move forward with the payment, so I’m going to take you off the system, thank you — [hold music for ~0.5 seconds, then call disconnects]”

1: http://www.legislation.gov.uk/uksi/2003/2426/regulation/21/made

I’m struggling to think of another “helpline” that would normally have managers who say “oh for goodness sake” to the people they “help”.

I do hope that she did indeed “take [me] off the system”. I should never have been on there in the first place — and if the company was checking numbers against the TPS list before making marketing calls, as they are legally required to do, this never would have been an issue.

My advice? Do not deal with this organisation, or any with a similar name and similar spiel. Perhaps calmly ask them a few questions about who they are, and see whether their story matches the ones above.

If any relevant official investigatory body wishes to contact me for further details regarding the way this organisation has identified itself, the calling of numbers listed in the TPS, etc., you are most welcome. Your call may be recorded. 🙂

Filesystem? What New Filesystem?

A quite legitimate criticism of iOS for some time has been the fact that you seem to end up with multiple gigabytes of unexplained “other” disk space usage after using the device for some time. It’s frustrating, especially on smaller devices.

Reinstalling iOS and restoring from your most recent backup would clear the mythical “other”, at least for a while.

It seems that the latest update to iOS, version 10.3, introduces a whole new filesystem technology, APFS. This wasn’t mentioned in the release notes, and is only really detectable by the end user in the form of a much longer upgrade process than would be needed for a typical iOS release.

Since upgrading a few devices, I have noticed a big jump in the available free space on those devices. The pesky “other” is still there, but appears to have shrunk significantly.

Hats off to Apple for fixing what was a long-standing criticism, and for managing a potentially quite disruptive filesystem migration in such a transparent way for the end user.

May the “other” space usage forever remain small.

Let’s Encrypt on Windows with ACMESharp and letsencrypt-win-simple

The march of freely available domain-validated TLS certificates continues in the form of the Let’s Encrypt project, and I’m very pleased that it does.

I’m very happy with the Certbot client on most systems where I need to deploy Let’s Encrypt, but on hosts facing the big wide world that are Windows-based, Certbot obviously is not an option!

Fortunately, I’ve had success with the ACMESharp library for PowerShell. What’s cool about the library is that it does break down the process into individual commands, meaning you can automate, script and report on your certificate status with a great deal of flexibility.

For simpler scenarios, though, the letsencrypt-win-simple client offers a nice friendly command line interface to the ACMESharp library and is a nice easy way to quickly retrieve and install a Let’s Encrypt certificate on a public-facing IIS instance. Automating the renewal process is easy too — just create a Task Scheduler task.

Yes, it’s a command line client, and there are Windows folks who may not be comfortable with that, but it walks you through every part of the process. No memorising of switches and flags is needed!

There really is no excuse — now is the perfect time to get everything on HTTPS!

Hopes for 2017

I hope for a world where we are able to actually keep calm and carry on in the face of significant challenges, rather than just displaying the aforementioned in poster form.

I hope for a world where those with all different political persuasions will have the courage to stand up for what is right, even when it is hard.

I hope for a world where we always remember to treat each other like human beings.

Happy New Year everyone.