Apple Event Brain Dump

Some very raw and unfiltered thoughts on today’s Apple announcement:

I thought after all this time there’d be more content deals for the new Apple TV — the “apps” focus suggests that they are having to concede their former approach entirely and acknowledge that they won’t funnel much TV content through iTMS at all.

Harry Potter photos!

4K video capture on a phone is pretty amazing.

The MLB Apple TV app demo with watching two games at once must have been a Back to the Future II reference for 2015 — “give me channels 5, 9…”. Right? Right?

I’m interested to see (hopefully non-fanboy/girlish) thoughts on how the iPad Pro will compare with the Surface range. It’s interesting to me actually that if MS get the touchy style apps done well (they have to do a better job than with Win8!), the Surfaces also having the flexibility to run classic Windows apps too might make them more competitive in that “pro tablet” area.

I want to go play with 3D Touch when I can! If they’ve done it well, it could be quite cool.

I’m no artist in drawing terms, but the Pencil looked pretty amazing. I was deriding it at first as a silly stylus. I was wrong.

So. Much. Stuff!

Adventures in SELinux

Security Enhanced Linux (SELinux) is a pretty powerful technology that adds another layer of access control to a Linux system. It significantly limits the ability of an attacker who has compromised one part of a system (say, a web server process) to use that foothold to reach deeper into the system.

It has been standard in Red Hat Enterprise Linux and its derivatives for quite some time, and is often the cause of many a headache when something doesn’t work because it is being (apparently) silently blocked by SELinux’s security enhancements!

Its potential to cause breakage, especially when third-party bits and pieces are brought into the mix, means the advice from well-meaning individuals is often a cry of “just turn off SELinux!”, leaving the system without that extra layer of protection.

I will not pretend that my recent dealings with SELinux in CentOS 7 have been free of frustration, but a few simple tools have made it a surprisingly simple affair to get something up and running again if a particular behaviour (always of something a bit third-party in my experience!) is being erroneously blocked.

I think a big part of what makes SELinux get switched off in frustration is the perception that it is breaking things silently, and the psychological impact of its verbose ‘scariness’ when you do find those logs!

audit2why

As long as you remember that SELinux can be the cause of otherwise unexplained weirdness, your first port of call can be audit2why (in the policycoreutils-python package on CentOS 7), which reads the denial records (AVCs) that the audit daemon writes to /var/log/audit/audit.log and explains each one:

audit2why -a

What is particularly nice about this tool is how quickly you get (semi-)human readable output: for each denial it shows the source process type, the target file or resource type, the class and permission that were refused, and the reason (for example, a boolean that is switched off, or simply no allow rule for that access). If you hit one of these ‘weird problems’, a quick trip to this tool usually makes it clear whether SELinux is the cause of the failure. Note that denials are only recorded while auditd is running, and ausearch -m AVC -ts recent is a handy way to see just the latest ones.

audit2allow

I was surprised by how relatively quick it was to identify an issue with audit2why and make a custom module with audit2allow to get an application working again.

There is a good set of instructions in the Red Hat manual.

It sounds like a big deal, but the tools have made it almost completely automated: pipe the denials into audit2allow -M mymodule, which writes mymodule.te (the human-readable rules) and mymodule.pp (the compiled package), then install it with semodule -i mymodule.pp. It really isn’t necessary to have a deep understanding of SELinux’s internal workings. Do read the generated .te file before installing it, though: audit2allow permits exactly the access that was denied, with no judgement about whether that access is legitimate, so if the denial was the policy doing its job (including against an attacker) you would be baking a hole into your policy. If the rules look far broader than the one operation you needed, check first whether a boolean already covers the case, or whether a file simply needs relabelling with restorecon.

setsebool

Finally, there are some flags (booleans) that are off by default for SELinux-protected applications and that you might need. Again, audit2why will often tell you exactly which one to toggle with this tool, and getsebool -a lists them all with their current state.

For example, a web server process that legitimately sends out emails needs the httpd_can_sendmail boolean switched on: setsebool -P httpd_can_sendmail on (the -P makes the change persist across reboots). Without it, the web server doesn’t get the right to talk to sendmail.
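As an added example that is not part of the original post, here is a small Python script that does by hand the first part of what audit2why does for you: it parses AVC denial records out of audit.log text, groups them by source type, target type and object class, merges the refused permissions, and flags whether each denial was actually enforced or merely logged in permissive mode (a permissive=1 record cannot be what broke your application). The sample log lines are constructed to match the web server/sendmail case above and follow the standard audit.log AVC field layout; the report format is my own.

```python
#!/usr/bin/env python3
"""Summarise SELinux AVC denials from audit.log text (added example, not from the post)."""
import re
import sys
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not from a real system).
# Record 1 mirrors a web server being denied execution of sendmail; record 3
# carries permissive=1, i.e. it was logged but not enforced.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1441814553.276:4532): avc:  denied  { execute } for  pid=2911 comm="httpd" name="sendmail.sendmail" dev="dm-0" ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1441814553.276:4532): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1441814553.276:4533): avc:  denied  { read open } for  pid=2911 comm="httpd" path="/srv/app/config.ini" dev="dm-0" ino=4471 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# One AVC record per line; the permissive= field is optional (older audit formats lack it).
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """user:role:type:level -> type. MLS ranges only add colons after the type, so index 2 is safe."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Return one dict per AVC denial record in log_text; other record types (SYSCALL etc.) are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "comm": m.group("comm"),
            "perms": frozenset(m.group("perms").split()),
            "source_type": context_type(m.group("scontext")),
            "target_type": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # No permissive= field means an older format; treat the denial as enforced.
            "enforced": m.group("permissive") != "1",
        })
    return denials


def summarize(denials):
    """Group by (source type, target type, class), merge permissions and processes, return report lines."""
    perms = defaultdict(set)
    comms = defaultdict(set)
    enforced = defaultdict(bool)
    for d in denials:
        key = (d["source_type"], d["target_type"], d["tclass"])
        perms[key] |= d["perms"]
        comms[key].add(d["comm"])
        # A group is worth fixing if at least one of its denials was actually enforced.
        enforced[key] = enforced[key] or d["enforced"]
    report = []
    for key in sorted(perms):
        src, tgt, cls = key
        state = "ENFORCED" if enforced[key] else "permissive (logged only)"
        report.append(
            f"{src} -> {tgt} ({cls}): {{ {' '.join(sorted(perms[key]))} }} "
            f"by {','.join(sorted(comms[key]))} [{state}]"
        )
    return report


def main(argv):
    # Pass a real log path (e.g. /var/log/audit/audit.log) to analyse it; otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_AUDIT_LOG
    for line in summarize(parse_avc_denials(text)):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

The grouped line is the unit you then reason about: a single httpd_t -> sendmail_exec_t execute denial is the textbook case for an existing boolean (httpd_can_sendmail), so check getsebool before reaching for audit2allow; a denial against user_home_t usually means the files live in the wrong place or carry the wrong label and want restorecon or a chcon/semanage fcontext fix rather than a new allow rule. Only when neither applies is a custom module the right answer.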

Give SELinux Another Chance!

I suppose my point in this rambling is this: give SELinux a chance if you have given up on it in the past. If you have the time to set up your system properly (and you should!), taking a little extra time to figure out how to grant only the permissions that are really needed makes a material difference to your security should one application be compromised. You have to assume that an attacker can get a foot in the door, so making their life a lot harder at that point is worth making your life slightly harder on the odd occasion.

With a little patience and the use of the tools I have talked about, I think it is a lot easier to work with than it might seem at first glance, or when it first arrived in RHEL many moons ago!

My Alternative Christmas Wish

Conflict minerals 5 by Sasha Lezhnev of the Enough Project - http://www.enoughproject.org/

Licensed under CC-BY-ND 2.0

I am always interested to know where the products I buy come from, and at this particularly consumer-focused time of the year, it highlights the issue further. It is interesting to me just how complex the chains of dependencies involved in making any non-trivial ‘thing’ really are.

The computer I am writing this on was assembled in the UK, but I would suggest that most, or all, of its components were not. What about the suppliers who provided sub-components for those components? What about the raw materials, including the traces of rare earth minerals needed to do its electronic magic?

Unfortunately, the result of this enormous complexity, and the fact that the retailers from which we buy care about little but the price they pay, means it is very difficult to verify really important aspects of how the goods we consume were made. It seems that nobody, not even the retailers at this end of the chain, has the depth of insight into their supply chain needed to affirmatively say “this is how our product was made”.

So, when cost is the primary concern, and nobody really digs deep to understand what is happening at each stage of a product’s life, how can consumers at this side of the transaction be empowered to make more ethical choices?

If I go to my local big-name supermarket to buy a kettle, for example, I cannot look at all the options and make an assessment about which product was made in a way that best aligns with my values. Did the manufacture of the cheapest £5 kettle involve the exploitation of somebody? Probably. Is the £30 ‘luxury’ choice any better? We just don’t know.

There are pockets of hope in this area — initiatives like Fairtrade have, for some product categories, encouraged supermarkets to go ‘all Fairtrade’ for particular items, and for other companies (tea and coffee businesses being a good example) to take steps to at least appear to be sourcing more ethically.

I just wish there were a big push from somewhere to gather accurate intelligence about how our stuff is made, and begin labelling more products in a way that empowers consumers to make better choices. I think there is a good portion of the population who want to make better choices that support human rights, environmental protection and social progress, but without high quality, verifiable information about what goes into what we consume, we are in the dark. While we remain uninformed, we cannot exert pressure on the market to do better as a whole.

Serving Pi

I recently completed a physical migration of my server, the one that hosts this very page! It all went successfully, and without any noticeable downtime for this site, which I am pleased to be able to do.

There was, however, a period of time during which this server needed to be physically switched off and moved to the new location. To achieve zero downtime, something else would need to host the site during that period.

Enter my Raspberry Pi!

Raspberry Pi in box

This amazing little thing is capable of running Raspbian, a modified version of Debian, which means I get access to the rich library of Debian packages that are available. I have a private Git repository containing a modular set of Puppet manifests. These describe the exact configuration of this server, so by applying the Puppet manifests, I can spin up a new instance of this particular server’s configuration on a whim.

So, I dusted off an SD card that was lying around, dropped Raspbian on it, installed Puppet and Git, and applied the manifests.

If I’m honest, there were a few components that weren’t quite so happy to run, despite packages being available. Varnish didn’t seem to like my VCL file, so I had to run the site here directly with Nginx pointing to PHP-FPM instead.

To cut a long story short, it worked! I was successfully serving up this site, from the Pi, using (almost) my existing configuration. Performance was not stellar, even compared to the modest hardware that normally serves this page, with page load times about 10 times slower than uncached page loads normally would be. The main blog page did take 1.5 seconds to render! For the short time I needed it though, I was very happy to have a very inexpensive and easy solution.

The Changing Face of Vulnerability News

Heartbleed logo  Shellshock Logo

The recent news about the bash vulnerability being called “ShellShock”, and the degree to which it is getting mainstream press has got me thinking about how software vulnerabilities are now being reported in the mainstream media.

Apparently, no vulnerability these days is complete without a catchy name and logo — see Heartbleed and Shellshock! Joking aside, though, the very fact that these vulnerabilities are making non-tech news headlines puts pressure on everyone running potentially vulnerable systems to do their duty — usually as straightforward as running a pre-packaged security update.

The Heartbleed and Shellshock stories are taking the place of what we used to see reserved for particularly influential computer worms, like Sasser and Mydoom. It’s most definitely positive that some vulnerabilities are getting attention — unfortunately it is still the case that for some companies and system administrators, only outside pressure will convince them to promptly, diligently and consistently apply security updates.

What I’d like to see is some way for people interested in improving computer security, the “good guys” for lack of a better term, to leverage this media interest to send a message to system administrators that it’s always necessary to apply software updates promptly, even when they don’t make the TV news!

The Curse of The Black Box

The other key issue that Shellshock highlights, as did Heartbleed, is the issue of embedded ‘black box’ systems that might be vulnerable. This kind of system is everywhere — and because in many cases they are ‘set it and forget it’ machines, they represent a particular risk. It’s often very difficult to convince vendors of these systems of the importance of pushing upstream software updates down to end users, particularly when there is a lack of understanding and a lack of financial incentive.

Something big and mainstream, like Shellshock and Heartbleed, might convince system administrators to badger vendors to release patches for this kind of product, but we need to extend this further, and make it a social (or even a legal) expectation on vendors to supply security updates for any product they ship, for a reasonable lifetime period for that product.

The security landscape is too complex, and everything too interconnected, for anyone to have the opinion that “I don’t need to patch that, because there’s nothing important on it”.

Leaving Yourself in the Loop

I want to part with a few bullet points, with some actions I try to take to stay up-to-date. Automatic updates are increasingly common, but not universal, and these simple things can help you not miss a known vulnerability.

  • Document and understand the whole software footprint of the systems for which you are responsible. (This means embedded systems, software libraries, and more!)
  • Subscribe to announce mailing lists, follow Twitter accounts of the software projects and systems you use. (It pays to be in the know about available updates, and not hear about them after it is too late!)
  • Look for useful vulnerability resources for particular projects you use. (For example, for WordPress, the recently launched WPScan Vulnerability Database.)

Personalised Search: Technologically Induced Confirmation Bias

DuckDuckGo filter bubble site

I can’t unfortunately remember what led me to this page (I think a retweet from someone), but I found myself perusing DuckDuckGo’s marketing site “Escape your Search Engine’s Filter Bubble” recently.

(I don’t have a relationship or particularly strong opinion about DuckDuckGo at this time, by the way, so this is no marketing astroturf.)

It shows just how the major search engines deliver different results for the same query, based on the user’s past habits.

The profile the search engine has built up on the user through their cookies doesn’t just inform them about relevant advertising, it literally changes the search results.

This troubles me greatly.

Now, I don’t believe I am experiencing this when I search. I am borderline obsessed with clearing cookies and other browsing data to ‘reset’ my browser to the same state after each session. Assuming mainstream search engines aren’t using technology like Evercookie, then I get a generic set of results across different browsing sessions.

Most people don’t do that, which means that most people are becoming increasingly unlikely to come across viewpoints that differ from their own on the web. They have a technologically induced confirmation bias, where, unless they click through a number of pages of search results, they will rarely hear people who might (respectfully, thoughtfully) disagree with them.

Confirmation bias… is a tendency of people to favour information that confirms their beliefs or hypotheses. People display this bias when they gather or remember information selectively, or when they interpret it in a biased way.

I am, frankly, frightened at the idea of people never being exposed to a diversity and plurality of opinions. I am frightened of how easy it could be to not develop and nurture empathy. The consequences of that could very well be more profound than we might realise on the surface.

As well as the societal implications, it doesn’t seem the right decision to me either in terms of the technical role a search engine should play. What I previously liked about the ‘old days’ of Google Search was their strong commitment to put the most relevant result first. I’m not sure, though, that delivering the most personally relevant result is the same as delivering the most relevant result for the query.

So how do we address this? Well, I think that media literacy in general is something we need to make a priority. Trying to change the way the search engines work when everything ‘targeted’ is such big business is unlikely to be successful.

At the very least, we need to get the message out to people that this is happening: privacy might not be the only reason you might want to clear your cookies.

iOS 7 and Obsolescence

iPhone 4 with iOS 7

This is my iPhone 4. I purchased it more than three years ago.

You don’t get into the technology world without, begrudgingly or otherwise, accepting that things move very fast. What is relevant today may be completely superseded in a matter of months.

A big reason why I have ended up a user of Apple’s iOS ecosystem is that, unlike some of its competitors, Apple seems genuinely focused on the relationship with the customer after the device has been purchased. I can run the latest operating system, released this month, on this old iPhone 4.

From a security point of view, on which I can’t resist commenting, the pace of mobile OS development is such that security fixes are not routinely backported to older OS versions. You end up with the situation we have today with Android: scores of vulnerable devices out in the wild.

Aside from some frustrations I do have — the original iPad that was released in the same year as my iPhone 4 is now stuck back on iOS 5 — Apple actually seem to think about device lifespan the least cynically of all the manufacturers. When they were developing the iPhone 4, they clearly thought about how it would run the next three operating systems yet to come.

It can’t be denied that the iPhone 4 isn’t quite as quick and responsive with iOS 7 as it was when it shipped with iOS 4. It doesn’t enable all the fancy features of the new OS. What it is, though, is in line with the performance you would expect from a device that is a little older now. It is definitely acceptable, and probably even good.

This is why I make the purchasing decisions I do. As long as you avoid first generation products(!), you can make an investment in a piece of Apple kit. It is so much more than just a product to shift off the shelf.

On Vine and Third-Party Use of Your Content

Vine logo

None of the commentary with respect to terms of service and legal agreements in this blog post can be taken as legal advice. If in doubt, ask someone who really knows their stuff.

I really like the medium of short, tweetable videos that Vine has made popular. It succeeds where other video-over-Twitter services, such as yfrog’s, failed. Once again, it is actually by imposing limitations that we find a unique way to express creativity.

So, I toyed with the idea of joining Vine, despite it not supporting protected accounts like Twitter does. But being an unusual breed, I felt it necessary to read and at least attempt to understand the Terms of Service.

I didn’t like what I saw. (All emphasis is mine.)

You retain your rights to any Content you submit, post or display on or through the Services. In order to make the Services available to you and other users, Vine needs a license from you. By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).

This is a standard kind of sentence you will see if you read many different ToSes. It is, apparently, the boilerplate for “we need your permission to display the stuff you are posting”. It seems fair enough.

You agree that this license includes the right for Vine to provide, promote, and improve the Services and to make Content submitted to or through the Services available to other companies, organizations or individuals who partner with Vine for the syndication, broadcast, distribution or publication of such Content on other media and services, subject to our terms and conditions for such Content use. Such additional uses by Vine, or other companies, organizations or individuals who partner with Vine, may be made with no compensation paid to you with respect to the Content that you submit, post, transmit or otherwise make available through the Services.

Suddenly, this paragraph changes the tone — from “we’re needing a licence to actually display your stuff at all” to “we’ll reserve the right to exploit any commercial value in your creativity whenever we feel like it”.

It is not just about using your content to further promote Vine, it seems to leave the door open for them to sell your content to anybody at all, subject to some additional terms and conditions I didn’t find.

I am not naïve. I know these services will need to make money eventually, and that a ‘free’ service comes with an exchange of value, even if it is not you paying a monthly fee.

With that said, this is not an acceptable arrangement for me, and I would encourage others to examine the value of the content they expect to submit to Vine in the light of these words.

Contrast Vine’s ToS with similar verbiage in the YouTube ToS:

When you upload or post Content to YouTube, you grant: to YouTube, a worldwide, non-exclusive, royalty-free, transferable licence (with right to sub-licence) to use, reproduce, distribute, prepare derivative works of, display, and perform that Content in connection with the provision of the Service and otherwise in connection with the provision of the Service and YouTube’s business, including without limitation for promoting and redistributing part or all of the Service (and derivative works thereof) in any media formats and through any media channels;

In short, YouTube might use your stuff to further YouTube as a platform, on any medium, but they aren’t going to reserve the right to flog it off to some ‘partner’ who may not be as fair about compensating you. (Also, YouTube’s existing, long-term relationships with their content partners demonstrates, in my view, a much better mutual respect than the implication of Vine’s ToS.)

There is a weird irony here: it is precisely because Google wants to jealously keep you and your content in its ecosystem that it won’t pawn them off to someone else’s ecosystem that might not treat you right.

I’m not saying don’t use Vine. That is your decision, based on what you find an acceptable deal. But don’t be in the dark about the potential implications of these differences in that agreement that, on the surface, might appear subtle, but could be really important.

Today, if you put your stuff on YouTube, and it gets popular, you can join the Partner Program and get compensated for the value in your content. With Vine, however, maybe there would never be an opportunity to see any value from your work. I think they need to answer that question, even if the implementation is not here yet.

Protecting the value of the content you create, whilst always being respectful to your customers, is not just for big media organisations. We are all creators, and we all deserve to have mutually respectful relationships with those who publish our content on our behalf, and those who consume it.

Valuing Corporate Values

Much is said about Google’s “don’t be evil” corporate motto. That is not what this post is about.

This is about corporate values — and a (rather smaller) company I have found myself appreciating because of their words and actions on the subject. This stuff can be easily overlooked when the market demands a rush to the lowest price, but to consumers like myself, it is possibly the most important thing.

This isn’t some murky sponsored post (although I do have an affiliate link at the bottom) — this is all genuine and from the heart.

Cloak

Cloak logo

I found out about Cloak through their co-branding with 1Password, my password manager of choice. They are a VPN service designed to give you a way to encrypt your traffic when you are connected to untrusted networks. Their service is technically brilliant, but what is more important than that is the honesty, openness and realism they have shown so far in their communications.

At first I felt a little apprehensive about their corporate values and how well they were upheld in practice. Their privacy policy was scant in detail — using claims along the lines of “we don’t store any of your data”, but with an exception of data that they’d need “to make sure you’re not sending out spam”.

Well, what does that mean?

Raspberry Pi

Raspberry Pi logo

In other 2012 gadget acquisition news, I got my hands on a Raspberry Pi this year, too.

Raspberry Pi in box

Ordered in the summer, and only delivered last month, due to the high demand, it is something I have not yet had an opportunity to play with as much as I would have liked. The advantage of having to wait that long, however, has been a beefier 512 MB version of the device!

In the spirit of my recent iPad mini post, here are some first thoughts on the device:

  • It is amazing how much you can do on such a tiny and inexpensive device. With the Debian wheezy build that is the Pi’s default operating system, you have access to almost the same rich range of software packages as on any other Debian system. I was able to install Nginx to serve up web pages at rapid speed, and I am quite sure it would be possible to completely replicate Van Patten Media’s Managed Hosting platform, which I have spent much of the year working on, even on such a device!
  • It is unashamedly geeky. This will probably be enough to put off some people who have received a Pi but don’t have the support in place to make the best use of it. It isn’t that difficult to get started, but you do need to be able to get the OS onto an SD card. For me, though, I like the opportunity that gives you.
  • It legitimises the hobbyist again. This pleases me a lot. Many great things were achieved by (originally) hobbyist hackers; re-igniting that spirit has huge potential.

There is some irony in that the Pi is, in a number of ways, the polar opposite of the iPad — it is hobbyist rather than consumerist. The Pi gives you complete control but requires some fiddling, the iPad gives you little control but is so intuitive.

I leave this year much more satisfied about the state of computing because of these two devices.

Why? There is now opportunity for both consumer hardware, and hobbyist hardware, to co-exist and complement each other.