Sunday, April 13, 2014

Another machine migrated to Linux

Last year someone threw out an old Toshiba Tecra laptop that was still in working order.  It was a very old machine: it had a 37 GB hard drive, 256 MB of memory, one USB port and no wireless networking.  I checked out the machine and could not see any personal information on it.  If there was anything there I would have wiped the files.  For a while I used that laptop as an emergency machine, or, if one of Emily's friends visiting needed a machine, it was there for them.  This machine was running XP and it ran very slowly, but it ran.  Since XP is no longer supported I wanted something running on the machine that is a bit more secure but light on what it needs for hardware.  I found a lot of candidates when I searched DistroWatch.  I found one called Netbook that appeared to fit the bill, so I downloaded a copy and burned it to a CD.  I had to burn a CD as the Toshiba machine would not boot from a USB stick.

I rebooted the laptop with Netbook and it didn't take very long to launch and bring up a working system.  I clicked on the network and it auto-detected the USB network card and it was working!  It was moderately responsive running from the CD and I figured it was safe to install.  I followed the steps and I thought I had a working system.  I did a restart, but the machine wouldn't boot.  I went back and read that I had to set up GRUB, and once I followed the menu options from the Netbook CD I had a working machine.  The next reboot worked and I was up and running.  The basic system is working and we now have a spare machine that can connect to our network.  Firefox runs well and takes maybe 5 seconds to launch on the machine.  I will be dropping off the machine in our daughter's office that we set up in the basement for her, and she has a nice low-end machine for her friends to use when they visit and don't have a laptop.

If you have an old low-end machine that still works I would recommend checking out what DistroWatch has available for Linux distributions and trying them out from CD/USB on the machine.  You can then get a bit more life out of the machine and have a secure system running.  The only downside is that Java isn't installed by default and I haven't tried to do an install for Java, but there is only one site (Runescape) that I was interested in testing it on, and I know the system wouldn't be able to run it at an acceptable frame rate.

Friday, April 11, 2014

Heartbleed from my perspective

For the record, I am not a security expert.  However, I have been working as a professional for over 32 years in the I.T. industry so I believe I can make comments on a number of items about Heartbleed.

Please try to remember that the internet was not designed to be secure.  It was originally designed for universities to communicate and they trusted everyone on the network.  Over the years bits and pieces were bolted on to help with security as the internet grew and was opened up to more and more businesses/people.

A bit of background about myself:

  1. I have a diploma in Business Administration, Programming major.
  2. I can work in Assembler (PC and mainframe versions), APL, AWK, Bash, Basic, C, COBOL, Pascal, PL/1, and REXX at various levels of expertise.  (There are others that I have used, but I have minimal knowledge of those languages.)
  3. Over 32 years I have worked on dozens of software projects large and small.  I performed a number of roles during this time such as developer, tester, business analyst, support and team lead.
  4. Where I am currently working my role is interface expert for systems requiring access to that system.  At this time the client is moving from FTP to SFTP and as a result I have obtained a working knowledge of SSH, SSL, certificates and private/public keys.
  5. I can work with CP/M, DOS, Windows, Z/OS (AKA TSO), V/VSE, UNIX and Linux.

First thing, don't panic!

Second thing: don't change all of your passwords until the sites have updated their SSL and received new certificates.  Changing them right now probably will not protect you if the site has been compromised.  When the site asks you to change, or when they fix the site, then change it ASAP!  Pick a moderately long password that is not easily guessed (no kids'/pets'/wife's names or birth dates).  I usually pick two or more unrelated words and string them together with numbers to make it harder to guess.  One other important thing is never use the same password for different sites!  If you do get hacked, don't make it easy for them by using one password for everything.  You also should change passwords on a regular basis.

I was reading the news and some of the politicians here in Canada blame the government service cuts for this problem.  In my less than humble opinion this is complete utter BULLSHIT!  This problem has nothing to do with the government in any way; this is a very short code change in one OpenSSL module by a person several years ago, and it passed a review before being deployed.  When I looked at the code fragment identified I didn't see any problem with it other than why do it just for performance reasons?  OpenSSL is something that is usually bundled with the operating system, or if not, offered as an add-on for secure communications.  There was no reason to check this and no way to know there was a hole.  The blame is just cheap political theater and does not do anything to help fix the issue.

To those who are saying "why publish it, you are creating panic and letting hackers know about the hole?", all I can say is:
  1. True hackers (not script kiddies) probably knew about this and were making use of the hole.  Until recently there was no way the sites would be able to detect use of the hole and log the attempts to compromise the security of the system.  There are now signatures to help an IDS identify possible hackers using the hole.
  2. Various experts wanted to inform the general public about the issue and what they need to do, when to do it and how to do it.  The researchers who found this hole assumed hackers already knew about it!
  3. Alert site owners who are using SSL to look at their operations to see if they are impacted and to determine their next steps to fix their systems if they are vulnerable.
  4. If the site was compromised then the safest thing is to assume that all encrypted communications can be read until they fix the site, revoke their old certificates and publish new certificates.  If you are aware the site has been compromised you can make informed decisions as to whether you want to communicate with that site before a fix is in place.

I have seen others asking why some sites (like some banks) say they are OK.  We will need to trust those sites on that, but the likely reason is that they are not running the impacted OpenSSL module.  It would help if they could give a high-level reason why they are not impacted.
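To make the "very short code change" and the "signatures to help IDS" points concrete, here is an added example that is not code from the original post and not OpenSSL's own code or record layout.  It uses a constructed, heartbeat-style echo record (type byte, two-byte claimed payload length, payload) and shows the unchecked handler copying past the real payload into neighbouring memory, the hardened handler rejecting the same request, and the single consistency check (claimed length must fit in the bytes that actually arrived) that both the fix and a detection rule rely on.  The secret string and the arena layout are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heartbeat-style record (constructed for this example, not OpenSSL's
 * own layout): 1 byte type, 2-byte big-endian claimed payload length, then
 * the payload bytes. */
enum { HB_HEADER_LEN = 3, HB_REQUEST = 1 };

static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Consistency check: the claimed payload length must fit inside the bytes
 * that actually arrived.  Returns 1 and sets *payload/*len on success, 0
 * otherwise.  The same condition is what a detection rule looks for. */
int hb_parse(const uint8_t *rec, size_t rec_len, const uint8_t **payload, size_t *len) {
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST) return 0;
    size_t claimed = hb_claimed_len(rec);
    if (claimed > rec_len - HB_HEADER_LEN) return 0;   /* peer claimed more than it sent */
    *payload = rec + HB_HEADER_LEN;
    *len = claimed;
    return 1;
}

/* Vulnerable echo: trusts the claimed length and copies that many bytes
 * starting at the payload, reading past the real record if the peer lied.
 * Returns the number of bytes copied into out. */
size_t hb_echo_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    size_t claimed = hb_claimed_len(rec);
    if (claimed > out_cap) claimed = out_cap;   /* guards out, not the source read */
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Hardened echo: drops the record unless hb_parse accepts it. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    const uint8_t *payload;
    size_t len;
    if (!hb_parse(rec, rec_len, &payload, &len) || len > out_cap) return 0;
    memcpy(out, payload, len);
    return len;
}

/* Simulated process memory: a 7-byte request ("ping", 4 real payload bytes)
 * followed immediately by 16 constructed bytes the peer was never meant to
 * see.  One flat array keeps the demonstration inside allocated memory. */
#define REAL_PAYLOAD 4
#define SECRET_LEN   16
#define ARENA_LEN    (HB_HEADER_LEN + REAL_PAYLOAD + SECRET_LEN)

static void build_memory(uint8_t *mem, unsigned claimed) {
    /* Clamp so the unchecked copy never leaves the arena in this demo. */
    if (claimed > REAL_PAYLOAD + SECRET_LEN) claimed = REAL_PAYLOAD + SECRET_LEN;
    const uint8_t req[HB_HEADER_LEN + REAL_PAYLOAD] =
        { HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)claimed, 'p', 'i', 'n', 'g' };
    memcpy(mem, req, sizeof req);
    memcpy(mem + sizeof req, "SESSION-COOKIE-1", SECRET_LEN);   /* constructed secret */
}

/* Bytes of the neighbouring secret that the unchecked handler hands back
 * when the request claims `claimed` payload bytes. */
size_t leaked_bytes_unchecked(unsigned claimed) {
    uint8_t mem[ARENA_LEN];
    uint8_t out[64];
    build_memory(mem, claimed);
    size_t n = hb_echo_unchecked(mem, out, sizeof out);
    return n > REAL_PAYLOAD ? n - REAL_PAYLOAD : 0;
}

/* Bytes returned by the hardened handler for the same request; 0 means the
 * record was rejected. */
size_t echoed_bytes_checked(unsigned claimed) {
    uint8_t mem[ARENA_LEN];
    uint8_t out[64];
    build_memory(mem, claimed);
    return hb_echo_checked(mem, HB_HEADER_LEN + REAL_PAYLOAD, out, sizeof out);
}

int main(void) {
    printf("honest request (claims 4): unchecked leaks %zu bytes, checked echoes %zu\n",
           leaked_bytes_unchecked(4), echoed_bytes_checked(4));
    printf("lying request (claims 20): unchecked leaks %zu bytes, checked echoes %zu\n",
           leaked_bytes_unchecked(20), echoed_bytes_checked(20));
    return 0;
}
```

The whole difference between the two handlers is the one comparison in hb_parse; the unchecked version's clamp only protects its own output buffer, which is exactly the kind of check that looks adequate in review.  An intrusion detection signature can apply the same comparison on the wire, flagging a request whose claimed length exceeds the length of the record that carried it.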

Lessons learned:

  1. For businesses, you may want to review your BR/DR (Business Recovery / Disaster Recovery) plans to see if this type of problem is identified.  If not, then take the time to review the documents and insert what steps should be followed if there is a suspected breach in your network.
  2. Software code reviews are a great way to identify potential problems before code is released.  The reviews may not catch all bugs, but they help confirm that good coding practices are followed at a minimum.
  3. Security should be considered at the start of any code change.  It does add extra work and cost, but it is easier to fix a bug before it gets out the door.  A process and a set of test rules may also be a good way to check for specific errors.  There are packages out there that could be useful to the developers if management is willing to invest a wee bit of money.
  4. Never let marketing dictate the timeline of a project, or how the software is developed/tested.
  5. Default settings for software should tend toward the paranoid and lock things down.  Explain each setting and the possible holes it may open up if it is changed.
  6. Never have a default password; on install, ask the end user what their password will be.
  7. For users, never re-use your password!

Other thoughts:

Can this happen in the future?  Optimistic me says no; realistically speaking it just may happen again.  Try to remember that a lot of open software is written by people who do this for the love of programming and don't get paid full time to do it, and many do it without getting paid anything.  Many of the tools you are using are written by these people and the result is the wonderful, rich online environment we have today.  The downside is they don't get a lot of money to pay people to do full-time work where they can check for holes, review code checked in and improve the infrastructure we call the internet.

For those who say proprietary is better because the developers get paid, my response is that you don't know what the proprietary code does, as we cannot review their work.  With open software we can review the code itself and in many cases make changes ourselves and compile those changes if we have a special case; you can't do that with proprietary code.

What can we do?  Well, pulling out your wallet and giving a wee bit to the developers of the free software you are using would be a start.  Hopefully politicians and businesses see the benefit of funding a core set of people to work full time reviewing the core of the internet and making improvements, as we are now dependent on the net for more and more of our daily lives.

Sunday, October 06, 2013

Be wary of going with Bell Canada Fibe TV & Internet.

This is a summary of the issues I had trying to get Fibe TV and an internet upgrade from Bell Canada.  Basically, if Bell doesn't have any issues with the telephone line you may be lucky and get the service installed.  If you have issues, be prepared for a lot of calls to 310-Bell and getting passed around to dozens of people (at least it was that for me) over weeks trying to get it scheduled for installation.  This was a highly frustrating experience for me in that Bell tried multiple times to blame things that turned out not to be true, and the issues were all on their end of things: the wiring issues were all in Bell-owned locations and not on the customer's side.


9/12 ~ 14:30 - main line dead.  I made multiple calls to Bell, line is dead at demarc point.

Email says 9/13 install, Bell says it was 9/12 and they cannot find the order easily.

9/13 - 06:00 - no line 1 and now no DSL.  At 08:00 - called 1-866-797-8686 and they couldn't find the order, transferred over to Bell tech.  They cannot install Fibe until the main line is active, and records show 7070 as the DSL line and not 5053.  DSL has been on 5053 since we got DSL.  Tech supposed to visit 9/14 in the afternoon to see what the problem is.  This is a royal pain as we have no main line and no internet.  If work calls about NIBS and doing support I don't have internet access!  Ref # xxxxxxxxx.

9/14 - 15:30 - Called 310-BELL and it claims a technician tested the line and it is working.  THE LINE IS STILL DEAD and no technician stopped by to check the demarc jack.  Called Bell and the 'earliest' they can be in is Monday morning.  New ticket is xxxxxxx.  Tried to escalate, but no luck yet.  Called Bell Retention 1-866-669-3995 and explained the situation.  There are only three major telcos and they really think that they can do anything to their customers; I hope we soon get a fourth that will kick their fucking asses to hell and back.  They tried to call the number, no answer.  He did note that there seems to be an issue with the line, but couldn't determine what from his end reading the various notes.

16:45 - reference number xxxxxxxx

Talking to supervisor 'BEN' to see if they can prioritize work for Sunday and not Monday.  There should be someone on Sunday morning; Ben promised to call back and check on status.

9/15 @09:15 - Telephone and internet back up!

9/16 - I tried to reschedule an installation and they promised me a Friday date.  Not even one hour after I rescheduled our Fibe TV installation, Bell called us and told us that they cannot install on Friday.  The earliest would be Saturday, if not Sunday.  Jane went nuclear and I don't blame her, as I am still royally pissed after what they did to us on the weekend.  What is their problem in trying to schedule an install?  If the system showed Friday open then honour that and stop delaying our order.  If that is how they treat customers then they won't have us as a customer.  We will be checking out Rogers for cable; at least we know they keep their commitments for installations and service.  This was the final straw after Bell fucked us over by deleting our main line and internet for 4 days, and they would have put it to 5-6 (or longer) if I hadn't pointed out that an outage of more than a day is not acceptable.

Frankly, if they are so short-staffed they should be hiring people to handle the demand rather than calling everyone back and saying their order will be delayed.  I guess the almighty dollar for senior execs is what they worship, and the fact that there are only three major players means that they can try to fuck over the customer as they don't have any serious competition willing to treat the customers properly.

Next up, I have to find that number for customer relations and let them know what happened and that they lost a customer for Fibe TV and I am going back to Rogers.  Also, I will be killing the second line I have and going to a basic phone service.  Why should I give Bell my hard-earned money if they act like this to me?  Our cell has been cancelled and they won't be getting my business back there.

As I started vacation on 09/30 I figured it was one more try for the Bell Fibe TV installation.  On 9/26 I went to a different Bell location this time, and the person there reviewed what we tried to get the last time and did a new order.  We are also getting a minor break on the high-speed cost too!  They will be calling us to confirm the time on Wednesday.  I hope this time goes a lot better than the last time and they don't disconnect the phone and internet!


Here is the last part of my issues with Bell and their attempts to get Fibe TV and internet upgraded.

Summary: they failed, and it was such a total mess that it forced me to go to Rogers for cable TV and internet.  From September 12 to October 4 I talked to over two dozen Bell people who couldn't do anything, and at times they blamed inside wiring or how the phone was wired, and told me to wait until the upgrade for the internet service which I am paying for.  I had no phone service for a total of four days and no internet service for a total of eight.

Here is the high-level timeline for the straw that broke the camel's back:

2013/10/02 - Bell finally arrived after 18:00.  Cannot do install as the intercom system will kill the signal.  No Fibe TV or internet.  Bell needs access to the "I/T" room and since it is locked they cannot do anything (why don't they have a key to that room?).  One possible reason is that I have a 2nd line.  When Bell comes in next he/she has to swap the intercom to use line 2.  The DSL was dropped, but the tech restored the DSL until the next install.  I now need to contact Minto and see if someone can be there (probably Friday morning) to unlock the room, or have the key ready for the tech.  The Bell tech support person was supposed to call back, but didn't.  I had to call to verify the install is Friday.  He didn't have an answer and promised to call back on Thursday morning.  21:45 - DSL dropped.  I called 310-Bell and 310-Surf continuously trying every option, but the system would not connect me to any live person as it is after hours.  They suggested I use the web, but that is a bit difficult as I don't have DSL.  At 22:15 calling Bell (I dialed zero and pressed a lot of keys) and finally got a person.  He promised to call back in a few minutes after doing some line tests.  Needless to say he didn't call me back.


2013/10/03 - I called 310-Bell at 08:00.  Person confirmed Friday AM (08:00 to 12:00).  Transferred to tech support and they are trying to determine the issue.  At 08:35 - Person on phone said there is nothing he can do, I must wait until Friday.  I asked him to transfer me to his supervisor.  Supervisor is on and looking at the notes.  He is calling Fibe TV to see what can be done (08:50) and will call back in 10-15 minutes.  At 09:30 I called the customer service number.  Francisco tried to help, then Remi (supervisor) came on.  The problem is the install wasn't done, but billing showed active, so DSL is offline and there is nothing they can do.  Earliest we can get access is Friday, which is the Fibe date.  I told him to cancel Fibe TV and the internet upgrade and I will be calling Rogers for cable and internet.  Reference number for the cancel is xxxxxxx.

2013/10/04 - I called 310-Bell @12:30.  NO DSL still, and it is supposed to be up!  She couldn't do anything and said the whole DSL line was removed, but she wanted to check with the tech.  Since that takes time I told her to stop, I will be doing a full cancel on Monday.  Upshot is that Bell was getting about $250 a month from me for 2 phones, internet and cell.  After I finish they will be lucky to be getting $50 a month.  I called Rogers and they guaranteed to be there Saturday 12:00-14:00 so I set up the appointment to install cable and internet.

2013/10/05 - Rogers called at 13:00 to say they would be there at 13:30.  Tech arrived a few minutes early.  He did need access to the equipment room, but he got the key and continued the install.  It took him about 15 minutes to finish and then step me through the basics.  Internet was quick and easy, and within 2 minutes we had the network back up and running, even using the old SSID to minimize my work.


Things for Bell to consider:

  • When you promise to call back and promise a time, then call the customer back.  For the most part I got promises and no call-backs.  I had to chase Bell to find out what was going on.
  • One point of contact for the client.  Over the three weeks I was passed from one person to another and I had to keep updating them on the issues and what was done so far.  They need to have one rep 'own' the issue and that rep should be going to the various sections to get the information.  During the whole period there were no follow-up calls to see if the issue was resolved.
  • If the person lives in a multi-unit dwelling then they should be told that access to the equipment room may be required.  In many places Bell and others do have a key to get there, but sometimes they have to contact the landlord to make arrangements for having the room opened, and the client should be made aware of this from the start.
  • Move the call centres out of India, or have support people who can communicate clearly with the client when they call.  I have worked many years with tech support in India and I don't have a problem with the accents, but the people Bell hired have accents so thick and they talk so fast I cannot understand most of what they say.  When I called Rogers the people there talked clearly and I could understand one hundred percent of what they were telling me.
  • Make 310-BELL and 310-SURF a 24-7 operation.  A number of times I called after 'business hours' and I went through every option trying to get a real person on the line to see what the problem is.  The system actually told me the hours of work, then it hung up and didn't give any option to contact a live person.  Many people work during the 21:00-08:00 hours Monday to Friday, and they also work on the weekends outside of the operation hours too.  It is not acceptable that I had to wait up to ten hours before I could talk to someone to find out what the problem is.

Update 10/08:

Bell has the feel of Nortel and Blackberry when they were at the top and were arrogant and believed they could do no wrong.

Update 2014-01-25:
I waited until now to see if they would do anything, but nothing, so I am publishing this!