Hosted Exchange – Auto-forwarding to external domains

A Very Sensible policy, enforced by default in Exchange Server, is to ignore rules that automatically forward mail to external domains.

It’s fairly easy to see why this is, in fact, Very Sensible:
Your organisation assigned email addresses to people who have agreed to be bound by its policies (right?) – allowing auto-forwarding to any address outside that domain risks you being responsible for a breach of confidence.

I’m all for having the “secure” option be the default and for discouraging or preventing users from breaking that security in the name of convenience.

But there are times when other, less sensible policies are in place, and I feel users should have recourse to workarounds. One such policy might be (for example) having an email quota set to (purely hypothetically) 100MB.

This is ample space for email in 1997. This is hilariously limited space in 2016.

Android – Location Based Reminders

Just a quick one:

I’ve had issues with Google Now’s reminders since I first owned a Nexus 4 (a few years back) and the issue persists with my Nexus 5X. The trouble is in having reminders trigger at a particular location, rather than a particular time.

For example, if I know I need to pick something up next time I visit my in-laws, but don’t know when I’ll next be at their house, I can set a reminder and select “place” instead of time. In theory, entering their address is all that is needed to make it work.

[Image: Google Now location reminder] This image was stolen wholesale from this article: http://www.makeuseof.com/tag/8-amazing-life-improving-uses-google-now-reminders/

In practice… nothing. Just… nothing.

Stay Classy, Cert Companies

Let’s Encrypt has been a welcome addition to the security landscape – if only because it’s nice to do business with someone who actually gives a damn.

The trouble with HTTPS has always been more of a “business model” thing than a technical thing – anyone can set up strong encryption on their server and send/receive encrypted traffic to their users, but the initial connection needs to also confirm to the user that the site is who it says it is, and therein lies the rub.

The solution for the past 2 decades or so has been to have big corporations (called certificate authorities) who are trusted by browsers (the software, not the people) issue the certificates and keys needed for encryption. When a browser connects, it can identify whether or not one of the certificate authorities vouches for your website. If it does, the browser knows to trust that it is, indeed, connecting to the correct site.

This is a crucial step, as otherwise another site posing as, say, jonathan.ihle.in might manage to trick a browser into connecting to it. The connection itself would be perfectly encrypted, but the encryption would be for nought – as the user would be sending all their private data to the wrong party.

The problem with this arrangement is twofold – it forces site operators to decide whether or not a site is worth spending money to encrypt, and it puts the issuing of certificates and keys into the hands of for-profit organisations who have varying demands for determining site identification. The end result: many sites remain without encryption.

Let’s Encrypt was created to resolve this specific issue.

Looking for a Copy replacement: pCloud

As of this month (May, 2016), Copy is no more.
(I’m sure one day soon that link will be a dead end or be sold to someone not relevant)

Copy was a cloud storage service much like Dropbox or Google Drive – you had an amount of storage space to fill up with your junk, a web interface to access it, some local applications for your computers and mobile devices, and it handled synchronisation.

[Image: “There is no cloud” sticker, from Chris Watterston]

Let’s Encrypt – Mysterious Authority Issues

Lately, new sites I’ve created using my ISPConfig automation and letsencrypt.sh have been received inconsistently on various browsers – the issue appears to be particularly prevalent on OSX.

Doing some digging revealed a possible incomplete chain issue to be the cause.

Sure enough, modifying my Apache conf to incorporate a direct link to the intermediate chain fixed the issue.

My LE-ISPConfig Apache conf now looks like this:

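# Serve ACME HTTP-01 challenge files from a shared directory
Alias "/.well-known/acme-challenge/" "/var/le-ispconfig/"
<Directory "/var/le-ispconfig">
  Require all granted
</Directory>
<IfModule mod_headers.c>
  # LocationMatch takes a regex, so anchor it and escape the dot
  <LocationMatch "^/\.well-known/acme-challenge/">
    Header set Content-Type "text/plain"
  </LocationMatch>
</IfModule>
# Send the intermediate chain along with the site certificate
SSLCertificateChainFile /path/to/intermediate/chain.pem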

That little line at the bottom was what made the difference; chain.pem (a symlink to my primary domain’s intermediate cert chain) will be updated as and when keys and site certs are updated via cron.

The backdoor in the iPhone *is* Apple

So recently, the FBI has obtained an order to have an iPhone compromised for an investigation.

The issue is thus:

  1. The iPhone is locked with a 4 digit passcode and the FBI doesn’t know what that passcode is.
  2. The iPhone’s data is encrypted – so they can’t just yank out the flash memory and attempt to read the contents. The passcode is required, through the operating system on the iPhone, to decrypt that data.
  3. Because 4 digit codes aren’t really very secure (only 10,000 possible combinations), iOS will gradually force longer and longer delays between failed attempts to unlock the phone. (Edit: As Kieran points out below, codes in recent versions of iOS allow up to 6 digits, or 100,000 combinations)
  4. As an added layer of security, a user can set their iPhone to wipe its data after 10 consecutive failed attempts.

 

The FBI wants the data on that phone. But the process of brute forcing an unlock might wipe that data out and even if not, will still take a long time with the lockout delays and manual passcode entry. So a US federal magistrate has ordered Apple to do whatever is necessary to work around these safeguards so the FBI can access the data quickly and safely.

Apple is refusing.

They’re refusing on the grounds that (among other things) this will create a “backdoor” that will compromise all iPhones ever.

This is not true. iPhones are already all compromised. The backdoor is Apple.

Teachers as Practitioners

Should high school teachers be practitioners of the subjects they teach?

It can be a compelling argument – certainly, some graduate art teachers have described to me a requirement to exhibit their work regularly to maintain their qualification and at first blush that seems reasonable (to a non-art teacher).

After all, how can you expect a specialist art teacher to provide the best education in art if they aren’t “an artist” (questions about what constitutes a “professional artist” aside)?

[Image: “One Art, Please!”] Art’s value has plummeted with one standard US folio fetching only 15.64 USD

ECU Assignment Stapler

A working copy of the stapler can be found here.

Why does this thing exist?

When you submit assignments, you should submit them in PDF, not Word format.

There are a few reasons why, but the main two are as follows:

  1. You can be more sure that your tutor or lecturer will see the same thing you submitted
    Word documents can display differently depending on the version or device used.
    This is far less of an issue with PDF.
  2. You can’t accidentally munge your keyboard and change the final document.
    Probably not normally a consideration, but after 9 hours staring at papers on the significance of First Name Consonant Frequency in Childhood Misbehaviour*, you can easily make silly mistakes and be completely unaware that you just moved a crucial paragraph and are now submitting the antithesis of your intended argument.
(*Not a paper, but totally should be)


Milktape – brief excitement, abiding disappointment

[Image: Milktape - don't bother.] Pointlessness.

About 15 years ago (whoa!), I was researching which MP3 player to sink my limited funds into.

I did not want an iPod, a position that I continue to hold to this day – the veneer is nice, but the premium you pay for an inferior experience (particularly on the library management end) wasn’t worth it for me.

One of the options way out of my range was a little number called the “Rome MP3” – it managed to straddle both ends of the technological spectrum by simultaneously being a solid state MP3 player and a playable cassette. I’ll let that sink in.

[Image: Rome MP3 player] Check that puppy out.

XenServer 6.2 -> 6.5

In preparation for the upgrade from XS6.2 to 6.5 at my day job, I’m removing the XenTools drivers/software from our VMs (apparently old versions of the tools can cause booting issues for Windows VMs at the very least).

Something I hadn’t realised – removing the XenTools suite will cause Windows to lose its network drivers and revert to network defaults (which I guess should have been obvious? Not sure.).

Network defaults being DHCP for IP address, meaning our VM server just got assigned a client IP and for all intents and purposes couldn’t be found by the client software on our actual client machines.

Not a big deal or a hard fix in the end (VM reboot -> manually assign IPs again), but a reminder to self that this whole upgrade process will be painful in both expected and unexpected ways.

Update:

The actual upgrade went well. Larger orgs usually have a physical server pool and upgrade using something called “rolling pool upgrades”.

We don’t have this, we’re poor. As a result, we have one main server with heaps of RAM and a second, backup server with enough resources to run essential VMs.

In the event of disaster, we can recover a VM image to the backup and pick up where we left off until a replacement main server is arranged.

So no rolling upgrades for us – instead I just prepped the VM images (as above) and then upgraded the backup server first to verify everything would be running okay. (In case you’re wondering, that involves rebooting the physical server and running the installer from the ISO – either a USB or CD, of all things – and just selecting “upgrade” rather than “install and destroy all my stuff forever”.)

Once we were sure the backup could run our images on 6.5, we then processed the main server.

The whole process was significantly faster than the preparation, and there were no issues. Very impressed.

6.5 doesn’t do a heck of a lot for us overtly (although I’m quietly upgrading our Ubuntu VMs to 14.04), but there are a slew of improvements and I’m not sure whether it’s a coincidence or not, but our SVN/Dev/Local DB server is no longer having weird reboot issues.

Hooray for progress!