Everything, Everything - December 2015

Saturday 26th December, 2015 12:08
Spotify sounds massively better when I stream using Extreme Quality instead of Automatic. Good job I have unlimited mobile data.
Thursday 24th December, 2015 21:49
Thankfully my hand doesn't hurt too much after getting @GuitarHero Live for my birthday. Played some awesome sets straight away.
Tuesday 22nd December, 2015 21:23
I’m hoping Santa will get me a Jaguar F-TYPE Coupe for Christmas, but he didn’t last year, and I’m starting to think he might not be real!
Atom And Iframes
Wednesday 16th December, 2015 10:34
After embedding the Star Trek Beyond trailer into my website, which also required some adjustment of my recently added Content Security Policy header, I discovered that my Atom feed was no longer valid. I couldn't see anything obvious in the RFC about the iframe tag, but several feed validators insist that iframes are evil.

The iframe tag doesn't support fallback content, but I can replace the iframe with a link to the content. Someone's bound to have done that before, right? And provided some example PHP? Right?

After a bit of searching, I gave up and resorted to writing my own code. I've been a bit lazy as I'm assuming that the value of the src attribute will be surrounded by double quotes and that there aren't any spaces around the equals sign, which it doesn't have to be when writing valid HTML5 code, and that there's a closing iframe tag (which should be the case, as I don't think it's a self-closing element). Anyway, here's my code, including a quick str_replace to replace the embedded version of YouTube videos with the normal web page:
// replace iframe with a link
$text = preg_replace('/<iframe.*?src="(.*?)".*?\<\/iframe>/', '<a href="$1">$1</a>', $text);
// replace YouTube embed links with watch links
$text = str_replace(".youtube.com/embed/", ".youtube.com/watch/", $text);
I'll leave it to someone else to extend this to support single quotes and spaces. Or everyone could write their HTML my way. The right way.
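Added example (not the post's own code): one way to cover the single-quote and whitespace cases left open above is to let PHP's DOM extension parse the markup instead of matching it with a regex. The function name iframes_to_links, the http(s)-only rule and the https: prefix for protocol-relative URLs are assumptions made for this example, and the sample input is constructed.

```php
<?php
// Added example, not the post's code. iframes_to_links() is a hypothetical name.
function iframes_to_links(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // silence parser warnings on HTML5 tags
    // The wrapper div lets us pull the fragment back out; the XML declaration
    // makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // getElementsByTagName() is a live list, so copy it before modifying the tree.
    foreach (iterator_to_array($doc->getElementsByTagName('iframe')) as $iframe) {
        $src = trim($iframe->getAttribute('src'));
        if (strpos($src, '//') === 0) {
            $src = 'https:' . $src; // assumption: protocol-relative means https
        }
        if (preg_match('#^https?://#i', $src)) {
            // Same YouTube embed-to-watch rewrite as the post's str_replace.
            $src  = str_replace('.youtube.com/embed/', '.youtube.com/watch/', $src);
            $link = $doc->createElement('a');
            $link->setAttribute('href', $src);               // DOM escapes the value
            $link->appendChild($doc->createTextNode($src));  // and the link text
            $iframe->parentNode->replaceChild($link, $iframe);
        } else {
            // Assumption: anything that is not http(s) is dropped rather than linked.
            $iframe->parentNode->removeChild($iframe);
        }
    }

    // Serialise only the children of the wrapper div, not the implied html/body.
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: single quotes, spaces around "=", upper-case tag, non-http src.
$text = "<p>Trailer:</p>\n<iframe width='560' src = 'https://www.youtube.com/embed/VIDEO_ID'>\n</iframe>"
      . '<IFRAME SRC="about:blank"></IFRAME>';
echo iframes_to_links($text), "\n";
```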
Tuesday 15th December, 2015 20:27
How to break View Source in Edge: configure the HTML editor in IE. What? https://t.co/9rcd4rja55
Star Trek Beyond
Tuesday 15th December, 2015 17:21
I used to love Star Trek. I would watch episodes of The Next Generation on the BBC before going swimming, before Sky bought the rights, and then I watched TNG, DS9 (possibly my favourite Star Trek series) and Voyager on Sky One (which wasn't particularly easy while I was at university).

I even tried to like Enterprise, but it was around that time that I much preferred watching a mysterious and exciting new TV show by JJ Abrams called Alias. I also got excited about Lost (although in hindsight I wish I hadn't, I think I will always feel bitter about the ending). Even What About Brian and Six Degrees were pretty good (even though they were cancelled).

I enjoyed watching The Fast and The Furious, which I watched with friends from university when we met up one summer in Aylesbury. It probably helped that we'd been drinking, but it became a guilty pleasure watching the rest of the movies. Justin Lin took the helm with the relatively low budget The Fast and the Furious: Tokyo Drift, which essentially lacked the original cast (Vin Diesel has a brief cameo role), and made just enough money to keep the franchise going. He'd go on to direct the next three movies, before handing over the reins for Furious Seven.

I wasn't entirely happy that Star Trek was rebooted, as I loved the attention to detail everyone (and I mean everyone, even the lawyers would pick up trivial things when reviewing the scripts) gave to ensure chronology and consistency in the Star Trek universe. However, it allowed JJ Abrams to do what he wanted with The Original Series cast without having to be heavily constrained by everything that has already happened in the future. I was sort of fine with that... until he started rehashing the original movies. Seriously, you can do whatever you want, so you steal and copy things? I appreciate some of the scenes are a nod to the original fans, but I would have much preferred new storylines and adventures.

The new Star Trek movie could be exactly that. It could be the perfect blend of action from Justin Lin and intrigue from JJ Abrams, with the chance to see Kirk and the others resolve a storyline that hopefully doesn't revolve around Spock's Brain.

Here's the trailer:

Something tells me that Star Trek Beyond is going to be fun to watch, but ultimately not a proper Star Trek movie.
Tuesday 15th December, 2015 14:45
Coincidentally, I saw mod_status on a production server during my last pentest, after not seeing it in years. https://t.co/uiDAF4r9iy
Monday 14th December, 2015 16:13
Very exhaustive page covering Mimikatz. I like using Mimirobz (although dumping LSASS process is usually safer). https://t.co/qqPFmqN3Hv
Monday 14th December, 2015 14:38
Should I upgrade to PHP 7?
Sunday 13th December, 2015 12:44
Looks like Arsenal aren't taking any chances against the team at the bottom of the table. Strong starting lineup! https://t.co/Li17Z0galk
Friday 11th December, 2015 22:14
After watching Have I Got News For You, I now have @taylorswift13 stuck in my head. #shakeitoff https://t.co/cW30rjsQEI
Wednesday 9th December, 2015 21:09
Also, that Microsoft DNS Server vulnerability sounds nasty. *double checks my servers are definitely patched*
Wednesday 9th December, 2015 21:08
Giroud scores his first ever hat trick and should have ensured Arsenal progress tonight. What a game.
Saturday 5th December, 2015 13:29
How unlucky that Arnautovic hit the post! Either Stoke are playing well or Man City are really bad today (probably the latter).
Microsoft User Interfaces
Friday 4th December, 2015 16:31
Microsoft spent a lot of time and effort improving their user interfaces, even when it appeared to be a backwards step. No, I'm not talking about the new Start Menu and missing button that was introduced in Windows 8, that was clearly a backwards step. I'm talking many years ago when Microsoft improved the Start Menu with Vista and Windows 7. I'm talking about the Ribbon menu introduced with Office 2007, which took me 3 frustrating months to learn to love. But in recent times their UI is really pushing people to upgrade to the latest versions. For example, starting OneNote 2010 will produce this lovely dialogue box:

[Image: OneNote Free Upgrade]

Your only option is to "Upgrade Now", although you can close this using the X in the corner. There's no "Upgrade Later" option.

You get something similar with Windows 10. On a Windows 8.1 host you initially got the little icon in the bottom right corner. Then it started to pop up a little box in the corner. More recently it brings up a big window that doesn't give you particularly great options, such as "No thanks, I don't want it".

[Image: Upgrade to Windows 10]

From what I've heard on Twitter, if you accidentally select to install your free upgrade to Windows 10 there is no going back!

I appreciate Microsoft are trying to move people onto the latest and greatest (although I'm not convinced the latest OneNote and Windows are their best for all users; although the latest IE is pretty good), but they could be a little less aggressive about it.
Nexus 5X Chrome Performance
Friday 4th December, 2015 11:48
I've had my Nexus 5X for over a month and it's a nice phone. It's definitely the spiritual successor to the Nexus 5 from a couple years ago, a reasonable size with a reasonable specification and reasonable price. I also like Marshmallow, and I'm quite happy with the general performance and battery life on the Nexus 5X (after having run all the M previews on my old Nexus 5, it doesn't seem any worse on the 5X). Despite the encryption, which is on by default, it seems to cope okay. This is possibly due to using an ARMv8 chip that accelerates AES and SHA.

However there appears to be one pretty big problem: the phone only comes with 2GB of RAM. For the most part this is okay, but there appears to be one application that needs far more than 2GB. An application I use on a daily basis. One that Google has created, which I imagine many Nexus 5X users will be using. It's Chrome Dev.

[Image: Chrome Dev uses 3GB]

As you can probably tell from the screenshot above, in the last day Chrome Dev has needed 3GB of RAM at some point. The phone only has 2GB, and it probably needs to use some RAM for the operating system. I presume this means about half of Chrome Dev's RAM is paged to the filesystem, which uses relatively slow chips plus there's the overhead of encryption (about a 30% hit, I think?). I suspect this explains why Chrome will sometimes grind to a halt, causing the phone to lag really badly. So badly that it doesn't even recognise some interrupts.

Time to look into chrome://flags to see if there are any settings I can change to reduce RAM usage. If I can limit Chrome Dev to 1.5GB instead of letting it eat 3GB then perhaps I'll avoid some of the performance issues I'm seeing. Fingers crossed. Or I could go back to Chrome, which appears to be a 32-bit application and hopefully doesn't have any major bugs or regressions.
Is It Safe?
Thursday 3rd December, 2015 12:01
I was pointed in the direction of an audit of major UK ISPs. It's not particularly scientific, it presents a load of facts with colours followed by summaries of the companies.

My initial questions are around things like what exactly does StartTLS mean? They've broken down SSL/TLS for each service, such as POP3, IMAP, SMTP, but then followed that with a rather generic single line of StartTLS, which could be implemented for all of the above mail services. Why not split them into separate lines? Are we making PlusNet, for example, look bad because they don't support SSL/TLS with their mail services, but perhaps they support the StartTLS extension for all 3? Without the breakdown, does "Yes" mean they support it for all email services or "at least one"?

In terms of passwords, Virgin are made to look particularly bad because they don't allow special characters, but really people should care about length more than complexity (P@55w0rd can be cracked in about 1/1000th of the time it takes to crack longeralphapassword, and I know which one will be easier to remember). There should be a much greater emphasis on the minimum (and maximum) password length, or ideally the amount of entropy, or number of attempts to correctly crack the password. Virgin could have gotten away with restricting the password complexity if they allowed really long passwords. Sadly they don't.

EE has a ridiculously low 6 character minimum, and doesn't support many characters (a-z, A-Z, 0-9 and an underscore), but at least allows up to 16 characters, which saves them slightly (about a hundred billion centuries to crack strong passwords offline, and much slower for an online attack); Virgin has a similarly restrictive set and a pretty rubbish maximum length of 10 characters, which is terrible. With Virgin's more restrictive policy, you're looking at around 3 hundred thousand centuries to crack it online (assuming they don't spot the repeated attempts over the centuries), which sounds reasonable, but an offline crack might only take someone around 3 months. Oh dear.

The strongest password you can set is with BT, which would apparently take so long to crack online that you start with the phrase "hundred trillion", add the word "trillion" several times, then finish with the word "centuries". Even if an offline attack occurs, because someone managed to get the hashes, you're still talking trillions and trillions of centuries. You'll be long dead by then. Probably.

Unfortunately, most people won't go with a 50 character password using the full password complexity. I imagine Autumn2015 or Winter2015 would be pretty decent guesses right now for a significant percentage of customers for all of the ISPs listed.
Google Calendar (Hope For The Best)
Tuesday 1st December, 2015 17:27
For some reason IE was behaving a little strangely over a VPN connection with auto detect proxy settings, causing my own site to be displayed using an older document mode, and making Google Calendar display the following alert:

[Image: Hope for the best]

At least they gave me the option of clicking cancel and hoping for the best. It seemed to work fine, and I was able to edit the entry I wanted to update. Everything's fine now I'm off the VPN too.
© Robert Nicholls 2002-2021
The views and opinions expressed on this site do not represent the views of my employer.