Presumptuous Browsers

It’s a bit of a mixed blessing, but it can be a tad irritating when a company decides what’s best for me without my consultation.  To some extent, we opt in, either through conscious choice or implied by purchases; and in so doing, we are putting our trust in the companies we choose.  But there’s a fine line and it’s easy to cross.

For example, given the ongoing drama surrounding internet encryption standards and certificates, a certain trend has developed in which browser vendors have leaned towards becoming a tad…snarky with their judgments.  For example:

This connection most certainly is secure, to which the browser will even attest upon closer examination:

Large cipher block, perfect forward secrecy, current protocol version, large hash bit size.  This is an excellently secure encrypted connection.

However

Without authentication doth not exist security, irrespective of the level of encryption.  And since the certificate for this site is self-signed (due to a lack of practical alternative options–since it’s my edgerouter), the browser cannot effectively authenticate the source of the encrypted connection.  Therefore, said encryption is useless if one cannot confirm to whom they are communicating.

Except…

I know the certificate and server are legit, and have accepted the certificate as de facto trusted and indicated such to my browser.  Yet the browser has the audacity to assert that the connection is not secure despite this.

It’s a step too far I say!  I angrily shake my fist at the monitor and log in anyway.  Fuck you!

–Simon

Broken WordPress

Techies live by two very wise philosophies:

  1. If it’s working, leave it alone
  2. If there’s a security update, install it

You might notice a paradox here.  And therein lies the source of endless frustration.  Plainly stated, you can’t install a security update unless you mess with a working system.  So what to do?

Well, my personal plan of attack has been to check the patch notes before installing anything, and judge its relevance to my given application.  For example, I put off updating my VPN software because the patched vulnerability was an old version of L2TP/IPsec–something I don’t use.

But the growing list of CVEs on my WordPress install started to concern me, some of which were alarming, like broken access restrictions with URL injection.  Yikes.  Still, I waited, because I really didn’t want to mess with it.

Then my server automatically updated its PHP packages (I thought I had disabled automatic updates), which brought my blog down.  So begrudgingly, I used it as an excuse to finally update.  I began the install process.

As it turns out, WordPress runs on PHP 5.6 (the scripting language which loads data from the SQL backend)–at least the package I have installed anyway.  Other programs I run require PHP 7, so I have both installed.  But the automatic PHP upgrade deactivated 5.6 in favor of 7, which not only broke the site, but prevented the install.  I manually reactivated 5.6, which then triggered its own update, requiring me to patiently wait another hour while it completed.

PHP updated, I tried to load the installer again, but found out that the MariaDB (the open-source fork of SQL) version, version 5, had been stopped in favor of version 10–very similar to the PHP problem.  So I reactivated version 5 and waited patiently while it updated.

These updates collectively maxed the server’s processing power, which then brought down the entire machine.  Nothing’s more nerve-wracking than watching an eternally-spinning icon, devoid of any meaningful information like a status bar.  But, patience and a lot of burning stomach acid later, the installs completed and the server came back online.

I started the WordPress install, and was prompted for MariaDB 5’s root password.  I looked up my complex and randomly-generated password, pasted it in, and continued.  Then I was prompted for MariaDB 10’s root password.  Curious, why would it need both?  Unfortunately, I have yet to find a solid answer, as the WordPress package installations and their associated communities vary widely across the web.

It’s friendly logo hides its true nature

Then I was prompted for my database user account, which I input as well.  The installation clocked for several minutes, then advised that I did not have access to the databases.  Curious.  I knew with certainty what my user password was.  I considered that maybe the root password was different.  To find out, I installed a database management interface and attempted to log into both databases as root.  All attempts failed.  So apparently I didn’t know the root’s password.

A brief web search revealed the default password to be blank, which bothered me immensely.  Granted, it probably wasn’t as big a problem as I was thinking, since presumably only the localhost would have access to the database, but that still seems like a bit of a security hole, like say if malware made its way into the machine.  Also, the management interface I had installed was Internet-facing, which meant that the moment I installed it, my databases were publicly accessible.  Nothing private is in there, but still.  Ah well, I used the interface to change the root passwords for both databases and reattempted the update with the correct credentials.

The install crashed and the logs said the update failed.  I checked the install package, and its version matched the newest.  Confused, I consulted the logs again, but this time it said that the install was successful.  Finally some good news.  I opened up the site.

The site loaded its front page, but without images.  I refreshed the page, only to then find that the only data loading was in the browser’s cache.  The page wasn’t there anymore.  So I checked the web directory’s contents and was dismayed to see that the entire WordPress folder had been purged of data.  The update had reinstalled anew, rather than updating.

I had taken the precautions of backing everything up, so I wasn’t completely distraught, but I began to fear that the WordPress package itself was beyond repair.  I had previously considered 3rd party hosting solutions, and figured that this would be my final salvation.  But first–I would use my automatic backup service to retrieve the last version from my Amazon Drive account, which was timestamped as that morning around 5AM.

The restore took about a half hour.  I reloaded my site, and it worked!  I admit I was surprised.  I had surmised that the site solely operates through a conglomeration of PHP scripts which access the database, but if that were  the case, then the file restore would have wiped out the upgrade–which after checking again, it hadn’t.  So it was the package itself that got updated, not necessarily the script files.

I admit, I still have a long way to go to understanding this technology, but that was the original point of starting this blog.  For now, I’ll remain content that my site is functioning at all.

–Simon

Lazy Eye

I have 3 monitors up currently, running at maximum resolution and with the sizing adjusted to cram as much information as possible onto these screens without feeling eye strain.  I casually peruse the internet.  Every tech site I visit has followed a similar theme–they’ve used the entire monitor’s real estate for its intended purpose and filled it with information.

Then I visit a blog and there’s large segments of white space and the articles are crammed into tiny columns with large verticality.  Now, I do know why, as I’m in the industry and have had experience with web design (I’ve even attended a seminar that touched on this): the human eye is lazy and wants to float through text as comfortably as possible, and varying studies have revealed anywhere from 45-70 characters per line to be the most comfortable.  And to this I say quite frankly: bollocks.

I can’t remember the last book I read, aside from a children’s story, which adhered to this philosophy.  Oh I know the argument has been that paper reads differently from digital, which has also been the primary argument in the running debate regarding deprecating serif fonts; but how lazy are we really when we want to read something of interest?  Personally, I don’t find it all that difficult to adjust to varying font sizes and widths, and my eyes are far from 20/20.  I do find it irritating, however, to have to continually scroll down a page as I read.

It was a lingering gripe I had with this default WordPress theme, that it was capping content width at around this 75-character mark, and no obvious means existed by which to adjust it.  The whole point of using an authoring program like WordPress was to not have to dig into code to add content and make changes.  Adding to that, it’s much more difficult to dig into code that someone else made than it is to modify my own, so this issue is doubly aggravating.  Further still, each version of WordPress and each separate theme has different settings, so consulting the usual Internet discussion was fruitless.

No matter, it’s all CSS after all.  How hard could it be?

As it turns out, it’s relatively easy to make the change.  The difficult part was finding the styling info I needed.  But thankfully, WordPress not only has an engine for modifying the stylesheet within WordPress itself, they were kind enough to also have left a comment trail throughout.  I found what I was after in a little section called Layout.

Post-modification, additional comments are mine to remember default values

“.wrap” encompasses anything under that umbrella, and after experimentation I found that 1200px made much better use of a full desktop monitor without overloading visual elements.  Then I adjusted the percentile ratios of “#primary”, the main content column which contains posts, and “#secondary”, all that sidebar stuff to the right.  Above are my changes.

Like all web design, visual layouts are trial and error, and I may tweak things more in the future.  But for now, I find the posts’ width to be much more practical.  And now my embedded images appear bigger as well.

I’m sure much of this is personal preference, but I really hated wasting all that space.  Whether or not anyone else might agree with my assessment, at least this post shows the means by which it can be changed to suit other’s needs.

–Simon

Oh My Oh My It’s a…

…Mile High Piece o’ Pie in the Sky!

That’s one of those weird Moorhead-isms.  24 hours in a car with your family will do that to you.  After the Adventures of Huckleberry Finn audiotapes grew stale and we started commenting on roadside advertisements, embellishments quickly arose and road delirium took its toll.

Anyway, my sister bought me a Raspberry Pi a couple years ago.  At the time, I think she intended it to be a low cost computer introduction for my daughter.  But by the time the kid was old enough to understand basic computer inputs, she had a tablet, so the Pi sat unused.  Then I made a dashboard, similar to my recent Xbox project, but this quickly fell into disuse as the Pi would timeout and I’d have to hunt down a keyboard and mouse to refresh the browser again (I discussed this recently).  Then I simply plugged it into the network as a Linux experimentation device to self-teach the command line interface.  Sudo apt-get upgradecd /etc/…uhhhh lssudo nano /boot/config.txt… You get the idea.  I figured if I really screwed something up, it was a low-risk device I could wipe clean.

The old laptop had been reassigned.  Sitting in the basement on the shelf with the network equipment, devoid of battery and working WiFi card, it served as a simple OS to run a web browser.  With an external monitor, it ran two windows–my Google calendar, and my weather radar.  Then Windows’ on-board SMART monitor detected an imminent hard drive failure.  I repeatedly ignored the warning, since I didn’t really care about its longevity and all its data had since been backed up.  Then one day the computer installed updates and failed to find the drive upon reboot.  Maybe one day I’ll swap the drive and install a Linux distro.

But I missed the omnipresent calendar, so I decided it was time to revive the Pi and once again give it purpose.  After all, all I needed was a basic machine that could run a browser (and Windows had been overkill, and a big security hole).  So I ordered a cheap keyboard and mouse from Amazon, which I received 2 days later (I love Prime’s free 2-day shipping).  I also needed an HDMI to VGA adapter, which Amazon was happy to provide as well.  I hooked up that 18-year old Apple LCD display (which retailed for $1,999 at the time; https://en.wikipedia.org/wiki/Apple_Studio_Display#15-inch_flat_panel_.281998.E2.80.932003.29, https://manuals.info.apple.com/MANUALS/0/MA473/en_US/StudioDisplay_15inchLCDSetup.PDF) plugged in the peripherals, and…everything worked instantly, because it isn’t Windows.

After some quick updating, I had the calendar up and running in kiosk mode.  All things considered, this was pretty benign, and was almost too easy to feel like a bona fide project.  Still, it got me the hour nerd fix I needed.

–Simon

Routing

For the majority of my adult life, I’ve had a preference for D-Link network products.  In the early days, before security was a primary concern, the simple ability of a router to even perform NAT routing reliably was a major accomplishment.  The old Apple Airport base station that dad had purchased was okay, but was notoriously flaky and required software to administer (rather than the universal browser-based GUI).  We had developed a ritualized order in which devices on the network had to be unplugged and rebooted in order to restore connectivity.

Network equipment from 1999–40-bit WEP encryption, awwww yeah!

When I moved into my first college apartment, a friend at the time gave me a D-Link router, the ol’ DIR-524.  It did it’s job admirably, though it became dated and thrown into a box when I moved into my second apartment, replaced by my roommate’s newer model Linksys.

This guy supported 802.11g!

But then the Linksys fried, and I dug out the D-Link again.  I continued to use it in two additional apartments thereafter, until I finally forked over $70 for a newer D-Link (although this was after I tried a Netgear, which continually dropped its routing), the DIR-655.

First gigabit-capable hardware I owned

That first D-Link has long-since disappeared, but the 655 still functions on my network to this day, having been reconfigured to operate as a hotspot (300N is still fast enough for an internet connection).  My point is that, over the years of router experiences, the only ones that seem to have been built with decent hardware and designed with stable firmware were D-Links.  After multiple iterations, I was a brand snob, and currently have 3 of their wireless routers in operation.

But the Internet’s come a long way since the 90s, and while router manufacturers have figured out how to design their equipment to function reliably at a base level, they have not put a premium on security.  I suppose that, given the price points of consumer-grade network equipment, the manufacturers have to prioritize, and that priority has fallen upon aesthetic design and marketing rather than support and security.  They can’t be blamed for that, since they’re only responding to demand (and the controversial “WAF”).  I suppose if customers demanded security, then they would respond accordingly.

My currently-running model: DIR-880L

I’ve listened passively as entire lines of consumer-grade routers were revealed to have massive security holes, and the manufacturers failed to respond.  These compromises always affected other brands, but all good things come to an end, and the flaws were gradually revealed throughout D-Link products too.  Pity.  Now it seems that no brand is immune.  All consumer-grade routers have similar problems, and I found myself left without a viable alternative.  And while I’m probably unlikely to be targeted, I do have Internet-facing services, like this site (rather that hiding in stealth mode).  So, it was time to consider upgrading to a business-class router.

When classifying routers, the target demographic is commonly used in its description.  That carries certain connotations, such as the knowledge and motivation of the purchaser, and the level of features and security.  Consumer-grade routers are designed to be pretty, work out of the box, and be easily configured if the user wants, but configuration isn’t generally required (or terribly robust).  At the other extreme are Enterprise-class routers, which assume a support staff of certified technicians (and an enterprise-level budget, being in the tens of thousands of dollars).  Everywhere in between lie Business-class routers, which I find to have the largest range in price and user-friendliness.

I was primarily after something basic–something that maintained firmware updates with vulnerability discoveries, that had good policy-driven default security settings, and still something that I could figure out given my lack of expertise.  I decided upon a Ubiquiti Edgerouter X.  It operates on their EdgeOS (which is the same across their entire line of products, which means it’s going to get updates as they respond to the needs of their bigger clients), and has received a number of positive recommendations from people in the industry.  And at $50, the price was good and low-risk.

Aesthetics be damned (but I still think it’s a cute little box)

It bears mentioning that this is no all-in-one wireless router–not a problem since I have hotspots configured, but be advised.

Amusingly, I lacked a general computer with an Ethernet port.  I know that seems odd, but computers are increasingly scaled down to reduce form factor and to extend battery life.  And since I haven’t yet built an office, I don’t have a place for a full desktop yet, and therefore stick to laptops.  In short, I needed an adapter.

After some searching, I found an Amazon brand adapter:

The reviews checked out, so I ordered that too.  I did anticipate some problems getting drivers, since the included CD-ROM was useless as I also lacked a CD drive, but they were available online and after a quick install, things were working as advertised.  I needed one of these anyway for other wired LAN configurations, so this project was just the final excuse.

In every consumer-grade router setup I’ve ever experienced, I plug in the router, connect via Ethernet to LAN port 1, navigate to http(s)://192.168.0.1, and am immediately presented with the configuration page login.  I followed these same steps, and…nothing.  Just an unfriendly browser timeout.  I repeated these steps, wondering what I had done wrong.  It was not a good sign that I failed at even finding the configuration page.  This was not going to be easy.

The instructions assumed a certain degree of competence, of which I apparently did not posses.  Fortunately, a kind soul elsewhere on the Internet had written a dummy’s guide for these initial steps (although later, I found these same steps on a quick setup pamphlet in the box, so that was my fault).  I had left my computer’s network settings to pull an IP address via DHCP, as is the norm, but the Edgerouter doesn’t come with DHCP enabled by default.  Instead, I had to manually assign an IP address to my computer within the normal range of the router’s subnet, which was 192.168.1.0/24 (excluding 192.168.1.0 and 192.168.1.1), so I chose 192.168.1.11 (anything in that range would presumably have worked, but I decided to follow the advice explicitly).  192.168.1.1 was therefore the default address for the router (and different than standard consumer grade routers).  I accessed this IP address and was presented with the login.  Success!

Already it looks more professional

The default login credentials were, however, in the manual; so at least I was able to log in right away.

Then, I was presented with the main screen:

The screenshot isn’t mine, but it’s more or less what I saw

Uhhhh, what do I do?  I spent the next half hour clicking everything to figure out where all the settings were.  Router GUIs are always somewhat random, but this one definitely allowed more customization than I was used to.  Fortunately, I found a wizard.  I generally avoid these, but I had two reasons for using them this time: 1) I wanted to keep the existing configurations on my D-Link, and it’s segmented guest WiFi, so that meant either massively overhauling the setup and possibly buying more equipment, or double NAT-ing; and 2) I didn’t fully understand what I was doing and wanted some more hand-holding.  I ran the WAN-LAN setup wizard.

I followed the prompts, the router rebooted, then nothing worked again.  Fortunately, I did know enough to switch the Ethernet cable to from eth0, where I had it and which was now configured to be the WAN port, to eth1.  Then I re-enabled DHCP on my computer.  Success!  I logged in.

I connected the modem to eth0, but the router never pulled an IP address from the ISP.  Frustrated, I repeated the above steps to no avail.  Then I went and fetched the most recent firmware for the device, which was many versions out of date.  Ultimately, this wasn’t the problem, but I’m glad it forced me to go pull the security updates before completing all my configurations.

Turns out I just had to reboot the modem.  I know I know, what a noob mistake.  I put the blame on the new hardware when in fact it’s probably the most advanced piece of network equipment I now owned.  I followed the wizard again, slightly changing the defaults so that eth1 and eth2 were separate subnets–a future experiment in network isolation.  It’s novel, and seemingly obvious now, that each port on a router be configurable.

So, the modem ran into eth0 (now the WAN), eth2 to the WAN on the old router.  Then I had to input all my port-forwarding settings so I could reach the server, and check a setting for NAT reflection, and input my DNS settings, bla bla bla.  In short, everything was back online…except for logging into my email server for some reason.  I’ll have to figure that out later.

[Edit: I figured out that I needed to add a firewall rule on the server to allow logins from the Edgerouter’s IP address]

The important thing is that it works, and my consumer-grade router is no longer the Internet-facing entry point to my LAN.  Presumably, I have a business-class firewall protecting me now.

And an interesting little extra is the DPI feature, screenshot example (again, not my own):

Of course, since I’m double NAT-ing, I don’t see the breakdown per client, but I do see an aggregate of all the network traffic.  I don’t know how robust this is, but it sure looks cool.

Liz might call be paranoid, but it’s only paranoia if aluminum foil wasn’t demonstrably effective at blocking alien mind-reading rays (at least business-class foil anyway).

–Simon