Trusting the Internet

In light of recent events (Heartbleed and *cough* NSA *cough*), we now live in a world where the people you thought you could trust aren’t as trustworthy as you expected them to be.

Among the things that we lay our trust in every day are Certificate Authorities. These are the people with the power to issue SSL certificates, which are used when you use online banking, search Google, access your email and handle other sensitive information over the internet. A connection protected this way can be identified by either a padlock symbol, or simply ‘https’. You’ll notice that my blog is encrypted, and you can get details of this by clicking the padlock in the top right in Chrome and Firefox, or the padlock at the end of the address bar in Internet Explorer.

For this example I will use Firefox:

SSL Overview

You can see that the connection is secure. Wonderful!

What good is it, however, to have an encrypted connection when the other end could be anyone in the world?
That’s where the trust part comes into it.

You can see that the certificate has been verified by, Inc. Clicking ‘More Information…’, ‘View Certificate’ and going to the ‘Details’ tab will take you to this screen:

SSL Overview

Here you can see the trust tree. This is the chain that lets Firefox know that the certificate is one that it can trust.

Think of it this way, you’re having a party, and a guy enters. You don’t know him, and therefore don’t want him in your house, but he says he is friends with another guy, who you don’t know and ring up, but he says he’s friends with another guy, who you don’t know and ring up, who says he’s friends with one of your close friends, who confirms that he is indeed his friend, and he can vouch for his friend, his friend’s friends, and his friend’s friend’s friend who is at your front door.

From this you can trust all of his friends into your house. If one of them steals/breaks/otherwise vandalises your house, you can go back to your friend and either say ‘these guys did bad things to my house’, and he will revoke their friendship, or you can choose not to be friends with this guy who let idiots into your house anymore.

In this case, the guy at your door is ‘*’, his unknown friends are ‘Go Daddy Secure Certificate Authority – G2’ and ‘Go Daddy Root Certificate Authority – G2’, and the friend you trust is ‘Go Daddy Class 2 CA’

This root level of trust is built into the web browser (or in the case of Internet Explorer, Windows itself), and you can choose to revoke or add authorities at your will, but be warned: revocation is a drastic measure which will limit access to a number of sites and compromise your security at the same time. If a website does something bad, the best course of action is to take it up with the certificate authority which issued that website’s certificate and let them revoke it. Details for this can usually be found under the page linked in the ‘Subject’ field

Subject field

Visiting the site will usually give details on what to do if you suspect a certificate has been compromised or if the legitimate owner is performing malicious activity with it

Next up will be how to run your own certificate authority!

Turning off Lid Close Standby on Ubuntu Server 14.04 LTS in three easy steps

Let’s say you’ve turned your old laptop into a server. Great choice! It’s smaller than a full size tower, uses less power, is quieter (most of the time) and if you can’t access it you can tab right in on the physical keyboard and screen.

However, open laptops take up more space, so you’ll want to close the lid, right? On Ubuntu Server, closing the lid will put your server in standby, which is… unhelpful, to say the least.

Well, here’s how to stop that from happening, for all versions of Ubuntu from 13.10 onwards (13.10, 14.04 LTS, 14.10 as of January 2015).

Step One

First, open /etc/systemd/logind.conf with a text editor

sudo vim /etc/systemd/logind.conf

Step Two

Find the line with HandleLidSwitch and change it to


Step Three

Save, exit and restart the daemon

sudo service systemd-logind restart

Et Voila! Your server is now happy about running with its lid closed!

How to lock down your Windows 7 machine like Fort Knox

I like security. There’s a fact for you

Imagine you’re going to sleep, and you suddenly realise you’ve left the front door wide open, with the keys still in the lock.
How would you react? Anyone with the right state of mind (and who doesn’t have a fully trustworthy 24/7 security team to pry the keys from that lock, close the door and secure the premises for you) would get up, go to the front door, close it and lock it, before proceeding back to bed with the confidence that an unwanted person won’t be getting in.

Your computer is wide open like that proverbial front door, even more so if you use your administrator account for your day-to-day, and let’s face it, who doesn’t these days when you can have a computer each?

I decided to write this article after I read about a tool which claims to break bitlocker drive encryption, and one of the described methods was to get a hold of the computer whilst it was unlocked on an administrator account, install the software, then do evil.

This works by relying on the default UAC (User Account Control) settings to give applications privileged access without the need for actual administrator input.

Not on my computer. Here’s how:

Part One – Telling the computer what to do when evil brews

In this part we will fiddle with some of the darkest depths of the security settings available, to make administrator privilege requests (UAC elevations) much harder for an evil person to abuse to make a computer do evil stuff.

Step One

Open up the Local Security Policy by going to Run and typing secpol.msc
Hit enter and it should open up the local security policy (if you are requested to allow it privileges, click yes. Notice how you just get a yes or no, and anybody with access to your computer can click ‘yes’ or ‘no’ for you (to do very evil things)).
Turns out that by default you don’t get this prompt. Evil people could be changing them for you!

Step Two

Navigate to Local Policies/Security Options and scroll to the bottom of what should be a long list of stuff

Step Three

Find these three entries beginning with ‘User Account Control’ and check they are set to the following. If not, set them by double clicking the option and selecting the value from the drop down menu:

User Account Control: Admin Approval Mode for the Built-in Administrator account
    Default: Disabled
    Setting: Enabled
User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode
    Default: Prompt for consent for non-Windows binaries
    Setting: Prompt for credentials on the secure desktop
User Account Control: Behaviour of the elevation prompt for standard users
    Default: Prompt for credentials
    Setting: Prompt for credentials on the secure desktop
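
To confirm the three settings stuck, and to spot later whether someone has changed them back, the registry values behind these policies can be read without elevation. This is an added example, not part of the original post; the value names and numbers are the ones Windows stores under the Policies\System key, and the script sticks to PowerShell 2.0 syntax so it runs on a stock Windows 7 install.

```powershell
# Added example: read-only audit of the registry values behind the three
# User Account Control policies set in Part One. No elevation is needed.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each entry: registry value name, the value expected after Part One,
# and the policy setting that value corresponds to.
$checks = @(
    @{ Name = 'FilterAdministratorToken';   Want = 1
       Policy = 'Admin Approval Mode for the Built-in Administrator account: Enabled' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Want = 1
       Policy = 'Administrators: Prompt for credentials on the secure desktop' },
    @{ Name = 'ConsentPromptBehaviorUser';  Want = 1
       Policy = 'Standard users: Prompt for credentials on the secure desktop' }
)

$current = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($c in $checks) {
    # A value that has never been written is simply absent from the key.
    $prop   = $current.PSObject.Properties[$c.Name]
    $actual = if ($null -ne $prop) { $prop.Value } else { $null }
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }

    New-Object PSObject -Property @{
        Value     = $c.Name
        Expected  = $c.Want
        Actual    = $shown
        Compliant = ($actual -eq $c.Want)
        Policy    = $c.Policy
    }
}

$report | Select-Object Value, Expected, Actual, Compliant, Policy |
    Format-Table -AutoSize

# Flag drift so the script can be re-run after software installs or updates.
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) UAC setting(s) differ from Part One"
}
```

A value reported as ‘(not set)’ means Windows is using its built-in default for that policy, which for all three is the weaker ‘Default’ listed above.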

Part Two – Telling the computer to be more picky

Now that we have prevented evil people breaking past privilege requests without an administrator present, we need to make it so that the computer calls for an administrator more often. Doing this also prevents an evil person undoing all the good we did in part one.

Step One

Go to Start, open up Control Panel and in the search box, type ‘UAC’ and click ‘Change User Account Control Settings’

Step Two

Click ‘yes’ to the UAC prompt (the last time you’ll ever click yes) and set the slider to ‘Always Notify’, as seen below
UAC Notification Selection Screen

Your computer is now protected from evil people at the cost of you having to enter your password every time you do something administrative, which shouldn’t happen with average day-to-day computer usage.

If you do get the UAC prompt, before you enter your password, think: Why am I doing this?
The UAC is there to tell you that you are doing something that is potentially dangerous, so take the time to take a step back and ensure that you are making the right decision

Stay Safe and have a Merry Christmas everyone!

DNS woes on OS X 10.10 Yosemite

Today I spent the better part of two hours setting up a BIND9 nameserver on my raspberry pi server, and I quickly ran into an issue:

The DNS cache on OS X was not updating. There are two methods circulating for solving this, which are:

dscacheutil -flushcache
sudo discoveryutil udnsflushcaches

So, I had to find another way.
And I found one. The super easy way of fixing this is to lower your TTL in your zone file, do the ping, and set it back again (or leave it)

e.g. take this here:

ben.local. IN SOA server.ben.local. hostmaster.ben.local. (
        1               ; serial
        5H              ; refresh
        4H              ; retry
        4W              ; expire
        1D              ; minimum
        )

In this case, the TTL (refresh) is set to 5 hours. You won’t be able to get a lot of work done in that time, so set it to 5 to force a refresh every 5 seconds, i.e.

ben.local. IN SOA server.ben.local. hostmaster.ben.local. (
        1               ; serial
        5               ; refresh
        4H              ; retry
        4W              ; expire
        1D              ; minimum
        )

Oh, and you don’t need to change the serial unless you have slaves waiting for an update. Make the changes, then run sudo service bind9 restart to restart the nameserver, and voilà! You can get back to work.

In future, if this is a private nameserver which only receives a few queries a second, then feel free to set it to something reasonable, like a minute. or five. or ten. Keep the five hour TTLs for high load servers where you need to cater for tens of thousands of DNS requests a second

Floating Spam

I am bored, and therefore I intend to transfer my boredom to the internet.

Whilst looking through my spam folder (I really was that bored), I noticed that there were a bunch of messages at the top which had been there since I last looked (a long while ago).

At first, I dismissed it as my spam filter not working, but upon closer inspection, it appears that they were sent in October…

October 2018, that is. 4 years from now.

I therefore conclude that a type of spam designed to bug you to open it is what I have dubbed ‘floating spam’. That is, spam which was sent to you from the future. It will appear in your inbox if you perhaps run a small business, and are using a cheap mailserver to serve your mail without a built-in spam filter and you only access your mail through webmail. If it’s all poorly put together, you will theoretically end up with these spam messages stuck at the top, hiding your other mail.

Of course, for me, the fact it was sent 4 years from now indicates to my spam filter that I am either involved in some Doctor Who plotline involving complicated timey-wimey stuff and email, or I have been sent some spam. It’s pretty obvious which one it is.