Bluetack.co.uk


Unfortunately Bluetack.co.uk is down and is unlikely to come back. I will share here the last 3 posts made to the blog on their site before its demise. I have put this here so that people know what has happened and what they need to do to clear up some loose ends.

The posts are as follows, two made by Moore and another by The Netweasel. Unfortunately, the site suffered two major blows that have put it out of business:

Posted By:  The Netweasel @ Aug 11 2015, 08:26 PM
My dear friends,

I am so sorry to have to write this at this terrible time, but events conspire to rob me of whatever time there might have been. The website may run out of operating funds any day now, and I am also set to expire soon. I had hoped to wait a little longer before making this announcement, but I can’t afford to.

Just as we were learning as a group that our cherished Tozzano is gone from us, I was learning personally that I have terminal, stage-four lung cancer. The progression of the disease is such that I think I am probably down to days, but it’s impossible to say. Nonessential organs are shutting down, and my ability to think is diminished and intermittent.

Thanks for the leadership and kindness everyone has shown me here. I love you all and wish you the best!

Richard Reed
a.k.a. The Netweasel

 

Posted By:  Moore @ Jul 27 2015, 06:55 PM
Dear all,

With the death of Tozzano, our premium subscription system is finished. Tozz is the PayPal account holder and I do not have access.

For all Premium subscribers who have a recurring subscription, please accept my sincere apologies.

Recurring subscriptions will continue to be charged indefinitely. You will need to cancel your BISS Premium subscription from your PayPal account.

I’m sorry, but PayPal will not give anyone else access to the account, and they won’t close it either without a whole lot of information I will never be able to get.

Without access to the PayPal funds, I will not be able to maintain the payments for the server, nor will I be able to keep the site running on my own without Tozz.

I don’t have the resources to fight a legal battle with PayPal to prove that Tozz has died, so I can’t close the account either. I can’t find anyone from Tozz’s family to help.

The PayPal requirements for closing an account are difficult if you aren’t a direct relative:
https://www.paypal.com/ca/webapps/helpcente…COUNT&m=TCI

We tried to get a death certificate online and got scammed $25 instead. It’s very difficult when you live in another country to cope with a situation like this.

Tozz has been our heart, soul and backbone for many years. He was the one who kept us going all these years when no one else could. I always looked to him for help and advice and he never once let me down.

Tozz was our senior systems administrator, SQL DB admin, PHP programmer, Blocklist Manager developer and my closest friend. It’s hard for me to find a file on the server that doesn’t have a helpful or funny comment somewhere from Tozz in it. I miss him.

We were working towards setting up an LLC for BlockList Pro, launching a new site and new projects to replace our old stuff.

I’m sorry for the situation that we are now in, I wasn’t prepared for something like this to happen.
I’ll do my best to keep the site running as long as possible for all current subscribers, but at some point soon the site / server will be closed down.

I would like to thank everyone for your support, we couldn’t have done all this without you.

 

Posted By:  Moore @ Jul 7 2015, 07:55 PM
Dear friends,

It breaks my heart to bring you news about the passing of our much loved administrator Mike Tozzano.

For over 10 years Tozzano has been my best friend, and part of our family. He is the most caring and dedicated person I’ve ever known.

Everything we’ve accomplished would not have been possible without Tozz, and I don’t know how we will survive without him.

What I do know is that Tozz will always be with us in our hearts and it will be impossible to ever forget him.

QUOTE
Nothing is easy and goodbye is always hard

In peace may he rest

SSLv3 POODLE Bug CVE-2014-3566


What is it:
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

POODLE affects older standards of encryption, specifically Secure Sockets Layer (SSL) version 3, which was released in 1996. It does not affect the newer encryption mechanisms known as Transport Layer Security (TLS).

I’m Just an Average Person, Am I affected?:
Most likely yes. You can test your web browser by going to https://www.poodletest.com/

How Can I Fix my Browser?
Follow some recommended steps to disable SSLv3 support in your browser. Patches and software updates are mentioned later in this article.

Chrome – Windows

Chrome had an update released in February that added a feature that, in theory, protects against this vulnerability. Some people have also claimed that adding --ssl-version-min=tls1 to the shortcut will disable SSLv3 and earlier, but I have not seen this actually disable SSLv3.

Chrome – Linux (Ubuntu) – gertvdijk on AskUbuntu

  1. Open /usr/share/applications/google-chrome.desktop in a text editor
  2. For any line that begins with “Exec”, add the argument --ssl-version-min=tls1
  3. For instance, the line Exec=/usr/bin/google-chrome-stable %U should become Exec=/usr/bin/google-chrome-stable --ssl-version-min=tls1 %U
  4. Reboot

Firefox

  1. Put “about:config” in your address bar and press Enter
  2. Search through the list of entries for “security.tls.version.min”
  3. Double-click on this item, enter the number 1 and click OK

Internet Explorer

  1. Launch “Internet Options” from the Start Menu
  2. Click the “Advanced” tab
  3. Uncheck “Use SSL 3.0”
  4. Click “OK”

I’m a Server Admin What Can I Do to Protect My users:

Disable SSLv3 and lower on your servers. Review your SSL settings and make sure the protocols are in the right order and follow best practice, which is pretty much to use TLS 1.0 or greater.

In large networks it may be necessary to deploy a group policy setting to disable SSLv3. Guide

How do I disable SSLv3 on X?:

I don’t feel that I’m experienced enough to give advice on Apache or any Linux HTTPS daemons, so I would advise that you check out the Linux community for your distro, as they will most likely have information on securing your servers.

As I’m more familiar with IIS (Internet Information Server), I’m happy to provide a link to Nartac Software Inc.’s GUI tool that allows you to set your SSL settings. I recommend you set your server to the FIPS-140-2 standard using this software.

Changing the settings on Windows will also affect other services on your system, so make sure you test production environments after making these changes.

How do I know if a Site I’m Visiting is Vulnerable/How do I test My site?:

Qualys, Inc. provides a wonderful tool, SSL Server Test, which can tell you how well your server is doing when it comes to your SSL configuration in general. If you don’t have an A-, A or A+ rating, you seriously need to look at your website’s security. Then again, maybe you don’t give a site about the people who visit your site. (You’re pretty negligent, aren’t you?)

But remember, even if you have an A rating your site might still be poorly configured or have other issues, e.g. some sites prefer SSLv3 over TLS even though they have TLS enabled.
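To check a server you run for the behaviour described above, a probe can offer SSL 3.0 as its only version and look at what comes back. This is an added example, not code from the original post; the cipher-suite choice, function names and sample reply bytes are constructed for illustration, and a server that requires SNI or other extensions may drop the hello for reasons unrelated to SSLv3.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0

def client_hello():
    """Build a ClientHello that offers SSL 3.0 as its highest version."""
    # Three CBC suites chosen for this example (constructed choice):
    # RSA-AES128-SHA, RSA-AES256-SHA, RSA-3DES-EDE-SHA.
    suites = struct.pack("!3H", 0x002F, 0x0035, 0x000A)
    body = (SSL3 + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify(reply):
    """Interpret the first bytes the server sent back."""
    if len(reply) < 5:
        return "closed"        # connection dropped: SSLv3 was not negotiated
    if reply[0] == 0x15:
        return "rejected"      # alert record: the server refused the hello
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        # ServerHello: the chosen version follows the 4-byte handshake header.
        return "sslv3-accepted" if reply[9:11] == SSL3 else "other-version"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the SSLv3-only hello to a server you administer and classify the reply."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello())
            while len(reply) < 11:   # enough bytes to read the ServerHello version
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except (socket.timeout, ConnectionResetError):
        pass                         # classify whatever arrived before the drop
    return classify(reply)

if __name__ == "__main__":
    # Constructed sample replies, so the demo runs offline.
    server_hello = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26" + SSL3
                    + bytes(32) + b"\x00\x00\x2f\x00")
    alert = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal handshake_failure
    print(classify(server_hello), classify(alert), classify(b""))
```

A result of "sslv3-accepted" from probe() means the server still negotiates SSLv3 and needs the protocol disabled; "rejected" or "closed" is the outcome you want.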

When are the software updates going to be available?:

SSLv3 = Never, the Bug is a fundamental design flaw of the protocol.
Firefox = Mozilla has indicated that a patch will be available on the 24/25th November 2014, this update will remove SSLv3 from Firefox
Chrome = Google has not yet specified when or if SSLv3 will be removed, but claims that “Any version of Chrome since February 2014 (Chrome 33 onwards) is protected against this vulnerability.” They have also said “In the coming months, we hope to remove support for SSL 3.0 completely from our client products.”
Internet Explorer = “Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs”. Microsoft provides updates on or after the second Tuesday of the month unless the need arises for it to be fixed sooner. (Should be on November 11 or the day after)

Fibre vs. Wireless Performance & The NBN


I’m sick & tired of people saying wireless is a better alternative to Fibre in regard to the NBN debate in Australia. I have trawled the net looking for some real world results & am finally satisfied with what I have found. I’m not after marketing claims or anything like that, and I’m not quoting some piece of policy; these are results recorded through one and the same site, speedtest.net.

Below is a video recorded in the US; it compares Verizon LTE vs. Sprint 4G. The results are less than impressive: the Verizon LTE modem clocked in speeds of 7.40 Mbps down & 1.40 Mbps up, while the Sprint 4G modem clocked in 1.76 Mbps down and 0.40 Mbps up.
Sprint 4G vs. Verizon LTE Speedtest in San Francisco

This next piece is the results from my own Internode ADSL2+ connection from October last year. I’m not going to retest because it’s much the same now:

Speedtest.net Result 7th October 2010
Web White Noise – Speedtest Time

Finally a speed test from a customer with iiNet connected to the NBN:

iiNet NBN Speedtest.net Results
Whirlpool – I’m on the NBN! Forum Thread

The numbers based on performance speak for themselves.

Update 19/05/2011 – New Phone

I’ve got myself a new phone & have now done a speedtest on the Telstra NextG / UMTS 850 / US3G network (whatever standard they want to call it), using the USB tethering capability. The results are unsurprising for wireless.

Update 20/01/2013 – Telstra LTE 4G (1800 MHz) in Southport

For those who keep wanting to say that 4G is better than Fibre to the Home (FTTH), I think not.


How Do I Delete My Facebook Account


Follow these instructions:

  1. Make sure you are logged on to Facebook
  2. Go to: https://ssl.facebook.com/help/contact.php?show_form=delete_account
  3. Click on the submit button
  4. Enter your password
  5. Type in the words in the security check
  6. Click Okay
  7. A notice will be displayed saying that your account has been deactivated, and that the account will be deleted in 14 days if you do not log into the account in the next 14 days.
  8. You will then be taken to the Main Facebook login page.

Remember, don’t try to log into the account until the 14 days have passed or your account will be reactivated.