Category Archives: IT

IT related posts, technical stuff

Improving your privacy with a custom email domain

This blog post is a follow-up to It’s Time to Ditch Gmail. It began as a review of Fastmail, and my experience of moving to it from Gmail, but I quickly found myself going on a tangent. Since privacy was the main driver in my decision to move to Fastmail, and using a custom domain is one of the ways that I protect my privacy, I figured it was important enough to warrant its own post.

One of the factors that made it easier to move away from Gmail is my use of a custom domain for most of my mail. Before moving to Fastmail, this domain was tied to a GSuite account which forwarded everything to my standard Gmail account. This made switching in anger much easier, as I had fewer accounts to log in to and update my email address, and those that were still pointing directly at Gmail tended to be older low-value accounts that I no longer use anyway.

In this article though, I want to take a detour to explain why I use a custom domain, and how it can aid your privacy. Continue reading

Provisioning Vault with Code

A couple of years ago, Hashicorp published a blog post “Codifying Vault Policies and Configuration“. We used a heavily modified version of their scripts to get us going with Vault.

However there are a few problems with the approach, some of which are noted in the original post.

The main one is that if we remove a policy from the configuration, applying it again will not remove the objects from Vault. Essentially it is additive only, and while it will modify existing objects and create new ones, removing objects that are no longer declared is arguably just as important.

Another problem is that shell scripts inevitably have dependencies, which you may not want to install on your shell servers. Curl, in particular, is extremely useful for hackers, and we don’t want to have it available in production (in our environment, access to the vault API from outside the network is not allowed).

Finally, shell scripts aren’t easy to test, and don’t scale particularly well as complexity grows. You can do some amazing things in bash, but once it gets beyond a few hundred lines it’s time to break out into a proper language.

So that’s what I did.

The result is a tool called vaultsmith, and it’s designed to do one thing – take a directory of json files and apply them to your vault server.

Continue reading

Upstream Bug? Fix it.

This is a blog post I originally wrote more than two years ago, in reaction to “spirited debates” I was having with developers. I didn’t post it, but perhaps I should have! Anyway the ideas within are as true to me now as they were then, so I thought I’d post it today after a bit of revision.

How many times have you had a developer shrug their shoulders at you and say “it’s an upstream bug”?

I heard it today, and it is so, so wrong, that it is practically an admission of guilt.

Do you say that to your customers when their personal data is leaked from your database? When your app crashes their device? No? Good, because it’s your problem.

It’s great that you can use third party libraries to do your job more efficiently, but doing so does not absolve you of responsibility if the product breaks. You made the decision on what library to use, and you are ultimately responsible for delivering functionality. Continue reading

From Ivy Bridge to Threadripper Part 1 – A Water Cooling Retrospective

Some of the links in this article are Amazon affiliate links, which pay me a commission if you make a purchase.

I could have brought a plain old Ryzen, a Core i7 or even another Core i5. But with Intel sitting on its hands the past 5 years in the face of no competition, I decided it was time to splash out and reward AMD for not only investing in CPUs again, but making an interesting high-end desktop product while not nickel & diming its customers over PCI-E lanes.

And so, I brought a 1920X.

I don’t really need 12 cores. Other than general browsing, my PC is used for work, (coding) plus a bit of gaming, and a gaming CPU this is not. Running multiple VMs and M.2 devices without slowing down will be nice, but this build is mostly overkill for my needs. And that’s really the point! Continue reading

Vimperator, Vimium and the switch to Qutebrowser

Much to the chagrin of anyone that uses a web browser on my PC, with particular apologies to my girlfriend, I’ve been an enthusiastic user of Vimperator for several years. Vimperator is a Firefox extension that turns it into a keyboard-driven browser, one that behaves much like the text editor Vim. Unfortunately, Mozilla has deprecated the XUL extension API that vimperator and many legacy extensions depend on, in favour of the web extension standard pioneered by Google with Chrome.

I can understand why they made this change. Legacy extensions are a large source of pain, can pose a security risk to host systems, and make invasive, sometimes unstable changes to the behaviour of the web browser. Mozilla often took flak from users for poor performance caused by poorly-written extensions, which were sometimes installed without the users’ knowledge or consent (Skype click to call extension, I’m looking at you).

What’s more, XUL extensions are partly responsible for the slow roll-out of their multiprocess implementation, called Electrolysys.

All this probably explains why Mozilla decided to adopt Google’s extension standard, and drop XUL. Unfortunately, Vimperator, a volunteer project, looks as though it will be a casualty of this decision, and it is highly likely that it never work after the legacy extension APIs are removed in Firefox 57.

So with Vimperator effectively dead, what’s a Vim user to do? Continue reading

Building and Packaging a Python command-line tool for Debian

python-logo-notext-svgPython packaging has a chequered past.

Distutils was and still is the original tool included with the standard library. But then setuptools was created to overcome the limitations of distutils, gained wide adoption, subsequently stagnated, and a fork called distribute was created to address some of the issues. Distutils2 was an attempt to take the best of previous tools to support Python 3, but it failed. Then distribute grew to support Python 3, was merged back in to setuptools, and everything else became moot!

Unfortunately, it’s hard to find reliable information on python packaging, because many articles you might find in a Duckduckgo search were created before setuptools was reinvigorated. Many reflect practices that are sub-optimal today, and I would disregard anything written before the distribute merge, which happened in March 2013. Continue reading

Mechanical Keyboards – Stop reading if you like your money

filco_tenkeyless_ninja_uk_largeAs a Sysadmin who works on a keyboard all day, I was enamoured by Jeff Atwood’s post about his CODE Keyboard, that he developed in partnership with WASD Keyboards. Essentially, the CODE Keyboard is a pre-spec’d standard WASD keyboard, with Cherry MX Clear switches.

If you have no idea what I’m talking about, you should read WASD’s Mechanical Keyboard Guide, which covers the different types of switches and their characteristics.

I’ll admit I didn’t do a lot of research. After a quick read on the site about the switches, I figured brown would probably suit me best, as I didn’t want to annoy my neighbours too much, and I chose the smaller Ten-Key-Less layout to keep the mouse closer (rarely am I entering large numbers in sequence, so the numeric keypad simply wastes space most of the time).

The problem: I can’t go back. Continue reading

Ubuntu Home Server 14.04

I had grand intentions.

This home server article was to be a detailed masterpiece, a complete documentation of my home server setup.

It hasn’t turned out that way, and many pieces are missing. Turns out, that writing a detailed article on setting up a server is much harder than just doing it! So what you see here is what I finally managed to publish, 5 months after actually building it. I hope you find it useful, and I don’t rule out the possibility that I may update parts of it in future. Continue reading

Ubuntu Home Server 14.04 – A DIY NAS

It’s been more than 4 years since I wrote about home servers, but my Ubuntu Home Server article was, for a while, the most popular post on this blog. Since moving to the UK though, I’ve taken a more appliance-based approach to my home network. For the last few years I’ve been using a Boxee Box for media playback, and a 4-bay Netgear ReadyNAS duo NV2+ for storage, mainly to keep the bulk of my possessions to a minimum.

The appliance approach does have advantages. It is power efficient, easy to setup, and very low maintenance. But after getting an internet connection with decent upload speed, I wanted to run CrashPlan on the NAS without having to have another PC running. I managed to get it running by following directions I found here.

There’s just one problem:

3.3 months to upload 350GB is a little too long

3.3 months to upload 350GB is a little too long

Performance is abysmal, and I’ve only selected the most important data – my photos. I’m limited not by my internet connection, but by the NAS’s anaemic CPU and lack of ram (just 256Mb). Furthermore, it’s always had very slow read and write speeds – generally around 2Mb/sec, and loading a large directory via its Samba shares can take a while.

So I started to look for a replacement. My requirements:

  • Minimum 2GB ram
  • Strong CPU, preferably x86
  • 4+ drive bays
  • Linux based OS
  • Root access to said OS

The best pre-built option I could find which meets those requirements is the Thecus N5550, but at £383 it is a long way from cheap. And it barely meets the specs; an Atom CPU is strong for a NAS but not by modern x86 standards.

While the customised software shipped with a NAS does offer some conveniences, it also gets in the way of using newer Linux features such as BTFS RAID 5/6 (which is currently not considered stable but should be within the next 12 months). You’re also reliant on the vendor for distribution upgrades, and the priority is going to be shiny features which consumers will appreciate, not keeping the foundation OS up to date. The ReadyNAS NV2+ is currently running Debian Squeeze, and will be until the day support ends.

At this point I realised that a pre-made NAS with the level of power and flexibility I wanted doesn’t exist at a realistic price point. And with the end of Boxee support its days as a useful device are numbered, so a HTPC could be on the cards as well. It’s time to build my own server again.

Continue reading

Google commits privacy seppuku at BT’s request

Update – Since this was posted, Max Allan and Damion Yates have investigated further and found that BT are intercepting DNS queries and replying with doctored DNS results, which I didn’t notice when originally researching this article. The title is therefore not entirely accurate, and BT are most probably doing this without any special treatment from Google, but the point that Google is facilitating this (by performing http redirects) stands. Please keep this in mind as you read :)

–Alex 25/11/2014

As I’m currently in temporary accommodation I have found myself without a permanent internet connection. 3G service in the area is pretty spotty, so I bit the bullet and ended up purchasing a single month BT Wifi pass, effectively piggy-backing a neighbours connection. I’m guessing they see very little of the £39 I paid.

It is well-known that BT has filtering in place, supposedly for the protection of children, as required by the UK government. I don’t agree with this policy, but accept that many do.

However when it starts to affect privacy, I feel that BT’s meddling of my internet connection has gone too far.

Case in point, when using Google on BT Wifi I happened to notice a new message on the side:

SSL search is off

This network has turned off SSL search, so you cannot see personalised results.

The security features of SSL search are not available. Content filtering may be in place.

Learn More | Dismiss

After digging into it, I’ve found that statement to be demonstrably false. In actual fact what it should say is; “We have disabled SSL search on behalf of your network provider.”

To which I say, thank you for giving me another reason to use duckduckgo.

Continue reading