All posts by admin

john-hunt.com back online

After quite some time I’ve managed to get my server back online. The issue was that running it on a Raspberry Pi 3 alongside other things pretty much ensured the OOM killer would kick in and start killing things off.

I got one of those HP EliteDesk PCs for only £40 off eBay to host this and it’s superb! The site now runs in a Docker container on a low-powered 8 GB system. You get far more bang for your buck this way compared to a Raspberry Pi.

In terms of comments, it turns out I have about 3500 unmoderated comments, so it’s likely I’ll have to just bin them all due to time constraints. Apologies if you’ve written something useful.

I’ve got some interesting posts coming soon, including how this is all hosted now (major upgrades all around in that sense, but for no (big) extra cost), some cool things I’ve been playing with, and much more.

Docker OS X / Homebrew quick start

This post is mostly for my own reference. I’m still in the very early stages of understanding and using Docker.


# The docker CLI client (it only talks to a Docker daemon; on its own it runs nothing)
brew install docker

# Tool for creating and managing Docker hosts: a VM (or a remote machine) running the
# Docker daemon, i.e. the 'whale' that actually holds the containers
brew install docker-machine

# Create a local Docker host using VirtualBox as the VM, and call it 'dev'.
# docker-machine also has drivers for cloud providers, so the same command can
# create hosts off in the cloud as well as locally.
docker-machine create --driver virtualbox dev

# Nothing worked properly until I did this. `docker-machine env dev` prints export
# lines for DOCKER_HOST, DOCKER_CERT_PATH, DOCKER_TLS_VERIFY and DOCKER_MACHINE_NAME;
# eval'ing them points the docker client at the 'dev' machine (over TLS) for this shell.
eval "$(docker-machine env dev)"

# Pull the docker/whalesay image from Docker Hub (defaults to the :latest tag).
# An image is the template; a container is a running instance of it.
docker pull docker/whalesay

# Start a container from the whalesay image and run cowsay in it with the argument 'boo'
docker run docker/whalesay cowsay boo

Of course, this gets more interesting when you’re running Redis, nginx and so on. I’m not sure about Dockerfiles yet, but they’re probably fairly simple. I’m really not sure about deployment.

Hashcat quick start!

I recently had to use hashcat to verify some user credentials. Here are the commands I used:

# Salted MD5 passwords, all using the same salt, hashed as md5(salt + password):
#   -m 20  hash mode md5($salt.$pass)  (-m 10 would be md5($pass.$salt); salt order matters)
#   -a 0   straight (dictionary) attack, one candidate per wordlist line
#   -e     salt file holding the single shared salt (a hashcat-legacy option; current
#          hashcat has no -e and expects hash:salt on each input line instead)
#   -o     write cracked hash:plaintext pairs to this file
hashcat -o found-passwords.pot -e salt.txt -m 20 -a 0 input-passwords.txt hashkiller.dic

The input file is just the hashes from the database, one hash per line. I think you can put a :salt after each hash (hash:salt) and omit the -e salt.txt from the command to use unique salts.
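As an added example (this is not code from the original post, and the salts, passwords and wordlist below are constructed): a small Python reference implementation of what hashcat’s -m 20 mode computes, md5(salt + password), together with the hash:salt input line format and a straight dictionary attack over it. It is useful for checking that an input file is in the right shape, and for producing known-answer test lines, before handing a real dump to hashcat.

```python
import hashlib
import re


def md5_salt_pass(salt: str, password: str) -> str:
    """hashcat -m 20: md5($salt.$pass), as a lower-case hex digest."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def md5_pass_salt(salt: str, password: str) -> str:
    """hashcat -m 10: md5($pass.$salt). Included to show that salt order
    changes the digest, so picking the wrong mode cracks nothing."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def hashcat_line(digest: str, salt: str) -> str:
    """One input line in hashcat's hash:salt form, the per-user-salt
    alternative to a single shared salt file."""
    return f"{digest}:{salt}"


# The digest has a fixed length, so the first colon after 32 hex chars is the
# separator even if the salt itself contains colons.
HASH_SALT_LINE = re.compile(r"^([0-9a-fA-F]{32}):(.*)$")


def parse_line(line: str):
    """Split a hash:salt line; normalise the digest to lower case."""
    m = HASH_SALT_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a hash:salt line: {line!r}")
    return m.group(1).lower(), m.group(2)


def dictionary_attack(lines, wordlist):
    """Straight attack (-a 0): try every wordlist entry against every hash:salt line.
    Returns {digest: plaintext} for each line that cracked, like the -o potfile."""
    found = {}
    for line in lines:
        digest, salt = parse_line(line)
        for word in wordlist:
            if md5_salt_pass(salt, word) == digest:
                found[digest] = word
                break
    return found


# Constructed sample data (hypothetical users, salts and passwords, not from any real dump).
SAMPLE_USERS = {
    "alice": ("k3Wq", "boo"),
    "bob": ("z9Pa", "letmein"),
    "carol": ("k3Wq", "notinlist"),  # shares alice's salt, password absent from the wordlist
}
SAMPLE_WORDLIST = ["password", "boo", "123456", "letmein"]
SAMPLE_LINES = [hashcat_line(md5_salt_pass(salt, pw), salt) for salt, pw in SAMPLE_USERS.values()]


if __name__ == "__main__":
    cracked = dictionary_attack(SAMPLE_LINES, SAMPLE_WORDLIST)
    for line in SAMPLE_LINES:
        digest, _salt = parse_line(line)
        print(line, "->", cracked.get(digest, "<not cracked>"))
```

Feed SAMPLE_LINES to real hashcat with -m 20 -a 0 and the same wordlist and you should get exactly two cracks; if you get none, the salt order (mode 10 vs 20) or the line format is wrong, not the wordlist.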

Why you shouldn’t trust WhatsApp’s end to end encryption

Recently, the instant messaging app WhatsApp announced that it is using end-to-end encryption. While this is generally seen as a good thing, what most people seem to have forgotten is that we have absolutely no reason to trust WhatsApp.

Just because you’re told WhatsApp is using end-to-end encryption doesn’t really mean anything: what algorithms are they using, and how can we verify this? Most importantly, if the NSA (or someone else, perhaps with lots of money) asks WhatsApp to disable end-to-end encryption for a specific user, what’s to stop them? How would you know your instant messages are no longer encrypted?

What this means (at least to me) is that your supposed ‘bullet proof’ end-to-end encryption is probably worse than nothing: it’s lulling you into a false sense of security.

You can’t trust closed source encryption. Ever. Don’t start now.

2015 – The year of virtual reality

For some time now I have been keeping myself abreast of the Oculus Rift project – a brand new virtual reality kit which is due for release this year.

Normally I wouldn’t be interested in things like this but I believe this new VR headset will change the face of not only gaming but many aspects of our lives, and not always for the better.

Back in the 90s I had a go with a VR headset in London and it really put me off the idea. The terrible low resolution, the neck ache, the lag... it was really crap. From that point on virtual reality was forgotten about for another twenty years or so while the technology caught up with the concept.

Oculus aims to deliver, and supposedly does deliver, an experience which can effectively trick (part of) your brain into feeling that the experience is very real. In a nutshell, virtual reality is here and this time it’s not going away.

So many people see this as just another gaming platform. That’s cool, but I believe it will be used for many other applications such as virtual meetings, and eventually even working. Imagine working at a desk on a beach with palm trees.

It’s not all good news though. In this internet-based age people spend less and less time going outside and talking to each other. VR could well be the ultimate end to people leaving their homes. Maybe not for our generation, but I think the next generation will really struggle with this. Games like World of Warcraft have already made lots of young people reclusive gaming addicts, but with this level of realism it could do some very serious damage if not used in moderation.

Either way, 2015 marks the beginning of the virtual reality age. Personally I think this is going to be as big as, if not bigger than, the internet in terms of its impact on society. This won’t happen this year, but in the next 5 or 10 years things will be very different in the western world.

Heartbleed – why you should be really worried

If you’re not already familiar with the Heartbleed bug, have a look at this website: http://heartbleed.com/. I don’t want to talk about what it is exactly, as lots of people have done that; just why you should be more worried than you are.

If you were (or still are?!) running an affected version of OpenSSL:

  1. You almost certainly have NO way of telling whether someone attacked your server: the malicious heartbeat request is handled inside OpenSSL and never reaches your application logs.
  2. You may have been attacked through any service that used the vulnerable library for TLS, not just the web server (mail, VPN, anything that links OpenSSL).
  3. Any usernames and passwords (root or otherwise) that passed through an affected process may have been read by a remote attacker, and they remain usable until changed.
  4. Private keys held in that process’s memory, the SSL/TLS certificate key above all, may have been read. Other secrets are exposed only if an affected process had them in memory (SSH keys, for example, are not reached through sshd, which does not use TLS heartbeats).
  5. If leaked credentials or keys were then used to log in, you should consider ALL the contents of the server’s hard disk revealed to the attacker.
  6. The bug reads the memory of the affected process directly, up to 64 KB per request, so it can expose things like credit card details and other data you wouldn’t dream of storing unencrypted anywhere.
  7. Your server may have been compromised ‘quietly’, and you probably have no way of knowing unless you were running an IDS or something similar at the time.

The worst bit is, you almost certainly won’t know whether any of this has happened. I’m not a fear monger, but this really is very, very bad.
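As an added example (not code from the original post or from heartbleed.com), here is a Python check that classifies the first line of `openssl version` against the upstream Heartbleed range: 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release are affected; 1.0.1g and 1.0.2-beta2 carry the fix; the 1.0.0 and 0.9.8 branches never had the bug. The banners used as sample input are constructed strings. One caveat a practitioner needs: distributions backported the fix without bumping the upstream version (Debian and Red Hat kept shipping 1.0.1e, for instance), so a ‘vulnerable’ result here means ‘check the package changelog or the build date in `openssl version -a`’, not ‘definitely exposed’.

```python
import re
from typing import Optional, Tuple

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ...", "OpenSSL 1.0.2-beta1 ...".
# The trailing date is ignored; the optional suffix only captures pre-release tags.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, Optional[str]]]:
    """Parse an `openssl version` banner into (major, minor, fix, letter, prerelease).
    Returns None if the banner is not an OpenSSL version string."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def heartbleed_affected(banner: str) -> Optional[bool]:
    """True if the upstream version is in the CVE-2014-0160 range, False if not,
    None if the banner could not be parsed. Upstream version only: a distro build
    that backported the fix will still report its old version string here."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f are vulnerable; 1.0.1g and later are fixed.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first beta shipped the bug; beta2 and the final release are fixed.
        return pre == "beta1"
    # 1.0.0, 0.9.8 and everything from 1.1.x onwards never had the vulnerable code.
    return False


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.0k 5 Feb 2013",
    "LibreSSL 2.2.0",
]


def classify(banners) -> dict:
    """Map each banner to 'vulnerable upstream version', 'not affected' or 'unparsed'."""
    labels = {True: "vulnerable upstream version", False: "not affected", None: "unparsed"}
    return {b: labels[heartbleed_affected(b)] for b in banners}


if __name__ == "__main__":
    for banner, verdict in classify(SAMPLE_BANNERS).items():
        print(f"{banner:40s} {verdict}")
```

On a live box, pipe the real banner in: `openssl version | python3 -c 'import sys; ...'` or just paste it into SAMPLE_BANNERS. Treat a ‘vulnerable’ verdict as the start of the investigation, not the end of it.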

If you’re just a person who used a website or service that used/uses an affected version of OpenSSL:

Anything you did with that service may essentially be in the hands of an attacker: for example, your usernames and passwords, your credit card information, your emails, your uploaded Dropbox photos and work documents.

All in all, if you’ve used the Internet in the last two years, there’s a chance that your data has been stolen, and you won’t know until it’s too late.

The only small amount of good news is that hopefully nobody has been exploiting this vulnerability. Hope is never a good security measure.

My biggest concern with the whole thing is not that my server or Gmail might get attacked in the future, but that they may have been attacked without my knowing in the past. There’s not much anyone can do about this. Personal data may well have been taken, and this is something you can’t fix.

For now, and in this order: patch OpenSSL and restart every service that links it first, because new keys and passwords sent through a still-vulnerable process are just as exposed as the old ones; then generate new private keys, reissue your SSL certificates and revoke the old ones; then change passwords and invalidate existing sessions. Lock down your servers, secure your firewalls, set up IDS. Nuke your server and start again? Hope nobody really did anything too nasty. This bug may prove much worse than first thought.