URL: https://adamlea.ch/
Submission: On January 13 via api from US — Scanned from CH


ADAM LEACH

views of a developer


© 2023. All rights reserved.


HSBC POOR SECURITY POLICIES

23 Mar 2015

HSBC has for several years provided a key fob to log in and authorise
transactions on its web site.

Recently they upgraded their mobile applications to generate the secure codes
themselves, removing the need for a separate device that is easily lost.

During signup the app asks a few questions and for a new password. The text
states that passwords must be over 6 characters, so for security I used LastPass
to generate a 30 character password.

This was accepted, but only 8 characters were shown on the screen. After double
checking, it turned out that the application had silently discarded the other
22 characters and set my password to an 8 character password without any
warning.

I feel this is especially dangerous for the following reasons:

 * If I hadn't paid attention I wouldn't have noticed; the app gave no
   indication that the password it stored was not the one I typed.
 * If you follow the XKCD recommended password system of four words joined
   together, only the first word and a space or so survive, so your password
   will be very insecure.
 * Who thinks 8 characters is acceptable?
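The truncation described above, modelled as an added example (code written for this page, not the post's own and not HSBC's): a password store that silently keeps only the first 8 characters, beside a hardened one that refuses anything it cannot store in full. The "over 6" minimum and the 8 character limit come from the post; the 128 character cap on the hardened version, the store names and the two passphrases are assumptions made here for the illustration.

```python
import hashlib
import hmac
import os

# Limits as the post describes them: passwords must be "over 6 characters",
# and the app silently keeps only the first 8.
MIN_LEN_EXCLUSIVE = 6
HSBC_MAX_LEN = 8

# Upper bound for the hardened store.  Assumed here; the post gives none.
SANE_MAX_LEN = 128


def hash_password(password, salt):
    """Derive a verifier from the password.  The KDF itself is incidental;
    what matters is which characters are fed into it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingPasswordStore:
    """Models the behaviour the post describes: the submitted password is cut
    to 8 characters, both when it is set and when it is checked, and no
    error is ever raised."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.verifier = None

    def set_password(self, password):
        if len(password) <= MIN_LEN_EXCLUSIVE:
            raise ValueError("password must be over 6 characters")
        # The silent truncation: everything after position 8 is thrown away.
        self.verifier = hash_password(password[:HSBC_MAX_LEN], self.salt)

    def verify(self, password):
        candidate = hash_password(password[:HSBC_MAX_LEN], self.salt)
        return hmac.compare_digest(self.verifier, candidate)


class StrictPasswordStore:
    """Hardened form: never alter what the user submitted.  A password the
    system cannot store in full is rejected with an error, not shortened."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.verifier = None

    def set_password(self, password):
        if len(password) <= MIN_LEN_EXCLUSIVE:
            raise ValueError("password must be over 6 characters")
        if len(password) > SANE_MAX_LEN:
            raise ValueError(
                f"password longer than {SANE_MAX_LEN} characters; "
                "refusing rather than truncating"
            )
        self.verifier = hash_password(password, self.salt)

    def verify(self, password):
        if len(password) > SANE_MAX_LEN:
            return False
        return hmac.compare_digest(self.verifier, hash_password(password, self.salt))


def collision_demo():
    """Two XKCD-style passphrases that share their first 8 characters.
    Under truncation they are the same password; under the strict store
    they are not."""
    chosen = "correct horse battery staple"
    lookalike = "correct horse battery apples"  # differs only after position 8
    weak = TruncatingPasswordStore()
    weak.set_password(chosen)
    strict = StrictPasswordStore()
    strict.set_password(chosen)
    return (
        weak.verify(lookalike),     # True: only "correct " was ever stored
        weak.verify(chosen[:8]),    # True: the real secret is 8 characters long
        strict.verify(lookalike),   # False
        strict.verify(chosen[:8]),  # False
    )


if __name__ == "__main__":
    print(collision_demo())
```

The point of the strict version is not the larger limit but the refusal: whatever maximum a system chooses, a password that exceeds it must produce an error the user sees, never a shorter secret the user does not know about.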

So I asked HSBC Help UK on Twitter.

@HSBC_UK_Help why are passwords for digital secure key limited to 8 characters?
Not very secure.
4:03 PM - Mar 22, 2015

@addersuk Hi Adam. It is a business decision, as we believe it’s long enough to
be secure but short enough to be remembered.^JB — HSBC UK Help (@HSBC_UK_Help)
March 22, 2015

@HSBC_UK_Help so why does your app let me enter a longer password and then
truncate the password?

@addersuk I am sorry if this has caused you any inconvenience Adam. Have you
managed to set up a password now?^JB — HSBC UK Help (@HSBC_UK_Help) March 22,
2015




I feel this raises wider concerns about HSBC's security: if this is the policy
they are willing to apply to their own login system, it is hard to have
confidence in the rest.


ALTERNATIVES TO MICROSOFT SQL SERVER

10 May 2014

Microsoft SQL Server licensing is expensive, but you do get the benefit of very
good development tools and integration. There are three editions:

 * Web – no performance tools, SSIS or replication
 * Standard
 * Enterprise

Alternatives to Microsoft SQL Server are:

 * MySQL – Currently owned by Oracle and slowly being moved away from open
   source. It is a quick database, but it misses a lot of the features of SQL
   Server and is very slow at stored procedures and views, which your current
   system uses extensively. MySQL simplifies database development, which is
   why it is the most popular database system. There are a number of
   compatible forks, including MariaDB and Percona Server.
 * Postgres – Fantastic open source database with excellent performance and
   features. It grew out of the Berkeley Ingres project, is under constant
   development, and has recently added a number of features to compete with
   NoSQL databases like MongoDB.
 * Ingres – Sadly neglected by its owners over the past 10-20 years.
 * Other commercial databases – IBM DB2, Oracle, etc., all very expensive.

If I had to choose a database system for a new project, I would go for
Postgres. However, there are a number of risks with Postgres when migrating an
existing project:

 * The current system will need changing to work. The Postgres driver and
   database might not have the same abilities and features as the Microsoft
   drivers, and T-SQL-specific syntax in queries, views and stored procedures
   will need rewriting.
 * Migrating to a different database will be difficult and will probably need
   training and support for current staff. You would need significant
   downtime to migrate the data from one system to the other.
 * Less used in industry, so experienced staff are not easily available.
 * Development tools are not fully integrated into IDEs like Visual Studio.
 * Less documentation/blogs/advice available due to lower usage.
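To make the first risk concrete, here is an added example (written for this page, not taken from the post) of the kind of check you would run over an existing code base before committing to a migration: a small scan for T-SQL-only constructs that reports each with its usual PostgreSQL equivalent. The construct table and the sample query are constructed for the illustration and are a starting point, not a complete dialect map.

```python
import re

# T-SQL constructs that will not run unchanged on PostgreSQL, each paired with
# the usual replacement.  Illustrative and deliberately incomplete.
TSQL_CONSTRUCTS = [
    (r"\bSELECT\s+TOP\s+\(?\d+\)?", "use LIMIT n at the end of the query"),
    (r"\bGETDATE\s*\(\s*\)", "now() or CURRENT_TIMESTAMP"),
    (r"\bISNULL\s*\(", "COALESCE(a, b)"),
    (r"\bNVARCHAR\b", "VARCHAR or TEXT (PostgreSQL strings are already Unicode)"),
    (r"\bIDENTITY\s*\(", "SERIAL or GENERATED ALWAYS AS IDENTITY"),
    (r"\bDATEADD\s*\(", "date arithmetic with INTERVAL"),
    (r"\bLEN\s*\(", "length()"),
    (r"\bEXEC(?:UTE)?\s+\w+", "CALL procedure() or SELECT function()"),
    (r"\bdbo\.", "drop the schema prefix or use public."),
    (r"\[[A-Za-z_][A-Za-z0-9_ ]*\]", "quote identifiers with double quotes"),
]

_COMPILED = [(re.compile(p, re.IGNORECASE), hint) for p, hint in TSQL_CONSTRUCTS]


def find_tsql_constructs(sql):
    """Return (line_number, matched_text, hint) for every T-SQL-only construct,
    scanning line by line so findings map back to the source file."""
    findings = []
    for lineno, line in enumerate(sql.splitlines(), start=1):
        for pattern, hint in _COMPILED:
            for match in pattern.finditer(line):
                findings.append((lineno, match.group(0), hint))
    return findings


def report(sql):
    """Human-readable summary, one line per finding."""
    lines = [
        f"line {n}: {text!r} -> {hint}" for n, text, hint in find_tsql_constructs(sql)
    ]
    return "\n".join(lines) if lines else "no T-SQL-specific constructs found"


# Constructed sample, typical of application code written against SQL Server.
SAMPLE_TSQL = """\
SELECT TOP 10 [CustomerName], ISNULL(Email, '') AS Email
FROM dbo.Customers
WHERE Created > DATEADD(day, -30, GETDATE())
"""

if __name__ == "__main__":
    print(report(SAMPLE_TSQL))
```

Run against a schema dump or the stored-procedure sources, the count of findings is a rough but honest measure of how much of the "current system will need changing" before any licence saving is real.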

Unfortunately there is no simple replacement, and although you might save money
on licensing fees, you may end up spending the savings elsewhere.

However, if you're starting a new project, I would use it.


INSTALLING RUBY 1.9, RAILS 3 AND PASSENGER ON DEBIAN LENNY OR SQUEEZE

30 Apr 2012

The following is how I got a Ruby on Rails app running on Debian Lenny.

First edit your apt sources list to add the Squeeze backports repository, which
provides a recent, stable Rails. Then install Ruby 1.9.1 and the gems you need:



apt-get install ruby1.9.1-full
gem1.9.1 install rails
gem1.9.1 install rubygems-update
gem1.9.1 install rake

These commands install the Ruby libraries under /var/lib/gems/1.9.1/. You can
now deploy the Ruby on Rails app to the web server. The app's gems may need a
few development packages for MySQL, XML and XSLT, so you may need to install
the following:

apt-get install libxml2-dev  libxslt1-dev libmysqlclient-dev

Once this is complete change to the directory and run
/var/lib/gems/1.9.1/bin/bundle install

This will install all the required Gems for the application.

Now we need to install passenger.

gem1.9.1 install passenger

If you use Apache, you will then need the Passenger Apache module. Building it
requires a number of development libraries that might not be installed. They
can be installed using:

apt-get install build-essential libssl-dev zlib1g-dev apache2-prefork-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev

Once that is complete, run the following:
/var/lib/gems/1.9.1/bin/passenger-install-apache2-module

The installer prints the LoadModule, PassengerRoot and PassengerRuby lines that
Apache needs. Put the LoadModule line in passenger.load, enable the module and
restart Apache:

vi /etc/apache2/mods-available/passenger.load
a2enmod passenger
/etc/init.d/apache2 restart


NETGEAR READYNAS BACULA BACKUP

08 Jul 2011

Bacula is an enterprise open source network backup system that can back up all
your servers to a central place.

It works by running a Bacula File Daemon on each server, which talks to a
central Director that manages backup and restore requests and hands the data to
Storage Daemons. I use a Netgear ReadyNAS, and these can run the Bacula Director
and Storage Daemon, keeping your backup solution in one place.


SECURING SSH

11 Aug 2010

SSH is a great service, but it is exposed to dictionary attacks that can give
attackers access to the server. (Disabling password authentication in sshd and
allowing only key-based logins removes this class of attack outright; what
follows is for servers where passwords must stay enabled.)

One great tool for limiting the success of dictionary attacks against your SSH
service is DenyHosts. It monitors the authentication logs of your server, and
when it detects 3 failed logins from an IP address it adds that address to
/etc/hosts.deny. Note that sshd only honours /etc/hosts.deny when it is built
with TCP Wrappers (libwrap) support, which Debian's package was at the time.



To improve the service further, it has an optional distributed service that
notifies you of IP addresses actively attempting to log in to other people's SSH
servers, by synchronising with a central server. You can therefore block an IP
address before it even attempts to log in to your server.

The only downside of DenyHosts is that developers and users of your servers have
a tendency to forget their passwords occasionally and then get blocked from the
server entirely, but that is easily fixed: remove the entry from
/etc/hosts.deny and add the address to DenyHosts' allowed-hosts list so it is
not re-added.
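As an added example of the detection logic DenyHosts applies (code written for this page, not DenyHosts itself): count failed-password lines per source address over a sample of auth.log, block at 3 hits, and honour an allowlist so a forgetful colleague does not lock themselves out. The log lines are constructed in Debian's syslog format, and the addresses are documentation ranges, not real traffic.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines.  Hostnames and addresses are
# documentation-range values, not real traffic.
SAMPLE_AUTH_LOG = """\
Aug 11 03:21:07 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 11 03:21:09 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 11 03:21:12 web1 sshd[4122]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 11 03:21:15 web1 sshd[4124]: Failed password for invalid user oracle from 203.0.113.5 port 51248 ssh2
Aug 11 03:25:40 web1 sshd[4130]: Failed password for adam from 198.51.100.7 port 40012 ssh2
Aug 11 03:25:52 web1 sshd[4130]: Accepted publickey for adam from 198.51.100.7 port 40012 ssh2
Aug 11 03:30:01 web1 sshd[4140]: Failed password for adam from 192.0.2.10 port 40100 ssh2
Aug 11 03:30:05 web1 sshd[4140]: Failed password for adam from 192.0.2.10 port 40100 ssh2
Aug 11 03:30:09 web1 sshd[4140]: Failed password for adam from 192.0.2.10 port 40100 ssh2
Aug 11 03:30:13 web1 sshd[4142]: Failed password for adam from 192.0.2.10 port 40104 ssh2
"""

# OpenSSH logs both "Failed password for USER" and "Failed password for
# invalid user USER"; the optional group covers the second form.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Number of failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3, allowlist=frozenset()):
    """IPs at or above the threshold, minus any the admin has allowlisted
    (the fix for the forgetful-developer problem mentioned above)."""
    counts = count_failures(log_text)
    return sorted(
        ip for ip, n in counts.items() if n >= threshold and ip not in allowlist
    )


def hosts_deny_lines(ips):
    """Entries in the /etc/hosts.deny form DenyHosts writes: 'sshd: <ip>'."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    # 192.0.2.10 is the office address in this scenario, so it is never blocked.
    blocked = offenders(SAMPLE_AUTH_LOG, allowlist={"192.0.2.10"})
    print("\n".join(hosts_deny_lines(blocked)))
```

The single "Accepted publickey" line in the sample is deliberately ignored by the pattern; a successful key login after a couple of typos should not count towards a block, which is also why an allowlist for known addresses belongs in any real deployment of this idea.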
