All posts by Bryan

Who we trust | Building a computer

I thought I was being smart.  By not buying through AVADirect I wasn’t going to be using an insecure site to purchase my new computer.

For the curious, I ended up purchasing through eBay (A rating) and Newegg (A rating) a new Ryzen-based machine (very nice chip!) that I assembled myself. The computer is working mostly OK, but has some stability issues. A BIOS update comes out on the MSI website promising some stability fixes, so I decide to apply it.

The page that links to the download is HTTPS, but the actual download itself is not.
I flash the BIOS and now appear to have a brick.

As part of troubleshooting I find that the MSI website has bad HTTPS security, the worst page being:

Given the poor security, and now wanting a motherboard with a more reliable BIOS (currently I need to send the board back at my expense for an RMA), I looked at other Micro ATX motherboards, starting with a Gigabyte board, which has even fewer pages using any HTTPS, and the ones that do are even worse:

Unfortunately, a survey of motherboard vendors indicates that MSI, even failing with Fs, might be in second place. Most just have everything in the clear, including passwords. ASUS clearly leads the pack, but no one protects the actual firmware/drivers you download from them.

| Vendor | Main Website | Support Site | RMA Process | Forum | Download Site | Actual Download |
|---|---|---|---|---|---|---|
| MSI | F | F | F | F | F | Plain text |
| AsRock | Plain text | Email | Email | Plain text | Plain text | Plain text |
| Gigabyte (login site is F) | Plain text | Plain text | Plain text | Plain text | Plain text | Plain text |
| EVGA | Plain text default/A- | Plain text | Plain text | A | Plain text | Plain text |
| ASUS | A- | A- | B | Plain text default/A | A- | Plain text |
| BIOSTAR | Plain text | Plain text | Plain text | n/a? | Plain text | Plain text |

A quick glance indicates that vendors that make full systems use more security (ASUS and MSI being examples of system builders).

We rely on the security of these vendors for most self-built PCs. We should demand HTTPS by default across the board. It’s 2017 and a BIOS file is 8 MB; cost hasn’t been a factor for years.
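The "HTTPS page, plain-HTTP download" situation above is easy to miss by eye, so here is an added example (my own code, not from the original post or any vendor) that walks every link on a download page and flags the ones that do not resolve to HTTPS. The page URL and HTML are constructed sample input, not a real vendor site.

```python
# Added example, not from the original post: audit the links on a vendor
# download page and flag any whose resolved URL is not HTTPS, which is the
# situation described above (HTTPS page, plain-HTTP BIOS download). The page
# URL and HTML below are constructed sample input, not a real vendor site.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_PAGE_URL = "https://support.example-vendor.test/board/bios"
SAMPLE_HTML = """<html><body>
<a href="/board/bios/notes">Release notes</a>
<a href="http://download.example-vendor.test/bios/bios-1b0.zip">BIOS 1.B0</a>
<a href="//cdn.example-vendor.test/drivers/chipset.exe">Chipset driver</a>
<a href="https://download.example-vendor.test/manual.pdf">Manual</a>
<a href="ftp://ftp.example-vendor.test/bios/bios-1a0.zip">Previous BIOS</a>
</body></html>"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> element in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def audit_download_links(page_url, html):
    """Return [(href, resolved_url, is_https)] for every link on the page.

    Relative and protocol-relative hrefs resolve against page_url, so
    "//host/file" on an HTTPS page counts as HTTPS, while an explicit
    http:// or ftp:// href is flagged even though the page itself is secure.
    """
    collector = LinkCollector()
    collector.feed(html)
    return [(href, urljoin(page_url, href),
             urlsplit(urljoin(page_url, href)).scheme == "https")
            for href in collector.hrefs]

def insecure_links(page_url, html):
    """Only the resolved URLs that are not served over HTTPS."""
    return [url for _, url, ok in audit_download_links(page_url, html) if not ok]

if __name__ == "__main__":
    for href, url, ok in audit_download_links(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("OK      " if ok else "INSECURE", url)
```

Point it at a saved copy of a real download page (fetch it over HTTPS first) and anything reported as INSECURE is a file you are trusting the network path for.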

Juju’s localhost LXD now works with offline images

Some environments are required to have no direct Internet access. Prior to Juju 2.1.x it wasn’t possible to use Juju locally with LXD without the Internet.

Prereq: Set up Juju 2.1.x and LXD however you usually do in that environment.

  1. Get the LXD-importable image tarballs and move them to the offline machine
    wget https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-lxd.tar.xz https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-root.tar.xz
  2. Import the image and assign it an alias so Juju knows to use it
    lxc image import xenial-server-cloudimg-amd64-lxd.tar.xz xenial-server-cloudimg-amd64-root.tar.xz --alias juju/xenial/amd64
  3. It’s a good idea to confirm that LXD can launch the image fine
    lxc launch juju/xenial/amd64
  4. Bootstrap and start deploying charms
    juju bootstrap localhost
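Step 1 moves two large tarballs across to a machine that cannot re-download them, so it is worth checking they arrived intact before importing. This is an added example (my own code, not part of the original post or of Juju/LXD); it assumes a SHA256SUMS file in the usual `hexdigest *filename` format was fetched over HTTPS alongside the images and moved with them. The sums text and files it checks are constructed sample data.

```python
# Added example, not part of the original post: verify the two tarballs after
# moving them to the offline machine. Assumes a SHA256SUMS file (format
# "hexdigest *filename") was fetched over HTTPS alongside the images and moved
# with them. The sums text and files below are constructed sample data.
import hashlib
import os
import tempfile

IMAGE_FILES = ["xenial-server-cloudimg-amd64-lxd.tar.xz",
               "xenial-server-cloudimg-amd64-root.tar.xz"]

def parse_sha256sums(text):
    """Map filename -> lowercase hex digest; skips blank or malformed lines."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected

def sha256_file(path, chunk=1 << 20):
    """Hash a large file without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_images(directory, sums_text, names=IMAGE_FILES):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    expected = parse_sha256sums(sums_text)
    status = {}
    for name in names:
        path = os.path.join(directory, name)
        if name not in expected:
            status[name] = "unlisted"
        elif not os.path.isfile(path):
            status[name] = "missing"
        else:
            status[name] = "ok" if sha256_file(path) == expected[name] else "mismatch"
    return status

def demo():
    """Constructed scenario: the -lxd tarball arrived intact, the -root one did not."""
    d = tempfile.mkdtemp()
    lxd_bytes, root_bytes = b"constructed lxd metadata", b"constructed rootfs"
    with open(os.path.join(d, IMAGE_FILES[0]), "wb") as f:
        f.write(lxd_bytes)
    with open(os.path.join(d, IMAGE_FILES[1]), "wb") as f:
        f.write(root_bytes[:-1])  # truncated during the transfer
    sums = "%s *%s\n%s *%s\n" % (hashlib.sha256(lxd_bytes).hexdigest(), IMAGE_FILES[0],
                                 hashlib.sha256(root_bytes).hexdigest(), IMAGE_FILES[1])
    return verify_images(d, sums)
```

Only run the `lxc image import` from step 2 when every entry comes back `ok`; a `mismatch` on the rootfs tarball is exactly what a truncated or tampered copy looks like.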

This is just one part of running offline. This may only work if you have a local package mirror that the LXD image is able to detect, as it does need to install some packages.

Additionally, some charms may download software directly from Internet sites, so those would need further workarounds.

Fixed bug: https://bugs.launchpad.net/juju/+bug/1650651

RSS Reading – NewsBlur

Bye Tiny

Some recent hacking attempts at my site had convinced me to reduce the number of logins I had to protect on my personal site.   That’s what motivated a move from the -still- awesome Tiny Tiny RSS that I’ve been using since Google Reader ended.   I only follow 13 sites and maintaining my own install simply doesn’t make sense.

* None of the hacking attempts appeared to be targeting Tiny Tiny RSS ~ but then again I’m not sure if I would have noticed if they were.

Enter NewsBlur

My favorite site for finding software alternatives quickly settled on a few obvious choices. Then I noticed that one of them was both open source and hosted on its own servers with a freemium model.

It was NewsBlur

I decided to try it out and haven’t looked back. The interface is certainly different from Tiny (and after 3 years I was very used to Tiny), but I haven’t really thought about it after the first week. The only item I found a bit difficult to use was arranging folders; I’d really prefer drag and drop. I only needed to do it once, so not a big deal.

The free account has some limitations, such as a limit on the number of feeds (64), a limit on how often they update, and no ability to save stories. The premium account is only $24 a year, which seems very reasonable if you want to support this service or need those features. As of this writing there were about 5800 premium and about 5800 standard users, which seems like a healthy ratio.

Some security notes: the site gets an A on SSLLabs.com, but they do have HSTS explicitly turned off. I’m guessing they can’t enable HSTS because they need to serve pictures directly off other websites that are HTTP only.

NewsBlur’s code is on GitHub, including how to set up your own NewsBlur instance (it’s designed to run on 3 separate servers) or a copy for testing/development. I found it particularly nice that the guide the site operator checks when NewsBlur goes down is public. Now, that’s transparency!

They have a bunch of other advanced features (still in free version) that I haven’t even tried yet, such as:

  • finding other stories you would be interested in (Launch Intel)
  • subscribing to email newsletters to view in the feed
  • Apps for Android, iPhone and suggested apps for many other OSes
  • Global sharing on NewsBlur
  • Your own personal (public in free version) blurblog to share stories and your comments on them

Give NewsBlur a try today.  Let me know if you like it!

I’d love to see more of this nice combination of hosted web service (with paid & freemium version) and open source project.  Do you have a favorite project that follows this model?   Two others that I know of are Odoo and draw.io.

Once your organization gets big enough…

it’s harder to keep everyone on the same page.  These are two emails I got from Mozilla in the last month.

Short Story:
MDN (their Wiki) is requiring everyone use a GitHub account now.
While addons.mozilla.org (add-on authors/reviewers) is requiring everyone use a Firefox account now.
(Bugzilla can do a local account, a Persona account, or Github)

Just to be clear, this isn’t an issue specific to Mozilla, but I’d expect them to support OpenID more if their Persona initiative failed.

Aug 18
“Dear MDN contributor,

You are getting this message because you use Persona to log in to your account on MDN.

We are discontinuing Persona as a sign-in method. If you want to keep access to your account, you must link your profile to a GitHub account.

If you do not have a GitHub account, you will need to create one.

If you do not link your profile to a GitHub account by Oct. 31, you will not be able to log in to MDN using your current profile, create or update pages, or update your profile. We recognize that this is an inconvenience, and we apologize.

If you have questions, please let us know. You can also read more on MDN about this change.

Thank you,
The MDN Team”

July 28th
“In February 2016 we turned on Firefox Accounts as an authentication source for addons.mozilla.org (AMO). Since then, 80% of the developers who have visited AMO have migrated their account to a Firefox Account. We are writing to remind you to migrate your account as well.

We urge you to do so in the next few weeks, when the migration wizard will close and you will no longer be able to log in using your old AMO credentials. You can start the migration flow at https://addons.mozilla.org/users/login today.

After migration closes, you can still log in to your AMO account, but first you’ll have to create a Firefox Account (https://accounts.firefox.com/) using the same email address you use for your AMO account.

Sincerely,
The AMO Team”

When should i386 support for Ubuntu end?

Are you running i386 (32-bit) Ubuntu?   We need your help to decide how much longer to build i386 images of Ubuntu Desktop, Server, and all the flavors.

There is a real cost to support i386 and the benefits have fallen as more software goes 64-bit only.

Please fill out the survey here ONLY if you currently run i386 on one of your machines.  64-bit users will NOT be affected by this, even if you run 32-bit applications.
http://goo.gl/forms/UfAHxIitdWEUPl5K2