AWS Tips I Wish I'd Known Before I Started

Moving from physical servers to the "cloud" involves a paradigm shift in thinking. Generally in a physical environment you care about each individual host; they each have their own static IP, you probably monitor them individually, and if one goes down you have to get it back up ASAP. You might think you can just move this infrastructure to AWS and start getting the benefits of the "cloud" straight away. Unfortunately, it's not quite that easy (believe me, I tried). You need to think differently when it comes to AWS, and it's not always obvious what needs to be done.

So, inspired by Sehrope Sarkuni's recent post, here's a collection of AWS tips I wish someone had told me when I was starting out. These are based on things I've learned deploying various applications on AWS both personally and for my day job. Some are just "gotchas" to watch out for (and that I fell victim to), some are things I've heard from other people that I ended up implementing and finding useful, but mostly they're just things I've learned the hard way.

Protecting Yourself Against Insecure Websites

There's a big problem with the internet right now: there are a large number of websites storing passwords insecurely. It seems there are lots of bad developers out there who don't know how to store passwords properly. That's fine, it's not really their fault, everyone had to learn at some point, and some people just haven't come across the information yet. Perhaps "bad" isn't the right word, "inexperienced" would be a better description. The life of a programmer is one of constant learning after all (if you're a decent programmer, the worst code you've ever seen is likely to be code you wrote a few years earlier).

But nowadays, there isn't room for inexperience when it comes to basic security. Many websites out there are storing passwords incorrectly, plain and simple. Big sites are not immune to such issues: there are the recent stories of both LinkedIn and Last.fm, neither of which were storing their passwords properly, putting their users at risk. But do users even know they're at risk?

In the UK last summer, there were a lot of tweets posted around about how Tesco, a supermarket chain, were not storing passwords properly. Does the average online grocery shopper really understand why it's bad that their password was emailed to them in plaintext? I highly doubt it.

As people who do understand why it's bad, what can we do? Sure, we could stop using such services in protest, but that's not always feasible. Having to use some websites is just a necessary evil, whether it's because we don't have a choice or simply out of convenience. But there is something you can do to protect yourself against sites storing your passwords incorrectly.

Fix Graphics in Ubuntu 10.04 Lucid Lynx on a Toshiba Portégé

This is a brief follow on from my previous note on how to fix networking for the same setup.

After recently purchasing the awesome Humble Bundle V, it became apparent that I'd never got the graphics working properly on my laptop with Ubuntu 10.04. For those crazy people out there who, like me, want to run Ubuntu 10.04 on their new laptop, here's how to get the graphics drivers installed and working.

Fix Networking in Ubuntu 10.04 Lucid Lynx on a Toshiba Portégé

It's been a while since I've written anything here, so I figured I'd start getting into the habit again with a quick note.

I recently got a new Toshiba Portégé laptop (Z835-ST6N03), onto which I immediately loaded Ubuntu 10.04. Unfortunately, 10.04 is getting a bit old, yet the hardware in the laptop is quite recent, so neither Ethernet nor wireless networking worked.

Now, I could have just put on 11.10, or even the 12.04 beta, and it would work straight away (I know, because I tried). If you're happy to use later versions, then that's going to be the best way. Unfortunately, I cannot stand the direction Ubuntu has gone in. Despite being able to ditch Unity for Gnome, and to run Gnome in fallback mode so it's similar to Gnome 2, I still couldn't use the system the way I wanted to. Other applications had been "simplified" to such an extent that it was just excruciating to use. So I resigned myself to using my favourite version and trying to get networking to work the hard way.

Since someone else may be just as crazy as me and want to get Ubuntu 10.04 up and running on their Portégé, I thought I'd document how I got it working.

Secure Session Management Tips

Most (if not all) modern websites use sessions to control the experience for individual users, and to maintain state between requests (since HTTP is a stateless protocol after all). Sessions are fantastic and incredibly useful, but if managed incorrectly they can expose your website to security vulnerabilities and potentially allow a malicious attacker to gain unauthorised access to user accounts.

Of course, the biggest tip is that you should really just use a pre-built framework with tried and tested session management code, where security experts have reviewed and verified it and the bugs have been identified and fixed. But I never listen to myself... I've been building a new site in my spare time recently and got to the point of writing the session management code. This seemed like a good subject to try and get myself into the habit of updating my notes more regularly.

So while certainly not an exhaustive list, here are 11 of my tips on managing sessions and avoiding some common security vulnerabilities (yes, this post goes all the way to 11). I'm using PHP in the code examples, but the principles apply to any other language. In fact, PHP does a very good job of automatically protecting against most of the attacks the tips discuss, but this isn't necessarily the case for other languages, so the principles are still important to understand.

Cross Site Request Forgery (CSRF/XSRF)

If you're building a site that allows users to update any sort of information (so most websites), then you should probably think about protecting against Cross Site Request Forgery (referred to as CSRF or XSRF). Being susceptible to this type of attack can be annoying in some cases, but extremely dangerous in others. Unfortunately, it's not the type of attack that's easy to understand at first, and it's not immediately obvious how to prevent such an attack. Because of this, protecting against XSRF is often overlooked, even on some big name websites.