The kernel of my home office

I'm not a computer security expert, but it's been part of my work for many years, in different forms.  A very long time ago, a friend hired me to write up a primer for internet security, and ever since then it's been a theme that's sat in the background and pops up every now and then . But lately, it's started to feel like more than a theme, and but indeed a passion. You may consider computer and internet security to be a dry subject, or maybe you imagine feelings of smugness or righteousness, but "passion" is the right word for what I'm feeling. Here's google's definition: Passion: 1. a strong and barely controllable emotion. 2. the suffering and death of Jesus. Okay, let's just go with number 1. for now. If you followed my link above to other posts about security, you'll notice one from eight years ago where I mused on the possibility of the discovery of a flaw in how https works. Weirdly enough, a flaw in https was discovered shortly...

What Are Managed Services? " Managed services " is an offering of many businesses that provide Internet services. In the past couple of years, it's a term I've used to describe what I offer in my Blackfly Solutions Drupal and CiviCRM hosting business . You may not know whether you would want such a thing, since it's a very badly named thing.  This post will try and give a reason for why managed services is a thing at all, how it can be a good thing, and why it may be what you want. Here's the short version: managed services exist to fill the gap between what machine automation can reasonably provide and what people actually want. In a subsequent post, I'll explain how containers can be a useful tool for delivering managed services. What Do You Mean by Services? A "service" in the "managed services" context is the consumer-oriented one, i.e. something a consumer wants that they get from a service provider. For example: "hosting for ...

In my previous two posts, I provided some background into why I decided on using containers for a boutique Drupal + CiviCRM hosting platform, and why Docker and its micro-services approach is a good choice for building and maintaining containers. Although I promised to talk about orchestration, that was getting ahead of the story - first I'm going to look at the challenge of keeping your application containers up-to-date with OS and application-level updates. There's a fair amount of work in that, but the tooling is mature and there is lots of good documentation. A great place to start is to visit the official Drupal docker hub page . From there, you can pull a working Drupal code container, and it gets re-built frequently with all the OS and Drupal-code updates, so you just refresh your containers whenever you want (i.e. whenever a security release comes out, or more often to stay up-to-date). A nice thing about that project is that it demonstrates a technique for mainta...

This is a short story about how I've ended up learning more about Docker and it's associated technologies than I had planned. I'm not calling it "my docker journey" because, while Docker has done a great job of making Linux containers useable, there's no need to conflate container technology with the company. I'm a late-bloomer kind of person, not an early adopter, so it's a bit surprising to find myself in this position. I manage Drupal and CiviCRM hosting for a collection of non-profits in Canada. I started doing this 11 years ago, in spite of planning to avoid it, and after finding out that I could do a reasonable job of it, I kind of enjoy it. I'm a mathematician by training, and a (lapsed) Quaker by religion, so by nature I have a minimalist aesthetic. Add to that, my goal with hosting is to be as invisible as possible by keeping sites fast and reliable, so I really have minimal interest in experimental technologies. I generally do a strateg...

I've been having a conversation with a client about PCI compliance and realised that there's a basic fact that really should be made very clear. Any provider that tells you that they're going to solve all your PCI compliance issues only by switching payment providers is lying. PCI compliance cannot be solved purely by switching providers. PCI compliance involves how you handle credit card credentials everywhere, not just on your website. If you are inputting credit cards numbers that someone has sent you by email, phone, or letter, then you have a compliance issue. Anyone who is selling you a service to solve your PCI compliance issues and doesn't explain that to you is not trustworthy. In this case, it was a Braintree salesperson that I'm calling out. Braintree is a division of Paypal, and I would expect better of them. To be fair, some aspects of PCI compliance may be easier with some providers compared to others. But you're not off the hook, you can't...

Yesterday I posted this: https://www.newschallenge.org/challenge/2014/submissions/a-new-open-transport-layer-security and sent the link off to some friends and family. They had some good things to say, and some of that helped me clean it up a bit. But the feedback and discussions I had also helped me to step back a bit from the specifics of that proposal and think more generally about the problem. The problem I'm talking about is a mash-up of technical detail, privacy concerns, security concerns and good old fashioned apocalypse with a dash of conspiracy anti-government kind of stuff. So there's definitely more than one way to look at it. I like to think of it as "collapse of trust on the Internet as we know it". Here's the scenario: at some point in the next 5 years, a method is discovered that allows people with enough computer power to decrypt 'secure' https connections. Once this is generally known to the public (e.g. via a leak like that of Mr...

Twice now I've run into this class of problem and so I'm documenting it here for my future self and anyone else with a similar problem. Most recently, a server I manage was generating a rather baffling error, seemlingly randomly Warning: file_put_contents(temporary:///.htaccess) [function.file-put-contents]: failed to open stream: "DrupalTemporaryStreamWrapper::stream_open" call failed in file_create_htaccess() (line 498 of /[documentroot]/includes/file.inc). Baffling because apache (and pretty much any other process on a linux server) has access to read and write to the /tmp directory, and extra baffling because the file was there, created. It seemed to be mostly when editing, but not uniquely. After doing a stack trace, I discovered this about file management in Drupal: As a security measure, Drupal checks for an .htaccess file in all directories it writes to. That includes the temporary directory [which is good, because sometimes that directory is ins...

For the past few weeks I've been unable to access the TDEasyweb site. Today I discovered that it's because "TD made a corporate decision to only support Windows and Mac". I have a few problems with this. Personally, it's a hassle because I can no longer use their easyweb site unless I go borrow someone else's computer. This seems like an anti-security measure. It's extra insult because of the way it was not communicated responsibly. I have a bigger problem because the response I got when I talked to a manager was that the only way of dealing with it was to write to a customer feedback email address. And the reality is, if not enough people complain, then they won't do anything about it. Basically, treating my issue as one of personal preference, rather than one of technical choices and security. But on-line security is not at all a matter of personal preference. If a majority of users decided they didn't want as many security precautions as ...

I've been running my own server for a year and a half now, and have been surprised at how trouble free it's been. I attribute this to: luck good planning a decent upstream provider the maturity of linux distribution maintenance tools (e.g. yum) In this case, good planning means: keeping it as simple as possible doing things one at a time i'm the only one mucking about on it And so this month, inspired by some Drupal camp sessions, I decided to take some time to make a good thing better. My goals were: Optimizing my web servicing for more traffic. Simplifying my Drupal maintenance. Automating my backups. And here's the results ... Web Servicing Optimizations This was relatively easy - I just finished off the work from here: http://homeofficekernel.blogspot.com/2008/02/drupal-centos-optimization.html Specifically, i discovered that I hadn't actually setup a mysql query cache, so I did that. And then I discovered that it was pretty easy an...

I'm hosting the Ontario Green Party's site , and am also the Drupal developer for it. There's currently an Ontario election campaign taking place, so I'm keeping busy. Someone sent me a dead link on the Ontario NDP site, so I started looking at the other party's sites. It reminded me of a discussion we had at the Toronto Penguin day a couple of years ago about the relationship between open source software (and Drupal in particular) and politics. I think there's something there - for example: the Toronto Drupal Users' Group's (supposed?) left-leaning politics the Howard Dean campaign (which was the beginning of the civicspace distribution of drupal) Richard Stallman's involvement in Venezuela I'll let you use google to confirm or deny any of the above ...but also to be noted, there's nothing that prevents any cause from making use of open source technology for nefarious and/or right-wing causes (oops, my bias is showing!). So, I tho...