23 Mar 2015
HSBC for several years have provided a key fob to login and authorise transactions in their web site.
Recently they have upgraded their mobile applications to have the ability to generate secure codes, therefore removing the need to have a separate device, that probably gets lost.
During signup it asks a few questions and for a new password. The text states that passwords must be over 6 characters, so for security i used LastPass to generate a 30 character password.
This was accepted, however only 8 characters were shown on the screen. After double checking it turns out that the application silently ignored the other 22 characters and set my password to a 8 character password without warning.
I feel this is especially dangerous for the following reasons:
- If i hadn't of paid attention i wouldn't have noticed
- If you follow the XKCD recommended password system of 4 words joined together your password will be very insecure.
- Who thinks 8 characters is acceptable.
So I asked HSBC Help UK on Twitter.
@HSBC_UK_Help why are passwords for digital secure key limited to 8 characters? Not very secure
4:03 PM - Mar 22, 2015
@addersuk Hi Adam. It is a business decision, as we believe it’s long enough to be secure but short enough to be remembered.^JB
— HSBC UK Help (@HSBC_UK_Help) March 22, 2015
@HSBC_UK_Help so why does your app let me enter a longer password and then truncate the password
@addersuk I am sorry if this has caused you any inconvenience Adam. Have you managed to set up a password now?^JB
— HSBC UK Help (@HSBC_UK_Help) March 22, 2015
I feel this raises security concerns about HSBC if they are willing to have poor security on their systems.
10 May 2014
Microsoft SQL Database licensing is expensive, however you do get the benefit of very good development tools and
integration. They have three versions:
- Web – no performance tools, SSIS or replication
- Standard
- Enterprise
Alternatives to Microsoft SQL Server are:
- MySQL – Currently owned by Oracle and is slowly being moved away from Opensource. Its a quick database, however
is misses alot of features of SQL Server and it very slow at stored procedures and views that your current
system uses extensively. MySQL simplifies database development and this is why it is the most popular database
system. There are a number of compatible databases including MariaDB and Percona Server.
- Postgres – Fantasic open source database that has excellent performance and features. Originally based on the
Ingres database system (which is the original base of SQL Server), it is under
- constant development and they have recently added a number of features to compete against nosql databases like
MongoDB.
- Ingres – Sadly neglected by owners over the past 10-20 years
- Other commercial databases – IBM DB2, Oracle, etc all very expensive
If i had to choose a database system for a new system, i would go for
Postgres, however there are a number of risks with Postgres when migrating an existing project:
- Current system will need changing to work. Postgres driver and database might not have the same abilities and
features as provided by Microsoft drivers.
- Migrating to a different database will be difficult and possibly need training and support for current staff.
You would need significant downtime to migrate the data from one system to the other
- Less used in industry, so experienced staff are not easily available.
- Development tools are not fully integrated into development tools like Visual Studio etc.
- Less documentation/blogs/advise available due to lower usage.
Unfortunately there is no simple replacement and although you might save money on licensing fees, you may end up
spending the savings elsewhere.
However if your starting a new project, i would use it.
30 Apr 2012
The following is how i got a Ruby on Rails app running on Debian Lenny.
First edit your apt sources list to add Squeeze backports to get a stable Rails
apt-get install ruby1.9.1-full
gem1.9.1 install rails
gem1.9.1 install rubygems-update
gem1.9.1 install rake
These commands will install the ruby libaries in /var/lib/gems/1.9.1/. You can now to deploy the Ruby on Rails app to the web server. You may need a few development pacakage for mysql, xml and xslt, so you may need to install the following.</p>
apt-get install libxml2-dev libxslt1-dev libmysqlclient-dev
Once this is complete change to the directory and run
/var/lib/gems/1.9.1/bin/bundle install
This will install all the required Gems for the application.
Now we need to install passenger.
gem1.9.1 install passenger
If you use Apache, you will then need the passenger apache module. This requires a number of development libraries, that might not be installed. They can be installed using:
apt-get install build-essential libssl-dev zlib1g-dev apache2-prefork-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev
Once that is complete run the following:
/var/lib/gems/1.9.1/bin/passenger-install-apache2-module
vi /etc/apache2/mods-available/passenger.load
a2enmod passenger
/etc/init.d/apache restart
08 Jul 2011
Bacula is a enterprise open source network backup system that can backup all your servers to a central place.
It works by running a Bacula File Service on each server that communicates to a central controller that manages the backup and restore requests to storage daemons. I use a Netgear ReadyNAS and these can run the Bacula Controller and Storage daemons therefore keeping your backup solution in one place.
11 Aug 2010
SSH is a great service, however it is open to dictionary attacks that can allow hackers to get access of the server.
One great tool for limiting the success of the dictionary attacks against your ssh services is DenyHosts. This monitoring the authentication logs of your server and if it detects 3 failed logins from an ip address, it adds that ip address to /etc/hosts.deny.
To improve the service further, it has an optional distributed service that will notify you of ip addresses that are actively attempting to login to ssh servers by synchronising with a central server. Therefore you can block an ip address before it even attempts to login to your server.
The only downside of DenyHosts, is useless developers/users of your servers have a tenancy to forget their passwords occasionally and they then get totally blocked from the server, but that can be easily fixed.