When will the banks realize that it is 2018?

Digitalization in Sweden 2018

The other day I was going to apply for Swish for my minor child. At the bank I have been with for over five years. At the bank where the child's other parent has been a customer for over five years. Where the child already has an account with the parents' approval. Home comes, by paper mail, a form where both of the child's guardians are to photocopy their ID and have the copy certified by two other people. This is 2018. Not 1998. I can empty my entire bank account over the Internet using BankID, which the banks themselves are behind, by the way. I can access my medical records over the Internet using BankID, which government agencies have approved for confidential information. But I cannot approve that one of my children gets Swish without it turning into a pile of paper administration.

Digitalization in Sweden is reaching new heights. With all the banks' profits in the billions and the banking and financial supervisory authority, you would think there ought to be a tiny, tiny possibility of getting a best-before date for this kind of idiotic behavior.

Already today I get sensitive information sent to one of the several digital mailboxes that exist, and as I said I can already identify myself in very sensitive contexts with BankID.

A few days later I get a letter to the company, also sent by paper mail. From another bank. In it, the company is asked to account for its “beneficial owner” (“Verklig huvudman”). Here too, IDs are to be photocopied, questions answered and everything certified, and then sent back, by paper mail, to the bank. This is 2018. Not 1998.

At the risk of sounding repetitive, one gets rather worried when the banks show clearly that they have such a poor grasp of things that they have to play it safe with both belt and braces, on physical paper. At the same time they make profits in the billions and constantly blame the lack of digitalization on “We have not got there yet, but we will take your question with us”.

Where is the environmental thinking in this behavior? Why is paper mail sent for things that can be handled both more securely and faster the digital way? Where is the banking and financial supervisory authority? Hello, it is 2018, not 1998. Wake the fuck up.

 

No Lufthansa, this is not breakfast

I’m not sure what’s going on at Lufthansa, but someone needs to talk to their food administrators who manage in-flight food. This “breakfast” tasted like candy, for obvious reasons. Come on Lufthansa, it’s 2018, ever heard of “healthy living”? I know this crap is cheap to produce, but maybe “cheap” is not a word you want to associate with your company.

Apache goodies for WordPress security

The list of things to do to harden a WordPress site with Apache is long, but some things that could be done include:

FileETag None

<Files wp-config.php>
    Require all denied
</Files>

<Files xmlrpc.php>
    Require all denied
</Files>

<LocationMatch "/wp-content/uploads/.*(?i)\.php$">
    Require all denied
</LocationMatch>

SSH tunnel to use other mailserver than localhost

Because I have a lot of virtual machines, laptops, work environments, and so on, I never seem to find the time to set up SMTP authentication everywhere. I typically use Linux for everything except hardcore gaming, so it’s only natural that I have some sort of mail server installed, like Postfix. The problem with using that mail server to send e-mail is that I also quite often have dynamic IP addresses on these machines, which doesn’t work well with “e-mail protection” (well..) like SPF.

So instead of making my life very complicated, I have a trusted server on the Internet through which I send e-mail.

If you were looking for something fancy in this article, you can move along now, there’s nothing to see 🙂

To make all my Linux work instances believe they’re talking to an SMTP server locally, I simply set up a tunnel from the given Linux instance to this trusted server on the Internet using the ever so versatile OpenSSH / SSH. I know there are a lot of ways to do this, but this is what works for me:

Local machine or “where I work”

I have a private/public key pair on all of these machines. The public key is placed in the /root/.ssh/authorized_keys file on the trusted server that is running the mail server.

On this machine, as root, I set up a tunnel that looks like this:

ssh -N -L 25:localhost:25 root@mail.example.org -p 2222

This will create a tunnel from “localhost” port 25 (where I work) to “localhost” port 25 on mail.example.org. The SSH connection that carries the tunnel is made to mail.example.org on port 2222. If the mail.example.org server is running an SSH server on its standard port (22), you can remove the “-p 2222” part.

Mail server

On this server, I only need to put the public key from the local machine “where I work” into /root/.ssh/authorized_keys to allow the tunnel to come up.

When I access port 25 on my local machine “where I work”, it will be sent through the tunnel and then attempt to access “localhost” port 25 on the mail server. The mail server software, Postfix in my case, will never know this connection did not actually originate from “inside” the machine, but rather through the tunnel.

Closing thoughts

You can (obviously) make this somewhat more automated with tools like AutoSSH, init scripts, and what not. The above only intends to show how uncomplicated it is to create useful SSH/SMTP tunnels 🙂
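A key placed unmodified in /root/.ssh/authorized_keys can also open a root shell on the mail server, not just the tunnel. The following added example (not part of the original post) audits an authorized_keys file for entries limited to forwarding to localhost:25; the function names, the sample keys and the option set treated as "tunnel-only" are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post; key material below is constructed.
# A tunnel-only entry needs: restrict, port-forwarding, exactly one
# permitopen="localhost:25", and a forced command so no shell can be requested.

sample_keys() {
cat <<'EOF'
# keys allowed to open the SMTP tunnel (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED1 laptop
restrict,port-forwarding,permitopen="localhost:25",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED2 vm-build
port-forwarding,permitopen="localhost:25",permitopen="localhost:3306" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED3 old-desktop
EOF
}

# $1 = path to an authorized_keys file; prints "OK <comment>" or "WEAK <comment>".
audit_tunnel_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
    {
        line = $0; opts = ""; inq = 0
        # An entry without options starts directly with the key type.
        if (line !~ /^(ssh-|ecdsa-|sk-)/) {
            # Options end at the first space outside double quotes
            # (backslash-escaped quotes inside options are not handled).
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (c == "\"") inq = !inq
                else if (c == " " && !inq) break
            }
            opts = substr(line, 1, i - 1)
        }
        padded = "," opts ","
        targets = gsub(/permitopen=/, "&", opts)   # number of permitted targets
        ok = (padded ~ /,restrict,/) &&
             (padded ~ /,port-forwarding,/) &&
             (targets == 1) &&
             (index(opts, "permitopen=\"localhost:25\"") > 0) &&
             (index(opts, "command=\"") > 0)
        printf "%s %s\n", (ok ? "OK" : "WEAK"), $NF
    }' "$1"
}

tmp=$(mktemp)
sample_keys > "$tmp"
audit_tunnel_keys "$tmp"    # WEAK laptop / OK vm-build / WEAK old-desktop
rm -f "$tmp"
```

Because `ssh -N` never requests a command, the forced `command="/bin/false"` does not interfere with the tunnel itself.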

 

Securely overwrite unused space on Windows 7, 8, and 10

Overwriting “unused space” on Windows 7, Windows 8, and Windows 10 is quite simple. Open a “Command Prompt” window, and type:

cipher /w:DD

Where “DD” is your drive without a suffix, e.g.

cipher /w:C

to wipe unused space on drive C.

Why is this useful? Well, when you delete files from most modern operating systems, they aren’t really erased, even after you “Empty the trash”. The file system on your drive is simply updated to indicate that the space previously occupied by the file is now available. But the file data is still there. Overwriting such “unused space” with nonsense/garbage data will make it harder to recover the file data.

Setting PHP.INI path (or file) for PHP CLI shell scripts

Running a PHP script from the command-line, or CLI, is quite useful at times and is often used to perform some automated task, like a CRON cleanup script, to send out reminders, etc.

It’s common that these CLI scripts need some, but possibly not all, settings that are similar to the main application’s. I may, for example want to include the database configuration settings shared with the main application. So I often create a separate php.ini file for this purpose.

Running /usr/bin/php -c /my/very/special/path cronScript.php is simple enough, but what if I want to be able to create an “executable” PHP shell script? The obvious answer would be something like:

#!/usr/bin/php -c /my/very/special/path

at the top of the .php file, followed by my PHP code, right? Except that may not do what you want. I could not get the PHP interpreter to load anything in /my/very/special/path by using the above construct, even if it works from the actual command-line. After banging my head against the wall for a while, this turns out to work for these “shell scripts”:

#!/usr/bin/php -c=/my/very/special/path

Note the use of the = (equal) sign between the -c and the path (or file).

Carry on.

Coding for Microsoft browsers like Internet Explorer and Edge

Having done battle with things like Internet Explorer 4 (yes, I’m that old), it seems to me like Microsoft have really gotten themselves into a bind when it comes to Edge.

With a user-agent string like this:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299

It’s no wonder Microsoft seems to be suffering from a split personality when it comes to its browser(s).

Once and for all, Microsoft, please just join either of the Chrome/Chromium/Opera/Firefox projects. Please?