Friday, 24 June 2011

I have just upgraded to BT Infinity and am getting a good 37meg download and about 5.28megs upload (not that happy with the upload but it's better than what I used to get).

After the BT engineer installed the new modem I asked him if the BT Infinity Modem (the kit that connects you to the new socket) supports PPPoE. The engineer told me it did, and I asked if I could plug in my trusty FritzBox instead of using the BT Home Hub (which I was less keen on). He was quite keen to see it work as he hadn't seen one before. I plugged the FritzBox, which I had set up previously for PPPoE WAN over LAN port 1, into the modem and within seconds everything worked! The speed at first was dreadful as I was only picking up 5meg downloads and less than a 1 meg upload. The engineer tested the line and told me he was getting 40meg down and 10meg up. I knew then it had to be the FritzBox. I took a look at the settings and discovered my upstream was set to 5megs and my downstream was around 1meg. Ah ha! I set the Upstream to 5760 kBit and the Downstream to 6400 kBits. I know these values are a bit higher than what is supported on Infinity but it seems to have done the trick in giving me 37meg down and 5.28 meg up.

There is a little guide below for those of you who have a FritzBox. Mine is a 7170 but the FritzBoxes are very similar. For those that do not have a FritzBox, you just need to check if your old ADSL router supports PPPoE over one of its LAN ports (sometimes referred to as a WAN port). Note this is not replacing the BT Infinity modem, which supports VDSL; it is just connecting another device to it, other than the BT Home Hub, using a standard network cable.

How it's done on the FritzBox 7170

  1. Log into the admin interface on your FritzBox and click on Settings
  2. Go to Advanced Settings > Internet > Account Information from the left hand menu (your router may need to be in advanced mode to see these)
  3. Ensure you have the settings as illustrated in the diagram below. The important part is "Internet connection via LAN 1" and the other options should appear for you to select. Note the username is broadbanduser@btinternet.com; you do not need a password.

    image

  4. IMPORTANT: Scrolling down the page, I set my Upstream and Downstream to the following values (below). You may need to experiment to see what gives you the better speed. Some FritzBoxes may not have this setting as they may automatically configure these settings for you.
    image
  5. The next step is to plug LAN port 1 on the FritzBox into the BT Infinity Modem, sometimes referred to as the BT OpenReach Modem. There should be some cables that came with your install to do this, otherwise a normal network cable should suffice.

That's really all there is to it. You are basically no longer using the DSL part of your FritzBox/ADSL router; you are just making use of its WAN feature, almost as if you were connecting to a cable provider.

posted on Friday, 24 June 2011 19:37:13 (GMT Standard Time, UTC+00:00)  #    Comments [3]

 Thursday, 16 June 2011
Setting up DasBlog on Windows Server 2008

I've been meaning to do a quick blog article about this for some time so I don't forget. I found setting up DasBlog on Windows Server 2008 pretty difficult. I currently run DasBlog on a Windows Server 2008 server with the following app pool: ".Net Framework v2.0 Application pool in Integrated Mode".

One of the issues I discovered was setting up the permissions so that DasBlog could read and write to the content folders. To do this, follow the steps you find here: http://learn.iis.net/page.aspx/624/application-pool-identities/

Basically you need to give the Application Pool that DasBlog is running under permission to these folders. For example, set permissions on the content folder to allow the user IIS AppPool\[your app pool name] read and write access.

posted on Thursday, 16 June 2011 20:12:10 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Friday, 03 June 2011
My morning roundup

Hackers attack Sony network... again
According to the BBC website a group called Lulz Security hacked into a database containing unencrypted passwords, names, addresses and dates of birth of Sony customers. It appears they only targeted Sony Music Japan.

Hyper-V to run Linux?
Missed this one yesterday, it looks like Microsoft may soon be supporting Ubuntu, Debian, CentOS, RedHat and SuSE on its virtualisation stack. This could also include Azure.

Microsoft may buy Nokia
According to this article on CNET's website "..an industry insider has claimed a Microsoft offer for Nokia is already on the table"

Apple signs Universal Music to iCloud
It appears Apple has had more success with its new cloud service by getting some of the major players to sign up to it in comparison to Amazon and Google: "...it will be the first among the big three to offer licensed music."

Read more on CNET and Neowin

posted on Friday, 03 June 2011 08:51:15 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Thursday, 02 June 2011
My morning roundup

Windows 8 First Look
A first look at Windows 8, and it seems to be a lot about "touch". My first impression when seeing a video demo was "this looks a lot like Windows Phone". They appear to have reinvented the Start menu and it looks like a lot of thought has gone into usability. It also appears as though some ideas have been influenced by the experience with the iPad.

See for yourself on Neowin and Engadget. For some interesting commentary, check out this article on The Register.

Hackers in China compromise Google e-mail accounts
According to the BBC website hackers from China have attempted to access the Google e-mail accounts of US officials, military personnel and journalists.

How clean is your keyboard?
Check out this article on How-To Geek on how to clean your keyboard (without breaking it). Warning: there are some gory infested keyboard images in the article!

UltraViolet (buy it once play it everywhere?)
It's the first time I have heard about it. UltraViolet is supposed to be a media service supported by all the big players in the industry (except Disney). Basically manufacturers will create TVs, mobiles, etc. that support UV. You as the user can purchase UV compatible content such as a BluRay or DVD disc containing a UV logo and will be able to watch the content on any UV compatible device (even if it doesn't have a DVD player). It sounds as though the industry has realised the issue with having many different DRM formats, where content I download on my PS3 won't necessarily work on my PC or mobile phone if I want to watch it on the train. See what you think?

posted on Thursday, 02 June 2011 09:55:22 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Tuesday, 31 May 2011
My morning roundup

BT upgrading its network to Multicast
According to this article on the Register's website, BT's network is suddenly going to become pretty IPTV friendly as BT upgrades its routers. I would imagine BT is getting ready for the launch of YouView?

ASUS's new Padfone at Computex in Taipei
Asus's new Padfone will be making an appearance at the Computex computing show in Taipei, Taiwan.

Not sure how I feel about this device. It appears to be a phone that can become a tablet PC by plugging into the back of a tablet attachment. What happens when you upgrade your phone?

 

 

Google Chrome OS doesn't need anti-virus software
Interesting article questioning Google's claim that its new OS will not need anti-virus software. Saying that, it is an anti-virus company that is questioning that claim :)

NASA finally pulls the plug on Spirit :(
NASA has finally given up hope on its Spirit Rover which landed on Mars in 2004 and lasted much longer than its initially planned 3 month life.

A new Bionic Eye gets given the go ahead in Britain
Thousands of blind people have been given the hope of seeing again using an artificial retina implant according to this article on The Express.

Germany to shut down its nuclear power plants by 2022
It's a brave step and maybe Germany will lead the way in clean renewable energy. However, I am not sure how Germany will deal with the shortfall not covered by renewable energy. Maybe they will become more reliant on imported gas?

posted on Tuesday, 31 May 2011 09:07:54 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Saturday, 02 April 2011
LizaMoon–Injection and Cross Site Scripting attacks

Following the news on the LizaMoon injection attacks, which have been publicised a lot in the press lately, really made me want to find out more. Being a technically minded person, I wanted to scrape past the general media version of what was happening and get down to what this means to people who run websites that might be vulnerable.

Reading posts on Stack Overflow, it seemed that the same old vulnerabilities that have been around for a very long time were once again being exploited. Even though I have checked many sites I have worked on in the past, you can't help but wonder if there is anything you have forgotten. Security vulnerabilities in websites are not something where you can say "yes, I fixed it"; it's an ongoing battle (a bit like an arms race) where you have to keep up to date with the latest vulnerabilities.

One of the classic vulnerabilities I have seen exploited in such attacks is the classic query string SQL injection attack. Take for example the following URL on a website.

readmessage.asp?messageid=234

or

readmessage.php?messageid=234

There is nothing wrong with the above URLs as long as what happens behind the scenes makes sure that whichever SQL database you are using, be it MySQL or MS SQL Server, is protected from bad input. Basically you cannot trust any input you get from the web.

One of the things I like doing with the above type of input, before I even reach SQL, is to ensure that the query string value I am being sent (in this case messageid) is an integer. So in whatever language you are coding in, a very simple step is: if messageid is indeed intended to be an integer, test it to make sure it is. If you find it is not an integer you can either boot the user back to the page they came from or just send them to a generic error page that basically says that you can't understand what they wanted to do. Never display a detailed error message that divulges SQL statements and lines of code.

If messageid is supposed to be a string, such as a GUID, test that all the characters used in the GUID are in a whitelist of acceptable characters first. For example, accept A-Z, a-z, 0-9 and - and reject everything else. In addition you can also HTML Encode or escape the input before sending it along to your code that persists it to SQL. In your code that does SQL persistence you can also help prevent such attacks by using parameterised SQL statements instead of building your SQL update or insert statements as strings.

Another method I have seen being used (although I am not a fan of it), where no text input is expected, is to literally remove words and symbols such as "update", ), (, ', "insert" and "delete". This however can only be done where you definitely know these words are not intended as text values in a table field. If not used properly this could backfire and you could end up losing data in sentences a user may have been innocently entering into a system.

The other thing to remember is that just because the content went into the database safely doesn't mean that when you display that same content back to the user it's going to be safe. Take for example a message board that uses a SQL server to store its messages. It's pretty easy to escape what a user enters so that it's perfectly preserved in SQL. Let's for example say that happened to be some JavaScript and that the JavaScript functionality was to redirect a user to a malicious site. If you do not HTML Encode the message board text when displayed in the user's browser you are basically putting users that trust your site at risk. HTML Encoding what you display to the user ensures that the user sees the text of what is being presented and that the browser doesn't suddenly kick in and start to execute the code it's been given. Remember that this applies to just about any text you display to the user, including the browser title tag, which may be something like this:

<title>Does anyone know how to make green widgets?</title>

The above if not encoded could quite easily be changed to the following by a malicious user post on your message board.

<title>Does anyone</title><script>document.location='somesite'</script><title></title>

The code above could potentially redirect a user to a malicious site.
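
The checks described in this post, pulled together as an added example (not code from the original post): integer validation of messageid, a character whitelist for GUID-style ids, a parameterised query, and HTML encoding on output including the title tag. It uses Python with an in-memory SQLite database; the table layout, function names and sample rows are assumptions constructed for illustration.

```python
import html
import re
import sqlite3

# Whitelist for a GUID-style id: only A-Z, a-z, 0-9 and '-', as the post suggests.
GUID_CHARS = re.compile(r"[A-Za-z0-9-]{1,36}")


def parse_message_id(raw):
    """Return messageid as an int, or None if it is not a plain integer."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)


def is_valid_guid_id(raw):
    """True only if every character is in the whitelist."""
    return raw is not None and GUID_CHARS.fullmatch(raw) is not None


def read_message(conn, raw_id):
    """Validate first, then fetch with a parameterised statement."""
    message_id = parse_message_id(raw_id)
    if message_id is None:
        return None  # caller shows a generic error page, never SQL details
    return conn.execute(
        "SELECT subject, body FROM messages WHERE id = ?", (message_id,)
    ).fetchone()


def render_page(subject, body):
    """HTML-encode stored text everywhere it is displayed, title included."""
    safe_subject = html.escape(subject)
    safe_body = html.escape(body)
    return (
        f"<html><head><title>{safe_subject}</title></head>"
        f"<body><h1>{safe_subject}</h1><p>{safe_body}</p></body></html>"
    )


def build_demo_db():
    """Constructed sample data: one ordinary post and the title example above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)")
    rows = [
        (234, "Does anyone know how to make green widgets?", "Asking for a friend."),
        (235, "Does anyone</title><script>document.location='somesite'</script><title>", "hi"),
    ]
    # The parameterised insert stores the text exactly as entered.
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for raw in ["234", "235", "234 OR 1=1", "abc"]:
        row = read_message(db, raw)
        print(repr(raw), "->", render_page(*row) if row else "generic error page")
```

Message 235 is stored intact by the parameterised insert, which is why the encoding step at display time is still needed.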

posted on Saturday, 02 April 2011 20:38:48 (GMT Standard Time, UTC+00:00)  #    Comments [0]

 Thursday, 10 March 2011
Cookie Trouble

I read the following news article with interest about the European Union's new laws that basically state you have to ask the user's consent to place a cookie on their machine. Reading through the new legislation I found the paragraph below, which appears to be the only paragraph that refers to cookies.

"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.."

If you look at the second section of highlighted text, it appears an exception to this rule is when placing a cookie onto the user's machine is to do with the explicit working of the service the user was expecting. So for example, if you log into your bank's website with a username and password, the placing of a cookie onto the user's machine without their consent is legitimate, as the service would not work as the user expected without it. This is basically how I understood this paragraph.

What I do think will be an issue are people that use analytics packages on their websites (it is unclear if this is covered), paid-for advertising and affiliate tracking programs. I can already think of several organisations such as Google, Yahoo and even MSN/Bing that may be affected by this. I don't feel much thought has gone into this legislation and I am not too sure how this legislation will be enforced. It will not stop affiliate or tracking sites that are not hosted in the EU. It could end up with companies hosting these services or making use of services from countries outside of the EU zone to get around this issue.

One thing that is incredibly difficult to do is to govern how sites work on the Internet. It is not the job of governments but of international bodies to decide how this should work. What the legislation cannot protect against is spyware and illegal sites making use of this information or tracking users in this way. I also feel that not much thought has gone into how this legislation would be interpreted or if it could possibly destroy how some businesses work.

A rather funny take on this new legislation can be found here

posted on Thursday, 10 March 2011 00:25:18 (GMT Standard Time, UTC+00:00)  #    Comments [1]

 Thursday, 23 December 2010
The Fritz Box 7170

I've always had a problem choosing ADSL modems. They've had a habit of letting me down and just being downright unreliable. As my wife works from home, reliable internet access is essential and we in the past have faced many issues with our Internet access, most of these issues being down to the BT Home Hub, which for reasons only known to BT will drop the connection and suddenly choose to run an upgrade patch on itself. It did this without asking and with no thought to what important work was being done on the Internet at the time.

Other times Internet access would drop completely and the only way to get it back was to reboot the dreaded BT Home Hub. What was worse is that I had two SIP phone lines coming through my Internet connection. The BT Home Hub was awful at routing any traffic to the phones making them unreliable. 

Having put up with this issue for such a long time I told myself enough was enough and decided to trawl around the Internet to find the best solution. Just about everyone complained about the popular makes of ADSL routers when reading the reviews on Amazon. Then I spotted something called a Fritz!Box on Sipgate's website. It was definitely more expensive than the others, but doing more research I found that people had nothing but good things to say about it. I decided to see if I could get it a bit cheaper. Searching Amazon I found the above model, the 7170, for £73. It appeared to be an older model, but it still had many of the features found in the newer models so I placed my order.

The Fritz!Box was simplicity itself to set up. I moved the box over to the IP range I use at home, unplugged my BT Home Hub, plugged in the Fritz!Box and it just worked! So far so good. I then decided to set up my SIPGate phone numbers on the box. In order to do this I turned on advanced settings on the box first. Then I entered my SIPGate details and tested calling the numbers; they worked first time and were crystal clear! There was no need to configure any ports on the box's built-in firewall, everything just worked out of the box. It was the first time I had ever managed to set up a SIP device so easily. I then decided to open port 80 on the firewall for my web server and that worked without any issues. The only thing I had left was my old BT Hub Phone number. After a little bit of research I found I was able to set this up on the Fritz!Box with no problems and it also worked first time. Not bad, not bad at all..

Looking through the screens for the Fritz!Box I realised it had a lot more to offer than I thought actually came with the box. It had built-in multiple answer phones, a fax machine, NAS drive interface, UPnP Media Server, USB print server interface and a VPN client! The answer phone was easy to set up and I discovered I could also route calls based on caller ID. So in theory I could route calls that withhold their numbers to an answering machine as they are more than likely sales calls.

A month on and the Fritz!Box has been nothing but reliable. Where we have had Internet problems the box has seamlessly detected them and reset the Internet connection in many cases without us even realising it. I suppose the old adage, you get what you pay for is so true with the Fritz!Box. The Fritz!Box has also reminded me just how reliable German engineering really is.

posted on Thursday, 23 December 2010 13:51:09 (GMT Standard Time, UTC+00:00)  #    Comments [0]