HaaS: Honeypot as a Service

in tech

My team at CZ.NIC has finally released a stable version of HaaS, Honeypot as a Service. Those who know Czech can read the official blog post (edit: English version). For non-Czech readers: CZ.NIC is mainly known as the Czech domain registry, but it does much more, for example the secure router Turris, which has included a honeypot for a long time. We decided to provide the honeypot to anybody, not just Turris owners.

What is a honeypot, exactly? A honeypot is a special application that simulates an operating system and lets a potential attacker log in (we support SSH only for now), run any command or download malware. It is not easy for ordinary users to install such an application, and mostly it is not very secure. We decided to do it for you. :-)

Unfortunately, it is still not super easy to join the project. At least now you only need to install a very small proxy. The proxy has to be there so we can learn a small but important detail: the IP address of the potential attacker. Without the proxy we would know only the IP of our user, which is useless.

The collected data is used by our CSIRT.CZ team to inform owners of servers and computers infected by some botnet about the issue. Currently the biggest source of attacks on our users is China, so we share our data with the security team in Taiwan. We plan to share data with other CERT/CSIRT teams as well.

If you want to join the project, you can do so on the page haas.nic.cz. Register a new account and install the proxy (available as a deb/rpm package, on PyPI or as a simple tar). If you are interested in analysis, we provide the data on a page with global statistics. Well, except passwords, because we have experienced more than one oversight where a user logged into the honeypot…
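To make the "why a proxy" point concrete, here is an added example that is not the HaaS proxy's own code: a minimal TCP forwarder which, before relaying the connection to the honeypot backend, hands the backend the real client address. The wire format used is HAProxy's PROXY protocol v1 line; that HaaS itself uses this format is an assumption, and the stand-in backend and the SSH banner are constructed for the demo.

```python
# Added example (not the HaaS proxy's code): a forwarder that preserves the
# attacker's address. Without the header line the backend would only ever see
# the volunteer's IP, which is exactly the problem the post describes.
# The PROXY protocol v1 framing is an assumption about how such a proxy could
# pass the address along; the backend and banner below are constructed.
import asyncio

BACKEND_HOST = "127.0.0.1"      # stand-in for the honeypot endpoint
SEEN = []                       # what the stand-in honeypot learned per connection


def proxy_header(src_ip, src_port, dst_ip, dst_port):
    """PROXY protocol v1 header for an IPv4 connection (src/dst ip, then ports)."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()


def parse_proxy_header(line):
    """Return (src_ip, src_port) from a v1 header line, or None if malformed."""
    parts = line.decode("ascii", "replace").rstrip("\r\n").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        return None
    return parts[2], int(parts[4])


async def relay(reader, writer):
    """Copy bytes one way until EOF, then close the destination side."""
    try:
        while chunk := await reader.read(4096):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_r, client_w, backend_port):
    """Proxy side: announce the real peer to the backend, then relay both ways."""
    src_ip, src_port = client_w.get_extra_info("peername")[:2]
    dst_ip, dst_port = client_w.get_extra_info("sockname")[:2]
    backend_r, backend_w = await asyncio.open_connection(BACKEND_HOST, backend_port)
    backend_w.write(proxy_header(src_ip, src_port, dst_ip, dst_port))
    await backend_w.drain()
    await asyncio.gather(relay(client_r, backend_w), relay(backend_r, client_w))


async def fake_honeypot(reader, writer):
    """Stand-in backend: record the proxied client address, then echo one line."""
    SEEN.append(parse_proxy_header(await reader.readline()))
    data = await reader.readline()
    writer.write(b"honeypot saw: " + data)
    await writer.drain()
    writer.close()


async def demo():
    backend = await asyncio.start_server(fake_honeypot, BACKEND_HOST, 0)
    backend_port = backend.sockets[0].getsockname()[1]
    proxy = await asyncio.start_server(
        lambda r, w: handle_client(r, w, backend_port), "127.0.0.1", 0)
    proxy_port = proxy.sockets[0].getsockname()[1]
    # A "scanner" connecting through the proxy with a constructed SSH banner.
    r, w = await asyncio.open_connection("127.0.0.1", proxy_port)
    w.write(b"SSH-2.0-scanner\r\n")
    await w.drain()
    reply = await r.readline()
    w.close()
    await w.wait_closed()
    proxy.close()
    backend.close()
    await asyncio.sleep(0.1)          # let the relay tasks wind down cleanly
    return reply, SEEN[-1][0]


def run_demo():
    """Returns (what the backend echoed, the client IP the backend recorded)."""
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```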




Dancers, don't be sorry

in dance

Well, do be sorry. Of course, when you hit or step on someone, apologise. Or when you refuse to dance with someone, it's also better to say no with a sorry than without. But don't feel bad at all when you just didn't catch some move. It's totally all right to do something other than what the leader wanted. Of course I mean within limits; going to the bar instead of the turn is not within those limits. :-)))

You know, even when I try not to be the same all the time, in the end I have some set of variations, some set of crazy and funny moves, and if all followers were the same, I would be bored. It's good to do something else. Even if it's a mistake, it's good, because then I cannot continue as I would in most cases. It brings a lot of variation and I like it.

So please, next time you mess something up, don't say sorry. Smile and do what you like and feel instead. :-)





Django CSRF bug

in code

We had this problem: our application worked well on desktop, but on a phone every action failed with a CSRF error.

Hmm, strange. Soon we discovered it was a problem only with Android. Later we were sure it was only Chrome on Android. Even stranger!

The next step was to check what exactly we were using for CSRF validation. Django. Without customization. Of course nobody had this issue according to Google, so it had to be some problem with our configuration. But it worked everywhere else…

We found that the same cookie was used for our top domain while our application runs on a sub-domain. That could be the issue, we thought: all browsers can handle it, but Chrome on Android has some problem with it. We changed it. Deployed it. And nothing!

OK, time to plug in the phone and open the debug tools to see what's happening. In the development environment, everything worked just fine. That was very strange, and because of that we kept checking the configuration for a few more minutes. Without success.

After an hour or so we noticed that the token was really wrong. The token in the response from the server was different from the one that was then set in the session. We didn't know what to check next, so we did the worst thing possible: added some logging on the server to see what's happening. We noticed some regeneration of the token. Why was it regenerated? And why was there more than one request when using the phone?!

And then we finally saw it. Android makes one request for the page the user wants and one for some special 96px version of the icon it could use… somewhere. That generates a 404 page, and we have a form on every page. But Django (it took us another half an hour, probably more) doesn't run the CSRF middleware for 404 and 500 pages! Which means Django is not going to take the token from the cookie, and when a token is needed, a new one is generated!

The fix is to use the decorator for 404 and 500 views, as described in the Django documentation. It's there, but who would expect that.
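The mechanism is easier to see in a small model than in a real deployment, so here is an added example (not Django's code and not the post's): a stripped-down imitation of the cookie and token flow described above, with the error handler called outside the middleware, and a `requires_csrf_token`-style wrapper (in Django that is `django.views.decorators.csrf.requires_csrf_token`) that loads the cookie token before the view renders its form. The request objects, the icon path and the token format are constructed for the demo.

```python
# Added example, not Django's implementation: a simplified model of why an
# error view that bypasses the CSRF middleware rotates the token, and why
# loading the cookie first (what requires_csrf_token does) fixes it.
import re
import secrets

COOKIE_NAME = "csrftoken"


class Request:
    def __init__(self, path, cookies):
        self.path = path
        self.cookies = dict(cookies)
        self.META = {}              # per-request scratch space, as in Django


class Response:
    def __init__(self, status, body):
        self.status, self.body, self.cookies = status, body, {}


def get_token(request):
    """Like the csrf_token template tag: reuse the token loaded from the
    cookie, otherwise mint a fresh one (the regeneration the post observed)."""
    if "CSRF_COOKIE" not in request.META:
        request.META["CSRF_COOKIE"] = secrets.token_hex(16)
    request.META["CSRF_COOKIE_USED"] = True
    return request.META["CSRF_COOKIE"]


def csrf_process_request(request):
    """Middleware step 1: load the client's existing token from the cookie."""
    if COOKIE_NAME in request.cookies:
        request.META["CSRF_COOKIE"] = request.cookies[COOKIE_NAME]


def csrf_process_response(request, response):
    """Middleware step 2: if a template used the token, (re)send it as a cookie."""
    if request.META.get("CSRF_COOKIE_USED"):
        response.cookies[COOKIE_NAME] = request.META["CSRF_COOKIE"]
    return response


def requires_csrf_token(view):
    """Model of the decorator: make the cookie token available to the view
    without rejecting anything, so the template tag does not mint a new one."""
    def wrapped(request):
        csrf_process_request(request)
        return view(request)
    return wrapped


def form_page(request):
    return Response(200, f'<input name="csrfmiddlewaretoken" value="{get_token(request)}">')


def not_found(request):
    # The site's 404 page renders the same shared form, token included.
    return Response(404, f'<input name="csrfmiddlewaretoken" value="{get_token(request)}">')


def dispatch(request, handler404):
    """Normal views pass through the middleware; the 404 handler is called
    without process_request, which is the behaviour the post ran into."""
    if request.path == "/":
        csrf_process_request(request)
        response = form_page(request)
    else:
        response = handler404(request)
    return csrf_process_response(request, response)


def browser_session(handler404):
    """Page load followed by the extra (404) icon request the phone makes.
    Returns True if the form token from the first page still matches the cookie."""
    jar = {}
    page = dispatch(Request("/", jar), handler404)
    jar.update(page.cookies)
    form_token = re.search(r'value="([0-9a-f]+)"', page.body).group(1)
    icon = dispatch(Request("/icon-96.png", jar), handler404)   # constructed path
    jar.update(icon.cookies)
    return jar[COOKIE_NAME] == form_token
```

`browser_session(not_found)` reproduces the mismatch, `browser_session(requires_csrf_token(not_found))` keeps the token stable.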

Half a day. Two of us spent half a day figuring out this issue. I really don't know how to explain to people why the development of simple websites costs so much money. Better to just laugh, take a glass of whisky and watch Django Unchained. Much more fun than debugging a Django app. :-P




Can you help with a political question?

in life

Ok, so I have those struggles. I think I'm not alone. Actually, I know I'm not.

Let's start with a slightly different question. In how many fields can anyone be an expert? My personal feeling is about three, but the average will definitely be less, probably just one. For example, I think I'm an expert in one field, computer programming. I feel that when I decide how to solve some problem, I know for sure the result is not going to be a disaster. Because I put a lot of energy into always reading, learning, trying, using, everything. It's my daily job and I also do some projects at home. Without programming at home, I wouldn't feel like an expert at all, yet. So it's like 8+ hours a day. Every day. For more than ten years already.

I also have other hobbies (for example the biggest one right now is dancing and helping the salsa community), into which I put a lot of energy as well, but I'm unable to say whether what I'm doing is right or not. I need much more time and practice. I'm not sure about any decision; I decide only based on intuition. You can see that in the results: sometimes it makes perfect sense, sometimes not.

Of course those two hobbies take so much energy that I don't have time for anything else. The day has only 24 hours…

Now comes my first struggle: if being able to decide properly takes a lot of study, how could I vote for some candidate I barely know? It seems better to leave voting to people who keep an eye on politics at least every other day. But actually that means leaving voting to people who think they know what's happening in politics. Which sounds just horrible.

I think I know what many of you are going to think now: reading a little bit about what's happening in my government every day is not too much work. OK, try to think of something you like and something you don't like and compare the results. The result of something you like is definitely going to be far more effective and better.

To put it into my second struggle: many say that people have short memories and cannot remember the past of candidates. I would for sure fall into that category. Because politics isn't something I like, I would have a problem remembering all the details, even major ones! Another question is whether that even matters. People can change and deserve a second chance, right? Let's be honest, who of us has a perfect past?

That question reminds me of another struggle: let's say I don't have the previous struggles at all and I want to vote, but there is no perfect candidate for me (by perfect I mean the best option available). Whom should I vote for, the most perfect one available (but unpopular, so I help some popular one who is bad for me) or tactically for someone who could defeat that bad one (for me) and would be okayish?

Yeah, politics is very complex. Probably I shouldn't care about that at all and just pick some newspapers, let them do the job of watching every move and keep me notified. The problem is, when I did that, I didn't feel it was working. I'm not saying it was better before and that nowadays there is the problem of fake news and so on, so it cannot work anymore. It's the same as before, as I dig into history from time to time. But this is like a chicken-and-egg problem, because now I need to choose not a candidate but a source of information about candidates. Which source is trying to be as objective as possible? Which source is not connected with any side? So many aspects!

This is also my last struggle: which source to follow so as not to be disgusted? Because many reports are subjective, side-oriented, topic-oriented, … For example, right now in the Czech Republic it looks like everybody just wants to defeat the current president. I don't care whether that's right or not, but it's not the quality journalism I want to follow.


To summarise: everyone should vote in an election, right? But how can I vote with a clear conscience? Tell me your opinion!

Maybe I should just ignore everything, vote by feeling and not care later whether it was a good decision. And without any feeling, not vote at all. Because life is too short to do something you don't like.




Why I don't trust recommendation systems

in tech

I liked Google Now. Liked. With the new Android it has changed and isn't very useful anymore. Before, you could just swipe left on your home screen and see all the important stuff. Like how long it takes you to get to work right now. Or when your meeting is. How the traffic is. Updates about your flight. Hotel reservations. Exchange rates. It even notified you about the most important stuff.

It was scary, but very handy. At least for those who travel a lot. (Scary in the sense of how much Google knows about you.)

And they changed it. All the important stuff is hidden behind one more click, and even when I open that section, there is not as much as before. In place of all the useful stuff they placed a feed of articles Google thinks you would like. Well, it can be useful as well, to stay updated. But…

…but when I upgraded to the new Android there was a new Marvel movie and I was looking for some info. Of course Google thought “hey, he likes Marvel!” and very quickly I was stuck in the Marvel bubble. I didn't even want to click on any of those articles, but I was used to finding important stuff by sliding left, and whenever I did that, I saw some tempting title. I would say clickbait.

A good recommendation system would do its best not to keep you in some bubble. Well, Google did. I didn't want to use it, and so Google kept showing me news about Marvel movies. Google started to care only about what I clicked on in that feed and not about what I was searching for. A totally different attitude from the previous Google Now functionality. Two years ago, my phone could detect that I regularly go every Wednesday to the same place at the same hour, just based on my location, and after a few weeks I got a card saying I should leave sooner because traffic is worse that day than usual. Today I'm in some weird bubble.

Of course I noticed that and wanted to turn that feature off. To see the directly useful cards again. And you guessed correctly, there was no way to turn it off. Google created something useful to get us used to swiping left, and then changed it to something that can bring Google a lot of money.

Finally, with the latest Android (at least on the Pixel phone) you can turn it off. If you like yourself, swipe left, touch the three dots, Settings, and then under Your feed uncheck Show feed. Then the screen will stay blank; there will be no cards as before. At least it will stop trying to seduce you.

As you can see, not even Google can do a recommendation system well. And this is one example of why I don't trust them. I don't follow anyone on Twitter or Facebook or YouTube, I don't read any page aggregating articles, nothing. I created my own reader with support for RSS, Twitter, YouTube and so on, with my own system for how I want to prioritise articles. It's not perfect and needs some help from the user, but at least I'm not in the bubble.

I think everybody should ignore and disable (if possible) any feed managed by someone other than you.

P.S.: If you would like to try my app, well, it runs on my personal server. I could give you an invitation token, feel free to write me, but I cannot promise anything. :-) Anyway, this post is not about my app but about the problems with recommendation systems.




How Twitter support works

in tech

I had a problem logging in to my Twitter account because I couldn't get the SMS code, so I sent them a message about it. They responded:

Hello,

Thanks for writing in. Many people who have reported issues with login verification have found the following tips helpful:

  • Having trouble receiving push notifications? You can access pending login requests from within your Twitter app on your device:

    1. Open the Twitter app and navigate to “Settings”.

    2. Tap “Account”, then tap “Security”.

    3. Select “Login Requests” to see a list of all requests available to approve or deny.

    4. Pull down on the list to refresh and see the most recent requests.

  • When you enrolled in login verification from your device, did you generate a backup code? If so, you can use that code to log in to your account on twitter.com from a desktop or laptop computer. Additionally, if you still have access to your app, you can generate a new code from your device. More information can be found here: https://support.twitter.com/articles/20170409#backup-code.

  • If you’re not receiving SMS notifications, but you are still logged in to your Twitter app:

    1. Navigate to your account’s “Settings”.

    2. Tap “Account”, then tap “Security”.

    3. Tap “Login code generator”.

    4. Use the code shown to log in to your Twitter account.

  • If the above tips do not work, and you can still access your account from your device, you can disable login verification by following these steps:

    1. Navigate to your account’s “Settings”.

    2. Tap “Account”, then select “Security”.

    3. Disable “Login verification”.

You can also check out our login verification troubleshooting article for more helpful tips: https://support.twitter.com/articles/20170409.

If you’ve tried the above options and still need help accessing your account, please reply to this email for further assistance. For security reasons, we can only process this request if you contact us from the email address associated with your Twitter account.

If you need to file a new report, you can do so here: https://support.twitter.com/forms/signin.

Thanks,

Twitter Support

I still needed assistance, as I wrote in the original message. :-)

Hello,

We may be able to help you regain access to your account by disabling login verification.

First, we'll need to confirm you as the account owner. Please try logging in once more on https://twitter.com (from a desktop/laptop computer or a mobile web browser) with your correct username and password. This will generate a notification on our end, and we may be able to use this to confirm you as the owner of the account.

Please reply to this email once you've done that, and we'll do our best to help.

Hello, I did it right now.

I was able to find a device where I am logged in, so I could deactivate SMS confirmation. Also, I know where the problem is. My phone is set up correctly but I got no confirmation code. I tried to change the phone number, nothing; I tried to set up SMS confirmation again and also nothing. Probably you have a problem sending SMS to my country or something? Because it was working just fine when I set it up for the first time...

Hello,

Thanks for letting us know! We're happy to hear that you have resolved the issue.

If you have any other questions, you can always check our Help Center for relevant articles: https://support.twitter.com.

I haven't. I'm logged in but I still cannot use login verification because I don't get any text message... this is a bug.

Hello,

If you already have a Twitter account, your next step is to add your phone so you can send and receive Tweets on the go. You can do this via SMS commands, or by going to www.twitter.com.

Via SMS:

  1. First, send START to your Twitter code (40404 in the US).

  2. Reply with YES since you already have an account.

  3. When prompted, send us your username and password. You will receive a message when your sign-up is complete.

  4. Turn Tweets off or on by sending "OFF" or "ON" to Twitter from your phone.

More information can be found here: https://support.twitter.com/articles/14589#add-phone-sms

Via the web:

  1. Log in to www.twitter.com and navigate to your Mobile settings: https://twitter.com/settings/devices

  2. Enter your phone number and click "Activate Phone".

  3. You will then be prompted to send GO to your short code from your mobile device.

More information can be found here: https://support.twitter.com/articles/110250-adding-your-mobile-number-to-your-account-via-web

Hope this helps!

Do you even read my messages or is it just some automaton? I didn't receive any SMS! My phone number is correct and working, I got verification SMS before but not now. There has to be some problem on your part... Can you look at it?

Hello,

We found a page in our help center that we think will help you out: (https://help.twitter.com/en/search?q=received+sms)

If you've checked out that page and are still confused, write back to let us know more about where you're stuck. We'll do our best to help you out!

Really? Please, read my messages. You have a bug somewhere because I don't get any text message on my phone. Please check where the problem is. I would like to use 2FA but cannot because of that.

Hello,

We found a page in our help center that we think will help you out: https://help.twitter.com/en/managing-your-account/two-factor-authentication

If you've checked out that page and are still confused, write back to let us know more about where you're stuck. We'll do our best to help you out!

Yeah, I'm stuck, I guess, with your support not looking into the bug I reported. What page would you recommend me to visit now?

Hello,

We found a page in our help center that we think will help you out: (https://help.twitter.com/en/managing-your-account/issues-with-login-authentication)

If you've checked out that page and are still confused, write back to let us know more about where you're stuck. We'll do our best to help you out!

My phone is working and I waited more than ten minutes and still didn't get the code. Really, can you fix it or tell me what's wrong?

Hello,

You tried to update a case that has been closed. Please submit a new case at http://support.twitter.com/forms. You can also visit our help center at http://support.twitter.com for self-help solutions to common problems.

Hm.

So… who is afraid of AI? Not me. I just hate how it's used everywhere nowadays and it just sucks. Pretty hard.




Travel notes: Šibenik

in travel

I have already written here once about a visit to Croatia; that was with the goal of sailing on the water for a week. Croatia surprised me a lot, but visiting it as such still doesn't attract me. Nevertheless I have already been there three times, the second and third time in Šibenik for a great salsa festival. One of the best there are. And I'm not saying that because it was my first. :-)

Or at least it was. So far my favourite trio is Mamboland, because I haven't yet experienced a better way to improve a lot at a festival; El Sol, because almost everyone I know is there, so it's like the whole salsa family together, let's call it a little Christmas; and then Šibenik, because of the parties.

That was very brief… so, put differently:

The only disadvantage of Šibenik is that this year the party was no longer on the beach all evening (it only moved there after five) and for next year accommodation in Croatia has become a lot more expensive. So if another festival manages to have a tent on the beach for the night party, I'll immediately put Šibenik in second place!

Oh, and I was also in the town. Beautiful. :-) The architecture in Croatia is very photogenic!




Whisky I like

in life

I will not give you a professional analysis of whiskies. I'm really bad at describing the flavour of food and drinks. Take it just as a few notes of mine which can maybe help you find something new you could also like.

Let's start with something softer you can drink all day long. O:-)

Something sharper, for real men. :-)))

And now my favourite section, the smoky ones.

A note on my list: the bold ones are those I like very much and those with an exclamation mark are my tops. Sadly, often also very pricey ones.

Please share which ones you prefer and why. Winter is here, so it's good to keep ourselves warm!




Open letter to salsa organizers

in dance

Dear organizers,

I like to travel very much. It's amazing that I can have dancing as an excuse to go so often. Two-in-one! Actually, it's three-in-one. I have been dancing for a while now, which means I travel more because of the people I can see there than because of the salsa itself. You know the following joke, right? :-)

But I have a problem… that jet lag thing. OK, that's not true. Luckily for me, I'm from Prague, which makes it very easy for me to adjust anywhere in Europe. But there is another lag, I call it salsa lag. With all those parties until 6am and later, and party animals who want to hear the last song, it forces people to come to the party later rather than sooner. Which looks like we dance in another time zone!

It has several flaws. Some attendees need to adjust twice because of two time lags, first jet lag and then the first salsa party of the festival (or congress or whatever you want to call it). That means we are more like zombies. Don't get me wrong, I like zombies! But in movies, not on the dance floor… :-))

Also, during winter it's much harder to see the sun. Or daylight at least. It's very depressing to go to sleep during sunrise and get up between 3pm and 5pm when it's already sunset. I think smiling people look much better (in the pictures) than depressed ones. :-))

It also makes it harder for the cleaning ladies to clean the room. Very often they don't have a chance to clean it at all, because I always sleep during cleaning hours. They must be so confused!

Could we do something about that?

Let's not confuse the cleaning ladies. Let's start the party right after the workshops (those who attend workshops cannot go to the whole party, so it doesn't matter whether they miss the start or the end) and end it much sooner. If you need to do shows, do them between the workshops and the party, which gives people doing workshops time to rest a little bit. And if you do the marathon concept, just cut it sooner to force people to come in the morning. :-)

What do you think?

Thank you and best regards, Michael




It doesn't have to be scrum

in code

I have a feeling that when there is something about agile, it means scrum or kanban. But it's not just that. That's definitely one way to be agile, but it's not a synonym. The most important thing about being agile is communication. You can actually use any system (at least I think so), but without communication you will hardly be agile. To explain what I mean, I'll just describe two current situations.


First, from my day job: I work with a small team on a project which should help build a better Internet. We have no planning (as described in scrum), no stand-ups, no boards, no retrospectives, no regular meetings. But everything works very well and in a very agile way. I visit the company in London once in a while, usually once every two months, where we discuss several things:

Those points are, I would say, very important for being agile. Of course, we do more. Another very important thing for us is to visit the people for whom we are building the project. We are lucky that it's actually a friendly community with many opportunities to hang out with those people. We use those opportunities because it's very useful and important. A lot of people from many places around the world are involved in this project. Any project where you cannot simply go and solve issues face-to-face becomes harder and harder. But we know why, what and for whom we are building that software, and we can make a lot of decisions alone.

Anyway, there will always be many situations when we just don't know. In that case, we prototype. We create some base structure first and then add as many details as we know are safe. By safe I mean those details which are very easily changed or where there is a small chance we will throw them away. That's very important, because showing an example is much easier than describing anything. This way we simplified a lot of things; for example, there was a very complicated feature and we weren't sure why it had to be so complicated, so we created a mock-up of a simpler solution. We had trouble explaining it, but when we showed it, that solution won immediately.

I think it's clear, but to be exact, we don't have any specification. We don't write any detailed issues (or tasks or user stories, whatever you want). We really rely on communication. We benefit from knowing why, and from knowing our users. And I think it's much better for both sides than any specification. I haven't seen in my life a good specification (of any kind) which would help us (programmers) understand the problem better. I'm very glad that we just discuss everything and then we (developers) create issues in our issue tracker.


Second, my home projects: I had two ideas in the last months, but I didn't know exactly how they should look or even exactly how they should work. Well, I just started with a base structure. Some mock-up with a proof of concept that it can work. As I saw the first versions I got a lot of ideas about how it could be better. How it could fulfil my needs much better.

I was creating many issues, but a lot of them were just not worth doing. I would spend a lot of time on them and they wouldn't bring me as much value as the others. That's something not even I knew at the time I got the idea. But I was the end user, product manager, designer and programmer at the same time, so I could decide very quickly which issue to do first, which later and which to just ignore. I could decide that in milliseconds. Actually, I could change direction right away, but the main goal (without a specification) stayed the same.


You probably see what I'm trying to say. If you focus on all the meetings and proper specifications and everything… it's nothing compared to having proper communication. If the product owner can explain the goal well and why they need some features, then you are free to do it your way and change decisions at any time as long as the goal stays the same. I'm not saying not to do scrum or other agile techniques; I'm saying that those regular meetings have a meaning, to bring this communication. Just bringing those meetings to the team doesn't mean anything.

I also wanted to say to programmers: don't be afraid to work without specifications. I made that mistake before as well. I was asking for a better specification, and if there wasn't a good one we complained, and it was also our excuse for many problems. I was so wrong! Thanks to my last two projects I could see that even I was unable to create a specification. It was much better to create a functional mock-up, try to use it, change it and continue with the next details and features. Finally, I'm not afraid to delete code. To be a better programmer, don't be either.

P.S.: Of course every project and team needs something different, but communication is the main tool which has to be there.

P.S.2: Go watch my favourite video describing agile in a nutshell.

P.S.3: If you are curious about what I am building, stay tuned. I will share that soon. :-)