Tip: Firefox address bar, avoiding phishing scams

Paul Moore tweeted this demonstration of a rather devious phishing scam earlier, where someone has taken advantage of the fact a capital I can look virtually identical to a lower-case L in sans-serif fonts* (and therefore a hacker can register a domain with the incorrect spelling and provide a link that tricks people.). Letters can also be paired: an adjacent r and n make a convincing m if you’re not looking closely.

There is some protection in browsers against this nowadays: as soon as you press return (though not as you type or paste the URL in) the entire address is converted to lower case. In Firefox, the domain is highlighted in black while the rest – including, crucially, any subdomains that precede it – is greyed out, providing a further hint to the site’s real identity.

It’s common for phishing scams to use multiple subdomains to make you think you’re on the genuine site – e.g https://www.mytrustworthybank.com.somewhere.suspicio.us/login

You can go a step further.  The Firefox address bar can be customised via the userChrome.css CSS file –on a Mac you need to go to ~/Library/Application Support/Firefox/Profiles/[your profile]/chrome and create a copy based on userChrome-example.css

Add the following and restart:

#urlbar {
    font-size: 21px !important;
    font-family: serif !important;
}

This will make the font bigger and use the default serif font rather than a sans-serif one.  I and L are easy to distinguish and, for web developers, having a larger typeface probably helps, regardless of how good your eyesight is – we look at URLs more often than most people, after all. It ought to reduce the number of typos you make.

Firefox address bar

There are Add-ons that do similar things if you don’t want to write your own CSS.

GDS, the Government Digital Service, use a specially designed sans-serif font called New Transport based on Kinneir and Calvert’s work on British road signs.  Note the legibility clues, especially the curve at the bottom of the lower-case L.

Over time we’ve recognised text inputs are better when they’re bigger and made it easier for users to change the zoom level, but the address bar has remained resolutely small and in a font that’s not as legible as it might be. Perhaps we should fix that.

* It can happen the other way round too (in this case it was Sky’s fault for forcing a screenshot into the wrong aspect ratio, making a lower-case L slightly fatter and easily mistaken for a lower-case I, particular after it’s been bounced sent through the vision mixer and the presenter has to read it off a screen several metres away.)

Apple launch Safari “Technology Preview”

Equivalent to Chrome Canary and Firefox Developer Edition. Fortnightly updates. Requires 10.11.4 (El Capitan).  New features that interest me:  javascript-based clipboard cut and copy (not paste) and improved Content Security Policy support.

What’s encouraging is this may mean Apple are allocating greater resources to Safari development.

Narrowing the cause of the iOS Spotlight bug

Preamble: This isn’t a usable solution.

It does work  100% of the time for me, and it is quick, the trouble is the bug typically reappears so soon afterwards it’s not worth the effort if you have to go through this procedure every time you want to use Spotlight.

Normally, I’d only write about bugs I’ve found how to fix. I’m choosing to write about this one primarily to save you wasting your time on other workarounds that won’t help.

The bug: A common iOS 8/9 problem is that Spotlight search suddenly stops —permanently or intermittently — returning any results.  You type in a query and wait (or press Search) and nothing happens; the screen is completely blank.

This is frustrating because when it does work, Spotlight is an extremely time-saving feature, but when it doesn’t you’ve actually wasted your time.

Old fixes (limited success):

  • Reboot (always works but only for a short time)
  • Send an email to yourself (once worked for me, usually doesn’t)
  • Toggle various (or even all) apps on/off in Settings > General > Spotlight Search (very time consuming – you could easily have over 100 apps installed, no guarantee of success)

New fix (100% success so far):

  • Force close every single app.

i.e. double-press Home button, then move through all your apps, swiping up on each.  It won’t take very long. Faster than restarting. Now try a search and it should work straight away.  Losing the history isn’t a great disadvantage; typically, people will only swipe to the last few apps they’ve opened.

Unfortunately, it only takes opening one or two apps for it to break again.  Sometimes opening tabs in Safari trigger it, and terminating that alone will work, often it’s another app or apps.  Quite hard to guess which in my experience.

Speculation as to cause:

  • The good news is this seems to rule out the possibility  Spotlight’s search index has become corrupted. (I wouldn’t waste your time reinstalling / resetting your device.)
  • It feels like it’s a memory issue.  I’m using this on an iPhone with 1GB of RAM. I’d be very interested if you’re using a more recent phone with increased RAM and have/haven’t seen it.  (Note I’ve never experienced it on an iPad.)

I will file another bug report with Apple but I’m not very optimistic given people started seeing this in iOS 8.

Workaround for broken Yahoo! Weather apps

Update – 27 July 2016 – the alternative URL stopped working in mid-April, however you can get weather data via a simple plain, unsigned YQL GET request. See my example.

As indicated in this Reddit thread as well as numerous blogs this past week, Yahoo! have changed their XML weather feed (which provides get current observations and a forecast for the city of your choice) from an open service that responds to simple HTTP GET requests to a locked-down API using OAuth.

Unfortunately – though entirely predictably, given it’s widespread use – this has broken things all over the place. It doesn’t help that the Yahoo Developer blog hasn’t been updated since July 2013.

Fortunately there’s a quick workaround by changing the URL if you don’t have time (or the skills, or the suitable web-hosting) to setup OAuth.

Old broken URL for London:

http://weather.yahooapis.com/forecastrss?w=44418&u=c

New working URL, no OAuth required:  Now doesn’t work either

http://xml.weather.yahoo.com/forecastrss?w=44418&u=c

Caveat: Clearly there’s no guarantee whether [sic] this will continue to work.

Other options: OpenWeatherMap looks promising.

Opinion: A public weather feed shouldn’t require authentication. I mean, it’s the weather. Caching? Yes. Rate limiting? Perhaps. API keys? No (or at least, not a legacy service with a single endpoint.)

Also, if you’re providing a service for free, great, but it’s probably worth also creating a blog or mailing list for announcements and encouraging everyone to sign up to it.

Further light reading (if a little tangential): Adactio on Digital Preservation (2012)

OS X El Capitan upgrade tips

(updated Sun 3 April 2016)

Yesterday I upgraded my primary computer (a 2012 Mac Mini) to El Capitan (OS X 10.11).

It’s normal for me to wait 6 months or so for the .3 or .4 OS X release, to allow Apple to fix hardware, networking, performance problems or random bugs and – crucially – for other developers to do the same with their applications (by no means everyone is actively testing software on the beta versions.) I’d recommend this to others.

Installation notes/tips:

  • Backup first (obviously.)
  • I recovered around 40GB of free space after installation (and 17GB on a Macbook Air upgraded soon after.)
  • performance is generally snappier (the CPU graph in Activity Monitor looks flatter when the system is idle, also considerable improvements when previewing files – not just PDFs but video as well)
  • performance will degrade considerably immediately after installation (less so on an SSD, but the Mac Mini’s HDD + Fusion Drive suffered a lot) as Spotlight reindexes everything (you’ll see sustained high disk IO and high CPU from md5 and associated processes.) If there is more than one user of the computer, this will happen the first time each user logs in, as each has a separate Spotlight database.  If you use Dropbox, temporarily quitting that will help it complete faster.  Keep Activity Monitor open and once indexing has finished, disk IO will return to zero.
  • I recommend a clean restart after that to check everything is ok.
  • You’ll need to upgrade the usual things, e.g. XCode, any Text to Speech voices you have installed.
  • Homebrew requires a change of ownership for /usr/local/ – see discussion on Stack Exchange – to the best of my knowledge chown -R is perfectly safe, but you certainly shouldn’t start messing around disabling SIP.
  • SuperDuper – a program that does disk backups and cloning – requires you delete and recreate any existing scheduled backups, otherwise they won’t run.  More info
  • Expect to do one large Time Machine backup afterwards (again, this was smaller on the Macbook Air.)

Software compatibility:

  • I only had one program that was incompatible, a version of GPG (encryption).
  • If you still have Photoshop CS4, it needs the old version of Java. This is painless – on attempting to run it a Dialog Box informs you of this, the More Info button links to an Apple support page with a direct download to the file. You just install it and it works straight away.
  • No issues at all with PhpStorm (Jetbrains had display problems last year because of java bugs.)

Security:

Previously, Apple developed two-step authentication, with El Capitan they added two-factor authentication.  The former is still supported, the latter is more secure – “It uses different methods to trust devices and deliver verification codes” – but it requires first turning 2-step off, adding security questions (note your answers are max 32 characters) and then setting up 2-factor on an iOS device (which’ll discard the security questions you just created.)  Instructions (9to5mac)

Note that, given the current Apple/US government iPhone case, if you can’t get in with two-factor there is a recovery process (unlike if you lose your FileVault recovery key, say) but it’s not immediate.  The KB article refers to a confirmation email to your registered account, possibly being required to confirm credit card details etc.

How to turn off Fail2Ban email notifications

Updated 23 Mar 2016 with corrections.
(These instructions based on a CentOS machine I’m responsible for.)

You may find yourself getting multiple emails per day from a server running Fail2Ban, each and every time it blocks an IP address after several failed SSH logins, e.g.

Subject: [Fail2Ban] SSH: banned 123.123.123.123 from myserver

It’s not terribly obvious how to disable these – you’ll find plenty of threads from people asking how to turn Fail2Ban notifications on, not so many asking how to turn them off, also the concepts and syntax takes a bit of getting used to…

In /etc/fail2ban/jail.conf` there’s a section that describes various actions – look for action_, action_mw and action_mwl.  You’ll see they vary in scope, from just writing to the logfile to emailing the sysadmin (or even administrators identified in whois lookups) or automatically banning IPs from 3rd-party services like CloudFlare.

Further down is this:

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

In other words, you can have a single definition in /etc/fail2ban/jail.conf and reuse it in jail.local without writing it out again in full.  It will need to go in the correct [section] (or “jail”) or under [DEFAULT].

I’d recommend changing one thing at a time – many of the checks (FTP etc.) will be disabled by default anyway.

Note: your jail.local file may have the actions written out in full as well (mine did) in which case you can just manually remove the sendmail line.  Adding a duplicate action won’t produce a warning anywhere, fail2ban will just use the last one one.

But there’s no [ssh] section? Which of these “jails” do I use?

[ssh-iptables]
[ssh-tcpwrapper]
[ssh-route]
[ssh-iptables-ipset4]
[ssh-iptables-ipset6]
[ssh-iptables-ipset6]

Check fail2ban’s status to get a list of which jails it’s using, e.g.

sudo service fail2ban status
fail2ban-server (pid  9427) is running...
Status
|- Number of jail:    1
`- Jail list:    ssh-iptables

Your default jail.local will likely already have enabled=true or false lines for each jail too.

Remember to restart the service.

sudo service fail2ban restart

Checking what Fail2Ban doing now you no longer have email alerts

See the entries in /var/log/messages, such as:

Mar 21 13:41:54 myserver fail2ban.filter[3306]: INFO [ssh-iptables] Found 123.123.123.123
Mar 21 13:41:55 myserver fail2ban.filter[3306]: INFO [ssh-iptables] Found 
123.123.123.123
Mar 21 13:41:56 myserver fail2ban.filter[3306]: INFO [ssh-iptables] Found 123.123.123.123
Mar 21 13:41:57 myserver fail2ban.filter[3306]: INFO [ssh-iptables] Found 123.123.123.123
Mar 21 13:41:58 myserver fail2ban.filter[3306]: INFO [ssh-iptables] Found 123.123.123.123
Mar 21 13:41:59 myserver fail2ban.actions[3306]: NOTICE [ssh-iptables] Ban 123.123.123.123

Apple Beta Software enrollment bug fixed

There was a bug where if you wanted to enroll (or possibly just re-enroll) an iPhone into the iOS 9.3 public beta, you’d get as far as Step 2 (Download Profile), and on clicking the blue button the server would hang for 10-15 seconds or so then present you with an error message and an MD5 hash.

They’ve fixed it now. So you can install iOS 9.3 in advance of the Apple event on the 21st (the final version might be the same build — 13E5233a — as the current beta and they might release it on Monday, or they might wait until one week later. Who knows?)  At version 7 it’s looking pretty polished now though.