Planet ALUG

Planet ALUG - http://planet.alug.org.uk/

Mick Morgan: cameron meets corbyn

Sat, 28/11/2015 - 20:01

(With thanks to David Malki!)

Categories: LUG Community Blogs

Mick Morgan: christmas present

Mon, 23/11/2015 - 19:12

Like most people in the UK at this time of the year I’ve been doing some on-line shopping lately. Consequently I’m waiting for several deliveries. Some delivery companies (DHL are a good example) actually allow you to track your parcels on-line. In order to do this they usually send out text or email messages giving the tracking ID. Today I received an email purporting to come from UKMail. That email message said:

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service. Where the law prevents such exclusion and implies conditions and warranties into this contract, where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again. If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping. You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

I /very/ nearly opened the attached file. That is probably the closest I have come to reacting incorrectly to a phishing attack. Nice try guys. And a very good piece of social engineering given the time of year.

VirusTotal suggests that the attached file is a malicious Word macro container. Interestingly though, only 7 of the 55 AV products that VirusTotal uses identified the attachment as malicious. And even they couldn’t agree on the identity of the malware. I suspect that it may be a relatively new piece of code.
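When only a handful of engines flag an attachment, a quick local check of whether the file is an Office document that actually carries a VBA project is a useful second opinion. The script below is an added example, not the post's own tooling, and it works on constructed sample files built in memory rather than on the real attachment: legacy .doc files are OLE compound files whose directory names the VBA storages in UTF-16LE, and macro-enabled OOXML files (.docm and friends) are zips containing a vbaProject.bin part. The string scan for the OLE case is a heuristic; for real analysis use oletools' olevba, which parses the OLE directory properly.

```python
"""Triage heuristic: does an e-mail attachment look like an Office document
that carries a VBA macro?  Added example with constructed inputs, not the
post's own code and not a substitute for a proper OLE parser."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header (legacy .doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/.xlsm) is a zip container

# Storage names a legacy Word document uses for its VBA project; the OLE directory
# stores them as UTF-16LE, so that is the byte pattern to look for.
OLE_VBA_MARKERS = {name: name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")}
# Parts that only exist in macro-enabled OOXML documents.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_attachment(blob: bytes) -> dict:
    """Return the container type and any evidence of an embedded VBA project."""
    result = {"container": "unknown", "has_vba": False, "evidence": []}
    if blob.startswith(OLE_MAGIC):
        result["container"] = "ole"
        for name, marker in OLE_VBA_MARKERS.items():
            if marker in blob:
                result["evidence"].append(name)
    elif blob.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            result["container"] = "zip-corrupt"
            return result
        result["evidence"].extend(p for p in OOXML_VBA_PARTS if p in names)
    result["has_vba"] = bool(result["evidence"])
    return result


def make_fake_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_fake_ole(with_macro: bool) -> bytes:
    """Constructed sample: OLE magic plus padding, optionally with a VBA storage name."""
    body = OLE_MAGIC + b"\x00" * 64
    if with_macro:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body


if __name__ == "__main__":
    for label, blob in (("docm", make_fake_ooxml(True)), ("docx", make_fake_ooxml(False)),
                        ("doc+vba", make_fake_ole(True)), ("doc", make_fake_ole(False))):
        print(label, classify_attachment(blob))
```

Run it against a saved attachment with `classify_attachment(open(path, "rb").read())`; a `has_vba` of True on an unsolicited "parcel" or "invoice" document is reason enough to bin it regardless of what the AV engines say.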


Jonathan McDowell: Updating a Brother HL-3040CN firmware from Linux

Sat, 21/11/2015 - 13:27

I have a Brother HL-3040CN networked colour laser printer. I bought it 5 years ago and I kinda wish I hadn’t. I’d done the appropriate research to confirm it worked with Linux, but I didn’t realise it only worked via a 32-bit binary driver. It’s the only reason I have 32 bit enabled on my house server and I really wish I’d either bought a GDI printer that had an open driver (Samsung were great for this in the past) or something that did PCL or Postscript (my parents have an Xerox Phaser that Just Works). However I don’t print much (still just on my first set of toner) and once set up, the driver hasn’t needed much kicking.

A more major problem comes with firmware updates. Brother only ship update software for Windows and OS X. I have a Windows VM but the updater wants the full printer driver setup installed and that seems like overkill. I did a bit of poking around and found a reference in the service manual to the ability to do an update via USB and a firmware file. Further digging led me to a page on resurrecting a Brother HL-2250DN, which discusses recovering from a failed firmware flash. It provided a way of asking the Brother site for the firmware information.

First I queried my printer details:

$ snmpwalk -v 2c -c public hl3040cn.local iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.1 = STRING: "MODEL=\"HL-3040CN series\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.2 = STRING: "SERIAL=\"G0JXXXXXX\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.3 = STRING: "SPEC=\"0001\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.4 = STRING: "FIRMID=\"MAIN\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.5 = STRING: "FIRMVER=\"1.11\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.6 = STRING: "FIRMID=\"PCLPS\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.7 = STRING: "FIRMVER=\"1.02\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.8 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.9 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.10 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.11 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.12 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.13 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.14 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.15 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.16 = STRING: ""

I used that to craft an update file which I sent to Brother via curl:

curl -X POST -d @hl3040cn-update.xml https://firmverup.brother.co.jp/kne_bh7_update_nt_ssl/ifax2.asmx/fileUpdate -H "Content-Type:text/xml" --sslv3

This gave me back some XML with a URL for the latest main firmware, version 1.19, filename LZ2599_N.djf. I downloaded that and took a look at it, discovering it looked like a PJL file. I figured I’d see what happened if I sent it to the printer:

cat LZ2599_N.djf | nc hl3040cn.local 9100

The LCD on the front of printer proceeded to display something like “Updating Program” and eventually the printer re-DHCPed and indicated the main firmware had gone from 1.11 to 1.19. Great! However the PCLPS firmware was still at 1.02 and I’d got the impression that 1.04 was out. I didn’t manage to figure out how to get the Brother update website to give me the 1.04 firmware, but I did manage to find a copy of LZ2600_D.djf which I was then able to send to the printer in the same way. This led to:

$ snmpwalk -v 2c -c public hl3040cn.local iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.1 = STRING: "MODEL=\"HL-3040CN series\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.2 = STRING: "SERIAL=\"G0JXXXXXX\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.3 = STRING: "SPEC=\"0001\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.4 = STRING: "FIRMID=\"MAIN\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.5 = STRING: "FIRMVER=\"1.19\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.6 = STRING: "FIRMID=\"PCLPS\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.7 = STRING: "FIRMVER=\"1.04\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.8 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.9 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.10 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.11 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.12 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.13 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.14 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.15 = STRING: ""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.16 = STRING: ""

Cool, eh?

[Disclaimer: This worked for me. I’ve no idea if it’ll work for anyone else. Don’t come running to me if you brick your printer.]
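Two things in the procedure above are worth keeping in mind before repeating it. The firmware URL was fetched with `--sslv3`, forcing a protocol that has been deprecated for known weaknesses, and the file was then pushed to TCP port 9100 with no authentication at all: the printer took an image off the raw-print port and reflashed itself, which means anything on that network segment can do the same. The script below is an added example, not the post's own code. It parses the snmpwalk dumps the post shows (reproduced as constructed input, serial already masked) into structured firmware info, diffs the before and after state so a flash can be confirmed without reading OIDs by eye, and only sends a file to port 9100 if it at least starts with the standard PJL Universal Exit Language sequence (`ESC %-12345X`), which is the one sanity check the page's evidence supports. The hostname hl3040cn.local is the one from the post; nothing else about the printer is assumed.

```python
"""Added example: parse Brother SNMP firmware info, diff it before/after an
update, and gate a raw port-9100 send on the file looking like a PJL job.
Not the post's own code; inputs are the post's snmpwalk output, reproduced."""
import re
import socket

# Constructed from the first snmpwalk dump in the post (serial was masked there too).
SNMP_BEFORE = r"""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.1 = STRING: "MODEL=\"HL-3040CN series\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.2 = STRING: "SERIAL=\"G0JXXXXXX\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.3 = STRING: "SPEC=\"0001\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.4 = STRING: "FIRMID=\"MAIN\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.5 = STRING: "FIRMVER=\"1.11\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.6 = STRING: "FIRMID=\"PCLPS\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.7 = STRING: "FIRMVER=\"1.02\""
iso.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.8 = STRING: ""
"""
# The post-update dump differs only in the two version strings.
SNMP_AFTER = (SNMP_BEFORE
              .replace('FIRMVER=\\"1.11\\"', 'FIRMVER=\\"1.19\\"')
              .replace('FIRMVER=\\"1.02\\"', 'FIRMVER=\\"1.04\\"'))

# snmpwalk prints the inner quotes escaped, so match KEY=\"value\" inside the STRING.
_KV = re.compile(r'STRING: "(\w+)=\\"([^"]*)\\""')


def parse_brother_info(snmp_output: str) -> dict:
    """Turn the OID dump into {'MODEL': ..., 'SERIAL': ..., 'firmware': {id: version}}.
    FIRMID/FIRMVER come as consecutive pairs, so remember the last FIRMID seen."""
    info = {"firmware": {}}
    current_id = None
    for line in snmp_output.splitlines():
        m = _KV.search(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "FIRMID":
            current_id = value
        elif key == "FIRMVER" and current_id is not None:
            info["firmware"][current_id] = value
            current_id = None
        else:
            info[key] = value
    return info


def firmware_changes(before: str, after: str) -> dict:
    """{firmware_id: (old_version, new_version)} for every component that changed."""
    old = parse_brother_info(before)["firmware"]
    new = parse_brother_info(after)["firmware"]
    return {fid: (old.get(fid), ver) for fid, ver in new.items() if old.get(fid) != ver}


PJL_UEL = b"\x1b%-12345X"  # Universal Exit Language prefix that opens a PJL job


def looks_like_pjl(blob: bytes) -> bool:
    """Cheap sanity check before sending anything to the raw-print port."""
    return blob.startswith(PJL_UEL)


def send_raw_job(host: str, blob: bytes, port: int = 9100, timeout: float = 30.0) -> int:
    """What `nc host 9100` did in the post, but refusing files that are not PJL.
    Returns the number of bytes sent. No integrity check is possible here: that
    has to happen when the file is downloaded, not when it is flashed."""
    if not looks_like_pjl(blob):
        raise ValueError("refusing to send: file does not start with a PJL UEL header")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(blob)
    return len(blob)


if __name__ == "__main__":
    print(parse_brother_info(SNMP_BEFORE))
    print(firmware_changes(SNMP_BEFORE, SNMP_AFTER))
    # send_raw_job("hl3040cn.local", open("LZ2599_N.djf", "rb").read())  # only when you mean it
```

To use it against a live printer, capture `snmpwalk` output before and after into two strings and feed them to `firmware_changes`; an empty dict after the LCD has gone back to Ready means the flash did not take.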


Steve Engledow (stilvoid): Newstalgia

Tue, 17/11/2015 - 23:57

Well, well, after talking about my time at university only yesterday, tonight I saw Christian Death who were more or less the soundtrack to my degree with their compilation album The Bible.

I'm pleased to say they seemed like thoroughly nice folks and played a good gig. Proving my lack of musical snobbery (which, to be honest, generally goes with the goth scene), I only knew one song but enjoyed everything they played, from new stuff to old.

The support band was a local act called Painted Heathers who (for me, at least) set the scene nicely and represented an innovative, modern take on the musical theme behind the act they were supporting. Essentially an indie band with goth leanings (I wonder if they agree), they suit my current musical bent (I play keyboards in an indie band) and the mood I was in. They're very new, young, and I shall spread their word for them if I can :)


Steve Engledow (stilvoid): More ale

Tue, 17/11/2015 - 00:35

There are several reasons I took the degree course I did - joint honours in Philosophy and Linguistics - but the prime one is that I really felt I wanted to study something I would enjoy rather than something that would guarantee me a better career. To be honest, my degree subject versus the line of work I'm in - software development - is usually a good talking point in interviews and has probably landed me more jobs than if I'd had a degree in Computer Science.

The recent events in Paris, leaving politics aside, were an undeniably bad thing and the recent news coverage and various (sometimes depressingly moronic) Facebook posts on the subject got me thinking about moral philosophy again. Specifically, given we see conflicts between groups of people ostensibly because they live according to different moral codes (let's ignore the fact that their motivations are clearly not based on this at all) and those codes are complex and ambiguous (some might say intentionally so), can there be a moral code that's simple, unambiguous, and agreeable?

My 6th form philosophy teacher, Dr. John Beresford-Fry (Dr. Fry - I can't find him online. If anyone knows how to contact him, I'd love to speak to him again), believed he had a simple code that worked:

Do nothing gratuitous.

To my mind, that doesn't quite cut it; I don't think it's actually possible to do anything completely gratuitously; there's always some reason or reasoning behind an action. Maybe he meant something more subtle and it's been lost on me.

Some years ago, I thought I had a nice simple formulation:

Act as though everyone has the right to do whatever they wish.

or

You may do whatever you want so long as it doesn't restrict anybody's right to do the same.

Today though, I was going round in very big circles trying to think that one through. It works ok for simple, extreme cases (murder, rape, theft) and even plays nicely (I think) in some grey areas (streaming movies illegally) but I really couldn't figure out how to apply it to anyone in a position of power. How could an MP apply that rule when voting on bringing in a law to raise the minimum wage?

Come to think of it, how could an MP apply any rule when voting on any law?

Then I remembered the conclusion I came to when I was nearing the end of my philosophy course: the sentimentalists or the nihilists probably have it right.

Oh well, it kept me busy for a bit, eh ;)

Note to self: I had an idea for a game around moral philosophy, don't forget it!


Mick Morgan: torflow

Tue, 10/11/2015 - 12:19

Yesterday, Kenneth Freeman posted a note to the tor-relays list drawing attention to a new resource called TorFlow. TorFlow is a beautiful visualisation of Tor network traffic around the world. It enables you to see where traffic is concentrated (Europe) and where there is almost none (Australasia). Having the data overlaid on a world map gives a startling picture of the unfortunate concentration of Tor nodes in particular locations.

I recently moved my own relay from Amsterdam (190 relays) to London (133) but the network needs much more geo-diversity. Unfortunately, international bandwidth costs are lowest in the areas where relays are currently located. Given that the relays are all (well, nearly all…..) run by volunteers like me and funded out of their own pockets it is perhaps not surprising that this concentration should occur. But it is not healthy for the network.

There appears to be a particularly intriguing concentration of 16 relays on a tiny island in the Gulf of Guinea. Apparently this is an artifact though because those relays are all at (0, 0) which I am told GeoIP uses as a placeholder for “unknown” (in fact, GeoIP location is a somewhat imprecise art so there may be other anomalies in the data.)


Steve Engledow (stilvoid): Dear diary...

Tue, 10/11/2015 - 01:17

It's been quite some time since I last got round to writing anything here; almost two months. Life has been fairly eventful in that short time. At least, work has.

During every performance review I've had since I joined Proxama, there's one goal I've consistently brought up: that I wanted to have more of an influence over the way we write and deliver software and the tools we use. That's the sort of thing I'm really interested in.

Having made it to head of the server delivery team, I had a good taste of the sort of oversight that I was looking for but a few weeks ago, I got the opportunity to take on a role that encompasses both server and mobile, development and QA so of course I jumped at the chance... and got it!

Naïvely, when I took on the role, I thought I'd be doing more of the same as I was before (a bit of line management, code reviews, shaping upcoming work, architecture, occasionally writing code), just with a larger team. This is turning out not to be the case but in quite a positive way - so far, at least. I feel as though I now have the opportunity to sit a little further back, get some thinking time, and right a few wrongs that have built up over the years. Whether I'm achieving that remains to be seen ;)

Another thought that occurred to me the other day is that way back when I was at school, I never really imagined I'd end up in a technical role. I always imagined I'd either be a maths teacher or that I'd be a writer or editor for a newspaper or magazine. I'm finding out that my new job at Proxama requires me to write quite a lot of papers on various technical subjects. Double win.

In short, I'm enjoying some of my days more, trying very hard (and sometimes failing) not to worry about the details, focus on the bigger picture and trust that the other things will fall into place (and sort it out where they don't). Is this what it's like going "post technical"? I'm slightly worried I'll forget how to code if I don't do a bit more of it.

Today, I spent a very, very long time fighting Jira. That wasn't fun.

Note to self: book some time in to write some code.


Jonathan McDowell: The Joy of Recruiters

Mon, 09/11/2015 - 17:45

Last week Simon retweeted a link to Don’t Feed the Beast – the Great Tech Recruiter Infestation. Which reminded me I’d been meaning to comment on my own experiences from earlier in the year.

I don’t entertain the same level of bile as displayed in the post, but I do have a significant level of disappointment in the recruitment industry. I had conversations with 3 different agencies, all of whom were geographically relevant. One contacted me, the other 2 (one I’d dealt with before, one that was recommended to me) I contacted myself. All managed to fail to communicate with any level of acceptability.

The agency that contacted me eventually went quiet, after having asked if they could put my CV forward for a role and pushing very hard about when I could interview. The contact in the agency I’d dealt with before replied to say I was being passed to someone else who would get in contact. Who of course didn’t. And the final agency, who had been recommended, passed me between 3 different people, said they were confident they could find me something, and then went dark except for signing me up to their generic jobs list which failed to have anything of relevance on it.

As it happens my availability and skill set were not conducive to results at that point in time, so my beef isn’t with the inability to find a role. Instead it’s with the poor levels of communication presented by an industry which seems, to me, to have communication as part of the core value it should be offering. If anyone had said at the start “Look, it’s going to be tricky, we’ll see what we can do” or “Look, that’s not what we really deal in, we can’t help”, that would have been fine. I’m fine with explanations. I get really miffed when I’m just left hanging.

I’d love to be able to say I’ll never deal with a recruiter again, but the fact of the matter is they do serve a purpose. There’s only so far a company can get with word of mouth recruitment; eventually that network of personal connections from existing employees who are considering moving dries up. Advertising might get you some more people, but it can also result in people who are hugely inappropriate for the role. From the company point of view recruiters nominally fulfil 2 roles. Firstly they connect the prospective employer with a potentially wider base of candidates. Secondly they should be able to do some sort of, at least basic, filtering of whether a candidate is appropriate for a role. From the candidate point of view the recruiter hopefully has a better knowledge of what roles are out there.

However the incentives to please each side are hugely unbalanced. The candidate isn’t paying the recruiter. “If you’re not paying for it, you’re the product” may be bandied around too often, but I believe this is one of the instances where it’s very applicable. A recruiter is paid by their ability to deliver viable candidates to prospective employers. The delivery of these candidates is the service. Whether or not the candidate is happy with the job is irrelevant beyond them staying long enough that the placement fee can be claimed. The lengthy commercial relationship is ideally between the company and the recruitment agency, not the candidate and the agency. A recruiter wants to be able to say “Look at the fine candidate I provided last time, you should always come to me first in future”. There’s a certain element of wanting the candidate to come back if/when they are looking for a new role, but it’s not a primary concern.

It is notable that the recommendations I’d received were from people who had been on the hiring side of things. The recruiter has a vested interest in keeping the employer happy, in the hope of a sustained relationship. There is little motivation for keeping the candidate happy, as long as you don’t manage to scare them off. And, in fact, if you scare some off, who cares? A recruiter doesn’t get paid for providing the best possible candidate. Or indeed a candidate who will fully engage with the role. All they’re required to provide is a hire-able candidate who takes the role.

I’m not sure what the resolution is to this. Word of mouth only scales so far for both employer and candidate. Many of the big job websites seem to be full of recruiters rather than real employers. And I’m sure there are some decent recruiters out there doing a good job, keeping both sides happy and earning their significant cut. I’m sad to say I can’t foresee any big change any time soon.

[Note I’m not currently looking for employment.]

[No recruitment agencies were harmed in the writing of this post. I have deliberately tried to avoid outing anyone in particular.]


Daniel Silverstone (Kinnison): A haiku about Haiku

Sun, 01/11/2015 - 14:59

I know I don't mention a season, and I'm a few hours late for hallowe'en, but here's a haiku about Haiku:

A death, once again,
The master sighs, and fixes,
It rises up, undead.


Chris Lamb: Free software activities in October 2015

Sat, 31/10/2015 - 21:32

Here is my monthly update covering a large part of what I have been doing in the free software world (previously):

Debian

My work in the Reproducible Builds project was also covered in more depth in Lunar's weekly reports (#23, #24, #25, #26).

LTS

This month I have been paid to work 11 hours on Debian Long Term Support (LTS). In that time I did the following:

  • DLA 326-1 for zendframework fixing an SQL injection vulnerability.
  • DLA 332-1 for optipng correcting a use-after-free issue.
  • DLA 333-1 for cakephp preventing a remote Denial of Service attack.
  • DLA 337-1 for busybox fixing a vulnerability when unzipping a specially crafted zip file.
  • DLA 338-1 for xscreensaver preventing a crash when hot-swapping monitors.
Uploads
  • redis — New upstream release as well as changing the default UNIX socket location and correctly supporting "cluster" mode config file hardening and redis-sentinel's runtime directory handling under systemd. An update for jessie was also uploaded.
  • python-redis — Attempting to get the autopkgtest tests to finally pass.
  • debian-timeline — Making the build reproducible.
  • gunicorn — New upstream release.
Patches contributed

RC bugs

I also filed FTBFS bugs against arora, barry, django-ajax-selects, django-polymorphic, django-sitetree, flask-autoindex, flask-babel, genparse, golang-github-jacobsa-ogletest, healpy, jarisplayer, jsurf-alggeo, kmidimon, libmapper, libpreludedb, mathgl, metview, miaviewit, moksha.common, monster-masher, node-connect, node-postgres, opensurgsim, php-xml-rss, pokerth, pylint-django, python-django-contact-form, python-pyqtgraph, python-pyramid, qlipper, r-bioc-cummerbund, r-bioc-genomicalignments, rawdns, ruby-haml-rails, ruby-omniauth-ldap, scute, stellarium, step, synfigstudio, tulip, xdot, & yelp.


Jonathan McDowell: Thoughts on the LG G Watch R Android smartwatch

Sat, 31/10/2015 - 15:06

Back in March I was given an LG G Watch R, the first Android Wear smartwatch to have a full round display (the Moto 360 was earlier, but has a bit cut off the bottom of the actual display). I’d promised I’d get round to making some comments about it once I’d had it for a while and have failed to do so until now. Note that this is very much comments on the watch from a user point of view; I haven’t got to the point of trying to do any development or other hacking of it.

Firstly, it’s important to note I already was wearing a watch and have been doing so for all of my adult life. Just a basic, unobtrusive analogue watch (I’ve had a couple since I was 18, before that it was pretty much every type of calculator watch available at some point), but I can’t remember a period where I didn’t. The G Watch R is bulkier than what I was previously wearing, but I haven’t found it obtrusive. And I love the way it looks; if you don’t look closely it doesn’t look like a smart watch (and really it’s only the screen that gives it away).

Secondly, I already would have taken my watch off at night and when I was showering. So while the fact that the battery on the G Watch R will really only last a day and a half is by far and away its most annoying problem, it’s not as bad as it could be for me. The supplied charging dock is magnetic, so it lives on my bedside table and I just drop the watch in it when I go to bed.

With those details out of the way, what have I thought of it? It’s certainly a neat gadget. Being able to see my notifications without having to take my phone out of my pocket is more convenient than I expected - especially when it’s something like an unimportant email that I can then easily dismiss by swiping the watch face. My agenda being just a flick away, very convenient, particularly when I’m still at the stage of trying to remember where my next lecture is. Having walking directions from Google Maps show up on the watch (and be accompanied by a gentle vibration when I need to change direction) is pretty handy too. The ability to take pictures via the phone camera, not so much. Perhaps if it showed me roughly what I was about to photograph, but without that it’s no easier than using the phone interface. It’s mostly an interface for consuming information - I’ve tried the text to SMS interface a few times, but it’s just not reliable enough that I’d choose to use it.

I’ve also been pleased to see it get several updates from LG in the time I’ve had it. First the upgrade from Wear 4.4 to Wear 5.1 (probably via 5.0 but I forget), but also the enabling of wifi support. The hardware could always support this, but initially Android Wear didn’t and then there was some uncertainty about the FCC certification for the G Watch R. I can’t say I use it much (mostly the phone is within range) but it’s nice to see the improvements in support when they’re available.

What about the downsides? Battery life, as mentioned above, is definitely the major one. Mostly a day is fine, but the problem comes if I’m ever away. There’s no way to charge without the charging dock, so that becomes another thing I have to pack. And it’s really annoying to have your watch go dead on you midday when you forget to do so. I also had a period where I’d frequently (at least once a week) find an “Android Wear isn’t responding. Wait/Restart?” error on the watch screen. Not cool, but thankfully seems to have stopped happening. Finally there’s the additional resource requirements it puts on the phone. I have a fairly basic Moto G 4G that already struggles with Ingress and Chrome at the same time, so adding yet another thing running all the time doesn’t help. I’m sure I could make use of a few more apps if I was more comfortable with loading the phone.

The notable point for me with the watch was DebConf. I’d decided not to bring it, not wanting the hassle of dealing with the daily charging. I switched back to my old analogue watch (a Timex, if you care). And proceeded to spend 3 days looking at it every time my phone vibrated before realising that I couldn’t do that. That marked the point where I accepted that I was definitely seeing benefits from having a smart watch. So when I was away for a week at the start of September, I brought the charger with me (at some point I’ll get round to a second base for travel). I was glad I’d done so. I’m not sure I’m yet at the point I’d replace it in the event it died, but on the whole I’m more of a convert than I was expecting to be.


Mick Morgan: lancashire police fail

Thu, 29/10/2015 - 14:18

This is simply depressing. Today I received a classic phishing attack email – the sort I normally bin without thought. According to VirusTotal, the attachment, which purported to be an MS Word document called “Invoice 7500005791.doc”, was a copy of W97M/Downloader, a Word macro trojan which Symantec says is a downloader for additional malware. So far so annoying, but not unusual.

However, the email came from an address given as “@lancashire.pnn.police.uk” (so it looked as if it came from a Police National Network address allocated to Lancashire Police). Intriguingly, the “From:”, “Return-Path:” and “Return-Receipt-To:” headers all contained the same (legitimate looking) address at that domain. Only one header, “Disposition-Notification-To:” was slightly different. It gave the email address as “@lancashire.pnn.police.au”. Now that header is used to request a “Read Receipt” and most email clients will obey that and display a message of the form “This message asks for a return receipt” along with a “send” button. Had I pressed that button, a message /might/ have gone to the “police.au” domain address. I say “might” because there is no such domain, so this could simply be a mistake on the part of the attacker. All the “Received:” headers (i.e. the addresses of mail servers the message went through en route to me) were shown as network 77.75.88.xx – whois records this as belonging to an entity called “Farahnet” registered in Beirut. Unfortunately the whois record does not give an abuse, or admin contact email address.

Most phishing emails simply have a forged “From:” address and all other headers are obviously wrong. This one looked distinctly odd and a little more professional than most. I therefore decided it might be a good idea to tip off the Lancashire Police to the misuse and misrepresentation of their domain name. This is where it got depressing.

Nowhere could I find a simple email address or other electronic contact mechanism to enable me to say to Lancashire Police “Hi guys, see attached, you may have a problem”. The Lancs Police website has a “Contact Us” page giving pointers to various means of providing feedback – but no immediately obvious one for reporting email attacks. Here the banks are way ahead of the Police. All banks I have ever dealt with have an email address (usually of the form “phishing@bank.co.uk”) to which you can send details of the latest scam. However, the bottom of the contact page on the Lancs Police site shows a link to “online fraud” under the heading “popular pages”. This link takes you to their on-line safety advice page which then has a further link to “Action Fraud”, the National Fraud & Cyber Crime Reporting Centre; that site in turn does actually give you a means of reporting phishing attacks. But it takes too long. I had to click through four pages of feedback with radio buttons asking what I wanted to report, how the attack arrived, where it purported to come from etc. before I was given a page with the email address NFIBPhishing@city-of-london.pnn.police.uk and an instruction to email them giving the details I should have been able to provide on the damned form I had just spent ages finding and filling in.

Having obtained this email address, I was given a “Fraud Report Summary” (see below) which is precisely useless for anything other than simple statistics. My guess is that this information is collated simply to be used to provide the sort of banal analysis beloved of senior management everywhere.

Not good enough guys, not nearly good enough.

But it gets worse. In my attempts to find what should be an obvious contact point, I plugged “lancashire police cyber crime” (I know, I know) as search terms into my search engine. The first likely entry listed in response (after rubbish like facebook pages or comments on non-existent fora such as cybercrimeops.com) was https://www.lancashire.police.uk/help-advice/online-safety/online-crime-fraud.aspx (note the https). This is a supposedly secure link to the very same page I later found on the Lancs Police site. Try clicking that link. If you use Firefox, this is what you will get (Chrome will give you something similar):

So – the site is not trusted because it uses an X.509 certificate which is only valid for the commercial domains of the service on which the Police site is presumably hosted. Idiotic. If I got that sort of response from a bank I’d be deeply worried. As it is, I’m just depressed.
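The header comparison described above (From:, Return-Path: and Return-Receipt-To: all agreeing on the police.uk domain while Disposition-Notification-To: points at a non-existent police.au, and every Received: hop sitting in 77.75.88.0/24) is easy to automate, and it is the kind of check that catches the "slightly more professional" phish that a forged From: alone would not. The script below is an added example, not the post's own work. Its sample message is constructed: the post only gives the domains and the /24 prefix, so the local part `someone`, the relay host names and the exact IPs are made up for illustration.

```python
"""Added example: flag reply-path headers whose domain disagrees with From:,
and pull the relay IPs out of the Received: chain.  The sample message is
constructed to match what the post describes; local parts, host names and
exact IPs are invented."""
import email
import re
from email.utils import parseaddr

RAW_MAIL = """\
Return-Path: <someone@lancashire.pnn.police.uk>
Received: from mx.example.net (mx.example.net [77.75.88.20])
 by mail.example.org with ESMTP; Thu, 29 Oct 2015 13:02:11 +0000
Received: from [77.75.88.12] (unknown [77.75.88.12])
 by mx.example.net with SMTP; Thu, 29 Oct 2015 13:01:58 +0000
From: someone@lancashire.pnn.police.uk
Return-Receipt-To: someone@lancashire.pnn.police.uk
Disposition-Notification-To: someone@lancashire.pnn.police.au
Subject: Invoice 7500005791
Content-Type: text/plain

Please see attached invoice.
"""

# Headers that tell a mail client where to send bounces or read receipts; a
# sender who controls the From: domain has no reason for these to differ.
REPLY_HEADERS = ("Return-Path", "Return-Receipt-To", "Disposition-Notification-To")
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _domain(header_value) -> str:
    """Domain part of an address header, lower-cased; '' if absent or unparsable."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def reply_path_mismatches(raw: str) -> list:
    """[(header, domain)] for every reply/receipt header not on the From: domain."""
    msg = email.message_from_string(raw)
    from_domain = _domain(msg.get("From"))
    return [(h, _domain(msg.get(h))) for h in REPLY_HEADERS
            if _domain(msg.get(h)) and _domain(msg.get(h)) != from_domain]


def received_ips(raw: str) -> list:
    """Unique IPv4 addresses from the Received: chain, in header order (nearest hop first)."""
    msg = email.message_from_string(raw)
    ips = []
    for hop in msg.get_all("Received", []):
        for ip in _IPV4.findall(str(hop)):
            if ip not in ips:
                ips.append(ip)
    return ips


def same_prefix(ips: list, bits: int = 24) -> bool:
    """True if every hop falls in one /bits block, as the post observed for 77.75.88.x."""
    if not ips:
        return False
    keep = bits // 8  # octet-aligned prefixes are enough for this check
    return len({tuple(ip.split(".")[:keep]) for ip in ips}) == 1


if __name__ == "__main__":
    print("reply-path mismatches:", reply_path_mismatches(RAW_MAIL))
    print("received hops:", received_ips(RAW_MAIL))
    print("all hops in one /24:", same_prefix(received_ips(RAW_MAIL)))
```

Feed it a raw message saved from your mail client (`reply_path_mismatches(open("suspect.eml").read())`); a non-empty mismatch list on a message that asks for a read receipt is worth reporting even when the attachment has already been caught, since the receipt itself confirms to the attacker that the address is live.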


Chris Lamb: ImportError: cannot import name add_to_builtins under Django 1.9

Tue, 27/10/2015 - 09:20

Whilst upgrading various projects to Django 1.9, I found myself repeatedly searching for the following code snippet so I offer it below as a more permanent note for myself and to aid others.

If you used django.template.base.add_to_builtins to avoid tedious and unsightly {% load module %} blocks in your template files, under Django 1.9 you will get the following traceback:

Traceback (most recent call last):
  File "django/core/management/__init__.py", line 324, in execute
    django.setup()
  File "django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "django/apps/registry.py", line 108, in populate
    app_config.import_models(all_models)
  File "django/apps/config.py", line 202, in import_models
    self.models_module = import_module(models_module_name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "myproject/myproject/utils/models.py", line 1, in <module>
    from django.template.base import add_to_builtins
ImportError: cannot import name add_to_builtins

The solution is to move to defining settings.TEMPLATES instead of calling add_to_builtins. This replaces a number of your existing settings, including TEMPLATE_CONTEXT_PROCESSORS, TEMPLATE_DIRS, TEMPLATE_LOADERS, etc.

For example:

import os

# BASE_DIR is the project root, as defined near the top of the generated settings.py.

TEMPLATES = [{
    'BACKEND': 'django.template.backends.django.DjangoTemplates',
    'DIRS': [
        os.path.join(BASE_DIR, 'templates'),
    ],
    'APP_DIRS': True,
    'OPTIONS': {
        'context_processors': [
            'django.template.context_processors.debug',
            'django.template.context_processors.request',
            'django.contrib.auth.context_processors.auth',
            'django.contrib.messages.context_processors.messages',
            'myproject.utils.context_processors.settings_context',
        ],
        # Tag/filter modules listed here are available in every template
        # without a {% load %} line; this replaces add_to_builtins.
        'builtins': [
            'django.contrib.staticfiles.templatetags.staticfiles',
        ],
    },
}]

Simply add the modules you previously loaded with add_to_builtins to the builtins key under OPTIONS.

(You can read more in the release notes for Django 1.9, as well as read about settings.TEMPLATES generally.)
