The Problem with the New Generic Top-Level Domains (gTLDs)

Over the last year the number of generic top-level domains (gTLDs) has been greatly expanded. gTLDs are what you see at the end of a domain, such as .com, .net and .org. This was clearly felt to be too limiting, and so a whole raft of new gTLDs were proposed and adopted. These include .london, .furniture and even .blackfriday. You can find a fuller list here.

To me these were interesting but not ultimately useful until I started on a new side project and needed a new catchy domain. After going through countless .com domain variations and finding that all the best ones were taken (but available for sale), I took a look at the new gTLDs and found the .tools domain, which would work perfectly for what I wanted. So I went and registered ever.tools, which looks a bit odd but really is valid.

All was fine and dandy until I tried to register for third-party services with my new email address admin (at) ever (dot) tools and quickly found that I wasn’t as welcome as I expected to be. Both Amazon and Twilio rejected the email address, although the error messages in both cases were misleading. In Amazon’s case the issue seems to be that they expect the gTLD to be no more than four characters.


I was interested to see if this was a generic problem, so I put together the following to see how PHP handled the new gTLDs; every address I tried passed without problems.

<?php

// the address as actually typed; the anti-spam spacing around the @ would make it fail
$email = "admin@ever.tools";

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "This ($email) email address is considered valid.";
} else {
    echo "This ($email) email address is considered invalid.";
}

?>

I have reported the issue to both companies and Amazon have acknowledged that it is an issue. Now I just need to wait for a fix to be rolled out.
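To show where checks like Amazon's go wrong, here is an added example (not code from the original post) that puts a hand-rolled regex capping the TLD at four letters next to PHP's built-in FILTER_VALIDATE_EMAIL and runs both over a few constructed addresses. The function names and the sample addresses are my own; only ever.tools comes from the post.

```php
<?php
// Added example: a "legacy" email regex versus PHP's filter_var().
// The regex below mirrors the mistake of assuming TLDs are 2-4 letters;
// it rejects perfectly valid addresses on the new gTLDs.

// Legacy check: anything after the last dot must be 2-4 letters.
function is_valid_email_legacy(string $email): bool
{
    return preg_match('/^[^@\s]+@[^@\s]+\.[A-Za-z]{2,4}$/', $email) === 1;
}

// Recommended check: PHP's validator accepts any syntactically valid
// domain, so .tools or .blackfriday are treated like .com.
function is_valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample addresses (not real mailboxes).
$samples = [
    'admin@ever.tools',          // valid: new gTLD longer than four letters
    'shop@example.blackfriday',  // valid: new gTLD
    'user@example.com',          // valid: classic gTLD
    'admin @ ever.tools',        // invalid: contains spaces
    'no-at-sign.example.com',    // invalid: no @
];

printf("%-28s %-8s %-10s\n", 'address', 'legacy', 'filter_var');
foreach ($samples as $email) {
    printf("%-28s %-8s %-10s\n",
        $email,
        is_valid_email_legacy($email) ? 'ok' : 'reject',
        is_valid_email($email) ? 'ok' : 'reject');
}
```

The first two addresses are the ones that separate the two checks: the legacy regex rejects them while filter_var accepts them. Note that filter_var only checks syntax; if you also need to know that the domain can receive mail, a DNS lookup such as checkdnsrr($domain, 'MX') is the complementary step, and that one does need network access.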

Instagram’s Hyperlapse

Instagram, Facebook’s $1B lovechild, this week released a new iOS app called Hyperlapse that allows time lapse videos to be shot without the shakes that are usually associated with such videos.

I took a quick example on the bus into town yesterday and as you can see it is really steady. With hindsight I wish I had held the camera in landscape mode!

If all this sounds familiar that will be because Microsoft Research documented just such a technique earlier this year which got widespread attention including on the BBC. So congratulations to Instagram for getting this out so quickly.

The app itself is simplicity itself to use. There are very few controls: just a big red button to start and stop the recording and the ability to change the playback speed before rendering the video, and that’s it.

As with anything that Facebook has its claws into, privacy is a concern, but Hyperlapse doesn’t make you log in, nor does it insist that you publish to either Instagram or Facebook; you can simply download the video and upload it wherever you wish.

All in all a great little app and free too. Download it from the App Store here.


An iPhone Remote Shutter? It’s a Snap!

For a while now it has been possible to take a picture with your iPhone using the volume controls on the phone and this also extends to the controls on the headphone mic too. But what if you need to be further away than the length of the headphone cable? Turns out that there is a cheap (under three quid) device for that.

This little two-button widget works over Bluetooth and emulates a keyboard to send the command that triggers the camera shutter. It is incredibly simple to use: you pair it with your device, start the camera (it works with the stock camera app and Camera+ in my tests) and then press the appropriate button, big for iPhone, small for Android. The button also works as a toggle when taking videos, so you can start and stop the recording.

And that’s it. Simple and works well. Grab yours here from Amazon.


Is My Tile Here Yet?

About a year ago, well, to be accurate as I write this it was 382 days ago, I ordered some Tiles. No, not bathroom tiles, but a small Bluetooth device about the size of a postage stamp that you can stick to almost anything and then, using a companion app, hunt down when you have mislaid it. This also includes a neat feature that allows you to effectively declare a Tile lost, and every other Tile user can then be on the lookout for your lost item, which is pretty neat.

The downside is that they are a sealed unit, so once the battery dies (after about a year) you have to return them and buy replacements at a price that doesn’t seem very clear. Much, much worse is that over a year later the Tiles still have not arrived and don’t seem to be coming any time soon. Tile also seem pretty blasé about the whole situation, and why wouldn’t you be when you have been sat on mine and plenty of other people’s money for quite a while.

So I have knocked up a quick website to keep you up to speed with whether my Tiles have arrived:

http://neilthompson.co.uk/tile/

They had better be fucking awesome when they arrive is all I can say.

What to do in the event of an NTP attack

Earlier this week the server that hosts this blog and other sites that I run became unreachable. I know this because it is being monitored by New Relic and I got notification emails. I couldn’t access the server via either HTTP or SSH, so all I could do was reboot it and hope I could hop on. The issue had the feel of a DoS attack, so once I was back on the server I stopped Apache and inspected the logs. A while later I restarted the service and all seemed OK.

Then I received this worrisome email from the company that hosts my server:

We received an abuse complaint from your server (below). Please respond within the next 48 hours with a resolution. Please let me know if you have any questions.

A public NTP server on your network, running on IP address 17x.254.25x.9x and UDP port 123, participated in a very large-scale attack against a customer of ours, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target.

Clearly this is not what you want to receive, but at least it did explain the issues. With it being so easy to host your own servers these days it is possible to get into these problems without realising. For me, I turned off the NTP server as advised below. This seems to be a bit of standard text sent in the event of an issue such as this. I will now be applying it to all my servers.

  1. If you run ntpd, upgrading to the latest version, which removes the “monlist” command that is used for these attacks; alternately, disabling the monitoring function by adding “disable monitor” to the /etc/ntp.conf file.
  2. Setting the NTP installation to act as a client only. With ntpd, that can be done with “restrict default ignore” in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.
  3. Adjusting your firewall or NTP server configuration so that it only serves your users and does not respond to outside IP addresses.

If you don’t mean to run a public NTP server, we recommend #1 and #2. If you do mean to run a public NTP server, we recommend #1, and also that you rate-limit responses to individual source IP addresses — silently discarding those that exceed a low number, such as one request per IP address per second. Rate-limit functionality is built into many recently-released NTP daemons, including ntpd, but needs to be enabled; it would help with different types of attacks than this one.

Fixing open NTP servers is important; with the 1000x+ amplification factor of NTP DRDoS attacks — one 40-byte-long request can generate up to 46800 bytes worth of response traffic — it only takes one machine on an unfiltered 100 Mbps link to create a 100+ Gbps attack!

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Further reading:

https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
https://isc.sans.org/forums/diary/NTP+reflection+attack/17300
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&smlogin=true
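To make the three recommendations concrete, here is an added ntp.conf sketch (it is not from the post or from the hosting company’s email) showing a permissive configuration beside a client-only one. The upstream server names and the LAN subnet are placeholders to replace with your own.

```conf
# --- Before: a permissive ntp.conf ---
# With no restrict lines every packet arriving on UDP/123 is answered,
# and on older ntpd builds that includes "monlist" (a mode 7 query), so
# the host can be used as a reflector.
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# --- After: client only, monitoring off ---
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# Recommendation 1: no monlist, even on a version that still implements it.
disable monitor

# Recommendation 2: ignore everything by default (IPv4 and IPv6) ...
restrict default ignore
restrict -6 default ignore

# ... then re-admit only what a client needs: replies from its own
# upstream servers, and control queries from localhost.
restrict 0.pool.ntp.org nomodify notrap nopeer noquery
restrict 1.pool.ntp.org nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# Recommendation 3, only if this host must serve time to your own LAN:
# allow that subnet, still with noquery so mode 6/7 queries (monlist
# among them) are refused. Placeholder subnet, adjust to yours.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer noquery
```

The per-server restrict lines are the part people forget: with restrict default ignore in place, ntpd also drops the replies from its upstream servers unless they are explicitly allowed, and the clock silently stops syncing. After restarting ntpd, run ntpq -p on the host and check that the reach column for each server climbs above 0; if it stays at 0, the restrict lines do not match the addresses the server names resolve to.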

Using Kindlegen with PHP on Linux to Create Kindle Files

I’m working on a side project at the moment that requires programmatically converting a page of HTML into something that can be consumed by an Amazon Kindle. I did a quick search to see if a PHP class library existed that I could use and, while there were some, they were either hugely bloated or too alpha for my needs.

I then stumbled upon Amazon’s command line tool KindleGen, which converts HTML and ePub documents to the MOBI format that the Kindle requires. It is a multi-platform tool and, crucially, a version for Linux is available.

Installation is a simple case of copying the single file to an appropriate place on your server, such as /usr/local/bin. Then create a new folder somewhere and make sure that the web process has write access to it. On Ubuntu, for example:

sudo chown www-data:www-data /var/www/kindle

In my case I needed to convert some HTML to MOBI format, and while experimenting I found that it was very important to have well-formed code, particularly the html and body tags. The other thing that you might like to consider is including a title tag, as this is what is used as the name in the Kindle library; if it is omitted Amazon will use the name of the attached file instead.

To convert the file you simply need to pass kindlegen the name of the HTML file and the output filename; note that you don’t need to give a path for the output file as it is created in the same place as the source. In PHP you can use “exec” to call a Linux command:

exec('kindlegen /var/www/kindle/input.html -c0 -o output.mobi');

If you were allowing a user to enter their own HTML that you were going to process this way, I would highly recommend sanitizing the input first!

As a full example of this, the following code stub will convert the HTML in the $content variable and then send the resulting file to your Kindle email.

<?php

require_once 'class.phpmailer.php'; // PHPMailer 5.x, which provides the methods used below

$workdir = '/var/www/kindle'; // must be writable by the web process

$content = "<html><head><title>Your title</title></head><body>
            <p>Your Content</p></body></html>";

// create the input file in the working directory, which is where kindlegen reads it from
$filename = date('Ymd_His');
file_put_contents($workdir.'/'.$filename.'.html', $content);

// convert to mobi format; the output file is written next to the input
exec('kindlegen ' . $workdir.'/'.$filename.'.html' .
     ' -c0 -o ' . $filename.'.mobi');

// send the file as an attachment to your Kindle
$mail = new PHPMailer();
$mail->IsSendmail();
$mail->AddReplyTo('registered@domain.com', 'First Last');

// this address must be registered with your Amazon account
$mail->SetFrom('registered@domain.com', 'First Last');

// this is the email address of your Kindle
$mail->AddAddress('your_address@kindle.com', 'First Last');

// the next two are required by PHPMailer but not by Amazon
$mail->Subject = "";
$mail->MsgHTML(" ");

// add the mobi file
$mail->AddAttachment($workdir.'/'.$filename.'.mobi');

// send the file
if (!$mail->Send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!";
}

// delete the files created
unlink($workdir.'/'.$filename.'.mobi');
unlink($workdir.'/'.$filename.'.html');

?>
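The exec call above is safe only because the filename comes from date(). As soon as anything the user controls is spliced into that command string, the shell will interpret it, which is the real reason to sanitise input before a call like this. The following is an added example, not code from the original post, that wraps the conversion in a function which generates or whitelists the filename and quotes every argument with escapeshellarg(). It assumes kindlegen is on the PATH and that $workdir is writable by the web process; the function name and the sample content are my own.

```php
<?php
// Added example: keeping user-controlled values out of the kindlegen command.

// UNSAFE pattern (do not use): a request parameter concatenated into the
// shell command. A value like  x; rm -rf /var/www/kindle  would run as a
// second command because the shell parses the string, not kindlegen.
//   exec('kindlegen /var/www/kindle/' . $_GET['name'] . '.html -c0 -o out.mobi');

function convert_html_to_mobi(string $html, string $workdir, ?string $name = null): string
{
    // 1. Never let the caller choose a path. Either generate the basename
    //    ourselves or reduce a supplied name to a safe character set.
    if ($name === null) {
        $name = date('Ymd_His') . '_' . bin2hex(random_bytes(4));
    } else {
        $name = preg_replace('/[^A-Za-z0-9_-]/', '', basename($name));
        if ($name === '') {
            throw new InvalidArgumentException('no usable characters in name');
        }
    }

    $input  = $workdir . '/' . $name . '.html';
    $output = $name . '.mobi';   // kindlegen writes the output next to the input

    if (file_put_contents($input, $html) === false) {
        throw new RuntimeException("cannot write $input");
    }

    // 2. Quote every argument. escapeshellarg() turns the value into a single
    //    shell word, so ; | $ and friends lose their meaning.
    $cmd = 'kindlegen ' . escapeshellarg($input)
         . ' -c0 -o ' . escapeshellarg($output) . ' 2>&1';

    exec($cmd, $lines, $status);

    // 3. Believe the result only if the expected file actually appeared,
    //    rather than relying solely on the exit status.
    $mobi = $workdir . '/' . $output;
    if (!is_file($mobi)) {
        unlink($input);
        throw new RuntimeException(
            "kindlegen failed (exit $status): " . implode("\n", $lines));
    }
    return $mobi;
}

// Usage with constructed content:
$html = "<html><head><title>Example</title></head><body><p>Hello</p></body></html>";
$mobi = convert_html_to_mobi($html, '/var/www/kindle');
echo "created $mobi\n";
```

The same three rules apply to the HTML itself: write it to a file you named, never to a path the user supplied, and treat the resulting .mobi as untrusted output until you have checked it exists. Sanitising the HTML content (stripping scripts, external resources and the like) is a separate step that sits before this function is called.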

Creating Good Looking Product Shots on Devices

A while back I wrote about what I described as “One of the most amazing websites” I had seen, and it was great. Placeit allows you to create screen mockups by uploading a screenshot that is then rendered into a chosen device. Unfortunately when I went back recently the prices had skyrocketed. To download even the most basic image now costs $8 a pop and a “casual” plan is $29 a month. For someone that uses the service about once a year that was prohibitively expensive.

I should state at this point that I have absolutely no issue with a software developer charging for their work, in fact I would say that was pretty essential, however, the amount I am willing to pay has to be in proportion to the value that I think that I will get. In this case the service didn’t meet that threshold. So I went to look for an alternative solution.

I could learn to use Photoshop, which can do these in a breeze, but, of course, it costs a fortune to get. Then I discovered Insta Mockup for iOS, which is a free app that has a number of templates that you can use to create good looking screen mockups, such as the one below. It is easy to use and, while it doesn’t have the range of device mockups that Placeit has, it is cost effective. You can download a low-res version of an image for free or upgrade and get higher resolution for only £1.49. It’s a bargain and works well.

Download it here.
