Yahoo hacked

A security group calling itself d33d has recently obtained over 400,000 accounts stored within Yahoo. The breach includes the account passwords, all of them stored in plaintext and unencrypted.

To check whether you have been affected, you can use a small tool I developed that quickly checks whether your account is listed.

http://rickyhewitt.com/tools/2012/d33d-yahoo-disclosure/

You can read more about the breach on BBC News.


Why Amazon’s seller system is completely broken

I think Amazon is awesome. I really do. But after a nightmare of trying to sell with them, I don’t think I’ll be trying again and I certainly won’t be advising anyone else to — unless they sort their shit out.

Think of this as Amazon’s version of the Blue Screen of Death

I got my card information wrong? What’s the big deal?

The issue with the system isn’t just one issue. It’s a plethora of issues that are related to something that isn’t even technically incorrect. Let me explain.

My card details are completely correct. That’s why this is annoying. Am I missing some critical detail? Not exactly. Does reading the Amazon help files solve the issue? If you can access them. While some help is available, a huge amount of functionality on the site, including access to support information, is unavailable when this error occurs. You’re also unable to remove any of the previous cards. You are left with a completely broken system, and you’re unable to contact support in order to resolve the issue.

After giving Amazon a quick call, they had a member of the sellers team get back in contact with me (the support team is A+, no issues there) and I proceeded to explain my numerous gripes with the system.

Allegedly this error occurs when Amazon is unable to reserve money from your account (specifically, £30; quite why a free account would need to do this is completely beyond me, and they seem to have no idea either). This then prevents you from accessing large parts of the system, or even accessing the support information needed to resolve the issue.

Also, there isn’t a single mention of ‘reserving’ £30 from my account in any of the help documents I was able to access. I asked the support team to refer me to them, but they were unable to do so.

I have ‘advised’ them to fix these issues and report them to the higher ups/technical teams, but I doubt that will actually happen — which is unfortunate as I generally think Amazon is a good company.


Fully replacing FTP with SFTP

Recently while setting up a new server, I realized that I really didn’t need to run FTP anymore. I typically use SFTP where possible, and it made sense to go the extra mile and migrate to using SFTP completely, while also allowing other users to access my server and use SFTP, without allowing them a shell.

What is SFTP?

SFTP is similar to, but not the same as, FTP. Technically, SFTP isn’t just a secure FTP but a completely different protocol. For ease of explanation, however, SFTP is essentially like FTP running through SSH. It provides you with fully encrypted sessions and brings the other benefits that SSH provides, such as key based authentication.

Not many commercial web hosts offer SFTP. I’m not 100% sure why, but I suspect it is largely a misconception that SFTP is a risk because it requires the user to have an account on the server, potentially giving them shell access. I’m sure it also has a slight performance impact, which could become a large one when scaled to thousands of users.

The only qualm I have with this argument is that in the majority of setups I have seen, the users already have a system account so that FTP/Apache can run and they can have a home directory and so on, so there isn’t a difference.

These accounts (let’s call them members of the www-data group) should already have disabled shells anyway, so running SFTP isn’t going to compromise the security of the system in any way.

Configuring SFTP

The first step is to ensure you have OpenSSH installed. This guide assumes you are using Debian (Squeeze) and already have a running server with users on it.


Install SSH

apt-get install openssh-server


Prepare chroot

You will need to modify the home directory permissions for each user in order for the SSH chroot to work correctly. Each user’s home directory must be owned by root and must not be writable by group or others; sshd checks this and refuses to chroot into a directory that fails the test. We’ll use bobdole as an example.

chown root /home/bobdole
chmod 755 /home/bobdole


Modify the user’s default shell

In order to prevent the user from gaining shell access, we set the default shell to /bin/false and add bobdole to the www-data group (-aG appends the group rather than replacing existing ones).

usermod -s /bin/false bobdole
usermod -aG www-data bobdole


Modify sshd_config

You will need to change the Subsystem option so that sshd uses its in-process SFTP server instead of the external sftp-server binary:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp


We will need to add a Match block specifically for members of the www-data group (bobdole, etc.) in order to apply options to them and enable the chroot for them only.

# Specific configuration for www-data
Match group www-data
ChrootDirectory /home/%u


You can also add other declarations inside the Match block. For instance, if you previously allowed only key based authentication to your server but wanted to allow www-data members to log in without a key, you could set PasswordAuthentication to yes for those specific members only:

# Specific configuration for www-data
Match group www-data
ChrootDirectory /home/%u
PasswordAuthentication yes