Tag Archives: Tech

Uncategorized

Microsoft Login Push Notifications

One of the podcasts I listen to is Security Now, hosted by Steve Gibson.

During last week’s show, he read an email from a listener who had just recently switched to using passkeys with his Microsoft account. The email mentioned using the Microsoft Authenticator app in the process, and the need to enter a two-digit code into the app.

Steve was a little confused by this mention of entering a two-digit code, but it was something I immediately recognized, as did co-host Leo Laporte.

Here’s a clip from this week’s show (episode 1026).

If you didn’t click the video, you’re depriving yourself of the chance to hear Steve Gibson reading an email I sent him.

Hi Steve,

I just listened to episode 1025 in which you read a bit of listener feedback that left you perplexed about Microsoft’s Authenticator app needing you to type in a two-digit number. I use Microsoft’s products in an enterprise environment and thought I might be able to shed some light on this.

What’s going on is that Microsoft offers the option of using a push notification instead of the TOTP (in the enterprises I’m familiar with allow you to use either as a second factor).

The problem with push notifications is, of course, “notification fatigue.”  People get used to seeing the notification and just click “Yes, it’s me” without thinking it through.  (So if someone figures out your password, and you blindly confirm it…. I’m sure you see where that’s going.)

To counter this, when you log in to a Microsoft system that uses push notifications, they display a two digit number.  You then have to enter that number into the pop-up from the authenticator app.  That way, it’s much more difficult for an end-user to accidentally confirm a third-party’s login attempt.

Hope that sheds some light one it.

Blair

SpinRite user, Club Twit member, and General Purpose Geek

Uncategorized

Installing PHP modules

I’m running a WordPress instance on a Zimaboard on the home network. Normally, that’s the kind of thing I’d put on the paid hosting service so I can let someone else worry about patching the OS and such, but since family calendars and the like don’t need to be on the public internet, I decided to do this one in-house.

Once I got WordPress up and running, I checked the “Site Health” and along with some old themes that needed to be cleaned up, there was a notice of a critical issue, telling me that “One or more required modules are missing.”

Expanding the dropdown, I saw the list included curl, imagick, zip, and gd. I tried to be thorough when installing PHP, but evidently missed a few. No biggie. Here’s how to fix it.

Performance warning that "One or more required modules are missing" PHP modules perform most of the tasks on the server that make your site run. Any changes to these must be made by your server administrator. The WordPress Hosting Team maintains a list of those modules, both recommended and required, in the team handbook. Warning: The optional module, curl, is not installed, or has been disabled. Warning: The optional module, imagick, is not installed, or has been disabled. Warning: The optional module, zip, is not installed, or has been disabled. Error: The required module, gd, is not installed, or has been disabled.

This is all running on Ubuntu, so the first step is to update the list of available packages. Because you always do that first.

$ sudo apt update -y

Next, install the missing packages. These are php modules, so the package to install is named “php-” and then the module name. (e.g. php-curl).

$ sudo apt install php-gd php-imagick php-curl php-zip

My machine is running PHP 8.1, so apt determined that the correct packages to install were php8.1-gd, php8.1-imagick, php8.1-curl, and php8.1-zip

Now I know the php-imagick module depends on ImageMagick, so I wanted to make sure that was installed, so after checking the apt command’s help text, I ran apt list -a ImageMagick

$ apt list -a ImageMagick
Listing... Done
imagemagick/jammy-updates,jammy-security,now 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3 amd64 [installed]
imagemagick/jammy 8:6.9.11.60+dfsg-1.3build2 amd64

Excellent. Everything should be good now right? That’s what I thought, but WordPress disagreed. Returning the Site Health page, the same message appeared, telling me that “One or more required modules are missing.”

I had to scratch my head for a bit on that one. Then I remembered, you don’t just install PHP modules, you also have to tell PHP you want to use them. (For example, Xdebug notoriously causes programs to run more slowly.)

You use phpenmod to enable modules and phpdismod to disable them. (Arguably, I should have included “-s apache2” so they would only be enabled for Apache, but I wanted to make them available for any use of PHP.)

After enabling the modules, you also need to restart apache so the new modules are loaded, so the final set of commands is:

$ sudo phpenmod curl imagick zip gd
$ sudo systemctl restart apache2

And now the Site Health report is a little bit happier.

Uncategorized

Set up a MySQL Database for WordPress

I keep losing track of the file where I have these steps written down. It’s past time to put them someplace where I can find them, and perhaps help a few others as well.

create database SOME_DATABASE;
create user 'SOME_USER'@'localhost' IDENTIFIED BY 'A_STRONG_PASSWORD';
GRANT ALL ON SOME_DATABASE.* TO 'SOME_USER'@'localhost';

The database permissions grant can be fine-tuned a bit, e.g. after installation, remove the DROP, ALTER, and GRANT permissions. (This does, of course, depend on what your plugins are doing, and potentially the needs of a particular major version upgrade.)

tech

Setting defaults for the dig command

Today I learned you can set default output options for the dig command by creating a .digrc file in your home directory.

Ordinally, running the command dig www.chaosandpenguins.com, the result is this rather hefty block of text.

$ dig www.chaosandpenguins.com

; <<>> DiG 9.16.1-Ubuntu <<>> www.chaosandpenguins.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40732
;; flags: qr rd ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.chaosandpenguins.com.      IN      A

;; ANSWER SECTION:
www.chaosandpenguins.com. 0     IN      CNAME   chaosandpenguins.com.
chaosandpenguins.com.   0       IN      A       216.92.152.175

;; Query time: 0 msec
;; SERVER: 172.28.224.1#53(172.28.224.1)
;; WHEN: Wed Nov 16 23:13:00 EST 2022
;; MSG SIZE  rcvd: 136

That’s a whole lot of text. So let’s add a couple options. +noall turns off everything. Running dig www.chaosandpenguins.com +noall would literally return nothing at all. To bring back the answer section (which is what I’m interested in most of the time), you add the +answer option.

$ dig www.chaosandpenguins.com +noall +answer
www.chaosandpenguins.com. 0     IN      CNAME   chaosandpenguins.com.
chaosandpenguins.com.   0       IN      A       216.92.152.175

That’s much more compact , but getting it requires some extra typing. And I want that version of the output most of the time, so wouldn’t it be nice if there was to make that the default?

This is where the .digrc file comes in. You create it in your home directory and just put in a single line containing the options you want. So, to make +noall +answer the defaults, I just run this command:

$ echo +noall +answer > ~/.digrc

And now when I run dig www.chaosandpenguins.com without any options, here’s the default output:

$ dig www.chaosandpenguins.com
www.chaosandpenguins.com. 0 IN CNAME chaosandpenguins.com.
chaosandpenguins.com. 0 IN A 216.92.152.175
tech

Sending mail from a script on a Raspberry Pi

I’m working on a project where I need to send email from my Raspberry Pi. Installing a full-blown SMTP server would be overkill, I just need something where I can send messages from a bash script.

A brief search led me to a forum post from 2013 which talked about configuring the ssmtp package. That post in turn referenced a step-by-step guide from 2009. Unfortunately, both seem to be out of date, and the latter is for installing it on CentOS?RHEL/RedHat/Fedora. So here’s my attempt at an updated version for the Pi (which should apply to any Debian-based Linux distribution).

Notes

  • These instructions send via Gmail. If you’re using two-factor authentication (and you really should), you’ll need to set up an application -specific password. Otherwise, you’ll get authentication errors.
  • The password is stored in plain text. This solution is not suitable for use on a shared system.

The Steps

sudo apt update -y && sudo apt upgrade -y
sudo apt install -y ssmtp
sudo vi /etc/ssmtp/ssmtp.conf

Make these changes to the ssmtp.conf file

mailhub=smtp.gmail.com:463
FromLineOverride=YES
AuthUser=Your_GMail_Address
AuthPass=Your_GMail_Password
UseTLS=YES

I also set the root= setting to my email address. I don’t believe this is necessary, but it does allow me to get notified when something goes wrong with one of my messages. (The way I first found out my configuration was working was a message from a cron job which had some unexpected output.)

Testing

Part of the installation is to set up a symlink so that sendmail becomes an alias for ssmtp. You can use either command.

The ssmtp command doesn’t seem to include command-line options for specifying the subject line or the name of the recipient..

So, here’s a command line you can use. Edit the email address as suits your needs. (The sender name and email address will be embedded by GMail.)

Ignore the word-wrap, this is all one line.

echo -e "Subject: Test Message\nTo: Your Name Here <you@example.com>\nThis message was sent via ssmtp." | ssmtp -t

Alternatively, you can put the recipient’s email address on the command line (the message will then be received as a BCC).

echo -e "Subject: Test Message\nThis message was sent via ssmtp." | ssmtp you@example.com

Troubleshooting

Four files are written to /var/logs

  • mail.err – contains an entry for each time there’s a problem sending a message.
  • mail.info – contains an entry for each attempt (successful or failed) at sending a message
  • mail.log – duplicates mail.info.
  • mail.warn – duplicates mail.err.

(Image via Pixabay user Deans_icons used under Pixabay License.)

Uncategorized

Typing Emoji on WIndows 10 ?

This has the potential to be dangerous. ? I was writing an email to a friend and wanted it to be perfectly clear that what I was writing was joke. I find the purely textual emoticons such as the sideways smiley 🙂 are often mistaken for punctuation and their intent lost, so I wanted to use a graphical emoji. We both use GMail, but I don’t care for the “melted lump” characters Google put in there.

On a whim, I did a search for how to type emoji on windows 10 and found a PC World article explaining how to type emoji if you have the Fall Creators Update. My immediate thought was to wonder if it was safe to assume everyone had it yet, and then I realized the article was from 2017! So the feature’s been there for a while and I just didn’t know about it.

So, if you on Windows 10, you can type emoji by pressing the Windows Key, followed by either the period or the semi-colon, and an emoji keyboard will appear. This is much more convenient – and universal – than any per-website or per-application emoji button.

Don’t get me wrong, I’m not a huge fan of emoji, but sometimes you just really want to type ? or ✈ without first visiting emojipedia. ?

(Only bummer on this is GMail replaces the emoji characters with the “melted lump” equivalents.)

By the way, Mac users can do the same by pressing and holding down both the [Control] and [Command] keys and then hitting the space bar.

Image by Pixaline from Pixabay. Used under the Pixabay license.

Uncategorized

Turn off Chrome notification pop-ups.

Talking to my Dad over the weekend, I learned he’d recently started seeing ads appear on his computer. These days, everyone’s used to seeing ads pop up in the web browser, but these were in the lower right corner of the screen, and would stick around if you moved the browser window.

My first thought was some sort of malware infection, but there didn’t seem to be any unusual processes running. The vital clue was when Dad mentioned that the ads only showed up when Chrome was running, and would disappear if you closed all the Chrome windows. An online search revealed a new suspect – Chrome’s browser notifications.

If you’ve used Chrome at all in the past year or two, you’ve very likely seen the browser display a message asking for permission from one site or another (or dozens) to display notifications. The idea behind notifications is that even if you aren’t actively browsing a particular site, you can still let it put up a message about an important update (e.g. event tickets going on sale). In this case, someone had decided to use notifications to display ads and Mom or Dad had accidentally given the site permission to display them.

Fortunately, once you know what’s going on, it’s pretty easy to turn notifications back off.

The steps below turn notifications off altogether; you should’t even be prompted anymore. I generally try to avoid distractions, but if you don’t want to turn them completely off, you can stop at step 6 to review and edit the list of sites where they’re allowed and/or blocked.

  1. In the upper right corner of the Chrome browser, click on the three vertical dots.
  2. Near the bottom of the menu, click settings.
  3. Scroll to the bottom of the page and click “Advanced.”
  4. Go to the “Privacy and Security” section and click “Site Settings”.
  5. Find the line for “Notifications” (there will be a small bell to the left).
  6. Click Notifications.
  7. At the top of the page, where it says “Ask before sending (recommended)”, click on the blue “slider” button.  It will turn gray.
  8. At the top, click on  the “Notifications” arrow.
  9. Click on the “Site Settings” arrow.

Done.

Uncategorized

Dynamic Type Selection in PHP

So, check out this block of PHP code:

class MyClass {
  public function doSomething() {
    echo "Hello there.";
  }
}
$class = "MyClass";
$method = "doSomething";
$instance = new $class();
$instance->$method();

The “new” statement is using a string variable to specify the class being instantiated! What’s more, on the very next line, another string variable is being used, this time to specify the method being invoked.

My background is C-like languages (C, C++, C# and Java), so I was somewhat surprised to discover that this not only executes, but does so without errors. Turns out, this is just how PHP’s new statement works.

In Java, you’d use Class<T> to get the class object, retrieve a specific constructor, and then call the newInstance method, passing any required parameters. So the above example would end up looking something like this:

package myprogram;

import java.lang.Class;
import java.lang.reflect.Method;

class MyClass {
    public MyClass() {}
    public void doSomething() {
        System.out.println("Hello there.");
    }

    public static void main(String[] args) {
        String className = "myprogram.MyClass";
        Class<?> class = Class.forName(className);
        MyClass instance = class.getConstructor().newInstance();

        Method method = class.getMethod("doSomething");
        method.invoke(instance);
    }
}

In a more complex code sample (e.g. passing arbitrary class objects into a method to be instantiated and used in a callback), the Java version has definite advantages in terms of compile time type checking.

But I can’t deny that the simplicity of the PHP version also has some appeal.

Uncategorized

Password rules

Some very basic rules for managing your passwords:

  1. Don’t even think about using “password” as your password. That’s the number one most used password in the world.
  2. Consider using a password manager. No one will ever guess that your password is qwb5Qauz36H9Kleqyotx and with a password manager, you won’t have to remember it.
  3. If you must use a password you can remember, at least use a passphrase. “SixSillySwansSangSonnets” is much more secure than “Tr0ubad0r” (and a darn sight easier to remember the correct spelling).
  4. Never, ever, ever use the same password on two different sites. In short: if one site has a breach and the bad guys get hold of your username and password, they’re going to try using them on other sites as well.

    5. Faithfully following those rules doesn’t guarantee that none of your accounts will ever get hacked, too much of that’s out of your hands. But they’re a solid start and they’ll definitely help limit the damage.

    A non-technical relative admits to not understanding why people would use a password manager. Couldn’t someone just hack your password manager?

    Yes. That could potentially happen. The aforementioned password rules also apply when setting the password for your password manager.

    And you have to ask yourself, which system is more secure? A well-vetted, “battle tested” password manager (and I’m referring to the likes of LastPass, 1Password, or KeePass), storing passwords which are composed of 20 random letters and numbers? Or just using the site’s name with a couple letters and maybe a number?

    And which is easier? Keeping track of a single strong password for the password manager? Or trying to remember what password you used for 30, 40, or more different web sites? (Hint: you’re gonna remember the Six Silly Swans example for a long time.) The main reason people re-use passwords is that they need to keep track of so doggone many of them!

    The idea behind a password manager is that you only have to remember one really good password, and then the password manager remembers the rest of them.

    And the good password managers (I personally use LastPass and KeePass) use heavy-duty encryption. If you use a good password, it’s extraordinarily unlikely that anyone’s going to break into your password manager by brute-force guessing.

    (Image via Life of Pix on Pexels.com under Creative Commons 1.0 Universal)

Uncategorized

Two Git bookmarks

I follow Mark Hamill on Twitter because I find him entertaining. For example, this exchange:

On the other hand, I primarily follow Scott Hanselman because he drops interesting tech nuggets, such as when he retweeted this:

Don’t get me wrong, Scott can be entertaining too, but the git config linked from that tweet is full of things I didn’t even know you could configure! (Six months in, I’m still finding entirely new realms within git that I didn’t realize I didn’t know about!)

Seeing the config sections for the merge and diff tools, I also verified that yes, the bc merge/diff tool referenced in the git documentation really is (or at least, can be) Beyond Compare. I’ve been using TortiseGit for my Git GUI needs, but I also like Beyond Compare. (The default vi-based diff tool is just painful.)

And then I find an article about how to configure Beyond Compare to work with Git.