This list of lists of falsehoods is a great read. The programming ones are good for me, especially, but everyone should read the ones in their speciality. Better still, it’s on GitHub, so you can add to it!
I especially like the Big List of Naughty Strings. This is something software testers should use daily. Dates, times, timezones, names and addresses are all problematic.
When I installed Ubuntu 20.04.3, I expected the Ubuntu networking to Just Work. That was wrong. And apparently, there’s a new network management subsystem (Netplan) to worry about. A quick Google search led me to the Ubuntu docs and thence to creating the file /etc/netplan/01-netcfg.yml:
I put all my GitHub/GitLab checkouts in ~/workspace, a hangover from BBC days, along with using VMWare Fusion. Although I tend to use docker more these days. I tried mounting it from within VMWare but no luck. A pointer from a chap on Reddit led me to these lines:
sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt/hgfs -o allow_other   # allow_other makes the share readable by every local user, not just the one who mounted it
Or alternatively, add the following to /etc/fstab:
This is an initial list of Cardiff Tourist Stuff. Assume most places here, except the really remote ones, have cafés, and even some of the remote ones have pubs close by. It’s also biased towards the West of Cardiff because that’s where I live. Look on Google maps for interesting green spaces and interesting (hopefully free) things to do.
Do check opening times, things are currently higgledy-piggledy because of the plague. If you want to do many of these, it’s worth getting Cadw or National Trust membership, depending on where you want to go.
Bear in mind you can always do a Google search and get the information I’ve left out, like the official sites for these attractions.
If you only see one thing in Cardiff, let it be Cardiff castle. The original Norman keep is impressive in itself and it’s well worth climbing up to take in the view over the city. Cardiff uses the castle periodically to host other concerts or Welsh language events. It’s well worth a trip to see.
Obviously, the castle got taken over by a rich mining family who took it upon themselves to build apartments. These are well worth a guided tour, through bedrooms, offices, sitting areas and at the end, the library which, like many places in Cardiff, has starred in Dr Who. There are also leftover WWII bomb shelters set in the walls that are well worth a look.
The castle and Bute park were given to the City after WWII to avoid death duties and are well worth a look. Again, events take place here from theatre to horticultural events to street food. At the top end are sports fields.
Owned, built and extended by another mining family, this little gem on the Fairwater/Llandaff borders is well worth a visit. You can look in the house into the kitchen and various drawing rooms. You can pay to go upstairs to see a history exhibition. The gardens are lovely and they have a nice allotment at the side.
St. Fagans, owned by the Earl of Plymouth after whom Plymouth Great Woods is named, is the bane of any Welsh schoolchild’s life. Set in 100 acres, it encompasses Welsh life from Iron age roundhouses to more recent prefabs with a visitor centre and museum rooms packed with Welsh history.
The house/castle itself is worth a viewing and the Italian gardens are pretty. This place is worth a day of anyone’s time. Beautiful gardens, interesting reconstructed buildings and a decent pub in the village.
The main museum in Cardiff is well worth a look, filled with fossils and art and so much more.
Llandaff Cathedral in the heart of Llandaff village heading down to the Taff is impressive. It’s been there since 500AD or so, fell into disrepair and was rebuilt into the form we see today. If you can get it on a Cadw open day get the guided tour and have your mind blown. Like much CofE it has military connections. There are cafés in the village. And pubs. One of which is very good.
It also has a Rossetti. With it comes a story.
The seat of Welsh democracy, important for making decisions that don’t matter when the real stuff happens in Westminster. Still, it’s how a modern parliament should look.
Norwegian Church Arts Centre
Another historic little building built for sailors back in the day when Cardiff was a throbbing port. It usually has arts and crafts displays and a café obviously.
Another Bute building, this was once the beating heart of the docks. Currently home to some historic exhibitions and the occasional conference.
Cardiff Bay Wetlands Reserve
A little patch of land tucked away in the docks, supposedly home to rare birds and even most recently a seal. I’ve never seen more than pigeons, ducks and swans. Oh, well.
Cefn Onn Park
To the north of Cardiff in Lisvane, straddling the M4 and reassuringly close to Ty Mawr a good pub, this is a lovely garden heading towards Caerphilly founded by Ernest Prosser, Director of the adjacent Rhymney Valley Railway.
It’s lovely when the rhododendrons are out. Also good for collecting golf balls apparently.
There’s not a lot to say about this. It’s a reservoir and probably good for walking the dog. I’ve heard mutterings about building a visitor centre and having boating of some sort on it, but we’ll see.
Grangemoor Park, Cardiff
Despite this being practically on my doorstep, I’ve never been. The river Ely here used to be a lot twiddlier but there was a landfill and now it’s an IKEA and a trading estate.
Fforest Farm/Radyr Hydro Scheme/Melingriffith Water Pump
Supposedly one of the more radioactive areas of Cardiff (there were metalworks here back in the day), this is one of my favourite places in Cardiff, on the Taff. Park your car in Radyr railway station for free, go under the railway and over the Taff then turn left and walk up to the weir.
There are birdwatching hides here and the old canal water pump.
Opened in 1894, it’s well worth a circumnavigation. You can even go boating on it if you’re brave. There’s a café there and some more locally if you fancy a stretch.
Set on top of a hill in unromantic Ely, bordered by the A4232 with a commanding view of the City lies an Iron Age hill fort that was in use until Roman times and beyond. Having had Time Team do geophys and had several archaeological digs, it’s recently acquired a visitor’s centre. The story of the church ruins is a sad one.
Castell Coch/Fforest Fawr Car Park
Another Bute property, this time North of the M4 and close to Taff’s Well railway station. There might be a café, but Tongwynlais has one or more pubs and maybe some cafés. Further up the hill is a car park with a nice walk and a sculpture trail.
And the sculpture trail…
Chapter Arts Centre
Previously a secondary school, it became an arts centre showing films, live performances and so on. There’s a decent café with a well-stocked bar. I’ve been to various meetups there. Canton is a throbbing little village.
An oasis at the back of Canton opened to the public in 1891 with ponds, birds and set on two levels. Nice. Take a coffee and peruse.
Penarth Pier Pavilion
Penarth is lush. It has a pier, a pavilion with a café and a theatre/cinema. The estuary front is nice for a stroll with shops and cafés.
Not Quite Cardiff
Another one of South Wales’ great castles, this is well worth a visit. Pay Cadw and go inside and wander around. Caerphilly has a rail station.
Cowbridge Physic Garden, The Butts, Cowbridge CF71 7BD
Cowbridge is a cute little town just a short bus hop or a drive from Cardiff. This picture is of the physic garden, but there are lots more things to see. Cowbridge has a ruined castle and a Waitrose. What more do you need?
Cosmeston Country Park
Cosmeston is a former quarry now turned into lakes and a wildlife refuge. It has a visitor centre with a café (obviously) and is good for a wander.
Though dating back to the seventh century it was bought by the wealthy John Cory in 1891 whose son collaborated in making the gardens. The house itself is well worth a look. Again, easy access by bus or car, it’s halfway to Cowbridge.
National Trust – Lanlay
Out in Peterston-super-Ely, there’s very little to say about this except it’s nice to walk there and there are a couple of decent pubs in the village. There are even occasional buses.
In the vicinity of Hensol or the A48, you can park up and take a nice walk to this fishing lake. Take a thermos and some chocolate.
Situated towards Newport, this was the home of the Morgan family since the 17C. Lovely rooms, amazing gardens. This one is another National Trust property.
This one is definitely a drive although there might be a weekly bus. Actually hourly to either Llantwit or Bridgend. It’s nice to see the lighthouse buildings, the sheep and maybe clamber down the cliffs to the estuary.
We were trying to move our Selenium tests into a Docker container and were getting the above error response. A first Google search suggested increasing the memory of the container to 2G. We increased it to 3G to no effect. Deeper Googling then suggested increasing shared memory (/dev/shm, which Docker caps at 64m by default and which the --shm-size option raises). Initially, it was 64m. We raised it to 256m and it magically worked! Our script for creating the container:
Despite the supermarkets staying open during the lockdown, we’ve been getting far more food delivered; not just supermarket food but heat-at-home restaurant meals and fruit and veg from Wellocks, suppliers to Michelin-starred restaurants.
That said, two things have been standout in the last 12 months: climate change and Welsh independence.
Living in a country that contributed hugely to the increase of CO2 into the atmosphere helps concentrate the mind. Because of the lockdown, we’ve been taking that car out only once or twice a week and I see an electric car in our future. As it is, we live in a wood-clad “green” flat and are surrounded by trees in a borderline countryside area. Wales is 3rd in the world for recycling. I’m not sure what more we could do for the environment.
On the subject of Wales, in the last year, the subject of Welsh independence has started to gain traction. The non-political group yes.cymru have gone from nothing to nearly 20,000 paying members and 50,000 Twitter followers. Welsh Labour and Plaid Cymru supporters are behind the idea too. The electorate polls at 25%-40% in favour.
As I’ve said before, Wales has a GDP per head which puts it on a par with Spain. We’re short by between £5 and £10 billion a year but hey, with European support we can claw our way back as Ireland did. I’ve blogged about Wales’ potential before. Also, accounting properly for water, electricity and HS2 would help by a few billion in our favour. Oh, and we pay a disproportionate amount for defence, another £1.9 billion. It doesn’t help their case that we appear to have a bunch of incompetents in Westminster.
So there you have it. These are two things that are now occupying much more news space, internet space and headspace.
These are all things you can find elsewhere but a couple of password issues came as a surprise to me when a legacy system got the MySQL 5.7 upgraded to 8.0.
Firstly, password policies are much tighter. MySQL 8 ships the validate_password component, which by default (policy MEDIUM) demands at least eight characters including an uppercase letter, a lowercase letter, a number and a special character. That foxes our legacy system whose installer just generates lowercase letters and numbers. Uninstall it. Bear in mind that UNINSTALL COMPONENT 'file://component_validate_password' removes the check for every account on the server; the less drastic options are SET GLOBAL validate_password.policy = LOW (length only) or fixing the installer to generate passwords that pass.
Being green is all the natural resource we’ve got left in Wales pretty much since the rich folks and the English took our coal, tin, copper and so on.
This blog is also going to come from an Indy viewpoint. Welsh independence has gone from nothing to 40% in the last few years. Independence is worth bearing in mind whichever side you fall on. I’ve fallen foul of people who think the world revolves around Westminster on Reddit. We got annexed in 1284 and made a union in 1536, not on the same basis as Scotland.
40%. It’s only time.
A poll suggesting that backing for independence among Welsh citizens is at a record high should serve as a warning for the UK government and prompt it to work harder at its relationship with the devolved nations, supporters of the union have said.
Put energy creating lagoons around the harbours. This has come and gone but apparently is back again.
“Providing low-carbon, predictable renewable energy, tidal lagoons will deliver reliable and flexible electricity whatever the wind conditions or time of day – ensuring grid security and stability. Moreover, tidal lagoons have an exceptional operating life, at over 120 years, over three times a wind farm and twice a nuclear plant, and significant co-benefits that other schemes do not bring, such as protecting communities and businesses from rising sea levels.
Healthy peatland and raised bogs in good condition absorb carbon from the atmosphere which means they are important in the fight against climate change. If raised bogs are not in good condition they release harmful carbon into the atmosphere.
Treble public transport in Cardiff? No brainer. Fuck all has happened with this in the seven years I’ve been in Cardiff. Allegedly some things are happening. In all that time there’s been a “Metro Plan”. Maybe we’ll move on from horse-drawn open-topped trains.
The South Wales Metro is an integrated public transport network that will make it easier for people to travel across the Cardiff Capital Region, transforming rail and bus services as well as cycling and walking.
Build energy efficient houses. I’m lucky enough to live in a B rated place. All places should be this efficient.
Our seafood is amazing. Shame Westminster fucked that up.
There are three times as many as there are people. We should probably have more, within their environmental impact.
Restore the Cambrian mountains. There’s a 300km2 dead zone.
In the southern Cambrian Mountains, in central Wales, there’s a Terrestrial Dead Zone of around 300 km². It’s composed of degraded blanket mires, entirely dominated by a coarse grass called Molinia, in which other lifeforms, such as birds and insects, are scarcely to be found.
Cardiff is nice and green, there’s plenty of woods, open fields and so on to just go hang in. Sadly a few green spaces are under threat. That’s not surprising in a growing city. The rivers could do with cleaning up. We used to have eels and way more fish. I’ll blog about this at another time. I’ve exported all my saved pins from Google maps.
There’s so much potential but nothing will happen while we’re under Westminster’s thumb. In EU terms, we are by no means the smallest country in Europe and our GDP is OK. I’d like to see more action. In the last year of lockdown green issues have come more to the forefront. I want a green future for Wales.
SQL injection – could someone get at your database remotely? Use parameterised queries (prepared statements) rather than hand-escaping strings!
Broken auth – is your login system safe?
Data exposure – is your web server locked down? Options -Indexes in the Apache world.
XML External Entities – an XML parser that resolves external entities can be tricked into reading local files or making requests from your server. Turn entity resolution off!
Broken access control – are important files and admin functions inaccessible to people who shouldn’t have them?
Security misconfiguration – is your security software properly configured?
XSS – can someone get their own JavaScript into a page you serve, usually through input you echo back without escaping?
Using components with known vulnerabilities – keep up to date!
Insufficient logging and monitoring – know what’s going in and out of your system
Insecure deserialisation – be careful of the serialised data you accept
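To make the SQL injection and XSS items concrete, here is an added Python example (mine, not from the original post or any project it mentions). It runs the classic `' OR '1'='1` payload against a query built by string concatenation and against a parameterised one, on an in-memory SQLite table, and shows the same idea for HTML output. The users table, the hashes and the payloads are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demo (not from the original post).
USERS = [("alice", "s3cret-hash"), ("bob", "hunter2-hash")]


def _db():
    """In-memory SQLite table standing in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, pw):
    """String concatenation: attacker-controlled text becomes part of the SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, pw):
    """Parameterised query: values travel separately, so quotes are just data."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def demo_sqli():
    """Same payload through both paths. The vulnerable query becomes
    ... AND pw = '' OR '1'='1', which matches every row."""
    conn = _db()
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "nobody", payload),  # every user
        "safe": login_safe(conn, "nobody", payload),              # no match
        "legit": login_safe(conn, "alice", "s3cret-hash"),        # normal login
    }


def render_comment_vulnerable(comment):
    """Echoes user input straight into the page: script tags run."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """html.escape turns <, >, &, quotes into entities so the browser shows text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"
```

The fix for the query is not a better escaping function: with placeholders the database driver never sees the payload as SQL at all, which is why it works for every input, not just the quotes you remembered to escape.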
Make sure you have DDoS protection. I use Cloudflare; it has the added bonus of running my DNS, and I trust them. Run Snort or an equivalent as part of your monitoring: Snort is an IDS, or Intrusion Detection System. On WordPress, use a security plugin; I use Wordfence.
Site attackers can:
Inject SEO spam on the page
Drop a backdoor to maintain access
Collect visitor information or credit card data
Run exploits on the server to escalate access level
Use visitors’ computers to mine cryptocurrencies
Store botnets command & control scripts
Show unwanted ads, redirect visitors to scam sites
Host malicious downloads
Launch attacks against other sites
Asset inventory and management can be taken one step further into the following subcategories:
Web servers and infrastructure
Plugins, extensions, themes, and modules
Third-party integrations and services
Monitoring should be in place to verify the security state of:
File integrity – compare plugin and theme files against a known-good baseline of checksums (modification times alone are not enough, since an attacker can reset them)
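An added example of the file-integrity check above, not from the original post: it hashes a directory tree with SHA-256, compares the result against a saved baseline, and demonstrates on a constructed fake plugin directory why modification times alone are not enough (the tampered file has its mtime put back to the original value, and the hash still catches it). Paths and file contents are made up for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Files added, removed, or whose content changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake plugin dir, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / "demo"
        plugin.mkdir(parents=True)
        (plugin / "demo.php").write_text("<?php echo 'hello';")
        (plugin / "readme.txt").write_text("demo plugin")
        baseline = hash_tree(tmp)          # this is what you would store off-box

        # Simulated compromise: a line is injected into an existing file and the
        # mtime is restored, a new file is dropped, and one file is deleted.
        target = plugin / "demo.php"
        before = target.stat()
        target.write_text("<?php echo 'hello'; // injected line")
        os.utime(target, (before.st_atime, before.st_mtime))
        (plugin / "c99.php").write_text("<?php /* dropped file */")
        (plugin / "readme.txt").unlink()

        return diff_baseline(baseline, hash_tree(tmp))
```

Store the baseline somewhere the web server cannot write to (or sign it), otherwise whoever edits the plugin can edit the baseline as well.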
A proper incident response plan includes:
Selecting an incident response team or person
Reporting of incident to review findings
Mitigating the event
The incident response process, as defined by NIST, is broken down into four broad phases:
Preparation & planning
Detection & analysis
Containment, eradication & recovery
Post incident activities
You can base all further actions on the following tips:
Restrict global access to your site (or certain areas) via GET or POST methods to minimize exposure.
Update directory and file permissions to ensure the read/write access is properly set.
Update or remove outdated software/themes/plugins.
Reset your passwords immediately with a strong password policy.
Activate 2FA/MFA wherever possible to add an extra layer of authentication.
The best practices for you to have a strong password are:
Use a password manager,
Do not reuse your passwords: Every single password you have should be unique.
Have long passwords: Try longer than 12 characters. The longer the password is, the longer it will take a computer program to crack it.
Use random passwords: Password-cracking programs can guess millions of passwords in minutes if they contain words found online or in dictionaries. If you have real words in your password, it isn’t random. If you can easily speak your password, it means that it is not strong enough. Even using character replacement (i.e. replacing the letter O with the number 0) is not enough. There are several helpful password managers out there, such as LastPass (online) and KeePass 2 (offline). These tools store all your passwords in an encrypted format and can easily generate random passwords at the click of a button. Password managers make it possible to use strong passwords by taking away the work of memorizing weaker ones or jotting them down.
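An added example (not from the original post) that ties the password advice here to the MySQL 8 validate_password issue from the upgrade notes earlier on this page: it generates a random password from the OS CSPRNG and checks it against the MEDIUM policy defaults (8+ characters with upper and lower case, a digit and a special character), which is exactly what the legacy installer's lowercase-and-digits generator fails. The SPECIAL alphabet is my choice and an assumption: it leaves out quotes and backslashes so the result can be pasted into shell and SQL without escaping.

```python
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Assumed symbol set: MySQL counts punctuation as "special"; quotes and
# backslash are left out so the password is safe to paste into SQL or a shell.
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_password(length=20):
    """Random password from the OS CSPRNG with at least one char from each class."""
    if length < 8:
        raise ValueError("MySQL's MEDIUM policy needs at least 8 characters")
    pools = (LOWER, UPPER, DIGITS, SPECIAL)
    chars = [secrets.choice(pool) for pool in pools]        # one of each class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                    # hide class positions
    return "".join(chars)


def meets_medium_policy(pw):
    """Mirror of validate_password.policy = MEDIUM defaults in MySQL 8."""
    return (
        len(pw) >= 8
        and any(c in LOWER for c in pw)
        and any(c in UPPER for c in pw)
        and any(c in DIGITS for c in pw)
        and any(c in SPECIAL for c in pw)
    )
```

Use `secrets`, not `random`: the latter is a Mersenne Twister seeded from the clock and its output is predictable to anyone who sees a few values.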
The principle of least privilege aims to accomplish two things:
Using the minimal set of privileges on a system in order to perform an action
Granting those privileges only for the time the action is necessary
Here are the things to look for when deciding which extensions to use:
When the extension was last updated: If the last update was more than a year ago, it’s possible the author has stopped working on it. Use extensions that are actively being developed because it indicates that the author would at least be willing to implement a fix if security issues are discovered. Furthermore, if an extension is not supported by the author, then it may stop working if core updates cause conflicts.
The age of the extension and the number of installs: An extension developed by an established author that has numerous installs is more trustworthy than one with a small number of installs released by a first-time developer. Not only do experienced developers have a better idea about best security practices, but they are also far less likely to damage their reputation by inserting malicious code into their extension.
Legitimate and trusted sources: Download your plugins, extensions, and themes from legitimate sources. Watch out for free versions that might be pirated and infected with malware. There are some extensions whose only objective is to infect as many websites as possible with malware.
A good backup solution should fulfil the following requirements:
First, they have to be off site. If your backups are stored on your website’s server, they are as vulnerable to attacks as anything else in there. You should keep your backups off-site because you want your stored data to be protected from hackers and hardware failure. Storing backups on your web server is also a major security risk: a backup archive left under the document root can often be downloaded directly, and these backups usually contain old, unpatched versions of your CMS and extensions, giving hackers an easy way in.
Second, your backups should be automatic. You do so many things every day that having to remember to backup your website might be unthinkable. Use a backup solution that can be scheduled to meet your website needs.
To finish, have reliable recovery. This means having backups of your backups and testing them to make sure they actually work. You will want multiple backups for redundancy. By doing this, you can recover files from a point before the hack occurred.
Here are a few best practices to add for a particular web server:
Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution. Use Options -Indexes in Apache.
Prevent image hotlinking: While this isn’t strictly a security improvement, it does prevent other websites from displaying the images hosted on your web server. If people start hotlinking images from your server, the bandwidth allowance of your hosting plan might quickly get eaten up displaying images for someone else’s site.
Protect sensitive files: You can set rules to protect certain files and folders. CMS configuration files are one of the most sensitive files stored on the web server as they contain the database login details in plain text. Other locations, like admin areas, can be locked down. You can also restrict PHP execution in directories that hold images or allow uploads.
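An added Apache 2.4 configuration fragment (not from the original post) that applies the four points above. The paths, the example.com domain and the WordPress file names are assumptions for illustration; the hotlink rules need mod_rewrite enabled.

```apache
# 1. Directory listing off (the -Indexes the page mentions)
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>

# 3. Deny direct requests for the CMS config file (wp-config.php as the WordPress example)
<Files "wp-config.php">
    Require all denied
</Files>

# 3. Uploaded files must never be executed as PHP, whatever their extension says
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.ph(p[3457]?|t|tml)$">
        Require all denied
    </FilesMatch>
</Directory>

# 2. Hotlink protection: only serve images when the Referer is empty or our own site
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]
```

The uploads rule matters more than it looks: most CMS compromises end with a PHP file written into the uploads directory, and refusing to execute anything there turns that from a shell into a harmless text file.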
Here are some free website security tools:
SiteCheck – Free website security check and malware scanner
Sucuri WordPress Security Plugin – Auditing, malware scanner, and security hardening for WordPress websites
Google Search Console – Security notifications and tools to measure websites search traffic and performance
Bing Webmaster Tools – Search engine diagnostics and security reports
Yandex Webmaster – Web search and security violation notifications
Unmaskparasites – Check pages for hidden illicit content
Best website security software – Comparison of paid website security services
Best WAF – Comparison of the best cloud-based web application firewalls
Netsparker – (Free community edition and trial version available). Good for testing SQL injection and XSS
OpenVAS – Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, currently scans for over 25,000. But it can be difficult to set up and requires an OpenVAS server to be installed, which only runs on *nix. OpenVAS is a fork of Nessus from before it became a closed-source commercial product.
SecurityHeaders.io – (free online check). A tool to quickly report which security headers (such as CSP and HSTS) a domain has enabled and correctly configured.
Xenotix XSS Exploit Framework – A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.
Are you using GitHub or similar? I’ve used Gitlab most recently, and I especially like Docker in Docker. Within that, how close to GitFlow are you? Having experienced an awful version control system, this is key. GitHub is really flexible and gives you enough rope to hang yourself in the foot. A fun thing is commenting commits correctly.
What’s your branching strategy? How long do you expect a branch to live? Branch lifetime should be of the order of a day. Any longer than that, have a quiet word with your SCRUM master.
How automated are your deployments? Do you create .rpms/.debs? Packages make deployments and rollbacks so much easier. Add YYYYMMddhhmmss to the name so you can keep track of them, or a build number so you can identify them.
Which CI system do you use? If not Jenkins, GitHub or Gitlab, why not?
Test automation is great. It builds, runs tests and creates modules. And anything else that makes your life easier. It’s also the ultimate in QA. If you have good test coverage and your tests pass, you’re good to go. It’s part of CI, right? Do you measure test coverage?
CI is also a good time to run code hygiene tests like pylint or perlcritic even if you have them on your commit hook. OWASP recommend some code security scanners and Snyk seems quite plausible.
How is your test data managed? Do you create a temporary database and populate it or do you have one database and run your tests within a transaction?
Security? How close to the developers is this managed? Separate security departments are often understaffed. Do you keep an eye on the OWASP top ten? Do you use parameterised queries rather than relying on hand-escaping strings when composing SQL?
How close to continuous delivery are you? How long do rollbacks take? Do you use something like Ansible or puppet to manage your systems? Bonus points for terraform or docker. How fungible are your live servers?
How loosely coupled is your architecture or is it a big ball of mud? This is another thing that burned me recently. With mod_perl potentially going away in some form, parts of the system should have been moved to a new framework.
What other tools do you have and who chose them? Are you running popular systems for monitoring or code review or some open-source system that might wither on the vine?
Are you agile? Do you do SCRUM or KANBAN? Do you have a SCRUM master and a product owner? So many teams think they are agile when they’re merely doing some agile type things sandwiched in a blob of waterfall.
Who authorises changes? Do the developers do it or do you have a separate approvals board? It’s so much better to have decisions made at the lowest level by team members than to be farmed out to some remote change approvers.
What system monitoring do you have? What is your average time to fix?
What is your ticketing system, and why isn’t it JIRA, GitHub or Gitlab? Does your SCRUM master visualise progress and use all the tools to measure team performance? Does your SCRUM master measure project velocity?
Has management bought into the k8s kool-aid? Are you using kompose and rancher to help manage it?
So there you have it. How to extend an interview beyond the allotted time.
Did I miss anything? Comments, as always, welcome.