PhillipBlanton.com

"Save me, oh God, from people who have no sense of humor."
— Ludlow Porch

Deploying a website to AWS CloudFront with SSL/TLS and AutoRedirect to https.

Today I deployed a website I'm working on, to AWS CloudFront and enabled SSL/TLS using a free Amazon certificate with a correctly configured https redirect. To see it in action, hit these links...

You shouldn't be able to view anything on http. All insecure requests should automatically redirect to https. Examining the certificate will reveal that it is a valid Amazon SSL cert.

The site is running serverless on Amazon S3 and CloudFront. It should be a very cost-effective way to deploy a simple business website that may need to scale, without purchasing hardware and infrastructure and paying the associated costs.

If you want to use Node.js and Lambda, start with a simple HTML/JavaScript site configured as follows, then add in the Lambda/Node.js functionality. I'm a big fan of accomplishing complex tasks in baby steps. For now the site is pure JavaScript/HTML, so there is no overly complex Lambda configuration involved. Let me show you how I did it. I presume you have a JavaScript/HTML web application and a registered domain name to point at it. The domain name I used, "gort.co", is registered with GoDaddy, so I'll cover switching the DNS from GoDaddy over to AWS Route 53 while leaving the name registered with GoDaddy; but if you're getting a new domain, you can register it with AWS Route 53 to simplify things if you wish. I also like NameCheap.com.

If I've made any mistakes or important omissions, please comment below and I'll fix it.

Configuring your AWS S3 Bucket:

Log in to your Amazon AWS Console. If you don't have an Amazon account (dude, really?), you can create one and then sign up for the AWS Free Tier. You'll get basic services for free for one year. Read about it here. The free tier gives you up to 5GB of S3 storage which should be plenty for your website.

In the AWS Console...

  • Select the [Services V] button in the top-left corner.

  • Under the Storage section, select "S3"

  • In the S3 console, select [Create Bucket]
  • Give the new bucket a name (lowercase letters, digits and hyphens only; no capitals and no dots) and save.
  • Click on the new bucket, select the Options tab and click the [Upload] button.
  • Drag your website files onto the Upload dialog and click [Upload].
  • After the files have finished uploading, back in the bucket details window, select the Properties tab. Click "Static website hosting" and configure it as follows...
    • Select "Use this bucket to host a website"
    • Configure the Index Document and Error Document to point to the respective documents. Mine is configured like this...

  • At the top of the Static Website Hosting window is a link to the endpoint.

    Copy that into your paste buffer, then click Save.
  • You should have a website up and running at the endpoint mentioned above. Browse to it to make sure it works. If not, fix any issues with your web files so that the site runs. Keep in mind that this website endpoint speaks plain http only and stays reachable after CloudFront is put in front of it, so anyone who knows the bucket name can still fetch your files without TLS; the https redirect we set up later applies only to requests that come through CloudFront.
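One step the walkthrough above doesn't show is bucket permissions: the website endpoint answers 403 for any object that isn't publicly readable, so at some point you grant anonymous read. The grant should be exactly that and nothing more. Below, as an added example (my code, not from the original post), is the minimal bucket policy next to a common over-broad one, plus a small audit function that flags any anonymous grant beyond GetObject on objects. The bucket name is a placeholder.

```python
"""Bucket policies for an S3 static-website bucket, with a small audit check.
Added example, not from the original post. BUCKET is a placeholder."""
import json

BUCKET = "your-bucket-name"  # placeholder: substitute your real bucket name

# What the S3 website endpoint needs: anonymous GetObject on objects, nothing more.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForWebsite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# A common over-grant: s3:* on the bucket and its objects lets anyone list the
# bucket (s3:ListBucket) and overwrite or delete your site (s3:PutObject, s3:DeleteObject).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# The only action an anonymous visitor of a static site needs (compared lowercase).
ALLOWED_ANONYMOUS_ACTIONS = {"s3:getobject"}


def _as_list(value):
    """Policy fields may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(policy):
    """Return a list of findings for Allow statements that apply to anonymous users.
    An empty list means anonymous users can do nothing beyond reading objects."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ANONYMOUS_ACTIONS:
                findings.append(f"{sid}: anonymous users allowed {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            # A grant on the bucket ARN itself (no "/*") is what bucket-level
            # actions such as s3:ListBucket attach to; objects-only is the goal.
            if not resource.endswith("/*"):
                findings.append(f"{sid}: statement also covers the bucket ARN {resource}")
    return findings


def render(policy):
    """The policy as the JSON text you paste into the bucket's Permissions tab."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(f"{name}: {audit_policy(policy) or 'OK'}")
    print(render(HARDENED_POLICY))
```

Paste the output of `render(HARDENED_POLICY)` into the bucket policy editor. If you ever want the files reachable only through CloudFront, that requires switching the origin to the bucket's REST endpoint with an Origin Access Identity, which gives up the website endpoint's index and error document handling; for a plain static site the public GetObject grant above is the usual trade.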

Configuring CloudFront:

In order to support SSL/TLS on our custom domain, we need CloudFront in front of the bucket. You can point a custom domain at the S3 website endpoint on its own, but that endpoint doesn't do https at all; CloudFront gives us an Amazon-issued SSL/TLS cert, the http-to-https redirect and easy aliasing from Route 53, so we'll use that.

  • In the AWS Console, select "Services V" again, and this time click on CloudFront, under Networking & Content Delivery.

  • If you already have a distribution created for your new S3 bucket, then click on the distribution's ID. If you don't have one, then click on [Create Distribution] and [Get Started] under "Web".
  • Under Origin Domain Name, type in the S3 bucket's website endpoint (the one you copied earlier, minus the http:// part) rather than picking the bucket from the drop-down; the drop-down gives you the bucket's REST endpoint, which doesn't honor the index and error documents you just configured.

  • Under Default Cache Behavior Settings, leave everything set to default values.
  • Under Distribution Settings | Alternate Domain Names, enter your domain name(s). I wanted mine to work with the naked version as well as the "www" sub, so I set it like this.

  • Under Distribution Settings | SSL Certificate, choose "Custom SSL Certificate" and click the button [Request or Import a Certificate with ACM]. CloudFront only uses ACM certificates from the US East (N. Virginia) region, whatever region your bucket lives in; the button on this form takes you there.
  • In the SSL Cert Request form, be sure to add the naked form of your domain name (without the "www") if you want users to be able to hit your site securely without any sub-domain. Here's how I configured mine...

  • Click [Review and Request] and follow the steps to get the cert approved and issued.
    • With email validation, a message is sent to the domain's owner of record (the WHOIS contacts plus the standard admin/webmaster style addresses). You (or that person) will need to approve the request in each email before the cert is issued.
    • You get one email per domain name on the certificate, so if you get multiple emails you will need to approve each one before the cert will be issued. ACM also offers DNS validation, which you satisfy with a CNAME record in the Route 53 zone you'll create below, if you'd rather not depend on those mailboxes.
  • Back in the Create Distribution dialog, under Custom SSL Client Support, choose "Only Clients that Support Server Name Indication (SNI)". Do NOT select "All Clients" (dedicated-IP custom SSL) unless you absolutely need to serve clients that can't do SNI, such as IE on Windows XP or very old versions of Android on old hardware, and are willing to spend $600 per MONTH for the privilege.

  • Under Default Root Object, enter your default document. Mine is "index.html".
  • Enter a comment for the CloudFront entry under Comment.
  • Accept the rest of the defaults and click the [Create Distribution] button.

Configuring auto http to https redirect:

Now we'll configure the auto-redirect from http to https.

  • In your CloudFront distribution list, click on the new distribution for your website.
  • Click the "Behaviors" tab.
  • You should already have a behavior for the Default (*) pattern. Select it by clicking the check box on the left, and click the [Edit] button.
  • Under the Viewer Protocol Policy, select Redirect HTTP to HTTPS... CloudFront will then answer any plain-http request with a 301 to the same URL over https. Note that the first request still travels in the clear, so this protects the content, not that initial hop; nothing in these steps adds a Strict-Transport-Security header.

  • Leave the rest of the settings alone, scroll to the bottom and select [Yes, Edit].

Lets test it before we move on to configuring the domain name under Route 53...

On the General tab, under the CloudFront Distribution for your website, copy the value of "Domain Name" into your paste buffer.

Try navigating to it. You should be able to hit it at both http and https, but when you hit the http version, it will auto-redirect to https for you. If that all works, then you're ready to configure Route 53.
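To check both things this post claims, that plain-http requests get redirected and that the served certificate is a valid Amazon-issued one covering your names, here is an added Python checker (my example, not part of the original post). The redirect and certificate logic are plain functions you can run against canned responses; `probe()` does the live check over the network. Because it uses `ssl.create_default_context()` and passes `server_hostname`, it also sends SNI, which is exactly what the "SNI only" choice above requires of clients. The host `www.example.com` in the `__main__` block is a placeholder; pass your CloudFront domain name or, once DNS is switched, your own domain.

```python
"""Verify the http->https redirect and the TLS certificate of a CloudFront site.
Added example for this post; not the author's code. The default host is a placeholder."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}


def evaluate_redirect(requested_url, status, headers):
    """Judge the response to a plain-http GET against what CloudFront's
    "Redirect HTTP to HTTPS" policy should produce: a redirect whose Location
    is the same host, path and query, with the scheme switched to https.
    `headers` is a list of (name, value) pairs, as http.client returns them.
    Returns (ok, reason)."""
    req = urlsplit(requested_url)
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if status not in REDIRECT_STATUSES:
        return False, f"expected a redirect, got {status}: content is served over plain http"
    if location is None:
        return False, f"{status} response without a Location header"
    tgt = urlsplit(location)
    if tgt.scheme != "https":
        return False, f"redirect target is not https: {location}"
    if (tgt.hostname or "").lower() != (req.hostname or "").lower():
        return False, f"redirect leaves the requested host: {location}"
    if (tgt.path or "/") != (req.path or "/") or tgt.query != req.query:
        return False, f"redirect drops the path or query string: {location}"
    return True, f"{status} -> {location}"


def cert_matches_host(cert, hostname):
    """True if `hostname` is covered by a DNS entry in the certificate's
    subjectAltName (exact match, or a single-label wildcard like *.example.com).
    `cert` is the dict returned by SSLSocket.getpeercert()."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def issuer_org(cert):
    """Organization name of the certificate issuer; "Amazon" for an ACM cert."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def probe(host, path="/"):
    """Live check: GET http://host/path without following redirects, then open a
    fully verified TLS connection (chain + hostname, SNI sent) and return
    (redirect_verdict, peer_certificate)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        verdict = evaluate_redirect(f"http://{host}{path}", resp.status, resp.getheaders())
    finally:
        conn.close()
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return verdict, cert


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    (ok, why), cert = probe(host)
    print(f"redirect: {'OK' if ok else 'FAIL'} ({why})")
    print(f"certificate: issued by {issuer_org(cert)}, "
          f"{'covers' if cert_matches_host(cert, host) else 'does NOT cover'} {host}")
```

Run it against the CloudFront domain name now and against your own domain once Route 53 is live; a `CertificateVerifyError` from `probe()` is the TLS library telling you the chain or hostname didn't check out, which is the same failure a browser would show as a warning.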

Configuring your domain name with Route 53.

My domain name (gort.co) is registered with GoDaddy, so this part of the tutorial covers pointing gort.co's DNS at Amazon's Route 53 name servers instead of GoDaddy's, and configuring the Route 53 zone for my CloudFront site.

  • Go to the AWS Console, and select "Services V" again. This time, under Networking & Content Delivery, select "Route 53".

  • In the Route 53 console (you might have to "Get Started") Go into Hosted Zones and click the [Create Hosted Zone] button. Fill out the "Create Hosted Zone" dialog as follows...

  • Create the following record sets...

    The A and AAAA records are alias records, one pair for the naked domain and one for "www", that point at the CloudFront distribution's domain name you tested before setting up DNS. In the console, choose Alias and pick the distribution as the target rather than entering an address; the AAAA record is what makes the site reachable over IPv6.
  • Make a note of your name servers, and go log into GoDaddy's client console.

I'm getting an error on GoDaddy's console right now. Apparently they're having issues and I can't use their DNS management system at this time. I'll come back and edit this to show the steps later, but for now suffice it to say you need to edit your GoDaddy DNS to use custom name servers, then add in each of the name servers specified under NS above. Be sure to use yours, not the ones assigned to me in the image above.

Give it a few minutes for the name-server change at GoDaddy to propagate before testing it. If your own machine keeps returning the old answer, you can flush its DNS cache so it asks the resolver again. Be clear about what that does: it only discards what your computer has cached. It doesn't speed up propagation anywhere else, and the resolver your system uses may keep serving the old record until that record's TTL expires.

Windows:
At a Windows command prompt, type
    ipconfig /flushdns
then restart your browser (Chrome keeps a DNS cache of its own).

Linux:
There are a number of different ways to skin a penguin, depending on which resolver your distribution runs. Try the one that matches your setup...
    sudo systemd-resolve --flush-caches
for systemd-resolved (the default on recent Ubuntu; newer releases spell it resolvectl flush-caches), or
    sudo rndc flush
if you run a local BIND (named) cache, or
    sudo /etc/init.d/nscd restart
if you run the nscd name service cache.

Apple:
At a command terminal, type
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
then restart your browser. On recent macOS releases it is the mDNSResponder signal that actually clears the cache; dscacheutil alone only works on older versions.

Cyber-Security Talent Shortage.

An article published in CSOOnline back in September of 2016, stated that unemployment in the Cyber-Security field was zero percent, and that there were over 1 million un-filled jobs with nobody chasing them. Now I may be a bit over-critical, but isn't that the textbook definition of something of a NEGATIVE unemployment rate?

Many experts are saying that we are currently sitting on a -5% unemployment rate in the Cyber-Security world and expect the shortage in qualified candidates to grow to upward of 3.5 million unfilled jobs by 2021.

http://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html

Some think that part of the problem is companies trying to "hire a unicorn" by writing job descriptions with cross-cutting requirements that no single person is ever going to have; hence recruiters are unable to find anyone who's qualified.

https://securityintelligence.com/news/cybersecurity-talent-shortage-zero-unemployment-no-unicorns/

I keep getting calls from recruiters trying to place cyber-security experts in cubicles. Some are offering relocation packages and some are not. One client was willing to let a good candidate work remotely as long as they were willing to spend one week each month traveling to the client's offices in Northern Virginia... AT THE EMPLOYEE'S OWN EXPENSE.  :-/

Current roadblocks are...

  1. There just aren't as many cyber-security experts as are desperately needed. Each reported cyber-attack or data-breach represents only a small percentage of the actual activity, and creates more demand for experts to help mitigate the issue.
  2. Universities can't graduate cyber-security experts fast enough, because a freshly-minted undergrad doesn't have the requisite experience.
  3. Existing hiring practices are woefully inadequate to address the problem.
  4. Managers are unwilling to pay cyber-security experts the salaries necessary to lure them away from their current positions. In many cases this will be an amount far above what the manager himself makes.
  5. Most people are unwilling to relocate in order to take a job that can very easily be done remotely. 

 

Enabling the audio controls in Chrome's tabs.

Some web pages start playing ads and bellowing at you when you load them. I HATE it. On Chrome I have to right click the tab and select "Mute tab". The result is that the little speaker icon on the offending tab shows a slash across it.

To allow the tab to play again, you have to right click it, and select "un-mute tab".

It sucks. I hate it and I wish muted tabs were the default. Short of that, there are two quicker ways to shut a tab up...

Use the Mute Tab Shortcuts extension, or enable Chrome's built-in tab audio muting:

    1. Type chrome://flags/#enable-tab-audio-muting into your address bar and press enter.
    2. Click Enable and restart Chrome.

Now, when you encounter a lousy, people hating noisy tab, you can just click the audio icon on the offending tab to mute or un-mute it.

mute icon

Reversing the mouse wheel scroll on Windows 10.

Update 5/2/2017: My Windows 10 computer took a new, large update yesterday called the "Windows 10 Creators Update", and it broke this fix. My mouse now scrolls in the un-natural Windows way again. After checking the registry, the FlipFlopWheel parameter had indeed been switched back to 0 by the update. This isn't OK, Microsoft. I had specifically set that value so that my mouse scrolls the way I want it to. The only way that value gets set to something other than 0 is that the user set it that way. For you to come in with your updates and break user-defined functionality is certainly NOT OK!

I am used to macs now and I have come to like the reversed mouse scroll wheel setting that they use. When I have to use a Windows or Linux machine, I always have to "fix" the mouse scroll because it drives me crazy.

Here's how to fix it on Windows. Copied from Volker Voecking's blog where he shows how to do it on Windows 7. Luckily it still works on Windows 10...

  1. Find the hardware ID of the mouse

    • Go to the mouse control panel
    • Select “Hardware” tab
    • Click “Properties” button
    • Select “Details” tab
    • From the drop-down list choose “Hardware IDs”
    • Save the VID*** entry ( e.g. VID_045E&PID_0039 )

  2. Find and change the corresponding configuration settings in the registry

    • Run regedit.exe
    • Open Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID
    • Here you should find an entry for the hardware ID of your mouse
    • In all sub-keys of the hardware id key look for the “DeviceParameters” key and change the “FlipFlopWheel” value from 0 to 1

  3. Make it work

    • Unplug the mouse
    • Count to five :-)
    • Plug the mouse back in

For Linux... 

I use Ubuntu Gnome and this works for me. Different distros / desktops may require different instructions. Good luck!

Create a file in your home directory called ".Xmodmap"

    • Run a terminal
    • Type cd ~ to get to your home directory if you're not already there.
    • Execute the following command (no sudo; the file lives in your own home directory and should be owned by you, not root)
      gedit .Xmodmap
    • *Type the following line in the text file...
      pointer = 1 2 3 5 4 6 7 8 9 10 11 12
    • Save the file
    *Note that the 5 and 4 are reversed in the number list above. Buttons 4 and 5 are the scroll wheel's up and down clicks, so swapping them is what flips the scroll direction.

Apply it right away with xmodmap ~/.Xmodmap. Most desktops re-read ~/.Xmodmap when you log in, so the setting sticks across sessions; if it stops working after you unplug and re-plug the mouse, just run that xmodmap command again.

Expecting Professionalism

This is a great presentation by Robert C. Martin. If you care about doing software development right, then watch...

Notes:

  1. We Will Not Ship Shit!
  2. We Will Always Be Deployable after each sprint.
  3. Stable Productivity.
  4. Inexpensive Adaptability - Easy change.
  5. Continuous Improvement over time.
  6. Fearless Competence thanks to unit tests.
  7. Extreme Quality with consistent issue tracking.
  8. Don't Dump On QA.
  9. No fragile system components.
  10. Cover For Each Other. Make one's self replaceable.
  11. Give honest estimates
  12. Say "No" constructively
  13. Continuous Aggressive Learning
  14. Mentoring - Perpetual Inexperience.

Shame on you CIA

Cisco recently disclosed a vulnerability in more than 300 OF THEIR SWITCH MODELS, which they found while reviewing the Wikileaks Vault 7 dump. Apparently the CIA discovered the vulnerability and built an exploit for it for their own nefarious purposes, rather than informing Cisco so it could be fixed.

http://thehackernews.com/2017/03/cisco-network-switch-exploit.html

Those of you who blindly trust your government to "keep you safe", there you go. There should be sanctions levied against the CIA for this clear violation of public trust. There won't be though.

If you're using Cisco switches, disable telnet immediately (on IOS that means limiting the vty lines to SSH with transport input ssh) and keep it disabled until further notice. Cisco has said it will push out fixed software as soon as possible; keep telnet off until you have installed it, and consider leaving it off for good, since SSH does the same job without sending your credentials in the clear.

Did Your New High-End Android Smartphone Come With Some Un-welcome Software?

Probably.

http://thehackernews.com/2017/03/android-malware-apps.html

Apparently security researchers scanned a number of smartphones from the major manufacturers and found 36 that came with malware pre-installed.

The malware didn't come from Google, Samsung, or any of the manufacturers. Rather it was installed somewhere along the supply chain before the devices arrived at the distributor's warehouse. The two malware applications found were Loki and SLocker. Loki is a back-door app that gives the attackers full access to the phone and all data on it, and SLocker is a ransomware app.

How would you feel knowing that your new Android smartphone came pre-installed with ransomware, and the attackers are just waiting for you to get a bunch of valuable data on it before locking it down and demanding a $1000 ransom, payable only in bitcoin?

Would purchasing your phone from a known entity like Best Buy help to mitigate the risk? I don't know and I'm not sure anyone does at this time.

Here's the list of smartphones found to be pre-infected:

  • Galaxy Note 2
  • LG G4
  • Galaxy S7
  • Galaxy S4
  • Galaxy Note 4
  • Galaxy Note 5
  • Xiaomi Mi 4i
  • Galaxy A5
  • ZTE x500
  • Galaxy Note 3
  • Galaxy Note Edge
  • Lenovo A850
  • Galaxy Tab S2
  • Galaxy Tab 2
  • Oppo N3
  • Oppo N3
  • Vivo X6 plus
  • Nexus 5
  • Nexus 5X
  • Asus Zenfone 2
  • Lenovo S90
  • Oppo R7 plus
  • Xiaomi Redmi

 

Why? How? WHY? are people falling for this?

And I presume they are constantly falling for this, because these just keep coming.

         

Even if it were a real shipment, why on earth would I need to review the shipping label? When the package arrives the label will be on it. Can't I just review it then?

And hey Alberto, if that's your real name (it isn't), why did you ship a package "at" December 8? And why, Mr. Haley the <wink wink>postal worker</wink wink>, are you emailing me from a German domain, glady.de? Too lazy to properly spoof USPS.gov or USPS.com?

How dumb are you if you open that attachment? DON'T OPEN THAT ATTACHMENT! You didn't order anything, and if you did this phishing email has NOTHING TO DO WITH IT.

Jeez. If people will just stop falling for this obviously clear-cut BS, the internet would only have 5.2 million other terrible things on it.

I haven't opened one and don't have time to do it now, but maybe after work tonight I will spin up my forensics machine, snapshot a Kali VM and open up the attachment to see what's in it.

Stay tuned.

Using Dark Patterns Against Your Customers.

This is a good description of "Dark Patterns" and why honorable software developers should push back against this type of design. People will naturally gravitate towards evil and must be guided toward doing good. Evil is the norm while good is an aberration.

Strive to do good in all things.

http://darkpatterns.org/

Clint Eastwood Banned from Twitter?

I got this in my Twitter highlight feed...

EastwoodUSA Tweet

I clicked on it to see the response and I got this...

Suspended

Quite surprised about this I was! Everyone knows Clint Eastwood to be staunchly conservative and this is a pretty benign tweet; so I did a little digging. It didn't take long to determine that @EastwoodUSA isn't Clint Eastwood's Twitter name. His real Twitter name is, "@Eastwood_". Apparently someone who wanted to make him look bad, created a fake account and posted all sorts of stuff on Twitter. The media was awash with consternation for Clint Eastwood, until someone tipped off Twitter that it wasn't actually him.

You'd think our media would be a little smarter about falling for that kind of stuff. What happened to journalism; to checking one's sources? Here is one of the retractions that the media had to issue. This one from the Washington Post, here...

wapo retraction