Categories: docker, hosting, linux, network, rails, Security, Technology, Uncategorized

Self-hosting with Kamal: Watch your ports when shipping.

I’ve been playing around with Kamal from Basecamp (previously called MRSK) for deploying simple apps on a single server.

There’s a lot to like about Kamal’s ergonomics and principles. But there were a few things that I struggled with or that confused me.

It mostly boils down to Kamal offering a layer of abstraction over Docker, SSH and some Linux commands. But perhaps more importantly, DHH, the creator of Kamal, quite explicitly says that:

“[It] is designed for multi-server operation”.

DHH

Why is this distinction important?

Because it implicitly gives up some of the nice (and more secure) features of Docker on a single host, primarily internal network connections and container name resolution.

[It] is designed for multi-server operation, so the internal network idea breaks down pretty quick with that. You’d have to unstrip all of that when you go to scale it. So I think we’re better off keeping the network host transparent.

DHH

This is a completely fair design choice, and it removes a lot of complexity from Kamal. However, when you’re running your new startup or a hobby project, you want to keep things simple and run it all on one host.

But you don’t want to compromise on security and unintentionally expose your Database or Redis to the outside world, right?

Categories: privacy, Security, Technology

Does iOS 14 protect your privacy?

A few months ago I wrote a post: Does Apple care about your privacy?

In the post, I looked at Apple’s IDFA – ID For Advertising, and how it’s abused by companies like Facebook and many more to track you. I believed then, and still believe now, that what Apple is doing is not ethical and also not legal under the European GDPR.

Since then, Apple actually announced that iOS 14 would change the way IDFA was accessible to all apps by default and that it would start “Asking Permission to Track”. This is a welcome change. Sadly, despite iOS 14 rolling out already, and despite Apple’s claims on this page, this change is still not in place.

Luckily, however, I was able to collaborate on this issue with NOYB (None Of Your Business: a privacy organization; please consider donating if you care about your privacy). NOYB brought forward an official complaint against Apple. The complaint was not a GDPR complaint, but rather highlighted an ePrivacy violation. This is another legal framework which explicitly forbids the kind of thing Apple is doing.

Categories: Security, Technology

Protecting TimeMachine backups from itself

Going down the time machine rabbit hole…

I love the fact that macOS comes with TimeMachine built-in, and I also really appreciate its simplicity. It makes backups easy and accessible even for non-technical people. It gets messy, though, if you also want to have real offsite backups.

TimeMachine works great with a USB external HD, but things get tricky over the network.

I own a small Synology NAS, and I managed to mount a TimeMachine volume and get it to back up to that volume. The problem started when the volume size started to grow. I could set a quota on the volume, but for some strange reason, when the quota was reached, TimeMachine just started failing without a clear reason. There’s no way to tell TimeMachine to only keep X versions, or to keep disk usage below a certain threshold. It’s supposed to prune old backups automatically, but that seems to fail with my network volume.

Categories: hosting, privacy, Security, Technology

Why is Backblaze tracking me?

This is a follow-up to my previous post: hey.com is onto something with its tracking-pixel blocker. I mentioned contacting Backblaze about their email tracking there.

I didn’t think too much of it at the time, and honestly (or naively?) was expecting some kind of an “Oh, yes, you’re right, there’s no need to track those emails”… But it didn’t unfold in quite that way.

TL;DR

This is my own interpretation, obviously. Backblaze seems to think that tracking emails is totally fine, even under the GDPR. They’re not going to stop doing it until further notice.

Categories: hosting, Security, Technology

Disposable emails: I gave Fastmail a second chance

About 4 years ago I wrote a rather lengthy rant about Fastmail, and why it didn’t fit my needs: Why I’m not using Fastmail. A few weeks ago, I gave it another chance, and this time the experience was way better.

Categories: privacy, Security, Technology

Does Apple care about your privacy?

I’ve been an Apple user since 2005 or so. Well, unless you consider my Apple IIc, in which case I guess I was a customer since 1987. I managed to negotiate with my parents to bundle two birthdays (my 12th and my Bar Mitzvah, that’s a big one) to get one of those. It was a turning point in my life… But I digress.

Image: By Bilby – Own work, CC BY 3.0

I really admire Apple’s push for security without compromising convenience, with Touch ID and Face ID making things safer. Apple’s touting their efforts to reduce web tracking, and Tim Cook publicly stated that “We at Apple believe that privacy is a fundamental human right”.

But when it comes to their own backyard, does Apple even meet the requirements of the GDPR (the European privacy directive)? I don’t think so.

Categories: docker, hosting, Security, Technology

envwarden and kubernetes secrets

envwarden is a simple open-source script that lets you manage your server secrets with Bitwarden.

Read more about envwarden here

Here’s a simple way to update your Kubernetes secrets directly from envwarden, so they are always in sync.

Categories: Security

Security through obscurity with Bitwarden

I never thought I’d write something negative about Bitwarden. I love it. It’s an incredible password manager, and I even created envwarden: a small open-source wrapper to handle server secrets with Bitwarden.

But I recently bumped into a small issue that looks like security through obscurity to me. And I thought it was odd for a security-focused product.

The issue was that I couldn’t export the items in my company’s vault, even though I had access to the cards [1].

I contacted Bitwarden about it, and they said that:

An Organization user cannot export the Organization’s Vault without being an Admin or Owner.

When I tried to understand why (I did have access to the cards in my organization, so why couldn’t I export them?), I was told:

We do not allow people to export the Organization Vault unless they are an Admin simply because this has been requested by demand from our customers. Being able to dump all passwords in one quick action is different than having to access every one individually to copy them out.

I explained that this seems like security through obscurity, since I already had vault access, and it’s trivial to dump all passwords using the Bitwarden CLI anyway.

Categories: rails, Security, Technology

simple and secure cron using AWS Lambda

Many apps require some tasks to execute on schedule: cleaning up inactive user accounts, generating daily, weekly or monthly reports, sending out reminders via email, etc.

cron is a simple and trusted scheduler for Unix, and is used on pretty much any Unix-based system I come across.

So cron seems like a natural candidate for triggering those job executions. But it’s not always the best solution.

In our case, we’ve used the whenever gem for rails successfully for a long while. The gem acts as a cron DSL and lets you inject and manage cron entries from your rails app.

The problem starts however when you start growing, and your app spans more than one server. Or even if you only use one server, but want to be able to fail-over, or switch from one server to another.

Why? Suddenly you have more than one cron launcher, and jobs that should execute once end up executing once on each server. This can cause some weird and unexpected lockouts, duplication and other issues.

So what’s the alternative?

Categories: rails, ruby, Security, Uncategorized

invisible reCAPTCHA v3 with Rails and Devise

We’ve recently been getting hit with more and more bots.

Some of them are crawling our site and hitting valid or invalid endpoints. We’ve seen plenty of credential stuffing attacks as well. Most of them distributed across different IPs, with each IP hitting us at low frequency.

And most recently, someone abused our registration form to spam their recipients via our system.

It was quite clever actually. When you register, you enter your name, email and password. We then send a confirmation email saying something like

“Hey Roberta, thanks for joining. Please click here to confirm your account”.

Now those guys used their victims’ email addresses, and used the name field to insert a URL. So those users would get an email like

“Hey lottery tickets http://some.link, thanks for joining. Please click here to confirm your account”.

Slimy. Naturally our own email system took the hit of sending spam. Double ouch.

Luckily, we had some anomaly detection in place, and we blocked those guys quickly. They used some browser automation from a fixed set of IPs, so it was easy to block. At least until the next wave…

I’ve been dealing with those types of scenarios with fail2ban, and it’s really quite effective. We define regular expressions that inspect our log files for certain patterns, and then ban an IP if we see repeated offending behaviour. fail2ban is limited in some aspects, though.

First of all, those rules are a bit of a pain to create and maintain, and you need to make sure the offending IP appears on the application log record you want to capture. In some cases it’s easy, but not always. The bigger problem however is that fail2ban doesn’t scale. The more servers you have — let’s say in a load-balanced setup — the less accurate fail2ban becomes. Or you need to aggregate all your logs on a single fail2ban host, creating a single point of failure or a bottleneck…

So I was searching for a better solution. Sadly there aren’t many. Cloudflare, which we also use, offers some degree of protection. But it’s not as flexible. And of course there’s reCAPTCHA. You know, those annoying things asking you to pick traffic signs, or even just click “I’m not a robot”?

Now, I was initially hesitant to use it. I’m not sure why, but the fact that it doesn’t really have any real competition bothers me. Plus, as a user, I’m frequently annoyed by those challenges, and I hate this experience.

Luckily, the latest version of reCAPTCHA (v3) doesn’t present any user-facing challenges. It’s completely invisible. The no-competition problem is not something I can solve. I discovered that even Cloudflare itself uses reCAPTCHA in some cases! And these guys have their own JavaScript challenge and whatnot… So I decided to bite the bullet and give it a shot.

Setting it up is surprisingly simple, and from my limited experience, quite effective. That is, the scores it produced were surprisingly accurate, although my ability to test different scenarios was limited.

I’ll try to give some pointers for implementing reCAPTCHA v3 with Rails 5.1 and Devise 4. The implementation can work on any form or controller, however, and not just with Devise.