jonwatson blog

broadcasting useless crap to the internet since 1200 baud


The “Internet of Things”, or IoT, refers to the ever-expanding range of traditionally non-Internet-connected things that can now be connected to the Internet. The array of things you can connect to your home wifi network is staggering and, to be honest, pretty dumb. Internet-connected toasters, light bulbs and even hot tubs are all available to lurk on your home network and send god only knows what data about you to god only knows where.

Your home network should be a safe place where only trusted devices have access. Traditionally, this has meant your own computers, your own smartphones and perhaps a few other devices such as gaming consoles. The problem with attaching a new device to your trusted network is two-fold: does it make attacking my network easier, and what is it doing with the data it collects?



I was thinking about port knocking the other day (yep, that’s how I roll) and while I consider it to be a valid security layer, it occurred to me that it would be pretty easy to set up a poor implementation of it that was susceptible to being gamed. Here’s how that thought process went.

Caveat: This is a proof of concept and has many points against it which I outline at the end of this post.

For the uninitiated, port knocking is a process whereby some port on a server can be firewalled off until some pre-determined sequence of ports is ‘knocked’ on, after which the firewall is reconfigured to open some other port. A practical example is a server where you need SSH access, but you don’t want to leave the SSH daemon running wide open to the world all the time. You can use a port knocking daemon like knockd, coupled with an iptables firewall, to protect that port. The normal configuration is to have the SSH daemon listening on some arbitrary port and have the firewall dropping connections to that port until a valid sequence of ports has been knocked on; the iptables rules are then rewritten, usually temporarily, to allow connections to the SSH port.



Note: I wrote this in October 2016 after the Dyn DDoS attack.

There is a lot of blame to go around in the aftermath of the Dyn DDoS attack on Oct 21st. A good chunk of the bots look like Internet of Things (IoT) devices that were recruited by the Mirai botnet code. Mirai has dropped the traditionally high costs of building a botnet to near zero which means we’re seeing progressively larger and more effective DDoS attacks each week.


The Monoprice Select Mini is a very popular 3D printer. It’s inexpensive, small, and very hackable/fixable. For those reasons, it is a popular 3D printer among newbies and experienced printers alike. Having said that, it has one very significant flaw that affects pretty much 100% of units. The Mini comes with a heated bed, which is a nice feature for an inexpensive printer. However, the wiring design is terrible, and the movement of the bed while printing breaks the wires that control the bed temperature, usually within a few weeks. Mini owners fall into two camps on this – those who rewire the bed so that it will not break again, and those who just don’t care that the bed no longer heats. I was in camp 2, but eventually wanted to graduate to printing with ABS. It’s easy to print PLA on a 3D printer without a heated bed, but it’s much harder to get good ABS prints on a cold bed. So, I sent my printer back under RMA to get it fixed up good as new, and then promptly rewired the bed when it came back to ensure the wiring would not break again.


If you're working in data centers, you're going to need to know something about fiber optic connections. Fiber is the most common type of connection used for that last mile between backbone providers and your equipment. Just like any other cable, fiber cables have to connect to your equipment, and this article is about two commonly used fiber connectors: the SC and LC connectors.

A quick primer

First, some background. My exposure to data centers is generally a single cabinet in general population. My DC provider gives me rack, power, and a patch panel. The patch panel is the central part of this article.

The patch panel is generally mounted at the top of the rack because most data centers run their cables overhead. The part of the patch panel that I use is referred to as the A-side, and the other side is referred to as the Z-side.

When I deploy into a new DC, my backbone provider gives me a Letter of Authorization (LOA). I take that LOA and order a cross connect from the DC using that letter. The DC techs need that LOA because it is their authority to connect my backbone provider to my patch panel. The DC techs will run cable from the ports my backbone provider has specified on their patch panel in the bowels of the DC (the Z-side) to the ports I dictate on the patch panel in my rack (the A-side). I then show up and start plugging things into my patch panel (the A-side).


Write Freely is the self-hosted version of I stumbled across on the Fediverse and immediately took a liking to it. It's spartan, clean, and has literally no distracting features to play with; it's perfect for people that put content first.

One of the features I liked as a user of was the ability to have multiple blogs. Write Freely has that feature as well, but not when you run it in single-user mode. Putting it into multi-user mode does indeed give you multiple blogs, but it also activates a landing page for users to log in, pay for services, etc. I was looking for a single-user setup with multiple blogs. That combination is not available out of the box so I documented what I did.


I find myself explaining my standpoint on this repeatedly. Usually, a few times a month, the topic of mobile security will come up on some social media site I am on, and I will have to re-explain why I think Apple is the better choice of mobile ecosystem from a security perspective.

I'm lazy by nature and repeating myself is a lot of work. It also gets tough to express myself within the fairly limited character counts allowed on most social media sites. So, this post is my evergreen post on the topic. If you've followed a link here, someone wants you to read this.

1. Both Apple and Google suck but for different reasons

Both companies have created a walled garden. That's a term that means it's really nice here, enjoy your time, but you can't easily leave. Both Apple and Google have created vast ecosystems that trap users by virtue of making it hard to leave. That's a shitty way to do business but it's the only way for now. You may think that all the good stuff you use daily is trivial to create but it's not. That smartphone you're holding in your hand represents billions of dollars of hardware and software investments by those companies. They get that money back in different ways. Read on.



I’ve been a big fan of Fail2Ban for a decade or longer. It’s a quick way to introduce some brute force protection to your system and it generally just works “out of the box”.

Recently, however, I found a situation where it didn’t really work nicely, so I found myself knee-deep in Fail2Ban documentation. I am installing the awesome Citadel Groupware and its logs are not very standard. For some reason, Fail2Ban basically has the date formats it understands hard-coded into it. It’s pretty flexible, but if you have an app that prints time stamps in a format that Fail2Ban doesn’t understand, it looks like you’re out of luck.



Data centres are made for servers, not humans. Consequently, they are inhospitable places, and prolonged exposure to this adverse environment can quickly take a toll on your productivity and your health. Once your health starts to go, your attitude and your deep-thinking abilities go with it and the quality of your work drops. You owe it to yourself and your team to remain as effective as possible while onsite, and here are some tips to help.

I’ve spent a few weeks in several different data centres around the globe this year, and here are some things I’ve learned that can help you out if you’re destined for one of these hell holes.



I installed my own instance of Pleroma today using an inexpensive VM from Luna Node. (referral link)

I created the least expensive instance for this, an m.1s instance. Previously I had tried to install Mastodon on this small instance, but it did not have enough memory to compile. Pleroma is lighter and has no problem.

$0.0486 hourly ($3.50 monthly)
1024 MB RAM
1 vCPU
0.2 cpu-points
15 GB SSD storage
1000 GB bandwidth