Cyber Security Insurance

I’ve been thinking lately about how the web industry needs to change in order to improve. Cyber attacks appear to be on the rise, and a lot of the time they appear to be caused by someone doing something silly. Perhaps this is because everyone is a web developer; it certainly isn’t down to a lack of available resources on the matter.

Thinking positively about cyber security, the card companies banded together to form PCI-DSS – the Payment Card Industry Data Security Standard – with the goal of helping businesses process card payments securely and reducing card fraud. Yes, it isn’t perfect, but it is a real benefit. Ideally this needs to be pushed beyond just card payments; it needs to be embedded (at least in the UK) with the Information Commissioner’s Office (ICO). It needs to be combined with software vendors like Microsoft, Canonical (Ubuntu) and Red Hat, as well as framework developers like Laravel, Revel and Ember.js, and the end developers.

Security testing shouldn’t be a tick box at the end of the process. It should be embedded throughout the process and should be more like insurance: the more effort you put in, the less you pay.

Think about your house insurance. If you live in a dangerous area, you pay more. If you use a “dangerous” software stack (like no framework), you pay more. If you fit a security alarm, you pay less. If you pen test your software, use 2FA, whatever, you pay less.

The way I would see it being paid for is at the point of sale to the end customer: the final cost would take into account the risk in terms of the technologies used (are they mature, what is their track record of vulnerabilities, etc.), but also the time to fix, i.e. if (any) one of the upstream developers releases a security fix, how long will it take before it is applied. Most companies don’t upgrade for fear of IT problems, which ultimately results in more problems later down the line. Forcing frequent updates reduces the risk: testing is simpler as changes are smaller, and testing happens more frequently so staff are better trained.

This would ultimately give end customers protection from cyber attacks caused by a sloppy mistake, even one made by a third party, which is what they are crying out for.

The insurance company would be required to have a solid security background in order to make this work – so much so that it might be easier for a large security company to become an insurance company. They would of course require some massive legal and (ideally) government backing to ensure they can enforce the requirements, or at least some pretty major end customers who demand that software vendors have the required insurance.

The final point is that the insurance company would need to proactively pay out. By this I mean they need to pay bug bounties. After all, it’s like flood defences:

Flood defences on average prevent £8 in future flood damages per £1 spent

Paying out for a detailed vulnerability report is cheaper than paying out damages, fines, repair costs (overtime, contractors, third parties) as well as loss of earnings and, not forgetting, reputation.

SSRS support for both US Letter and UK A4

One of those annoying things about the US is they use different paper sizes to us Brits.

US Letter is 215.9 by 279.4 mm (8.5 by 11.0 inches)
The UK equivalent, A4, is 210 by 297 mm (8.26 by 11.69 inches)

One of our customers is based in the UK but has remote sales offices in the US, so their SSRS reports are set to A4, and when they printed them in the US offices the footer was cut off. The fix? Simple. Change the height to 279.4 mm.

Assuming you have a footer, it will now hover 17.6 mm higher up the A4 page, which hopefully won’t be too terrible. It will now be American-proof.

Windows Insider – new features

Today’s Windows Insider email included a few cool new features; here are my top 3:

Do more at once with the new Compact Overlay window. Keep watching a movie or video chat on one corner of your screen — even when switching apps to check email or browse the web. When an app window enters compact overlay mode, it’ll be shown above other windows so it won’t get blocked. Look for updates to the Movies & TV app and Skype Preview app to take advantage of this feature in the near future.

A smart way to lock your PC. Dynamic Lock automatically locks your Windows 10 PC when you’re not around, based on the proximity of your Bluetooth-paired phone. If your Bluetooth-paired phone is not found near your PC, Windows turns off the screen and locks the PC after 30 seconds.

Public Preview of Windows Analytics: Update Compliance. Update Compliance is a free service that provides you with a holistic view of Windows 10 update compliance for the devices in your organisation, including installation status for both monthly quality updates and new feature updates. Click here for details on how to set up the service for your organisation.

Rosetta@Home DNS Issue

If you ever need a lesson in the importance of picking a good domain registrar, then read about Rosetta@Home’s recent problems.

Dear Rosetta@Home participants,

We — like many of you who have contacted us — have been extremely
frustrated by the long project downtime. We ( had a domain
name registration verification lapse, and our registrar (
and ICANN turned off DNS for We went through the steps to
getting it verified again Monday afternoon. What should have been a
quick procedure is now stretching into 4 days. We apologize for the mass
emailing which we have tried to keep to a minimum throughout the course
of the project, but this is an extraordinary situation and we have no
other way of reaching all of you now.

Since being down we estimate that we have lost a total of around 3.1
million computing hours and continue to lose around 540 computing hours
per minute.

We greatly appreciate your help and contributions!  With your help, we
have been making rapid progress in our research which has been
attracting considerable attention, for example:

NOVA: (the 8
minute segment on our work starts at 20:30)

The Economist:

The Atlantic:

which is titled “Big data (and volunteers) help scientists solve
hundreds of protein puzzles”

Thank you very much for your continued contributions to and support of

David Baker

More info:

Automating WordPress maintenance

WordPress is an amazing blogging platform. However it does require a fair amount of love. Despite Mythic Beasts managing a large portion of my stack (hardware, OS, Apache, PHP, MySQL) and WordPress having automatic background updates I still find myself logging in and finding pending updates for WordPress.

The solution was WP-CLI. With the shell add-on, I SSH onto my account, then

The script above downloads WP-CLI and grants it execute permission, then downloads my script and gives that execute permission too.

Then it’s a question of creating a cron job with crontab. Run crontab -e and add something like the following (this runs the script every 15 mins and redirects the output to a log file that gets overwritten each time it runs*):


* > overwrites the file; >> appends. I haven’t used append because I don’t want to deal with the log growing, and really I only want the details of the last run. Still, your mileage may vary.

Below is the final script that executes WP-CLI:
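As an added example (my own illustration, not the author’s script), here is one way to write such a cron-driven WP-CLI update run. It assumes WP-CLI is installed as wp, the site lives in $WP_PATH, and the script is saved as wp-update.sh; all three are assumptions, overridable through the environment.

```shell
#!/bin/sh
# Added example, not the author's script: an unattended WordPress update run
# meant to be called from cron via WP-CLI. Assumes WP-CLI is installed as
# "wp" and the site lives in $WP_PATH (assumptions; override via environment).
WP_BIN="${WP_BIN:-wp}"
WP_PATH="${WP_PATH:-$HOME/public_html}"
LOG="${LOG:-$HOME/wp-update.log}"
LOCKDIR="${LOCKDIR:-$HOME/.wp-update.lock}"

# One WP-CLI step against the site; --path keeps it independent of the cwd.
wp_step() {
    "$WP_BIN" --path="$WP_PATH" "$@"
}

# Run the update and verification sequence, logging to $LOG.
# Returns 0 on success, 2 if a previous run still holds the lock, otherwise
# the exit status of the step that failed (the remaining steps are skipped).
wp_update_all() {
    # mkdir is atomic, so it doubles as a lock against overlapping cron runs.
    mkdir "$LOCKDIR" 2>/dev/null || return 2
    # Single '>' so the log only ever holds the most recent run.
    {
        echo "run started $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        wp_step core update &&
        wp_step core update-db &&
        wp_step plugin update --all &&
        wp_step theme update --all &&
        wp_step core verify-checksums  # reports core files that differ from the release
    } > "$LOG" 2>&1
    status=$?
    rmdir "$LOCKDIR"
    echo "run finished status=$status" >> "$LOG"
    return "$status"
}

# Crontab line for this script (every 15 minutes; the path is an assumption):
#   */15 * * * * $HOME/wp-update.sh
# Only run automatically when invoked as that script, not when sourced.
case "$0" in *wp-update.sh) wp_update_all ;; esac
```

Because the log is opened with a single >, each run replaces the previous one, matching the footnote above; the lock directory stops a slow run from overlapping with the next cron tick.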


MSSQL server failed on Ubuntu on Windows 10

I’ve been getting errors with MSSQL server on Ubuntu on Windows 10. The error:

Failed to connect to bus: No such file or directory
dpkg: error processing package mssql-server (--remove):
subprocess installed post-removal script returned error exit status 1
Processing triggers for libc-bin (2.23-0ubuntu5) …
E: Sub-process /usr/bin/dpkg returned an error code (1)

I managed to fix it in the end by

Of course, you should try uninstalling correctly first, which is the latter of the two.

I’ve included removing the Microsoft GPG key and unregistering the Microsoft SQL Server Ubuntu repository. For more, read the Microsoft docs.

Resident parking

Been trying to find out the following from my local council:

  1. How many resident parking permits have been issued
  2. How many resident parking bays are available
  3. What exactly has the money been spent on in terms of fines issued?

To say they are being evasive is an understatement.

So far, I’ve got the following responses:

  1. This info is fluid as it is not only static residents who can apply for waivers within a given zone but also agencies who provide medical needs and other statutory services. At this time we have no plans to publish this level of information on our website.
  2. We don’t hold this information; we don’t have defined bays, just areas – which I followed up with: well, you must have a minimum size. FYI, normally 5 m is allowed per vehicle parked at the end of a bay and 6 m for those inside. Still waiting for them to A) publish the map so I can do the math, or B) do the math and give me a number.
  3. (A) making good deficits
    (B) paying for the provision or maintenance of off street parking
    (C) If (B) is considered unnecessary then the provision or operation of facilities for public passenger transport services, highway or road improvement projects within the local authority area or environmental improvements in the local authority area.

Clear as mud. So if it’s been in place for 10 years and they bring in £400,000 a year in fines, that’s £4 million spent on... what? I assume the cost they charge for issuing the permits to residents covers A and B. Please Lord let it not be that stupid Real Time Passenger Information*.


* I like the idea of Real Time Passenger Information, just not the solution SCC purchased. It runs on an out-of-date operating system that crashes. If it was me, I’d have got the Uni to build something using a Raspberry Pi and got the local schools involved (it would have looked pretty cool on the children’s CVs).


Cloudflare parser bug

So once again we have another major security leak. You can read about it here, and below is the email CEO Matthew Prince wrote to customers:

Dear Cloudflare Customer:

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare’s systems. If you haven’t yet, I encourage you to read that post on the bug:

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers’ sensitive information could still be available through third party caches, such as the Google search cache.

Over the last week, we’ve worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare’s customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO

So let’s be clear:

  • …the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).
  • Only customers who use Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation were affected.
  • …data that had been exposed from approximately 150 of Cloudflare’s customers across Free, Pro, Business, and Enterprise plans
  • CloudFlare is SaaS
  • Security hole was completely closed in 7 hrs 11 mins from being tweeted about as an issue
  • Security hole was mostly closed off in 1 hr 8 mins
  • Production fix and service restored in 3 days 10 hrs 9 mins
  • People are jumping on the problem making it sound worse than it was (don’t get me wrong, it was bad, but nowhere near as bad as Heartbleed; Heartbleed still IS a problem)
  • CloudFlare have been very transparent

…And this is why I review code I take on board, regardless of whether it works, and advise others to review my code.


Caching woes

Caching always seems to cause problems; still, we can’t have it all. Today’s caching problem was to do with Redgate SQL Prompt, a really amazing plugin that helps you write better SQL code. The problem was that its cache of database object metadata was out of date. I had updated a table, so when I typed select * and pressed TAB to expand the * into a list of columns, I got the old column names. Luckily the fix is easy: refresh suggestions.

As the screenshot shows, it’s either SQL Prompt > Refresh suggestions or just Ctrl + Shift + D.

Date Format

I’ve had a problem recently when it came to formatting a datetime as just a date, where FormatDateTime didn’t work.

The fix was to change it to Format.

Oddly, despite the parameter being a datetime, I found I still had to cast it as a date.

FormatDateTime was introduced in VS 2008. I’m not 100% sure why this didn’t work.