
This is part of Random Experiments, a departure from my Random Mutterings newsletter style with the intention to come up with a new format we all enjoy. Also, just to avoid confusion, there is a bit of delay between writing and publishing.

Week 1: Work Notes

It’s been a busy old week. Before talking about what I have been up to, I just want to take a second to stop and go “Oh my!”.

You are all utterly lovely and the sheer amount of good luck and well wishes was quite overwhelming. If I didn’t individually reply to you I’m so sorry but thank you.

For those who might have missed it, I left my previous employer after 5 years, you can read my goodbye post.

OK, so this week has been oddly Lua-heavy.

What’s Lua?

Lua is a scripting language sitting somewhere between JavaScript and Python. I first started using Lua to build extensions to the Civ game series, and its popularity certainly came from its use as a modding tool. So have I been spending my first post-34SP.com week gaming?

I’m afraid not, no, I have principally used Lua while tweaking OpenResty and Hammerspoon.

What’s OpenResty?

OpenResty is a community-driven package based around Nginx (the web server); you can think of it as Nginx with lots of goodies. It’s used by some fairly big folks including CloudFlare and the BBC. At its heart it’s Nginx, but pre-integrated with Lua and some additional modules. This means you can build incredibly flexible configurations within Nginx by writing Lua in your Nginx config files.

OK, so let’s give an example of what I have been up to. Let’s Encrypt certificates: whenever I add a site I always want it to have an SSL certificate, and my provider of choice is Let’s Encrypt, but I don’t want to handle working out when things expire. I could use something like Certbot to create the SSL certificates. Instead I use the lua-resty-auto-ssl module, which automatically provisions an SSL certificate on the first visit to the site. So now I just need to add a new server block in the Nginx config, and the server provisions the SSL certificate and keeps it up to date.

Having built Nginx modules in Rust in the past, using Lua to work with Nginx is just so easy; for example, I wrote some basic auth checks in a few lines. It does come at a cost to performance, but that cost is limited.
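To make the two OpenResty points above concrete, here is an added example (my own, not code from the newsletter or from the lua-resty-auto-ssl project): a Lua module with an `allow_domain` callback for lua-resty-auto-ssl, shown in its allow-everything form beside an allowlisted one, plus a small basic-auth access check of the kind mentioned. The hostnames, credentials, module name `site_policy` and the location paths are constructed placeholders; the `ngx.*` calls and the LuaJIT `bit` library are standard OpenResty APIs.

```lua
-- site_policy.lua: added example, not the newsletter's or the project's code.
--
-- Wiring in nginx.conf (assumed layout):
--   init_by_lua_block {
--     auto_ssl = (require "resty.auto-ssl").new()
--     auto_ssl:set("allow_domain", require("site_policy").allow_domain)
--     auto_ssl:init()
--   }
--   location /admin/ { access_by_lua_block { require("site_policy").require_basic_auth() } ... }

local bit = require "bit"   -- LuaJIT bit library, bundled with OpenResty

local M = {}

-- Hosts this server is actually responsible for (constructed examples).
local allowed_hosts = {
  ["example.test"]     = true,
  ["www.example.test"] = true,
}

-- WEAK: accept every SNI name. Anyone who points a DNS record at this box
-- makes it request a certificate, burning Let's Encrypt rate limits and
-- filling the certificate store with names you never intended to serve.
function M.allow_any_domain(domain)
  return true
end

-- Corrected: only issue certificates for names on the allowlist. Normalise
-- case and strip a trailing dot so "EXAMPLE.TEST." cannot slip past the lookup.
function M.allow_domain(domain)
  if type(domain) ~= "string" then return false end
  local host = domain:lower():gsub("%.$", "")
  return allowed_hosts[host] == true
end

-- Constant-time string comparison so response timing does not reveal how
-- many leading bytes of a guess were correct. Lengths are still compared
-- up front; only the content comparison needs to be timing-safe here.
local function secure_equal(a, b)
  if type(a) ~= "string" or type(b) ~= "string" or #a ~= #b then return false end
  local diff = 0
  for i = 1, #a do
    diff = bit.bor(diff, bit.bxor(a:byte(i), b:byte(i)))
  end
  return diff == 0
end

-- Expected credentials (constructed). In a real deployment load these from a
-- file or environment variable rather than embedding them in the module.
local expected_user = "admin"
local expected_pass = "correct horse battery staple"

-- Parse an "Authorization: Basic base64(user:pass)" header value.
-- Returns user, pass on success or nil if the header is absent or malformed.
function M.parse_basic_auth(header)
  if type(header) ~= "string" then return nil end
  local encoded = header:match("^%s*[Bb]asic%s+(%S+)%s*$")
  if not encoded then return nil end
  local decoded = ngx.decode_base64(encoded)
  if not decoded then return nil end
  local user, pass = decoded:match("^([^:]*):(.*)$")
  return user, pass
end

-- Call from an access_by_lua_* handler: ends the request with 401 unless the
-- supplied credentials match. Both fields are compared before deciding, so a
-- wrong username costs the same time as a wrong password.
function M.require_basic_auth()
  local user, pass = M.parse_basic_auth(ngx.var.http_authorization)
  local ok_user = secure_equal(user, expected_user)
  local ok_pass = secure_equal(pass, expected_pass)
  if ok_user and ok_pass then
    return  -- fall through to the location's content handler
  end
  ngx.header["WWW-Authenticate"] = 'Basic realm="restricted"'
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

return M
```

The allowlist is the part worth copying: the module's README-style `allow_domain` that returns `true` unconditionally is what lets any hostname pointed at the box trigger an issuance, so the callback is where you decide which names the server is allowed to obtain certificates for.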

Some of the modules I make use of:

What’s Hammerspoon?

At the other end of the spectrum, almost, is Hammerspoon, a Mac-only automation toolkit that lets you write automations for your Mac in Lua.

I use Hammerspoon principally for window management, having relatively recently replaced Spectacle. There is a crop of window management tools, but for me they were never quite what I wanted, so in a few lines of code I have been able to map out a window management config I am happy with. Now I can move applications from one display to another, change their size, and tile applications with a couple of key presses.
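The sort of "few lines" config described above, as an added example (my own, not the newsletter author's actual setup): a minimal `~/.hammerspoon/init.lua` that tiles the focused window, moves it between displays and reloads the config. It uses only documented Hammerspoon APIs (`hs.hotkey`, `hs.window`, `hs.screen`, `hs.geometry`, `hs.alert`, `hs.reload`); the key chords and the `hyper` modifier set are my own choices.

```lua
-- ~/.hammerspoon/init.lua: added example, not the author's config.

local hyper = { "cmd", "alt", "ctrl" }   -- assumed modifier chord

hs.window.animationDuration = 0          -- snap instantly rather than animate

-- Snap the focused window to a region of its current screen. `spec` gives
-- x, y, w, h as fractions of the screen's usable frame (excluding menu bar
-- and dock), so the same table works on displays of any size.
local function snap(spec)
  local win = hs.window.focusedWindow()
  if not win then return end
  local max = win:screen():frame()
  win:setFrame(hs.geometry.rect(
    max.x + max.w * spec.x,
    max.y + max.h * spec.y,
    max.w * spec.w,
    max.h * spec.h
  ))
end

-- Tiling: left/right halves, top/bottom halves, and full screen.
hs.hotkey.bind(hyper, "Left",  function() snap({ x = 0,   y = 0,   w = 0.5, h = 1   }) end)
hs.hotkey.bind(hyper, "Right", function() snap({ x = 0.5, y = 0,   w = 0.5, h = 1   }) end)
hs.hotkey.bind(hyper, "Up",    function() snap({ x = 0,   y = 0,   w = 1,   h = 0.5 }) end)
hs.hotkey.bind(hyper, "Down",  function() snap({ x = 0,   y = 0.5, w = 1,   h = 0.5 }) end)
hs.hotkey.bind(hyper, "F",     function() snap({ x = 0,   y = 0,   w = 1,   h = 1   }) end)

-- Move the focused window to the next display without resizing it, and keep
-- it inside that display's bounds.
hs.hotkey.bind(hyper, "N", function()
  local win = hs.window.focusedWindow()
  if not win then return end
  win:moveToScreen(win:screen():next(), true, true)
end)

-- Reload this file with one chord so edits take effect immediately.
hs.hotkey.bind(hyper, "R", function() hs.reload() end)

hs.alert.show("Hammerspoon config loaded")
```

Because `snap` works in fractions of the screen frame rather than pixels, the same bindings behave sensibly whether the window sits on a laptop panel or an external display, which is what makes the move-between-displays binding usable without a separate resize step.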

If you are a Mac user I do recommend Hammerspoon if you want to take your setup to the next level. I have also started thinking about which auxiliary tools I no longer need, which is great for overall simplification of my setup.

One other application I came across for Mac this week is Fluor, which allows you to change how your function keys behave per application: for example, it lets your F-keys act as function keys in your editor while you still need to hold the Fn key in other applications.

Other things I have been up to?

I pushed a little but significant change to my auto-activate-auto-updates plugin. This plugin makes auto-updates opt-out rather than opt-in for WordPress plugins under the new auto-update system. The change was in how to handle the scenario where a plugin is opted out, then deactivated, then reactivated. Under the old behaviour the reactivated plugin would be enabled for auto-updates again, which is not ideal. I couldn’t come up with an elegant system, so the plugin now keeps an opt-out list of deactivated plugins.

If you couldn’t tell, I have been tweaking my work setup, and one of the changes was cleaning and archiving lots of projects. As part of that I asked on Twitter “What does your dev folder structure look like?”

The answers were pretty much what I expected. People store projects in a single root folder, so /Dev or similar. A few people followed the Go community convention of organising by source, and this is the route I have taken, so my new folder looks something like:

~/Dev/
~/Dev/github
~/Dev/local
~/Dev/codebase

Depending on where the “source” is.

I have been doing a fair bit of writing, including a couple of articles that will be coming out around the time of this newsletter. One on how we rebuild trust in automatic updates after the recent snafu (spoilers: we don’t lose it in the first place) and another on the joys of what happens when you stop relying on your package manager (another spoiler: you get dependency hell).

I also got around to setting up mail for the timnash.co.uk site, so now if you use the contact form it will send the email. This was just a case of pointing it at the correct SMTP server.

Finally, I have been having some great conversations with folks. I have loved chatting with people and, off the back of these, am looking forward to working with a couple of organisations helping them with their security. I have also received some great advice and have been taking a bit of the weekend to mull over how specialised I should be when it comes to my consultancy offering. Which reminds me, you can hire me! I know, cool huh! I’m available for projects, but I can also offer an hour’s consultancy, so if you have a problem or you would like some advice on next steps for your project we should totally talk.

So, as I sit here sipping tea and looking out at the fog outside, I can’t help but think week 1 went ok, I’m looking forward to the fog burning away and to a great week 2.

Tim