Thursday, 24 October 2013

London property renting traps for foreigners

This post tries to list the most common tips and pieces of advice for foreign tenants who wish to come and live in London or the UK and rent accommodation. There are many pitfalls I have gone through and experienced myself in the past 2 years; these tips are here to help those who are unfamiliar with the system avoid falling into the traps. Note that renting in the UK or London is very difficult and is unlike the rest of the world. The property lobby here in the UK is very strong, and in fact they rule the country. It is safe to say that property is a good, prosperous business to invest in. Nobody else, including the state and the Prime Minister, is strong enough to change this in the near future. Also, beware of rental agencies. Most rental agencies are representatives of the landlords; do not trust them! They are there to make sure that everything serves the landlords' interest and not the tenants'. If you rent through an agency, be prepared to pay tenant fees, application fees and administration fees and, on top of all that, you will have to get someone to act as a 'guarantor' to back you up in case you become unemployed. If that happens, the guarantor will have to pay the monthly rent on your behalf until the tenancy ends. This scheme, in my opinion, is completely thick-skinned and insensitive and is there to serve the greedy landlords.

*** BEWARE OF THE FOLLOWING TRAPS ***

Do not give up your rights as a tenant.
Landlords do not want you to be aware of your rights. They want you to give up your rights while they hold on to theirs. Note that in the UK the law guarantees rights to tenants as well. For example, you have the right to be protected from unfair eviction. Look up the full list of your rights online in the useful links section.

Always have a signed tenancy agreement which contains your conditions.
If you don't have a signed tenancy agreement, you can be evicted from the property at any time, without any prior notice!!! Some landlords will offer you this option, saying that not having a contract is in both of your interests and makes things easier for both of you. IT IS A LIE! Do not believe them. The real reason is that landlords do not want to comply with local council regulations (landlords must comply with local councils if they want to let their property; in some cases they need to get a licence to do so!) or want to avoid paying taxes. That way they avoid the negative consequences if things go wrong. However, do not worry if you are already in this situation. Having only a verbal agreement does not mean that it is not legal. Any verbal agreement counts as a legal agreement. Landlords can't take away your basic rights. The problem is that it will be very difficult to prove a verbal agreement in case of a dispute. I suggest you secretly record any conversation with your landlord (i.e. use the smartphone in your pocket, etc.).

Make sure your tenancy agreement is a 'tenancy' and not only a 'licence'.
If you only have a licence and not a tenancy, you have fewer rights. A licence gives you less protection from eviction. If you live together with the landlord (i.e. the landlord lives in the same flat or house), you most likely have a licence only and you are classified as a 'lodger'. You just have a spare room in the landlord's own property, and you will have very few rights. Among other things, this means that your deposit is not protected, so the landlord can deduct anything from your deposit when you leave, without any real reason. It happened to me this year in London with a selfish landlord (name is Lyudmila Morar, Bulgarian national).

Make sure your deposit is protected with the DPS or other protection schemes.
Once you have made sure that you are a tenant, it is your right - unless you are a lodger - to have your deposit protected. This is NOT OPTIONAL BUT MANDATORY. The deposit must be protected; this is a requirement of the law. I recommend using the state-supported Deposit Protection Scheme. Landlords must send the money to a central account within 14 days of the start of the tenancy. You will get an email stating that the deposit is stored securely in a third-party account.

Do not sign minimum time (6 or 12 months) unless you are sure you will stay for the whole length of the time.
If your life circumstances change (e.g. you are fired from your workplace during probation) and your income stops, you will have to keep paying the monthly rent just as before. I know you can apply for benefits, but that comes with conditions. You cannot leave the room or property until your rental term is up unless you pay the remaining rent. The landlord can take you to court if you stop paying the rent. Another reason is that the living conditions laid out in the tenancy agreement may not match reality (e.g. if you are sharing accommodation and one of the tenants is on drugs or noisy at night). You must prove it to the landlord and demonstrate your case (e.g. take video or sound recordings), but this is a difficult and tedious path to follow. The greedy landlord only wants their money and does not want to hear about your daily problems. Most agencies give you a contract with a 12-month duration and a 6-month review clause. This means that after 6 months you can leave the rented property if you don't like it. You will need to give 1 month's notice.

Check IDs and insist to take photocopies of them.
There are many illegal activities going on; there are criminals in this country as well. If you don't check the ID of the landlord, you might as well rent from someone who is a conman, a swindler or not actually the owner of the property. No further explanation is necessary.

Use example tenancy agreement instead of the one they give you.
Usually landlords or agencies give you their tenancy agreement when you want to move in. They say there should be no problems. Yes, until you sign it. Then the problems come. After you have signed it, they will point it at you! DO NOT ACCEPT IT! You don't have to accept their agreement. Ask a solicitor's advice before signing. I recommend using an example agreement; there is one online in the useful links section.

That's it for now. If you have found this article useful and want to add something to it, please let me know.

Useful links
http://england.shelter.org.uk/get_advice/renting_and_leasehold/renting_agreements
http://england.shelter.org.uk/get_advice/renting_and_leasehold/sharing_and_subletting/lodgers#what_tenancy_status_do_lodgers_have%3F
https://www.gov.uk/private-renting
https://www.gov.uk/tenancy-deposit-protection
http://www.depositprotection.com/
http://www.themovechannel.com/guides/Renting/Tenancy_agreements/Example_agreement/


Tuesday, 10 September 2013

ACK port scanning with nmap

I just found out about a very useful feature of the famous open-source port scanner, nmap: the ACK scan (-sA). It comes in handy when I want to find out which ports are blocked by a firewall and which are not. At times you don't need to know whether a particular port is open or closed; you just want to know whether it is filtered by any firewall (a device or a software firewall) along the network path. When a port is unfiltered, the ACK packet reaches it, and both open and closed ports reply with an RST packet. Filtered ports do not reply at all: the packet filter drops the port scanner's probes, so nmap gets no response, cannot determine their status, and marks them 'filtered'. To demonstrate, here is a good example of scanning my internet router.

[qmi@localhost: ~]$ sudo nmap -sA 192.168.0.1
[sudo] password for qmi:

Starting Nmap 6.00 ( http://nmap.org ) at 2013-09-10 18:11 BST
Nmap scan report for virginrouter (192.168.0.1)
Host is up (0.0027s latency).
Not shown: 994 filtered ports
PORT     STATE      SERVICE
23/tcp   unfiltered telnet
80/tcp   unfiltered http
443/tcp  unfiltered https
1900/tcp unfiltered upnp
5000/tcp unfiltered upnp
8080/tcp unfiltered http-proxy
MAC Address: XX:XX:XX:YY:YY:YY (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds

Look at the ports on the list above marked 'unfiltered'. It means they are either open or closed. Another quick port scan with -F reveals those ports' real status.

[qmi@localhost: ~]$ sudo nmap -F 192.168.0.1

Starting Nmap 6.00 ( http://nmap.org ) at 2013-09-10 18:21 BST
Nmap scan report for virginrouter (192.168.0.1)
Host is up (0.0050s latency).
Not shown: 94 filtered ports
PORT     STATE  SERVICE
23/tcp   closed telnet
80/tcp   open   http
443/tcp  closed https
1900/tcp closed upnp
5000/tcp open   upnp
8080/tcp closed http-proxy
MAC Address: XX:XX:XX:YY:YY:YY (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds

So simple. Job done. 
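The two reports above are combined by hand in the post; here is an added example (my code, not from the post) that does the same merge programmatically: it applies nmap's ACK-scan verdict rule (RST back means unfiltered, silence means filtered), parses both port tables, and reports which ports the firewall lets through to a listening service. The two port tables are the ones shown above, embedded as constructed sample strings.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the port tables from the two nmap reports in the post.
ACK_SCAN_OUTPUT = """\
PORT     STATE      SERVICE
23/tcp   unfiltered telnet
80/tcp   unfiltered http
443/tcp  unfiltered https
1900/tcp unfiltered upnp
5000/tcp unfiltered upnp
8080/tcp unfiltered http-proxy
"""
FAST_SCAN_OUTPUT = """\
PORT     STATE  SERVICE
23/tcp   closed telnet
80/tcp   open   http
443/tcp  closed https
1900/tcp closed upnp
5000/tcp open   upnp
8080/tcp closed http-proxy
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def classify_ack_response(reply: Optional[str]) -> str:
    """nmap's -sA rule for one probe: reply is 'rst', 'icmp-unreachable' or None (timeout).
    An RST proves the packet reached the host; anything else means a filter dropped it."""
    return "unfiltered" if reply == "rst" else "filtered"


def parse_port_table(text: str) -> Dict[int, str]:
    """Map port number -> STATE column of an nmap normal-output port table."""
    states = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            states[int(m.group(1))] = m.group(3)
    return states


def merge_scans(ack: Dict[int, str], fast: Dict[int, str]) -> Dict[int, str]:
    """Combine firewall reachability (ACK scan) with the open/closed result of the second scan.
    Ports absent from the ACK table were in nmap's 'Not shown: ... filtered ports' summary."""
    merged = {}
    for port in sorted(set(ack) | set(fast)):
        if ack.get(port, "filtered") != "unfiltered":
            merged[port] = "filtered"
        else:
            merged[port] = "unfiltered/" + fast.get(port, "unknown")
    return merged


def exposed_services(merged: Dict[int, str]):
    """Ports the firewall passes AND a service answers on: the real exposure of the host."""
    return sorted(p for p, s in merged.items() if s == "unfiltered/open")
```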

Wednesday, 4 September 2013

Web content providers: plan on serving content via IPv6 asap

As I was searching through internet archives during my IPv6 studies, I found undeniable, unquestionable proof from the expert community that the transition to IPv6 cannot be postponed any longer. Look at the DEFCON 18 YouTube video titled 'DEFCON 18: IPv6: No Longer Optional 3/4'. It has a 'Call to Action' banner for all web content providers saying, '(...) Plan on serving content via IPv6 in addition to IPv4 as soon as possible.' The video was uploaded on 5 Oct 2010 according to YouTube. This is contrary to Chris Skretowski, Linux Specialist, who said in early 2013 (!) that introducing the IPv6 protocol was not necessary yet. It was a completely wrong, professionally mistaken statement. In fact, the opposite is true! Introducing IPv6 is no longer optional. Watch the video and believe it, if you did not believe me. I told you! :)

Friday, 28 June 2013

Host firewalls: last line of defense

Here are just a few thoughts about host firewalls, triggered after watching a CompTIA Security+ (2011 Objectives) video. Host firewalls are the software firewalls on modern operating systems, and they must not be turned off. This is a general security best practice to be followed by every IT system administrator in every IT environment. Unfortunately, this totally contradicts poor Matt Hollingdale, a network and system admin from Australia, who recommended the opposite for Linux iptables in one of our conversations: "do not use it, completely turn it off. we don't need it." What are you talking about, man?!??!? Have you completely lost your mind? Did you ever learn basic OS and host security aside from networking and switching? The obvious answer to this last question is NO. Host firewalls should have a default deny policy with explicit exceptions. You cannot always rely on network firewalls or ISP protection, as they can be accidentally exploited. You blatantly failed in basic IT security. Please go and get some basic knowledge reinforcement; you'll desperately need it!

Monday, 17 June 2013

Where does the internet start?

It is so enjoyable that on the Linux command line you can use a simple tool to find out where the internet starts! I mean, where DNS (domain name resolution) starts. Without DNS, the Internet would halt and nobody would be able to browse. The following command gives a simple answer: a name lookup of the SOA record for the root.

[qmi@localhost: ~]$ dig +short . SOA
a.root-servers.net. nstld.verisign-grs.com. 2013061701 1800 900 604800 86400
[qmi@localhost: ~]$ host a.root-servers.net
a.root-servers.net has address 198.41.0.4
a.root-servers.net has IPv6 address 2001:503:ba3e::2:30
[qmi@localhost: ~]$

The answer to the above lookup means that the SOA, a.k.a. "start of authority", record names a.root-servers.net as the primary server for the "." zone. The "." (dot) is called the "root domain", which in the DNS hierarchy is the topmost level. The other result is simply the address entries for that highly important server (in fact, it is most probably a shared unicast load-balanced front end that serves several back-end servers). Let's look at the top-level name servers as well by asking for the NS records. This will show us the name servers responsible for the "." domain.

[qmi@localhost: ~]$ dig +short . NS | sort
a.root-servers.net.
b.root-servers.net.
c.root-servers.net.
d.root-servers.net.
e.root-servers.net.
f.root-servers.net.
g.root-servers.net.
h.root-servers.net.
i.root-servers.net.
j.root-servers.net.
k.root-servers.net.
l.root-servers.net.
m.root-servers.net.
[qmi@localhost: ~]$

That's where it all starts :)

Friday, 10 May 2013

using reverse IP entries is the recommended practice

This is a blog post just to confirm my findings on the necessity of reverse IP entries. Contrary to the recommendations of Chris Skretowski @ Flybe, registering a reverse IP entry (along with the forward entry) is the recommended way to set up a DNS host entry. See RFC 1033, "Adding a host" section:
"

 To add a new host to your zone files:

         Edit the appropriate zone file for the domain the host is in.

         Add an entry for each address of the host.

         Optionally add CNAME, HINFO, WKS, and MX records.

         Add the reverse IN-ADDR entry for each host address in the
         appropriate zone files for each network the host in on.
"

Told you! :-) A reverse DNS lookup looks for a PTR record in the in-addr.arpa zone for IPv4 addresses.
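To make the RFC 1033 step concrete, here is an added example (my code, not the post's) that builds the PTR owner name for an address and audits a forward zone against its reverse zone, listing hosts whose reverse entry is missing or points elsewhere. It goes beyond the post by handling IPv6 ip6.arpa names as well as in-addr.arpa; the zone data is constructed (host1.example.net. is a made-up host, the root-server address comes from the previous post).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address: reversed octets under in-addr.arpa.
    for IPv4 (RFC 1033), reversed hex nibbles under ip6.arpa. for IPv6 (RFC 3596)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")      # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def agrees_with_stdlib(ip: str) -> bool:
    """Cross-check our construction against the standard library's reverse_pointer."""
    return reverse_name(ip) == ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed zone data: forward A/AAAA records, and the PTR records that actually exist.
FORWARD: Dict[str, List[str]] = {
    "a.root-servers.net.": ["198.41.0.4", "2001:503:ba3e::2:30"],
    "host1.example.net.": ["192.0.2.10"],            # forward entry only, no reverse
}
REVERSE: Dict[str, str] = {
    "4.0.41.198.in-addr.arpa.": "a.root-servers.net.",
    "0.3.0.0.2." + "0." * 15 + "e.3.a.b.3.0.5.0.1.0.0.2.ip6.arpa.": "a.root-servers.net.",
}


def missing_reverse_entries(forward: Dict[str, List[str]],
                            reverse: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """(host, address, current PTR target) for every address whose PTR is absent or
    does not point back at the host, i.e. every host that fails forward-confirmed reverse DNS."""
    problems = []
    for host, addrs in forward.items():
        for ip in addrs:
            target = reverse.get(reverse_name(ip))
            if target != host:
                problems.append((host, ip, target))
    return problems
```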

Thursday, 9 May 2013

dig a little deeper into root servers' with dig

Here's an interesting thing I figured out today after some inconsistencies in a company's DNS records, where my expertise was requested. The data differed between the authoritative TLD servers and the company's NS records. The glue records are provided by the TLD servers in the ADDITIONAL SECTION; these are the IP addresses of the domain's DNS servers. They have a TTL of 172800 seconds, that is, two days. This means that if the zone is updated with NS records whose glue addresses changed, some DNS servers might still hold the old IP addresses for the NS servers until their cached TTL expires. So our local DNS servers still had a remaining TTL of 61476 seconds and were showing the outdated IP address for the secondary DNS server, just as the TLD DNS servers did.

[miklos.quartus@miklos-mac: ~]$ dig +norec @b.gtld-servers.net sdgtl.net NS

; <<>> DiG 9.8.3-P1 <<>> +norec @b.gtld-servers.net sdgtl.net NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17165
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;sdgtl.net. IN NS

;; AUTHORITY SECTION:
sdgtl.net. 172800 IN NS ns1.sdgtl.net.
sdgtl.net. 172800 IN NS ns4.sdgtl.net.

;; ADDITIONAL SECTION:
ns1.sdgtl.net. 172800 IN A 87.83.19.215
ns4.sdgtl.net. 172800 IN A 38.106.13.119

;; Query time: 37 msec
;; SERVER: 192.33.14.30#53(192.33.14.30)
;; WHEN: Thu May 9 17:51:22 2013
;; MSG SIZE rcvd: 95

[miklos.quartus@miklos-mac: ~]$

As you can see above, the TLD responds with a TTL value of 172800, which is exactly two days. However, our DNS servers lag behind because their cached TTL is still active and not yet expired. See below the query result from our servers.

"


[miklos.quartus@miklos-mac: ~]$ host -v ns4.sdgtl.net 10.Z.X.Y
Trying "ns4.sdgtl.net"

Using domain server:
Name: 10.Z.X.Y
Address: 10.Z.X.Y#53

Aliases:
;; ->>HEADER<<- 32901="" font="" id:="" noerror="" opcode:="" query="" status:="">

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ns4.sdgtl.net. IN A

;; ANSWER SECTION:
ns4.sdgtl.net. 61476 IN A 38.106.13.119

Received 47 bytes from 10.Z.X.Y#53 in 38 ms


Look above: the current value is 61476 seconds! I figured out that our DNS servers still have the old IP address (38.106.13.119 is the old value; the correct value is 199.249.231.119) and need about 17 hours for the TTL to expire. In the meantime, I found out how to query any TLD's authoritative NS servers. Let's take the .net domain, for example.


[miklos.quartus@miklos-mac: ~]$ dig +short net. NS
b.gtld-servers.net.
j.gtld-servers.net.
h.gtld-servers.net.
d.gtld-servers.net.
a.gtld-servers.net.
f.gtld-servers.net.
e.gtld-servers.net.
i.gtld-servers.net.
l.gtld-servers.net.
m.gtld-servers.net.
k.gtld-servers.net.
g.gtld-servers.net.
c.gtld-servers.net.


Voila! The above list shows the authoritative name servers for the .net TLD. Anyway, if the domain registrar's settings contain the wrong DNS server IP addresses, the TLD servers continue to provide the wrong, outdated values as glue records, even though the right values are inside the authoritative domain zone. Solution: fix the values at the domain registrar so that the correct IP addresses are registered for the NS servers.
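The diagnosis above (registrar glue disagreeing with the zone, and a resolver still serving the glue address for hours) can be automated; this is an added example of mine, not the post's code. It parses dig-style A records, reports every name server whose TLD glue differs from the zone's own record, and classifies a resolver's cached answer as correct, stale glue, or unknown, with the time left until it expires. The record lines are constructed from the answers shown in the post; the zone's 3600 TTLs are assumed values.

```python
import re
from datetime import timedelta
from typing import Dict, Tuple

# Constructed sample input, copied from the dig/host answers in the post.
TLD_GLUE = """\
ns1.sdgtl.net. 172800 IN A 87.83.19.215
ns4.sdgtl.net. 172800 IN A 38.106.13.119
"""
# What the domain's own authoritative zone says (the post names 199.249.231.119 as the
# correct address for ns4); the 3600 TTLs are assumed.
ZONE_A = """\
ns1.sdgtl.net. 3600 IN A 87.83.19.215
ns4.sdgtl.net. 3600 IN A 199.249.231.119
"""
RESOLVER_ANSWER = "ns4.sdgtl.net. 61476 IN A 38.106.13.119"

A_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")
Records = Dict[str, Tuple[int, str]]          # owner -> (ttl, address)


def parse_a_records(text: str) -> Records:
    """Collect the A records from dig-style output; other lines are ignored."""
    records: Records = {}
    for line in text.splitlines():
        m = A_RR.match(line.strip())
        if m:
            records[m.group(1)] = (int(m.group(2)), m.group(3))
    return records


def stale_glue(glue: Records, zone: Records) -> Dict[str, Dict[str, str]]:
    """Name servers whose registrar/TLD glue address differs from the zone's own A record."""
    return {name: {"glue": addr, "zone": zone[name][1]}
            for name, (_, addr) in glue.items()
            if name in zone and zone[name][1] != addr}


def explain_cached_answer(answer_line: str, glue: Records, zone: Records) -> Tuple[str, timedelta]:
    """Say where a recursive resolver's cached A record came from and how long it will live.
    The remaining TTL (61476 in the post) is the time until the resolver re-asks the TLD."""
    parsed = parse_a_records(answer_line)
    if not parsed:
        raise ValueError("not an A record: %r" % answer_line)
    name, (ttl_left, addr) = next(iter(parsed.items()))
    if name in zone and addr == zone[name][1]:
        verdict = "correct"
    elif name in glue and addr == glue[name][1]:
        verdict = "stale glue"        # learned from the TLD's ADDITIONAL SECTION, not the zone
    else:
        verdict = "unknown source"
    return verdict, timedelta(seconds=ttl_left)
```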

Friday, 22 February 2013

on my way to become a Debian package maintainer

After months of research and catching up on Debian package maintenance knowledge, last night I successfully uploaded an orphaned package called sysadmin-guide to the Debian mentors page. This is a place for people who are not package maintainers yet to upload orphaned or new packages that needed some work, in order to look for mentors. The mentors, a.k.a. sponsors, are already Debian developers with upload rights who help non-official developers upload their packages to the official Debian archive. Once I find a mentor or sponsor, he/she will hopefully review my newly uploaded package and help upload it to the official archive. Note that the path leading up to here has been a long process; it required reading up on a lot of Debian material, including an introduction to package maintenance, package archives, how to compile a broken package and how to get rid of the Lintian errors. It was not straightforward. Look at the Q&A page as well. As of today, I have become a non-official Debian Developer (DD). Good stuff! :)

Wednesday, 13 February 2013

sudo secure path

It is nice to configure sudo with a secure PATH. Newer Linux distros (from the last 2-3 years) ship sudo configured with it, so when you invoke a command with sudo you know which PATH it searches. I never knew how it worked. For example, if you get:

$ sudo visudo
sudo: visudo: command not found
$ 

And this happens with other important binaries. This means you are screwed: your PATH is not configured to find commands in /usr/sbin, where the 'visudo' binary lives. Add the following to your /etc/sudoers.

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

You should be good to go now! :)