May
Some cool scripts I’ve found
Posted by jerry as Uncategorized
I have way too many domain names, and last weekend I decided to try to put some of them to productive use. I had the idea of pulling all of my RSS feeds from my various sites into one common site. Initially, I looked at LeafRSS, but it wasn’t quite what I was looking for. If you are aggregating a homogeneous set of RSS topics, then it makes sense - like Bip Bip for example. I looked around and found rnews. It was about as close to what I was looking for as I was going to find. So, I set up my domain www.invires.com with rnews pulling from all of my sites (the ones that offer feeds, anyhow).
I was pretty pleased with the result. I had the idea to aggregate the various tropical fish forums out on the Internet into one site. So, I registered a new domain - www.tropicalfishnews.net to serve that purpose. I am hoping to have some time to tinker with rnews in the coming weeks. I would very much like to add an ajax type update mechanism, and some sort of scrolling ability. So, for each of the panes, the news would scroll down and a new entry would be added to the top, as the RSS feeds were updated.
Feb
Authentication in the real world
Posted by jerry as Uncategorized
There is an interesting prank being pulled on CEOs and CFOs of many large public companies that highlights the trouble of authentication in the real world. The Wall Street Journal has a report about a prankster who dials into a quarterly earnings call and gives a bogus name and company to the operator. A well known name and well known company. See, few people are allowed to ask questions on these calls to prevent just this sort of thing. But, there is no good way to validate the caller’s identity.
The story was well timed for me. I picked my son up from preschool last week with my wife - the first time I had done so. We waited in a line of cars and as we approached the building, my wife pulled out a paper plate that was clipped to a clothes hanger. She dutifully hung the plate from the rear view mirror. A worker called out plate numbers via radio to signal to bring him outside to wait to be picked up.
I was really struck by this authentication mechanism. I have to use several passwords to connect to near meaningless data at my office, but to pick up my kid, it only takes a paper plate and a magic marker.
Nov
Google to buy Sprint?
Posted by jerry as Uncategorized
Google’s open wireless phone initiative has been discussed frequently, but apparently now there is rumor of Google wanting to buy Sprint. Certainly it seems to make sense as a way to jumpstart things, but I see a couple of critical flaws that will almost certainly render this just a rumor:
- Sprint (S) has a market cap of about $46B USD. Google has about $18B USD of assets, and a market cap of over $200B USD. Sprint would cost more than Google can afford. Since Google is not in the business, there won’t be synergies similar to other telecom rollups.
- Financing of what would likely be a $50B deal will be very hard to come by in the post-apocalyptic credit market.
- Organizationally, Google and Sprint would tear each other apart, if combined. The old telecom culture of Sprint would likely be untenable in Google’s fast paced world.
- The bits that I’ve read about what Google wants to do with their phone service leave me wondering if owning Sprint really buys them anything. If all of the infrastructure needs to be replaced to support some fundamentally new technology that costs say $20B to implement, why would you first spend $50B on a phone company then immediately dump $20B more into gutting and replacing its infrastructure?
So, to me at least, this doesn’t add up. Given that the stock market is in the toilet, I suspect that if Google did announce such a deal, it would be a boost to the overall market, but I suspect that Google would suffer a beating on Wall Street if they did. In fact, I would expect rumors of the acquisition to have a negative impact too.
Bad deal. Buy a start up with the tech you want. Hire away the talent needed from ATT, Sprint, etc. Just don’t buy a dinosaur.
Nov
Web Site Security Guide
Posted by jerry as Security, Uncategorized, hosting, php, web site
So, in the aftermath of my little incident, I decided to write an article for NetworkStrike on how to keep your website secure. I’ve included it below:
Background
The “cost of entry” to run a website is very low now, and we have seen an explosion of small sites on the Internet. Supporting this trend has been the availability of free and open source applications that allow site owners to do nearly anything they want, from blogs to wikis to forums.
Unfortunately, nearly all such software has bugs that can be exploited by bad people. The exploitation of such bugs has matured in a similar fashion to the applications themselves. Compromised web sites are a foundation of many threats currently on the Internet. Site owners are unknowingly supporting illegal activities such as:
- Hosting warez
- Hosting copyrighted files
- Hosting tools to compromise other sites
- Sending massive amounts of spam
- Hosting phishing sites to steal money
- Becoming part of the command and control for botnets
Running a web site properly is truly becoming a social responsibility. If you are not part of the solution, you are likely part of the problem.
This guide outlines some general and basic security measures that you MUST take if you want to make sure your site is not defaced or otherwise compromised.
Key elements needed in a web hosting platform
Use a host that uses suphp
Try as you might, if another site on the server you share does not follow prudent security measures, then your site is still vulnerable. suphp executes PHP scripts as the user-id and group-id of the account that owns them, not the user-id and group-id of the web server.
This allows more restrictive permissions on your directories, so the web server (and thus any other compromised account on the same server) does not need read access to your PHP files, which prevents an attacker from reading them.
Some hosts will not want to use suphp, as it can cause performance problems.
Build a relationship with your provider on dealing with security issues
Firewall outbound connections
This is not always practical or possible, but firewalling traffic originating from the server – allowing only the outbound connections you expect – can prevent backdoor tools from phoning home.
Run suhosin patch for php
Suhosin can stop the exploitation of many different types of coding weaknesses and some vulnerabilities in php itself.
Keeping up with the web software you use
- Subscribe to the mailing list for any application software used as part of your site. Nearly all such applications have an “announcement” list that is low traffic.
- Attempt to participate regularly in the forums or discussion lists for the software you use. You will often get advance warning of security issues and interim fixes. You will also know if the software is at risk of being abandoned and not updated.
- Upgrade within 3 days of a security fix being released. Vulnerabilities are often exploited soon after they are discovered.
- If an application you use becomes abandoned, plan to migrate your site to a new tool as fast as possible.
- Try not to customize software. This will slow down your ability to patch or upgrade, because you’ll have to rewrite code, test, etc, and that can be difficult to do when it’s not on your timeline.
- Attempt to remove ‘powered by’ and version number references. Nearly all open source web applications proudly advertise themselves this way, but it has turned out to be an extraordinarily efficient way to systematically identify sites running vulnerable software.
- Create a file with a random name in your html directory. Do not reference the file in your site. Grep your web logs daily for the file being accessed. Any hits may indicate that your site has been compromised.
- Periodically scan your site’s files for differences against a known-good baseline, and have the scan notify you of any differences.
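The canary-file check and the file-difference scan from the last two items, as an added example that is not from the original article: a POSIX shell script that counts requests for an unreferenced file in an access log and lists files that are new or differ from a checksum baseline. The canary name q7z3k9p2.html, the log lines and the scratch web root are all constructed here, and sha256sum from GNU coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original article). Two daily checks:
#  1. count requests for an unreferenced "canary" file in the access log;
#  2. compare the web root against a checksum baseline and list changes.
set -eu

# Constructed access-log sample: the canary q7z3k9p2.html is never linked
# from the site, so the single request for it is worth investigating.
ACCESS_LOG=$(mktemp)
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [10/Nov/2007:03:14:01 -0500] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2007:03:14:09 -0500] "GET /q7z3k9p2.html HTTP/1.1" 200 64
198.51.100.4 - - [10/Nov/2007:04:00:00 -0500] "GET /about.php HTTP/1.1" 200 700
EOF

# canary_hits NAME LOGFILE: number of request lines for the canary.
# "/NAME " anchors on the request path so substrings elsewhere don't match.
canary_hits() {
    grep -c -- "/$1 " "$2" || true
}

# checksum_listing ROOT: one "hash  ./path" line per file, in stable order.
checksum_listing() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum )
}

# baseline ROOT FILE: record the known-good state (run once after deploy).
baseline() {
    checksum_listing "$1" > "$2"
}

# changed_files ROOT FILE: paths whose hash is absent from FILE, i.e.
# modified or added files. Deleted files appear only on the diff's "<" lines.
changed_files() {
    checksum_listing "$1" | diff "$2" - | awk '$1 == ">" { print $3 }' || true
}

# make_demo_root: a constructed scratch web root to exercise the checks on.
make_demo_root() {
    d=$(mktemp -d)
    mkdir "$d/images"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    printf 'GIF89a\n' > "$d/images/logo.gif"
    echo "$d"
}
```

For real use, run baseline once against your web root right after a clean install or upgrade, then run canary_hits and changed_files from a daily cron job and mail yourself any non-empty output.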
Your responsibilities as a site owner
- Perform frequent off-site backups. Even if you have a local backup strategy, such as to another server, it is imperative to maintain an offsite backup. While it doesn’t happen often, datacenters are broken into and servers are physically stolen.
- Do not store sensitive data like credit card numbers. Just don’t do it.
- Change account passwords regularly
Oct
Site updates
Posted by jerry as Uncategorized
So, I’ve taken some time to do things I’ve been intending to for a while. I deep-sixed Pligg on the NetworkStrike.com site. Pligg is a very nice package for what it does, but it really doesn’t do what I needed. After some investigation, I settled on drupal. Drupal turned out to be even better than I expected. I was ready to write an RSS importer, but found that there were already some very mature importers available, and unlike a lot of tools like this, it actually worked out of the box. I’ll be slowly getting Networkstrike back to where it was previously. It was interesting to watch Pligg go unmanaged. Most of the story submissions were about alien abductions and other crazy things like that.
On syslog.org, I added a new section that specifically deals with syslog-ng. Having moderated the syslog forums for many years now, I’ve finally come to the realization that syslog-ng is a great tool, it’s just not well organized or supported on the Internet. How-to’s, docs and whatnot are spread far and wide. So I decided to try to fill the void. We’ll see how useful it is. As it’s a wiki, I’m hoping that people will opt to contribute their bit of knowledge as well.
On a related note, I added a link to syslog.org into a few entries in wikipedia. Wow, that site must get some serious visitors, because the number of referrals from wikipedia to my site is pretty impressive. An order of magnitude lower than google provides, but on par with what Yahoo does.
Aug
New Aquarium site
Posted by jerry as Uncategorized
So, a while back I had bought the domain aquariu.ms. I thought it was pretty clever anyway. For those that know me, I am a big freshwater aquarium nut, so I was looking for something that intersected my two loves - tech and aquariums. The main part of the site is a wiki, with a blog and a forum. I’ve been playing around with pmwiki a bunch, and I’ve figured out how to use the simplemachines forum user accounts to manage access to update the wiki pages.
My hope is that I can get it to be a consolidated and organized place for useful information on the aquarium hobby. I’ve found many many different resource sites out there, but they tend to be really badly organized and incomplete. For now, I’ll be contributing to the chaos, until it gets more meat on the bones.
The site is here: Aquariu.ms
Jul
Idea for new site
Posted by jerry as Uncategorized
A while ago I had an idea for a site that would track the stocks currently being spammed, the relative effort of the spam jobs, and the stock’s performance over the time of it being spammed.
I had this idea that there is probably a way to make some money off of the pump and dump stock scams. Certainly other people have thought about this before, so I do wonder if it’s a losing game, but it’s hard to tell until you are able to look at the trends and patterns of performance relative to the pump and dump scheme. I’m interested in ideas in what and how this should be tracked.
Jul
The Acura is back
Posted by jerry as Uncategorized
I got my car back yesterday afternoon. I was quite skeptical up to the end that I would get it back in time, but they delivered on the date. They also replaced my windshield, which I wasn’t expecting, but I’m happy they did.
They also very thoroughly cleaned the car - very impressive. So far, the car drives like it did before the accident. I was pretty skeptical about that too. The driver’s door had a slight rattle before the accident which seems to be gone now - nice bonus.
I’ve had several people suggest I get the deer whistles for the front of my car, but I’ve heard (can’t seem to find any sources now) that they don’t really work.
Jul
Deer update
Posted by jerry as Uncategorized
The bodyshop came and picked up the car the same day with a tow truck. The driver said he had just left an accident where a lady hit a deer - a male deer and one of his antlers skewered the driver’s shoulder after it came through the windshield. Yikes.
I talked to the bodyshop a few days after they picked up the car to find out the story. They estimate $6700 and 5 weeks to repair it. Fortunately, I had just bought my wife a new Odyssey, and we hadn’t sold our old one yet, so I have something to drive while they putter around with my car.
I have to say, I’m pretty skeptical that the car is going to be repaired adequately. I hope I’m wrong, but the great things about the TL are its quiet ride, good performance and handling. It’s always been my experience that rattles, vibrations and the like crop up after having a major repair like this.
So, the list of parts to replace looks like this:
- Driver front fender
- Plastic fender insert (protects the inside of the fender from road debris)
- Driver side headlamp assembly
- Driver side front turn signal light
- Driver side mirror
- Front bumper
- grill
- hood
- left and right hood mounts
- battery box
- 3 structural members under the fender
All-in-all, it could have been a lot worse. On the one hand, $6700 seems really cheap - my wife clipped a drive-thru pole and did some minor sheet metal damage to a sliding door, and it was $2400, and on the other hand, it seems like if those are the only things that have to be replaced, 5 weeks is an awfully long time.
Ah, well. I can’t wait to have my XM radio back. Driving an hour each way sucks without CNBC.
Nov
In other news
Posted by jerry as Uncategorized
It was a particularly bad day to be a fish at my house. I took a close look at the fish in my main (office) show tank, and they were quite fuzzy with fungus. In my family room tank, I found the half eaten remains of a poor swordtail. I’m starting to think that I’m running a concentration camp for fish.
Jerry: 55
Fish: 0