Recently in Housekeeping Category

I noticed this week that a site out there is using wp-o-matic to present my work as his own information security blog.

Some people incorrectly think that an RSS feed is a permanent license to do whatever you want with content. It's not. While it doesn't look like it, I do spend a lot of time on posts trying to make them semi-literate. Reposting without credit or link-back steals my Google juice. Without attribution they are clearly plagiarizing my work. Not cool.

I think that presenting my work as his own is a violation of the CISSP ethics.

I may need to put a footer on each post in the RSS feed. "This post and more like it are available at Roger's Infosec Blog www.infosecblog.org"

If you're interested in learning more about your rights as a blogger regarding plagiarism, check out CopyScape.

This post is not about the people who have asked and the people who do link back. I appreciate that you like my work and provide some traffic back my way.

Follow me on Twitter


I've used Twitter as a follower for a while now. I've decided to create a Twitter account for Infosec related stuff. Mark Cuban says more people find his blog via Twitter or Facebook than Google. That is generally going to be people sharing links. Let's face it, his controversial posts are designed to create a link-storm. My posts, not so much. However it is true that Twitter is used as a search engine for people looking for up to the minute information. Also while it's kind of a no-no in my opinion to ask for link sharing on a website, follows in Twitter are routinely done.

It seems a bit foolish to open another account to update when my updates to the blog have been less frequent. Fortunately the twitter lifestyle doesn't require a spell-check. Please shoot me if I ever spell "you" as "u" however.

Follow me on Twitter @InfosecTweet

Moving


A little housekeeping blog post.

I'm moving webhosts this week. My old host is progressively more annoying. A few years ago the owners sold out to a company that operates many web hosting brands. After quite a bit of migration headache, things seem to have stabilized. Nevertheless, my contract is finally up, and I've decided to move on. I have a real problem with the attitudes displayed by the moderators on the hosting company's forum. It was once a place of help. Now all they do is quote "we are not $company employees, contact $company support." So much for peer to peer help. The last straw for me was when many customers were hacked and the company didn't communicate beyond forcing a mass password change.

The new host has SSH access which should make routine maintenance a bit easier. They also offer 50 GB of space off for non-website related things like backups.

During the transition, I decided to refresh my style a bit (although I am worried that this one is used by too many people already). The new style caused my AJAX comments to not work. So we're back to the default comment submission method. That means more spam in the moderation queue.

So pardon the dust as I find widgets to add/remove.

Facebook Connect Plugin


I installed the Facebook Connect Plugin for MovableType. It's supposed to allow you to login using Facebook credentials and share the comment back to your Facebook wall. The login seems to be working sort of ok in Firefox (once I allowed all the Facebook JavaScript to run). But in IE, it's not working at all. I'm not sure if that is because I am using AJAX comments or if it's caused by something else.

That is the state it is going to remain in for a while.

Housekeeping - upgrades


I've upgraded the blogging software over the weekend so let me know if you spot any troubles. You can get an email address for me on the home page, just click on the link and solve a recaptcha.

Now that I've upgraded, I have OpenID 2 support which allows me to offer Yahoo logins for commenters. Unlike the AIM OpenID login, Yahoo allows you to set up an alternative screenname (and by default uses a GUID which is really unfriendly) so your email/IM address isn't disclosed in the process.

Happy Blogaversary


I was reminded by a commenter that I've missed my blogaversary.

Four years ago yesterday I began this blog.

Time sure flies by.

Thanks to search engines that found the site. Thanks to feedburner for letting me know how many people have subscribed via RSS (or ripped the site off via RSS). Thanks to the readers and to the commenters. Thanks to MovableType for providing the software.

Here's to another year securing computers and data.

Comments


I have installed the AJAX comment system. It has the side effect of requiring JavaScript to be enabled in your browser to submit a comment.

I've also re-enabled anonymous comments. Hopefully the JavaScript will throw off some of the automated comment spammers.

I've seen a press release from Yahoo stating they are implementing an OpenID beta at the end of the month. Hopefully shortly after that there will be a plugin to make using Yahoo accounts to comment here just as easy as using AIM accounts.

The spam filter has run amok


My MovableType spam defenses have kind of run amok. It was letting through a ton of spam which led me to disable anonymous comments. For its next trick it decided to trash valid comments.

The first method used for trashing valid comments was a rule that http:// shouldn't appear in the commenter's name field. That wasn't a problem until OpenID. The crappy OpenID plugin I'm using doesn't put the OpenID displayname in the name field. Instead it pulls a URL including the name and the server. A quick tweak to the ruleset fixed that problem.

The next issue I found was when my own comments were getting blocked (when using a test account, not my regular comment account which is set up as a trusted commenter). The Spamhaus zen filter was blocking me. Back in July, MovableType reported that one of the old blocklists was going away and they recommended using zen.spamhaus.org instead. Since I like Spamhaus I accepted that recommendation uncritically. Now I find out that "ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the PBL blocklist". The problem is the PBL is the policy block list. It's like the DUL. It's designed to prevent end users from sending mail directly to recipient mail servers. They should go through the ISP mail server. That is not the sort of list you should be using with HTTP. Endpoint computers should be browsing directly to my website and making comments.

A better Spamhaus list to use is the XBL. Be aware however that according to Spamhaus, "The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users."

You're probably better off forcing the user to prove they are human with a Captcha rather than using (misusing) block lists.
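An added example (not from the original post and not MovableType code) of the distinction drawn above: a ZEN answer carries a return code that identifies which component list matched, so a web comment form can ignore PBL-only hits and ask for a Captcha on the rest instead of blocking. The 127.0.0.x codes are the ones Spamhaus publishes for ZEN; the function names and the `allow`/`challenge` verdicts are illustrative assumptions.

```python
import ipaddress
import socket

# Return codes Spamhaus publishes for zen.spamhaus.org, grouped by component list.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# 127.255.255.x answers report a query problem (bad zone name, public
# resolver, rate limit); they are not listings and must not count as hits.
ERROR_PREFIX = "127.255.255."


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL lookup name: reversed address labels followed by the zone."""
    pointer = ipaddress.ip_address(ip).reverse_pointer
    labels = pointer.rsplit(".", 2)[0]  # drop "in-addr.arpa" / "ip6.arpa"
    return f"{labels}.{zone}"


def lookup(ip, zone="zen.spamhaus.org"):
    """Return the A records for ip in the zone; an unlisted address gives []."""
    try:
        return socket.gethostbyname_ex(dnsbl_query_name(ip, zone))[2]
    except socket.gaierror:
        return []


def classify(answers):
    """Split raw answers into (set of component lists hit, list of error codes)."""
    lists, errors = set(), []
    for answer in answers:
        if answer.startswith(ERROR_PREFIX):
            errors.append(answer)
        elif answer in ZEN_CODES:
            lists.add(ZEN_CODES[answer])
    return lists, errors


def comment_verdict(answers):
    """Decide how a web comment form should treat the submitting address."""
    lists, _errors = classify(answers)
    # The PBL only says "this range should not send mail directly",
    # which says nothing about a browser posting a comment over HTTP.
    relevant = lists - {"PBL"}
    # Hypothetical policy: an SBL/XBL hit asks for a Captcha rather than
    # blocking, since the current user of a dynamic address may be innocent.
    return "challenge" if relevant else "allow"


if __name__ == "__main__":
    # Constructed answers for illustration, not real lookups.
    samples = {
        "home broadband (PBL only)": ["127.0.0.10"],
        "exploited host on dynamic range": ["127.0.0.11", "127.0.0.4"],
        "query sent via public resolver": ["127.255.255.254"],
        "not listed": [],
    }
    for label, answers in samples.items():
        print(f"{label}: {comment_verdict(answers)}")
```
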

Burned Feed


I've enabled feedburner. The way it's set up, you don't have to change your config. It should redirect transparently. Let me know in the comments if you see any issues.

I decided to upgrade from the Movable Type template that I've been using since version 2.6. You should now be able to use OpenID and Live Journal logins when commenting in addition to the typekey logon you could use before.

Three years ago I began this blog. How about that.

Housekeeping


I've updated the Categories archive so that rather than consisting of one long page for each category, the page will break up each category by month. Not sure if that will be more search engine friendly or not. But it was something to try.

Back


Comments and trackbacks are back online.

No Comment


Comments and Trackbacks are temporarily offline, sorry.

Back Online


I had to get my webhost to fix the Internal Server error. When they migrated servers last summer they did something special to make the CGI work; I think that was blown away. At any rate, they got it fixed relatively quickly, so I'm happy.

After that was brought up, I think my autoban script blew away the .htaccess file. But I fixed that as well so the default doc is back.

It's pretty late; I'll see about posting some actual content tomorrow.

Typekey


I set up typekey authentication for the blog. Typekey is a form of authentication that can be used at many sites. Currently it's set to require email address when posting a comment. It seems kind of funny to require that of people posting in a somewhat authenticated manner but still allow the quasi anonymous posting.

So for now you can do either. The main advantage is it allows me to "trust" certain commenters so they aren't moderated. For now I'll trust myself, and anyone I know personally. We don't get a lot of legit comments, so it's not really a big deal. I just figured I'd point out the change.

MT Changes


I played around with Movable Type and made some changes this weekend.

To conserve space on the right hand column, I converted the Monthly Archives links to a pulldown menu. I promptly re-used that saved space by adding a blog roll. A blog roll is merely a list of sites (in this case infosec and information technology) that I view regularly.

I added a back arrow on the calendar over on the right hand column. It takes you to the Monthly archive page for the previous month. I am thinking of adding the calendar view to the Monthly archive page. That calendar slows down the site build, but I like that I can easily see my post frequency. I shoot for 5 days a week posting. As you can see, I'm not keeping up.

I registered for Google Analytics. That may give me a more accurate count of visitors. Currently, I have a really high unique visitor count thanks to blog spammers. Unfortunately, this method will not count the RSS readers unless they click through to the site to read the article. Since I put the full article info in the RSS feed, most readers won't do that.

index.rdf 404


Looks like last year Movable Type stopped updating index.rdf. I've deleted that file so if your RSS reader is looking for that and getting a 404, you should update to a current feed.

Test Post


This is a test post, upgraded to MT 3.33 today.

Trackbacks


Since a server migration, I've had nothing but trouble with trackbacks. The webhost support team resolved a problem with the cgi. But now, I seem to get so many spam trackbacks that Movable Type is throttling further trackbacks when it reaches a certain number per hour or per day.

All of the junk tracks are correctly tagged by the spam filter, but they still count against the throttle quota. The spammers are wasting their time since in addition to an effective spam filter, I am also moderating.

It's not as if people are beating down the door to send me a trackback ping, but I'd kind of like to actually receive it instead of having legitimate pings (including my own pings to older articles) throttled. Movable Type currently assigns a numeric trackback address to each post. This allows a spammer to send me a ping, without previously visiting the site. I hope this has been resolved in the new version of the software. I'm thinking about implementing a plugin which will rename the trackback links, and put the spammers in a tar pit, but I'm worried about the consequence.

Trackbacks back up


My host fixed their issue that was breaking my blog's ability to receive trackbacks, which I mentioned here.

Inbound Trackbacks


Looks like inbound trackbacks aren't working correctly. Comments are working though.

My webhost recently changed servers causing the problem. We'll see if we can figure out how to fix this.

Mississippi AG Blog of Interest


After working at getting the site back to a point where I could post updates, I did a search over at search.msn.com to see who is linking here. The Mississippi Attorney General Cybercrime Center has a Blogs of Interest page (also titled Computer Security Blogs).

Guess whose blog is on it? Yep, this one. How about that!

Test entry


Are we back live? A few days ago, I could no longer log into my blog. Database corruption is the Achilles heel of Movable Type. When I started using MT they only worked with a native Berkeley Database. In later versions, support for MySQL was added but I didn't realize the importance of migrating. The Berkeley database is apparently known for corruption and problems caused by the ISP performing upgrades (or downgrades) of some needed libraries. I tried to migrate to MySQL to save the blog, but I got the same errors. I've not restored a backup that is a week old. I like the new MT look. I need to run out the door, but I'll be double checking things and making sure the templates still look good.

Odd that atom is the default rss feed. Is that better than rss 2.0? I'll have to put that on the list of things to address.

Commenting spam filter tweaked


The comment spam filter was a bit overzealous and trashed some comments because the commenter didn't provide a url. I've turned the sensitivity down two clicks so hopefully that won't happen anymore. If you left a comment in December that didn't get posted, sorry, it's gone. If you commented earlier this month, it's up now, and I've probably replied with my own comment.

Site config and blog spammers


I've been trying to figure out why I am seeing so many 404s in the logs. It doesn't seem to affect humans, but search engine bots and comment spammer bots seemed to be having a hard time. That wouldn't bother me, but it was hurting my ability to send trackback pings to myself.

I changed one thing and now trackbacks seem to be working a bit worse, but the spammer comments are getting through. Really, I wanted that. The blog software is stopping it effectively. I'd rather the blog software stop the spammers than a misconfiguration. Now, I just need to find some time to fix the trackbacks. I have it set up so outbound trackbacks occur on links to this site and myitforum.com/blog only.

Really, you'd think the blog spammers wouldn't even bother attacking versions of software known to have spam filters.

I'm going crazy


School and work and personal life are starting to press down on me.

School has two projects due this week. One is to create an SSL denial of service utility. That requires some coding ability and understanding the order of requests in SSL. Sort of like a TCP SYN flood, we'll try to give them a bunch of SSL client key exchanges. This will cause the server to be wasting a lot of processing on fake messages. As if this weren't enough, we have to spend cycles setting up a VPN connection to the test network where the SSL server is located. Once we have tested our code we need to submit it via CVS over SSH, which sounds like yet another layer of fun.

Work has me running around. I'm working on an IM Security product, and I just don't feel like the two products I'm looking at give me the security I want. What is going to happen at the end of my two months of testing when I say, neither solution really does it for me?

Work is forcing us to sign a non-solicitation agreement. It feels like the 8th floor is just looking for ways to annoy the employees. I'm not sure if I should be having a lawyer look at this or what. There are definitely things in there that I don't agree with.

Work was supposed to register me for Shmoocon; instead they waited until after the registration deadline to tell me that work wouldn't register using paypal and I'd have to do it myself.

Personal life, things are just starting to pile up. I need to get the yearly state inspection done on the car. It also needs an oil change. It's time for the fall furnace checkup. I need to set up an eye doctor appointment. And I'm going into the dentist in two weeks.

Something has to give soon...I'm going nucking futz!

Quiet Weekend


Not much caught my eye this weekend to blog about. No patches from Microsoft this week. That is always good news. Firefox apologists had to shuffle their feet, stare at the ground and blame Microsoft when asked why their secure browser has another critical security vulnerability.

I went to the Nationals game on Friday night. We had a thrilling come from behind win against the Braves. Nothing better to shut up the Atlanta fans at the game. :)

Things are crazy with both work and school. I have a number of projects at work and I'm not sure I can push any of them back. We also have performance reviews due soon, and I'm moving to the windows side of my office so I'll have to spend a day packing up and moving. With school, I am at the point of the year when I am already lost, and I don't know if I can do the assignments. It's just not a good feeling. I've got one class on Communicating Sequential Processes (which appears to be a formal method invented to torture Graduate students). The other class is in Advanced Network Security. I've got a project coming up where my team needs to implement the PAKE protocol. I'm not sure anyone on my team can code. :( I'm freaking out.

Blog Software Upgrade


I've upgraded from 3.17 to 3.2. This new version has some built-in comment spam filtering. It's odd, the font size in my editing window is really tiny.

ISO RSS Reader that supports enclosures


I'm looking for recommendations for an RSS Reader that supports enclosures. i.e. can be used with blogcasting/podcasting feeds.

I've been using SharpReader, and it's not as big a memory hog as the last aggregator I used, but it doesn't support enclosures. Any new reader should also support OPML technology so I can import/export my feeds.

New Software

I performed an upgrade on the blogging software I use here. No worries thus far. Hopefully there aren't any security holes lurking. :)

Back now

Back in town. It was definitely a fun and much needed break.

Housekeeping: Time off

Summertime and the living is easy. Well not so far. Been working too hard. So I'll be taking a break until around August 1st.

Happy Blogaversary

Today is my one year anniversary of blogging about Information Security. I think over the year I've been more or less faithful to my goal of updating 5 days out of 7. Hopefully some of it has been useful to the readership. I've certainly enjoyed doing it.

Here's to another year of securing our computers.

Have a take, don't suck

Note: this entry is in the housekeeping category. That means it's about the blog itself or in this case blogging in general. Not a security related post.

I hate to quote Jim Rome, but it seemed kind of appropriate. Too many bloggers are just posting links to other people's content. I do that occasionally, but most of the time when I am not posting original content, I have comments that hopefully provide some added value.

I subscribe to a lot of RSS feeds. It's kind of silly when post after post it's people doing a cut and paste job on the SANS Diary or the F-Secure weblog. Um, thanks. I know about those blogs. I went there first.

It's a fine line. I wouldn't have learned about some blogs like Robert Hensing's blog or Donna's Security Flash if someone hadn't linked to them in their own post. That doesn't mean it's ok to turn your blog into a security link aggregator. Have an opinion about what you are linking to. Post original content every now and again. Hopefully you've got some security related project at work or at home that you can talk about. Perhaps you just had a flash of insight on how SMS can be used as part of creating a defendable network. Write it up!!

Have a take. Don't suck.

Back to School

School is starting back up for the semester. That may give me some new ideas for things to write about, but will also suck up all available free time, making it less likely for me to write. We'll see how that goes.

Merry Christmas

Hope that all of you have a safe and happy holiday.

Unto you is born this day, a savior. Christ the Lord.

Sorry for the delay in posting

Normally right after I apologize for a delay in posting, I follow that up by not posting for an even longer period. So I'll try to avoid that trend this time.

Over the weekend we had a test of our disaster recovery procedures. The SAN containing our mail data, desktop backups and file server went south and we spent a bit of time recovering from that.

Here are some thoughts (not all of them had to be learned the hard way):
1. Alerting is always good. You want to find out about these things as early as possible. I had a page from Unicenter that I interpreted as being about disk size but apparently it was trying to say "disk gone". If I hadn't wandered through work, I wonder how long that would have gone unnoticed.
2. You need a hard copy of your disaster recovery plan, or at least some people's home phone numbers. It's not good for it to be on the server that is down. (Apparently there was some concern at providing us low level people with everyone's home information because we might go egg their houses. We're all in I.T. We can probably figure out where you live already.)
3. Plan for the worst case scenario. It could happen.
4. Backup software is worthless if it can't restore the entire server.
5. In time of a disaster, everyone is needed. Sometimes even if you don't have knowledge about specific software, you can be a sounding board, or just run out for donuts.

infosecblog.org

I've registered the domain name infosecblog.org and reconfigured the blog software to use that domain. Guess that should give me some incentive to continue blogging.

Powered by Movable Type 4.31-en

About this Archive

This page is an archive of recent entries in the Housekeeping category.
