Enable Complete support for SSL on WordPress

By 'complete' I mean: required SSL on the login and register pages as well as the entire admin section, and optional SSL for the entire blog for private reading. And when there is SSL, everything is transferred over SSL.

The first step is to enable SSL for administration. This is well documented within WordPress; just add the following statement to your wp-config.php:


Offline Virus Scanning

I’m writing this mainly to codify my recent attempts to improve the state of offline virus scanning. I’ve just recently been adopted as a junior threat analyzer. Part of my duties includes ensuring that flagged machines are double checked with multiple antivirus vendors. (This is a side-effect of using equipment designed for malware analysis and log parsing, minor forensic reports.) Because of this, I’ve become accustomed to using bootable live media to ensure semi-static scans. I’ve also noticed a few problems.


Proxied Email Addresses per-Application

Abstract: I wanted some mechanism in email, such that I could tell how a person found my address. Since I post my email address to many web sites, I wanted a way to track which web sites knew which emails. So I wrote a small script which allowed me to think of email addresses on the fly and distribute them. When someone responded to the emails they would be analyzed and forwarded to my inbox with a reply-to address that would take the opposite route and be sent as the 'on-the-fly' email address.

Interesting Shorewall Logs

I've been messing around with centralized syslogs and I found one of my boxes logging MBs of "kernel" information. :O The problem started when I moved all the boxes to syslog-ng. It turned out that the intense logging was a repeated 2 or 3 lines. I searched for the particular log and couldn't find much, so I hope this helps anyone else in a similar position.

The log entries come in the form of BANDWIDTH_IN and BANDWIDTH_OUT, prefixed by kernel: [time.inseconds].


Dependency Problem Installing sun-java6-plugin

The other day I tried to use a Java applet in my Chromium Browser on Ubuntu 9.10. The other day I found out I didn't have the Java plugin. I also had a bit of trouble installing the plugin package for Firefox/Chromium/Chrome. You can check the plugins loaded in Chromium/Chrome by typing the following into the URI bar:


Fun with Home Network Forensics

This semester I took a course called network forensics. It was a very interesting course, project based, which allowed the students to design any network forensics-related project they wished. For our project, completed with a classmate of mine, we analysed Cisco NetFlow data for our fraternity house. There were quite a few administrative hoops to jump through, including authorization by the university's IRB (since we collected information about their students). I thought I'd share some of my experiences from the project. This summary will try to guide anyone interested in simple forensics with setting up a collection environment for their home network. Unfortunately it isn't a HOWTO or drop-in system. Though if you try what I describe, you're bound to have some fun!


Tunneling (Proxying) ntop through Apache

ntop is a great application. One of its best features is the ready-to-go web server it comes with. You can tell ntop to launch an http or https only (or both) server when it starts. By default ntop will listen on port 3000 for incoming http/https requests.

Unfortunately I like to keep everything organized. I'd like to access my ntop without having to poke any more holes into my firewall. Optimally I wanted to configure an Apache virtual host to point to some tidy folder (perhaps /usr/share/ntop/webserver) and then rely on my already configured Apache to host up the ntop web files. Well, it's not that easy, but it is possible!


Keeping Documents Synced and Organized

I've spent a lot of time thinking and rethinking my current solution to document synchronization. I've included the word "organized" in the article title because when I say sync, I really mean organize. When using multiple computers I want to maintain an organized view of all my work, at any time.

Here's a bit of history on how I arrived at using Subversion to keep myself synchronized and organized.

One day, long long ago, I sat down and took a look at every important personal file on my computers. I don't consider downloaded application installers or most executable files important. I also don't consider music as my "phone" keeps my music synchronized and I couldn't really care less if I lost it all. Pictures are tough for me as I a) don't take a lot of pictures and b) mostly upload them to other websites.

I determined that I have an overwhelming amount of school-related files, a ton of misc programming files and a whole lot of other junk. So I created three folders, one for programming, one for school work, and one for files. (I do realize that 'files' implies school work and programs but w/e.) Within the nexus that is the files folder I have sub-folders for financial documents, backups binaries, professional documentation, etc. Then I took some time and evaluated popular options for keeping those three folders organized:

Dropbox: (http://www.getdropbox.com/)


Dropbox has a ton of great reviews, from both my friends and the internet peoples. They provide you with a user account with a limited amount of storage space (up to 2GB as of now). Dropbox installs as an agent on every computer you'd like synchronized whether it's running OS X, Linux, or Windows. You select a file folder or folders to act as your "dropbox". Every time you update a synchronized file on your computer the agent will upload the change to the Dropbox server. They perform some bit of magic which aids in backup and storage, then push the update out to all other listening clients. If you need to sync more than 2GB you have the option of upgrading to a premium account. (http://www.getdropbox.com/terms#pricingterms)

Dropbox gets a little tricky when considering the types of access they provide. You have three types of "boxes", one for public access (all Dropbox users), shared (you and your friends), and personal (you and yourself). This irks me a bit when considering the types of files I need synchronized. I'm only concerned with personal files. Note: Dropbox has a strict Information Property stance (which is awesome), so syncing music is not a good idea.

I didn't choose Dropbox for two main reasons, first it's centralized, second they limit to 2GB. My files are personal and I'd rather manage the service syncing them. I also have a bit more than 2GB worth of files, not too much more but enough to need premium access.

Take a look at (https://www.getdropbox.com/features) for a comprehensive list of features.

SugarSync: (https://www.sugarsync.com/)

Sugar provides a similar service to Dropbox. Unfortunately they provide fewer features for their free option. You get 2GB (the same as Dropbox) but you're limited to only two computers. They put a ton of advertising effort into their Mobile sync ability. Unfortunately for them Dropbox also has an iPhone/iPod Touch app. Fortunately for them they support a bit more than just Apple mobile devices.

I couldn't find anything about file restoration, only backup features. Dropbox does a good job including an "undo" feature. While this may dip into your 2GB worth of storage, it's invaluable when considering syncing only documents.


I wasn't very happy with either option and after reading their privacy policies I decided I'd find some software to manage my own synchronization. The only apparent downsides to this would be a limited set of features and no awesome amount of server raiding with someone to blame if my files went missing. The upside is that I do own a raided server and I can blame them if any data goes missing. One cool tool I found was Unison. Unison is simple, open source and free. The sad part is it only allows you to replicate on two computers (or collections). This is because Unison is meant as a backup utility, not as file synchronization software.

Eventually I decided to go with Subversion (SVN). I've used SVN immensely throughout school for group projects and gaining nightly builds of some software I test. Thanks to Tortoise SVN I can easily admin my updates and downloads. I'd say the decision to organize and synchronize my files using SVN is based on the features Tortoise SVN provides.

Tortoise SVN: (http://tortoisesvn.tigris.org/)

I'm not going into much detail about subversion as my fingers are getting tired. It's a simple way of synchronizing files using a centralized repository. Tortoise is a nice Windows GUI for using subversion (which is primarily used via the command line). Using SVN allows me to host the centralized repository. So at no time do my personal files leave my hands. I choose the type of encryption and I'm not limited by an artificial storage limit.

Another feature I enjoy about SVN is the ability to transfer files via SSH. That means I don't have to create any more holes in my repository's firewall or worry about any complex system of authentication. AND: if I'd like to have a complex system of authentication I can do so with SSH keys. Tortoise SVN will load PuTTY configuration files so storing my SSH configuration and keys is transparent (as I already have them configured in PuTTY).

Here's a bit of imagery to sweeten the post (Fig A.):

SVN Commit Dialog  Tortoise SVN (Fig A.)

Uploading (called committing) has different levels of granularity. By this I mean I can choose different parts of my file-folder-structure to commit. Perhaps I am working on a homework assignment. I want to commit so I can access it from a few other computers, but I've also worked on other assignments I'm not ready to commit. With SVN I can choose to commit only that current assignment.

This is helpful because I can choose when I'm ready to be organized. I can sync those files I feel are properly sorted. This way, no needless binary or debug files get shipped off.

Now there are some gotchas (or so it appears). Let's say I work on the same file from two different computers, or drop in a file with the same name at the same place from two computers. If I try to commit both, SVN will throw a conflicting error. Conflicts require manual review. Thankfully Tortoise SVN provides a nice diffing window to easily review and choose which changes should be uploaded. When finishing the review, simply right click, and choose 'Conflict Resolved'.

Tortoise's Addition to Right Click (Fig B.)

Figure B. shows the changes Tortoise makes to the Right Click context menu. If a folder is not SVN enabled another option will appear called CheckOut. A CheckOut will let you subscribe to a Subversion repository. In the case of Figure B. I am right clicking on a folder that is already checked out. Tortoise now asks to either Update from the repository or Commit (upload) to the repository.

The only issue I've encountered using SVN is keeping some encrypted files synchronized. The problem is, every time I modify and re-encrypt the files Tortoise will commit the entire file set again. (It sees the encrypted file as a binary file, as every time it's modified the entire contents change.) This is not a huge problem as I have plenty of storage space and the files are not very big. :)

A Friendly Approach to Hiding Passwords

I remember reading a few articles linked on BS's blog (http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html) over the summer. And I remember writing... gee I have a good idea. (Which is now buried somewhere in the comments.) But now that I have my own space to express opinions:

I agree that the traditional methods of hiding passwords are useless. I don't agree that passwords should be shown in clear text. As one commenter writes: many of us use passwords in public locations where shoulder surfing is common and expected. However, black indistinguishable dots are horrible solutions.

It's interesting that the first comment on Bruce's blog rants about Lotus Notes. (Don't worry, I hate Notes too.) But I felt that Notes could have solved the problem. If you take a look here: (http://homepage.mac.com/bradster/iarchitect/lotus.htm) at the bottom the author criticizes the login prompt. When I used Notes I loved the changing picture next to my password. What the author fails to mention is that every time you type your password correctly, you'll see the same picture. (Many to one.) It told me if I had typed the wrong password.

And therein is my proposed solution/replacement to black dots. A picture representation.

Imagine a hash algorithm with 100 or so buckets. (Notes uses much fewer.) Each bucket gets assigned to a picture. After each character of the password is typed, the hash is applied, and a picture is chosen. In the end, if you typed your password correctly you'll see a familiar picture; the one you saw last time you correctly entered your password.

This feature of Notes helped immensely when changing passwords too. Obviously this would result in a new picture. And as humans it's much easier to notice a change in picture (which would remind you of the password change) than a "new" set of black dots.
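
Here's a sketch of the picture hash described above, added as an example; it is not code from Notes or from the original post. The HMAC-SHA-256 construction, the per-installation key and every function name are assumptions, and the sample key and password are constructed.

```python
import hashlib
import hmac
import string

BUCKETS = 100  # "100 or so buckets", one picture per bucket


def picture_index(typed: str, install_key: bytes, buckets: int = BUCKETS) -> int:
    """Return the picture (bucket number) for the text typed so far."""
    # Keyed hash (assumption): the same password maps to a different picture
    # on another installation, so a glimpsed picture says little elsewhere.
    digest = hmac.new(install_key, typed.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % buckets


def picture_trail(password: str, install_key: bytes, buckets: int = BUCKETS) -> list:
    """Picture shown after each keystroke; the last one is the familiar picture."""
    return [picture_index(password[:i], install_key, buckets)
            for i in range(1, len(password) + 1)]


def typo_detection_rate(password: str, install_key: bytes, buckets: int = BUCKETS) -> float:
    """Fraction of single-character typos that end on a different picture."""
    expected = picture_index(password, install_key, buckets)
    alphabet = string.ascii_letters + string.digits
    typos = [password[:i] + c + password[i + 1:]
             for i in range(len(password))
             for c in alphabet if c != password[i]]
    caught = sum(picture_index(t, install_key, buckets) != expected for t in typos)
    return caught / len(typos)


if __name__ == "__main__":
    key = b"constructed-install-key"   # constructed sample value
    password = "correct horse 42"      # constructed sample value
    print("trail:", picture_trail(password, key))
    print("100 buckets:", round(typo_detection_rate(password, key), 3))
    print("  4 buckets:", round(typo_detection_rate(password, key, 4), 3))
```

With 100 buckets about 99 in 100 typos land on a different final picture; with fewer buckets more typos end on the familiar picture and go unnoticed.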

This: (http://www.aleveo.com/ideas/human-passwords) is also a very neat idea, but off topic.