Why editing is important

I thought I would take the opportunity to highlight the need for editing technical documents (really, all documents).

Take these three captioned screen shots:

Apple's well-known ports, listing ARD as tcp/udp 3283

Apple's ARD help documentation, listing tcp/udp 3283

And now, for something completely different:

Apple's 10.4 firewall configuration pane, listing ARD as tcp/udp 3238

If I had not drawn attention to the inconsistency, you may not have noticed, either. It is, however, a significant discrepancy!


Google Wave

If you haven’t seen this yet, welcome back from the Moon!

http://www.youtube.com/watch?v=v_UyVmITiYQ

When I saw this demo, I hit DND on my phone and watched this demo very carefully.

Google Wave seems to offer a lot of potential benefit for my industry. I’ve submitted a request to access the Google Wave Sandbox so I can start developing some widgets and testing out the system.

Cross your fingers for me!

What would I really like to see in Dropbox? Signed binaries!

A few months ago, I asked the Identi.ca community what I could use to (more or less) securely synchronize my documents across the three major platforms (Linux, Mac OS X and Windows), for free. I was introduced to Dropbox.

The dropbox logo; an open translucent blue packing box with Dropbox to the right.

On a recent episode of Security Now!, Steve Gibson mentioned a neat freeware tool for Windows called prio. Among the various extremely useful functions prio offers (it’s chiefly designed to make process priority sticky across launches), it will also highlight, in green or red, in the Windows Task Manager, services and processes which contain a valid digital signature.

Sample prio screenshot (from the author's site) of the Task Manager showing red and green processes representing, respectively, unsigned and signed binaries.

As I have become increasingly aware of the security implications of running a Windows-based machine, I’ve become very sensitive to things such as digital signatures in executables. To quote from prio’s manual (which explains the topic quite well):

What is a digital signature for?
An electronic digital signature is an attribute of an electronic document used to protect it against forgery and verify its authenticity. A lot of malicious software disguises itself as Windows system processes. It is possible to forge the name of an executable file, but it is impossible to forge its digital signature. With Prio, you can always analyze the list of running processes in order to check the digital signature of their files or their network activity.

The bottom line: Dropbox, please sign your binaries! I’m entrusting your service with my documents, photos, and other personal or work data. More importantly, I’m letting the binary reside in memory and read and write arbitrarily to my hard disk. A valid signature on the Dropbox.exe binary would help me know that nothing foul is going on to the extent that Dropbox.exe hasn’t been highjacked or otherwise trojanized.

Got a look at the Gdium Liberty 1000 at FOSSLC

Last week I attended the Free / Open-source Software Learning Centre’s (FOSSLC) SummerCamp 2009. Among the many interesting, informative seminars was a talk on the Gdium Liberty, a (nearly) completely free and open source notebook computer:

Gdium Liberty 1000

Besides the many advantages of open-source, it also happens to be solid-state and cleverly modular: the black protrusion below the trackpad is the ‘Gkey’, the USB key on which the operating system and filesystem is stored. The advantages of this architecture are clear and elaborated on Gdium’s web site.

It feels light yet very sturdy, the pointer tracks well, and the wifi works.

Linux laboratory

A Linux laboratory (next to the Fibre optic lab) at Algonquin College I spotted while at FOSSLC SummerCamp 2009. Why doesn’t every school have one of these?

How do you deal with twitter spammers?

I recently discovered twtpoll.com, a free, no-hassle polling system originally designed for polling the twitterverse, though it certainly has promise outside micro-blogging.

Following from a recent discussion with a fellow twitter-er, Carlos–who abhors Twitter spam so much that I will refrain from using his Twitter handle for fear that he may be auto-followed–I created a poll about Twitter spam and spammers.

How do you deal with twitter spammers?

I’m not a social media expert trying to refine my own spamming technique; I’m just curious.

I’ve gone through phases of protecting my timeline, of blocking spammers, of not doing anything at all, and back again…

Protecting /server-status and /server-info, sort of.

Just turned on server-status or server-info?

I have previously not made much use of Apache’s server-status and server-info functions, but recently I’ve found a use for them as traffic and development increases on my new server.

After a bit of reading online, I noticed that The Apache Software Foundation doesn’t even protect their own server-status page. I asked for people’s opinions of this practice, since, at first glance, there is very little to be concerned about in serving server-status information to the general public.

Thankfully, I took a second glance.

As my friend and highly skilled programmer Nebu Pookins soon pointed out:

What can you do with server-status besides regexp for “GET .*\?.*pass(word)?\=.*” (in which case you got bigger problems)?

I glibly replied that no programmer worth his salt would implement a password mechanism using an exposed method like a GET variable. However, there are many other parts of your site that server-status can expose which should probably remain private. For instance, if you have taken pains to hide your web-based administrative tools, you will expose them to the world.

How can you go about protecting server-status and, equally importantly, server-info?

The first thing to realize about these two “pages” is that they are internal functions of httpd, and cannot be protected by any mechanism above the server layer (like a PHP script or a /server-status/.htaccess file).

The answer is extremely simple: embed the directives you would otherwise put inside an .htaccess file directly into the <Location /server-status> directive, like so:

<IfModule mod_status.c>
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Uncomment and change the ".example.com" to allow
# access from other hosts.
#
<Location /server-status>
    SetHandler server-status
    Order deny,allow

    AuthType Basic
    AuthName "Developer Zone"
    AuthUserFile /etc/apache2/extra/mod_status.htpasswd
    Require user developer_joe
</Location>
</IfModule>

Exactly the same can be done for server-info.

I should point out that this method has all of the pitfalls of httpd’s Basic htaccess method and is not foolproof. This will, however, allow you at least to password protect some sensitive information, while still allowing you access to it from outside your LAN.

If your development machine always has a FQDN, you can also add that above in an “Allow from name.com” directive.

For additional security, you can change the name of the path to the server-status to some random string, which will make it difficult to find in the first place. Security through obscurity is among the weakest methods, but another layer never hurts.
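Putting the pieces above together, here is an added example (not from the original post) in Apache 2.2 syntax that protects both handlers, lets a trusted development network in without a password via Satisfy Any, and turns off ExtendedStatus so that per-request lines (the query strings Nebu mentioned) never appear on the page at all. The 192.0.2.0/24 network and the htpasswd path are placeholders to adjust for your own host.

```apache
# ExtendedStatus On is what puts each worker's request line, query string
# included, on the status page; Off shows only the scoreboard counters.
ExtendedStatus Off

<IfModule mod_status.c>
<Location /server-status>
    SetHandler server-status

    # Host-based rule: deny everyone, then allow the development network
    # (192.0.2.0/24 is a placeholder; a FQDN such as dev.example.com also works).
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # Password rule for everyone else (path and user are placeholders).
    AuthType Basic
    AuthName "Developer Zone"
    AuthUserFile /etc/apache2/extra/mod_status.htpasswd
    Require user developer_joe

    # "Any": a client passes if EITHER the host rule OR the password rule
    # is met. Change to "Satisfy All" to demand both.
    Satisfy Any
</Location>
</IfModule>

# Exactly the same treatment for server-info.
<IfModule mod_info.c>
<Location /server-info>
    SetHandler server-info

    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    AuthType Basic
    AuthName "Developer Zone"
    AuthUserFile /etc/apache2/extra/mod_status.htpasswd
    Require user developer_joe

    Satisfy Any
</Location>
</IfModule>
```

After reloading httpd, a request from outside the allowed network should get a 401 until valid credentials are supplied, and a request from inside it should load the page with no prompt.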

I welcome your comments and experience(s).