What does this mean for you? Well, to put it succinctly:

Say you upload a video of yourself to YouTube, and since you’re a cool guy you record the first 20 seconds of Madonnas olde time hit, “Vogue” as your title theme. Now, if a Sire records executive happened to see that you were using copyrighted material in your video on Youtube, they could have Youtube SHUT DOWN IMMEDIATELY. Today, just searching for “Vogue” on Youtube returns over 176,000 hits. Can you imagine how much user created content will be lost because of fear if SOPA passes? Scary. Granted, this is an extreme case, and probably wouldn’t play out exactly this way. But the real question is, do we want people who understand nothing about technology making decisions like this about the future of the internet? I vote no.

I digress. The reason we’re here is to protest the evil of the registrar world that is GoDaddy. Not only do they practice misogyny in their advertising campaigns, but they inundate their web interfaces with ads and upsells for crap that the average user doesn’t need. And in this day and age, most average users will buy it without understanding that they don’t need the ridiculously priced garbage that GoDaddy pushes onto them at every page reload.

So lets say for a moment, that you’re okay with GoDaddy using provocative ads and promises of pornography on their TV commercials to get you to buy domains from them. You’re even okay with them trying to sell you products you don’t and never will need, much like a car salesman (or Fry’s sales “associate”). Heck, you don’t mind that their CEO goes big game hunting and shoots elephants for sport. The one thing that you should at least mind is that GoDaddy, through this whole SOPA thing, has been the biggest damn liars ever to grace the internet. And there are some big liars.

In the beginning, GoDaddy supported SOPA fully. Hell, they even helped pen the sections where registrars are exempt from the bills nasty internet destroying side effects. Then, the Reddit troves came in, started transferring all of their domains, and GoDaddy started to lose money. So, GoDaddy said, “Okay, we no longer actively support SOPA”. Of course, that means that they passively support SOPA, which is just as bad. So the transfers continued. Today, they released another statement here. At first glance, it would appear Reddit has won and GoDaddy is receding their support of SOPA.

but NOPE, it’s Chuck Testa!

If you read carefully, you’ll notice that GoDaddy doesn’t say they’re actively opposing the bill. Bad form, GoDaddy.

At any rate, like everyone else, I suggest you migrate your domains to a better, friendlier registrar.

I suggest Namecheap.

Thanks

1. Local storage. On the workstation that I pull the images off of the various cameras on, I store the media locally. This provides easy access, but sadly no redundancy in case of a hard drive failure. My hard drive on that computer is almost new, so I do have some sense of reliability.
2. Fileserver with ZFS storage (OpenIndiana). I have a fileserver that I use for media and various data storage needs that has a large ZFS RAID on it (raidz). It’s basically RAID-5 across five 1TB SATA hard drives. This provides insurance in that if one of the drives fail, I’ll still be able to get at the data.
3. Cloud storage. The cloud storage provider I chose to use is SpiderOak. This gives me 100GB of offsite, cloud storage for $8/mo.

So to explain my SpiderOak choice, I found that it provides a good subset of features/security/space for price. There are many other places that offer offsite cloud storage at a comparable or better price, but for the compatibility with Linux and so many glowing reviews, I thought I’d give these guys a shot.

For you guys who are going to say “Use Dropbox!” I say no. Heres why.

No Linux Support – This is big for me. Linux is a huge player in the home/small business market and to not have a client for it shows either that the company is too poor to hire a few Linux developers, or they just don’t care. Either reason is good enough for me to not use it. And yes, I know I can fudge it by having the dropbox client on a windows box, and then sharing the dropbox folder on the network, and then copy the files from the fileserver to the dropbox folder over the network. You know the problem with that? I have to rely on windows. With patch tuesday, and OS failures on days ending with ‘y’, I figure that wasn’t such a good idea for data I actually care about. (Yes, it’s Windows 7. Yes, I have an 6.4 experience index rating). It’s simple file backups. I should be able to do it on an 486DX with 32MB of RAM.

And I can.

With Linux.

Just sayin’

So a while ago, I upgraded my Samsung Fascinate to a custom ROM (this one here), mainly to help with some battery issues I was having, and to get a custom kernel that had some lag fixes. Anyway, after I did this, I noticed that every time I tried to open my Camera app it would just give me a “Camera failed” error and close. Checking dmesg, I found a bunch of errors relating to the camera driver in the kernel (notably, this one: “ce147_get_fw_data: Failed: Reading firmware version”). So, some googling led me to an obscure forum post (whose forum is down for some reason), but I’ll post the gist of the procedure here:

1. Download “LauncherPro” from the App Market. Its free, don’t worry.
2. Launch LauncherPro, and hold click on your home screen. Choose create new shortcut, and then choose activity, and then click “Camera Firmware”.
3. Choose the option ending in _user.
4. Click Ok, then click the shortcut you just made on your desktop.
5. Choose “Phone to Cam FW write” and set your phone down.

Once it gets done, your camera should magically work again.

Disclaimer: This worked for me, but it doesn’t mean it will work for you. Heck, it may burn your house down or bring about the apocalypse. I’m not liable if any of these things (or anything else) happens as a result of following the above instructions.

I’m sure we’ll see some copycat groups pop up in the next few years, but one thing will resonate with everyone from the LulzSec hacks: We should all pay more attention to security.

Now I realize that as companies get larger and larger, they let information security fall by the wayside. Everything from Security Awareness training to systems hardening and review *should* be implemented for every company who services any users.

Instead, we get corporations with unpatched Windows XP machines sitting unfirewalled on the internet. Secretaries that will gladly tell you information you shouldn’t know, with just a few kind words. Systems that are 10 years old that have had no patches for at least that long because everyone forgot they existed.

I won’t lie. I haven’t been dedicated to the security game in a long time. I make a concerted effort to prevent remote exploitation of my machines, and I keep them up to date with security patches and scans. I also don’t face known vulnerable systems to the internet, because I’m not dumb. Most of what I do with my personal systems is just best practice to me.

And I’m not even close to secure. Those of you who don’t follow any of these sorts of practices are just inviting hackers in.

LulzSec showed everyone that there is a big problem with the way many large corporations/government affiliates handle security. If we take anything from their brief 50 day run at the internet, we should take this: security should come first.

I realize I’m posting when I’m less than coherent. And I’m also 99% sure that my site will be hacked as soon as I hit “Post”.

Just please remember, “Security First”. Protect your poor data, because it can’t protect itself.

Personal computers have proliferated the home much like automobiles did once they were affordable by the general public. When automobiles became popular, chains of mechanical service stores started popping up all over the place. Some were reputable, giving you a fair price for honest car service and diagnosis, where others were not as trustworthy, maybe convincing you that you needed a new air filter with that oil change a few thousand miles early. Yet the worst of all are the ones who prey on people who don’t know anything about cars. You know which ones I’m referring to, the ones that not only convince a little old lady that she needs a new muffler, air filter and oil change, but also nicks the oil line with a razor so that she’ll be forced to come back for even further repairs.

Now what you’re probably asking yourself is, what does this have to do with computers?

Much like the mechanical service chains I referenced above, computer service stores have become commonplace these days. They are plagued with the same sort of problems, everything from incompetent technicians to flat out sabotage. And there are now online “service stores” where you “simply” run a program you download from the site, and it solves all of your software problems and computer slowness, just like magic. Or at least that’s what the commercials will want people to believe.

Side rant: This is the way I see computer technology: Everyone needs at least some access to a computer. Be it for email, internet, keeping a log of how often you milk the cows or how many inches that iceberg has drifted south. People need them. Now, of course there are going to be people who are so in love with that area of technology that they get very knowledgable about it. It’s cool. Every science has its passionate practitioners. But I think it’s our responsibility as those who are knowledgable to help protect people who don’t want to know how the magic happens, they just need it to happen. Grandma checking her email, the kids surfing the internet, they all need a hand from time to time, and we’re there to help.

But there are wolves in the woods.

Getting back to the companies who are just trying to make money off of users who don’t care to know much about the technology.

You’ve all see the commercials. Claims that a piece of software can fix every problem with a computer seemingly magically. Warnings that failure to do so could cause “PERMANENT DAMAGE” to your computer.

And sadly, there are plenty of people who fall for this and gladly shell out the money, only to find that the program doesn’t work as advertised, or they end up with more problems than when they began.

As another side note, being someone who was very interested in computer malware for a long, long time. There are only two examples of computer viruses that can actually cause damage to the hardware of a computer, and neither of them work on any current operating system/hardware (This means if you’ve bought your computer new from a store after 1996, you are probably okay).

Is your computer running slow? Take it to a reputable computer repair shop. I usually don’t recommend the Geek Squad or Office Depot though. Know a relative who is savvy with computers? Ask them to take a look. Know me? I’ll have windows screaming again in 10 minutes, just ask. Ask your friendly IT employee at work. Maybe they’ll take a look, or know a good repair shop that will.

Just please, do not support MyCleanPC by buying their software. I’m not saying it won’t delete some rogue junk off of your computer, but I would never trust a company that makes such outrageously false statements in their advertising just to monger fear. There are claims floating around the internet that the MyCleanPC application installs spyware, malware or a virus as well (remember sabotage?) but these are unsubstantiated.

I’ve strongly considered trashing a test machine installed with XP and running MyCleanPC on it to see what it does, and reporting back the results. Maybe I’ll do that.

At any rate, just like anything, buyer beware. Sometimes it’s not the wolves in the woods you need to worry about, but the one that snuck in wearing a little red dress.

What? It made sense to me.

I should note that Brielle inspired me to write this post, as this MyCleanPC nonsense has apparently outraged her as well. Read her article over here.

On an off note, if you’re the owner of BlueBear and need to host your content somewhere, I’ll donate some of my VPS space for free. Your project is awesome and the world needs it. Particularly since VMWare and Citrix don’t care enough about Mac and Linux users to make a client for them.

* – stolen from Kodiaks splash screen.

I’ve gotten quite a few emails regarding my last post about Drupal and mod_security, and what those rules I’m removing actually do. Well, I’ll explain.

First Rule: 960010
SecRule REQUEST_METHOD “!^(?:get|head|propfind|options)$” \
“chain, t:lowercase, deny,log,auditlog,status:401,msg:’Request content type
is not allowed by policy’,,id:’960010′,severity:’4′”
SecRule REQUEST_HEADERS:Content-Type “!(?:^(?:application\/x-www-form-urlencoded
(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)”

This rule basically only allows certain content-type headers to be passed with the request methods listed in REQUEST_METHOD. Apparently, Drupal doesn’t respect this rule in posts.

Next, 960015
SecRule &REQUEST_HEADERS:Accept “@eq 0″ \
“chain,skip:1,log,auditlog,msg:’Request Missing an Accept Header’, severity:’2′,,id:’960015′,”
SecRule REQUEST_METHOD “!^OPTIONS$” “t:none”
SecRule REQUEST_HEADERS:Accept “^$” \
“chain,log,auditlog,msg:’Request Missing an Accept Header’, severity:’2′,,id:’960015′,”
SecRule REQUEST_METHOD “!^OPTIONS$” “t:none”

This basically says, any request other than an OPTIONS request, *must* have an Accept header sent with it.

Next, 960032:
SecRule REQUEST_METHOD “!^((?:(?:POS|GE)T|OPTIONS|HEAD))$” \
“phase:2,log,auditlog,status:401,msg:’Method is not allowed by policy’, severity:’2′,,id:’960032′,”

This says any methods other than POST, GET, OPTIONS or HEAD aren’t allowed. While generally this is true, and I don’t know why Drupal will occasionally hit this rule, I just remove it out of completeness.

And Lastly,

Rule 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer “@validateUrlEncoding” \
“chain, deny,log,auditlog,status:400,msg:’URL Encoding Abuse Attack Attempt’,,id:’950107′,severity:’4′”
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer “\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})”

This rule merely checks the URL encoding on a URL. I say merely, but this rule is also matched almost _all of the time_.

I haven’t actually run through the Drupal code and figured out why these are completely necessary, however I do know that they’ve fixed quite a few peoples problems.

Anyway, hope that clarifies some things for people.

The End.

Wait, I think I lost the focus of what I was doing. Oh. Use Max. Doitnow.

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

It’s pretty cool, actually. I wont include all of the scanning output here, but I will show the results of a scan from a (somewhat) default CentOS 5 install. Take a look if all of this magic security stuff interests you.


================================================================================