Recently in Security Category

It's to the point now that a few of my Norton AntiVirus 2002/2003 installs' subscriptions are set to expire. I've heard bad things about NAV 2004; things like it has MS-like activation, and that it sucks up more resources than the older versions.

So, I figure it's time to snag some new AV software. I've had bad experiences in the past with McAfee, but I hear version 7/8 is pretty good.

There's also TrendMicro and Panda. I want something that works and paying $49 for Norton AV is a retarded price anymore.

What do you use on Windows?

While I really like the Firebird 0.6 browser, there is one annoying thing that is keeping it from being my only browser: the apparent lack of SSL certificate options or management, forcing me to still load Mozilla on occasion.

When I installed my latest servers last year, I decided to protect things like IMAP, POP3, SquirrelMail and the MovableType admin pages with SSL using custom signed SSL certificates. In IE and Mozilla, this meant loading a client-side certificate to gain access to those services. I haven't yet found a way to do that in Firebird, which means it can't access my MT and webmail pages. :-(

IE Bloweth Goateth


Once again, showing how much ass IE really does suck. Now you can DDoS IE with a single line of code (The link is safe. It goes to a security notice).

And the magic line is (drumroll please....) :

<input type>

Nice. Very impressive indeed.

Citibank ATM PIN Vulnerability


Well this is an eye opener. Apparently, the way Citibank creates/stores/verifies ATM PIN numbers has a few huge security holes. Oh what fun. Even better, they are filing for a gag order to keep it a secret (whoopsie).

MT Upgrade / Changes


Day 1 of 365. Place your bets and sit down for the show. In no certain order I set forth the following degree of intents for the day:

  • Upgrade MT from 2.5 to 2.51 - Done.
  • Reapply / Recreate MT patches.

    There are two things that bug me about MT in my situation.

    1. Trackback URLs.

      I rewrite the URLs on this site to avoid page/language specific file names, make them easy to remember, and make them more durable even if the page names change. See "How to succeed with URLs" and Slash Forward over at A List Apart for more info.

      So, /blog/perl/ is really /blog/perl.xsp. While all of the links on my site use the /blog/perl/ method, Trackback pings still send /blog/perl.xsp, which means that if I ever change the file name, all external Trackbacked links will be broken while all the others will work. I know. I know. I can add another rewrite to remap .xsp to .chl. But I'd prefer to just have control over the Trackback URL format to begin with.

      So, it's time to get all proper and patch the admin interface to allow me to change the Trackback URL before it gets sent. Easier said than done.

      I think the least intrusive way to do this is to add hooks into the $MTEntryLink$ tag handler to call or use plugins.

      Ouch.. I just realized after all this time that my Trackback urls are completely bogus because an Entry's Trackback Id IS NOT the same as the Entry Id. To make matters worse, there is no $MTEntryTrackbackID$ tag. The only way to get the Trackback ID is via the $MTTrackbackURL$, which uses $MTCGIPath$. Even worse. If your CGIPath/Admin GUI is on a secure site, THAT is the url used, not the url of the local site blog url. :-(

    2. Outgoing HTTP Traffic

      I love having MT send out pings to the "Recently Updated" list on the MovableType homepage. I would also love to have MT send out pings to other sites in both Trackback and Updated form. However, this is where paranoia kicks in.

      I'm a big proponent of Egress filtering on the firewall/servers. In the unfortunate event that a server gets hacked or catches the viri of the week, the server will still not be allowed to initiate a connection to an external server on its own; especially to common ports like port 80 to further spread the love. This causes a problem because MT Trackback/Updated pings need to be allowed out from the server to anywhere using port 80. Bummer.

      The solution? Well, in theory, the outgoing ping code using the LWP module could be told to bind itself to a different non-default ip/port on the server. Then we can filter on the firewall/server to allow port 80 from this special address out to the internet port 80. This would allow pings out from MT, but all normal outgoing port 80 traffic on the machine to still be blocked.

      We shall see.

      Update

      Well, the good news is that I patched the docs and modules to add a new blog preference: ping_interface. Now I can specify an alternate ip:port to bind to when sending out pings. Once I get my Trackback URLs fixed, I'll work up some patches and submit them to the MT crew. Hey, why not right?

If I get those two things done, I'll be happy.
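
The source-address binding described under "Outgoing HTTP Traffic", as an added example (this is not the ping_interface patch or any MT code): LWP binds its client socket to a dedicated address, and a loopback listener reports the source address it saw, which is the field the egress rule matches on. Assumptions: 127.0.0.2 stands in for the dedicated ping address (Linux loopback), a GET stands in for the ping, only the address is bound while the kernel picks the source port, and 192.0.2.10 in the closing comment is a placeholder.

```perl
#!/usr/bin/perl
# Added example: send "pings" from a dedicated source address so the firewall
# can allow port 80 egress from that address only and drop everything else.
use strict;
use warnings;
use IO::Socket::INET;
use LWP::UserAgent;

# Assumed stand-in for the dedicated ping address (any 127/8 address on Linux).
my $PING_SOURCE = '127.0.0.2';

# Constructed stand-in for the remote ping server: it answers one request
# with the source address of the connection it accepted.
my $listener = IO::Socket::INET->new(
    LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 1, ReuseAddr => 1,
) or die "listen: $!";
my $port = $listener->sockport;

my $pid = fork();
die "fork: $!" unless defined $pid;
if ($pid == 0) {
    my $conn = $listener->accept or exit 1;
    my $seen = $conn->peerhost;
    # Consume the request headers up to the blank line before replying.
    while (my $line = <$conn>) { last if $line =~ /^\r?\n$/ }
    print $conn "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n",
                "Content-Length: ", length($seen), "\r\n\r\n", $seen;
    close $conn;
    exit 0;
}
close $listener;    # parent keeps only the client side

# local_address makes LWP bind() the outgoing socket to this address before
# it connects; every other process on the host keeps the default source.
my $ua = LWP::UserAgent->new(local_address => $PING_SOURCE, timeout => 10);
my $res = $ua->get("http://127.0.0.1:$port/ping");
waitpid($pid, 0);

die "ping failed: ", $res->status_line, "\n" unless $res->is_success;
my $seen = $res->decoded_content;
die "server saw $seen, wanted $PING_SOURCE\n" unless $seen eq $PING_SOURCE;
print "server saw source address $seen\n";

# Matching egress policy in iptables syntax (192.0.2.10 = placeholder address):
#   iptables -P OUTPUT DROP
#   iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A OUTPUT -s 192.0.2.10 -p tcp --dport 80 -j ACCEPT
```

Matching on the source address alone keeps the rule simple; pinning a fixed source port as well limits the host to one outgoing ping connection at a time.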

OpenSSH 2.5 Released


Looks like a new version just hit pavement over at OpenSSH.com. Read the announcement here. Damn. I just got finished upgrading and patching. Guess I know what I'll be doing this weekend.

Big Bro Still Wants a Key


If there ever was a time to start using *pgp products, this will be one of them. From News.com :

Replied Freeh: "I have not given up on encryption." In his statement at the time, he said that "law enforcement remains in unanimous agreement that the continued widespread availability and increasing use of strong, non-recoverable encryption products will soon nullify our effective use of court-authorized electronic surveillance." ... Soon after the Sept. 11 attacks, Gregg said he would introduce legislation to limit the availability of encryption without backdoors for government spying. After encountering widespread criticism, however, Gregg chose not to introduce the proposal.

God forbid we should be able to keep other people from seeing what we type, especially Big Brother. Outlaw guns, only criminals have guns. Outlaw encryption, yadda yadda. Just ask Australia how well outlawing guns went and what it did for their crime rates.

About this Archive

This page is an archive of recent entries in the Security category.
