Northern Voice 2006

 Conference  Comments Off on Northern Voice 2006
Jan 172006
 

I’m on the organ­ising com­mit­tee for North­ern Voice again this year, the small, non-cor­por­ate blog­ging con­fer­ence that was such fun last year. This year prom­ises to be just as good, although I’ll be com­ing in jet­lagged and won’t make it to the add-on Moose Camp (y’all have a good time there without me, ok?). 

We’ve finally put the sched­ule up, and the regis­tra­tion page is live, and it looks like we will have a full house again, with regis­tra­tions this year filling up much faster than for last year. So if you want to make sure you can attend, and you’re not milling around hop­ing for last-minute can­cel­la­tions, regis­ter­ing soon is your best hope! And no, we can­’t sneak more people in as we have strict num­ber lim­its due to fire reg­u­la­tions. Sorry.

Learning Identity

 Identity and Privacy  3 Responses »
Jan 062006
 

One of the things I’ve found about try­ing to fig­ure out iden­tity man­age­ment con­cepts and tech­no­logy is that there are lots of nuances, lots of things to worry about, and it tends to make you more wary (which I guess is all to the good). I now am more care­ful about wheth­er web­sites have believ­able pri­vacy policies before I sign up for them, I have a num­ber of free email accounts for the sole pur­pose of get­ting news­let­ters or regis­ter­ing at web­sites, and I more often fig­ure the inform­a­tion on these web­sites is unlikely to be worth the effort. 

It’s excit­ing though, being part of some­thing that is import­ant and where people are real­ising the import­ance more day by day, sort of like XML in the early days where people start­ing say­ing, yes I do have that prob­lem and maybe this tech­no­logy can help solve it. So part of what I hope to do in the com­ing year is help the Liberty Alli­ance fig­ure out how to help people learn what they need to know about some of these con­cepts, tech­no­lo­gies, and spe­cific­a­tions. Iden­tity man­age­ment is start­ing to expand bey­ond the “in group” now as more people start to real­ise the import­ance of build­ing it (and secur­ity) into sys­tems from the begin­ning rather than try­ing to bolt it on after­wards. Fig­ur­ing iden­tity out takes time – iden­tity man­age­ment is inher­ently com­plex (well, more com­plex than XML, any­way ;-)) and although Ein­stein’s fam­ous quote says things should be made as simple as pos­sible, it also says “but not simpler”.

One of the things that Liberty does to tell people about Liberty-related aspects of iden­tity is to host web­casts on a reg­u­lar basis. This month’s is on the People Ser­vice:

The Liberty ID-WSF People Ser­vice, a key com­pon­ent in ID-WSF 2.0, is the industry’s first com­pre­hens­ive plat­form for man­aging social inform­a­tion with­in an open fed­er­ated net­work envir­on­ment. People Ser­vice allows con­sumers and enter­prise users to man­age social applic­a­tions such as book­marks, blog­ging, cal­en­dars, photo shar­ing and instant mes­saging from a com­mon lay­er with­in the ID-WSF 2.0 frame­work. Liberty People Ser­vice has been developed to allow indi­vidu­als to eas­ily store, main­tain, and cat­egor­ize online rela­tion­ships so that oth­er socially-aware Web ser­vices applic­a­tions can lever­age inform­a­tion based on the con­sent and pri­vacy con­trols estab­lished by a user in the fed­er­ated social net­work. With Liberty Alli­ance People Ser­vice, con­sumers and enter­prise users can now cent­rally man­age all of their online social rela­tion­ships using a fed­er­ated net­work approach with pri­vacy con­trols built into the sys­tem allow­ing users to lever­age the pri­vacy func­tion­al­ity of Liberty Web Ser­vices to more eas­ily and securely share social and enter­prise inform­a­tion across applic­a­tions, plat­forms and ser­vice pro­viders. In this Web cast, we’ll over­view the func­tion­al­ity of People Ser­vice and provide some use case examples. You won’t want to miss this highly inform­at­ive session.

The web­cast is on this com­ing Wed­nes­day (Janu­ary 11, 2006) at 8 am Pacific; if you’re think­ing of listen­ing in please register soon (prefer­ably by Monday) so there will be enough phone lines booked.

Phishing Sophistication

 General, Technology  Comments Off on Phishing Sophistication
Jan 052006
 

I’m start­ing to be impressed by the (almost) soph­ist­ic­a­tion of phish­ing attempts. The latest one in my inbox today con­tained a mes­sage from someone pur­port­ing to have bought an item via eBay that they had­n’t received and unless they heard back they were going to com­plain to eBay and then the police — I can quite see some nervous seller who thinks there might be a mis­take in the sys­tem click­ing on the “log in to eBay mes­sage cen­ter” link (which of course does­n’t go to eBay at all) to try to rec­ti­fy it. 

Mind you, the spam fil­ters are also start­ing to become soph­ist­ic­ated — my ISP adds head­ers to the email mark­ing poten­tial spam and this one tripped a num­ber of meters, adding up to quite a lot of red flags. Some of them are, on their own, quite legit­im­ate of course, but not all:

    1.0 FROM_ENDS_IN_NUMS      
        From: ends in numbers
    1.3 RCVD_NUMERIC_HELO      
        Received: contains a numeric HELO
    1.0 MSGID_SPAM_CAPS        
        Message-ID =~ /^\s*< ?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
    0.1 HTML_TAG_EXISTS_TBODY  
        BODY: HTML has "tbody" tag
    0.4 HTML_70_80             
        BODY: Message is 70% to 80% HTML
    0.1 HTML_FONTCOLOR_BLUE    
        BODY: HTML font color is blue
    0.7 MIME_HTML_ONLY         
        BODY: Message only has text/html MIME parts
    0.2 HTML_MESSAGE           
        BODY: HTML included in message
     0.3 HTML_FONT_BIG          
        BODY: HTML has a big font
    1.1 MIME_HTML_NO_CHARSET   
        RAW: Message text in HTML without charset
    0.2 MIME_QP_LONG_LINE      
        RAW: Quoted-printable line longer than 76 chars
    0.4 NORMAL_HTTP_TO_IP      
        URI: Uses a dotted-decimal IP address in URL
    0.1 FORGED_HOTMAIL_RCVD2   
        hotmail.com 'From' address, but no 'Received:'
    3.0 FORGED_MUA_OUTLOOK     
        Forged mail pretending to be from MS Outlook
    0.6 MISSING_MIMEOLE        
        Message has X-MSMail-Priority, but no X-MimeOLE
    1.1 FORGED_OUTLOOK_HTML    
        Outlook can't send HTML message only
    1.1 MIME_HTML_ONLY_MULTI   
        Multipart message only has text/html MIME parts
    1.1 FORGED_OUTLOOK_TAGS    
        Outlook can't send HTML in this format
    3.0 SARE_MSGID_YAHOO       
        Message-ID is forged, (yahoo.com)
    1.1 HTML_MIME_NO_HTML_TAG  
        HTML-only message, but there is no HTML tag

After I saw this I promptly went and got the latest ver­sion of Pegas­us Mail, which I use for my per­son­al email. Pegas­us has always had good anti-vir­us pro­tec­tion, has had decent spam fil­ter­ing for some time, and shows the real URL that is being linked to on HTML emails, but it now advert­ises anti-phish­ing checks as well. It will be inter­est­ing to see how well they work in practise. 

Woody to Sarge

 Technology, WordPress  3 Responses »
Jan 032006
 

Ive been intend­ing on upgrad­ing my Debi­an firewall/blog box to the latest ver­sion, called ‘sarge’ (a.k.a 3.1) for some months now. Today was the day I decided to finally bite the bul­let. Since I’ve been using back­ports of unstable ver­sions of soft­ware, such as MySQL (see Upgrad­ing MySQL on Debi­an for that pro­cess, and Enabling Thumb­nails for the pro­cess to upgrade libgd) I figured this could be a little trick­i­er than I really like, and I should be pre­pared. Here’s the his­tor­ic­al record of actu­ally get­ting it run­ning. YMMV, of course!

First, the doc­u­ment­a­tion on the Debi­an web site is good. The upgrad­ing instruc­tions are writ­ten per hard­ware plat­form and seem com­plete. I star­ted, as recom­men­ded in Upgrad­ing your Woody sys­tem by repla­cing the word “stable” in the /etc/apt/sources.list file with the word “woody” and then check­ing I had woody’s ver­sion of aptitude installed.

After copy­ing the recom­men­ded files to a safe loc­a­tion (that’s a lot of files!), I deleted the /etc/preferences file after sav­ing a copy — this is the file that says which ver­sions of any soft­ware to use. Since to begin with I want to use a clean, stand­ard Debi­an sarge dis­tri­bu­tion, I don’t need this file. Then it was on to sec­tion 4.2.2, “Check­ing pack­ages status”. I found that apt-get showed no holds, but aptitude showed that php4 was on hold (I can­’t ima­gine why). So I got rid of the hold.

After that, I just fol­lowed the steps, tak­ing the defaults mostly (since I did­n’t under­stand some of the ques­tions, that was an easy choice! One day I might under­stand what pango and defoma are all about, but in the mean­time I’ve decided not to both­er). There were a couple of mes­sages that mostly seemed ignor­able (note to self: upgrade exim3 to exim4 at some stage in the future) and all in all the pro­cess ran smoothly, if not par­tic­u­larly fast on my old, slow Pen­ti­um box. 

Time to check the res­ults — try my web site and find it’s been replaced by a gen­er­ic “wel­come to an Apache web site” mes­sage. The web serv­er has been magic­ally upgraded to Apache 2.0, which I had­n’t quite expec­ted or planned for. Oh well, time to hit the Apache documentation.

There’s a big dif­fer­ence between Debi­an upgrade doc­u­ment­a­tion and Apache upgrade doc­u­ment­a­tion. Where the Debi­an upgrade instruc­tions are exactly that (“Do this, then this. Run this com­mand and if you get this out­put, do this, oth­er­wise do that”), the Apache doc­u­ment­a­tion on Upgrad­ing to 2.0 from 1.3 is basic­ally a list of fea­ture changes, rather than instruc­tions on how to upgrade or what modi­fic­a­tions need to be made to the con­fig­ur­a­tion files. Look­ing at the con­fig­ur­a­tion files them­selves in the Debi­an Sarge Apache 2 dis­tri­bu­tion you can see, for example, that httpd.conf has changed markedly from being the main con­fig­ur­a­tion file to con­tain­ing simply a com­ment say­ing it exists for back­wards com­pat­ib­il­ity only. The README file does have some clues to the new files, with short descrip­tions of what they’re used for. The most inter­est­ing new dir­ect­ory to me was sites-enabled, which seemed to have some­thing to do with set­ting up vir­tu­al hosts. So I typed sites-enabled into the Apache doc­u­ment­a­tion search engine and found no hits what­so­ever. The Vir­tu­al­Host part of the doc­u­ment­a­tion for Apache 2.0 says “Below is a list of doc­u­ment­a­tion pages which explain all details of vir­tu­al host sup­port in Apache ver­sion 1.3 and later.” Hmmm, things do seem to have changed some­what between Apache 1.3 and Apache 2.0. On the oth­er hand, it’s always pos­sible that this par­tic­u­lar con­fig­ur­a­tion and choice of dir­ect­ory names etc is due to Debi­an rather than Apache; the Debi­an dis­tri­bu­tions do have a repu­ta­tion for put­ting files in places that are unex­pec­ted and maybe this has exten­ded to the names used in the Debi­an fla­vour of the Apache install­a­tions. If this is the case it’s not sur­pris­ing it isn’t doc­u­mented on the Apache web site.

For­tu­nately oth­ers have writ­ten this up; I found Upgrad­ing to Apache 2 which described the pur­pose of the sites-enabled and sites-avail­able dir­ect­or­ies in ways that make sense and worked when I tried them out. The same prin­ciples apply to mak­ing the mod_rewrite mod­ule avail­able, which Word­Press uses for rewrit­ing the URLs for archives and categories.

So far, so good. My web site is avail­able again, just not my blog. The error mes­sage is “Your PHP install­a­tion appears to be miss­ing the MySQL which is required for Word­Press”. When I check, all the neces­sary pack­ages are installed. A quick search through the Word­Press sup­port site turns up that I’ve for­got­ten to uncom­ment the MySQL mod­ule in the php.ini file. I’m so used to Debi­an just doing the right thing that it seems odd to have to make that change, some­how. Now my blog is back as well, everything else seems to be work­ing, no files seem to have been lost, and over­all the upgrade was a lot less pain­ful than I had anticipated.

/* ]]> */