Jan 29 2010
 

After I wrote my piece about mod_security, the people at Packt Publishing offered me a copy of their book ModSecurity 2.5, with the proviso that I review it. This sounded like a reasonable idea to me.

Overall, I would recommend the book to people who are running Apache and need to know more about relatively simple ways to add security to their web sites. The book motivates the use of mod_security and convinced me that anyone hosting a web site should have it installed, ready to deal with any problems you encounter. The book goes through common scenarios and what mod_security can do to deal with them, including recent events such as an attack on Twitter in April 2009. All the examples are explained clearly, and the rule configurations will look familiar if you’ve had some practice writing either RewriteEngine directives or httpd.conf vhost configurations. It also shows how to send alert emails or count the number of times a file has been downloaded, which I thought were nice additions.

As is the case with any security system, there are layers upon layers of things you can do, and the book includes quite a few that I think are overkill unless you suspect you’re being targeted for some reason (such as financial or controversial sites). If you do have one of those sites, the chapter on blocking common attacks alone could save a lot of pain. Many of the common attacks are covered (SQL injection, XSS, etc.), along with ways to combat them.

The book includes instructions on installing a couple of GUI tools to help monitor incidents; I didn’t have time to install all of these given the OpenSolaris/Linux differences and it’s less important for me given the fact I’m not running sites that are likely to be attacked (my high-bandwidth sites are on commercial hosting). If you’re running important web sites, you’d probably want to set up these tools to work properly to save hunting through log files yourself.

I tested a few things out on the OpenSolaris box in the basement; getting it installed was a little different to the book (which is written mostly assuming a Linux web stack).

mod_security is installed with the 2009.06 version of the OpenSolaris web stack, but is not active. To activate it: pfexec cp /etc/apache2/2.2/samples-conf.d/security2.conf /etc/apache2/2.2/conf.d/security2.conf. Restart the server with svcadm restart apache22 and check that mod_security is installed by seeing if the logs are available under /var/apache2/2.2/logs. You can also check if the module is loaded by creating and executing a phpinfo file.
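
Log files appearing shows that the module is loaded, not that it is blocking anything. The following is an added example (not from this post or from the book): a small shell check that reads a security2.conf-style file and reports the effective SecRuleEngine mode and audit log path. The sample file contents and the audit log file name are constructed, and the parser ignores <VirtualHost> and <IfModule> nesting.

```shell
#!/bin/sh
# Added example: report how ModSecurity is configured in a security2.conf-style file.
# CONF_DEFAULT is the path from the post; pass another file as the argument.
CONF_DEFAULT=/etc/apache2/2.2/conf.d/security2.conf

# Print the value of the last uncommented occurrence of a directive.
# Apache directive names are case-insensitive.
modsec_directive() {
    # $1 = directive name, $2 = config file
    awk -v want="$1" '
        /^[ \t]*#/ { next }                        # skip comment lines
        tolower($1) == tolower(want) { val = $2 }  # a later line overrides an earlier one
        END { gsub(/"/, "", val); print val }
    ' "$2"
}

# Summarise the engine mode: blocking, detection-only, off, or missing.
modsec_mode() {
    conf=${1:-$CONF_DEFAULT}
    [ -r "$conf" ] || { echo "missing"; return 1; }
    case "$(modsec_directive SecRuleEngine "$conf" | tr 'A-Z' 'a-z')" in
        on)            echo "blocking" ;;
        detectiononly) echo "detection-only" ;;
        *)             echo "off" ;;   # ModSecurity 2.x defaults to Off when unset
    esac
}

# Constructed sample config (not the real OpenSolaris sample file).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample for illustration
SecRuleEngine DetectionOnly
#SecRuleEngine On
SecAuditLog /var/apache2/2.2/logs/modsec_audit.log
EOF

echo "engine mode: $(modsec_mode "$sample")"
echo "audit log:   $(modsec_directive SecAuditLog "$sample")"
```

On the OpenSolaris box, run `modsec_mode` with no argument to check the file copied into conf.d; anything other than "blocking" means rules are at most being logged.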

Jan 27 2010
 

One of the annoy­ing things about mov­ing to the 64-bit Win­dows 7 is that Palm decided not to sup­port USB syn­chron­iz­a­tion. Since my phone/PDA is a Treo 680, that’s a nuis­ance. In the­ory, I can sync via bluetooth. In prac­tice, it’s not as easy as it used to be.

First off, I had to get a bluetooth-USB dongle to use with my desktop PC. I plugged it in, Windows found it and installed the driver. That much worked. The page linked to above shows the steps to go through to enable the bluetooth synchronization with the Treo; following those steps worked just fine (although s-l-o-w-l-y) the first time. And then it stopped working, with an error message “unable to initiate hotsync operation because the port is in use by another application”.

I tried unplug­ging the bluetooth device, dis­abling it, noth­ing worked. I then fool­ishly installed the soft­ware that came with the device, which was a bad mis­take, as it made everything bluetooth-related stop work­ing. And even though I tried to unin­stall it after­wards, noth­ing worked.

I used Glary util­it­ies to clean the registry, it found a lot of entries that CCle­an­er, my pre­vi­ously favour­ite registry clean­er did­n’t. Res­ult: sup­posedly a clean­er registry, but no joy on the bluetooth device settings.

Pok­ing around on the web uncovered this, and since web­sites have a habit of dis­ap­pear­ing, tak­ing their use­ful inform­a­tion with them, I’m going to take the liberty of rewrit­ing the sali­ent points here.

Unplug the device. Go to the con­trol pan­el, then search for “ser­vices”. From the Ser­vices win­dow, browse the list of ser­vices and find the Bluetooth Sup­port Ser­vice, and double-click the entry. Select Auto­mat­ic from the Star­tup type and then click OK. Plug the device back in.

This at least meant that I could access the set­tings on the bluetooth device, which was an advance, even if I still could­n’t hot­sync. In the end, I dis­covered that if I added anoth­er couple of COM ports, that the Treo would hot­sync. Slowly, of course. And the next time I wanted to sync, I had to delete all the COM ports that the bluetooth dongle knew about, and add another.

My next phone/PDA will come from a com­pany that does allow USB syn­chron­iz­a­tion. On present form, it looks like it won’t come from Palm.

Jan 25 2010
 

After the pre­vi­ous set of Win­dows 7 adven­tures, I dis­covered that the box I bought does­n’t sup­port hard­ware-assisted vir­tu­al­isa­tion, which is needed for the Vir­tu­al XP mode. Option 2 for the scan­ner: try out a sep­ar­ate applic­a­tion called VueS­can, which claims to sup­port a large num­ber of scan­ners. Except for, this pro­gram needs the Can­on scan­ner drivers to first be installed. Which don’t exist. On to the next attempt: install Vir­tu­al Box, and put Win­dows XP on that as a vir­tu­al machine. The prob­lem with this was that the USB port kept claim­ing it was busy, and none of the vari­ous tips I found worked. Ver­dict: I could­n’t find a way to sup­port the Can­on 3000F scan­ner under Win­dows 7 64-bit, and will have to use my old XP laptop as a scan­ner driver until I have suf­fi­cient motiv­a­tion to buy a new scanner.

Mind you, installing the vir­tu­al­box + Win­dows XP combo ended up being use­ful any­way. Quick­Books 2003 installs, but does­n’t run, under Win­dows 7. I gath­er that even the latest ver­sions of Quick­Books have issues with Win­dows 7, so I simply installed the one I have in the Win­dows XP vir­tu­al machine. There was a bit of fid­dling involved in mov­ing data around, that involved installing the vbox guest addi­tions and set­ting up shared folders, but in the end it all worked. I sus­pect more than a couple of pro­grams will end up in that vir­tu­al machine.

Overall, I probably spent close to a week of work time setting up my work environment to be more or less where I was before my old PC died. It’s obvious they borrowed quite a bit from the Mac OS X environment, including hiding some of the useful functions. The menus fading in and out were starting to make me sea-sick until I found out how to turn that off (Control Panel -> System and Security -> System -> Advanced -> Performance Settings). I’m sure I’ll find more issues as I get more used to the environment, along with more programs that won’t install or work. Fortunately cygwin does work under Windows 7, along with Office 2003 (which I need for client compatibility).

Jan 21 2010
 

The EU has approved, the Sun/Oracle deal all but done, wait­ing for China and Rus­sia. James Gos­ling’s post shows the poignant side. How long, I won­der, will the blogs.sun.com web­site still be avail­able? How long to give space to memor­ies and reminders?

Some of my own memor­ies of Sun, in roughly timeline order:

Work­ing on the Sun booth at CeBiT in Ger­many (I was work­ing for a Sun reseller at the time). Watch­ing the US mar­ket­ing video at the after-clos­ing party, since the Ger­man mar­ket­ing team decided the video was­n’t appro­pri­ate. I still have the “Power of Sun” music CD, and a scarf with images of Sun workstations. 

Won­der­ing why Sun did­n’t sup­port Motif prop­erly, when all the oth­er Unix vendors did.

Find­ing a pos­i­tion at Sun that made use of the skills I have.

Meet­ings at Menlo Park; long, involved dis­cus­sions on all sorts of secur­ity and iden­tity subjects.

Sit­ting out­side the cafet­er­ia at the Menlo Park office, talk­ing to people.

The Sun-intern­al innov­a­tion con­fer­ence, mix­ing intel­li­gent, innov­at­ive, hard­ware, soft­ware, and oper­at­ing sys­tem people togeth­er, with din­ner on the beach.

The most fun I’d had at work in a long time on a good pro­ject with great people, that unfor­tu­nately fell vic­tim to the Great Fin­an­cial Crisis.

Really good people, know­ledge­able. Sun seemed to have a lot of people with integ­rity and ded­ic­a­tion. Also its share of less-know­ledge­able posers, of course, but the trenches were filled with good people.

There are lots of memor­ies out there; Sun was one of those com­pan­ies with an influ­ence lar­ger than its nom­in­al size. Those of us who were part of it, even if for a short time, won’t for­get it quickly.

Jan 19 2010
 

The mother­board on my old Win­dows XP box quit while I was tak­ing a break for lunch one day, and I decided to replace it with an updated Win­dows box. So I’ll keep on using a Snow Leo­pard laptop, OpenSol­ar­is serv­er, and Win­dows 7 as well. 

Maybe I was ask­ing for trouble, going with the 64-bit ver­sion of Win­dows 7 Pro­fes­sion­al, but with a quad core Intel box it seemed a shame to not do so. Most of the tools I use every day (like Fire­fox and Pidgin) are easy to rein­stall and thus ignor­able. But there are some that cost me a little more time to fig­ure out. Admit­tedly, it’s a some­what eclect­ic collection.

First off, mail. I use Pegas­us Mail, have for many years, and it suits the way I work. Every time I’ve upgraded, it’s worked flaw­lessly. This time, it took a while before I figured out that I needed to not take the defaults in the install, but rather uncheck the “cre­ate user con­fig­ur­a­tion” box, and then in the fol­low­ing con­fig­ur­a­tion step select “single user only”. After that, copy­ing across the mail and con­fig­ur­a­tion file worked per­fectly to set it up right.

The Palm desktop presents more of an issue. It turns out that you can­’t use a USB con­nec­tion to syn­chron­ize under the 64-bit ver­sion of Win­dows 7, so I’ll have to get a bluetooth adapter to syn­chron­ize my Treo 680. Or get a new phone. I’m still mulling the options on that one.

Print­er: the HP Col­or Laser­jet CP1510 drivers and soft­ware won’t install from the CD. This isn’t really an issue; the default Win­dows 7 driver works fine but does­n’t show you the toner status etc. For­tu­nately, the HP.com web­site has an updated “advanced” driver. Except for, it does­n’t do all the status stuff either, appar­ently. Oh well.

The scanner is an ancient one from Canon, the 3000F. The scanning application won’t install. There are no drivers or updated applications on the Canon web site for Windows 7. The toolbox application for scanning and copying shows up on c|net, at http://download.cnet.com/CanoScan-Toolbox/3000-2094_4-10972136.html (it may be a dead link by the time you read this), but without the drivers it isn’t much use. Hunting around on the web showed that this is a case for the Virtual XP mode. This consists of 2 downloads, the first of which is 500 MB. The current estimate on our currently floaky DSL link is almost 2 hours to go, so I think I’ll go and do some real work while waiting for it to trickle in, and continue this post when I’ve made some more progress.

Jan 05 2010
 

Some months ago, Time magazine pub­lished an art­icle called Why the Office Oddball Is Good for Busi­ness, about how really pro­duct­ive meet­ings need someone in them to stop too much con­sensus too early. The art­icle starts

Want to get the most out of your next brain­storm­ing ses­sion at work? Bring in an oddball. If you can­’t find an oddball, try a naysay­er or even a mere stranger — any­one who can keep things vaguely uncom­fort­able. If that sounds like a pre­scrip­tion for one of the worst meet­ings you’ve ever had, suck it up and go any­way. It might also be one of the most productive.

It does sound like the recipe for an act­ive meet­ing, one in which every­body has to be on their toes, listen­ing for the real mean­ing behind the words. A meet­ing in which those catch­ing up on their email will miss some­thing import­ant. A meet­ing which may not pro­duce agree­ment, but will pro­duce more clar­ity on pre­cisely what it is you dis­agree about. If you’re going to have a meet­ing, isn’t that what you want? A meet­ing to pro­duce res­ults, not just nods around the table from people who aren’t really pay­ing attention?

Which is not to say that every meet­ing should be uncom­fort­able; lots of meet­ings are to hash out details where people agree on the basics. But it’s amaz­ing how often people think they agree about some­thing until they’re chal­lenged to explain it in detail, which is where they dis­cov­er they dis­agree on the explanation. 

Whether any person raising uncomfortable issues is welcome depends on who’s running the meeting, whether they’re looking for results or, instead, looking for uncritical approval of what they want. I’ve also seen cases where the person running the meeting claims to want the uncomfortable questions asked, but in reality doesn’t. It’s hard, allowing the difficult questions. Answering them is tough, admitting you don’t have answers to all of them can be tougher. So the tendency is to squelch the questions, usually by squelching the questioner. I suspect this tendency contributes to a certain number of business failures.
