geekwisdom's blog

Outlook and Outlook Express Users Want to Reply to Digitally Signed E-mail

Fri, 25 Apr 2008 11:17:03 -0400

You are probably reading this post because you are an Outlook or Outlook Express user and you tried to reply to a digitally signed e-mail from me. The result was a warning/error notice stating, "You cannot send digitally signed messages because you do not have a digital ID for this account." or some such thing. You are receiving this notice because Microsoft made a mistake in the default configuration settings when it packaged Outlook and Outlook Express for distribution.

/bin/rm: Argument list too long

Thu, 06 Dec 2007 10:44:58 -0500

Do this instead: find . -name '*' | xargs rm

Don't send me unsolicited commercial e-mail

Thu, 15 Nov 2007 14:04:31 -0500

Dear [spammer's name here],

Please don't send me unsolicited commercial e-mail anymore.

I don't want to be nasty. So here's a little free end-user feedback on your marketing technique. These are the thoughts that went through my mind when I received your e-mail:

If I need something like this I'll do the research and pick the product.
However, because you spammed me about yours I'll probably contact "the other guy" before I contact you. That is, if I ever contact you.

Thanks for removing me from your list.

----------

But alas, who replies to spam? It was at least good to get it off my chest.

Populating a PostgreSQL Calendar Table

Sun, 28 Oct 2007 16:01:59 -0400
I'm using PostgreSQL for my data warehouse. I needed a calendar table for doing joins and a quick way to populate it. So I created my calendar table with:

CREATE TABLE "CALENDAR" ( "YYYYMMDD" date NOT NULL );

Then I populated it with the following SQL:

INSERT INTO "CALENDAR" ("YYYYMMDD") select to_date('20000101', 'YYYYMMDD') + s.a as dates from generate_series(0,36524,1) as s(a);

This quickly puts records into the CALENDAR table for every day starting with 1/1/2000 and ending with 12/31/2099.

Focus your energies on commonalities between threats

Fri, 15 Jun 2007 10:47:19 -0400
In Rare Risk and Overreactions Bruce Schneier writes, "If you want to do something that makes security sense, figure out what's common among a bunch of rare events, and concentrate your countermeasures there. Focus on the general risk of terrorism, and not the specific threat of airplane bombings using liquid explosives. Focus on the general risk of troubled young adults, and not the specific threat of a lone gunman wandering around a college campus. Ignore the movie-plot threats, and concentrate on the real risks."

Accounts everywhere!

Fri, 15 Jun 2007 10:47:19 -0400
I've been thinking about all the Internet sites that I've created an accounts on for one reason or another. It has to be in the hundreds. Of those sites I wonder how many of them would let me delete my account completely. Very few I bet. Probably the most universal method of deleting my account--at a site I no longer want to have a relationship with and does not offer a "delete me" mechanism--is to poison the account with bogus information. I could change all the information about me to false information and, if allowed, change my e-mail address to something bogus as well. I guess I'd have to read the terms of use policies but isn't this my account?

Stop form spam by using CSS to hide a field

Wed, 30 May 2007 12:10:07 -0400

I hate form spam. Whether the form is a contact form, a survey, or something else spamming can make life a pain. SANS has an interesting piece on techniques that can be used to reduce or prevent form spam. In my opinion the solution that has the least impact on legitimate users, is easy to implement, can be implemented in numerous ways, and has the highest negative impact on spammers is the best. That's why I like the idea of including a form field that is required to be empty. To make it easier on legitimate users the field can be hidden using CSS. This way legitimate users aren't bothered with it, yet spambots are compelled to fill it in.

Change your e-mail password

Mon, 12 Feb 2007 16:15:34 -0500
When was the last time you changed your e-mail password? If you're like most people, you probably can't remember. That means it's been too long. How about some external motivation? Consider the number of Internet processes that assume you have control of your e-mail account:

e-commerce applications

Web site membership enrollment processes

domain registration and management

hosting providers

What would happen if a bad guy figured out your e-mail password? He could change your password. But why would he do that when he could use your account at the same time as you. He could request a password change from any Web site that uses e-mail confirmations. Perhaps one of the worst things that could happen to you is to lose your domain name. Imagine if the bad guy transferred your domain name to another registrar into an account that he controlled. How much damage would that cause?

Configuring Firefox 2 for Increased Security

Tue, 12 Dec 2006 21:41:28 -0500

Web browsers have become the de facto client interface to Internet based applications. As we travel around the Internet, whether for pleasure or business, we find ourselves creating personal profiles for various Web sites. These profiles usually include access credentials (usernames and passwords). Good password management practice calls for many distinct passwords. But this proliferation of passwords results in the need for strong password storage. In addition to password management we need to give some thought to encrypted communications. We typically just install a browser and start surfing without any thought for the decisions other people have made for us about who we should trust or how we should communicate. The default settings for SSL/TLS are a good example of this.

High Availability Web Services Using HAProxy

Thu, 09 Nov 2006 14:36:23 -0500

I was recently tasked with increasing the up time of my employer's main Web site. The site uses a content management system that lives on two Windows/IIS servers. (I know, the system was purchased before I was hired.) One server is for making changes to content (design-time server) and the other is the public web site (run-time server). The design-time server has a complete copy of the site which is replicated to the run-time server. Unfortunately the run-time server has a habit of refusing to serve pages at the most inopportune times, usually when I'm on vacation or somewhere without a computer.

Butt Kicking Chair

Thu, 27 Jul 2006 09:23:28 -0400

A couple of years ago I was sitting in one of those mind numbing meetings about stupid users or some such thing when I began to doodle and hit upon an idea. Wouldn't it be cool if all of our users sat in specially designed (or retrofitted) chairs that were capable of producing a shot to the sitter's posterior. The idea called for a chair, a boot, a lever, an actuator, a small computer with a network connection (wired or wireless), and some custom software. The computer would provide a network interface that would allow an administrator or help desk person to send a request to the chair and the person sitting in it would get a single kick in the pants. The idea for the interface later morphed into a web page and/or XML-RPC interface that listened to requests from authorized administrators which would trigger the butt kicking as well as various presets (single kick, small whooping, smack down, death by boot, etc).

Sending Cache-control Headers Using Apache 2.x and mod_expires

Wed, 29 Mar 2006 12:44:42 -0500

About a year ago I wrote about how use mod_header with Apache 1.3x to send Cache-control headers. It worked so well that I want to configure my Apache 2.x servers to send the same headers. It's even simpler with Apache 2.x since mod_expires is included in most default installs. Here's what I did.

I added a configuration directive for the main server configuration (inside the Directory block) which sends the Cache-control header for common graphics.

Mitigate the risks of a stolen laptop

Wed, 15 Feb 2006 16:45:59 -0500
Think about it for a second. What would you loose if someone stole your laptop (or desktop) computer? What kind of damage could be done to you with the information retrieved from your laptop? The theft of a computer brings with it all the problems associated with a failed hard drive plus the added risks of the data on the drive being out of your control and potentially used by an unauthorized person for things that are likely to impact you negatively.

Javascript Password Strength Meter

Fri, 20 Jan 2006 22:49:56 -0500

What makes a strong password? This quick and dirty password strength meter is meant to help users learn how to create stronger passwords. Because it's written in Javascript the password is never sent over the network. Feel free to audit the code and recommend some better regular expressions, weightings, or bug fixes by submitting a comment.

Constructing event-driven services in a service-oriented architecture

Tue, 17 Jan 2006 14:23:08 -0500
In the article Event-driven services in SOA Jeff Hanson provides a helpful overview of how to use Mule to construct event-driven services in an SOA. We are investigating the use of Mule and ActiveMQ as foundational components of our messaging framework for our identity management project at my day job.