ramblings of a {sys,net}admin…

I’m not a big fan of Instant Messaging, but since so many people that I know are, I decided to set it up again. Okay, so really Lindsey wanted to use it, but then I got an idea…

I already have an account on Google, and they offer an IM service which they call Google Talk. It’s based on the (open) XMPP standard and you can use any standards-compliant “Jabber” client with it. I already use Psi at work on our internal IM system (also Jabber) so I’m familiar with it.

Anyways, long story short, I’m using Psi to connect to Google Talk, and also using a gateway on msn.cs.princeton.edu to manage a contact into the MSN Messenger IM network for me. Since Google Talk uses SSL, this gives the added benefit of having everything between my client and the Google servers encrypted with SSL (this is good for me, for reasons I won’t go into here), which is good enough for me.

Regardless, I can now be reached via Instant Messenger in two ways:

• -Jabber ID: jlgaddis at gmail.com (I think), and
• -MSN: jeremy at linuxwiz.net

Obviously the “at” should really be an “@” sign, just like an e-mail address. Shoot me an IM sometime!

So I finally got the “ok” from the powers that be to begin the process of migrating our web servers from IIS on Windows 2000 to Apache on Red Hat Enterprise Linux. I sent out what I thought was a pretty convincing e-mail to all of those who are somewhat involved in the whole deal voicing my opinions and thoughts. I was going to include it here, but it’s reallllllly long, so I won’t.

Long story short, it worked. I was actually off work at the time I composed the message, due to a surgery I was having. After I got back, six or seven of us got together in a meeting to discuss, among other things, the pros and cons of migrating the site over to Linux. I got the okay.

Now, the last week or two I’ve been looking into various issues. I mentioned I could do this whole project on existing hardware with minimal financial costs. Now I’ve got to prove it. We had just ordered some new PCs to replace some aging ones, which proved to be good timing. I’ve now come into possession of a number of those “aging ones” and am going to be utilizing them for this project. Right now, I have two PCs that have dual 650MHz CPUs, 512MB of RAM, and plenty of drive space to host our website. Thus far this year, we’re averaging around 1.15 million hits/month, so we’re not outrageously high traffic or anything like that and these PCs should be plenty sufficient to do the job. I also have plenty of spare parts on hand in case any should die, and I can always beef up the RAM and such a bit, if necessary (I don’t think it will be).

I’m also going to be doing a bit of “rearranging” of hardware. I currently have two unused 73GB SCSI drives and a couple of servers that I’m going to “swap around”:

• a dual 866MHz server currently doing nothing, and
• a 933 MHz server running Squid and a few in-house web apps.

The plan, which involves a lot of swapping of hardware, will end up like this:

• a 933MHz server running either MySQL or PostgreSQL, and
• a dual 866MHz server running Squid.

The server running Squid is by far the one that’s the “busiest”, as we have users (students, mostly) surfing the web all day long (duh!). It has the highest load average of any of them and will benefit the most (I think) from the extra CPU power. Then, the 933MHz server will be a dedicated database server to support the databases used by our website (which is currently completely static — more on that later) and other databases used internally (most of our database stuff is on Microsoft SQL Server).

There are a few things that I was still kinda unsure about, but that was pretty much taken care of today. The two PCs that will be running the web site will be using heartbeat in an active/passive failover mode. That way, if the primary server goes down or otherwise becomes unavailable, the other will step up and take its spot. This should help me sleep a bit better as I don’t have to worry so much about when one of them dies. Now, if they both at the same time, then we have issues. =)

Today I got the two PCs set up identically with most things set up before I “imaged” the second one (Apache, postfix, etc.) so those are ready to go. I just installed heartbeat tonight and I’m actually thinking about going back in tonight to install an extra NIC in each one (for monitoring with heartbeat — crossover cable, baby!) and hookup a modem cable between ‘em. Of course, I’ll have each of their NICs plugged into separate switches and such to help provide a bit more redundancy.

So, I still have some work ahead of me, but I have faith that everything is going to work out well. Oh, I mentioned earlier that our web site is completely static. If anything on it changes, it’s because someone changed it by hand. This wouldn’t be so bad if we didn’t have “dynamic content” on our site. Take our little “events calendar”, for example. Anytime a new event is announced or coming up or what have you, $webmaster has to go in and manually update the site. “Wouldn’t it be nice if he didn’t have to?” was one of the questions I asked in my initial persuasive e-mail. The thought being that we can set up a front-end web app so that authorized users can add their own events to the database backend. Then, whenever the web page is accessed, it will automatically pull the latest event info from the database. Common sense, yes, but evidentally it’s not so common. Oh, and have I mentioned that I hate ASP? Well, I do, and I won’t write any if I can avoid it. At least if it’s on Linux, I have my choice of C, Perl, PHP, etc. I shudder when I think about having to do this in ASP. Oh, and the same thing for podcasts. We just “launched” our first official podcast, and will have more coming up. It’d be nice if the right people could access a front-end to upload their MP3 files, provide the info (title, description, etc.) of the podcast and have it automatically made available via our XML feed. Once again, common sense.

So, long story short (have I said that already?), this is going to be a pretty fun project to get going. I’m a huge FOSS freak, so I view it as a victory for the open-source world. =) Stay tuned, and I’ll keep you updated on how it’s going.

For anyone out there running a combination of Exchange 2003 and Outlook 2003 and who aren’t doing it already, you should really do your users a favor and configure Outlook 2003 for RPC over HTTP, especially if you already have Outlook Web Access enabled from outside your networks (so that your users can check e-mail from home, for example).

I set up RPC over HTTPS maybe a week or so ago at $work, and I have to say it is GREAT! Before, I would just leave a Firefox tab open to my organization’s OWA server and manually refresh it all the time. Now, I don’t have to!

For those of you who don’t know, enabling RPC over HTTPS (don’t use HTTP) allows your users to use the full, “thick” Outlook 2003 client from anywhere that your Outlook Web Access site is available. It works by encapsulating RPC packets (which Outlook uses to connect to the Exchange server) inside of HTTPS packets. HTTPS is a secure protocol for web communications. It is also referred to as SSL, and is the same technology that gives you the little padlock symbol when you’re logging on to your bank.

I am not aware of any outstanding security issues with using RPC over HTTPS, but would be happy to know if there are any. For now, just members of my department (the I.T. department) are using this “feature”, but we about to start opening it up to our “general” employees that often need to stay in touch from home, off-campus meetings, vacation, etc.

Anyways, to sum it up, it’s just excellent. I know leave the “thick” Outlook 2003 client running on my laptop wherever I’m at so that I can stay caught up on e-mail without having to constantly refresh my e-mail tab in the browser. I’d be interested to hear about other’s experiences with using RPC over HTTPS.

Secunia Research has publicly reported another 0-day vulnerability in Internet Explorer. Microsoft apparently confirmed (with Secunia) the vulnerability on February 21st, but no patch during the March release. A “confirmation” of the vulnerability has been posted on the Microsoft Security Response Center Blog as well. They didn’t come right out and say it, but if you read between the lines…

The Internet Storm Center has raised the Infocon level to yellow, as they report seeing at least one proof-of-concept exploit (which fires up calc.exe).

The workaround is to disable Active Scripting in IE, but I’m wondering what all this is going to break. I’d love to be able to do it in my environment, but I can’t just blindly do that without understanding the repercussions. Any ideas? Thanks.

A month and a half or so ago, I wrote about some security podcasts I listen to on a regular basis. I was specifically looking for some good technical podcasts that I might be missing out on. Network security pro Martin McKeay (who hosts a security podcast himself) directed me to Security Catalyst and Sploitcast.

I’ve managed to find some others “on my own”, mainly thanks to the fact that I somehow stumbled across the Yahoo! Music Engine Podcast Plugin (thanks to Jeremy Zawodny). I’ve been using the Yahoo! Music Engine (YME) and subscribing to their service since just after Christmas. I had bought Lindsey a Dell DJ MP3 player for Christmas, so we subscribed to the Yahoo! Unlimited service so that she could keep it full of the latest music. Since Yahoo! lets you share the music between three PCs and two mobile devices, I also installed it on my laptop which usually travels back and forth to work with me. I started putting a few songs on my PDA as well, and the YME worked flawlessly transferring the files back and forth.

So, anyways, as I was saying… The YME is incredibly easy to use and sync’ing a mobile device with it is as easy as plugging your device in. I’ve been listening to podcasts for a while, but it’s been a manual job of downloading them using Juice then dragging them over to the PDA in Windows Explorer.

Now that I’ve got the Podcasts plugin installed, I’ve dumped Juice and subscribed to a bunch more podcasts inside of the YME application. It’s set to check for updates on a daily basis (it stays resident and active in the system tray) and will automatically download them. YME is configured to automatically sync with my device whenever it’s plugged in, so all I will have to do to get the latest podcasts is drop the PDA in its cradle and wait for it to sync. Kickass!

So, here’s a list of what I’m subscribed to now (in no particular order):

• -Technorama
• -Gillmor Gang
• -SABAGsecurity
• -Geek Muse
• -PodcastStudio.net Show
• -Geek News Central
• -Security Now! ¹
• -NerdTV
• -A Day in the Life of an Information Security Investigator
• -PaulDotCom Security Weekly
• -InfoWorld Daily Podcast
• -The Security Catalyst
• -We Hate Tech
• -KFI Tech Guy
• -Friends in Tech
• -Silicon Valley, Technology, Media InfoTalk
• -Z100 Phone Taps
• -Network Security Blog
• -Diggnation
• -In The Trenches
• -CyberSpeak
• -this WEEK in TECH

That’s all of ‘em, I think. Let me know if I’m missing out on anything worth listening to. I like the shorter ones as it’s only about a 10-minute commute to work (if I stop for gas or smokes). I usually let the longer ones build up until either I have to travel to Indianapolis or somewhere fairly far away or until I just finally decide to delete ‘em. Since I’ll probably be spending a day or two in the hospital, maybe I can catch up on some of ‘em then. The only thing there to do is watch TV, which I don’t do anyways, so at least I can listen to some podcasts.

Hmm, I do know two I.T. guys that work there at Bloomington Hospital, though — one of the Microsoft guys and one of the Information Security guys — and I did notice Cisco wireless AP’s hanging outta the ceiling on my way to X-ray. Wonder if I could get access to the wireless network while I’m there? =)

¹though Gibson is a f**kin’ idiot - “I WROTE MY OWN WEBSERVER IN x86 ASM!!!” –siglite, making fun of Gibson

From Wired News:

NEW HAVEN, Connecticut — On websites such as MySpace, teenagers can find people around the world who share their love of sports, their passion for photography or their crush on the latest Hollywood star. But authorities say teens are increasingly finding trouble in an online environment where millions of people can, in seconds, find out where they go to school, learn their interests, download their pictures and instantly send them messages.

Police in the central Connecticut city of Middletown suspect that as many as seven girls were recently assaulted by men they met on MySpace. The FBI says it regularly receives calls from police trying to figure out how to stay ahead of popular technology that puts children a mouse click away from millions of strangers.

Not really anything new here. As has been happening for the last 15 or so years, parents are increasingly relying on technology to “babysit” their children when they can’t. Teenagers these days are so much more familiar with computers and the Internet than their parents are and I’d wager that most parents simply don’t know that sites like MySpace and Facebook exist.

Kids, being kids, however, simply don’t understand the possible repercussions of putting all their personal information online. People that I encounter are often very surprised at the amount of information one can gather about another from the Internet. It’s worse when people, mostly teenagers and young adults, put their personal information right out there for anyone to see.

Wired: Teens Reveal Too Much Online.

Here’s something that will come in handy: Sending Free SMS Messages Via Google. I just recently cancelled the “feature” on my cell phone whereby they charge me too much for way more text messages than I use in a month. The only person I ever send them to is my fiancee and I’m usually on or near a PC when I do, so this will come in handy and save me a few dimes perhaps.

In today’s ever increasingly technological world, what’s the value of an online education?

I’m currently in the last semester (I hope) of an A.A.S. degree from a state College. I’ve been looking into my options as far as transferring into a four-year program go, as education is something that’s pretty important to me.

Just today I received an acceptance letter to Indiana State University, which is about an hour away. To be honest, I’m not real excited about that. Okay, I’m not excited at all. I don’t really care about their CS/IT programs. Security is where my interest lies, with networking coming in close behind. Information Security is my passion.

Recently, I came across Capella University, a fully accredited institution offering a B.S. in Information Security. They’ve received and evaluated a copy of my official transcripts and, if I transferred right now, I’d receive credit for nearly 50% of the courses in the curriculm. That’s pretty exciting to me, as I don’t want to have to “redo” the last few years worth of work.

I think I’m definitely not the typical college student. I started college a month short of my 24th birthday, and it’s taken me three years to get where I am now (three courses shy of an A.A.S.). That’s mainly because of time commitments — I work full-time at said educational institution, as well as running a business on the side.

Personally, I’m wondering how much educational value I’d get out of any CS/IT/IS program. My knowledge has been gained “in the field” and from hands-on work. I think that’s a much better way to learn myself, but I can’t deny that adding a bachelor’s degree to my resume is going to help things out.

My main area of interest right now, however, is in what others experiences have been when it comes to traditional classroom-based instruction versus the newer online instruction. Anyone think that one is better than the other? Feel free to post comments below or use the contact form available here to send privately via e-mail.

Thanks for any feedback.

As a follow-up to my previous article, “Yahoo! Hosting Phishing Site”, Yahoo! has finally shut down the phishing site.

After initially reporting it, I got back a response yesterday (one day later):

Hello,

Thank you for writing to Yahoo! Domains.

Thank you for informing us of possible abuse on Yahoo! GeoCities. We have investigated the site and taken the necessary action. We appreciate your concern and thank you for reporting this incident to Yahoo!.

Please continue to notify us of any content you believe violates the GeoCities Terms of Service, located at:

http://docs.yahoo.com/info/terms/geoterms.html

Your Yahoo! ID and password are your own confidential information. No Yahoo! employee will ever ask you for your password or personal information in an unsolicited phone call or email message. If you are ever asked for your password in an unsolicited manner, or by someone you do not believe to be a representative of Yahoo!, do not share your password with them.

For more helpful information on password scams as well as information on how to protect your password, visit:

http://security.yahoo.com/password_scams.html

For additional information on ways to protect your information online, please visit the Yahoo! Security Center at:

http://security.yahoo.com

Regards,

mila

Yahoo! Customer Care http://www.yahoo.com/

Well, I took a look and guess what? The site was still running.

I work in the I.T. department at a State College. We have a help desk. We have trouble ticket software that we use for tracking issues. It sends out e-mails similar to this when we close a ticket, meaning it is done, resolved, fixed. Am I wrong for expecting the same thing from Yahoo!? I mean, if they write me and tell me it’s taken care of, it should be taken care of, no?

Anyways, I hit “Reply”…

Yahoo! Domains wrote: > Thank you for informing us of possible abuse on Yahoo! GeoCities. We > have investigated the site and taken the necessary action. We > appreciate your concern and thank you for reporting this incident to > Yahoo!.

Oh, really? It looks to me that the site is still there. May I ask what that “necessary action” was?

…and almost immediately got a bounce (I mentioned they block using the RBLs).

So I forwarded it to my work e-mail account and then resent from there. Never got a reply, but as of today, the site is no longer operational.

Thanks, I think.

Just a quick blurb about Yahoo! hosting a phishing site.

The site in question is www.cemtral-bank.com. I got the usual phishing e-mail, yadda yadda, the “real” URL is www.central-bank.com (notice how they don’t even look similar?).

Anyways, I reported it to a guy named Chris that was listed as the tech contact in whois for the IP address originally used to send the phishing e-mails and within 15 minutes he had replied to me that “This has been taken care of” (”this” being the webapp that allowed the e-mails to be sent). Thanks, Chris.

On a side note, apparently it’s impossible to actually talk to someone to report this to at Yahoo! I can kinda see this, due to their size, but it’s still a pain in the ass. So I followed the suggestion on the audio recording I got when I called, which was to report it to reportabuse@yahoo-inc.com. Well, guess what. The IP address of my colocated server is apparently listed in the MAPS RBL. Yahoo! so conveniently filters on this, thereby blocking my abuse report from being received.

I thought it was a widely accepted practice that, even if you utilized services such as the RBL or other blackholes, that you always accept mail to certain addresses, such as abuse@, postmaster@, etc.

Anyways, I reported it using Yahoo!’s “Report Phishing Sites” web form. We’ll see how long it takes them to take care of this.

I never really did like Yahoo…