Personal writing:

• Holy Cross Posting Web Integration Life Caching Nirvana
• Gnome Conduit – Oh How I Hate to Love You
• coComment and Why It’s Important to Your Life Caching Needs
• Slashdot – Not Really Ready For Data Portability
• Bypassing Your Corporate Firewall Filtering or How to Torture The Firewall Admin
• Feedwordpress – De-Duplication Possible?
• Virtualizing Your Training Environment For Quick Restoration With VMware
• The GFQ5 Story About Creeva
• My Great Internet Data Clean-Up
• Why Can’t We Get Past Race and Gender

Links:

• Creeva’s Daily Link List 02/08/08
• Creeva’s Daily Link List 02/09/08
• Creeva’s Daily Link List 02/10/08
• Creeva’s Daily Link List 02/12/08
• Creeva’s Daily Link List 02/13/08
• Creeva’s Daily Link List 02/14/08

Posts on other Web Services:

• Twitter Updates for 2008-02-08
• Twitter Updates for 2008-02-09
• All Consuming: Creeva 02/10/08
• links for 2008-02-11
• Twitter Updates for 2008-02-10
• coComments by Creeva
• All Consuming: Creeva 02/11/08
• Twitter Updates for 2008-02-11
• coComments by Creeva 02/12/08
• Twitter Updates for 2008-02-12
• coComments by Creeva 02/13/08
• Photos from Creeva 02/13/08
• links for 2008-02-14
• Twitter Updates for 2008-02-13
• links for 2008-02-15
• coComments by Creeva 02/14/08
• Twitter Updates for 2008-02-14
• Twitter Updates for 2008-02-15

I will first start off a couple disclaimers. I don’t do this at work, I don’t need to. I respect my corporate policies and completely recognize why they are there. This being a mental exercise that stemmed out of a misconception on how our local firewall works. I love the mental exercises on how I would do something and then drop it since I’ve essentially completed my goal and do not need to test it. If however you do feel the need to test this at your school or work I take no responsibilty for your actions. You are on your own and responsible for your own actions.

I’m also too lazy to give explicit step by step instructions on setting

Step 1.

You have two choices you need to decide on depending on your capabilities, either setting up your home computer to proxy for you while your at work or buying a cheap hosted website online. It all depends on if your ISP allows you to get to your home machine or if they block it. (Yes with a hosted it will cost you money but the link I gave you gives you your first domain for free). I would use a hosted solution personally.
Step 2.

At this point I hope you have decided on which solution you are going to go with. Essentially the steps are going to be the same either way, configuration is on your head though. You are going to setup your web server to allow you to connect to it via SSL. This allows your communication to what your network administrator to see as a random web host to be encrypted. This means they will not be able to look inside the packets. The steps depending on operating system and web server capabilities is different in each scenario, so please Google to find how to setup an HTTPS web server for your desired operating system/hosting capabilities. You may need to setup a dynamic dns solution to get back to your home PC if you choose that route.

Step 3.

At this point you should have nice web setup that you can login into via SSL. What to host on the site? You need a site that can go out and fetch pages for you acting as a proxy within the web browser. Their are multiple solutions for this, and this is really is another step I’m not going to walk you through. This is the point where you are committed and going to violate corporate or school policy. If someone wants to right directions for it in the comments I won’t censor them, I’m just not going to be the one that explicitly tells you.

Step 4.

If you can figure it out now what you have is a random SSL that you can use to browse anything your network administrator doesn’t want you to. Sure you could have just used Google’s Cache, but then filtering software still could get contextual information about what your surfing based upon the words in the HTML code. This allows you encrypted anonymity.

What if the network administrator blocks access to my SSL site?

Well this shouldn’t happen unless you share the site with people. If you want your own private surfing enjoyment I would suggest keeping it to yourself. If however you kept it to yourself and you still get blocked there are a couple options to check.

Can you still get anywhere or has your Internet Access been removed?

If your Internet access has been removed do not pass go, do not collect 200.00, within the scope of this article I can’t help you.

Is it blocked by DNS name?

If it’s blocked by DNS name meaning that it’s checking to see if your going to www.bobssecretsslsite.com then you will have to use a new domain name with your hosting provider or a new dynamic DNS name. Yes this might cost you 6.95 (look for coupons through GoDaddy or another cheap hosting registrar, but you really want the Internet your way unfiltered right? If not why are you still reading this, commitment and freedom are not free.

Is it blocked by IP Address?

Well if it is your almost screwed, you need to either get another hosting provider or hope your home computer (if you using that approach) has a random DHCP that will reset when you power cycle your modem.

What if you looks at my Internet Cache?

This is really how they will catch you. There are a few choices you can do. The first is set your browser to clear your Internet Cache every time you log out. This will leave behind file traces if they use undelete utilities on you, but these steps is for the overly paranoid. If you are worried the your network administrator is browsing your temporary Internet Files looking for porn.jpg or some such you have two solutions. The first is using a USB drive and firefox portable installed on that USB drive. This allows you to take your browser whenever you leave your desk.

If your company has a policy banned USB device and you don’t want to break a second policy on top of the one you have already broken, download truecrypt. Follow truecrypt’s step on setting up an encrypted partition. Install firefox portable into the encrypted partition. Now your whole browsing history is saved into an encrypted partition that only you have the password to decrypt.

For bonus points use a combination of truecrypt and the USB key. Encrypted data you can take with you that allows you access to your own web site that can allow you access past any web filtering software.

Warning

Your images are still theoretically stored in your computers memory so , if you computer generates a memory dump you could still get caught.  Also some companies track the flow of information across their networks, theoretically this type of software can also see what you have in memory.  These are the only real flaws I find in this scenario.

Bonus Round

For bonus points on annoying your network administrator who is overly happy about his web filtering solution. Create a new igoogle theme with a bit flesh you crop from a picture you have of someone’s arm and name it porn.job. Have this has the background in your igoogle theme. Double bonus points for making two more jpg’s, one for each corner of your igoogle them. A picture of Richard Nixon named d-ck.jpg and a picture of your cat name p-ssy.jpg. You’ll set of his filtering software everytime you go to google.

Have fun.

P.S.

If this sounds too geeky, too techinical, too complex, or pain in the butt……..then you don’t deserve this solution.

The IETF has maintained the RFC database which defines Internet protocols into the nitty gritty sections that allows other individuals to implement them.  This is all great in theory the problem is some protocols out live their usefulness.  The problem is the insecurity and unfeasibility of these protocols remaining in existence compromises design that should be far more streamlined and elegant.    Without further ado here is my top 10.

1.  FTP

Yes even I use ftp since my hosting provider has made this the only efficient method of getting groups of files on to my hosting page.   A better scenario would be an SSH tunnel or a full webDAV implementation that allowed me access.   Back when I was doing firewall tech support FTP and explaining to people the difference between active FTP and passive FTP.  Here is part of the snippet I used to send to customer to understand at a high level:

In passive mode the computer sends out two data streams – one to request which data to download and another to actually download the data on a random port.   In active mode the computer sends out a data stream requesting the data – then the remote computer connects in on a random port to the requester.

Now  FTP has a bit of usefulness left in since I myself admitted to using it, so where is the complaint?  My complaint a modern protocol should be able to make a connection and transfer files without requiring two ports, a data port and a control port.   This causes havoc on a firewall especially in active mode.   They have tried to shoehorn in encryption as an after thought but this has issues traversing proxy firewall since the proxy firewall has no idea what the data port is going ot be since the connection is encrypted.   Please move on to HTTP for downloading across the web, or bittorrent, or WebDAV – lot’s of modern protocols could be used to address this instead of trying to fix FTP.

2. NFS

I wrote my diatribe about NFS here – I have no reason to rehash it twice in one day.

3.  Gopher

Gopher was the protocol that predated modern web browsers.   Granted I had a grand old time on gopher hosts back in my college days and later crawling through the Internet from the library’s card catalog computers, but enough is enough.  Gopher has no relevance or usefulness in todays internet.    I still see a strong point for the lynx web browser compared to what I could ever fathom using gopher again – HTTP won get over it.

Web Wandering Dump

Male Monkeys ‘Pay’ Females for Sex, Study Finds [del.icio.us] Posted: 03 Jan 2008 09:29 PM CST

5 tips every new Linux user should know [Digg] Posted: 03 Jan 2008 12:47 PM CST We’ve been thinking about what we most wished we’d been told on our first foray into Linux-land. These tips run the gamut from installation planning to how to best ask for help. We chose these tips because they are not distribution-specific, but rather general enough to be used by any new Linux user.

How to surf the web even if Internet Explorer is disabled [Digg] Posted: 03 Jan 2008 12:19 PM CST Crazy trick on how to use the Help function from basic Windows programs to surf the internets.

Why Facebook will never give your data back [Digg] Posted: 03 Jan 2008 10:54 AM CST Facebook won’t join Open Social, and you can forget about the pipe dreams of the Data Portability movement. The simple fact is, as the market leader, there is no benefit for or strategic advantage in Facebook making your data available to you in any format you wish.

TSA To Punish Fliers For “Facecrimes” [Digg] Posted: 03 Jan 2008 09:29 AM CST Transportation Security Administration (TSA) screeners are learning to recognize a special set of forbidden facial expressions. If your face slips into one of these during a TSA inspection, you will be taken aside and given a more detailed screening

Top 50 Design Posts of 2007 [Digg] Posted: 03 Jan 2008 08:32 AM CST Superb reference posts on what happened in the design year of 2007, covering everything from the basic principles of design, via typography and colour to advanced design tips & tricks.Highly recommended!

Third Reich Fortune 500: 5 Popular Brands the Nazis Gave Us [Digg] Posted: 03 Jan 2008 07:41 AM CST You know who else liked popular brands?

IPv6: coming to a root server near you [Digg] Posted: 03 Jan 2008 12:18 AM CST On February 4, 2008, ICANN will add IPv6 addresses for four root DNS servers to the root zone file, making full IPv6 Internet connections a reality. Time to check that DNS software and those firewalls to avoid any possible trouble.

Ohio Election Workers Sentenced to 18 Months for Rigging 200 [Digg] Posted: 02 Jan 2008 11:17 PM CST Judge Says He Believes the Conspiracy Goes Higher…

The Politico: Fred Thompson may drop out [Digg] Posted: 02 Jan 2008 10:22 PM CST GOP sources say a poor finish in Iowa may cause him to give up and endorse John McCain.

Creator of First Computer Virus to Take On Google [Digg] Posted: 02 Jan 2008 09:58 PM CST Rich Skrenta, who created the first computer virus (Elk Cloner), co-founded the Open Directory Project, and co-founded online news site Topix, may have bitten off the biggest challenge of his career – taking on Google. In search.

All the Evidence You Need to Impeach Bush and Cheney [Digg] Posted: 02 Jan 2008 09:42 PM CST The past year has seen the public exposure of enough evidence of old, ongoing, and new crimes, abuses of power, and impeachable offenses by George Bush and Dick Cheney that in any remotely representative democracy, these two thugs would be out of office and behind bars. Here’s the evidence and why we should continue to push for impeachment.

Questions to Consider in the Coming Privacy Wars [Digg] Posted: 02 Jan 2008 07:40 PM CST It seems obvious that privacy is going to be a major point of contention in the near-term future. It’s only going to get hotter as major online services compile huge amounts of data about us. There are a lot of “little questions” that we need to engage with as soon as possible. Here’s my list of important questions, what’s on yours?

Sears: Come see the softer side of spyware [Digg] Posted: 02 Jan 2008 06:16 PM CST When you join an online “community,” are you joining so that you can interact with like-minded users, or so that companies can track your every move on the Internet? Sears is banking on the latter, despite heavy criticism from security researchers.

couple banned from shopping center for photoing grandkids [Digg] Posted: 02 Jan 2008 12:41 PM CST for taking a photoraph of their grandkids in a shopping center the security “police” have banned them for life. sure this happened in the UK, but “authorities” here in the US want to play the same way, this is totally outrageous!

Creeva’s Shared items in Google Reader

Rare Atari Breakout handheld shows up on eBay Posted: 03 Jan 2008 04:58 PM CST Filed under: Gaming It’s certainly not the first bit of super rare Atari gear to show up on eBay, but those looking to expand their collection may want to take stock of their bank account right about now, as the Super Breakout handheld prototype pictured above (apparently one of only two known to exist) is now up for auction with less than a day to go. As you might have guessed, it doesn’t actually work, or even have the finished branding, but it apparently is the real deal — purchased directly from the handheld’s designer, no less. If that’s got you all nostalgic for what could have been, you’ll only have to beat $385 (as of this writing) to be the top bidder, although you can be sure you’ll have to drop a good deal more than that if you actually want to get your hands on it.[Via OhGizmo!]   Read | Permalink | Email this | Comments

Plaxo Flubs It Posted: 03 Jan 2008 12:22 PM CST News leaked prematurely today about a new Plaxo Pulse feature that allows users to match Facebook contacts to Pulse contacts, and then import contact data about the matches into Pulse. Plaxo has been testing the feature with a number of journalists and bloggers. It involves running a script against Facebook. You tell Plaxo your Facebook account credentials; Plaxo then goes in to Facebook, looks up every one of your friends, and pulls down their contact information. Plaxo could have done most of the work via the Facebook API (and in fact we covered a startup called FriendCSV that does just that). But the Facebook API doesn’t allow exporting of a crucial piece of data, email addresses. In fact, emails are shown as images instead of text on Facebook so that scripts cannot easily download them. So Plaxo avoided the API and went with screen scraping. They developed optical character recognition software to recognize email addresses and add them to the export. Facebook doesn’t like this, of course. But it isn’t Plaxo that’s paying the price. It’s the journalists and bloggers who’ve been testing out the service. Robert Scoble was banned yesterday from Facebook for running the script. He received an email from Facebook that said “Our systems indicate that you’ve been highly active on Facebook lately and viewing pages at a quick enough rate that we suspect you may be running an automated script. This kind of Activity would be a violation of our Terms of Use and potentially of federal and state laws.” Plaxo was certainly aware of the risk. In an email from the company asking me to try the service last week, they said “We don’t know whether Facebook will try to shut us down (despite their increasing verbal support for the concepts of open-ness), so we want to let a few key folks have access to the functionality before we make it available to everyone.” Yeah, they guessed right. Plaxo started running automated scripts against Facebook without any warning or discussion with them beforehand, in violation of their terms of service and, I’ll add, common sense. Of course users were shut down. Facebook must regulate this kind of behavior, without it the service would crumble. Beyond the automated script issue, Facebook also has a very good reason for protecting email addresses – user privacy. Robert Scoble may be perfectly fine with having my contact information be easily downloaded from Facebook, but I may not be. Ultimately it should be me that decides, not him. And if Plaxo wants to push the envelope on user privacy issues, again, perhaps they should at least have given Facebook a heads up. And be prepared to take the consequences themselves instead of passing them off to their users. Robert Scoble was Plaxo’s lab rat in this experiment. I’m glad I wasn’t one, too. Update: Loren Feldman basically agrees with me. Plaxo Loading information about Plaxo… Facebook Loading information about Facebook… Crunch Network: MobileCrunch Mobile Gadgets and Applications, Delivered Daily.

A fair use primer for online content creators Posted: 03 Jan 2008 11:31 AM CST Fair use wasn’t just bolted on to copyright law; it stems from the very purpose of copyright. A new report hopes to teach creators of user-generated content about when using other material is fair and when it might not be. Read More…

IPv6: coming to a root server near you Posted: 02 Jan 2008 11:43 PM CST On February 4, 2008, ICANN will add IPv6 addresses for four root DNS servers to the root zone file, making full IPv6 Internet connections a reality. Time to check that DNS software and those firewalls to avoid any possible trouble. Read More…

Iowa State Presidential Primary: Online Caucus Coverage Posted: 02 Jan 2008 05:40 PM CST Share This

Creeva’s Shared items in Google Reader

The first step in minimizing your organization’s exposure to a phishing attack is to educate users and have policies they can refer to.The best approach to this is to train them when you first adopt them as users.If you are a bank you post your policies on password and account policies when they first sign up for online service.If you are a private website send them a blurb of information in the verification email (users will glaze over at long privacy agreements so have a summary ready for the email body and append any policies after the main text).If you are an organization/company you educate the users when they are in their new hire orientation.For companies there should be a follow-up yearly or bi-yearly on policy changes and a short training session may be required depending on the amount of education you need to impart on entrenched employees.

Companies should have a corporate website that states if there is a time where the IT needs to request your password how this will be handled.It is inadvisable to have users to respond to any password request with their username and or password in email form.This trains the users to accept this type of reply no matter if it’s a real request or a phishing attack.The same holds true for attempting to collect or update their password information on an internal website.

Some companies to alleviate helpdesk calls have set up a password reset web site internally.Users should be taught to verify they are going to the correct URL before entering any information.To secure these configuration users should login while they know their passwords and have 2-3 challenge/response questions before it will allow you to change their password.To make this more secure allow your users to make up their own questions, since they will recognize the questions they have written themselves and make it harder for attackers to just spoof the site and auto accept answers to things that are industry default questions such as “Mother’s Maiden Name:”.

Unfortunately since all authentications are tied together you normally would not want to send a verification email before resetting the password, since the user probably isn’t able to get into email either.You can however make the change temporary for 24-hours unless they click the verification email to confirm they did this make this change.If they do not click the email the account automatically locks and users then have to call the help desk.Inform users of this behavior before implementing this and have it state so implicitly on the password reset page.

We have discussed how to raise user awareness and lower the chance of users unwittingly entering in their information but how do we reduce exposure to the users on these attacks?The easiest approach is to handle this at your border infrastructure.For simplification I am going to lump the email infrastructure together in my explanations, these parts are your border firewall, any internal firewalls, your anti-spam solutions, and your internal mail server.I am grouping these together because depending on which product you use for these functions different options are available to you.

The first step for locking this down is to have all of your internal users authenticate before sending mail.Authentication requirements may include authenticated SMTP or IMAP sessions, VPN to the internal network, Webmail, or any other options that give you some sort of confidence level that the user you are responsible for is who they say they are.It will also make the next step a lot easier to implement depending on your current corporate policies.

The next thing you do is disallow any mail from outside your organization allow a “Sent From:” address.For example if your domain is “mydomain.com” your mail server will not accept mail from bob@mydomain.com going to sally@mydomain.com unless they have been authenticated via one of the earlier proscribed methods or through a desktop email client internally.Make sure that your external firewall does not perform NAT on incoming packets or otherwise your mail server will think all the mail is from an internal source.

Implement a policy to disallow your internal mail server to accept mail connections via telnet.This can be done by smarter firewalls that inspect layer 7 packets and some mail servers.These devices can distinguish the difference between a mail server or client sending the mail by packet length and activity type compared to manually typing in the message by telnetting to port 25 on your mail server and sending mail via telnet.

For phishing and other reasons your organizations should develop or subscribe to a real-time blackhole list (RBL).Anytime an individual attempts to your internal mail server in an attempt to spam or perform a phishing operation unsuccessfully against your mail server they can be added to the RBL database.This allows you to track and block attempts from the same IP over and over again and reduce overhead on your internal mail server.

To reduce rogue mail servers on your internal network and enforce traffic to traverse the internal mail server the best methods for performing this is to block port 25 on all of your internal routers unless the traffic is destined for your internal mail server.Include another rule that allows only your mail server to send email to the internet on port 25 on your firewall.This helps against internal users that may attempt a targeted phishing attack against another internal user.

The next step depends on how smart your mail filtering software is.Have a queue where suspect email is forwarded if they include strings similar to your own domain (example bob@my-domain.com, bob@mydomian.com, or bob@mydomain.com.com)this is all dependent on how well your mail filtering software can detect these misspellings.From this queue have a trusted administrator verify if that these mailing are not spam (if so implement appropriate filters) or not a phishing attack (add IP address to your RBL).Since in the scope of this document I can not scope out how similar your domain is to another domain that may be sending you mail I suggest this as a last resort if you are under a heavy load of phishing attempts.I would not recommend outright blocking this type of mails since it may interfere with legitimate business.

If you discover a phishing attack that has bypassed your border and made it directly to the user the recommended approach is to immediately send a mail to all the effected users as soon as this is detected.When sending the email alert about this include your standard policy on if, how, and when you will collect passwords or usernames from them when it is a legitimate email.This informs the users that you are paying attention; they can gain confidence that you are monitoring for this type of attack, and they are reinforced when and where to give out their private information.

Phishing attacks will never be stopped one hundred percent, but repetition and education can greatly minimize it’s impact on your organization.

Going through my DHCP server I managed to track down the IP address it obtained and managed to log in via the normal Linksys default tight security – username admin password admin. After this point I managed to change the device to use a static IP address.

After this I signed up for the Vonage service and had phone calls delivered through the home phone line. We do not usually use the home phone line and off the top of my head I can not even tell you the phone number it uses. So here is how we are going to wire the house.

From the main phone junction box there is going to be a working jack – from this jack we will place a DSL line filter – from here we will place the DSL modem on the non-filtered side and a stand alone non wireless phone and an answering machine just in case. Behind the modem lies a Linksys firewall that handles PPPoe dialing and behind here lies the Linksys PAP2.

From the PAP2 we filter the other main phone line to the house into from the wiring closet I started in the basement. and from here all the phone wiring in the house will filter through to give whole house phone coverage through the Vonage device.

Whew.

The advantages of having a central wiring area in your house is the biggest benefit you can ever have especially for instances like this.

Ever find that the equipment manuals are terrible or you just can not find a yes or no answer on how something functions?

That is my problem.

Buried in a closet downstairs is a wireless router that is not being used. In my new network design – I want to use it, but I need it to have NAT disabled so I can go between both segments with their real IP addresses. So I need it to act as a true wireless router and the manual says nothing about this type of function.

The router is a MN-700 Wireless b/g router by Microsoft. When I lived in Oregon it served the purpose for a couple of years but got replaced when I moved back to Ohio. With my new network design though I’m going to have at least 2 wireless zones (2 more planned in the future when I have cash) . So I’m stuck on that question until I have time later to hook it all up and configure it. But the manual should have this information.

But what else am I going to do with it beyond complain about the lack of text in the manual?

Well let’s look at the rest of the purpose of this machine (other machines mentioned we will go into detail in a later examining equipment.

The MN-700 will ideally be put into a configuration such as the following off the firewall

Wired Clients MN-700 Firewall
|
Wireless Clients |
Wireless Bridge

I will be using WPA encryption on the Clients and the wireless bridge as this wireless network is going to be behind my main firewall (which has 4 interfaces) I want natting disabled since I’ll be coming through the firewall to the wired clients at the very least – and would like to be able to reach all the computers.

Why do I need to reach all the computers?

Remember the mantra to follow is central management and ease of use – while my network setup when we get through this whole series may not be the easiest to understand nor to configure. When we get to the end users they should not be able to see any impact on their normal usage and it should make everything easy and transparent. Hopefully it will also make everything more functional where the users are interacting with services they didn’t know existed on the network.

Being able to reach all the computers means that I can VNC (covered in a later article) across the network to any machine from any other machine I’m on (as long as I know the password.) This fulfills centralized management and since most my servers run headless (without a monitor attached) it allows me to administrate them without have the electric bill compounded by the electricity that a monitor would use.

I also have at least one computer on that segment where VNC communication is imperative and there is a file share on that same computer. The reason for this will be covered in a later article when I get to that computer.

What other functions will this router offer?

This router on top of his WPA encryption will be filtering client by mac address and not all the clients will have a static IP address. So the router will also be the DHCP that services this network segment ( for the record there will be 2 other DHCP servers on the network and no I don’t want to go DHCP repeater services so I can have a central one). The DHCP pool is going to be wide enough for 20 addresses in case I get other remote device that need access via the secured wireless segment.

The router will allow for external management so from my central desktop or laptop I can adjust or make any configuration changes necessary in a future adjustment.

I’m sure this covers my working with this wireless router – I’ll have a follow-up later on the MN-700 which will include screenshots of the user interface.

1. What DNS is whether they know how to use it or not
2. If they have been an ongoing firewall administrator, they should know if they host DNS or not
3. How to use attrib
4. Know how to Alt-Tab
5. Know how to browse a drive
6. Know that double clicking opens a folder
7. How to Ping