noel alanguilan

i’ve been receiving a lot of these emails of late. they’re scams in my view. the first one came from the “facebook team” saying that i have to “submit a new, updated account agreement” and that i should “unzip the attached file and run the agreement.exe by double-clicking it.” the other is supposedly from the “microsoft team” providing a system scanner to check and get rid of the conficker.b virus in your computer. these are email scams to get a user to run the attachment which is actually a virus. so when you receive them just delete them.

below are samples of the scams i received. i’ll likely post an excerpt any new emails that i think are scams.

from the “facebook team”:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement,
regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

from the “microsoft team”:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly.
Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program.
We are supplying all effected Windows Users with a free system scan in order to clean any
files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent
your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

watch out. these are scams. do not fall for them.

here’s the script i use on secure backup runs using rsync—with a little modification to the names and ip addresses for security reasons—but everything else is essentially the same. i have to run this through cron because the server is headless—no monitor. i just access it via the ssh console or browser from another computer.

#!/bin/sh

DATETMP=`date +%Y.%m.%d`
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
# the private ssh key of the local computer
KEY=/rsyncuser/.ssh/id_local
RHOST=remote.ip.addr.ess
RPATH=/remotedata/
LPATH=/localdata/
LOGFILE=/rsyncuser/rlog.$DATETMP.log
# contains the file extensions of files to be excluded from the backup
EXCLUDES=/rsyncuser/localexcludes
OPTS="--exclude-from=$EXCLUDES"

# check if rsync is already running
RUN=`ps x | grep rsync | grep -v grep | wc -l`
if [ "$RUN" -gt 0 ]; then
echo rsync already running
exit 1
fi

$RSYNC -avz -e "$SSH -i $KEY" $OPTS $RHOST:$RPATH $LPATH >> $LOGFILE

i leave an entry in crontab to run the script once each day. sometimes a backup run goes longer than 24 hours so i needed to check if rsync is already running in the server. if the script doesn’t check, it will run another instance of the script and would slow down the server or, worse, brings it down completely.

i have to encrypt all data that gets transferred between the two computers via ssh just in case a naughty third party is “listening in”. i use 2048-bit encryption. processing the data—encrypt at remote; decrypt at local—is a little slower but i am more confident that the data will be safe from eavesdroppers.

i use the exclude-from option to exclude files that shouldn’t be backed up—music and movies—or else the backup will take too long especially on just a dsl line.

if you notice anything wrong with the script, please leave a comment.

note: this is repost from my old blog.

rockyou, a service that offers up applications to social networking sites, has been hacked. 30 million user passwords along with the associated e-mail address has been compromised and some has been reportedly been leaked on the net. rockyou has apps in facebook and myspace. if you run applications made by rockyou they highly recommend that you change your password in rockyou and other online accounts that use that e-mail/password combination (presumably associated with rockyou). now.

with a handful of government websites being hacked the a lot of people have been asking me, “is that really possible? can they really hack into the election system?” the short, practical answer is, “given time, a hacker can hack into anything. given time.”

let’s clarify something first. a website is like a billboard or a poster—it serves up information about whatever. its easily accessible to the general online public.and it can easily be defaced when no one is looking or if its not guarded. and if it does get defaced it doesn’t mean the person who did it was able to get into the company premises and steal whatever it is that’s in the safe.

hacking a website is not the same as hacking into a company’s internal network. a corporate website usually just contains information that the company wants the public to see. like i said, similar to a billboard or poster. hacking the website is equivalent to defacing the billboard. there is no real damage done or stolen from the internal network. it is highly unlikely that the internal network of a company is physically connected to its website. how do i know? its best practices—if it can be avoided, you do not connect the web server to the internal network. and if you do, you have to make sure that there’s at least one layer of security (essentially a firewall with a ridiculously long passphrase) between the web server and the internal network.

how could have the websites been hacked?
its a combination of several things which also includes luck but its mostly laziness on the part of the server administrators. they could have put a longer password and, if it is possible, change the username of the administrative account. and these things should be changed again every so often—six months with some of my servers. there are easily downloadable “tools” to help today’s script kiddies (noob hackers) get into a website. i do not take that for granted.

how hard is it to hack into a company’s network?
if the network has been setup properly, its pretty hard. you have to know and get through several things before you can get your hands into the good stuff.

first, you have to know the ip address of the door—commonly a firewall—to the internal network. most networks are connected to the internet in one way or another and this firewall has its own ip address. the problem is that there are over 4 billion ip addresses in use on the planet. pick one. the admins certainly wouldn’t publicize their ip address and even if that got leaked there are usually several more they can use.

now if by chance you do get their ip address, you have to know three more things—the port number, the administrative username and the password for that firewall. think of a port number as something like a mini door and there are more than 64 thousand of these mini doors in that address. you have to pick one to use. then there’s the username which can be anything and, of course, the password—which can be pretty long. it can even be a sentence complete with capitalization, spaces and punctuation.

if you get through the firewall, you can then proceed to the file or database server which you would need, of course, the administrative username and password. which, again, can be anything. and there are some who are paranoid enough to put another firewall between the first firewall and the database server.

so to recap, you would need the ip address, port number, the administrative username and password of the firewall, the internal ip address, the administrative username and password of the database/file server. and also the administrative username and password of a secondary firewall you may encounter. and you have to enter all of this data in a very limited amount of time.

best of luck to you.

so the answer is “if the system is setup properly, no, they can’t really hack into the election system.”

is there another way to get around all this security?
there actually is. you can try launching a phishing attack specifically targeting the system administrators and pray that they’ll fall for it. personally, i do not think the admins are stupid enough to fall for such an attack.

what can i do to be safe from such attacks?
for starters, don’t believe everything that gets sent to you via e-mail. and don’t click on that link that your friend sent to you without carefully inspecting it first. and try not to use internet explorer. please.

for php development i use a local php/mysql web server to make dev work a bit faster. these are the steps we followed for a workstation running linux.

download xampp from apache friends. the version available was 1.7.2.

extract the downloaded archive with:

sudo tar xvfz xampp-linux-1.7.2.tar.gz -C /opt

note: if you have xampp already installed, the above command will overwrite it. careful.

xampp is now installed in /opt/lampp

to start xampp:

sudo /opt/lampp/lampp start

you should see something like this:

Starting XAMPP for Linux 1.7.2...
XAMPP: Starting Apache with SSL (and PHP5)...
XAMPP: Starting MySQL...
XAMPP: Starting ProFTPD...
XAMPP for Linux started.

which means the server is ready. i don’t need an ftp server for dev work so i decided to stop proftpd:

sudo /opt/lampp/lampp stopftp

note: issuing the above command will deactivate the proftpd server permanently–it will not start when you start xampp. see the command cheatsheet somewhere below to find out how to reactivate it.

to test our setup fire up your favorite browser and type:

http://localhost

you should see something like this:

you’ll be able to see the status of the installed components, the status of the security of the system, links to documentation and most importantly, detailed information about the server system via phpinfo() as well as database administration panels–phpmyadmin and phpsqliteadmin.

at this point, we have an apache webserver running with php and mysql support.

(more…)

some issues came up with my web development setup when i did a clean install of ubuntu 9.10 (karmic koala) and migrated my data from backups.

i have a web/php server running off my workstation on localhost being used to test html and php pages i develop. i have apache serving up name-based virtual hosts–one for each client website. accessing http://client1 would give me the local index page of client1, accessing http://client2 would give me the local index page of client2 and so on. this little webdev symphony got messed up when i performed a clean install of ubuntu 9.10. all i could get was a “403 forbidden” error message which i eventually attributed to a permission problem rather than to my server setup.

click to enlarge

the not-so-elegant solution i found is to move all of my development files inside the public folder in my home directory, edit the httpd-vhosts.conf file to reflect the move and changed the base directory in bluefish. i also propagated the permissions from the public folder to all the files and folders it contains by right-clicking on the public folder, click on properties, choose the permissions tab, and clicking on the “apply permission to enclosed files”.

and you’re done. hopefully. i consider this a temporary solution and it worked for me. it may not work for you. your mileage might vary. don’t do this without a proper backup.

painful. not a lot but painful nonetheless. it was mostly because if grub–ubuntu’s boot loader. after going through the install process and restarting my workstation grub had other plans and didn’t load up the filesystem and therefore could not start linux and most of everything else. its apparently an issue with karmic koala as i found out from the forums. this ubuntu version is painful.

on first boot after the install, i got a message from the bootloader saying it couldn’t load … something named after a bunch of numbers with dashes in between. restart. on second boot it gave me the grub menu with the option of editing the boot commands before booting. i took the opportunity and tried editing the commands. after some why-the-heck-not deliberations i took out the line that started with the word “search” and proceeded to boot. and it did! now, i wanted to see if the settings stuck so i restarted the computer. i was presented with the grub menu again which means the initialization file (menu.lst) of grub is messed up or non-existent (it was the latter ). after a couple of hours of axious searching in the ubuntu forums i was able to reinstall grub and had a proper menu.lst file.

the rest of the installation went fine. restoring my settings from backup was easier.

admitedly, there are really nice changes to the system but it is not the best ubuntu released mostly because the grub bootloader gave a lot of people headaches, me included. i later found out that the bootloader is a beta version that was included in the final release. bad idea. and then i get an occasional “pause”—application windows start to dim as if in deep thought and couldn’t be disturbed and after a few seconds wakes up again. i still have to find out what causes that. but at the moment i’m just glad my workstation is up and running again.

i’m actually a bit excited about the windows 7. after the publicity, the waiting and attention its getting one can’t help but be a little excited.

and then a few days after windows 7 launches comes ubuntu 9.10—karmic koala. i’m excited about that too.

for me, what will likely happen is that i will upgrade to karmic koala as soon as its out and i’ll wait for the ideal time to get windows 7. when is the ideal time?, you ask. and my answer is, when i get the extra money (which is so not now). or when someone gives me a license (like that’s going to happen).

now, if i want to run windows 7 on my computer i would be compelled to upgrade the memory and the graphics card or maybe even, heaven forbid, purchase a new computer altogether. and then i’d have to buy a license. that’s a double whammy right there. as it is, my current workstation barely clears the minimum system requirements of windows 7 but its already okay at running windows xp. i suspect that with the upgrades it would run xp even better than it would running windows 7. ibm and canonical even suggests that running ubuntu on the old hardware is a better (and economical) option. i would agree. as things stand, most of the computers i take care of need more memory or need to be replaced altogether just to run windows 7. and that’s a more money out of the coffers.

still, windows 7 is ‘new’ and i get interested with new things. its like a grown up toy. i try to learn about it, see how it works and, eventually, get to know how to break or hack into it. ha! i do that with almost everything technologically related. curiosity is a habit of mine. i will eventually get to play with windows 7. and ubuntu 9.10. my curiosity will be quenched for the moment until something new comes about again.

but at the end of the day, it all comes down to economics. its cheaper to deploy linux. there’s no going around it. free is free. still, there are people—and companies—willing to shell out the money for staying in their comfort zones. to each his/her own.

special html characters i use in my web development tasks.

pick your poison

windows 7 is coming and most people running xp or vista will be upgrading sooner or later. i’ve been reading up on what it would take to upgrade windows xp to windows 7 and most of the answers point to more money for both hardware and software and quite a handful of hours for the upgrade itself.

windows 7 essentially has the same system requirements as vista–1ghz processor, 1 gig of memory, 16 gig of drive space and 128 meg of video memory on a vid card that supports at least dx9. this is the “official” system requirements. the “unofficial” requirements are a bit higher–1.6ghz cpu and 2 gig of memory–if you want an acceptable level of performance. if you want zippy then you’d have to spend for a faster cpu and more memory. most people would want zippy so it may be better and more convenient to get a new computer. really. but don’t take it from me.

if you want to know if your current computer can run windows 7, microsoft has conveniently provided an upgrade advisor which you can download and run in your windows computer. don’t forget the grain of salt.

upgrade times range from an hour and a half to 20 hours. some may take longer. the fastest way is to do a clean install from windows xp to windows 7–at least that’s what microsoft recommends. put the dvd in and have it reformat the whole drive. of course, you have to save your data first and then reinstall your applications later but i think a clean install is still better than 20 hours of upgrade time. besides, i think its a good idea to do a clean install on a new operating system.