Typo Blog Code Updated

Posted by JD 01/05/2010 at 15:33

So, I found a few free minutes today and decided to upgrade this blog to the latest release. This was a security related update; it seems Typo had a few security vulnerabilities. As usual, things mostly went fine following the instructions provided by the upgrade web page. Mostly.

Overview of the Steps

Windows Password Complexity with gpedit.msc

Posted by JD 12/30/2009 at 16:38

Just because you are a home Windows user doesn’t mean you shouldn’t have good password management practices. Core to achieving that are:

  1. Changing passwords regularly
  2. Having long enough passwords
  3. Having complex enough passwords
  4. Not reusing passwords
  5. Locking accounts for incorrect password attempts

In most companies, password policies are set by the IT guys through an Active Directory Domain Controller. If you have an AD controller at home, you aren’t reading this story anyway.
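For a home machine without a domain controller, the same five practices map onto the Account Policies settings that gpedit.msc edits, and those settings can be checked in bulk from a `secedit /export /cfg policy.inf` dump of the local policy. The audit script below is an added example, not from the original post: it parses the [System Access] section of such an export and reports each practice that the current settings fail. The sample export and the thresholds are constructed assumptions; tune the thresholds to your own policy.

```python
"""Audit a local Windows password policy export against the five practices
listed above.  Added example, not from the original post.  Input is the INF
written by `secedit /export /cfg policy.inf` (same settings as gpedit.msc ->
Account Policies); the sample export below is constructed."""
import re
import sys

# Constructed sample: an unhardened workstation.  In secedit exports,
# MaximumPasswordAge = -1 means "password never expires" and
# LockoutBadCount = 0 means "never lock out".
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same section after hardening.
HARDENED_EXPORT = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 10
LockoutBadCount = 5
"""

# Assumed thresholds (not from the post).
MAX_PASSWORD_AGE_DAYS = 90   # 1. change regularly
MIN_PASSWORD_LENGTH = 12     # 2. long enough
MIN_HISTORY = 5              # 4. no reuse
MAX_LOCKOUT_BAD_COUNT = 10   # 5. lock after this many bad attempts


def parse_system_access(text):
    """Return {key: int} for the numeric lines of the [System Access] section."""
    values = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[System Access]"
            continue
        if in_section:
            m = re.match(r"(\w+)\s*=\s*(-?\d+)$", line)
            if m:
                values[m.group(1)] = int(m.group(2))
    return values


def audit(values):
    """Return [(practice, detail)] for every setting weaker than the thresholds."""
    findings = []
    age = values.get("MaximumPasswordAge", -1)
    if age <= 0 or age > MAX_PASSWORD_AGE_DAYS:
        findings.append(("Changing passwords regularly", f"MaximumPasswordAge={age}"))
    length = values.get("MinimumPasswordLength", 0)
    if length < MIN_PASSWORD_LENGTH:
        findings.append(("Long enough passwords", f"MinimumPasswordLength={length}"))
    if values.get("PasswordComplexity", 0) != 1:
        findings.append(("Complex enough passwords", "PasswordComplexity!=1"))
    history = values.get("PasswordHistorySize", 0)
    if history < MIN_HISTORY:
        findings.append(("Not reusing passwords", f"PasswordHistorySize={history}"))
    bad = values.get("LockoutBadCount", 0)
    if bad == 0 or bad > MAX_LOCKOUT_BAD_COUNT:
        findings.append(("Locking accounts after bad attempts", f"LockoutBadCount={bad}"))
    return findings


if __name__ == "__main__":
    # secedit writes its export as UTF-16; pass the file path to audit a real machine.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    findings = audit(parse_system_access(text))
    for practice, detail in findings:
        print(f"WEAK  {practice}: {detail}")
    if not findings:
        print("policy meets all five thresholds")
```

Run it with no arguments to see the constructed sample fail all five checks, or with the path of a real export to audit your own machine; the hardened sample passes cleanly.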

Ubuntu Hardy Depots Missing?

Posted by JD 12/29/2009 at 10:09

Err http://ppa.launchpad.net hardy/main Packages
  404 Not Found
Err http://ppa.launchpad.net hardy/universe Packages
  404 Not Found
W: Failed to fetch http://ppa.launchpad.net/madman2k/ubuntu/dists/hardy/main/binary-i386/Packages.gz  404 Not Found

W: Failed to fetch http://ppa.launchpad.net/madman2k/ubuntu/dists/hardy/universe/binary-i386/Packages.gz  404 Not Found

E: Some index files failed to download, they have been ignored, or old ones used instead.

Ouch.

I knew hardy support would eventually go away, but not before the next LTS release which isn’t scheduled for 4 months.

Fixed, 3 Days later ….

SysUsage 3.0 Installation Steps 1

Posted by JD 12/16/2009 at 15:34

We’ve been using SysUsage to monitor general performance of our Linux servers for a few years. Version 3 was released recently with a new web GUI and simpler installation, but not quite the trivial apt-get install that we’d all love. View a demo.

Anyway, go grab a copy of the source tgz and follow along.

 tar zxvf SysUsage-Sar-3.0.tar.gz
 cd Sys*0
 sudo apt-get install sysstat rrdtool librrds-perl
 perl Makefile.PL
 make
 sudo make install
 sudo crontab -e

Drop these lines into the root crontab.


*/1 * * * * /usr/local/sysusage/bin/sysusage > /dev/null 2>&1
*/5 * * * * /usr/local/sysusage/bin/sysusagegraph > /dev/null 2>&1

I performed these steps using Cluster SSH on almost all our Ubuntu 8.04.x servers; each installation worked.

If you have Apache running in the normal place, browse to http://localhost/sysusage/ to see the results.
If you don’t run a web server, try firefox /var/www/htdocs/sysusage/index.html instead.

Further, our simple rsync over ssh scripts to pull the SysUsage output back to a central performance server are still working. Some of the old data from the v2.12 of the program is still inside the RRD files. It isn’t clear at this point whether the data will be used in the new graphs or not. It takes about a day for the graphs to become useful.

WPA Passphrase Cracking for Sale $40

Posted by JD 12/16/2009 at 09:01

Saw an article today that someone has decided to sell WPA passphrase cracking service for about $40. It takes about 40 minutes, but on average just 20 minutes. Seems he has a Beowulf compute cluster with idle time.

If this is what some guy can do, imagine what different governments can do.

Once again, consumer-grade WiFi should be considered non-secure. Go wired if you care at all. There is no secure wifi/radio networking, none.

Simple Security for Emails Clicks

Posted by JD 12/06/2009 at 08:18

Scenario

We all get emails asking us to do something. Sometimes the email includes a link to a specific web site to help you complete the task. Well, unless you only see plain text email messages, no RTF, no HTML, then you can’t trust that the URL you click is really where you are being taken. If there are any misspellings or simple grammar issues, ignore the email.

Simple Solution

Don’t click links provided in emails. Rather, manually go to the website. Use your password manager, like KeePass, to open the correct page and enter your login credentials. Or you could type the known URL, just don’t click the URL in the email. Simple enough?

You know this stuff. You know not to click. But it takes just 1 small mistake to be p’wned and you may not realize it for a few days, if ever.
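The reason HTML mail can’t be trusted is that the visible link text and the actual href are two separate things. The script below is an added example, not from the original post: it pulls every anchor out of an HTML message and flags the two cases a reader can’t see at a glance, a link whose displayed text names one site while the href points at another, and a link whose href is a raw IP address. The sample message is constructed, the example.com/example.net hosts are placeholders, and the "last two labels" domain comparison is a deliberate simplification (no public-suffix list).

```python
"""Flag HTML e-mail links that don't go where their text says.  Added example,
not from the original post.  The message below is constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one look-alike login link, one honest help link, and one
# "greeting card" link pointing at a bare IP (192.0.2.0/24 is a documentation range).
SAMPLE_HTML = """\
<p>Your hosting account needs attention. Please sign in at
<a href="http://login.example.net/cpanel">https://cpanel.example.com/login</a>
to continue. See our <a href="https://example.com/help">help pages</a>.</p>
<p><a href="http://192.0.2.10/ecard">View your greeting card</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of a bare 'host/path' string; None if there is none."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname


def registrable_domain(host):
    """Crude last-two-labels form (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, text, reason)] for links a reader should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if href_host is None:
            continue
        # Only treat the visible text as a URL when it looks like one.
        text_host = host_of(text) if ("." in text and " " not in text) else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append((href, text, "visible text names a different site"))
        elif is_ip(href_host):
            findings.append((href, text, "href is a bare IP address"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: text={text!r} href={href}")
```

Run against a saved message body (`suspicious_links(open("message.html").read())`) it prints the offending links; plain-text mail, as the post recommends, has no hidden href to check in the first place.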

Examples

Hak5.org forums were hacked in 2009. When the maintainers realized it, they sent an email warning everyone and suggesting that you never use the same password on multiple websites. Good advice. If you use a password manager, like KeePass, you never need to worry about reusing the same password. Just use the Generate button to create a strong password for each website you visit.

Web site administrators are being targeted now to gain access to the servers by people who want more bot controllers in their bot network. I’ve used cPanel before at a hosting provider and it would be easy for that page to be cloned, yet still appear to work. The cloner can grab the login credentials and pass them on to the real cPanel page. When you run a web site, the management of that website often bounces between lots of unrelated web servers that you aren’t used to seeing, adding to the confusion. Even Yahoo hosting was targeted, so I can’t believe that some very popular, yet cheap, providers aren’t also.

I get spam emails that are usually sent from small business servers all the time. These servers could be misconfigured to allow email relaying or compromised by some other method. Regardless, sending an email to the administrator never seems to help.

During holidays, we all get Holiday eCards asking us to click on a URL. I’ve gotten 3 called ICQ Greeting Cards this week. The link in all three of those emails was to some nasty software, for sure. Don’t click. They even had safe links included in the email to the real ICQ site to earn my trust.

Be careful out there, especially if you are an administrator for others or public facing internet services. I expect to be hacked at some point. I have been hacked – over 10 years ago. Hopefully, being hacked again won’t happen for some time.

Shame on Pidgin-Plain Text Passwords 4

Posted by JD 12/01/2009 at 18:02

Today I was going through my list of files to backup on my Linux laptop and removing temporary and cache files when I came across a directory that I didn’t recognize. The files were listed as changed within the last 3 days.

changed .purple
changed .purple/accels
changed .purple/accounts.xml
changed .purple/blist.xml
changed .purple/prefs.xml
changed .purple/status.xml

It turns out they are for pidgin, the extremely popular Instant Messaging software. Ok, I use that – fine. But my interest got the best of me and I looked at the accounts.xml file. Obviously it is an XML file, but I was shocked to discover the following (modified for my protection):

<account>
<protocol>prpl-jabber</protocol>
<name>admin-userid@example.com/Admin</name>
<password>some-really-complex-password-with-lots-of-special-characters-in-clear-text</password>
<alias>admin</alias>
</account>

The password isn’t encrypted. Not at all!

This is unacceptable.

There is an encryption plugin for pidgin but it is for IMs, not the stupid passwords. This is just crazy. Heck, there are ROT13 methods and trivial 2-way password encrypt/decrypt methods which could be used if necessary.

The pidgin wiki has this to say. I have to admit, they do have a point, but I still disagree with it. At least they do set the directory permissions to 700 and file permissions to 600 (user only), but this doesn’t help with my backups placed on another system, does it?
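The 700/600 permissions protect the file on the laptop, but a backup copy on another system has whatever mode the backup tool gave it, and the password is still inside. The script below is an added example, not Pidgin’s own code: it walks a backup tree for .purple/accounts.xml files, reports which accounts have a stored <password> element (without ever printing the value), checks whether the copy is readable by group or other, and writes a redacted copy with the password elements removed. The accounts.xml sample is constructed; the element names follow libpurple’s layout as shown above.

```python
"""Find Pidgin accounts.xml files in a backup tree, report stored passwords,
check permissions, and write a redacted copy.  Added example, not Pidgin's
own code; the sample file is constructed."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: one account with a stored password, one without.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>admin-userid@example.com/Admin</name>
    <password>constructed-clear-text-secret</password>
    <alias>admin</alias>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>someone@irc.example.net</name>
  </account>
</account>
"""


def find_accounts_files(root):
    """Yield every .purple/accounts.xml under root (a backup tree, for instance)."""
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".purple" and "accounts.xml" in files:
            yield os.path.join(dirpath, "accounts.xml")


def stored_passwords(path):
    """Return [(protocol, name)] for accounts whose <password> is on disk.
    The password text itself is never returned."""
    found = []
    for acct in ET.parse(path).getroot().findall("account"):
        pw = acct.find("password")
        if pw is not None and (pw.text or "").strip():
            found.append((acct.findtext("protocol", ""), acct.findtext("name", "")))
    return found


def loose_permissions(path):
    """True if the file or its .purple directory grants any group/other access,
    i.e. weaker than the 600/700 Pidgin sets on the original."""
    mask = stat.S_IRWXG | stat.S_IRWXO
    file_mode = os.stat(path).st_mode & mask
    dir_mode = os.stat(os.path.dirname(path)).st_mode & mask
    return bool(file_mode or dir_mode)


def redact(path, out_path):
    """Write a copy of accounts.xml with every <password> removed; return the count."""
    tree = ET.parse(path)
    removed = 0
    for acct in tree.getroot().findall("account"):
        pw = acct.find("password")
        if pw is not None:
            acct.remove(pw)
            removed += 1
    tree.write(out_path, encoding="utf-8", xml_declaration=True)
    return removed


def demo():
    """Build a constructed backup tree with typical backup modes, scan it, summarise."""
    root = tempfile.mkdtemp()
    purple = os.path.join(root, "laptop", ".purple")
    os.makedirs(purple)
    path = os.path.join(purple, "accounts.xml")
    with open(path, "w") as fh:
        fh.write(SAMPLE_ACCOUNTS_XML)
    os.chmod(purple, 0o755)   # modes a careless copy would leave behind
    os.chmod(path, 0o644)
    files = list(find_accounts_files(root))
    redacted = path + ".redacted"
    return {
        "files": len(files),
        "accounts": stored_passwords(path),
        "loose": loose_permissions(path),
        "removed": redact(path, redacted),
        "remaining": len(stored_passwords(redacted)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `find_accounts_files` at the root of a real backup to list the copies, and either exclude accounts.xml from the backup set or ship only the redacted copy; the redacted file still carries the account list, so it remains useful for restoring everything except the secret.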

Solved - Adito 0.9.1 Installation Woes 1

Posted by JD 11/20/2009 at 16:26

So, Adito/VPN doesn’t really like Linux. The installation goes better than expected on 32-bit Linux, but if you change any of the configuration settings, then have the admin web page reset the server, the system won’t come back up. This happens on both 64-bit and 32-bit Ubuntu 8.04.x in my experience.

Initially, I installed Adito on a 64-bit Ubuntu Server, but problems with the startup scripts and/or wrapper prevented it from working as far as I can tell. I never, never, never got Adito to work after a reboot on 64-bit Linux. I ended up installing a 32-bit VM under ESXi 4 and loading Adito there. The comments below are for 32-bit Linux, since it was clear that the 64-bit startup scripts/wrapper were beyond my ability to solve.

Even on the 32-bit Adito install, the system has never come back up after changing settings that require a reboot for me. NEVER without doing some extra work. After making any reboot-required changes, only the method outlined below has gotten a running Adito system again.

The Fix

I’ve tried a few methods (UTF-8 settings, hacked startup files, hacked config files, swapped versions of libwrapper crap), only the following has actually worked. As root:

  1. cd /opt/adito (or whatever directory you used)
  2. Delete the conf/webserver.properties
  3. ant install
  4. Login through the web interface at http://host:28080
  5. Step through the install process keeping all the defaults from before. Only the SSL certificate/key will need to be reinstalled.
  6. Reboot and all is well.

I’ve not lost userIDs or policies or tunnel settings doing this.

At some point, I’ll need to figure out how to backup just the settings and DB, without grabbing the entire server image.

What’s the issue?

I can only guess, but I believe it is too much of a mix of java and supporting java tools. According to the blueprint going forward, they plan to swap ant for some other tool and remove libwrapper. Ant is used by all java development teams, so I doubt that really is the issue. libwrapper appears to be a lazy way to set configurations for java web applications. There seem to be incompatible versions shipped with Adito as well. The startup process is overly complex too.

/etc/init.d/adito points to /opt/adito/install/platforms/linux/adito, which is overly complex and reads a config file, /opt/adito/conf/wrapper.conf, which figures out which specific version of wrapper to call in /opt/adito/install/platforms/linux/x86-64/wrapper with the appropriate options (more than 3 options for some reason).

/opt/adito/conf/wrapper.conf is rewritten with every run of ant, which means any time you have to modify it to make it work (UTF-8 character sets), then any use of ant will overwrite those settings. CRAP. There are ways to reset everything with ant or just reset parts. The problem is these resets aren’t explicit in the build.xml file – they are implicit. More crap.

Anyway, the levels of indirection are too complex and just make something that should be

java /opt/adito/lib/adito.war

into something really complex. Yes, I know it isn’t that simple, but it should be. That’s the point.

Update a few weeks later

So we’ve been using the VPN for a few weeks and everything is working well. Performance is good. There are a few things lacking that we’d really like to have, but they are beyond our expertise. Since I’m protecting internal web sites, we didn’t want to leverage LDAP authentication. We really want RADIUS authentication with x.509 certificate exchange. That isn’t a built-in option, so I’ve forced really, really long and complex passwords and don’t allow users to change their passwords to get into the VPN. Their LDAP passwords are still known only to them; it is just the VPN access for which I demand 60+ characters. I deliver the password to each of them in a KeePass database, further insisting they follow good password management and protection methods.

Deployment to the entire company happened a few months ago. We’ve had no issues and have placed all our applications behind this VPN.

Help Make This Data Better

As I review this post, I can see where it could be confusing. It isn’t particularly well written. Please let me know which parts are too confusing to be useful. Oddly, this is one of the most popular posts on this site.

Manage Your Google Data

Posted by JD 11/06/2009 at 08:50

You can manage your google data here https://www.google.com/dashboard/. This is good. I don’t really use all the google apps, but seeing all the searches I’ve made over the last few years and the trend data, was eye opening. I elected to wipe my data, then pause all future capture of that data.

What other data did the dashboard show? I have removed anything personally identifying below.

Account
Name: xxxxxxx
Nickname: xxxx
Email addresses: xxxxxxx@gmail.com, yyyyyy@yyyyyyyy.yyy
Requesting data for Account...
Manage account
Edit personal information
Privacy and security help
Calendar
Country United States
Time zone (GMT-05:00) Eastern Time
Requesting data for Calendar...
Manage calendars
Manage mobile devices
Calendar privacy policy
Contacts
Contacts 58 entries
Requesting data for Contacts...
Manage contacts
Docs
Owned by me 1 document
Most recent: Weight 2008 on Jun 6, 2006
Opened by me 1 document
Most recent: Weight 2008 on Jun 6, 2006
Starred 1 document
Most recent: Weight 2008 on Jun 6, 2006
Requesting data for Docs...
Manage documents
Sharing documents
Finance
11 securities in 1 portfolio:
My Portfolio 11 securities
Portfolio value: $0.00 at Nov 6, 2009
Requesting data for Finance...
Manage portfolios
Gmail
Inbox 11 conversations
Most recent: TTTTTTTTTTTTTTTTTTTTTTTT at 7:42 AM
All mail 40 conversations
Most recent: TTTTTTTTTTTTTTTTTTTTTTTT  at 7:42 AM
Sent mail 7 conversations
Most recent: gmail test on Oct 11, 2009
Spam 2 conversations
Most recent: Ref: ssssssssssssssss on Oct 30, 2009
Trash 25 conversations
Most recent: New private message has arrived on Oct 18, 2009
Requesting data for Gmail...
Manage chat history
Manage HTTPS settings
Manage all Gmail settings
Gmail privacy policy
Privacy and security help
IGoogle
Gadgets installed 10 gadgets
Most recent: on Jan 24, 2008
Tabs 1 tab
Most recently added:
Requesting data for IGoogle...
Manage iGoogle settings
iGoogle privacy policy
Profile
About me 2 entries
Name: xxxxx xxxxxx
Profile URL: http://www.google.com/profiles/pppppppppppppppppppppp
Requesting data for Profile...
Edit profile
Manage sharing of contact info
About access and privacy of profiles
Talk
Contacts 1 contact
Sample Contact: zzzzzz@gmail.com
Requesting data for Talk...
About talk
Talk privacy policy
Voice
History 140 calls
Placed calls 4 calls
Trash 36 items
Forwarding phones 2 phones
Requesting data for Voice...
Manage Greetings
Manage Google Voice settings
About privacy and security in Google Voice
How voicemails are transcribed
Web History
Web History: Disabled
Requesting data for Web History...
Remove items or clear Web History
Web History help
Web History privacy policy
Web History privacy FAQ
Other products
Google Maps

There was a list of 3rd party sites with access to this data too. I didn’t recall authorizing any of them. Data removed and future 3rd party access prevented.

Major kudos to google for allowing us to manage our data and privacy settings.

I did leave some of the private data out there for use. It isn’t important to me. Your internet use may tell others things that are better not shared. Suppose you search on a medical term because a friend tells you a story about his mother. That search term is saved and tied to your account. What happens if 5 yrs later you end up being medically diagnosed with that illness? Your insurance company may start legal discovery efforts, or just pay google for the data. Now they refuse to cover your treatment since it was a pre-existing condition. Even if you don’t care about this, you know someone who does. What if you search for foods that are bad for you or visit weight loss web sites for 5 years? Expect your insurance company and the govt to have access to this data. If it is stored, it will get out.

It should be noted that if you aren’t logged into your google account, the data captured doesn’t appear to be correlated with your account. That doesn’t mean it isn’t captured by your IP address or a google cookie, stored, and correlated. Further, you can’t manage that data with the dashboard. Google writes about this other data.

Today, google is a little less evil. Until they let me remove my data from other peoples’ accounts (contacts, phone calls, email addresses), I’ll still avoid using google with an expectation of privacy.

11/8: The Washington Post Security Fix guy has an article on this now too.

Why Not Use AntiVirus That You Already Bought?

Posted by JD 10/31/2009 at 17:01

If you have broadband internet service in the USA, chances are you already pay for commercial antivirus programs. AT&T, Verizon and Comcast all provide commercial AV with their broadband services. Here are the links:

Microsoft also has entered this market with a very competitive free download http://www.microsoft.com/Security_Essentials/. The reviews so far are good. I can’t recommend it myself, it needs time to prove it works. However, I have switched to using it since it came out of Beta. I don’t use Windows much, so my risk is very low.

In short, since you’re already paying for these commercial antivirus programs, why spend money on them again? Use the free versions that your ISP provides.