Blog Posts
Another year, another new year's post
Sunday, January 01, 2012, by Sam Whited

Security on the Internet
Saturday, June 18, 2011, by Sam Whited

Website Security
One of the most basic ways you can protect yourself online is to visit social media sites, email, etc. via SSL where supported and to enable any options that force SSL encryption. These options are available on all the major social-media / webmail sites, including Facebook, Twitter, Gmail, and Hotmail.

If you own a website or other internet-based service that doesn't implement SSL/TLS, enabling encryption is one of the best (and easiest) things you can do to secure your site and protect your visitors. This is as easy as purchasing and installing a certificate from a trusted Certificate Authority. I recommend RapidSSL (49.00 USD / year) or Network Solutions (39.99 USD / year). Unfortunately, SSL certificates do often cost good money, and this can be tough on individuals or small businesses. However, it is possible to secure your site using a free CA such as CAcert or StartSSL. The trade-off is that these certificates are not trusted by as many browsers, so your users may see confusing warning messages when trying to visit your site over HTTPS unless they install your provider's root certificate.

Bear in mind that your SSL certificate is only as strong as the protection of your private key (the part of the certificate that is installed on the server). SSL only works as long as no one else has access to the private key which is used to encrypt communications, so if your private key is stolen—perhaps due to a server vulnerability, or an attacker gaining physical access to the machine—there's no guarantee that the encrypted channel is actually private. If you're not using an untrusted or self-signed certificate, you might also consider enabling the "Strict-Transport-Security" header, which tells modern browsers that your site supports SSL and that they should use it whenever possible.
Another simple thing you can do to protect your website is to make sure your forms are not vulnerable to SQL injection (or, more generally, code injection). The recent PBS / Sony hacks were performed by a simple tool which automatically injected SQL code into a page using the login form. This sort of problem is one of the deadly sins of the web; it is absolutely inexcusable to be vulnerable to such simple attacks. If you're interfacing with a database, either use existing libraries which are known to be secure, or use parameterized statements. Many site owners think that because they sanitize their input, they'll be okay. However, this approach is fairly naive, and won't catch 100% of the tricks hackers use to bypass your security.
Even following these basic steps, it's still (easily) possible that some little oversight may lead to a vulnerability and your site could be compromised. When this happens, what data could an attacker get? If the answer is "plaintext passwords," you're still doing it wrong. Lots of companies choose to store user passwords in plaintext, meaning that anyone who gets a dump of the password database can instantly log in as any user and compromise other user data (perhaps due to that cardinal sin, password reuse). Have a little respect for your users and save their passwords as salted hashes.
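The two points above (parameterized statements instead of string-built SQL, and salted hashes instead of plaintext passwords) can be seen together in one small login flow. The code below is an added example, not code from the original post or from any site the post mentions: the in-memory SQLite table and the "alice" account are constructed sample data, and PBKDF2-HMAC-SHA256 is my choice of salted hash, since the post only says "salted hashes" without naming a function. The string-concatenated lookup is kept only as the "before" for contrast with the placeholder version.

```python
import hashlib
import hmac
import os
import sqlite3

# Parameters for the salted hash (assumption: PBKDF2-HMAC-SHA256; the post
# names no particular function). Raise ITERATIONS as hardware allows.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex', using a fresh random salt per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def make_db():
    """Constructed in-memory user table with a single sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse"))
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': the username is spliced into the SQL text, so a quote
    character in it rewrites the WHERE clause. Kept only for contrast."""
    query = "SELECT username, pw_hash FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchone()


def lookup_parameterized(conn, username):
    """The fix: a placeholder. The driver sends the value separately from the
    SQL text, so whatever the user typed is compared as data, never parsed."""
    return conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()


def login(conn, username, password, lookup=lookup_parameterized):
    """Look the user up, then verify the candidate against the salted hash."""
    row = lookup(conn, username)
    if row is None:
        return False
    return verify_password(row[1], password)


if __name__ == "__main__":
    conn = make_db()
    print("valid login:", login(conn, "alice", "correct horse"))
    print("wrong password:", login(conn, "alice", "wrong"))
    # A quote in the username changes the concatenated query's meaning but
    # is inert when passed through a placeholder.
    probe = "' OR 1=1 --"
    print("concatenated lookup matched a row:", lookup_vulnerable(conn, probe) is not None)
    print("parameterized lookup matched a row:", lookup_parameterized(conn, probe) is not None)
```

Two things worth noticing when running it: the same password hashed twice yields different stored strings because each call draws a fresh salt, which is what stops a leaked table from being attacked with one precomputed list; and the concatenated lookup returns a row for input that is not a username at all, while the placeholder version returns nothing, because the database never parses the user's text as SQL.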
Email Security
Email security is another beast altogether. As stated in the IETF's RFC 1855, "Unless you are using an encryption device (hardware or software), you should assume that mail on the Internet is not secure. Never put in a mail message anything you would not put on a postcard." Email encryption is an underutilized tool that should be used whenever possible. Most mail clients support either S/MIME or PGP/MIME, and even if they don't, attachments and text can always be encrypted and/or signed (so that a recipient knows they came from you) with a free program such as GnuPG, which implements the OpenPGP standard. Personally, I prefer PGP to S/MIME when signing and encrypting emails. For the system to really work, unfortunately, everyone needs to encrypt all of their email all of the time. This way an attacker can't tell the difference between emails containing sensitive data and those that contain pictures of your cats.
Other simple steps you can take to ensure your email is secure include implementing a two-factor authentication system. This approach is becoming more popular among the consumer sector, with Gmail recently implementing it for regular and Google Apps users. Two-factor authentication can take many forms. Gmail's approach involves calling or texting the user's cell phone and giving them a code which they must enter every time they log in (along with their username and password). Two-factor authentication can be used for much more than email, however. It's common practice to require it when logging into websites, remote servers, and even for physical locks.
Conclusion
There are all sorts of ways to enhance your security online, and there are many more I'd love to cover here (such as using public-key authentication for SSH connections), time permitting. However, for now, enough—and then some—has been said. Online security is important to the modern internet, and even a basic knowledge of general good security principles goes a long way towards protecting you and/or your customers. With that in mind, I encourage you to think about your own security, and work towards improving it in the future.
EDIT: After taking recent events into account, I've decided not to even entertain the argument that Lulz Security is a grey hat group. Their antics were always in rather bad taste, but now they're just plain disgusting.
EDIT: And now there's this. Confirmation, directly from Lulz Security, that they are no more than petty cyber-crooks.
World IPv6 Day: Intent to participate
Wednesday, January 12, 2011, by Sam Whited
As you might have read, the Internet Society Newsletter today announced World IPv6 Day. The intent is for major websites which previously only had IPv6 connectivity on subdomains to create AAAA records for their homepages on 08 June 2011 and test them for 24 hours. Though the event is designed for websites owned by large companies with millions of viewers, IPv6 is just as important for people running low-traffic personal websites.
With this in mind, I am announcing my intent to participate in World IPv6 day, however, I would like to take it a step further. By most estimates, having a dual stack running IPv4 and IPv6 will only cause connectivity problems for some 0.05% of users [1]. Before and after June 8th, I will begin carefully monitoring access to my website and looking for changes and trends in the data. If at the end of the day I find that having IPv6 connectivity on the main site does not adversely affect the majority of my users, I will be permanently enabling IPv6 support on SamWhited.com.
I have sent my intent to participate to the Internet Society, and hope they will see that their mission affects large companies and small websites alike. The traffic generated from being an official part of IPv6 day (both before, and after the event) would give me a much better baseline and signal to noise ratio to work with as I monitor my traffic this June.
With only ~37 days' worth of IPv4 addresses remaining as of 12 January 2011, it is imperative that ISPs and device manufacturers begin to take a look at restructuring their services to include IPv6 [2]. NAT is only a temporary solution, and cannot be allowed to grow at the ISP level. We all share a mission to ensure a widely available and open internet, where users are free to consume and generate content without being locked into the rigid rules of the old and dying protocols used by their ISPs. Some people say the way forward is not clear, and many argue—correctly—that it may be costly. However, in the end, IPv6 is the only way to save the internet from suffocation, and move forward into an ever more open playing field.
EDIT: On January 14th I received the following reply from ISOC’s Phil Roberts:
Hi Sam, thanks for your interest. I've had quite a few responses from individuals who have their own website. I'm not sure we're going to list individuals but we may, and if so, you're [sic] site is in my database. Regards, Phil
Hopefully they will realize that IPv6 affects large and small alike, and list smaller websites as well so that we can all improve our quality of service. If you would like to see smaller sites represented, contact ISOC and let them know!
The “New Year Post”
Saturday, January 01, 2011, by Sam Whited
Though I've only had 4 posts since last year's new year post (and most of them short) I've been keeping busy, and productive: everything I wish for you in the new year!
From me, and Goliath the Eastern Screech Owl (Megascops asio), have a wonderful 2011, and happy 23-day (01/01/11)₂!
Redesign
Thursday, October 07, 2010, by Sam Whited

Mass Hardware Failure
Monday, June 14, 2010, by Sam Whited
A few days ago I experienced something which I'm still scratching my head over… massive hardware failure across several independent systems. It started when my external hard drive which houses my backups died. The next day, my laptop died, and the day after that, my netbook started running extremely slowly, failed to boot once or twice, blue screened once, and has been showing all sorts of other symptoms (sporadically though; it works fine at other times).
Since I don't have the money to buy a new laptop, I'm building a desktop (currently on Newegg.com, but I'm buying the parts wherever I can find the best deals). To that end, if anyone has any hardware recommendations or ways I can make my purchase a bit cheaper, I'd love to hear them. I'm currently looking at an Intel-based machine (Core i7-920 or 930), but if anyone has AMD suggestions I'm willing to hear those too.
My current build is here (clearly this is not complete and has duplicates of some parts which I am considering). Any and all suggestions are welcome, this list will continue to change as I get feedback from those more knowledgeable than myself.
