Category Archives: Linux

All HTTPS all the time, With HSTS to boot

I’ve been brushing up on my web security best practices recently.  OWASP is a great resource for this!  One of their recommended best practices is HTTP Strict Transport Security (HSTS).  The first step is redirecting traffic from unencrypted HTTP to HTTPS.  That redirect is itself a weak spot, though: every first visit over plain HTTP is a window for a Man in the Middle to intercept or rewrite the request before the browser ever reaches the secure site.  HSTS closes that window by having the server tell the browser, in a response header, to remember that this host is HTTPS-only and to rewrite any http:// URL to https:// before the request is even sent.  This, in a nutshell, is the HSTS solution.

I’ve updated plip.com and blog.plip.com to be served exclusively over HTTPS.  This is thanks to a *.plip.com wildcard certificate from Global Sign. After setting up Apache to use the certs on the SSL vhosts, I then needed to redirect all traffic away from HTTP.  For plip.com, this was a simple Apache rule in the HTTP vhost (a RewriteRule whose target is an absolute https:// URL issues a redirect, but it's a temporary 302 unless you ask for a permanent one with the R=301 flag, and L stops any later rules from running):

# send everything to HTTPS as a permanent (301) redirect and stop processing further rules
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

And then for blog.plip.com, iThemes had this codex entry about a simple plugin to rewrite HTTP to HTTPS; I followed the second option on their page.  They do caution that this plugin might have performance drawbacks, as you’re parsing every post on the fly.  You can fix this if you’re running a caching system, like W3 Total Cache, which I am! W3TC recommends you fix slow HTTPS calls by enabling caching of HTTPS: go to Performance -> Page Cache and check “Cache SSL (https) requests.” Easy peasy!

Now to add the HSTS header to the response.  One caveat first: browsers only honour Strict-Transport-Security on a response received over HTTPS, so the header has to come from the HTTPS side; a copy on a plain HTTP response is simply ignored.  (With a wildcard cert it’s tempting to add includeSubDomains as well, but only do that once every subdomain really is HTTPS-ready, because the browser will refuse plain HTTP to all of them for the whole max-age.)  For plip.com this is easy as I have a single PHP header file for the entire site, so the header goes out on both sides and the HTTP copy does no harm. I just added this line (max-age is in seconds; 31536000 is one year):

header('Strict-Transport-Security: max-age=31536000');

For the blog, I extended the simple iThemes plugin by adding these lines:

add_action( 'send_headers', 'add_header_hsts');
function add_header_hsts(){
        header('Strict-Transport-Security: max-age=31536000');
}

Special thanks to the WordPress Codex on how to set headers as well as a random post over at Hakre on WordPress on how to format the HTTP header in PHP for HSTS.
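As an added check (example code, not from the post or from any of the plugins it links), here is an offline verifier for the two things set up above: that the plain-HTTP side redirects permanently to the same https:// URL, and that the HTTPS response carries a well-formed Strict-Transport-Security header with a long enough max-age. The `Response` class is a stand-in for whatever HTTP client you use, and the sample responses at the bottom are constructed, not captured from plip.com.

```python
"""Offline check of the HTTP-to-HTTPS redirect and the HSTS header set up above."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Response:
    """Minimal stand-in for an HTTP client's response object."""
    url: str
    status: int
    headers: Dict[str, str]

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup, since HTTP header names are case-insensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse a Strict-Transport-Security value into {directive: argument}.

    Per RFC 6797: directives are separated by ';', names are case-insensitive,
    max-age is required and must be a non-negative integer, and no directive
    may appear twice.  Raises ValueError for a value a browser would ignore.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("HSTS max-age missing or not a non-negative integer")
    return directives


def check_hsts_setup(http_resp: Response, https_resp: Response,
                     min_max_age: int = 31536000) -> List[str]:
    """Return the problems found; an empty list means the setup is as intended."""
    problems: List[str] = []

    # 1. The plain-HTTP side must redirect permanently (301 or 308) so browsers
    #    cache it.  A RewriteRule to an https:// URL with no [R=301] flag gives a 302.
    if http_resp.status not in (301, 308):
        problems.append(f"HTTP response is {http_resp.status}, "
                        "expected a permanent redirect (301/308)")
    location = http_resp.header("Location") or ""
    want = urlsplit(http_resp.url)._replace(scheme="https")
    got = urlsplit(location)
    if got.scheme != "https":
        problems.append(f"Location is not an https:// URL: {location!r}")
    elif (got.netloc, got.path) != (want.netloc, want.path):
        problems.append(f"redirect changes host or path: {location!r} "
                        f"instead of {want.geturl()!r}")

    # 2. HSTS is only honoured on responses received over HTTPS (RFC 6797 8.1),
    #    so only the HTTPS response is inspected; an HTTP copy is ignored anyway.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        try:
            directives = parse_hsts(hsts)
        except ValueError as exc:
            problems.append(str(exc))
        else:
            if int(directives["max-age"]) < min_max_age:
                problems.append(f"max-age {directives['max-age']} is below {min_max_age}")
    return problems


# Constructed sample responses (assumed, not captured from plip.com).
HTTP_302 = Response("http://plip.com/about", 302, {"Location": "https://plip.com/about"})
HTTP_301 = Response("http://plip.com/about", 301, {"Location": "https://plip.com/about"})
HTTPS_OK = Response("https://plip.com/about", 200,
                    {"strict-transport-security": "max-age=31536000"})
HTTPS_NO_HSTS = Response("https://plip.com/about", 200, {})
HTTPS_BAD_HSTS = Response("https://plip.com/about", 200,
                          {"Strict-Transport-Security": "includeSubDomains"})

if __name__ == "__main__":
    for label, plain, secure in [("302 redirect", HTTP_302, HTTPS_OK),
                                 ("301 redirect", HTTP_301, HTTPS_OK),
                                 ("no HSTS", HTTP_301, HTTPS_NO_HSTS),
                                 ("no max-age", HTTP_301, HTTPS_BAD_HSTS)]:
        print(f"{label}: {check_hsts_setup(plain, secure) or 'OK'}")
```

To run it against a live site, fetch the http:// URL with redirects disabled and the https:// URL normally, wrap the two results in `Response`, and pass them in; the 302 case is exactly what the Apache rule produces when the R=301 flag is left off.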

Plip.com has absolutely zero effect on the big players, and the EFF would never care about giving me a report, but I’m scoring 4 out of 5 on the EFF’s Encrypt the Web report:

  1. Plip doesn’t have a data center, but all connections for administration are encrypted.
  2. Plip now, of course, supports HTTPS
  3. Plip now supports HSTS
  4. Plip does not support Forward Secrecy
  5. As Plip uses Google Apps, it supports STARTTLS

Looking at what it takes to set up my ciphers, I’m still gonna shoot for getting a perfect 5 of 5!  Forward secrecy comes down to the cipher suites: the server has to offer, and prefer, ephemeral Diffie-Hellman key exchange (the DHE or ECDHE suites), so that a future compromise of the server’s private key can’t be used to decrypt traffic that was captured earlier.


Meego 1.2, Meego Laptop and a MacBook Air

As many of you know, I’ve had an on again, off again, and then on again affair with Meego. I love that lil’ guy! You may have expected me to be quite excited about the recent release of Meego 1.2, including a netbook refresh. Since I was running Meego on a netbook, you may have then also expected me to be super excited about the very recent announcement of the ASUS Eee PC X101. This is a 2lb laptop that runs Meego and is expected to cost $200. Sweet!

However, as you may have guessed from the title of this post, I’m not running Meego any more. I’m running OS X on a MacBook Air 11″. I had crossed the threshold from tinkering around on a laptop to wanting to commute with one every day. Indeed, 2lb was my sweet spot for a laptop. I wasn’t that stuck on the OS as my apps are all cross platform enough. I seriously considered many different netbooks and then the MacBook Air came out. The 11″ was just over 2lb, included a full size keyboard, had a 1366 x 768 screen and a 5 hour battery. It was also insanely small. For a relatively paltry $1000, there was simply no laptop, regardless of OS, that had all of the above features. Period. Though I think the new Eee X101 will be very cool, it lacks the screen resolution of the Air. I briefly considered the Sony Vaio X (no longer available) which met all my requirements, but it was a pretty penny to pay for an Atom processor.

“But if you want something super light, what about an iPad?”, you ask? I do agree, an iPad’s insanely long battery life coupled with 1.3lb weight has some handy uses: a cross country plane ride, long regular commutes where you want to read the news and browse email, or when you need a super light weight video conference rig. But what about when you want to run an IDE? What if you want to compose a 3 page (7,500 character) long email? What if you want to flip back and forth between the 3 browsers you have open to check how your code renders? The answer is clear: you need a laptop.

I’ve been super happy with my Air and I wish the best of luck to Meego.


How to spam this blog

As a follow up to last week’s post (How to comment on this blog), this week I bring you the results of the no-captcha test.

After much spam slipping through reCAPTCHA, I decided to nix a captcha altogether. Originally I thought that just requiring a field via javascript and doing no server side checking would work. This was silly of me, of course. The spammers, having the source code of WordPress, would just blindly POST a comment straight to the comment handler for any post, bypassing any client side JS checks I had in place, because a check that only runs in the browser never runs for a bot that never loads the page.

The fix was to create a field that spammers don’t already know about, the way they know reCAPTCHA’s. Further, if it is appended via javascript, then it is even harder to automate, since a bot has to execute the page’s scripts just to learn the field exists. I wrote the simple-math plugin (have a copy!) and implemented it as follows:

  • Turn off reCAPTCHA
  • Add a field via javascript
  • Ask a simple math question, validated in client side JS
  • Only validate that the field exists, not that the math is right, on the server side

The jury is in, and I’m fully vindicated. Here are the stats (Attempts per Visit is comment attempts divided by hits; Defense Success Rate is the share of attempts that were thwarted):

Period                       Hits   Comment    Comment     Attempts    Defense
                                    Attempts   Successes   per Visit   Success Rate
Feb 6th-12th                 1191      57         17         4.79%      70.18%
Feb 12 11pm - Feb 13 10am      58      20         13        34.48%      35.00%
Feb 13th-Feb 18th            1204     132          0        10.96%     100.00%


Two things stand out. The first is that the average number of raw hits (excluding me, Yahoo and Google) was the same week to week. Second, the number of attempts more than doubled (57 to 132), and 100% of them were thwarted (Defense Success Rate). Again, I suspect this is all possible because it’s not easy, nor worthwhile (it’s OK, plip isn’t a big blog, I know…sniff), to automate spamming against one-off solutions like mine; a bot written for this blog specifically would get through, since the server only checks that the field is present.

I should note that I used the free version of Splunk to garner the ad hoc stats for this post. As I was hemming and hawing on whether to count cookies or IPs or hits, it wasn’t worthwhile to use old school command line style stats. Splunk scoffs at this level of stats and reporting. Really, it’s above it, but will happily crank out what you ask of it with ease. Here’s a purty graph:

Caveat Emptor: I work at Splunk.
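The same metrics computed from raw access logs, as an added example (not the blog’s code and not the Splunk search used for the table). The post doesn’t say exactly how the counts were taken, so this makes the following assumptions: a hit is any request not from the author’s own address or a search-engine crawler; a comment attempt is a POST to WordPress’s wp-comments-post.php; an attempt succeeds when WordPress answers with its usual 302 back to the post and is thwarted when the missing-field check rejects it with any other status. The log lines are constructed in Apache combined format using RFC 5737 documentation addresses, and the own-IP value is a placeholder.

```python
"""Reproduce the spam table's metrics (hits, attempts, successes, rates) from access logs."""
import re
from typing import Dict, Iterable

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
OWN_IPS = {"203.0.113.7"}                         # assumed placeholder for the author's own address
CRAWLER_RE = re.compile(r"Googlebot|Yahoo! Slurp", re.I)
COMMENT_ENDPOINT = "/wp-comments-post.php"         # WordPress's comment handler


def attempts_per_visit(hits: int, attempts: int) -> float:
    """'Attempts per Visit' column: comment attempts as a percentage of hits."""
    return round(100.0 * attempts / hits, 2) if hits else 0.0


def defense_success_rate(attempts: int, successes: int) -> float:
    """'Defense Success Rate' column: share of attempts that did not get through."""
    return round(100.0 * (attempts - successes) / attempts, 2) if attempts else 100.0


def spam_stats(lines: Iterable[str]) -> Dict[str, float]:
    """Count hits, comment attempts and successes over log lines, excluding the
    author and crawlers as the post does, and derive the table's two rates."""
    hits = attempts = successes = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip malformed lines
        if m["ip"] in OWN_IPS or CRAWLER_RE.search(m["agent"]):
            continue                                   # exclude me, Google and Yahoo
        hits += 1
        if m["method"] == "POST" and m["path"].split("?", 1)[0] == COMMENT_ENDPOINT:
            attempts += 1
            if m["status"] == "302":                   # assumed: 302 == comment accepted
                successes += 1
    return {
        "hits": hits, "attempts": attempts, "successes": successes,
        "attempts_per_visit": attempts_per_visit(hits, attempts),
        "defense_success_rate": defense_success_rate(attempts, successes),
    }


# Constructed sample log: one real visitor who comments, one blind spambot that
# POSTs twice without ever loading the page, one crawler and one request by me.
SAMPLE_LOG = """\
198.51.100.10 - - [14/Feb/2011:09:12:01 -0800] "GET /how-to-spam-this-blog/ HTTP/1.1" 200 18342 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6"
198.51.100.10 - - [14/Feb/2011:09:12:02 -0800] "GET /wp-content/plugins/simple-math/simple-math.js HTTP/1.1" 200 611 "http://blog.plip.com/how-to-spam-this-blog/" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6"
198.51.100.10 - - [14/Feb/2011:09:14:40 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.plip.com/how-to-spam-this-blog/" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6"
198.51.100.77 - - [14/Feb/2011:09:20:05 -0800] "POST /wp-comments-post.php HTTP/1.1" 500 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.77 - - [14/Feb/2011:09:20:06 -0800] "POST /wp-comments-post.php HTTP/1.1" 500 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.33 - - [14/Feb/2011:09:30:00 -0800] "GET /how-to-spam-this-blog/ HTTP/1.1" 200 18342 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [14/Feb/2011:09:45:10 -0800] "GET /wp-admin/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0 (Macintosh) Chrome/9.0"
"""

if __name__ == "__main__":
    print(spam_stats(SAMPLE_LOG.splitlines()))
    # The two rate functions reproduce the table above from its raw counts, e.g.
    # the first row: 57 attempts over 1191 hits with 17 successes.
    print(attempts_per_visit(1191, 57), defense_success_rate(57, 17))
```

Feeding `attempts_per_visit` and `defense_success_rate` the raw counts from the table gives back its percentage columns exactly, which is a quick sanity check that the table was computed the way the headers suggest.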


Meego Redux: 1.1 Released

If you recall, I fell in love with Meego a bit ago. Then, we broke up, and I left Meego for Ubuntu Netbook Remix (UNR). Guess what? Yup, just like the title of this post suggests, I’m back to Meego. Yesterday was their 1.1 release and the netbook flavor with Chrome is ready for the Live USB Key, easy install testing. I skipped over the live USB thing and cut right to the chase to install it over UNR.

I went to go install some of the key apps that I use and bumped into a few problems. I’ll sketch ’em out here in case any one else is an early adopter like me:

  • No more yum: Well, yum is still available to install, but it’s not there by default. Instead the fine folks at Meego are shipping ZYpper. Works just the same, but for the not so distro savvy nerds like me, I had to search around in the forums to figure out what was what. Thanks physalis!
  • KeepassX: The next problem I found was that KeepassX’s download page had 404 links for the Fedora packages. When I found that the Fedora 12 page DIDN’T 404, I downloaded THAT version of KeepassX. Welp, that version didn’t like the current version of Qt that ships with Meego. Finally, I searched around and found a slightly out of date version at hany.sk
  • Dropbox: Nothing really tricky here. Their download page has a “Fedora (x86 .rpm)” package. For both KeepassX and Dropbox, installing the downloaded .rpm looks like this:
    sudo zypper install nautilus-dropbox-0.6.4-1.fedora.i386.rpm

For those keeping tabs, I did do a write up on configuring Meego mail and calendar, which appears to be all the same in 1.1 as it was in 1.0. At first blush, it seems a little tricky to set up with Google Apps, where plip.com’s mail is, but we’ll hack away.

Next up: Installing Skype. Happy Meego-ing!

Update: Skype installed no problem, and the Qt warning seems to be around fonts. A forum tip on font hinting worked wonders to make Skype and KeepassX look sharp (actually, look anti-aliased).


Jolicloud OS is just Ubuntu Netbook Remix

After seeing a post over on Engadget about the new Jolicloud, I decided to check it out. It quickly became apparent that it is just Ubuntu Netbook Remix (UNR) with a different skin and a nice Jolicloud app. Looking at some forum posts and the comments on the above Engadget link, my opinion isn’t too novel or new. What is disappointing is that Engadget fronts like this is something more amazing than UNR’s latest release, which I run and like.

Me? I’m waiting for Meego 1.1 which is expected to drop in October.


Google: gmail, mail and calendar sync with Meego Netbook (Google Apps Too!)

Recently a reader inquired about how to set up Meego to sync with gmail mail, calendar and contacts based off me mentioning I got it working.  I use Google apps for mail hosting at plip.com, so this applies to both gmail and Google Apps (domains that use gmail for their email server).  Settings are based off IMAP settings for Thunderbird.

Here are the steps I took for a clean install of Meego (see matching screenshots below too):

  1. Launch Mail for the first time
  2. Enter your Google Apps or Gmail login info (per Google’s IMAP settings or the Thunderbird settings)
  3. Choose IMAP (again, per Google’s IMAP settings or the Thunderbird settings)
  4. Configure SMTP (again, AGAIN, per Google’s IMAP settings or the Thunderbird settings)
  5. Confirm and make sure contacts and calendar are checked
  6. Mail works!
  7. Launch Calendar and Contacts
  8. Contacts synced!
  9. Calendar synced! (no screenshot :( )


Ubuntu Netbook Remix update

I know, I know, you have been waiting to hear how it is going with the new OS on the netbook. Well my dear readers, I have some good news and some bad news.

First the bad news. The bad news is that Meego really felt snappier and more polished. Though there’s a lot of overlap in software (Evolution, for example, is standard on both), something about the simplicity of Meego won out. Both come with a simple window manager and both can be easily extended with new apps, but Meego was more of what I wanted and less of what I didn’t. Example: the auto hide task bar on Meego is nice because screen real estate is so precious. This I want. Ubuntu’s entire OpenOffice suite, this I don’t want. Also, Meego loads apps faster (eg Chrome) and boots waaaay faster.

Now the good news: the sleep problem is fixed and AIM totally works. The sleep fix was very satisfying; just following the script in the linked superuser post totally worked. Snap the lid shut and it goes right to sleep. Click the power button and it springs back to life in under a second. In general Ubuntu is quite nice.

I wonder how EasyPeasy is doing these days?


Bye Bye Meego, Hello Ubuntu Netbook Remix

Meego, as I mentioned before, is really really cool. I was able to get all my apps installed and even managed to get my Google calendar, mail and contacts syncing by just adding it via the email client under IMAP (BTW – Meego, you should really highlight that feature!). All the apps even appeared as a native icon alongside the pre-installed ones, which is a really nice touch. Alas, the lack of a working AIM client is just too much. It’s my primary IM network and it just bugged me that it didn’t work. Which is too bad, because Meego is so close to being perfect. Well, too bad about AIM and about sleep.

So, what to do? After reading Mr. Doctorow’s latest post, I was reminded about good ol’ Ubuntu. Sure enough, there’s a Netbook remix. Let’s give it a whirl! USB key is prepped and primed and install is imminent.

Also – I love love love (yeah, 3 times) Pendrivelinux.com! This is a super easy way to create bootable USB drives (aka live “CDs”) of your local linux distro. The old days of some crazy fdisk silliness are gone. Now it’s just point and click. Love it.

Stay tuned for my Ubuntification!


New Love: Meego

A bit ago I read a post about Meego 1.0 being available. I had a great Acer netbook that was suffering from a slow slow install of XP. I’d been thinking of going to Linpus, which originally shipped with the Aspire Ones. However, Meego had a great live, bootable USB download which allowed me to give the whole OS a spin on my hardware. Everything just works: webcam, USB bluetooth dongle, wifi, NIC and internal SD Card.

Last night, I took the plunge and installed it over XP.

Today, I’m happy to report I’m never going back to XP on this lil’ guy. I got Dropbox, KeepassX, Synergy and sshd all working without a lot of hassle. The boot time is insanely fast. Google Chrome is WAY faster than FF3.6 in XP. I am a very happy camper.

Go Meego today! Full disclosure – sleep looks to be broken :(

Update: It looks like AIM is broken too. That’s a real bummer because it’s my main IM network.
