Matthew's Weblog

A friend of mine, Bill, found out that his password had been mailed to him in plaintext from his ’shiny, new 401k’ and he wrote about the disconcerting experience of a financial services company being careless with security. Having worked in a financial services company, I can only say that the troubles he encountered are not that bad… you should have seen some of the sausage in the factory I worked in.

That said, Bill violated a crucial rule of security and he needs to learn it as much as the Schwab folks need to learn their own lessons:

Never, never, never depend on someone else to provide your security.

Bill “used one of his common passwords”… and you shouldn’t have any of those. A common password is a common vulnerability, especially because you can’t know how companies will protect your passwords or your data — as he unfortunately learned. To avoid this, you can use a desktop application (such as the free Password Safe, originating from Bruce Schneier’s Counterpane Labs) or a browser plug-in (such as Password Hasher or Secure Login or any of the other 48 listed on the addons site) or the Mac’s built-in Keychain app so you can generate random passwords and never, never reuse them. Personally, I’ve been using Password Safe for years.

He also offers great tips for websites to make their applications more secure, like not asking for really constant, common, data like mother’s maiden name. The other option is to not answer with an expected response. Mother’s maiden name? Istanbul. Honeymoon location? Jones. And so on…

Never trust someone else’s security.

Technorati Tags: security, password, firefox

More quick reference links to apache goodness: mod-rewrite and virtual hosts overview. Next step, hooking up the rewrite so my old-format links with multiple blogs point to the new-format post URLs. sigh.

Wordpress is simple, but it still isn’t psychic.

And I also found that Redhat has a nice overview of named for those of us still learning BIND.

from a tech reference article…

• once connected open the file:

• /var/ipcop/ovpn/server.conf

Add a line for each XXX subnet you want:

• push “route 192.168.XXX.0 255.255.255.0?

Comprehensive Wordpress Plugin Database with Plugins Tracker

AskApache htaccess password builder

and then some tips on WP security:
drop version string
block viewing of plugins/themes folders
and htaccess (see link above)

whoops, almost forgot Lorelle’s mention of a theme security scanner… which is this security scanner here.

Technorati Tags: wordpress, security

here’s a handy tool to validate pdf files in java

Technorati Tags: pdf, java, validate

From a WebCT Student FAQ:
Prevent Internet Explorer from opening
Office files inside browser windows

Note: This tip for PC users applies
only to Internet Explorer, running under Microsoft Windows 2000 or XP.

Are you tired of Internet Explorer’s
insistence in opening Microsoft Office files (Word, Excel or Powerpoint)
in a captive window within the browser? If you would rather have IE open
Excel or Word documents in the native applications (and even give you a
choice to save it to disk), here’s how you can do it…

1. First open any folder (My Documents
   or a regular file folder) and click the “Tools” menu item, then select
   .

   
   
    

2. On the resulting dialog box, click
   the “File Types” tab (it may take a bit of time to build the list),
   then scroll in the “Registered file types:” window until you find the
   appropriate extension(s) for the files whose behavior you want to
   change (DOC for Word files, XLS for Excel files, or PPT for PowerPoint
   files) and highlight (i.e., click) it.

   
   
    

3. Click on the
   
   button to get to the settings for this file type (in the Edit File
   Type dialog).

   
   
    

4. UNCHECK
   the “Browse in same window” option, and, if you want to have the
   browser ask whether to save or to open the file each time you
   encounter one, check the “Confirm open after download” box.

You’re done! Now, whenever you click a
link to a file having the extension you just changed, Windows will ask
you whether to save the file to disk or to open it… and if you choose
open, it will do so in the native application for the file, rather than
in an embedded (and limited capability) browser window.

From the same Slashdot computer-configuration article:

On Windows
(Score:5, Informative)
by ewhac (5844) on Thursday April 05, @12:32PM (#18625205)
I’ve done this a couple of times recently — once for my new machine, and once for a friend of mine whose machine got pwn3d. My checklist works roughly like this:

* Perform an inventory of the hardware in the machine. Note especially the vendor and model number of the major components. You’ll need this later.
* Establish partitions on the boot drive (only if I’m dual-booting Linux or BeOS or something).
* Yank network cable.
* Install Windows from installation media. This takes a ridiculous amount of time, considering that most of the work is (should be) simply copying files. Reboot.
* Install Service Pack 2, which I conveniently have on a separate CD I burned. Reboot.
* Crank up Windows firewall to highest setting, or moral equivalent thereof (I’m behind a NAT router, so that works).
* Visit Windows Update, and download all security and bug fixes. Duration depends on connection speed, but it can easily consume an hour. Reboot.
* Using the hardware inventory you prepared earlier: for $item in $inventory ; do
o Visit hardware vendor’s site.
o Locate, download, and install latest device driver(s) for $item.
o Reboot.
* done

At this point, you have a usable machine. If it’s my machine (and even if it isn’t my machine), I usually install the following software:

* Firefox [mozilla.com]
* Vim [vim.org]
* VirtuaWin [sourceforge.net]
* TreeSize [jam-software.com]
* PuTTY [greenend.org.uk]
* WinSCP [winscp.net]
* TweakUI [microsoft.com]

Schwab
–

Firefox is now 2, and I have a new tweak list – actually, it’s mostly the same ones but I don’t trust other sites to still exist after I lost a few…

And remember, you can get to these through about:config really easily…

• // Disable image animation
  
  user_pref(”image.animation_mode”, “none”);
• // Enable frame resizability
  
  user_pref(”layout.frames.force_resizability”, true);
• // Prevent popups to hide the urlbar
  
  user_pref(”dom.disable_window_open_feature.location”, true);
• // Prevent popups to hide the menubar
  
  user_pref(”dom.disable_window_open_feature.menubar”, true);
• // Enable pipelining to increase the speed of (broadband) connection (10 on the second line can be any number)
  
  user_pref(”network.http.pipelining”, true);
  
  user_pref(”network.http.pipelining.maxrequests”, 8);
  
  user_pref(”network.http.proxy.pipelining”, true);
• user_pref(”network.http.max-connections-per-server”, 16);
• user_pref(”browser.search.openintab”, true);
• user_pref(”accessibility.typeaheadfind”, true);

Disable only certain annoying JavaScript tricks:

Tools ->
Options -> Content -> Enable JavaScript -> Advanced ->
uncheck (according to your taste) Allow scripts to “Move or resize
existing windows”, “Raise or lower windows”, “Disable or replace
context menus”, “Hide the status bar” and “Change status bar text”

set keyword.URL to prevent I’m Feeling Lucky

More tips from ComputerWorld

Technorati Tags: firefox, configuration, tweaks

Mostly focused on recovery applications, the Slashdot discussion on Live CDs is pretty interesting and added a few new references to my list.

Technorati Tags: live+cd, recovery

How to investigate and kill off all those nasty autostart processes in Windows?

start:run:msconfig