Eight Ways to Blacklist with Apache’s mod_rewrite

With the imminent release of the next series of (4G) blacklist articles here at Perishable Press, now is the perfect time to examine eight of the most commonly employed blacklisting methods achieved with Apache’s incredible rewrite module, mod_rewrite. In addition to facilitating site security, the techniques presented in this article will improve your understanding of the different rewrite methods available with mod_rewrite.

via Eight Ways to Blacklist with Apache’s mod_rewrite | Perishable Press.
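As an added example (mine, not the Perishable Press article's own rules, and not a reproduction of its eight methods), the .htaccess fragment below shows the kinds of conditions mod_rewrite lets you blacklist on: client address, user agent, request method, query string, path and referer. The address 192.0.2.10 is from the RFC 5737 documentation range, example.com is a placeholder host, and the user-agent strings and paths are illustrative choices, not a recommended list.

```apache
# Added example, not from the Perishable Press article. Goes in the site's
# .htaccess (requires AllowOverride FileInfo) or a <Directory> block.
# Run "apachectl -t" after editing; a syntax error here takes the site down.
RewriteEngine On

# Single client address, anchored so 192.0.2.100 does not also match.
# (On Apache 2.4 "Require not ip 192.0.2.10" is the cleaner tool for this.)
RewriteCond %{REMOTE_ADDR} ^192\.0\.2\.10$
RewriteRule .* - [F,L]

# Address block written as a regex; mod_rewrite has no CIDR syntax.
RewriteCond %{REMOTE_ADDR} ^198\.51\.100\.
RewriteRule .* - [F,L]

# User agents you never want to serve; [NC] makes the match case-insensitive.
# Trivially spoofed, so this only removes noise, it is not access control.
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|masscan|zgrab) [NC]
RewriteRule .* - [F,L]

# Request methods the site does not use.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|DEBUG)$
RewriteRule .* - [F,L]

# Query strings carrying common traversal/injection fragments.
# %{QUERY_STRING} is NOT URL-decoded, so the encoded forms must be listed too.
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e/|%00|<script|%3Cscript|union(\s|%20|\+)+select) [NC]
RewriteRule .* - [F,L]

# Paths that do not exist on this site and are only ever requested by scanners.
RewriteCond %{REQUEST_URI} ^/(phpmyadmin|xmlrpc\.php|wp-login\.php) [NC]
RewriteRule .* - [F,L]

# Hot-linking: images requested with a referer from some other site.
# An empty referer is allowed because privacy tools and some proxies strip it.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,L]

# Redirect rather than refuse: send clients with no User-Agent at all to a
# static page. The negated pattern stops the redirect looping on that page.
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule !^/?blocked\.html$ /blocked.html [R=302,L]
```

Every rule above is a denylist, and every one of the matched values except the client address is chosen by the client, so treat these as noise reduction rather than as a security boundary; the rules that actually protect a site are the allowlist ones (what paths and methods may be served), which mod_rewrite can express just as easily by negating the condition.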

MediaGoblin

MediaGoblin is a free software media publishing platform that anyone can run. You can think of it as a decentralized alternative to Flickr, YouTube, SoundCloud, etc. It’s also:

  • The perfect tool to show and share your media!
  • Building tools to empower the world through decentralization!
  • Built for extensibility. Multiple media types, including video support!

via MediaGoblin.

The Tiny Box That Lets You Take Your Data Back From Google

For open source developer Johannes Ernst, what the world really needs is a simple device that anyone can use to take their data back from the wilds of the internet. So he designed the Indie Box, a personal web server preloaded with open source software that lets you run your own web services from your home network–and run them with relative ease. Any system administrator will tell you that setting up a server is just the first step. Maintaining it is the other big problem. Indie Box seeks to simplify both, with an option to fully automate all updates and maintenance tasks, from operating system patches to routine database migrations.

via Out in the Open: The Tiny Box That Lets You Take Your Data Back From Google | Enterprise | WIRED.

A completely assembled device costs $500.

This is just a Linux box with standard server packages installed and, presumably, a customized management system. Running your own web server does not take your data back from Google unless you also run your own search engine. The main type of data Google retains for its customers is email, and running your own email server does keep that personal information away from Google. However, from the article:

For now, it won’t include an e-mail server since spam filters make it so hard to run one from home.

How to set up your own private instant messaging server

The video below will walk through the process of setting up and installing Prosody, a lightweight Lua-based instant messaging server application. We’ll be using Ubuntu 12.04 for our server, though Prosody is a cross-platform application and will run on Windows, OS X, and a number of different Linuxes. Strap in, grab your server, and let’s roll!

via How to set up your own private instant messaging server | Ars Technica.
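As an added example (mine, not the configuration from the Ars Technica video or Prosody's shipped default), here is a minimal /etc/prosody/prosody.cfg.lua for a private server that refuses unencrypted sessions and has no self-service registration. The option names are those of Prosody 0.9 and later, which is newer than the version packaged for Ubuntu 12.04; example.com, the admin JID and the certificate paths are placeholders.

```lua
-- Added example, not from the Ars Technica walkthrough or the Prosody project.
-- Minimal hardened /etc/prosody/prosody.cfg.lua for a private server.
-- Assumes Prosody 0.9+ option names; example.com and the paths are placeholders.

admins = { "admin@example.com" }

-- Load only what a private server needs. "register" is deliberately absent,
-- so in-band account creation is impossible; accounts are made with prosodyctl.
modules_enabled = {
    "roster"; "saslauth"; "tls"; "dialback"; "disco";
    "private"; "vcard"; "ping"; "time"; "version"; "uptime";
    "admin_adhoc";
}

-- Belt and braces with the module list above.
allow_registration = false

-- Refuse any client or server-to-server session that is not TLS-protected.
c2s_require_encryption = true
s2s_require_encryption = true
-- Require remote servers to present a certificate that validates. Without this
-- Prosody accepts dialback, which trusts DNS rather than a certificate.
-- Expect some federation partners with bad certificates to be unreachable.
s2s_secure_auth = true

-- Store salted password hashes rather than plaintext passwords.
authentication = "internal_hashed"

ssl = {
    key = "/etc/prosody/certs/example.com.key";
    certificate = "/etc/prosody/certs/example.com.crt";
}

VirtualHost "example.com"
```

After writing the file, create users with `prosodyctl adduser alice@example.com` and restart the service; since registration is off, that is the only way accounts come into existence, which is the point of a private server.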

Munich opts for open source groupware from Kolab

The Kolab groupware system that was originally developed for the German Federal Office for Information Security (BSI) will be employed as part of Munich’s MigMak project, an abbreviation used by the city to describe the migration of its mail and calendar system, Kolab said. The system is to be provided as completely open-source technology, including the necessary professional support, it added.

All the city’s LiMux PCs and the remaining Windows PCs will be using the Kolab Desktop Client in combination with the Kolab web client based on Kolab Enterprise 13, it said.

via Munich opts for open source groupware from Kolab | ITworld.

From: Kolab’s web site:

What is Kolab?
Kolab is a secure, scalable and reliable groupware server. It is formed by a number of well-known and proven components for the standard tasks such as E-Mail, Directory and Web Service.

Google now proxies images sent to Gmail users

It’s simple for senders to do this. Embed in each message a viewable image—or if you’re feeling sneaky, a nearly invisible image—that contains a long, random-looking string in the URL that’s unique to each receiver or e-mail. When Google proxy servers request the image, the sender knows the user or message corresponding to the unique URL is active or has been viewed. In Moore’s tests, the proxy servers requested the image each subsequent time the Gmail message was opened, at least when he cleared the temporary Internet cache of his browser. That behavior could allow marketers—or possibly lawyers, stalkers, or other senders with questionable motives—to glean details many receivers would prefer to keep to themselves. For instance, a sender could track how often or at what times a Gmail user opened a particular message.

via Dear Gmailer: I know what you read last summer (and last night and today) | Ars Technica.

The key to this issue is that Gmail now defaults to displaying images in email, which should always be off. For proxying to actually protect readers, Google would have to fetch and cache every image when the message is received; fetching on demand when the user opens the message defeats the entire purpose, because each fetch still tells the sender that the message was opened, and when. It is always good practice to view email with images off, no matter what the provider claims.

14 MEPs emails intercepted by a hacker thanks to Microsoft flaws

My best guess is that what they did was to impersonate the EP-EXT wifi network and steal our credentials from the login page (https://wifiauth.europarl.europa.eu/, now no longer available, see screenshot below for what it more-or-less used to look like). In this scenario, after I automatically connect to the rogue WiFi (because my phone recognizes the SSID), it presents me with the familiar login page, but this time it’s not HTTPS but plain HTTP. So, no warning about a self-signed certificate is presented to the user.

After I type in my credentials, the rogue WiFi is turned off for a minute or more, so my phone re-connects to the real EP-EXT network and I am asked for my credentials again. I would probably think that I mistyped the password or something and not think twice about it. After a minute the rogue WiFi goes back online, waiting for the next victim.

via epfsug – Re: Ang.: [EPFSUG] 14 MEPs emails intercepted by a hacker thanks to Microsoft flaws – arc.

This is classic MITM. In the TLS variant, the user inadvertently accepts a certificate other than the one the mail server presents, which gives the man in the middle access to the encrypted stream, so always be on the lookout for those pop-up warnings. Note that the scenario quoted above is a downgrade rather than a certificate substitution: the rogue portal serves the login page over plain HTTP, so no certificate warning is ever shown, and the only signal is the missing https:// in the address bar. On an unsecured open wifi an attacker cannot read a properly verified TLS stream without your cooperation, but can freely read and alter anything sent in the clear.

From: Temporary Switch-off of the EP Public WI-FI Network. EP Private Wi-Fi Network Still Available.

The Parliament has been subject for a man-in-the-middle attack, where a hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament (EP-EXT Network).

The consequence is that some individual mail-boxes have been compromised. All concerned users have already been contacted and asked to change their password.

As a precaution, the Parliament has therefore decided to switch-off the public Wi-Fi network until further notice, and we invite you to contact the ITEC Service Desk in order to install an EP software certificate on all the devices that you use to access the EP IT systems (email, etc..).

Tension and Flaws Before Health Website Crash

Thanks to a huge effort to fix the most obvious weaknesses and the appointment at last of a single contractor, QSSI, to oversee the work, the website now crashes much less frequently, officials said. That is a major improvement from a month ago, when it was up only 42 percent of the time and 10-hour failures were common. Yet an enormous amount of work remains to be done, all sides agree.

via Tension and Flaws Before Health Website Crash – NYTimes.com.

Systems like this should require five nines availability from the beginning. This means that the system should be operationally up 99.999% of the time, which allows for about 5.3 minutes of downtime per year. I suspect companies like Amazon, Facebook, and Google meet this standard for high availability. There are all kinds of methods and tricks to achieve this that have been learned over the past century in telecommunication systems.

In the last week of September, the disastrous results of the project’s inept management and execution were becoming fully apparent. The agency pressed CGI to explain why a performance test showed that the site could not handle more than 500 simultaneous users. The response once again exhibited the blame-shifting that had plagued the project for months.

How a grad student trying to build the first botnet brought the Internet to its knees

On November 3, 1988, 25 years ago this Sunday, people woke up to find the Internet had changed forever. The night before, someone had released a malevolent computer program on the fledgling computer network. By morning, thousands of computers had become clogged with numerous copies of a computer “worm,” a program that spread from computer to computer much like a biological infection.

via How a grad student trying to build the first botnet brought the Internet to its knees.

Robert Morris’ father worked for the NSA at the time.

From: Robert Morris (cryptographer)

There is a description of Morris in Clifford Stoll’s book The Cuckoo’s Egg. Many readers of Stoll’s book remember Morris for giving Stoll a challenging mathematical puzzle (originally due to John H. Conway) in the course of their discussions on computer security: What is the next number in the sequence 1 11 21 1211 111221? (known as the look-and-say sequence). Stoll chose not to include the answer to this puzzle in The Cuckoo’s Egg, to the frustration of many readers.