September 2004 Archives

CGI::Application powers 1-800 Save a Pet

If you have a minute check out 1-800 Save a Pet because it's a nice site for a good cause. Be sure to check out their spiffy theme song.

Mark Stosberg worked on this site and he tipped us to the site on the CGI::Application list. Other recent discussions on this list have been very useful in improving my understanding of some of the finer minutiae of object-oriented Perl programming.

I also wanted to make sure to give a plug to Mark's development company, Summersault, LLC. Mark and the others at Summersault are active contributors to the Perl (specifically through CGI::App) and the Open Source community, and Mark has recently contributed a number of very key "plugins" for writing CGI applications. You may never use one of these programs, but if I write something for you, the chances are really good that I will.

Thanks Mark.

Aaron's Ethernet Bridge HOWTO

Over the years I have had the good fortune to have a number of very hard working and talented people working with me. Aaron Lewis at ADL Datacomm has worked with me in various capacities for almost 10 years now.

He's just written an interesting HOW-TO describing how to create a transparent ethernet bridge with a PC, a couple of network cards and Linux. You can read it over at the ADL Datacomm web site.

Such a bridge allows systems administrators to put a machine on a network without an IP address, and to read all the traffic passing through it. The lack of an address makes it more difficult to remotely compromise, and by reading the traffic administrators can spot "signatures" or patterns in the data flow that indicate an attack is in progress. Such monitoring is the basis for a lot of intrusion detection systems (IDS).

Bridges are also used in older networks to join network segments that have different physical network protocols, such as making token ring talk to Ethernet segments.
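The address-less monitoring bridge described above can be sketched with iproute2 as follows. This is an added example, not taken from Aaron's HOWTO; the names br0, eth0 and eth1, the functions bridge_plan and bridge_apply, and the APPLY variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a transparent Linux bridge that holds no IP address.
# br0, eth0, eth1 and APPLY are assumed names, not taken from the HOWTO.

# Print the commands for the bridge, one per line, without running anything.
bridge_plan() {
    br=$1; a=$2; b=$3
    # A bridge needs two distinct ports; refuse anything else.
    if [ -z "$br" ] || [ -z "$a" ] || [ -z "$b" ] || [ "$a" = "$b" ]; then
        echo "usage: bridge_plan BRIDGE PORT1 PORT2 (ports must differ)" >&2
        return 1
    fi
    echo "ip link add name $br type bridge"
    for ifc in "$br" "$a" "$b"; do
        # Stop the kernel from auto-configuring an IPv6 link-local address.
        echo "sysctl -w net.ipv6.conf.$ifc.disable_ipv6=1"
    done
    for port in "$a" "$b"; do
        # Drop any address the NIC already holds, then enslave it.
        echo "ip addr flush dev $port"
        echo "ip link set dev $port master $br"
        echo "ip link set dev $port up"
    done
    # Deliberately no 'ip addr add': the bridge forwards frames at layer 2
    # and offers nothing to connect to at layer 3.
    echo "ip link set dev $br up"
}

# Show the plan; execute it (as root) only when APPLY=1 is set.
bridge_apply() {
    plan=$(bridge_plan "$@") || return 1
    if [ "${APPLY:-0}" != "1" ]; then
        echo "$plan"
        return 0
    fi
    echo "$plan" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

bridge_apply br0 eth0 eth1
```

With no address on the bridge, administration has to happen from the console or over a separate management interface.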

XP Service Pack 2

In case there was any doubt about the advice in the article about service pack 2, "Fun with XP SP2 and NMAP", I think users should apply the patch if they can. (Unless of course someone else is responsible for the machine, such as a network administrator.)

Users may have heard security experts claim that XP SP2 has vulnerabilities. This may be true, but so are these facts:

1) Some of the vulnerabilities existed in previous versions of Windows XP and simply remain unaddressed.

2) Security is about layers, and this service pack implements some new layers; the net effect is a good thing.

3) A lot of the stuff the experts are speaking about is pretty esoteric stuff, requiring certain conditions to pre-exist and also requiring the user to be more or less a zombie. Larry Seltzer had a good quote about this on the BugTraq list.

Where do we draw the line on this social engineering stuff? If I send an e-mail to someone telling them to flush their iPod down the crapper does that mean the iPod is vulnerable to a toilet attack?

So, to summarize: YES, apply service pack 2 on Windows XP machines that you are responsible for. NO, do not flush your iPod.

Related reading: "A Feast of Egos", by Tim Mullen of SecurityFocus

Firewalls Up Mr. Scott!

James Doohan, aka Chief Engineer Montgomery Scott, got his star on the Hollywood walk recently, in case you missed it. I haven't watched Star Trek in some time, but if I tuned in to StarGenX or whatever the most recent version is, I would expect the latest Captain Whatshisname to be saying things like "Firewalls Up, Mr. Scott".

Microsoft's Number 1 of three steps to protecting your PC is Use an Internet Firewall. I don't always agree with Microsoft, but these days you really should have some kind of firewall between you and the Internet.

Firewalls come in hardware and software varieties. I tend to favor a hardware firewall for several reasons, although host-based software firewalls have their advantages too.

A hardware firewall router for broadband will generally also provide several switch ports so you can also network several computers with the same piece of equipment. It's been my experience that once these are set up correctly there's less chance the average end-user will try to reconfigure it, and correspondingly less risk of leaving holes open.

Personal, or software-based, firewalls are nice because they are so easy to update. If an exploit is released, users these days seem to feel comfortable downloading applications and following instructions, so a software-based firewall may be easier to maintain.

Ideally, end users would understand the intricacies of packet filtering and IP routing, and they could maintain a mixed environment of hardware AND software-based firewalls for the extra protection this kind of layered approach offers. However, in my experience, a single firewall at the perimeter of these stub networks is likely to be the most uniform and fairly foolproof way to offer an acceptable trade between usability and security.

I've just seen too many turned-off host-based firewalls to really trust my clients' network security to them. I've also seen installations of host-based firewall software that were so restrictive that they couldn't update themselves, and that left VPN connections dead as a doornail.

If you have an office LAN you should talk to your consultant or integrator. They will be able to tell you what kind of firewall you have now, and if it has been reviewed and updated recently. (If you have a consultant or an integrator, and you don't have any firewall protecting your LAN from the Internet, you may have a larger problem.)

SOHO hardware firewalls start at around $50, and they're pretty small so you can even take them with you on the road. If you can get someone to configure it for you once, chances are good you'll never have to mess with it again.

In the end, whatever firewall that users will actually put up and maintain between them and the Internet is the firewall that's best.

A couple of postscript notes here:

1) Microsoft's three steps leave out a very important one too: use strong passwords.

2) Remember that wireless thingies can be hacked from a distance of 2000 feet; perimeter firewalls don't even begin to address that hole. (Why would someone break into your firewall, if they can just hack away at your wireless LAN on the other side until they get in?)

3) Firewalls actually come in more than two flavors. There are also three technical categories: packet filtering, proxy based, and stateful packet inspection.

Changes come gradually to AdvisorBits, a blog

Astute readers and some Movable Type users will notice that AdvisorBits is now published using version 3.1. They have added some spiffy new blogging features at the same time that I had been thinking about making some changes around here. (There has been at least one post in each of the last 21 months; AdvisorBits is almost 2 years old!)

Over the years I have helped a lot of web designers get their start, and one piece of advice I have consistently given is that a site should never be published "Under Construction..." The reason for this advice is simple: Today's information scavenging users never come back to a site that doesn't have anything to offer them.

I am about to break my own rule. This blog is under radical reconstruction.

Starting with a redefinition of "What it is." Most definitions note that it comes from a conjunction of the words Web and Log. Any basic and generic description would include verbiage about posts, or nodes. A post or a node of information. Like little bits of advice.

Before you is the basic unit of a blog. Stripped naked of its style, with only the information remaining.

In the days to come, for the second anniversary of AdvisorBits, I will rebuild this blog from the ground up with explanations of the process at each step along the way. Readers, clients, and friends are invited to join the process through posting comments, which in turn will become a part of the information node.

I plan to discuss the following:

Information Architecture

This is a buzz word phrase at the time of this writing. I went to architecture school, and I didn't learn a thing about building. (I later worked for an architect in order to learn this... a little.)

These days a lot of web designers, and a few people legitimately dedicated to the study and exploration of this discipline, organize data into some kind of structure which they then refer to as Information Architecture.

How do we organize data into information on a web site? AdvisorBits will serve as a guinea pig.

Content and (separately) Presentation

And what about document structure?

In order to effectively design and deploy web sites, there are a number of reasons to separate style from substance. I will examine these reasons, and provide information on standards. We'll also look lightly at the absurdity of our purist tendencies to conform rigidly to the standards.

I hope the new improved AdvisorBits will be interesting and helpful to my readers and clients; one way you can point me in the right direction is to comment on this post. Let me know what your biggest questions are about the whole process of web design for small businesses.

Gimp Lomo Effect

My friend Jesse is a genius with Photoshop. He can take just about any photo and make it look good; I oughta know because he's helped me out of a design jam a couple of times. But me, I can't afford those professional kinds of tools when my primary use will be to shrink my photos of flowers from my garden. When I mentioned the GIMP to Jesse, he kind of mumbled some things I don't quite remember as if to imply there's stuff that Photoshop can do that GIMP can't.

One of the features he likes about his tool was some ability to store procedures and repeat them. I found out there's a thing in GIMP called script-fu which is an implementation of the Scheme programming language. I don't think this ability to write our own Scheme scripts to manipulate images is much use to me or Jesse, but the ability to plug in other people's scripts sure is. I have been working through some of the tutorials at the GIMP web site and the various plug-ins are mentioned in some of the tutorials.

LOMOed shot of dog in mist

And I found out there's a script-fu to apply lomo effects. (Although the script didn't work because it was for an older version of GIMP, I found a reference to this set of instructions that allows me to create my own lomo effect: Thijs van der Vossen · Faking Lomo.) Do I like it?

Which brings me back to Jesse, because I had never heard of this until he mentioned it on his own blog at http://plasticmind.com/weblog/. Lomo is a Russian optics company that makes cameras which take pictures that have their own unique quality of color and light.

There are better Mac browsers

This is not a rant about Macs or Microsoft.

It's a little more like confessing defeat, but the cost to benefit ratio strikes me mighty thin to work around these CSS Bugs in IE5 XHTML and comes with the OS X these days.

I don't believe in designing for the bleeding edge browsers that only a few of us have. By the same token I won't refrain from using valid page layout techniques because they break in a fairly old browser that a tiny number of users have not discarded in favor of other readily available and free alternatives. This is why some pages on the web, including these presumably, will not look good in IE 5.x for Mac.


About this Archive

This page is an archive of entries from September 2004 listed from newest to oldest.
