HOWTO

How to do interesting things.

It doesn’t take more than one directory on your web server with write permissions to let someone in. I started to notice Perl processes running under the www user on my server. They were taking a lot of the CPU, and I couldn’t find the culprit. The only thing I could do was shut down the Apache web server, then kill the www processes: kill -9 -uwww. But then, they would restart later. So, I looked in the most likely directory, /tmp, for suspicious files. There were… Perl scripts disguised as images or txt files. It was an Indonesian IRC bot. I removed the files, wondering how they got into /tmp.

The next day, the offending processes resumed! There had to be some other malicious Perl script somewhere. I did a grep -R /usr/bin/perl /home. To locate all files chmoded 777, I tried find /home -type d -perm 777. One of my users was running OSCommerce, and had the images directory chmoded to 777. Ha! The directory was full of exploit files owned by the www user. I deleted them and chmoded the directory to 755. Hopefully that will be the end of it. I will keep a close eye on server processes and any new files owned by www, or containing Perl code.

Any suggestion would be appreciated on how to avoid future problems. I strongly encourage anyone managing a server to check their permissions, and look for Perl scripts that shouldn’t be there.
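The two checks from this post (world-writable directories, and Perl scripts hiding behind image or txt extensions) combined into one scan, as an added example that is not the author's code. The extension list, the function names and the web_uid parameter are assumptions made for illustration.

```python
import os
import stat
import sys

# Harmless-looking extensions; the post found Perl hidden as images and txt files.
DISGUISE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt"}

def starts_with_perl_shebang(path):
    """True if the file's first line is a '#!' line that names perl."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(256)
    except OSError:
        return False
    return first.startswith(b"#!") and b"perl" in first

def scan(root, web_uid=None):
    """Return sorted (finding, path) pairs for everything below root.

    web_uid is the numeric uid of the web server account (www in the
    post); when given, regular files it owns are reported too.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISDIR(st.st_mode):
                # Any "other" write bit, which includes mode 777.
                if st.st_mode & stat.S_IWOTH:
                    findings.append(("world-writable-dir", path))
            elif stat.S_ISREG(st.st_mode):
                if web_uid is not None and st.st_uid == web_uid:
                    findings.append(("owned-by-web-user", path))
                ext = os.path.splitext(name)[1].lower()
                if ext in DISGUISE_EXTS and starts_with_perl_shebang(path):
                    findings.append(("disguised-perl", path))
    return sorted(findings)

if __name__ == "__main__":
    for kind, found in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, found)
```

Run from cron against /home and /tmp, a change in the output between runs is the signal to look at; directories such as /tmp are world-writable by design and will always be listed.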

I don’t do Windows. By that, I mean that I stay clear of any computer running a Windows operating system by at least twenty feet! I don’t have a Mac, nothing against them… I use Ubuntu Linux on both my desktop and laptop. So, no iTunes for me. I wish Apple would get its act together and compile a Linux version. I’m not holding my breath…

My girlfriend got me an iPod touch this last Christmas, and I love it. Problem is, I can’t transfer files to it without iTunes. Well, until tonight!

It turns out that all you have to do is to get “FTP Server by SavySoda.” This free app turns your iPod into an FTP server. You need an FTP client on your computer. I use FileZilla (there is a Windows version). Upon starting the app, you need to click the ON button. The program then shows you the iPod IP address and port number to connect to. User is “Anonymous,” no password. I had to click it ON/OFF a few times to finally get the IP/Port info to show up, but then it worked great. The files go into some directory reserved for the app. I have not yet found a way to move them to the regular “Videos” app. Movies do play just fine however, and that’s all I needed.

You won’t want to use this on a public wireless network, since there is no password protection, even if you have one set on your iPod. Don’t forget to turn the server OFF when you’re finished!

Good luck!

In this article I will show you how to send an encrypted message that cannot be broken. All you need is paper and pencil. With our privacy disappearing faster than the Mountain Gorilla, I thought that such knowledge might one day become more than a coffee shop conversation topic. I am referring to the One-Time-Pad described by Neal Stephenson in his novel, “Cryptonomicon.” Highly recommended by the way. So, learn it and have fun with your kids. It’s kind of like showing them how to start a fire without matches or lighter. It’s fun, and who knows, they might have to use it some day.

I have always been interested in encryption theory. Surprising, since I never liked puzzles or crosswords. Not to mention my poor math skills. For some reason I have always been driven to learn obscure, odd or outdated skills. Even though I am a programmer by trade, the level of complexity in encryption software is way over my head. I’ve had a PGP key for more than ten years, but to my dismay, nobody ever sends encrypted messages but for the occasional server password; and that may have been two or three emails in ten years. Had I not insisted on it, I would have received none. You would think this feature would be built in every email program, but it isn’t. You must add a plugin to your mail client, if one is even available. I know Evolution on Ubuntu has it built in, and Pegasus Mail on Windows has a plugin. But computer encryption is not the subject today.

Let’s see how it is done. It is pretty easy:

You need a way to produce random letters. These random letters will be the key used to code and decode the message. Do not rely on yourself or a computer to produce true randomness. Typing random keys on your keyboard doesn’t work; it won’t be truly random. Good for practice, but not for real messages. I would suggest putting letters from a Scrabble game in a bag and shaking it vigorously. Pick one letter (without looking!), write it down. Put it back, repeat. Write down your pad in groups of five letters, like so:

GEXOJ AXYEN LOWHD AWQJD UBRWJ

You need as many letters as your intended message. Here is a one-time-pad generator, for practice (set group length and key length to 5).

Encoding:

Now, let’s say your message is HELLO. Our first key group is GEXOJ.

HELLO is the message.
GEXOJ is the key, called a one-time-pad because it can be used for only one message.

We are going to count to the position of the letter H, but starting at zero, not one.
A B C D E F G H
0 1 2 3 4 5 6 7 … etc.

Here is the whole alphabet to help you:

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

H=7.
Our first key letter is G, and G = 6.
Add the two: 7+6=13 = N.
We keep going: E=4 + E=4 = 8 which gives I.
L=11 + X=23 = 34 ! Ha, problem! The alphabet has only 26 letters.
No problem, when we hit 26, we go back to A. 27=B, 28=C, etc. So, 34=I.
L=11 + O=14 = 25 = Z.
O=14 + J=9 = 23 = X.

Here is another way to look at it:

Position     7   4  11  11  14
Message      H   E   L   L   O
Position     6   4  23  14   9
Key          G   E   X   O   J
Position    13   8  34  25  23
Encrypted    N   I   I   Z   X

Our secret message is NIIZX.

Now, let’s decode it:
We do the same thing in reverse…
(If a number is negative then add 26 to make the number positive.)

Encrypted    N   I   I   Z   X
Position    13   8  34  25  23
Minus (key)  6   4  23  14   9
Equals       7   4  11  11  14
Message      H   E   L   L   O

The encrypted message is as random as the key is. Therefore, as far as I know, there is no code breaking method available that could possibly crack it. Your message is of course only as safe as the key. If the key is truly random, has not been seen by anyone except you and the recipient and was used only once then destroyed, then your message is safe!
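The letter arithmetic above in code, as an added example that is not part of the original article; the function names are illustrative, and the pad is supplied by the caller, not generated. It goes one step beyond the text by showing why a pad can be used for only one message: subtracting two ciphertexts made with the same pad cancels the key and leaves the difference of the two plaintexts.

```python
import string

ALPHABET = string.ascii_uppercase  # A=0 ... Z=25, as in the table above

def _letters(text):
    """Upper-case the text and drop the spaces between five-letter groups."""
    cleaned = text.replace(" ", "").upper()
    if not (cleaned.isascii() and cleaned.isalpha()):
        raise ValueError("only the letters A-Z are supported")
    return cleaned

def _combine(text, pad, sign):
    """Add (sign=+1) or subtract (sign=-1) pad letters, wrapping at 26."""
    text, pad = _letters(text), _letters(pad)
    if len(pad) < len(text):
        raise ValueError("pad is shorter than the message")
    out = "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
        for t, k in zip(text, pad)
    )
    # Hand back only the unused pad letters: the used ones must be destroyed.
    return out, pad[len(text):]

def encode(message, pad):
    return _combine(message, pad, +1)

def decode(ciphertext, pad):
    return _combine(ciphertext, pad, -1)

def difference(first, second):
    """Letter-by-letter first - second, modulo 26."""
    return _combine(first, second, -1)[0]

if __name__ == "__main__":
    secret, rest = encode("HELLO", "GEXOJ AXYEN")
    print(secret, "| pad left:", rest)            # the article's example
    print(decode(secret, "GEXOJ")[0])
    # Constructed second message, wrongly encoded with the same pad group:
    reused, _ = encode("WORLD", "GEXOJ")
    # The key has dropped out of both sides of this comparison.
    print(difference(secret, reused) == difference("HELLO", "WORLD"))
```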

I have my aviation site Planenews on a FreeBSD server. As traffic increased, I was getting more database errors. Looking around the web for clues, I discovered that FreeBSD did not have a default my.cnf file in /usr/local/etc. You can find sample files in /usr/local/share/mysql. I used my-huge.cnf, renamed it to my.cnf, put it in /usr/local/etc, et voila (don’t forget to restart MySQL)!

Problem solved? Nope. I was still getting errors at peak traffic. I then found mysqltuner, a Perl diagnosis tool for MySQL. I was missing a few variables in my.cnf. See the file below, and notice the additions under “Added by Gil.”


# The following options will be passed to all MySQL clients
[client]
#password       = your_password
port            = 3306
socket          = /tmp/mysql.sock

# Here follows entries for some specific programs

# The MySQL server
[mysqld]
port            = 3306
socket          = /tmp/mysql.sock
skip-locking
key_buffer = 384M
max_allowed_packet = 1M
table_cache = 512
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 128M
# Try number of CPU's*2 for thread_concurrency
thread_concurrency = 4

# Added by Gil:
# max_connections 250 crashes my server, use with caution..
#max_connections = 250
wait_timeout = 180
interactive_timeout = 45
tmp_table_size = 64M
max_heap_table_size = 32M


# Disable Federated by default
skip-federated
skip-innodb
skip-bdb

# Replication Master Server (default)
# binary logging is required for replication
#log-bin=mysql-bin

# required unique id between 1 and 2^32 - 1
# defaults to 1 if master-host is not set
# but will not function as a master if omitted
server-id       = 1

# Point the following paths to different dedicated disks
#tmpdir         = /tmp/
#log-update     = /path-to-dedicated-directory/hostname

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates

[isamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout

The site seems to be running fine now, with no errors. I guess I will have to wait for a story to make it to a major social networking site to see if it really can take a heavy load. Please tell me about your optimization tips, and how you prepared for traffic spikes…

I can’t tell you how many times an acquaintance or friend has come to me with a broken hard drive asking “Can you get my data back?” as if their lives depended on it. The experience can be quite dramatic. I feel like a doctor telling family members that their loved one has passed away. Losing all your data can be very stressful. Think about photos you can never get back, hours, weeks, months of work erased, just like that. You get the picture. Hard drives have moving parts; they spin at around 5000rpm. Sooner or later, they will break; you can’t avoid it. Is your data backed up? If you say yes, go do something else. Otherwise, keep on reading; you will thank me profusely some day.

It used to be that a couple of CDs or, more recently, DVDs were enough to back up all of one’s data. Today, with videos, movies and high-resolution cameras, data fills up hard drives like shoppers at Walmart on Black Friday. Not to mention that if your drive bites the dust, you will have to reinstall your operating system. If you’re using Ubuntu like I am, no big deal, it’s free. If however you can’t find your Windows registration, guess what, $200 for Micro$oft. Hopefully you also have all your software somewhere safe, ready to be reinstalled. Think about the amount of work though. Who has the time to sit in front of a computer looking at a progress bar all day, or pay some geek a fortune to do it for them? I don’t.

These days, you are looking at two options: 1, a full drive backup on separate hard drives; 2, an online backup service. Let’s look at both solutions.

A full drive backup is great because you can make a mirror image of your drive, which can then be restored to a similar drive. You don’t have to reinstall anything; your entire drive is copied bit by bit independently of your operating system. It takes a few hours, but the recovery is painless and very easy. You will need two USB external hard drives of the same capacity as your main hard drive. Why two? Because your hard drive can fail during a backup operation, rendering your backup useless! So, you alternate the drives and back up every other week. At the most, you’ll lose one month of data updates. The downside of this scheme is that you can’t use your computer while it is being backed up. I do it at night; usually it is finished when I get up. You can also lose quite a bit of data if you are not diligent enough. You will need a drive cloning tool. Get G4L, it’s free and works great. You burn it onto a CD and use it to boot your computer. Be careful when you choose your source and target drive; you don’t want to back up an empty or old image to your current drive! And remember, it only works if you actually do it regularly!

The online backup solution is very convenient. You pay a small monthly fee, usually $10, to have your data automatically uploaded to a storage facility via the Internet. You can choose what folders to save, or exclude certain types of files by extension or size. What I like most about it is that it is transparent. You can still use your computer as usual while the program works in the background. I don’t notice any performance difference with the service I use. You need to make sure that the transmission of your data is encrypted, and that it also be encrypted wherever it is saved. Nobody should be able to read your files. The best service I have found is SpiderOak. They give you 2Gb for free, and charge only $10 per 100Gb. Their client program is great, and all data is encrypted. You can even synchronize your laptop with your desktop, or other computers. The process is pretty slow the first time you use it. I just uploaded about 84Gb in the span of a week. After your initial upload however, it is much faster. The good part was that I didn’t have to care about it at all. It works on Windows, Linux and Mac.

Which solution is best? Well, I highly suggest doing both! Make a mirror copy of your hard drive (you can use only one drive then), and have your data backed up online with SpiderOak. This way, after a crash, you load the drive image with G4L, then update your data from your online backup. Everything is up-to-date, and you don’t have to reinstall anything.

Can you afford to spend $80 on an external hard drive, and/or pay $10 per month? Can you afford not to? Can you lose all your data? Remember, it’s not “if,” it’s “when.” Back-it-up!