Happy New Year, 2009. Every one makes some kind of resolution for the new year. I think it is the hope that we can somehow change the things that we least like about ourselves or our lives that causes us to make promises. Every year I resolve to lose weight, but somehow by the end of the year I am right back where I was before.

This year, I am resolving to write more and be more visible. I plan on writing regularly here about information security and the relationship it has with economics, politics, news, and other areas. Hope you enjoy, and if there is something you wish to comment on or suggest, please put it in the comments.

I thought this letter to Optimus Prime from GEICO was one of the funniest things I have read in a long time. Enjoy.

http://mcsweeneys.net/2007/7/9weaver.html

So after quite an ordeal starting at the launch of the Wii on 11/19, I finally have a Wii! I must say, after playing it for only an hour, I am completely addicted. It simply rocks.

Nintendo has done a great job putting together a gaming console everyone can enjoy.

I was trying to diagnose a problem with my Hauppauge WinTV remote on my MythTV box, and I wanted to tell if it was the remote or the card. So the Hauppauge tech support told me to hold the remote control in front of a digital camera and see if I can tell if the IR signal is being sent out from the remote.
Apparently digital cameras can capture infrared light, something I didn’t know and thought was cool.

Since then, I found this helpful site on many techniques to troubleshooting handheld remotes.

I was in class the other day and the instructor was telling us how the IRS saved hundreds of boxes of paper documents that were completely soaked and supposedly ruined after a flood in the basement of the DC headquarters.

They took the boxes of paper and put them on huge freezer trucks for a few days.

Apparently, if you want to remove water from accidental spills or whatnot from paper, put the paper in the freezer for a few days and then shake the ice off. The paper will be completely restored!

Thought that was useful.

Using VMware player (free) and EasyVMX (free website), you can create your own VMWare images of virtually any operating system (maybe except OS X86, which is the one I really want).

I did this on my Linux box so I could run my copy of Windows XP.

1. Download and install VMware player
2. Get your install CDs or DVDs ready
3. Create a virtual vmx in EasyVMX
4. Download and upzip the file provided
5. Insert CD or DVD and start up Vmware player, pointing it to the .vmx file created from EasyVMX

The OS should install fine inside of VMplayer. If you ever need to change any settings, the .vmx is a text file and can be edited for different parameters, just back it up before you do anything.

Ok, this is out of the ordinary, but I thought it was neat. Someone told me yesterday of a simple way to remove permanent ink (like from a Sharpie) from a dry erase whiteboard.

Simple write over the permanent ink with a dry erase marker and let it sit for about 30 seconds. Then, wipe off with a clean cloth or eraser. The permanent ink will disappear! This actually works, I just tried it.

Apparently there is some chemical reaction between the two inks that causes the permanent marker to be wiped away.

Have fun!

Looking at the dismal state of affairs for my family website (hand coded in vim), I decided to replace the entire thing with something easy to maintain, looks nice, and allowed me to easily upload pictures, videos, and news. I decided on the following setup:

1. Main site - Wordpress 2.x for how easy it is to post content, there are a million themes, and has many plugins available.
2. Pictures - Gallery, using the excellent Gallery2Wordpress integration. I also downloaded the iPhoto plugin for Gallery, which makes publishing pictures easy. You can also use the Gallery Remote application.
3. Video - I am using Rossgerbasi.com’s Extreme Video plugin for Wordpress.
4. Subscribers - Using the Subscriber 2.0 plugin for Wordpress allows me to have a list of email addresses to send content whenever I post a new message (since most of the family does not use RSS).

My publishing workflow consists of the following:

1. Upload pictures using Gallery or upload video.

2. Create a new post in Wordpress with a link to the new album or video.

3. Publish

There are obvious replacements to the above if you don’t want to host the pictures or video on your own website. The most common replacements are Flickr for photos (using the Wordpress Flickr integration) and using YouTube to host the video (you can use the Extreme video plugin still for this). For video, I just download the video to iMovie and export it as a Quicktime video for web (or Flash video because I have Flash MX Pro).

So far, this has proved very reliable, easy to maintain, and I get a bunch of comments from friends and family about the pictures and video.

After a long hiatus, I am going to try to keep this blog up to date. I expect to write about security issues that are current, and a lot of implementation issues. Let me know if you would like to see anything in particular covered here.

This is a summary of my comprehensive search for a decent web analytics system. We have a dedicated server that collects, archives, and then processes all of our web logs from various systems that we run. We run different OSs, application servers, and web servers, so the web analytics has to be able to handle multiple formats, and in some cases, clustered log systems.

We were using Webtrends for the last 4 years, but I was never really happy with it. It is expensive, the statistics are inaccurate, the interface is slow and cumbersome, administration is a nightmare, and they no longer support running on Linux (I had to monitor the zombie processes and kill the server every other day because it froze up).

So I started a search for a replacement, looking at hosted options, for pay options, and open source options. Here is what I came up with for anyone who is also looking:

1. NetTracker — This is the system that we eventually purchased. It is truly amazing, the best web analytics software out there. Not very expensive, extremely powerful, and very lightweight on the server side. We chose the flat file database option because it was cheaper, and performance is incredible. The statistics are much more accurate and the user interface is extremely fast. It will process dynamic pages using URL parameters and other session factors. I can’t say enought good things about this software.

2. AWStats — a fast, open source, very powerful package that gives many options, professional results, and detailed reports. A nice feature is the ability to search for any page within a site and get stats on that page. Nice open source alternative to for pay options.

3. Webalizer — a good, fast, basic analytics package that allows you to run multiple reports for different servers, although it doesn’t do clustered servers. We run webalizer every night on a series of web logs that produces statistics for individual web sites. Works very well and is good for basic reporting.

If you have any others that you think are better, feel free to post a comment below.

Google just released a “Google Mini” search appliance aimed at small and medium sized businesses. For only $5,000, you can get a 1U server that will crawl your Intranet or Internet site, up to 50,000 documents of 220 file types. Very handy and inexpensive, plus the advantage is that it will crawl your website and create an index of your ColdFusion applications as well, instead of Verity grabbing the documents off of the file system.

Google Mini FAQ

I hope to purchase a couple of these at work.

There have been a lot of posts recently on the XmlHTTPRequest object since Google released their Google Suggest application in the Google labs. Here are a few links describing this method that I thought I would throw together:

• Many links, explanation
• Apple Developer Connection article
• Mozilla Information
• Google’s Javascript

If you have more, feel free to post a comment.

Thawte SuperCerts are certificates that allow client browsers to negotiate a 128-bit SSL session with a server over HTTPS that will downgrade if your browser only supports 40-bit encryption. However, this year when we renewed our certificates at work, we were getting a series of errors because they changed the root Thawte CA certificate for the supercerts. Now they require an intermediate CA certificate on the web server. Details to do this on Apache/mod_ssl is here: Thawte KB vs29541

However, there is a problem with this when using the javax.net.SSL class to initiate the connection. Java will say the certificate is expired because it can’t chain the root Thawte CA and Thawte SGC CA certificates together. Here is how to install the Thawte SGC CA certificate on the Java application server to make this work:

Steps in IE 6.0 on Windows 2000 to get the cert:
1. Connect to https://my.domain.com
2. Go to Tools > Internet Options > Content > Certificates > Intermediate Certification Authorities
3. Choose “Thawte SGC CA”
4. Click “Export …”, then “Next>”
5. Select “DER encoded binary X.509 (.CER)”
6. Name the file thawtesgcca.cer
7. Select “Finish”

Now, import the certificate into the keystore in Java on the application server :
1. cd JAVA_HOME/jre/lib/security
2. keytool -keystore cacerts -storepass changeit -import -alias thawtesgc -file thawtesgcca.cer -trustcacerts

Very irritating. As far as I know, this is only needed for the Supercerts and not the regular 128-bit web server certificates.

I have developed a search plugin for Firefox that uses the Google Desktop to search for files. Unfortunately, you have to go in and manually edit the source file for your particular unique string for right now until I figure out how to generate or capture it.

1. Do a search in the Google Desktop and copy the unique string. The part you need is bolded:
   http://127.0.0.1:4664/search&s=2247545786 ?q=test&ie=UTF-8&btnG=Search+Desktop
2. Go here to the install search plugin
3. Go to your searchplugins folder in Firefox and open the googdesktop.src with a text editor. Typically this is stored in Windows at C:\Program Files\Mozilla Firefox\searchplugins\.
4. Edit the googdesktop.src with the unique string you copied from step 1 above. The src file will indicate where to copy this value. Save and close the .src file.
5. Restart Firefox.

If you have any problems, let me know. This search plugin is still in beta, but it seems to work OK in my testing.

Google released a tool today that allows you to search for email, documents (like Word, PowerPoint, Excel), web pages, IM logs, and any other text on your hard drive (Windows only). It looks pretty fast, too.

desktop.google.com

Here is a long article about it at O’Reilly.

I just updated from b2 to WordPress to get rid of the comment spam (thbbbt!).

I tried the script to migrate everything over, but it didn’t work, so here are the database statements I executed in MySql to get this done:

Move categories:
insert into (cat_ID, cat_name) select * from b2categories where cat_ID != 1;

Move posts:
insert into wp_posts (ID, post_author, post_date, post_content, post_title, post_category) select ID, post_author, post_date, post_content, post_title, post_category FROM b2posts;

Update wp_posts with correct information:
update wp_posts set post_status = ‘publish’, comment_status = ‘open’, ping_status = ‘open’;

Move post2cat:
insert into wp_post2cat (post_id, category_id) select ID, post_category FROM wp_posts;

Comments (after deleting the spam jerks):
insert into wp_comments (comment_ID, comment_post_ID, comment_author, comment_author_email, comment_author_IP, comment_date, comment_content, comment_karma) select comment_ID, comment_post_ID, comment_author, comment_author_email, comment_author_IP, comment_date, comment_content, comment_karma from b2comments;

update wp_comments set comment_approved=’1′;

Seems to work OK for now.

This is a funny picture of what they thought home computers would look like in the future.

I am totally doing this to my house: Check out the article here.

I am really tired of paying propane and electricity bills.

A great article from SecurityFocus about using common *Nix tools to add layered security in front of MS Exchange and other vulnerable MS Groupware tools.

Here is part 2 of the series.

Ok, everyone probably has seen this before, but here it is for those who haven’t:

The Geek Test — see how much of a geek you are.

I scored a 38.