Where does my security come from?

A couple of months ago, one of the windows was broken on my in-law’s van while it was parked in our driveway overnight. We have a dusk-to-dawn light over the garage, but that didn’t deter the burglar. I have felt guilty and frustrated by this, and have been thinking about installing security cameras around the house.


Shifting Perception of Microsoft

I just finished reading an article about Microsoft’s antivirus offering. Due to my ongoing pain, exhaustion, and fuzzy-headedness, I will once again ask your forgiveness for my short, curt, and blunt sentences.

First, I’ve got a decent amount of experience as an end-user and as tech support with various antivirus (AV) products. I’m not a virus expert or a coder, but I know more than the average bear about viruses and their removal, as well as about different AV software. I’ve been following Microsoft’s offering and development for at least five years now.

Second, I recognize the various red flags that are put up about M$’s AV. “Do they purposely make their operating system insecure to sell additional security products?” “Won’t this make other security companies obsolete, putting them out of business? That sounds like monopoly behaviour.” Etc.

For expediency’s sake, I won’t go into a lot of detail about how M$ AV has fared in the past other than to say that it sucked. Windows Defender was piss-poor in beta and has improved, but I still don’t trust it. Combine this with my general distrust of Microsoft and their DRM, fierce anti-piracy, and privacy-invading systems and I think you’ve got an operating system best avoided if at all possible. That’s why I switched to Linux almost three years ago (following my beta testing of Vista) and now own a MacBook. I don’t like being treated like a criminal.

All that being said, there are a few new things on the M$ horizon. Windows 7 is simply a phenomenal operating system based on what I have seen so far. They keep telling me that it’s very similar to Vista under the hood, and maybe that’s true, but it just runs well. Way better than Vista. It makes me feel like they actually listened to customers rather than treating us poorly and assuming we’d happily pay to choke down whatever they deigned to throw to us. Over the last few years, they’ve relaxed their communications grip and allowed more blogging, more openness, and more honesty with the user community (and their relationship with developers has been good for quite some time). This leads to a more positive perception of them.

From what I read in the above-linked article, their AV is pretty solid now, and I think they have some good reasoning behind it. I dislike the idea of buying an insecure OS, but the more I learn about Windows development, the more I can accept its quirks and appreciate how they are working to correct the problem(s). I think they’re going about it the right way.

And to be perfectly honest, using Mac OS X, I’ve come to accept the dark side a bit more. I’m not so blindly hypocritical that I can’t realize the absurdity in bitching about M$ DRM and then accepting Apple with open arms. No one is more locked down than Apple. There’s a philosophical difference between the two, but the point stands: I am willing to accept certain restrictions because functionality and ease are superseding factors.

Vista wasn’t good enough to make up for its shortcomings. Windows 7 is, and when you bundle it with tight antispyware and antivirus software that makes it actually [more] secure out of the box like it’s supposed to be, that makes the operating system significantly more palatable.

Ever since they got trout-slapped in response to Vista, Microsoft has been working hard to clean up its act and woo users. Believe you me, I can be bought. Make me a shiny, solid, secure operating system and you might just get a user back.

Endnote: The last sentence isn’t quite true. There’s an excellent chance I’ll run Windows 7 in a virtual machine at work to use Microsoft Outlook. I’ll keep Linux on my desktop and OS X on my MacBook. I do, and will, however have Windows 7 in Bootcamp on my Mac for gaming. There’s a decent chance I’ll even increase that partition by another 25gb come August to move World of Warcraft from the Mac to the Windows side, as I’m pretty sure it’ll perform better there. What I’m saying is, I don’t have Vista anywhere, nor will I. Windows 7 is acceptable, and Microsoft is worming its way back onto my computers with their improved PR and OS.

Severe Java Vulnerability in Mac OS X

In case you haven’t heard, there’s a huge hole in Mac OS X’s security in regards to Java that has been there for some time and remains unpatched. This Java exploit is proven to work 100% of the time on all browsers and operating systems that are unpatched, but both Linux and Microsoft Windows are patched. Apple, as yet, remains open and vulnerable.

After learning of this, I quickly wrote some directions on how to disable Java in your web browser on OS X (we’ll be adding more operating systems and browsers later) and how to install both Firefox and NoScript to protect yourself in case you do need to use Java on occasion.

I’ll be honest here, OS X really isn’t that secure. If you use a Mac, be sure to disable Java or at least install NoScript. Otherwise you’re just leaving yourself open to attack.

As for me, I’ve now got Ubuntu 9.04 installed in a virtual machine running a second firewall, NoScript in Firefox, and a few other security hardening measures. Nevertheless, I still worry about this stuff.

On Adventure and Job Security

He had spent years in search of boredom, but had never achieved it. Just when he thought he had it in his grasp his life would suddenly become full of near-terminal interest. The thought that someone could voluntarily give up the prospect of being bored for fifty years made him feel quite weak. With fifty years ahead of him, he thought, he could elevate tedium to the status of an art form. There would be no end to the things he wouldn’t do.

– On Rincewind from Sourcery

“Matt, would you walk me to my next class?” Erin asked me breathlessly, her eyes wide with fear behind her slightly oval-shaped glasses. We had sat next to each other most of my freshman year of high school in geometry, but hadn’t begun speaking to each other until relatively recently. To be honest, I hadn’t even noticed her until last week.

Despite having been in close proximity to this girl for over a semester and a half, she always avoided notice by wearing big flannel shirts, keeping her hair over her face, and never saying a word. But when she walked into the dance the previous Friday night, it was like beholding an angel. I swear she shone with a pure white light, and her laughter swept me from my feet. She was enchanting, and when she told me that we had a class together, I was flabbergasted.

Today she was hiding again, though. Boots instead of high heels and flannel rather than lace, the only distinguishing mark about her the fear that was plain on her face. Of course, I agreed to walk her, and gently cajoled the story from her as we crossed the campus.

A band of pagans (not true satan worshippers, nor actually powerful witches) had forced her to a shrine they had built with the intent of harming her. Whether it would have come to rape or murder is hard to say, but Erin was terrified (she had escaped by kicking one in the groin and bull rushing past the one with the knife), and being the gallant witch I was, I vowed to protect her. For the next several days, I ditched out of classes early so I could walk her from place to place, and cast guardian wards wherever and whenever I could to keep her from harm.

I served as Erin’s bodyguard for only a week before she disappeared. Finally tracking her to Texas, I learned that she had fled the state out of fear, but was thankful for my help. Helluva reward.


Over the last couple of days, I have had a somewhat sobering and comforting realization. Despite my frustration at being unable to write due to the muddled nature of my mind on pain medication and the constant throbbing of my jaw, I have found myself uniquely blessed. It has occurred to me how truly wonderful it is to have a real job.

Not that writing isn’t a real job, for those who make an income from it, but in this moment, I’m kind of glad it isn’t my real job. I have a secure position at a major university which provides me with sick leave, vacation time, retirement benefits, and a steady paycheck based on the work, services, and knowledge I provide.

Writing is, to my mind, kind of like adventuring. You put yourself out there, go out on a limb, and pour yourself into something. You do it out of love and excitement and perhaps a certain amount of naivete. Sometimes this pans out and you make a paycheck here and there, but it’s not steady or secure.

Being unable to write for the last few days, I’ve felt a bit like a failure. I haven’t been producing, and subsequently my self-worth has faltered. But now it occurs to me that, at least at this stage in my life, that’s OK. My job isn’t writing; writing is a hobby I enjoy, but it’s not what pays for our house or our food. I have no obligation to a muse or a mission, I’m just (supposedly) doing this for fun.


I met a lot of people when I started college who wanted to go on a big adventure. They wanted to get out and see the world, to “start their life,” and to see what it all had to offer. I thought they were fools.

Adventure always found me whether I wanted it to or not, and it was never truly pleasant. Rather, I sought boredom, because boredom meant nobody was trying to kill me or mine.

I didn’t find boredom until I became Christian, and even then, not until after my first year or so of college. Once I placed myself under Jesus’s banner, I found that I no longer had to fight everything on my own. God takes care of me.

This was kind of a depressing realization at first. Part of me still thirsts for adventure, for the thrill of cheating death, for striding where so few go and daring everything for the next great leap. There was no point in keeping myself in good physical shape anymore, in pushing myself in certain academic pursuits, or in preparing for the great battles. There were no more great battles, and there was no more adventure of the sort I knew.

But there is certainly joy, and the last few days have highlighted that most dramatically. April has been truly wonderful, taking care of everything for me with love and gentleness. She has done the dishes and cleaned, cooked for me, catered to my every need, and somehow not resented my listless and constant napping.

All-in-all, I’m fine to be rid of the adventures of my youth. I could fill a book someday with them, and I probably will, but I’m not anxious to repeat them. I’d rather have this comfortable bed and our kittens, my beautiful wife and our home, and a secure job where I am valued and sheltered in the warm bosom of the university’s bureaucracy. I know from experience that there’s simply no end to the things I wouldn’t do.

Carrington 1.3 has been released

If you pay attention to your WordPress Dashboard (I notice mine every 2-3 days), you might have seen that version 1.3 of Carrington has been released. Carrington is the theme I use for SilverPen Publishing, but it’s more than a theme: Carrington is a unique shift in theme framework development and finds itself in a significantly more advanced category than your standard WordPress theme.

Simply put, it’s all kinds of wonderful, and I’ve really enjoyed having its style represent SilverPen Publishing. However, I have had to make a few tweaks to the theme, and when faced with an upgrade, I was hesitant to recommit myself to that task. All of those changes would have to be made once again, and I didn’t take notes on what I had edited because I didn’t think I’d have to do it again any time soon, let alone with this theme.

Most theme publishers write a theme, put it out for public consumption, and leave it. I never expect upgrades of a theme unless a major change in WordPress outright breaks the theme, and even then it doesn’t get upgraded most of the time. Alex King’s a champ, though, and stands by his work. If I could laud him any more highly I would, but for now my praise and recommendation will have to be sufficient. Such dedication caught me by surprise though, hence the lack of notes.

Because there were some important security upgrades in this version, I went ahead and upgraded after backing up my current theme, and then spent some time going through and changing what I needed to. In addition, I actually took notes this time as I went, and I’m going to go ahead and post them here. As I read in someone else’s blog recently, notes for me, notes for you.

Reasons to upgrade:

From Alex King’s blog:

Version 1.3 of Carrington Blog is now available for download.

Upgrading is strongly recommended due to a security patch in this release.

This version has a couple of changes – both bug fixes and new features:

  • Added an image.php file for displaying media. This is not yet abstracted into the framework, but will be in the future.
  • Added a field to the settings page for adding in analytics code.
  • Fixed a problem with IE7 and the dropdown menus.
  • Explicitly send headers with AJAX responses, hopefully fixes some issues reported by Safari users.
  • Added a Log In link to the header.
  • Added code to load in translations.
  • Updated documentation.



Our campus newspaper took a look at the dangers of social networking last week (just in case it hadn’t been done enough in the last few years by other media outlets) and noted that Spokeo seems to take Facebook’s propensity towards aggregation and turn it up to eleven. Curious about this site, I decided to make my own account and give it a try.

The long and short of it is that:

  1. It does pull together a somewhat creepy amount of information about your “friends,” and
  2. It requires all your login credentials.

You have to enter login information for every social networking site you wish it to pull data from. Spokeo claims that it does not store these credentials, rather using them to import what it needs that single time, but I have trouble believing that claim. Suffice it to say that I’ll be spending a portion of my day developing some brand new passwords and changing every account I own.

Even more interesting/startling is when you import friends from Facebook or Myspace and Spokeo then cross-references their email address against sites you may not even visit to see if your friends are on there. People who have shared their Facebook profile with me now are sharing their Flickr pages with me; they just don’t know it because they never told me about their Flickr page, Spokeo did.

It’s a net-stalker’s dream, and an intriguing site to be sure, but I can’t feel comfortable using it. As Spokeo points out in their disclaimers, they’re not pulling any information you don’t already have access to. I am technically able to get a person’s email address from Myspace, and then I could go myself to Flickr and look them up. The difference is that I didn’t and wouldn’t; the thought hadn’t crossed my mind. What’s more, the site does it all for me; it’s like having a site named Stalkers’R’Us that aggregates all public/state information on a person and hands it to you (address, phone number, birthdate, email/website addresses, SSN) without you having to do more than log in and click “import.”

It’s novel, and I think the creators have done some good work. The site is classy, well-functioning, smooth… and the principle behind it isn’t necessarily bad. I’m just not comfortable with it.

The multiple passwords conundrum

Your users have a total of 3-6 different logins and/or places to log in. Knowing that keeping all eggs in one basket means making an omelet on the sidewalk rather than in a proper skillet, you institute a system with a different username for each one and password complexity requirements that encourage different passwords for each. This means that, should a clever phisher find a person’s email password, they do not have access to the financial records or students’ grades.

However, the user doesn’t really care about security. They have work to do, and deadlines, and simply want to get to it. So, rather than sit for an hour or two a day trying to figure out how to log in to the myriad resources they need to do their job, they write the information down on a Post-It note for easy reference. And because they don’t want to spend another hour trying to find the note, they stick it to their monitor, or the underside of their keyboard.

Which sort of defeats the purpose, I suppose. Which is more secure: A single username with a complex password that gives access to everything for that user, or a bunch of accounts and passwords? Both have pros and cons, and I tend to advocate a method of multiple usernames/passwords, but all stored in an encrypted file behind a single username/password. This way, you only have to remember the one ID, but have multiples for all the other resources.

And the best way to keep that single username/password secure would be, first, to never write it down. But I’m intrigued by the potential of biometrics for securing all the other keys. I don’t know what the best answer is, so I’m glad we have some security consultants coming in to take a look at these kinds of issues and make informed recommendations on them. I know what works for me, but I value security over usability; I don’t care if it’s a bit harder to do my job, as long as it’s more secure. Most people probably don’t fall into that category, though.


The main thing to know about User Support is that we must be flexible. You never know what tomorrow is going to bring; the night’s storm might have fried a bunch of PSUs, or a virus outbreak could shut down every lab on campus. I spent most of today building web servers in virtual machines to test redirection solutions for our wiki, and had intended to write something about Linux at some point because I ❤ Linux oh-so-much. But a new project has given me a different focus.

Over the next week and a half, I’ll be working on two main things. First, and as quickly as possible, developing a list of security concerns, problems, proposals for research and further consideration, and potential solutions. We have some consultants coming to the university eventually to look into IT security, and we’d like to have something to give them to help them with their work. The second is a set of training and documentation guides on the new Banner system we are putting in. Banner is an Enterprise Resource Planning (ERP) program developed by Sungard Higher Education (HE) that we began working on a year or so ago. The implementation is a three year process, all told, and we’re nearing the launch of the first modules. My boss has requested a set of documentation by next Friday and assigned me to the team to work on it, so I started that earlier today.

Redirection will be moved to the backburner, my whiteboard has some ideas scribbled on it for the security RFP, and I feel productive. I’ve been reviewing other universities’ Banner documentation and will be doing more of that tomorrow… as well as downloading Debian (which comes on 3 DVDs apparently?) to play with in a VM once this has all settled down.

Always different one day to the next, but it’s an exciting career I thoroughly enjoy. Hopefully I’ll have some good things to write about security in the next few days (I particularly look forward to delving into the latest version of Truecrypt).