The Rise and Fall of Adobe Flash

A long, long time ago, I wanted to make lava lamp buttons for my Web site. I wanted the shape of the lava blobs to be random and mathematically controlled, and it had to be done with vector graphics – animated gifs would have been huge to provide something that even remotely felt random, and back in those days most people connected with dialup modems.

I searched high and low for a vector animation tool and couldn’t find one. There was Macromedia Director, which I used extensively back then; it put out files for Web play in a format called Shockwave, but it wasn’t a true vector-based program. Not the right tool for lava lamp buttons, that was for sure. I’d started playing with a Java applet to draw my buttons, but it seemed like vector animation was something the Web really needed. I mentioned this to a friend of mine, and he said, “Oh I know some guys with the tool you’re looking for.” At the time it was called FutureSplash.

I mentioned FutureSplash to my boss. It was going to be huge, I predicted. His response: “Maybe we should buy them.” (Ah, those dot-com boom days, how I miss them.) Three days later Macromedia announced that they had bought FutureSplash (for a lot more than we could have paid) and contracted the name to Flash.

The rest is history — until the present.

There was even a time when I imagined that a lot of the Web would end up as Flash. Or at least it should. Flash had a lot of things right that HTML had managed to screw up. You could do a lot more, and with Flash the Web experience began to approach the quality of experience people had in other parts of their computing lives.

Macromedia and later Adobe seemed to go out of their way to prevent Flash from taking over the Web. Creating Flash became ever more complex and ever more expensive. Nowhere was the simple “baby Flash” that Joe Amateur could use to build a nice site without first getting extensive training and shelling out a few hundred bucks for tools.

Meanwhile, Flash designers didn’t help in those early years, either. So much Flash became “look what I can do” rather than “look how I can make your visit to my Web site better” that Jane Surfer started resenting Flash. “I waited 60 seconds to download this?” A good example of that sort of waste is at the top of this page, in fact. There are a couple of fun things in the banner, but they don’t enhance the Muddled Experience very much.

Now, the world is shifting again. If you’re reading this site from your iPad, you don’t see the banner at all. No Flash in iOS. This is something the other tablet manufacturers have made a big deal of—but maybe not for very much longer. Microsoft’s next tablet OS won’t support Flash, either.

HTML, the platform I get paid to dislike, is becoming HTML, the platform I get paid to deal with. HTML5, CSS3, full SVG support, and robust JavaScript libraries make possible just about everything Flash can do, without Flash. That’s a lot of things to learn and manage to get a job done, however. Before, a designer could just master Flash and be confident that their work would look right wherever the Flash plugin was installed.

What’s needed is a tool like Flash that, after you’re done designing, outputs your masterpiece in Web-standard format, with HTML, CSS, and JavaScript. When something like that comes out, the handwriting will be on the wall for Flash.

And here it is. Adobe, makers of Flash, have announced Edge, the animation tool that will eventually replace Flash. It looks pretty good. It doesn’t do anything remotely close to what Flash does (no mention of audio that I’ve found, for instance, so my banner would have to forgo the theme song, and interactivity will have to be handled outside the tool as well, as far as my first glance tells me), but it does a great deal, and when you’re done the product will work in all modern browsers, including mobile ones. Adobe has applied their long, long experience making animation tools to make the user interface slick and clean (though you will want a really big monitor).

Flash will be around a long, long time yet; it still lets a developer build Web-based user interfaces that would be a pain in the butt to create from HTML and the rest of the alphabet soup. That gap is narrowing, however, and as Edge gains in features (and, alas, complexity), the marginalization of Flash will accelerate. I’m impressed that Adobe said, “If Flash dies, we’ll be the ones to kill it.” They really are the right people for the job. Now all we need is “baby Edge.”

Seven? Really?

A few days ago the Firefox team let forth a new major release. 7.0.1. Seven. That’s a lot of progress since earlier this year when they floated Firefox 4.

Most software companies would have labeled this release 4.3. The Firefox team has eschewed the first dot and has decided to make any release with a feature change a new major release. There is no n.1; the first decimal digit is entirely vestigial. There was no 4.1. There was no 5.1 or 6.1. There will be no 7.1, just 7.0.1. This might sound stupid, unless you have Inside Information. Which I have, thanks to Wikipedia.

The Internet Explorer team at Microsoft, sworn rivals of Firefox, are nonetheless ok guys who want to make this whole Web thing work. Back in the day when the Firefox team kicked the ass of the web world and released a browser that not only defined standards but provided the tools to help Web developers code to those standards, team FF were the guys to beat. On the release of FF3, the boys at Microsoft sent the team a cake. Firefox 4 was similarly honored. And FF5. And so on.

And now we see the real reason behind the accelerated numbering. Each major release gets a cake. If I was in charge, there’d be a new major version every Thursday.

* The firefox team joked about sending a cake to Microsoft to honor IE 8 (or 7 or 9 and you shouldn’t ask me to remember shit like that), but they would send the cake along with the recipe. Open-source cake. But (as far as history records) they didn’t. Would’a been funny. There’s talk and there’s action, and seriously you don’t want to be on the losing side of that with Microsoft.


Then there’s Incapsula

I’ve written about CloudFlare in the past. I think it’s a no-brainer for small-time bloggers like me who control their own domain’s DNS (the service works by pointing your domain’s name servers at CloudFlare). My writing has attracted the attention of another company, Incapsula, who offer a similar service.

Incapsula would love for me to give them a try, so I can write about them, too. They’re under the impression that I have some sort of influence in the world. Ha! They’ve even offered me a free upgrade to the ‘pro’ level of the service. One really cool thing about the upgrade: out-of-the-box SSL, which means you don’t have to get your own certificate to handle commerce. Certificates can be a real hassle, and a considerable expense. (One caveat worth knowing: that certificate covers the leg between the visitor and Incapsula’s edge. Whether the hop from the edge back to your own server is encrypted is a separate setting, so check it before trusting the padlock for anything sensitive.)

The thing is, I’m pretty happy with CloudFlare. As of today, people on IPv6 can read these words. (Much like telephone numbers in some areas, the world is running out of IPv4 addresses; IPv6 is the much larger replacement pool, and CloudFlare handles that side for me.) I’ve worked out one kink with the system and things are running smoothly. Does Incapsula have code to install on the server to make it play well with others? I don’t know.

Also, I don’t really need any of the advanced services of either system. I don’t do e-commerce, which could be a compelling reason to switch and grab my free upgrade.

I have a couple of terrifically minor quibbles about CloudFlare’s user interface and flexibility blocking IP ranges, but nothing worth even mentioning here. Logically, I should just stick with CloudFlare and leave it at that.

Except…

That guy they think I am? The one whose words can shift the balance of power in an emerging new market? I’m not that guy. I’ll never be that guy unless I devote myself to the task, and I’ve got other things to write about that are probably more interesting to most of you. But still I want to be the guy they think I am. I want to write the CloudFlare vs. Incapsula smackdown article to which all the pundits refer.

To do something like that, I’d have to set up a site to use Incapsula, but I don’t want to rock the Muddled Boat. I have jerryseeger.com, but what sort of test do I get out of a site that no one ever visits? It’s a site where acceleration hardly matters because the whole thing is so simple, and there’s no sign of e-commerce on the horizon. The thing barely even gets spammed.

Still, I have to think of something… the public demands it!


Your Most Important Password

I’ve mentioned passwords before, but today I’d like to tell you about the most important password in your possession, the single password that keeps the hordes at bay.

Take a moment to think about the passwords you use for your various secret stuff. If you’re like me, you have your ordinary password for unimportant stuff, then you ratchet up the entropy for sites that involve money. For a long time I had two passwords, my ‘secure’ one and my ‘other’ one. Now I’ve started taking my passwords a lot more seriously, which means keeping a file of all my passwords, itself protected with massive encryption and the most awesome passphrase ever. No one’s getting into that file.

But here’s the thing: they don’t have to. There’s another password I have that’s just as powerful and easier for a bad guy to use. My primary email password.

How does that password drop my trousers universally? Simple: if someone had access to my email, they could click “I forgot my password” on every site in the world and harvest the responses. If the evil robot cleared out the emails before I read them, I’d be none the wiser. And I’d be fucked.

You might think your online banking password is the one you must protect most diligently, but your email password will hand them your bank account along with everything else. This is the password to protect and change regularly.

As an aside, you can make things a little tougher for bad guys by modifying your email address when you register for stuff. For instance, if I register at xyz.com, I might use [email protected] for my email address. The cool thing about ‘+’ is that it doesn’t change the delivery (the above will go to [email protected]), but you can sort your email based on the suffix, and you can track who gave your email address away. Most significantly, if some wrongdoer has your email password, they still have to know the +suffix for each site before they can use the “I forgot my password” feature; a site’s reset form wants the exact address it has on file. The caveat is that the suffix is no secret from someone already reading your mailbox: any message that site has previously sent you carries it in the To: line. So treat it as a speed bump that also makes a break-in noisier, not as a substitute for a strong email password. If your email password gets out, that second line of defense could still save your ass.*
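The sorting and tracking described above, as an added example that is not part of the original post: the mailbox, site names and messages are constructed for illustration, and the “leak” rule (a tag that receives mail from a domain it was never given to) is my assumption about how you would track who gave your address away.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple


def tagged_address(base: str, site_domain: str) -> str:
    """Build the address to hand to a site: 'local+tag@domain', tag derived
    from the site's name. The mail server ignores everything after '+'."""
    local, domain = base.rsplit("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", site_domain.lower())   # keep the tag simple
    return f"{local}+{tag}@{domain}"


def split_tag(address: str) -> Tuple[str, Optional[str]]:
    """'local+tag@domain' -> ('local@domain', 'tag'); tag is None if absent."""
    local, domain = address.rsplit("@", 1)
    if "+" in local:
        base_local, tag = local.split("+", 1)
        return f"{base_local}@{domain}", tag
    return address, None


class TagRegistry:
    """Remembers which tag was issued to which site, sorts incoming mail by tag,
    and flags tags that receive mail from somewhere they were never given to."""

    def __init__(self, base: str):
        self.base = base
        self.issued: Dict[str, str] = {}          # tag -> site it was given to

    def register(self, site_domain: str) -> str:
        addr = tagged_address(self.base, site_domain)
        self.issued[split_tag(addr)[1]] = site_domain.lower()
        return addr

    def sort_and_audit(self, messages: Iterable[Tuple[str, str]]):
        """messages: (to_address, from_address) pairs, constructed by the caller.
        Returns (mail grouped by tag, tags that got mail from an unexpected domain)."""
        by_tag: Dict[Optional[str], List[str]] = {}
        leaks: Dict[str, Set[str]] = {}
        for to_addr, from_addr in messages:
            base, tag = split_tag(to_addr)
            if base.lower() != self.base.lower():
                continue                            # not this mailbox at all
            by_tag.setdefault(tag, []).append(from_addr)
            sender = from_addr.rsplit("@", 1)[1].lower()
            owner = self.issued.get(tag)
            if owner and sender != owner and not sender.endswith("." + owner):
                leaks.setdefault(tag, set()).add(sender)
        return by_tag, leaks
```

Anything arriving with no tag at all (`None` in the grouping) is mail to the bare address, which is exactly the bucket a password-reset harvester would have to hit blind.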

Also, know that if your email provider gets hacked, you could be hosed. There is one major company (rhymes with achoo!**) that seems to have a hard time keeping the wrong guys out of your account (although I think it’s the address book that has been compromised, and not direct access to your emails). There are likely others that do a better job keeping their names out of the press when they spill your information.

So, to flog the horse: If bad guys get access to your email, they own you. Protect that password diligently. Change it fairly often. Use [email protected] when you sign up for stuff. In databases around the globe, your email is quite literally your entire identity.

* I read somewhere that hotmail and some others don’t support the + in emails. I haven’t tested personally, but if your provider is one of those, drop them immediately and find a better service.

** I’m pretty sure I have stock in a company that ends oo!, so I’m not just slinging mud here.

Bad Behavior, CloudFlare and Google Bot

This blog has several layers of protection from the evils of the outside world, but those layers don’t always get along. One problem that I had is pretty common among CloudFlare users, and the documentation provided by the relevant players has a hole in it – a key nugget of information that can make all the difference.

The nugget follows in due course.

My first line of defense from ne’er-do-wells and miscreants is CloudFlare. They stop most of the bad guys before they even reach my site. Still, for some sorts of attacks, when there’s doubt it’s better to let the bad guy through. It may turn out to be a good guy.

A program called Bad Behavior is my next line of defense. It sits on my server and quickly spots liars and weasels. For dangerous-looking attacks, that’s the limit. But, when there’s doubt and the site itself is not at risk, Bad Behavior will let the attack through.

At this point, ‘attack’ means ‘comment spam’. Everything else is stopped before it reaches this stage. Most of the comment spam has been stopped as well, but some has been given the benefit of the doubt. That’s where Akismet comes in. This layer spots the rest of the comment spam, and it can be much more aggressive since it doesn’t actually delete the spam, it puts it into a bin for future review. So, legitimate comments can be rescued by an alert blog admin.

It works pretty well. Three spams actually got through all the layers last week, the first time any have gotten through in quite some time. Somewhere, a spammer popped a bottle of bubbly.

So comment spam is pretty well thwarted. Hooray! Unfortunately, for a while I had a pretty big problem. Search engine robots were being denied. I fell off Google and Yahoo! and all the rest, and traffic to this site dwindled.

Note: according to this article, Bad Behavior has been updated to avoid the following problem. Yay! You should still install the CloudFlare plugin and the Apache module if you are able.

Here’s what was going on:

  1. Googlebot said ‘hey, muddledramblings.com, show me page x’.
  2. The request must get past CloudFlare. No problem. They see it’s the real Google bot and pass the request on to my server.
  3. Bad Behavior is next. It checks whether a request that calls itself Googlebot really comes from Google, by looking at the address the connection arrived from. Behind CloudFlare that address is a CloudFlare edge server, not a Google crawler, so Bad Behavior says, “You are a lying sack of dingo dung and a false Google bot. You are obviously evil and you may not pass.” Google is shut out. The other legitimate robots are cut off as well, for the same reason.

This problem is pretty easy to fix, but not quite as easy as WordPress admins would like to hope. CloudFlare passes the visitor’s real address along in a request header (CF-Connecting-IP), and they provide code you can install on your server that copies it into the place where the original source address normally lives (REMOTE_ADDR), so everything downstream sees the visitor instead of CloudFlare. The one rule such code must follow, and the thing to check if you ever write your own: only trust that header when the request actually arrived from one of CloudFlare’s addresses. A request that reaches your server directly can carry any header it likes, and you would be letting the attacker pick the address you log and block on. This bit of fix-it code is available as a WordPress plugin, so you can install the plugin and rest easy.

But that’s the thing that tripped me up and is not explained in the docs. In the case of working with Bad Behavior, the WordPress Plugin is not enough.

The catch is that Bad Behavior runs earlier in WordPress’s load order than the CloudFlare plugin, so it does its magic before the CloudFlare plugin can do its magic. So, even with the CloudFlare plugin firmly installed, Bad Behavior will reject Google bot and all his pals.

There are two simple solutions: 1) Install the CloudFlare Apache module, which kicks in before anything else is run. This is preferable to the WordPress plugin anyway, because it’s a system-wide solution. 2) If you don’t have that level of control over your server, turn off Bad Behavior. It’s a shame to lose that layer of protection, but not devastating; there’s some overlap between what CloudFlare stops and what Bad Behavior stops. You still have two layers and your own alert management to fall back on.
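The two checks described above, as an added example rather than code from Bad Behavior, CloudFlare’s plugin or the Apache module: restoring the visitor’s address from CF-Connecting-IP only when the peer is a Cloudflare edge, and verifying a self-proclaimed Googlebot by forward-confirmed reverse DNS. The two Cloudflare ranges are a snapshot of their published list (load the current list in practice); the Google crawler address, the forged address, and the DNS answers are constructed so the example runs offline.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Set

# Two of Cloudflare's published edge ranges, enough for the example. Production
# code must load the full, current list rather than hard-code a snapshot.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "103.21.244.0/22")]


def client_ip(remote_addr: str, headers: Dict[str, str],
              trusted: Iterable = CLOUDFLARE_RANGES) -> str:
    """The address the application should treat as the visitor's.
    CF-Connecting-IP is honoured only when the TCP peer is a Cloudflare edge;
    a request that bypassed Cloudflare can carry any header it likes."""
    peer = ipaddress.ip_address(remote_addr)
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded and any(peer in net for net in trusted):
        return forwarded
    return remote_addr


def is_real_googlebot(ip: str, reverse_lookup: Callable[[str], Optional[str]],
                      forward_lookup: Callable[[str], Set[str]]) -> bool:
    """Forward-confirmed reverse DNS: the IP must reverse to a host under
    googlebot.com or google.com, and that host must resolve back to the IP."""
    host = reverse_lookup(ip)
    if not host:
        return False
    host = host.lower().rstrip(".")
    if not (host.endswith(".googlebot.com") or host.endswith(".google.com")):
        return False
    return ip in forward_lookup(host)


def should_block(remote_addr: str, headers: Dict[str, str], reverse_lookup, forward_lookup,
                 restore_ip: bool = True) -> bool:
    """Bad-Behavior-style rule: a User-Agent that claims to be Googlebot from an
    address that does not verify as Google is a liar. restore_ip=False reproduces
    the broken setup, where the peer (a Cloudflare edge) is what gets checked."""
    if "Googlebot" not in headers.get("User-Agent", ""):
        return False
    ip = client_ip(remote_addr, headers) if restore_ip else remote_addr
    return not is_real_googlebot(ip, reverse_lookup, forward_lookup)


# Constructed DNS answers so the example runs offline (real code would use
# socket.gethostbyaddr / socket.gethostbyname_ex). The second PTR is a fake
# crawler whose reverse name merely contains "googlebot.com".
_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
        "198.51.100.9": "crawl-66-249-66-1.googlebot.com.evil.example"}
_A = {"crawl-66-249-66-1.googlebot.com": {"66.249.66.1"}}


def fake_reverse(ip: str) -> Optional[str]:
    return _PTR.get(ip)


def fake_forward(host: str) -> Set[str]:
    return _A.get(host, set())
```

With `restore_ip=False` the crawler is rejected because the peer is the edge; with the restore in place it passes, and a direct request that forges CF-Connecting-IP is still judged by its real peer address.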

How This Blog Works

Over the years, the technology behind this blog has gone from cave-dwelling stone-knives-and-bearskin static pages to cloud-city jet-packs-and-lightsaber dynamic yumminess. That transformation starts with WordPress but does not end there. Not by a long shot.

I started the Muddled Media Empire using a tool called iBlog, because it was free and worked with Apple’s hosting service, which I was already paying for. iBlog’s claim to fame was that it didn’t require a database – every time you made a change it went through and regenerated all pages that were affected. Toward the end, that was getting to be thousands of pages in some cases, each of which had to be uploaded individually. When iBlog’s support and development faltered, it was already past time for me to move on.

WordPress is an enormously popular Web-publishing platform. It comes in two flavors: you can host your blog on their super-duper servers and accept their terms of service and the slightly limited customization options, or you can install the code on your own server and go nuts. I chose the latter, mainly because I wanted to be able to touch the code. I’m a tinkerer.

So I signed up for a cheap Web host and set to work building what you see now. At first things were great, but after a while the host started having issues, and the once-great customer service withered up and vanished. So much for LiveRack. I think they just didn’t want to be in the hosting business anymore. I moved to iPage.

iPage was cheap, but I was crammed onto a server with a bunch of other people and sometimes my blog would take an agonizing time to load. Like, almost a minute. Then there was the time a very popular Geek site linked to my CSS border-radius table and iPage shut me down because the demand on the server was too much. Ouch! My moment in the sun became my moment at the bottom of a well.

I set out to find ways to make this blog more server-friendly and more user-friendly at the same time. Step 1: caching. WordPress doesn’t store Web pages, it stores data and the instructions on how to build a Web page. So, every time you ask to load a page here, WordPress fires up a program that reads from the database and assembles all the parts to the page. The thing is, that takes longer than just finding the requested file and sending it back, the way iBlog did. Caching is a way for the server to say, “hey, wait a minute – I just did this page and nothing’s changed. I’ll just send the same thing I did last time.” That can lead to big savings, both in time and server load.
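The caching idea described above, as an added example that is not W3 Total Cache’s code or anything from WordPress: a whole-page cache in front of a slow render function. Besides the “nothing changed, send the same thing” shortcut, it shows the two rules a shared page cache has to respect so it does not become a security problem: requests from logged-in visitors bypass it entirely (the cookie name prefix is WordPress’s real one), and only GET responses are stored. The render function, clock and paths are constructed for the example.

```python
import time
from typing import Callable, Dict, Optional, Tuple


class PageCache:
    """Whole-page cache keyed by request path.
      * A logged-in visitor's request is never served from, nor stored in, the
        shared cache; otherwise one person's private page goes to everyone.
      * Only GET responses are cached.
      * Everything is dropped when content changes (invalidate())."""

    def __init__(self, render: Callable[[str], str], ttl: float = 300.0,
                 clock: Callable[[], float] = time.time):
        self.render, self.ttl, self.clock = render, ttl, clock
        self.store: Dict[str, Tuple[float, str]] = {}   # path -> (expires_at, body)
        self.hits = self.misses = self.bypasses = 0

    @staticmethod
    def _logged_in(cookies: Dict[str, str]) -> bool:
        # WordPress sets a cookie named wordpress_logged_in_<hash> on login.
        return any(name.startswith("wordpress_logged_in") for name in cookies)

    def get(self, path: str, method: str = "GET",
            cookies: Optional[Dict[str, str]] = None) -> str:
        cookies = cookies or {}
        if method != "GET" or self._logged_in(cookies):
            self.bypasses += 1
            return self.render(path)              # private or non-idempotent: build fresh
        now = self.clock()
        entry = self.store.get(path)
        if entry and entry[0] > now:
            self.hits += 1
            return entry[1]                       # "nothing's changed, send the same thing"
        self.misses += 1
        body = self.render(path)
        self.store[path] = (now + self.ttl, body)
        return body

    def invalidate(self) -> None:
        """Call when a post or comment changes; cheaper than tracking dependencies."""
        self.store.clear()
```

The bypass counter is worth watching in a real deployment: if it is a large share of traffic, the cache is not saving you much, and if it is zero on a site with an admin logged in, the cookie check is wrong.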

I looked at a few WordPress caching programs and eventually chose W3 Total Cache, because it does far more than just cache data. For instance, it will minify scripts and css files (remove extra spaces and crunch them down) and combine the files together so the browser only has to make one request. It will zip the data, meaning fewer 1’s and 0’s moving down the pipe, and it does a few other things as well, one of which I will get to shortly.

I installed W3 Total Cache, and although some settings broke a couple of javascripts (for reasons I have yet to figure out – I’ll get to that someday), the features I could turn on definitely made a difference. Hooray!

But Muddled Ramblings and Half-Baked Ideas was still way too slow. I continued my search for ways to speed things up. I also began a search for a host that sucked less than iPage. (iPage was also starting to have outages that lasted a day or more. Not acceptable.) I decided I was willing to pay extra to be sure I wasn’t on an overwhelmed machine.

I’m not sure which came first – new server or Amazon Simple Storage Service. S3 is a pretty basic concept – you put your stuff on their super-duper servers, and when people need it they will get it really quickly. Things that don’t change, like images and even some scripts, can live there and your server doesn’t have to worry about them.

This is where W3 Total Cache earned my donation to their cause. You see, you can sign up for Amazon S3, and then put your account info into the proper W3TC panel and Bob’s Your Uncle. W3TC goes through your site, finds images and whatnot, puts them in your S3 bucket, and automatically changes all the links in your Web pages to point to your bucket instead of your own server. (Sometimes I find I have to copy the image to my S3 bucket manually, but that’s a small price to pay.)

Now a lot of the stuff on my blog, like the picture of me with the Utahraptors the other day, sits on a different, high-performance server out there somewhere, and no matter how overwhelmed my server happens to be at the moment those parts will arrive to you lickety-split. Amazon S3 is not free, however – each month I get an invoice for two or three cents. Should Muddled Ramblings suddenly become wildly popular, that number would increase.

About that server – the next stop on my quest for a good host was a place called Green Geeks. I wanted to upgrade to a VPS, which means I get a dedicated slice of a server that acts just like it was my very own machine. There is a lot to like about those, but my blog just wouldn’t run in the base level of RAM they offered. I upgraded and reorganized so that different requests would not take up more RAM than they needed. Still, I had outages. Sometimes the server would just stop freeing up memory and eventually choke and die. Since it was a virtual server in a standard configuration, logic says it was caused by something I was doing, but all my efforts to figure it out were fruitless, and Green Geeks ran out of patience trying to help me figure it out.

The server software itself is Apache. At this point I considered using nginx (rhymes with ‘bingin’ ex’) instead. It’s supposedly faster, lighter, and easier to configure. But, I already know Apache. I may move to nginx in the future, but it’s not urgent anymore.

During the GreenGeeks era I came across another service that improves the performance of Web sites while reducing the load on the servers. I recently wrote glowingly about CloudFlare, but I will repeat myself a bit here for completeness. CloudFlare is a service that has a network of servers all over the world, and they stand between you the viewer and my server. They stash bits of my site all around the world, and much of the time they will have a copy of what you need on hand, and won’t even need to trouble my server with a request. About half of all requests to muddledramblings.com are magically and speedily taken care of without troubling my server at all. They also block a couple thousand bogus requests to my server each day, so I don’t have to deal with them (or pay for the bandwidth). It’s sweet, and the base service is free.

Unfortunately, it was not enough to keep my GreenGeeks server from crashing. Once more I began a search for a new host. I found through word of mouth a place called macminicolo. Apple employees get a discount, but I wasn’t an Apple employee yet. It was still a bargain. For what turned out to be the same monthly cost of sharing part of a machine at GreenGeeks, I get an entire server, all to myself, with plenty of RAM. I’ve set up several servers on Mac using MacPorts, and I knew just how to get things up and running well. It costs less than half what a co-located server costs anywhere else I have found (Mac, Windows, or Linux). (Co-location has up-front costs, but in the long term saves money.) So I have that going for me.

The only thing missing is that at GreenGeeks I had a fancy control panel that made it much simpler to share the machine with my friends. I do miss that, but I’m ready now to host friend and family sites at a very reasonable cost.

So there you have it! This is just your typical Apache/WordPress/W3 Total Cache/Amazon S3/CloudFlare site run off a Mac mini located somewhere in Nevada. Load times are less than 5% of what they were a year ago. Five percent! Conservatively. Typically it’s more like 1/50th of the load time. Traffic is up. Life is good.

Now I have no incentive at all to learn more about optimization.


Ubiquity Solutions: Evil or merely Overwhelmed?

Note: Wow. This got long, and somewhat technical. For today, some of you might want to look at cute pictures of cats instead. I won’t mind.

I noticed the other day a huge rush of spam comments from IP addresses starting 108.62. I did a lookup and found that the whole block is owned by an outfit called Nobis Technology Group. Most of the addresses also mentioned Ubiquity Server Solutions. They are a massive hosting and colocation service. Basically, they supply the hardware and infrastructure, and their customers set up Web servers and whatnot.

Some of those customers (or the customers of the customers) send out a lot of spam. A truckload. In some cases the customer of a customer of a customer might have been lax and his server got hacked and turned into an unwitting spambot. In other cases the people using Ubiquity’s servers are likely institutional spammers.

Brief aside: Why does comment spam even exist in the first place? Google plays a big role there, with a number called PageRank. Part of PageRank (at least historically) was that more links pointing to a page make it land higher in Google searches. So, the spam comment isn’t to get readers of a blog to buy Doc Marten shoes, it’s to get that particular site to land higher in Google’s results when someone searches for them.

The thing is, Google doesn’t publish page rank numbers anymore, and they steadfastly maintain that the comment spamming actually hurts your results in a search. That hasn’t stopped many companies from promising higher sales and taking people’s money in return for smearing their name all over the Internet.

Google could go a long way toward eliminating this sort of spam by publishing page rank again, only now include the amount the rank was hurt by spamming activities. My shoe salesman above is not going to keep paying when Google shows the opposite of the desired result.

So anyway, using CloudFlare’s threat control, I blocked an entire range of IP addresses allocated to Ubiquity’s servers. Then another. I didn’t like this solution; I had no idea how many legitimate potential blog visitors I was blocking. After reading more, the answer surprised me.
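How you would spot a burst like the 108.62 one and turn it into a range block, as an added example that is not the blog’s own tooling or CloudFlare’s: pull the addresses that POSTed to WordPress’s comment handler out of the access log, count them by prefix, and emit the networks over a threshold. The log lines are constructed (Apache combined format, with 108.62 picked to match the post and documentation-range addresses for the innocent visitor); the /16 grouping is a rough cut, and the real allocation should be confirmed with whois before anything is blocked.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# Constructed access-log lines, made up for this example.
SAMPLE_LOG = """\
108.62.10.5 - - [12/Oct/2011:10:01:02 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0
108.62.11.9 - - [12/Oct/2011:10:01:04 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0
108.62.200.17 - - [12/Oct/2011:10:01:09 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Oct/2011:10:02:00 -0700] "GET /2011/10/ HTTP/1.1" 200 5123
203.0.113.7 - - [12/Oct/2011:10:02:30 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0
108.62.33.2 - - [12/Oct/2011:10:03:11 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0
"""

# client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')


def comment_posters(log: str) -> List[str]:
    """Addresses that POSTed to WordPress's comment handler, one entry per attempt."""
    ips = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3).startswith("/wp-comments-post.php"):
            ips.append(m.group(1))
    return ips


def hot_prefixes(ips: Iterable[str], prefixlen: int = 16, threshold: int = 3) -> List[ipaddress.IPv4Network]:
    """Group addresses by /prefixlen and return the networks at or above the
    threshold. A prefix may hold more than one organisation, so confirm the
    real allocation (whois) before blocking it."""
    counts = Counter(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips)
    return sorted((net for net, n in counts.items() if n >= threshold),
                  key=lambda n: n.network_address)


def is_blocked(ip: str, blocks: Iterable[ipaddress.IPv4Network]) -> bool:
    """The check a request goes through once the ranges are in the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)
```

The threshold matters: one address posting one comment is a reader, four addresses across a /16 posting to nothing but the comment handler is a network.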

The folks at Ubiquity point out that they have terms of service that prohibit using their infrastructure to spam people. When I sent them a complaint, they were professional and courteous. They asked for more specifics, then said they’d sent a complaint to the culprit. Only after they’d asked what my domain name was.

Question: Did they send a message to the culprit saying ‘stop spamming people’ or did it say ‘stop spamming that guy?’

On other blogs where people have ranted about Ubiquity, representatives of the company have responded with measured, rational responses, explaining what a huge uphill battle it is for them, and asking the community to keep sending reports when spam comes from their range. Those reports make it possible for them to put sanctions on clients who are in violation of their terms of service. It is a huge problem and not easily solved.

And yet. Other hosting companies don’t seem as bad, from where I’m sitting.

One of those responses from a Ubiquity representative threw out the argument (I’m paraphrasing from this) “While it’s theoretically possible to monitor all data to weed out the 500MB/s of spam from the 2GB/s of legitimate traffic, that would be really expensive and we wouldn’t be able to compete in this market.” My first takeaway: they think 20% of the traffic from their servers is unethical. Wow. Now, that’s reading a lot into a statement like that, so take it with a grain of salt. Also, it was in a comment to a blog post and may well have been a typo in the first place.

But still, it makes me wonder. And a request coming in to a server for data (legitimate traffic like a request to load a Web page) is fundamentally different than robots on a server sending unrequested data OUT (a high percentage of which will be spam), and sending emails (almost all of which will be spam). A small random sampling of GET and POST messages outbound from their data centers would probably smoke out the most egregious violators pretty quickly, and not require a lot of hardware to implement. (Not sure how I feel about this from a privacy standpoint.)

Once I got the message that Ubiquity had sent their complaint to the spammer involved, I unblocked that range. Sure enough, in a few minutes more spam came through. I sent the report and back up went the blockade. In my casting around the Internet I read assertions that were not contradicted (so must be true!) that said that NO legitimate traffic would come from those IP’s anyway; they were the addresses of big servers and not IP’s that would appear when Joe User is surfing. So there’s no downside to blocking them. (I’ll put the blocked ranges in a comment below, if you want to follow suit.)

Although, as I put the blockade back up, I had a thought: If I complain about every violation, and cc Google, then the cost of NOT clamping down more effectively on the host’s clients goes up. At some point, if enough people complain enough times, the cost of fixing the problem at the source becomes less than the cost of continuing to do business they way they are now.

That goes not just for Ubiquity, but for all hosts, and for Google and the other search engines. There is no incentive for them to play nice unless we create one.

Yep, I’m proposing fighting spam with a deluge of emails, and I’m probably too lazy to do it effectively.

Of course, this blog is hosted at a data center that almost inevitably will have spammers. Do I want to pay more for my own hosting because my data center has to install a bunch of spam detectors? In my case, I’d be willing to pay a bit more to know my host is doing the right thing, but I think I’d be in the minority. That makes it really difficult for one host to unilaterally decide to take the high road. And you’d be alienating about 20% of your customers, if Ubiquity’s off-the-cuff numbers are an indication.


CloudFlare = Awesome

So by now you’ve probably heard of “the cloud”, but you might be vague on what the cloud actually is. That’s OK, the cloud is by nature vague. In short, it’s just a name that applies to what the Internet has been trying to do for a long time: information without location. You put a photo up in the cloud, and it’s just “out there”, not on any particular server, not in any particular data center, not in any given country. Could be there are copies of it all over the place, and when someone wants to look at the picture, The Cloud serves up the copy closest (in Internet miles) to the person who wants to see it.

This requires a lot of expensive equipment. Google and Amazon are the biggies in the cloud, but there are others as well, who, for a price, will host your data in a ‘cloudy’ way. In return, people around the world can load your stuff faster.

This humble blog is in the cloud. When you load a page here, roughly half the time the request doesn’t even reach my server (protected in a bunker somewhere in Nevada), but is instead served up from one of CloudFlare’s data centers around the globe. It’s pretty sweet, and has reduced the strain on my server (not that it’s working that hard anyway) while improving the Muddled Experience. The cost for this service? Nothing. It’s free.

I totally win.

CloudFlare also blocks a few hundred spammers each week, before my server has to go to the trouble of blocking them. They compile usage stats and provide other interesting information, and cut the load time for the blog about in half.

They’re a friendly bunch, too; when I suggested upgrades to their interface they wrote back with specific questions as well as thanks. A site they hosted was attacked from China a while back, and it brought down part of their network. They were right up front about the issue and what they were doing about it, and advised people on how to ‘de-cloud’ until the crisis was over. Not everyone was happy, but I was impressed. Soon after reading those communications I signed up.

How can they offer something like this for free? It’s the upsell, of course; they offer premium services. In addition they create a platform for other companies to sell stuff to me. Some of those services are pretty cool, too, though I haven’t dipped my toe in those waters yet (for instance, there’s a free service that checks your site now and then to see if it’s been hacked).

Overall, I can’t think of any reason NOT to use CloudFlare. Check ’em out and tell them Jerry sent you!

OK, This is a Little Spooky

I guess I knew this intellectually already, but reading this article really brought it home. We all know that info we post on Facebook and other social media sites is more or less public, no matter what security settings you use. The stuff just leaks out. Your birthday, gender, and zip code are enough to uniquely identify most of us in this country. Once someone has that, they can start to gather more information about you and share it with their friends.

But there’s another piece of information that most of us have shared all over the Internet, which when combined with the above, gives unscrupulous (or are they?) enterprises the ability to gather vast amounts of information about what you do even when you’re not using a computer.

What nugget of information is that? Your face. If you’ve used modern photo software, you may already have noticed that it’s getting pretty good at recognizing not just where faces are in your pictures, but whose faces they are.

Let’s say I own a big store, something like Target. I already have security cameras scattered liberally around the place. Imagine that now I can buy a list of faces in the zip codes close to my store. Suddenly I’m able to keep a record of which departments in my store each customer visits. The next time they come back, I can put a tease on a video screen as they walk in, tailored to their purchasing habits, or I can alert security if the person is a suspected shoplifter.

Of course, your friendly neighborhood government can use technology like that, too, and they already have your picture on file.

What to do about it? Realistically, nothing. The train has left the station, and there’s no calling it back. We could try to pass laws about this stuff, but they’d be pretty much impossible to enforce. You could try to scour the Internet and remove every picture in which you’re identified, but good luck with that.

The only counter-strategy I can think of off the top of my head is misinformation — tagging a whole bunch of different faces with your id, to create uncertainty over who the “real” you is. That only goes so far, however; once your face and credit card are linked at a retailer you’re done. It’s probably time to coach our children to not make the same mistake we did, instead to take a page out of Harlean’s book. She is a fiction. The Internet is no place for real people.

Coda:
The front panel of the article linked to above is about breaking the security on iPhones. It’s worth noting that while the article is correct, the same advice applies to anything protected with a password. The obvious thing missed in the article is that most people don’t put any password on their phone, rendering the rest of the warning moot. I use an Android, and my screen lock thingie has even fewer permutations than a 4-digit number. I’m not out to stop the pros; I put the lock on the phone when I read that California has ruled that searching a phone doesn’t require a warrant, even though searching a briefcase does. My lock is to stop prying during routine traffic stops. I don’t have anything to hide, but it’s important that everyone protects privacy, not just people with something to hide.

A closing note about passwords:

Mmm… Honey

I just installed a honey pot on this site. The idea of a honey pot (or honey trap) is to create a tempting target that attracts wrongdoers, but once they put their hand in the honey pot they leave sticky fingerprints everywhere they go.

In Internet terms, the honey is a seemingly-innocent email address placed on a Web site, invisible to humans but easy for robots to find. When the spam harvesters scrape the email address off the site and use it, both the harvester and the spammer are caught and blacklisted, which reduces their ability to run robots and get their mail through.

The more people who participate, the more trouble spammers have spotting the honey pots. How can you help? Even if you don’t have control of your site or run a blog through one of the major services, you can pitch in. Go to Project Honey Pot and sign up. You can provide invisible-to-humans links to honey pots on other sites, if nothing else, and it doesn’t cost you diddley-doo.

If you click on the “swag” link in the header, you will see that they could also use a graphic designer. I imagine a spam-bear with his head stuck in a honey pot. How you communicate that it’s a spam-bear and not an ordinary bear I leave as an exercise for the visually talented.

Once Project Honey Pot compiles its list of villains and ne’er-do-wells, what happens next? Many major services use the list, and I also use a program called Bad Behavior which blocks blacklisted bots and spammers from reaching my site. Recently I added another layer called CloudFlare which is awesome enough for me to devote a separate episode to it. So, you have that to look forward to.

In the meantime, I encourage you to join the crusade to make life more difficult for those who want to use the Internet for evil.


Amazon Links Restored

Once more you can support Muddled Ramblings and Half-Baked ideas when you shop at Amazon. Just start your shopping adventure by clicking the link in the sidebar, and while nothing else changes for you, a slice of the money you pay will make its way to the Secret Labs, located for the purpose of this exercise in New Mexico.

I hope so, anyway; I haven’t actually tested the links.

Shop and enjoy!


A Rambling Blog

A couple of years ago I became fed up with my Web hosting provider. MMHosting had been great, but then came the outages, and the complete lack of response from their support people. (At the start of my stay with them, I had been mightily impressed with their customer care. That ended.) Then there was the time Muddled Ramblings was mentioned on a very popular blog and my hits soared. They turned me off.

I moved to a new, very inexpensive host called iPage. It was great, until the outages, which could last a day or more. When I asked what the problem had been and what they had done, they were vague. “No, really,” I persisted, “I understand the jargon. Tell me what happened and what you did to make sure it won’t happen again.” I never got an answer.

“You get what you pay for,” I reasoned, and iPage was wedging me onto an already overcrowded server and there just wasn’t enough computer there to handle all that traffic. Giddy with a new income stream, I decided to upgrade. The way to avoid getting wedged onto an overcrowded machine is to cough up the bucks and reserve a portion of a machine that is yours and yours alone. It doesn’t matter what any of your neighbors on the box do, they can’t take your resources away from you.

The downside to this approach is that you can’t borrow resources from your neighbors, either. For reasons I still don’t understand, my virtual server went nuts every once in a while, cranking away and eventually running out of RAM and descending into a hellish limbo of non-Web-serving confusion. I’ve gone over all my stuff and I can’t find anything that would cause that, but there must be something. (It might be coming from outside; perhaps China still hates this blog, and throws a half-assed attack at it periodically. They do that shit. I expect it’s something more local, however.)

So the money I was throwing at the problem wasn’t helping. It was time to weigh my options again. The step up from renting a dedicated slice of a server is to use the whole damn machine. Naturally, this costs a lot more, since there’s one customer per machine.

Except when it doesn’t. Enter my new best hosting pals, MacMiniColo.net. For the price I was paying GreenGeeks, I get more than six times the server, and it’s MacOS, which means all my experience setting up servers with MacPorts pays off. (I’m a big fan of MacPorts. It’s not always quite as easy as they make it sound, but usually it is. Tonight I needed to add SSH2 support in PHP, and all I had to do was type sudo port install php5-ssh2 and that was that. I’m not even sure what SSH2 is (as opposed to SSH) but it simplified the WordPress AutoUpdate process.)

There were a couple of hiccups getting everything running (I set up jerryseeger.com as a WordPress install first to pave the way), but once everyone agreed where the MySQL socket was it was Holiday On Ice the rest of the way. The last step, getting AutoUpdate to work in WordPress, was something I’d not managed on the CentOS virtual server at GreenGeeks. Now it’s cake.

So, I’m pretty happy. I’ll be watching for the midnight-runaway problem, and if the extra horsepower doesn’t solve it (if it even happens at all), at least now I know that there is nothing on this box I don’t control.


Apple’s Latest Security Update

Mention viruses to a Mac user and the response will often be… well, smug. Many Mac users believe that viruses and other malicious software are a Windows problem. Apple hasn’t done much to discourage that notion, not even to warn users when real threats are afoot.

Recently someone launched a bit of malware targeted directly at Macs. The program would lurk on Web sites (I think that’s where it came from, anyway), and flash up a message “Your computer is infected with a virus! Download our software to clean it up!” The software to install had a noble, protective-sounding name. People followed the instructions, and infected their own machines. Before long a couple of similar threats appeared, including a much worse one that required less participation by the owner of the computer.

Now, it could be argued that only an idiot would fall for something like this. I occasionally see alerts that my Windows computer is infected and I must download something to fix it — even though I’m on a Mac. You don’t have to be around the Internet very long to learn not to trust strangers. Unfortunately, there are a lot of idiots, and even more newbies who have not learned that hard lesson.

A couple of days ago at work I got an email addressed to all Apple employees telling them not to fall for “Scareware”. The evil had been circulating for a month or more before Apple even alerted its own employees about the threat. Yesterday Apple released a security update that removes this particular family of bad guys and takes some measures to make similar attacks more difficult in the first place.

But there’s one thing no virus protection can do: prevent the user from giving permission to dangerous software to run on their system. Once the user says the software is OK, that’s it. Mac users’ feeling of immunity from harm could make them more gullible; they’ve never given much thought to how they would react when confronted by an urgent message like the ones in this latest outbreak.

So, fellow Mac users: Don’t be stupid! Almost as important: Put that smug attitude away. Your day is coming, sooner than you think.

Securing Dropbox

As I mentioned recently, Dropbox is awesome. When using it, however, it’s important to think about security. The Dropbox guys lock up your data nice and tight – but they hold the keys.

Think of it this way: You’re on a cruise ship, and you have a priceless diamond tiara (don’t we all?). You know it’ll be much safer in the ship’s vault than in your cabin. The ship’s purser is only too happy to watch over your valuables in their very strong safe. Now you can rest easy.

Except… there’s someone besides you who can open the vault. What if the government serves the purser with a warrant (or some other constitutionally-questionable writ) and takes your tiara? What if someone fools the purser into handing over your tiara? For most things, trusting the purser is fine, but that tiara is really something special. What you need, then, is a special box with a really strong lock. You give the purser the box and neither he nor anyone else can even see what’s inside, and you can make it a really strong box, so even if the purser hands over the keys to his vault, your stuff is still safe.

The same principle applies with Dropbox. It’s really convenient and pretty darn secure, but someone else is holding the keys. For most things, like my writing, no further security is necessary. Yet I have a few files that I don’t want to leave to someone else to protect, but I still want the convenience and data backup Dropbox provides. On my Mac I’ve set up a very simple system that allows me to see my most secret files whenever I need to on any of my machines, but protects them from prying eyes. It’s actually pretty simple, and there’s almost certainly a direct analog on Windows.

The Disk Utility that comes with Macs can create an encrypted disk image using pretty dang strong encryption. If you put that image file in your Dropbox, then any files you add to that virtual disk will be encrypted and saved to your Dropbox when you unmount the disk. Here are the steps:

  1. Fire up Disk Utility (it’s in the Utilities folder).
  2. Click New Image.
  3. Decisions, decisions….
    • Name your new disk. If you name it “secret stuff” that will just make people curious.
    • Size: For reasons I’ll go into shortly, I’d advise not making this any bigger than you really need. If you’re protecting text files, it can be pretty small. The 100MB setting is probably more than enough for most people.
    • Format: Just use the default.
    • Encryption: I say, what the heck. Go for the maximum unless you’ll be using a really old machine.
    • Partition: just use the default.
    • Image Format: sparse disk image – this will keep the size of the actual disk file down. UPDATE – As of MacOS X 10.5, there’s a new option called “sparse bundle disk image”. DON’T USE THAT! It seems perfect at first (see below) but things get mucked up if there’s a conflict.
  4. Save. You will be asked for a password. You’ll not need to remember it, so make it good and strong, nothing like any password you’ve used anywhere else. Keep the “save in keychain” option selected. (If you need it later, you can find it with Keychain Access.) – Remember: this is the secret that protects all your other secrets.
  5. Voila! Put the disk image in your Dropbox folder. When you open the image file, a new hard drive will appear in Finder. Anything you put on the drive will be added to the .dmg file you created.
  6. “Eject” the drive on that machine and open the .dmg on any other machines with which you want to share the information. While you remember your crazy password, get it saved in the keychains of your various machines.

A couple of notes:

  • The .dmg file will only update when you “eject” the drive. So I advise you not to keep it mounted most of the time. Open it, add/access the files inside, and close it again. If you open it on two machines at the same time, you will end up with two versions in your Dropbox folder.
  • I advised saving your password on your keychain, but remember that anyone who can access your computer can also access your secrets. So you might want to consider not putting the password in your laptop’s keychain, for instance, if you think it might fall into the wrong hands.
  • Since your secret files are saved as a single blob of data, you won’t have automatic backups of individual files. If you need to recover one, you’ll have to find the right version of the image file.
  • Since your information is saved as a big ol’ blob, if you make a huge .dmg file it will eat up space in your Dropbox and burn up unnecessary bandwidth each time your save. ‘Sparse’ images only grow to the maximum as you use the space (but never shrink unless you intervene with Disk Utility).
  • UPDATE – Apple has created a new format that saves the image file as a whole bunch of little blobs, rather than one big one. With that option, when you make changes, only the little blobs that changed need to get updated. This was to make Time Machine work better, and at first I thought it would be perfect for Dropbox. Then I spent a few minutes testing and discovered that the way Dropbox handles conflicts (two computers updating the file at the same time) gets royally hosed when you use this format. Bummer. So, don’t use it.
  • It’s possible to set things up to protect individual files, but it’s complicated. Hopefully it won’t always be.
  • Important! If you only store the password on one machine – save it somewhere else also! If you lose that password (if your hard drive crashes or your computer is stolen, for instance), you’re not getting into your strongbox. Ever. That was the whole point, after all.
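The same procedure done from the Terminal, as an added script that is not part of the original post: it creates the image with hdiutil using the settings chosen above, refuses the sparse bundle format, and checks for Dropbox conflicted copies before mounting, since those are what you get when two machines have the image open at once. Assumptions: macOS with hdiutil, the image path and volume name (placeholders), and Dropbox’s “conflicted copy” file naming.

```shell
#!/bin/sh
# Added example, not from the original post: the Disk Utility steps done with
# hdiutil, plus a guard for the two-machine conflict the notes warn about.
# Assumes macOS; the image path and volume name below are placeholders.

IMAGE="${IMAGE:-$HOME/Dropbox/notes.sparseimage}"   # assumed location inside Dropbox
VOLNAME="${VOLNAME:-Notes}"                          # bland name, as the post advises
SIZE="${SIZE:-100m}"                                 # cap only; a sparse image grows as used

# Refuse the sparse bundle format: the post found it breaks Dropbox conflict handling.
image_name_ok() {
    case "$1" in
        *.sparsebundle) return 1 ;;
        *.sparseimage|*.dmg) return 0 ;;
        *) return 1 ;;
    esac
}

# Dropbox names a clashing version "<base> (<host>'s conflicted copy <date>).<ext>"
# (assumed naming). Print any such siblings of the image; return 1 if there are any.
conflicted_copies() {
    dir=$(dirname "$1"); file=$(basename "$1")
    base=${file%.*}; ext=${file##*.}
    found=0
    for f in "$dir/$base ("*"conflicted copy"*")."$ext; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"; found=1
    done
    [ "$found" -eq 0 ]
}

# Create: AES-256, plain SPARSE type, HFS+, passphrase read from stdin so it never
# appears in the process list (saving it in the keychain is a separate, optional step).
secret_create() {
    image_name_ok "$IMAGE" || { echo "use a .sparseimage, not a sparse bundle" >&2; return 1; }
    printf 'Passphrase for %s: ' "$IMAGE"; stty -echo; read -r pw; stty echo; echo
    printf '%s' "$pw" | hdiutil create -size "$SIZE" -type SPARSE -fs HFS+ \
        -encryption AES-256 -volname "$VOLNAME" -stdinpass "$IMAGE"
}

# Open: stop if another machine's copy has already collided; otherwise mount it.
secret_open() {
    if ! conflicted_copies "$IMAGE"; then
        echo "merge the conflicted copies listed above by hand before mounting" >&2
        return 1
    fi
    hdiutil attach "$IMAGE"
}

# Close: ejecting is what makes the image file change and sync to Dropbox.
secret_close() { hdiutil detach "/Volumes/$VOLNAME"; }

# Reclaim space freed inside the image (sparse images never shrink on their own).
secret_compact() { hdiutil compact "$IMAGE"; }

case "${1:-}" in
    create)  secret_create ;;
    open)    secret_open ;;
    close)   secret_close ;;
    compact) secret_compact ;;
esac
```

Run it as `sh secret.sh create` once, then `open` and `close` around each use; `compact` is the command-line equivalent of shrinking the image in Disk Utility.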

Anybody need a Web Host?

I’ve ponied up for a web service that is WAY more than I need. The type of account is intended for resellers – most people who buy this much server turn around and sell web hosting accounts to small clients.

There are two configurations for the account: bare server and bells & whistles. The bells & whistles option costs a little bit more, but would save me hassles. (No need to manually configure httpd.conf, for instance.) The bells & whistles option also makes it really simple for me to set up you guys out there as “customers”.

So, here’s what I’m thinking: If I can get three people interested in paying me $5 a month for Web hosting, I can pay for the bells & whistles and save myself some hassle moving this site over to its new home.

For $5 a month you get:

  1. Way, way less crowded server than you would get anywhere else, even for four times that much money.
  2. Confidence that I will never let the server get bogged down, since the whole reason I’m paying for the thing is so my site won’t get bogged down.
  3. Personal service. You know the guy in charge. I’m more than happy to help my friends through getting set up and all that stuff. It’s a level of service I’m only able to do because I’m limiting the number of people I let onto the server.
  4. My Web provider (and soon yours!) is about as green as they come. Say no to carbon!
  5. The satisfaction of knowing that your money is helping a small collective of folks sharing a server rather than feeding a big corporation.
  6. I am also now an official enom reseller, which means I can take care of your domain registration for a rate only a little higher than GoDaddy. For the extra money you get… um… There must be something…

Anybody interested? Let me know now, before I go ahead and move this site over the hard way!