Having trouble viewing this newsletter? View our web version to see it in your browser.

Your Technology Problems...SOLVED

NOVEMBER 14, 2012

Featured Content

What's New at Experts Exchange
From the SLO and beyond

Fun and Games with Hackers
Cd& doesn't mess around

Nata's Corner
Black Friday, Win8 and passwords

Tip From the Moderators
jarmod101 on what is a Mod

In Brief
Things you might have missed

Who did what through Nov. 10

What's New at E-E

mwvisa1New Expert: Experts Exchange's newest budding Genius is Kaidynce-Amirah Christina Cross, born to Zayannab and Kevin Cross on November 5. In addition to being a database whiz, the proud dad is a basketball coach and projects his youngest daughter as a point guard; "She definitely can dribble," he says.

In beta-testing: If you're a network or system administrator, you might want to take a look at Experts Exchange's "datacenter rack utilization and locator application", also known as dRACKula. Designed by EE's sysadmins, who were frustrated with lost productivity configuring and updating server racks, it allows you to monitor and update your systems with a smart phone or tablet -- from anywhere.

You can listen to Scott McDowell and Immanuel Philips talk about dRACKula on the Experts Exchange podcast; all of the Experts Exchange podcasts are available on iTunes and SoundCloud, and you can listen to them on the Stitcher app for iOS and Android mobile devices.

Contest winners: gkiddle, who is just a few months away from having been a member of EE for a decade, won our first annual pumpkin-carving contest, for which he receives an EE coffee mug and pumpkin-spiced coffee from Starbucks. ValentinoV, who wrote an article about Displaying Checkboxes In An SSRS Report, was selected by the Page Editors as the winner of a Nexus 7 tablet.

garycaseExpert Profile: garycase has spent most of his life doing some interesting things with some interesting people in some interesting places. Read EE's profile of who started learning early and never stopped.

Survey says: Experts Exchange is still looking for comments about revamping the Advanced Search, so feel free to weigh in on the matter.

TEDx San Luis Obispo: If making the jaunt to San Luis Obispo in September was a little out of the way, you can now see all of the talks from the EE-sponsored event. In addition to the comments from Mark Wills, Patrick Matthews and Matt Huxtable, we highly recommend those of Gopi Kallayil of Google and Amanda Koster of SalaamGarage.

Free trial: Know someone who could benefit from Experts Exchange, but who has always said that s/he doesn't want to spend some money on something without trying it? Have that person fill out this form and they'll get a 90-day free trial.

Webinar: There are still a few spots available for JamieMcAllister's next webinar about "SharePoint 2010 No-Code Solutions for Power Users" on Thursday, November 15 at 11 am Pacific time. Get one now while they last.

Kudos: A few weeks ago, balajiram23 wrote an article that really wasn't one, so it never got published. But that doesn't mean it wasn't worth reading, so we present it here:

I recently had the good fortune of reading your articles and blogs regarding support on IT strategies. It was very very useful and contained sound, practical advice. In fact, I have already benefited from your discussion on IT questions and especially the way people reply instantaneously to the queries put and almost 95-99% I have got the answers to my questions. You pointed out several things that I will remember for years to come.

I look forward to reading your next informative work. Thank you. Please accept my thanks and congratulations on the same. I have got so much information and have learnt so much from the experts from your website. I think this is a great motivator for many students and IT professionals who need a little extra push. Your articles help us realize that our problems are typical, and we can solve them in constructive ways.

In fact most of my serious problems have been solved by the queries we have put from our company and from my personal point of view too. I really appreciate the efforts and commitment put by your people for bringing up such a good website which is very useful for IT guys like me. I am happy that somebody is there to help me in my tough times when I have nowhere to go for my queries which is really a great relief to me.

I wish these types of websites and blogs are concentrated more to serve the requirements of people who are in definite need of answers for their important and useful queries. It's a great pleasure for me to put forth my experiences and I am happy I am being given the opportunity to express myself in this regard as these types of websites and blogs must be definitely praised so as to enhance your services. Thank you and keep these good things coming. Thanks and best regards

Balaji ram - Senior systems analyst - Emarat Maritime

Fun and Games with Hackers

back to top

A couple of weeks ago, your humble editor and COBOLdinosaur were engaged in some routine email conversation about something trivial, profound or both when he mentioned that he had to go fend off an attack by a "script kiddie", so we asked that he write up something about his activities, or perhaps some advice, with the inducement that we would mention shamelessly plug his site. This is his report.

There are two groups who are never welcome to visit my sites; spammers and hackers. Over the years I have develop a number of web sites for clients, and a couple for myself. The spammers are easy they can be blocked and booted and their 'bots can be defeated. The hackers are a little more challenge, but they can also be fun to deal with.

My latest site at http://coboldinosaur.com/pages/articles.html was up less than a month when it got its first visit from script kiddie hackers and the fun began.

Yes, fun. The kiddie hackers are amusing, and if you have a site designed to meet the lame script based attack of clueless fools; entertaining. A good professional hacker can crack any site. There is no such thing as a hack proof site, but the pros don't go after sites unless there is profit to be gained and most sites don't have anything they are interested in.

So here comes the amateur hacker; a script kiddie trying to get to my database. They try to connect using all the common paths that could work. Not going to find it that way. I don't use a common path, or a conventional name for the database and tables, and I have a unique arrangement for user accounts. Even if a hacker manages to work through it and crack a password, they will find themselves in a rubber room or on flypaper. The rubber room bounces them around in a couple pages with no exit. The flypaper is loaded with worthless stuff that looks interesting. Either one keeps them occupied with time-wasting effort.

A non-conventional design is the first step to security. If you are using common off-the-shelf software and/or widely implemented templates and plugins, you are vulnerable as soon as some idiot finds an exploit and posts it on a hacker site. Here is an example from the PHP topic on Experts Exchange. So you need do add a few twists with some custom code when using off the shelf hacker magnets. I do sites with custom code, so I just use unique architecture for every site.

Step two is detection. I can see exactly what a hacker is doing and trying because I use up to 25 custom logs to report everything that I have decided I want to know about. I don't have to dig through access logs. If a hacker starts to get too close I just make a change so the path they are on will dead end.

You cannot protect a site unless you know what is going on. All sites have logs, mostly they are ignored because they are difficult to analyze. So do your own logging with simple code like this: http://coboldinosaur.com/pages/scripts/Custom_Logging_Site_Events.html. Log everything that is out of the ordinary into a set of custom logs that should be empty unless somebody is trying to mess with you. The logging can be invoked from anywhere including scripts that come down through the host, not just http: requests. They can also be put in daemons or jobs being run with CRON.

As the dumb kids bounce around my site, they provide information and I can attach variables to their sessions to making tracking easier. If they are stupid enough to use a browser with cookies enabled, I can identify them the second they come on the site even when they are not trying to hack. As long as I can continue gathering information, I let them wander in the wilderness.

That is part three of the security model. Gather information, don't give it. The last thing you want to do is block an IP while it is still possible to learn more about the hacker and their attack vector. The IP is probably just a proxy and they will switch to another. If you block them, they are aware you have seen them and they may change the attack vector. Instead get information. The name of the script, referrer, user agent, and the sequence of steps gives you additional ways to identify them and what exploit they are trying. with patience you may get enough information to be able to track them even when they do legitimate stuff, and not trying to hide.

You also never want to help them by returning a real error message. A blank page tells them nothing. I like to send a 403 to a hacker for a not found page, then watch them try and find a way to get to what they think must be good stuff. Every time they try a new wrinkle I have a chance to find out more about them.

Once I have all the information I think I can get, they get a message page. I let them know that I have been tracking their activities and the next time they attempt to hack I will retaliate. If they try it again they get a response that will crash their computer. Am I going to post that? No, that is something that could be used by morons to attack others. If you notice I am not giving much information of how I track, because that would help the hackers hide; but every transaction requires an exchange of information between the server and whatever they are using for a client. Capture and use the information.

Most script kiddies will stop after three or four failed attempts; if it goes beyond that you have enough information to respond. Don't go easy. If you have the skills, downloads a harmless but very annoying bit of adware. If you can get their real IP or the name of the service provider, then contact the admin and notify them of the hacking and indicate you will block their netblock and report the IP to all the blacklists if they do not act. Hackers are scum and deserve absolutely no mercy. Service providers that fail to act against hackers using their facilities deserve to be put out of business.

As for the idiots with unsecured open proxies; they are either stupid (no cure for that) or they are maggots enabling criminal activity and protected by corrupt bureaucrats and politicians. Either way, they belong on public blacklists so web site operators can find them and block them.

Is all this worth the effort? Probably not; but it is recreational and educational. It keeps me up to date on what is being tried by the script kiddies and identifies ways I can make my sites more secure.

The best is when I get an email from a throw away email address whining about how I messed up their computer. That makes my day!

Just in case you missed it my site is at http://coboldinosaur.com/pages/cdHome.html and I never pass up a chance to post my link when it is appropriate.


Nata's Corner

back to top

Nata's PictureYou can't make me. I'm not going to do it. No. But if you want to spend the day after Thanksgiving getting up really early, there are all kinds of sites that list Black Friday ads and deals.

I don't know what all the fuss is about. It's not like anyone I know has ever put anything embarrassing up on an Internet page.

All of us have passwords for all kinds of things, right? And all of us are religious about changing them, and using odd combinations of random letters, numbers and symbols so they're completely unguessable, right? And we never write them down, or leave them on Post-its on the side of our monitors, right? I thought not. But that's what PasswordCard is designed to help with. They give you a printable card that, even if someone finds it, can keep track of all your secure passwords in a non-electonic form that's small enough to fit in your wallet. While it's true that the number of victims in the US was down last year, it's also true that the cost per incident is going up, so maybe a low-tech way of keeping track of them is worth the few minutes it will take to protect yourself.

If that much effort isn't worth it for you, then you should read through the suggestions listed in The New York Times, along with some follow-up ideas from their readers. But whatever you do, it's like locking the door to your house; you may live in a little town where everyone knows everyone, and nothing really ever happens, but you'll only have yourself to blame if someone steals your television.

A few months ago, the other half bought me a new laptop that came with Windows 7, but it also came with a very inexpensive upgrade to Windows 8, and I haven't done that yet (I'm still trying to get used to one system before I go leaping into another, and we all know what a new Windows operating system is like, so I think I'll let them get some of the bugs out of it first). But if you're in the same position, you might want to take a quick look at Sophos' security tips for Windows 8. There's also the free e-book from Dell, and an upgrade assistant available from Microsoft, which is critical. If you don't run it, and you don't have the latest drivers, you're going to wind up with a black screen and only a cursor to show for it.

I know Halloween was a couple of weeks ago, but this makes Dracula look like a Curious George story. There's a PR company out there that builds a plug-in for Outlook 2010 that tells the sender of an email a lot more about the recipient than most of us would like -- unless, of course, you're one of those creepy PR people.

Finally, if you don't have a Facebook account but are thinking of getting one, the company has started giving new users specific instructions on privacy settings, along with a lot of other stuff. Now if they'll just do the right thing and show the rest of us where all their secret settings are.

In Brief

back to top

You will never find a more wretched hive of scum and villainy: Thank god that's over. Biggest winner is Nate Silver of FiveThirtyEight, who proved yet again why, while statistics is one of the three kinds of lies, they can also tell the truth if you don't have a stake in the game. Second biggest winner: Twitter, for getting through the night without a single whale sighting. For our part, if we never hear the words "this ad was paid for by [insert name of shadowy political action committee] which is solely responsible for its content" ever again, it will be too soon. Okay, except for the Americans For A Better Tomorrow, Tomorrow.

...millions of voices suddenly cried out in terror and were suddenly silenced...: The Walt Disney Co. (wich already owns Pixar, founded by George Lucas and later sold to Steve Jobs) is buying Lucasfilm.

She may not look like much, but she's got it where it counts...: There will always be an England, and fortunately, its headline writers will always be creative.

Hokey religions and ancient weapons are no match for a good blaster: In one corner, there was the electronic version of the same systems in place since, oh, 1960. In the other corner, there was 2008 on steroids.

We seem to be made to suffer. It's our lot in life: There's a startup that makes it possible for companies to keep using IE 6... but Live Messenger is being shut down. Oh, and Windows 8 is selling well, sorta (if you ignore the fact that there are something like 670 million devices running some brand of Windows), as long as you don't ask businesses about it.

Fear will keep the local systems in line: Europe, while on the one hand looking for ways to extract cash from Google, is also looking at a way to simply opt out.

It's all a lot of simple tricks and nonsense: Lockheed-Martin won a contract to implement a Microsoft 365 system for the Environmental Protection Agency.

Hey, what are you trying to push on us? The secret is out about Facebook's impact on busines bottom lines.

Jabba, you're a wonderful human being: If you're using SSL on your website, expect a letter from a law firm about a complaint. It should come as no surprise if a lawsuit is filed in Texas.

What good's a reward if you ain't around to use it? Or if the lawyers are going to take a bunch of it?

She'll make point five past lightspeed...: as long as you do it their way, that is. Southwest Airlines sent a "cease and desist" letter to a guy who built a website that would check you into one of their flights automatically as early as possible. Apparently, SWA is all about great customer service as long as it's the people deciding what great customer service is (and charging $10 for it).

I used to bullseye womp rats in my T-16 back home: Remember a little over a year ago when Netflix CEO Reed Hastings tried to split his company in two after raising the price, and it blew up in his face? Today, his company is responsible for one-third of North American bandwidth. It must be tough being right all the time.

I think you overestimate their chances... which is why big tech companies keep chasing the money instead of paying attention. Then again, the Chinese do have issues.

I sense something; a presence I've not felt since... Yahoo, pre-Mayer. Carl Icahn's latest target: Netflix.

I'd prefer a straight fight to all this sneaking around: Apple tried to pull a fast one after losing a round to Samsung, but the UK court said "not so fast".

I told you she would never consciously betray the Rebellion: Coca-Cola got hacked and kept it quiet -- kind of like the secret formula.

Help me, Obi-Wan Kenobi. You're my only hope (Signs of the Apocalypse): A "private" Facebook. Siri gets prudish. A mouse that requires you to go online to get it to work. Navy SEALs were punished for consulting on a video game. And the person who will be writing the script for the next Star Wars movie also did Little Miss Sunshine.


back to top

New Geniuses: ralmada's third Genius certificate comes in the Query Syntax topic area. nav_kum_v has earned his first, in Oracle. Congratulations!


Expert In Topic Area Certificate
hjgode.NET ProgrammingMaster
plusone3055.NET ProgrammingMaster
TheAvenger.NET ProgrammingMaster
sarang_tinguriaActive DirectoryGuru
lazarus98Active DirectoryMaster
DrDamnitApache Web ServerMaster
QlemoCisco PIX/ASAMaster
KvistoftaCisco PIX/ASAWizard
MASQUERAIDDigital MusicMaster
hanccockaHard DrivesMaster
aarontomoskyHardware FirewallsMaster
PeteLongHardware FirewallsWizard
MereteImages and PhotosGuru
JRSCGIIP TelephonyGuru
Darr247Linux DistributionsMaster
CarlWebsterMicrosoft OSMaster
dvt_localboyMicrosoft OSMaster
Exchange_GeekMicrosoft OSMaster
Russell_VenableMicrosoft OSMaster
crouthamelaMisc NetworkingMaster
GaryC123Misc Web DevMaster
HagayMandelMisc Web DevMaster
imnorieMS ApplicationsGuru
MereteMS ApplicationsGuru
butterskMS ExcelGuru
felixdsouzaMS ExcelGuru
pony10usMS ExcelMaster
The_BarmanMS ExcelSage
harfangMS OfficeGuru
peter57rMS OfficeGuru
butterskMS OfficeMaster
RancyMS Server AppsMaster
Expert In Topic Area Certificate
breadtanMS Server OSMaster
NeilsrMS Server OSMaster
npsingh123MS Server OSMaster
Tony1044MS Server OSMaster
TechSoEasyMS Server OSSage
CluskittMS SQL ServerGuru
GhunaimaMS SQL ServerMaster
kelvinsparksMS SQL ServerMaster
mlmccMS SQL ServerWizard
TempDBAMS SQL ServerWizard
SaurvMS SQL Server 2005Master
gohordMS SQL Server 2008Guru
jimpenMS SQL Server 2008Guru
jogosMS SQL Server 2008Sage
TempDBAMS SQL Server 2008Sage
eeRootNetwork AnalysisMaster
pergrNetwork Design & MethodologyMaster
nav_kum_vOracle DatabaseGenius
ralmadaQuery SyntaxGenius
marcustechSBS Small Business ServerGuru
BembiSBS Small Business ServerMaster
Sembee2SBS Small Business ServerMaster
oBdAScripting LanguagesGuru
arnoldServer HardwareGuru
RobWillServer HardwareGuru
Alfred1SSRS SQL Reporting SvcMaster
wilcoxonSybase DatabaseMaster
CitizenRonVB ScriptMaster
Brook1966Visual Basic ClassicWizard
thinkpads_userWeb BrowsersGuru
ded9Web BrowsersMaster
arober11Web ServersGuru
SandeshdubeyWindows 2003 ServerGuru
jordannetWindows 2003 ServerMaster
sushil84Windows 2003 ServerMaster
Darr247Windows 7Guru
liorkrWindows 7Master
redbmasterWindows 7Master
roybridgeWindows 7Master
clonyxlroWindows Server 2008Guru
hypercatWindows Server 2008Guru
McKnifeWindows Server 2008Guru
NetfloWindows Server 2008Guru
RobSampsonWindows Server 2008Guru
hopeleonieWindows XPMaster
ikalmarWireless HardwareMaster
aarontomoskyWireless NetworkingMaster
RobWillWireless NetworkingMaster