January 30th, 2004
In other news, Microsoft has decided to hold off on Eolas-related changes to Internet Explorer. The company, in a press release, explains that it will not implement any changes to its browser because it intends to appeal the current judicial decision granting victory to Eolas, and also because the Patent Office will revise the patent Eolas holds, considering that there are strong questions concerning its validity.
Judging from the way things are, it’s well possible that everything will be solved without any need to change browsers or any other applications affected by the patent, which is good news.
January 30th, 2004
My hosting provider has just informed me that they will be changing the server on which my site (along with those of many of my friends) is hosted. Motive: none, except that they want to change it. As a result, the site may become unavailable for some time in the next few days. In fact, considering the recent level of service of those guys, it will probably be much worse than that.
To my (few) faithful readers: I’ve been trying to solve this chaotic situation for some time now, but fear has prevented me from doing what I should have already done, which is moving away from this hosting provider. I apologize. Thanks for your patience, too.
In a good Christian spirit, I think I should send an e-mail to my provider thanking them for all the troubles and headaches I endured in the last few months. It’s certainly helping me to be more patient with everybody.
January 28th, 2004
The University of Liverpool is offering a terrific post-graduate course: a MA in Science Fiction Studies, running for one year and dealing mainly with English-written science fiction, though it will also consider some European writers.
Now, imagine yourself studying your favorite genre for a whole year, with full access to the Science Fiction Foundation archives, one of the richest science fiction archives in the world. I think I’m going to cry.
I can’t help but think that I live in Brazil, where buying such kind of books is hard because you need to import them, where the national market for the genre is virtually non-existent, and where no university would ever consider the possibility of running such a course. I really think I’m going to cry.
January 26th, 2004
My wife was fixing us breakfast when a slice of bread, with butter on it, fell on the kitchen’s floor with the butter side up. Surprised, she picked the slice up from the ground, to dispose of it, and remarked loudly: “Well, I guess Murphy’s Law has exceptions.” She had just finished saying it when the bread fell again to the floor with the butter side down this time. As I said later, when she told me the story, Murphy’s Law has no exceptions.
January 22nd, 2004
From the series “Things that only your hosting provider can do for you.”
A few weeks ago, some strange e-mails reporting delivery errors started arriving in my inbox. At first, I thought they were a resurgence of an old spam technique of forging mail delivery errors to distribute spam and/or viruses. However, those e-mails didn’t contain any spam message or payload whatsoever. Since they didn’t look like the usual error messages my mail server provides, I didn’t bother with them, thinking they were just the result of a crazy spamming surge meant to fool filters. Of course, I was mistaken in presuming so.
The problem started to become clear when some of the e-mails I sent in the next days returned undelivered and flagged as spam. As I never engaged in such activity, I couldn’t understand how that had happened. But as I share an IP address with other sites, I presumed that one of them had done something that had been considered spam by some blacklist. Anyway, I decided to investigate the issue and soon found the cause of the problem.
As it turned out, the hosting provider I’m using today maps a special CGI path in all sites it hosts, apart from the usual cgi-bin path, which contains a bunch of scripts that can be used by any site to implement some simple functions like contact forms, hit counters, and similar things. But — that’s where the trouble begins — none of those scripts is protected. All of them can be used by anyone, whether they are customers of my hosting provider or not.
From the logs, I found that one of the scripts, a formmail clone, is being constantly used to send small amounts of spam, which resulted in my site being included in some spam blacklists. I also found that some networks have completely blocked access to my IP address — permanently in some cases. To make things worse, I host eleven other domains that are probably marked as spam senders as well.
Needless to say, I’m looking for a new hosting provider — for the fourth time since I started this blog. I’m also considering a change in my primary domain name to avoid future problems, which will be a huge inconvenience.
I guess that will teach me to choose my hosting providers more carefully — and to be willing to pay more for better service.
January 21st, 2004
One of the systems I use regularly has a simple mechanism to prevent brute force attacks against the authentication interface. The system allows three attempts at authentication and, in case they fail, blocks the specific login used from trying to authenticate again for some reasonable length of time after the third attempt. Once that blocking period has expired, the user can try again. A new failure will result in another blocking period, which grows with each further attempt. At some point, when the number of failures reaches a certain threshold, the login is completely barred from accessing the system until an administrator clears him or her. That’s a simple and effective way to block some kinds of attacks, although somebody determined enough might be able to circumvent it somehow.
A few days ago, while trying to access the system, I reached the first three attempts limit. After waiting for some minutes, I tried again and was blocked once more. I was surprised because I was sure I was providing the correct password. It was then that I realized that I was giving the incorrect username: it was missing one of its characters.
The point here, which I’m certain you can see, is that I was blocking another user from accessing the system because of my mistake. As this system has a large number of users, the probability of similar usernames occurring is very high, especially because the username is limited to just a few characters. Luckily, the users of this specific system are not likely to access it more than a few times each week, and my mistake almost certainly didn’t cause any problem to the other user. However, imagine a system where users are constantly logging in and out. In such a system, such mistakes could lead to large numbers of users being inconvenienced. And in systems where such access is crucial to business, things like that could become a serious problem.
Moral of the story: a system must implement all possible security measures that can be implemented on it, but those security measures must also be balanced with regards to their usability or users will suffer as a result.
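The lockout scheme described in this post, written out as an added example (it is not the code of the system mentioned, whose block lengths and thresholds are not given, so the 60-second base period, the doubling, and the five-block bar are assumptions). The `typo_scenario` function reproduces the failure mode above with constructed users: `mlopes` drops the last character of her login, enters her own correct password three times against `mlope`, and the real `mlope` finds herself blocked.

```python
"""Per-login lockout with escalating block periods (added example, assumptions noted)."""
import time

MAX_ATTEMPTS = 3          # failures allowed before a block starts (from the post)
BASE_BLOCK_SECONDS = 60   # first block length (assumed)
PERMANENT_AFTER = 5       # blocks after which an administrator must clear the login (assumed)


class LoginLockout:
    """Tracks failures per login; the clock is injectable so tests can advance time."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}        # login -> failures since the last block or success
        self.blocks = {}          # login -> number of blocks served so far
        self.blocked_until = {}   # login -> epoch seconds when the block ends
        self.barred = set()       # logins that need an administrator

    def check(self, login):
        """Return None if the login may attempt authentication, else the reason it may not."""
        if login in self.barred:
            return "barred: contact an administrator"
        until = self.blocked_until.get(login)
        if until is not None and self.clock() < until:
            return f"blocked for {int(until - self.clock())}s"
        return None

    def record_failure(self, login):
        """Count a failure; on the third, start a block that doubles each time (assumed growth)."""
        self.failures[login] = self.failures.get(login, 0) + 1
        if self.failures[login] < MAX_ATTEMPTS:
            return
        self.failures[login] = 0
        n = self.blocks.get(login, 0) + 1
        self.blocks[login] = n
        if n >= PERMANENT_AFTER:
            self.barred.add(login)
        else:
            self.blocked_until[login] = self.clock() + BASE_BLOCK_SECONDS * 2 ** (n - 1)

    def record_success(self, login):
        """A successful login resets all counters for that login."""
        self.failures.pop(login, None)
        self.blocks.pop(login, None)
        self.blocked_until.pop(login, None)

    def admin_clear(self, login):
        """Administrator action that lifts a permanent bar."""
        self.barred.discard(login)
        self.record_success(login)


def attempt(lockout, users, login, password):
    """Authenticate against a constructed user table, honouring the lockout state."""
    reason = lockout.check(login)
    if reason:
        return reason
    if users.get(login) == password:
        lockout.record_success(login)
        return "ok"
    lockout.record_failure(login)
    return "bad credentials"


def typo_scenario():
    """Constructed: 'mlopes' mistypes her login as 'mlope', which belongs to someone else."""
    users = {"mlope": "s3cret-A", "mlopes": "s3cret-B"}
    clock = [1000.0]
    lockout = LoginLockout(clock=lambda: clock[0])
    for _ in range(MAX_ATTEMPTS):
        attempt(lockout, users, "mlope", "s3cret-B")   # right password, wrong login
    # The genuine owner of 'mlope' now presents the correct password and is refused.
    return attempt(lockout, users, "mlope", "s3cret-A")


if __name__ == "__main__":
    print(typo_scenario())   # the innocent user sees the block, not the one who mistyped
```

Because the state is keyed only on the login name, the cost of a failed attempt lands on whoever owns that name, whether the failures come from a typo or from a third party submitting them on purpose. This is the usability side of the trade-off the post describes: the same counter that slows a password guesser can be used to keep a legitimate user out.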
January 20th, 2004
Just the other day I was doing a favor for a friend of mine who owns a marketing company when I stumbled upon a thing that showed once again how Windows is much more unsafe than Linux or any other decent OS if installed with its default options.
Since that friend doesn’t know much about programming, she asked me to create some scripts for the site of one of her clients. The site is hosted in one of the biggest hosting providers in Brazil, both in terms of customers and infrastructure, which shall remain unnamed to protect the not so innocent. At some point, one of the scripts gets a file uploaded to the server and forwards it to a specific e-mail address. So far, so good. It’s just a question of hooking two components together.
However, when I started creating the script, I found that I didn’t know where to temporarily store the files before they were sent to the correct e-mail address and deleted from the server. It was a bit past midnight, and I had no way to ask support. Since I was using a programming language that has no command to retrieve the current directory, I just used the simple and dirty way to find where the file is running from: I caused an error. With the directory at hand, I tried to save a file to it. It worked. Considering that that language also lacks any kind of protection against that kind of thing, I wasn’t bothered. So, just for fun, I tried to save the file at C:\Temp. To my surprise, it just worked.
All right, accessing C:\Temp isn’t a big deal, even though it wasn’t supposed to happen. So, I decided to go further, and tried to access C:\WINNT. As incredible as that may sound, this directory was completely accessible, with full reading and writing rights. If that is not a security hole, I don’t know what a security hole is.
In short, a user with a simple FTP password can easily compromise the machine, which is part of a much bigger cluster. Even a user with proper access to the site can easily damage the machine by mistake. And some people still say Windows is safe.
January 15th, 2004
All reports regarding my assimilation have been largely exaggerated. Contrary to what may seem, I didn’t stop blogging. It’s just a project with a tight deadline that is approaching faster than I’d like. As happens with this kind of project, extra time and weekends at work are the norm. I hope to resume normal programming here anytime soon.
January 1st, 2004
The last year was a good year for me. The first three months were a bit on the rough side, with the political and economical changes that took place in Brazil, but the rest of it was actually quite good. Many things changed, and I faced a lot of challenges that will extend themselves through 2004. All in all, a better year than most.
May 2004 bring to all of us all the good it can.