Nirlog.com

There’s been a lot of buzz around the OpenDNS lately. OpenDNS is a DNS provider that offers free service, with safer and faster browsing experience. This is how it works.

1. You register an account in OpenDNS site.
2. Login to your account.
3. Change your DNS Setting pointing to OpenDNS Servers.

That’s it, you’re good to go. The only difference from your normal environment is that now you’re using the OpenDNS DNS Servers.

The Advantages of using OpenDNS Server

You’ll be protected from Phishing attacks because OpenDNS keeps the database of phishing sites, so it can identify and stop sites trying to phish (cheat or trick) you. It claims to be faster than your ISPs DNS with large cache but I didn’t notice any change in my browsing speed after the change, but this could definitely be an advantage if your ISPs DNS is slow. It can correct the typos for you. For example, if you type nirlog.cmo instead of nirlog.com, it’ll correct your mistake and point you to the right site. The latest feature called Shortcuts allows you to type something easy-to-remember into your address bar for those web sites you visit often. For example, I can just type short “gmail” to visit Gmail, instead of typing the full url “http://www.gmail.com/“. This, I think is a very handy feature. Network admins can configure the full office networks too.

You can map short names for your favorite web sites

The Down side of using OpenDNS Server

You need to be always logged in to the Open DNS web site to use the service. They make money from the advertisement. It works like this, when there’s a typo OpenDNS cannot fix, it’ll redirect you to a yahoo search result with advertisement. I think that’s ok, but in some cases they’ll redirect you to a site that’s nothing to do with the web site you intended to visit. For example if you type http://nirlog.cm then it’ll redirect you to http://agoga.com/. It’s clearly not the site I intended to visit, the best thing OpenDNS could have done is to redirect to nirlog.com since there’s no nirlog.cm or at least it could have redirected to an organic search in Yahoo, the search engine they’re using. So, I think OpenDNS’s decision on what’s a typo, what’s wrong and right could be questionable. Actually the redirection has nothing to do with OpenDNS, it’s due to registrar for Cameroon, who has created parked pages with Agoga for every unregistered .cm domain.

When I typed http://nirlog.cm it redirected me to http://agoga.com

I think OpenDNS has a clear advantage over your ISPs DNS, with it’s phishing protection and speed in some cases. The shortcut is a very handy feature too. So for my personal machine I’ll keep the OpenDNS setting.

Update: John Roberts from OpenDNS has cleared the point about .cm domain in his comment, apparently registrar for Cameroon has created parked pages with Agoga for every unregistered .cm domain. So, it has nothing to do with OpenDNS. And also if you’ve setup OpenDNS on your networks, then you don’t need to login to the web site.

Allan Leinwand at GigaOM has an interesting post about Web 2.0 & Death of the Network Engineer.

I was recently meeting with a Web 2.0 company discussing their network infrastructure plans. As I started asking questions about their racks of servers, their storage area network (SAN), their plans for routing, load-balancing and network security, the CTO of the company stopped me and made a bold statement.

He said, “The Internet is like electricity. We plug into it and all of the things that you mention are already there for us. We don’t spend any time at all on network or server infrastructure plans.”

To this CTO, knowing the details of his network and server infrastructure was like knowing the details of the local utility electricity grid – not required. Is this a bad thing, or proof that networking technologies have succeeded?

I think for Web 2.0 startups the network infrastructure and the internet is really like electricity in the beginning, but once you start to grow and need to scale, you can’t afford the black box approach. Then you’ll need to have a very detailed understanding of everything.

Today it’s impossible to think business and personal communications without email. Sending and receiving emails costs you and me nothing. It’s free! The zero cost (for users), the efficiency of delivery, and ease of use has made it so popular. But now email has become a victim of it’s own success. Just my quick test with one email server for 4 days showed that 96% of the emails received were abusive.

The email protocol (SMTP) was designed at a time when very few people were using emails and everyone basically knew each other. So, security was not a concern, but today the world has changed and that trust isn’t there anymore, but the SMTP protocol we’re using remains the same.

So, how is today’s technology dealing with this problem?

Read the rest of this entry »

Few years ago I was looking for a virtual host management system, that’s when I came across Virtualmin. The features satisfied my requirements and of course you can’t beat the free, price wise . I’ve been using it in an environment with 100+ virtual hosts since then, and don’t have any regret on my choice. It’s running all these years without any problem.

What is Virtualmin

Virtualmin is a free and open-source virtual hosting management system designed to make virtual hosting quick, reliable, and secure. It’s a Webmin module, which supports the creation and management of Apache virtual hosts, BIND DNS domains, MySQL/PostgresSQL databases, and mailboxes and aliases with Sendmail, Postfix or Qmail. It utilizes existing Webmin modules for these servers, and works with any existing system configuration, rather than needing it’s own mail server, web server and so on. There’s also a commercial version of Virtualmin that you’ve to pay for, called Virtualmin Pro, which includes some extra features and support.

Read the rest of this entry »

WordPress is reporting that a cracker gained user-level access to one of the servers and modified the 2.1.1 download file. The hacker managed to modify two files in WP 2.1.1 to include code that would allow for remote PHP execution. The 2.1.1 package does not seem to have been compromised when it was initially released, WordPress encourages all users to upgrade to 2.1.2 to patch the security hole.

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

If you’re reading this in your RSS reader, just wanted to let you know that I’ve changed the look at Nirlog.com. Now I’m using a new theme WP-Multiflex-3, by Ainslie Johnson. My previous theme called WP-Andreas09 was also by Ainslie. I like the new theme, and I think many blogs will be using it, but I’m one of the first to have it, so I don’t mind . It supports Widgets, the cool thing is that the header too is widgetized in 3 sections, top, middle and bottom, which can be placed where you want or left out if you don’t want them. The theme is also SEO friendly, where space is left for your “keywords” and “descriptions” in header.php, and title appears before the the blog’s name. I love the RSS Subscription button at the header too.

Technosailor has an useful article about 10 Things You should Know About WordPress 2.1. This is a timely and useful post for those who’re planning to upgrade their Wordpress to 2.1. The new version will be released tomorrow and it is the major release since 2.0 branch was launched. This new version will have new features. Some of the notable features are:

• Auto-save of Drafts
• Better Image Upload Handling
• Deprecation of $tableposts, $tablecomments, etc
• Plugin Compatibility
• Native WordPress Migration Functionality
• MySQL Version
• New Visual Editor Interface
• Merging of Links and Categories
• Privacy Features
• Nonces

As for myself, I’ll test the Wordpress 2.1 on a testing site before upgrading my blogs. The main task would be to check the plugin compatibility and also I’ll need to upgrade the MySQL to 4.0+ before upgrading, since Wordpress 2.1 doesn’t support MySQl 3.xx

Update: Wordpress 2.1 is released

After a marathon of php hacks, trial of different themes, plugins, research of online security sites and security tools… I’m delighted to announce my new blog Security Tools News & Tips to my readers here. As the name mentions, this blog is exclusively focused on Security Tools, News and Tips. The site will be a repository of best security tools both hardwares and softwares (freewares and commercials). I’ve already posted 30+ security tools in the site and will be updating the repository regularly with some of the best in the industry. I’ll also post latest news and tips on security issues. The site is at it’s beginning stage so, I’ll be making some adjustments and changes over time. I’ll of-course maintain this blog (Nirlog.com) too, this is kind of personal where I’ll continue to write about different topics without any constraint. Please visit my new blog and let me know what you think.

The comment and trackback spams had been a headache for me. Every blogger understands how annoying they are and how unproductive they can make you. Besides from being a blogger, I maintain systems that hosts many wordpress blogs. The good news for a normal blogger who uses wordpress is that the built-in Akismet anti-spam in wordpress 2 is already very mature and can catch most of the spams. The spam comments are caught by the mighty Akismet but from system’s perspective, it’ll still have to process and classify it as spam or good comments. When there’re robots and scripts commenting in thousands, it makes MySql consume a lot of system resources (Memory, CPU and connections), making the whole system unavailable at times.
Read the rest of this entry »

Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. Noam Eppel writes how the Internet security is failing and what can be done about it. He compares the current state of security industry with a boiling frog:

They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray - yet we tolerate it since we are used to it.

The article lists out attacks that made the headlines recently and points out that failure can be seen everywhere — spyware, phishing, trojans, viruses, worms, spam, botnets, web application vulnerabilities, DoS attacks, Active-X, passwords, patch management, zero-days, wireless access points, internal attacks, vulnerabilities in security software, mobile viruses and encryption.

Recently Noam Eppel has published an update to the failure article with Community Comments & Feedback, where he highlights the Good, the Bad and the Ugly comments generated by his article.

I think both articles are very useful, with loads of data and insights, specially for Information Security Professionals.