I remember around 2001 - when he started his digital "Jihad" against Bin Laden - his web server was hacked several times with a public FreeBSD telnetd remote root exploit.
I won't deny that you have to give him some respect for being able to pull all these stunts and acquire the money from investors; however, as it seems, most if not all projects were at least partly illegal.
I know. I want to know if someone with a kernel >=2.6.39 and applied grsecurity patch can successfully use this exploit or if grsecurity protects from this exploit.
I'd love to see up-to-date stable grsecurity kernel repositories for the major distributions (Ubuntu, Debian, RHEL/CentOS) that provide patched versions of the distribution kernel. You can configure most of grsecurity via the sysctl interface. At the moment it is always a bit of a hassle to patch & compile a kernel by hand, even with the great Debian/Ubuntu kernel-package.
I don't think I'll use an extra distribution. But something like a hardened LAMP/LAPP stack for shared hosting out of the box in a distribution would be great (I think in terms of easy chrooting of users and PHP, secure permissions, etc.). However, I guess everyone has different needs and there is no one size that fits all.
I don't know. I'm just on the end-user side. Just a guess from my (pretty limited) understanding of the issue: The grsecurity[1] patch includes PaX[2], which can break a lot of software, e.g. Java and X11, and there are sometimes other unwanted side effects as well. And I've found a blog post stating that the author does not want to maintain an upstream patch[3].
I know exactly what you are talking about. Following a plan can be hard. If you don't have clean socks anymore, try to include that in your plan. Say 30min household stuff... Nobody will ever see my plan. It is personal, full of probably questionable content for other people, but it is realistic, and only when it is realistic do you even have a chance to fulfill it.
Also: Iterate. Make a plan for tomorrow, realize tomorrow you are 50% off, ask yourself why... iterate till you can fulfill the plan. Include the stuff that stopped you from fulfilling your original plan, spot problems, experiment with solutions. Being honest with yourself can be hard.
And: Only do this for 50-70% of your time. If you plan everything you'll go nuts very soon (At least I do) but don't omit personal goals or problems.
As for the problem of acting on the plan: Think about binary sort... split the problem till you can handle it, then merge the parts. If you don't know how to handle it you can always think about splitting it up.
> It stops our mail server from being used as an open relay though?
From outside of your network yes. If one of the computers inside your network is infected your mail-server will happily deliver the spam mails.
> How does blocking 1 specific port stop the issue anyway?
> They can just change the port they connect on?
I don't know of any SMTP server that accepts e-mail on ports other than 25. Port 587 requires authentication before sending an e-mail.
I thought most people don't accept e-mails sent from ISP networks with dynamic IP addresses. Maybe that's not the case and they try to reduce spam this way.
> I was offering an opinion on how to resolve those issues.
> Changing which port accepts the mail is in my opinion pointless.
Nobody changed any ports. E-mail is still sent to port 25 from mail servers. But if you are not a mail server (e.g. a client in a network) you have to use the submission port and authenticate against your ISP/company mail server.
You can still use port 25 on your ISP mail gateway, but now they can filter and rate-limit your e-mails.
> It's like saying that most burglars come in through the back door so the government blocks everyones back door, they will just come in the front.
Not really. It is good practice to only act as a mail server if you are on a static IP and MX records point to your server. None of this is fulfilled by dynamic ISP IP addresses. So this just stops the unwanted practice for good.
I'm quite new to Steve Pavlina's writings. So I've checked Wikipedia to get an idea of his claims.
He already had college credits from high school and was studying at Berkeley; this important detail is nowhere to be found in the article.
I've also found that most of the advice sounds great but is hard to impossible to apply.
He appears to be exceptionally clever, but term papers on math and engineering problems are not written in a 12h marathon on the weekend, at least not at my university.
Oh, pfft. I looked him up and he doesn't even go to MIT. Anyone can cover the freely available material in a year if they did nothing else. However their level of retention would be ridiculously low. Testing would prove this but self study conveniently lacks this.
That's pretty sound advice. However a lot of scripts won't work if you disable exec and co.
Some other random ideas for PHP security:
If you have to enable some form of option to exec binaries, be aware that open_basedir is useless now, because the attacker can just start a Python instance and operate as the Apache user if you are using mod_php.
Using FastCGI (mod_fcgid or nginx+php-fpm) and restrictive permissions on your directories should at least protect your other users' home directories.
Another idea to prevent malicious scripts is to firewall Apache and PHP with iptables. There is an iptables module for restricting UID and GID ranges from having access to the outside world. This could at least prevent a trojan dropped in /tmp from connecting to its IRC server. But you can also disallow outgoing traffic to port 80; this, however, breaks all the auto-update features of e.g. WordPress.
A lot of script-kiddie toolkits can also be stopped by not having gcc, wget, python etc. available to the user running PHP.
If you have to host sensitive data on the same host as the PHP application, it's wise to use a jail or at least a chroot for PHP; there are some guides for putting a mod_fcgid PHP into a chroot.
And: never ever use the MySQL root user for database connectivity!
I'm sure a vanilla Linux distribution is as easy a target as a Windows box, if not even easier.
But why don't they use some hardened (grsecurity, SELinux) kernel + http://linux-ima.sourceforge.net/ + a default-forbid MAC policy + remote logging?
I can't see how this attack vector could be used against such a system.
These are deadly drones. It is probably a lot more work than using a plain Windows box. But these machines can kill people. I thought the military would use state-of-the-art software security systems.
About vanilla systems, I think no one can do a worse job than Microsoft. When I discovered that Windows XP was auto-executing some files on any USB stick you plugged into it, I decided not to take Microsoft seriously EVER about security. Yes, it was after their grand announcement that they would focus on security. They probably improved many things since then, but I can't trust a company that did not understand the problem of arbitrary code execution during all these years to do a half-decent job at security.
The worldwide epidemics of computer viruses would not exist without Windows. It is not about it being the most prevalent OS: Linux is prevalent among web servers, highly valuable targets. iOS is the most prevalent OS on cellphones, always-on targets. Neither sees viruses spreading. Think about it.
Reading good articles like that won't change anything. That's the bitter truth. At least this is the case for me, and probably some other people on the internet.
I'm nowhere near to have myself in full control again but I'm sick of wasting my days and feeling bad over this.
Willpower for me only works when I'm concentrated.
So there is a concentration problem. Being able to concentrate is also a muscle. I have a habit of actively avoiding exercising concentration.
Related to programming it's difficult for me:
A problem in my code appears? I start Googling solutions instead of trying to get a complete understanding of the problem. I'd fool myself into saying: I would look into this but I don't have the time and nobody will pay me for that. Googling and somehow trying to apply the results often works, but it gives you a feeling of being unable to create something on your own.
Then there is this thought: I would like to do something but there are too many people out there who could do it better, so why bother trying?
And Instead of spending the days and nights learning and working on something I'm jumping around switching between problems I never fully understood nor am I able to afford the time to understand them...
So it comes down from willpower to concentration and at the moment I'm believing the cause for a lack of these skills is a lack of structure.
Structure for me is planning, planning in advance. Revisiting your plans and having clear ideas about yourself and the surrounding world. So creating structure requires concentration...
It works like a vicious circle in both directions. If you are structured for a longer time your concentration and willpower will go up. If you lack concentration your structure gets weaker and concentration will fall, procrastination will rise.
How to solve this problem? Honest question.
(Sorry for hijacking this thread, but I think it is somewhat relevant to productivity and flow to sort these things out)
Set an alarm (on your watch, or whatever) to go off every evening. When it goes off, spend a few hours planning the next day. When you wake up the next day, follow your plan.
Worked great for me. Gradually, my personality changed and I didn't need to do it any more.
> A problem in my code appears? I start Googling solutions instead of trying to get a complete understanding of the problem.
The insidious thing about this is just how effective it is (if you are good at it)
> Then there is this thought: I would like to do something but there are too many people out there who could do it better, so why bother trying?
I have my own version of this demon. Everything I can think of to do, I know has been done before, and done better. This knowledge, combined with my need to make things that are new or better, is a terrible roadblock to me.
Honest answer: Consider the possibility that you may have a hidden health issue. Look into that angle. Addressing my own health issues has been the single biggest boost to my productivity, ability to concentrate and ability to stop being a serious hardcore procrastinator. If you simply lack physical energy and ability to concentrate, willpower is not going to overcome it.
Best of luck, whatever the answer turns out to be for you.
Talking about stuff like this is bound to sound esoteric, I think. So I want to put this disclaimer upfront that I detest esotericism. I can only assume that your problems are similar to mine, so I can only suggest what works for me. And that might not completely work out for you in the end, but it's worth a try for sure.
Concentration: The problem of not being able to keep distracting thoughts away can be lessened with meditation. I came across this suggestion in the book Pragmatic Thinking and Learning [1] and have found an excellent CD to listen to called Guided Mindfulness Meditation [2] by Jon Kabat-Zinn.
I tend to try to avoid meditation because for a while I seem to do fine, and so long as I do fine it just feels like a waste of time for me. Time that I could invest reading a book. But eventually I always end up having an extreme amount of distracting thoughts, to the point that I cannot learn anymore. I've now had this problem crop up often enough, with meditation always helping, that I'm now a lot more willing to spend the time and meditate. I want to emphasize that for *me* it was necessary to get to the dead end and suffer from it to become willing to change something. Maybe you can relate.
Structure: Well well, the way you write it sounds a little bit rigid to me. I tightened up imagining all that structure you strive for and I'm thinking you should relax a little bit. Or at least I should (and do). So maybe we are different in this regard.
I do think you should lay back a bit and think about what really interests you deep down in your heart. I assume you've been working too much on hopelessly boring stuff, because with that I can relate again. I've been working a little bit on a little server in Erlang but somehow at some point I couldn't bring myself to work further on it. Well I could, but all the time I felt something was wrong.
As I'm happy to learn interesting programming languages and have heard all the hype about Lisp for so long (I'm looking at you, pg) I finally gave in and started reading Practical Common Lisp [3] and now Paradigms of Artificial Intelligence Programming [4], and what can I say. I see now that what disappoints me in Erlang but also in other languages is having one paradigm and/or a rigid set of rules forced upon me. In the case of Erlang that might be perfectly fine as the language can make certain guarantees that way. I've realized though that I would much rather enjoy the Lisp-ish freedom while molding a solution. So this is my story of disappointment and fresh wind.
One quick addition in the end: In an xkcd comic [5] there is a description of a solution (see the alt-text of the image) that delays access to certain websites (like reddit, HN for me) but does not block them completely. It just delays the access (more discussion on the xkcd blog [6]). This serves the purpose of destroying the notion of instant reward these stupid little bits of new information might give you, however irrelevant they may be. I've found this to be helpful for me because sometimes in the past I've procrastinated the hell out of the day. I got fed up with repeatedly spending hours with unproductive stuff and feeling sorry for the time in the end. See the pattern? I needed to run into this problem several times before I decided that I have to change something. I don't want to make some point here. I just find this pattern interesting.
What I have done is I have taken an existing little Chrome extension called delaybot, which by default only delays for rand(1.5) seconds, and changed the delay to 30 secs. This has worked wonders in the beginning. I say in the beginning because I've now disabled the extension as it is getting in my way now. No, this is not the procrastinator disabling a helpful little tool. :-) I've found that since I've picked up meditation again I didn't run into this problem anymore anyways. I also tend to just bookmark away a lot of actually interesting discussions to read them later, which of course I never do. I do this bookmarking and closing of tabs because I tend to accumulate too many tabs easily otherwise.
Not all is great though, the article made me realise that I'm a little bit too hard on myself when I'm exerting willpower. I try to go through the mentioned Lisp books fast (as there are more to come still) and at some point I notice that I can't bring myself to read a lot more at that point. To me this looks similar to the cookie experiment where a group of people is less productive after exerting willpower in a previous task.
So, to conclude: Even if not all is roses I can say with certainty that meditation is the single most helpful tool to increase my productivity. It changes me from being helpless to being more in control of what I'd like to do with my time.
Regarding your lack of passion: Man, search your feelings. If you find something that really interests you, you probably wouldn't think much about what other people could do better than you. That AI book [4] I'm reading? It features ancient techniques at the point where I am right now but it's still a great read and I'm learning a heck of a lot. That's what keeps me going. Also, Lisp.
Phew, that was long.
I would love to hear feedback. :-)
Sorry to answer on the most superficial aspect and last line of your post... But I wonder why PG's site is so thin in width, making it extremely well readable, while HN uses the whole screen width? I consider the whole screen text use a UI anti pattern.
I can only speculate. :-)
Maybe restricting the width to improve readability would yield suboptimal results in heavily nested threads. One might find out by manipulating the corresponding CSS attribute. Doesn't Chrome or Firefox support this out of the box?
So this is the width of the paragraphs. I think it would still be useful if you could disable the automatic line breaking to provide your own formatting. I think there is a middle ground between the two regarding readability.
EDIT: Of course you can disable the automatic line breaking as I've done exactly this by indenting the whole post with 4 spaces, except for the links. But that also changes the font to the monospace family.
No I think there isn't. It is effective and often there is probably no other even mildly realistic way to solve some problem in time (e.g. a bug that is reported in the software bug-tracker)
I failed to make a concise point with that (concentration anyone?). It's more like 'Googling for a solution' became my default behaviour in most parts of my life. Be it education, food, advice... I think this is dangerous, at least for me.
If I'd like to "hack" a LAMP server I certainly wouldn't start by attacking Apache or PHP.
The biggest attack vector is outdated scripts. Once an attacker has access to PHP, he basically has a normal user login. Running PHP as the Apache user gives the attacker full read access to all your web folders.
If I were him, I'd put 2 lines of code into the PHP webmail script to send me your e-mail logins, and from there I can research further...
Using FastCGI for PHP, blocking/logging outgoing traffic per UID/GID, disabling sockets for PHP UIDs, using Suhosin to disallow certain PHP calls, nosuid,noexec webroot/tmp: nothing really protects you against a mildly creative attacker...
I'm a sysadmin for a dozen LAMP shared hosting sites used by non-tech users and keeping these things secure is a major pain in the ass.
Especially if your users want to use these ridiculous, insecure PHP scripts. Joomla, die in a fire...
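The per-UID egress filtering that comes up twice in this thread (the "iptables module for restricting uid and gid ranges" in the PHP security ideas above, and "block/log outgoing traffic per uid/gid" in the comment just above) is the iptables owner match. The following is an added example and not code posted by anyone in the thread; the worker user name php-www, the resolver 192.0.2.53 and the update host 203.0.113.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: egress filtering for the PHP
# worker UID with the iptables owner match ("-m owner --uid-owner").
# Assumed (hypothetical) values: php-fpm/mod_fcgid runs as user "php-www",
# the resolver is 192.0.2.53 and the only host updates may be fetched from
# is 203.0.113.10. The rules are printed; php_egress_apply pipes them to sh.

# Print the OUTPUT-chain rules for one worker uid. Order matters: iptables
# stops at the first matching rule, so the permits come before LOG/REJECT.
php_egress_rules() {
    uid="$1"; resolver="$2"; update_host="$3"
    # Refuse to lock down root: an owner match on uid 0 would hit cron,
    # the package manager and every other daemon on the box.
    case "$uid" in
        ''|0|root) echo "refusing to generate rules for uid '$uid'" >&2; return 1 ;;
    esac
    # Loopback: MySQL/memcached on 127.0.0.1 keep working.
    echo "iptables -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
    # Replies to inbound HTTP requests belong to established connections.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS to the configured resolver only.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -p udp -d $resolver --dport 53 -j ACCEPT"
    # HTTP/HTTPS only to the update host, so WordPress-style auto-updates
    # keep working while a bot dropped in /tmp cannot reach its IRC server.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -p tcp -d $update_host -m multiport --dports 80,443 -j ACCEPT"
    # Everything else from this uid: a rate-limited log line, then reject.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -m limit --limit 5/min -j LOG --log-prefix \"php-egress: \""
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Apply the generated rules (needs root; stops at the first failing rule).
php_egress_apply() {
    php_egress_rules "$@" | sh -e
}

# Stand-alone use: print the rule set for review before applying it.
php_egress_rules php-www 192.0.2.53 203.0.113.10
```

The owner match only sees locally generated packets, i.e. it works in the OUTPUT (and POSTROUTING) chains, so the rules have to live on the web host itself, and it keys on the uid owning the socket, so it must target whichever uid actually runs PHP (the Apache user under mod_php, the pool user under php-fpm). Append the rules before any blanket ACCEPT already in OUTPUT, or insert them with -I instead of -A, and persist them with iptables-save/iptables-restore, since iptables rules do not survive a reboot on their own.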
I'm sorry, disabling version numbers is a good idea, but calling it "securing" your server is idiotic.