AlanBarber.Org

Computers & Technology

Monday, May 23, 2005

Subversion 1.2.0 released

The newest version of Subversion has been released today.  Subversion is a source code version control tool.  It’s similar to tools like the de facto standard open source CVS or Microsoft’s Visual Source Safe.  These tools are used to allow developers to manage changes to source code.  The major feature of any version control tool is the ability to allow a user to track every change made to a file in order to look back over the history of the file.  Should bugs or other issues crop up it allows a developer to compare the versions of code in order to find out exactly where the bug occurred.

Subversion has been around since early 2000 and was developed as a replacement for CVS which has some very significant shortcomings.

The major difference between CVS and Subversion is that Subversion does directory versioning where as CVS does file versioning.  This means that Subversion allows you to move, rename, delete, add, etc files and directories in a project over time and it properly tracks all that.  Why is this important?  Many times as you develop you might end up wanting to rearrange files into new directories or change their name.  CVS isn’t smart enough to track that.  If you rename a file or directory then CVS only sees a new file or directory and doesn’t know how to keep the history of the file, including the change tracked.  You could say the CVS only sees the trees where as Subversion sees the forest.

Anyhoo, version 1.2.0 has been released. Here’s the new stuff:
Optional locking ("reserved checkouts")
Full WebDAV autoversioning
FSFS repository back end is now the default
Faster access to old revisions
Many improved APIs
Many bugfixes

I’m currently using version 1.1.4 for my projects.  I think I’ll probably wait a week or so before I upgrade.  I just like to give it time for other more daring people to take the plunge and weed out any problems.  I’m sure it’s safe and stable by I prefer to know that from others using it instead of having my repositories get lost because of some horrible bug.

Check out subversion though.  It’s a very nice tool and much more modern than stagnant old CVS.

Posted by abarber on 05/23/2005 at 06:57 PM
Computers & Technology • (0) Comments • Permalink

Sunday, May 22, 2005

How to delete an undeletable Web Service Extension in IIS 6.0 on Windows Server 2003

Here’s a quick tip for anyone trying to delete a Web Service Extension in IIS 6.0 on Windows Server 2003.  As you know there are some extensions that don’t have the options of being deleted.

Here’s how to change that.

First you’ll need to download the Internet Information Services (IIS) 6.0 Resource Kit Tools from Microsoft.

You really only need to install the Metabase Explorer but feel free to do a full install as all the tools can be handy to have.

Start up the Metabase Explorer and navigate to to SERVER(local) / LM / W3SVC.  Look for the key named “WebSvcExtRestrictionList”.  On my system it as an ID of 2168 but it might be different on yours.

Double click on the “WebSvcExtRestrictionList” key and a window will open with all the extensions.

Each line’s format follows this basic format (separate by commas):
Status (0 Prohibited, 1 Allowed)
File Name
Delete Flag (0 Can’t Delete, 1 Can Delete)
Service Extension Short Name
Service Extension Display Name

Just click on the extension you want to delete and set that delete flag to 1.  Click OK and exit the Metabase Explorer.  Open up IIS Manager or at least refresh the Web Service Extensions window.  You should now be able to delete the Extension you want.

Posted by abarber on 05/22/2005 at 12:19 PM
Computers & Technology • Tips & Tricks • (0) Comments • Permalink

Sunday, May 15, 2005

Watch out for those phishing emails!

I shouldn’t have to say it but since I’ve been getting many of these fake emails lately I figured It wouldn’t hurt to post a reminder.

Watch out for phony emails asking for user account or credit card info!  The technique is called phishing.  Phishing attacks are called that because the senders are “fishing” for people’s personal information.  Common attacks target users of online banks, Paypal and eBay.  The email will claim there is a problem and your account will be closed or whatnot if you don’t correct the problem.  They nicely provide a link in the email message to the login page.  Here’s the problem.  That link, while it may seem to be a valid url to the company’s site, actually points to a fake webpage crafted to look legit.

Let me give an example that I actually received today!

quote:

---

Dear eBay member,
We at eBay are sorry to inform you that we are having problems with
The billing information of your account. We would appreciate it if you
Would visit our eBay Billing Center and fill out the proper
Information that we are needing to keep you as an eBay member. 
If you don’t comply until the June 2005, your eBay membership may be suspended.

Sign in Here https://signin.ebay.com/ws/eBayISAPI.dll

As outlined in our User Agreement, eBay will periodically send you
Information about site changes and enhancements. Visit our Privacy
Policy and User Agreement if you have any questions.

Thank you! 

---

Sure sounds and looks legit doesn’t it!  However, I’m not a moron and I know it’s fake.  Here are the 3 things that show it’s a fake.  Now these aren’t easy to spot so you have be a bit knowledgeable of these things.

1) The message was sent to an email account that isn’t in any way associated with my eBay account!  Now if you only have one email account you won’t be able to catch this flaw but for people with multiple email accounts it will be.  I know I registered my ebay account with account@this_domain.com but this message showed up in the inbox of account@some_other_domain.com.

2) The to address doesn’t match.  The message arrived in the inbox of account@some_other_domain.com but in the header the to address is set to some hotmail.com user.  Again, this should be a rather duh moment for people yet so many would never notice this.  Why would this message show up in my inbox but be addressed to some random hotmail user?  Probably because someone is using a spamming program that just spits out random too addresses when it sends out messages.

3) The link to the login page doesn’t go to an eBay url!  Oh, sure it looks pretty legit when you see the page but it’s actually a different website.  I won’t post the actual url/ip but suffice to say when you visit the page you are NOT anywhere close to an eBay server.

So what can you do to protect yourself?  The easiest answer is this.  Any time you get an email message from your bank, eBay, Paypal, etc that asks you to click on a link to log in because your account is going to be cancelled or whatever, DON’T CLICK THE LINK!  Instead, open up your browser, type in your banks url manual and log in.  That means clicking on the url bar at the top and typing each letter of H T T P : / / W W W . E B A Y . C O M and pressing the enter key.  Phishing relies on one simple fact.  Users are lazy and will follow the path of least resistance.  That means just clicking a link and following it blindly.

Take the time and log in securely and keep your accounts safe everyone!

Posted by abarber on 05/15/2005 at 03:36 PM
Computers & Technology • General • Tips & Tricks • (0) Comments • Permalink

Saturday, May 14, 2005

New home server update

Well the new home server is coming along nicely.  I ended up ordering a 430watt cooler master power supply from NewEgg.com on Monday.  Both boxes ended up arriving on Thursday.

I realized I had an Antec ks-188 full tower case down the basement.  Heh, how I managed to forget I had that I don’t know!  So I decided to use that instead of buying a junk mid tower with a no name brand power supply.  I set a budget of 200 bucks so I was very limited.  Using the Antec case allowed me to spring for a better quality power supply which is a good thing for a server.  Running 24/7/365 with lots of hardware you should have a good supply.  Nothing worse than some generic supply blowing out on you!

So anyways.  I tossed everything together and it booted up perfectly on the first try. 

The Windows Server 2003 SBS Install went easy enough as well.  I’m just slowly getting things setup and installed.  Really, I’m having fun just playing around with my new toy!

Right now the server isn’t doing much.  It’ll just cover my basic development needs.  In the future when I can afford to I’ll put in a large Raid-5 array so the server will become my central file and backup server too.

There is one issue I’m having.  I need to find an anti-virus scanner that will work with windows server.  I use the free edition of AVG on my system but it won’t allow me to install it on windows server.  Does anyone happen to know of a free/cheap AV scanner that would work?  Well I guess I could shell out 70 bucks for the AVG File Server edition if I have to.

Posted by abarber on 05/14/2005 at 10:43 PM
Computers & Technology • (2) Comments • Permalink

Tuesday, May 10, 2005

FreeBSD 5.4 Released

quote:

---

The Release Engineering Team is happy to announce the availability of FreeBSD 5.4-RELEASE, the latest release of the FreeBSD Stable development branch. Since FreeBSD 5.3-RELEASE in November 2004 we have made many improvements in functionality, stability, performance, and device driver support for some hardware, as well as dealt with known security issues and made many bugfixes.

For a complete list of new features, known problems, and late-breaking news, please see the release notes and errata list, available here:

http://www.FreeBSD.org/releases/5.4R/relnotes.html

http://www.FreeBSD.org/releases/5.4R/errata.html
Dedication

The FreeBSD 5.4 Release is dedicated to the memory of Cameron Grant. Cameron was an active FreeBSD Developer and principal architect of the sound driver subsystem despite his physical handicap. His is a superb example of human spirit dominating over adversity. Cameron was an inspiration to those who met him; he will be fondly remembered and sorely missed.
Availability

FreeBSD 5.4-RELEASE supports the i386, amd64, ia64, pc98, sparc64, and alpha architectures and can be installed directly over the net, using bootable media, or copied to a local NFS/FTP server. Distributions for all architectures except alpha are available now. The distribution for alpha should become available within the next day or two.

Please continue to support the FreeBSD Project by purchasing media from one of our supporting vendors. The following companies will be offering FreeBSD 5.4 based products:

FreeBSD Mall, Inc. http://www.freebsdmall.com/

Daemonnews, Inc. http://www.bsdmall.com/freebsd1.html

If you can not afford FreeBSD on media, are impatient, or just want to use it for evangelism purposes, then by all means download the ISO images. We can not promise that all the mirror sites will carry the larger ISO images. At the time of this announcement they are available from the following sites. MD5 checksums for the release images are included at the bottom of this message.
Bittorrent

As with the 5.3 release we are experimenting with Bittorrent. A collection of trackers for the release ISO images is available at

http://people.freebsd.org/~kensmith/5.4-torrent/
FTP

At the time of this announcement the following FTP sites have FreeBSD 5.4-RELEASE available.
ftp://ftp.FreeBSD.org/pub/FreeBSD/
ftp://ftp2.FreeBSD.org/pub/FreeBSD/
ftp://ftp3.FreeBSD.org/pub/FreeBSD/
ftp://ftp5.FreeBSD.org/pub/FreeBSD/
ftp://ftp.at.FreeBSD.org/pub/FreeBSD/
ftp://ftp2.ch.FreeBSD.org/pub/FreeBSD/
ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/
ftp://ftp.ee.FreeBSD.org/pub/FreeBSD/
ftp://ftp.es.FreeBSD.org/pub/FreeBSD/
ftp://ftp.fi.FreeBSD.org/pub/FreeBSD/
ftp://ftp.fr.FreeBSD.org/pub/FreeBSD/
ftp://ftp2.ie.FreeBSD.org/pub/FreeBSD/
ftp://ftp.is.FreeBSD.org/pub/FreeBSD/
ftp://ftp5.pl.FreeBSD.org/pub/FreeBSD/
ftp://ftp3.ru.FreeBSD.org/pub/FreeBSD/
ftp://ftp.se.FreeBSD.org/pub/FreeBSD/
ftp://ftp.si.FreeBSD.org/pub/FreeBSD/
ftp://ftp2.tw.FreeBSD.org/pub/FreeBSD/
ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/
ftp://ftp2.us.FreeBSD.org/pub/FreeBSD/
ftp://ftp5.us.FreeBSD.org/pub/FreeBSD/

FreeBSD is also available via anonymous FTP from mirror sites in the following countries and territories: Argentina, Australia, Austria, Brazil, Canada, China, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, Iceland, Indonesia, Ireland, Italy, Japan, Korea, Lithuania, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, Slovak Republic, Slovenia, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, Ukraine, United Kingdom, and the United States.

Before trying the central FTP site, please check your regional mirror(s) first by going to:

ftp://ftp..FreeBSD.org/pub/FreeBSD

Any additional mirror sites will be labeled ftp2, ftp3 and so on.

More information about FreeBSD mirror sites can be found at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

For instructions on installing FreeBSD, please see Chapter 2 of The FreeBSD Handbook. It provides a complete installation walk-through for users new to FreeBSD, and can be found online at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/install.html
Acknowledgments

The FreeBSD Developers deserve the most thanks. Without their efforts FreeBSD would not exist.

Many companies donated equipment, network access, or man-hours to finance the release engineering activities for FreeBSD 5.4 including The FreeBSD Mall, Hewlett Packard, Yahoo!, Sentex Communications, Sandvine, Inc., FreeBSD Systems, Inc, and NTT/Verio.

The release engineering team for 5.4-RELEASE includes:
Scott Long Release Engineering
Robert Watson Release Engineering, Security
John Baldwin Release Engineering
Ken Smith Release Engineering, amd64, i386, sparc64 Release Building, Mirror Site Coordination
Hiroki Sato Release Engineering, Documentation
Doug White Release Engineering
Murray Stokely Release Engineering, Documentation
Wilko Bulte Alpha Release Building
Marcel Moolenaar ia64 Release Building
Takahashi Yoshihiro pc98 Release Building
Kris Kennaway Package Building
Joe Marcus Clarke Package Building
Jacques A. Vidrine Security Officer
Paul Saab Bittorrent Coordination
CD Image Checksums

MD5 (5.4-RELEASE-amd64-bootonly.iso) = 6882dd5ce59cda1ba4a66ef45f017597
MD5 (5.4-RELEASE-amd64-disc1.iso) = 26bca75d799c0a1690c6ae0bf0886234
MD5 (5.4-RELEASE-amd64-disc2.iso) = 3da9debeae15a49158b01b1d92843fbc

MD5 (5.4-RELEASE-i386-bootonly.iso) = 2afe65af7e7b994c3ce87cefda27352e
MD5 (5.4-RELEASE-i386-disc1.iso) = 3dbb37485535e129354bc099e24aed99
MD5 (5.4-RELEASE-i386-disc2.iso) = e4b748415ca783fce64cfafd6bd56f57

MD5 (5.4-RELEASE-ia64-bootonly.iso) = 45b032bf952e7ea8b2c42f94c3fa4997
MD5 (5.4-RELEASE-ia64-disc1.iso) = 2b1ad22da2ea0fe86345c99590049ebd
MD5 (5.4-RELEASE-ia64-disc2.iso) = 62e589928628453f1813db7402b4f3ad
MD5 (5.4-RELEASE-ia64-livefs.iso) = 6c05d71c36d84179923668faddf58e43

MD5 (5.4-RELEASE-pc98-disc1.iso) = 003dee8647e9b2cbca7df0d92011800f

MD5 (5.4-RELEASE-sparc64-bootonly.iso) = 91cb2304c2ecbcce0b312738649ba88d
MD5 (5.4-RELEASE-sparc64-disc1.iso) = 5f77c9a20e09d5ef66fad9c60e17c2ac
MD5 (5.4-RELEASE-sparc64-disc2.iso) = 7da34a32ca8196a34732548fe92d71e6

---

Posted by abarber on 05/10/2005 at 06:36 AM
Computers & Technology • BSD • (0) Comments • Permalink

Monday, May 09, 2005

Project monkey1 has begun

I’m about to build my first home server. Whoopie!

I’m making a system that will be:
- a file server
- a database server running MS-SQL
- a development server that runs code version control (Subversion), IIS for doing .net web development and vmware so I can run other OSes like FreeBSD, CentOS, solaris, etc for testing.
- a backup server for all the other computers in my network

It’ll be running Windows Small Business Server 2003 Premium.  Thanks to Microsoft for giving me a free NFR copy to use.  Man I love their developer programs.  I got this for being a “Microsoft Partner”.

So far I’ve ordered:
Mitsumi 1.44MB Beige Floppy Disk Drive
Biostar M7VIG 400 Socket A mATX Motherboard
AMD Sempron 2200+ CPU
512MB PC3200 DDR RAM

Parts I need to get:
Case
Power Supply

Parts I have:
13gig HD for OS/Apps
Creative 6x DVD Drive

Future Part when I can afford them:
IDE Raid Card that does raid5
3x250+ Gig HDs to put into raid5 array
Another 512mb or 1gig stick of pc3200 ddr ram

Inititally, the system will just cover my development needs but when I can swing it I’ll setup a nice raid array to cover my file and backup needs.

Posted by abarber on 05/09/2005 at 09:01 AM
Computers & Technology • (0) Comments • Permalink

Sunday, May 08, 2005

Google Web Accelerator Security Issues

Those crazy boys and girls at Google have release yet another tool.  Called the Google Web Accelerator, it’s basically a proxy server/cache system.  It’s for broadband users only also.

The basic premise of the thing is this.  With Google having huge datacenters full of computers all over the place, you probably have a faster and more stable connection to Google’s systems then the random webservers floating out in the net.  So, instead of directly accessing websites you connect to the Google system and have it download the pages for you.  Then Google caches the pages and should another Web Accelerator users request the same page they just send the cached page.

In theory it sounds like a nice system but there are a few issues I have with it, and there’s one helluva big but too.

1) The boys and girls at Google know two things really well.  Searching and selling strategic ads for the searches.  I find it hard to believe that Google would offer this server if it doesn’t in some way allow them to incorporate one or both of these points.

My guess would be that they are monitoring all the pages that you visit using the Web Accelerator.  Why?  To improve search results of course.  Think of the raw data you can get from monitoring browsing habits of people.  If certain sites get lots of hits then there’s a good reasoning that the content of those sites are considered better quality to web users.  So give those sites a boost in their rank for their page content.  Do some sites draw in many visitors that only follow links to other sites?  In a similar reasoning you might decided that these sites link to good content that web users find useful.  So why not give these sites an improved rank worth to.

The paranoid might say that Google will get people hooked on the Accelerator and then start slipping in their Google ads into sites.  That’s what spyware programs do and I don’t think Google would be that low to pull a stunt like that.  They’ve taken a lot of time and money to convince people that they’re an ethical and upstanding company.  Pulling crap like that would kill them.

2) Since Google is working as basically a proxy server as a website operator and system admin I’m not too happy about that.  Website operators and system admin many times compile stats from their webserver logs.  The webservers log every page access and include the ip addresses of every computer that connects to the site.  You can do what’s called an ip lookup and find out some handy info about your visitors.  You can find out what ISP or company owns the IP address.  This lets you know a few facts such as the country the visitor is probably from and if they’re using broadband or not.  As a website developer these facts help you design your site better for the users. 

Problem is, Google is acting as a proxy server for users.  That means all the access logs show the users coming from a Google datacenter.  Now I have no ability to process those logs to get useful info from them.

The other part of this proxy thing that bothers me is the fact that I don’t like Google downloading my site content once, caching it and feeding it to others.  Well this is a good and bad thing.  The good being that it does reduce bandwidth and system load on my server but the bad is that I want visitors to access my site.  I like to know how many people are actually visiting my website!  I know I got one hit to my site from Google but no idea if 10 or 10,000 people visited my site today because they get their pages from Google’s servers not mine.

3) This is the big BUT that I have.  This isn’t 1995.  Web pages aren’t just static html pages that people upload to a server.  Most page content is built on the fly.  Web scripts pull content from databases and build custom pages for every visitor.  Many sites have people log in to view these pages too.  Currently, the Google Web Accelerator caches these dynamic pages and feeds them to other users.

Do you see the problem with this?  I sure hope you do!  This is a horrible security issue.  If you visit a page with the Accelerator, say a message board for example.  It caches the message board pages and will send them to someone else! 

Wait I still don’t see the problem with that you say?  People are actually get cached pages of other users.  Joe User is logged into the message board.  At the top of the page it says “Welcome Joe User”.  Sue User visits the message board too.  Guess what she sees at the top of the page, “Welcome Joe User”!  That’s right she’s seeing Joe’s pages and not her own! 

Again Sue clicks to view her private messages.  Good ol’ Google Web Accelerator gladly sends a cached page and Sue sees Joe’s Private Message inbox instead of hers!

Now luckily Sue is never actually logged into Joe’s account.  She could never change his password or post messages as him but she’s seeing his private pages.

This isn’t theory either people!  It’s actually happening!  There are posts at message boards where people are posting screen shots of their browsers with private message inboxes of other users!

Now as I said you are never actually logged in as another user but you still manage to see pages that are not really for your eyes.  Also, the Web Accelerator doesn’t cache encrypted https pages so there should be any stories of people’s credit card info, etc showing up on retailers’ sites.  Thankfully!

Now I’m no Google hater so don’t think I’m being mean for the sake of bashing Google.  I only use Google for searches and I do have a few GMail accounts, still, there are some terrible security issue here folks!  I won’t be using the Web Accelerator anytime soon and I highly advise others to think before just blindly installing it because it comes from Google.

Posted by abarber on 05/08/2005 at 04:26 PM
Computers & Technology • (0) Comments • Permalink