Notes on setting up a server.

I’m setting up a new Ubuntu server and while most of the defaults are fine, there are some things that I need to adjust. I have a very shallow understanding of this stuff, so there could be better and more secure ways to do this, but this works for me.

Disallow access to PHP include files

There isn’t any reason that people need to see the include files that I use in my websites. You could name them .inc.php so that the raw code isn’t served, but that’s not very elegant, and outsiders can still request the file. There isn’t anything particularly sensitive in them, but by themselves they don’t display correctly. So I added a few lines to my /etc/apache2/apache2.conf file, just below the section that disallows viewing .htaccess files.


#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

#
# The following lines prevent .inc files from being
# viewed by Web clients.
#
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

Prevent directory browsing

If you have a bunch of images in a directory, then anyone who wants to can view all of them just by looking at the web page source and putting the directory name after your URL. I’d rather they not do that, so I restrict listing of the files by adding this line (note that it leaves out Indexes) to my /etc/apache2/httpd.conf file. On my default Ubuntu install this file is empty.


Options Includes FollowSymLinks MultiViews

Restart Apache for the changes to take effect.

Alternate method to prevent directory browsing

If you want to prevent directory browsing in just one directory and either don’t want to change the whole site or don’t have access to the files named above, add this line to your .htaccess file.


Options -Indexes

You don’t have to restart Apache for this one; .htaccess files are read on each request.

Prevent Directory Browsing on a Per Site Basis

Changing the httpd.conf file will change the behavior of all sites on your server. If you want to change the behavior of just one site, edit its file in /etc/apache2/sites-available. Find the line that has Options FollowSymLinks in it and, if it also has Indexes, delete Indexes from that line. This is what the default Ubuntu install has.


  <Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>

You do have to restart (or reload) Apache for changes in sites-available to take effect.
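The three directory-browsing sections above all come down to the same question: which Options lines in your Apache config still turn listings on. The following audit script is an added example, not from the original post. It scans a vhost or config file for Options lines that enable Indexes, either directly or through the catch-all All (which also enables Indexes), skips comment lines, and writes a constructed sample vhost to a temp file so it can be tried offline. The sample paths are made up for the demonstration.

```shell
#!/bin/sh
# Audit an Apache config file for Options lines that still allow
# directory listings. Added example, not part of the original post.
# Assumes Apache 2.2-style syntax like the Ubuntu default quoted above.

# list_indexes_enabled FILE -> "lineno: text" for each offending line
list_indexes_enabled() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comments
        tolower($1) == "options" {                # directives are case-insensitive
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                # "Indexes"/"+Indexes" turn listings on; "All" includes Indexes.
                # "-Indexes" is the safe form and is not reported.
                if (opt == "indexes" || opt == "+indexes" || opt == "all" || opt == "+all") {
                    printf "%d: %s\n", NR, $0
                    break
                }
            }
        }
    ' "$1"
}

# count_indexes_enabled FILE -> number of offending lines (0 means clean)
count_indexes_enabled() {
    list_indexes_enabled "$1" | wc -l | tr -d ' '
}

# Constructed sample vhost (not a real site), written to a temp file.
# Prints the path so callers can pass it to the functions above.
make_sample_vhost() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<VirtualHost *:80>
  <Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
  </Directory>
  <Directory /var/www/images/>
    Options -Indexes FollowSymLinks
  </Directory>
  # Options Indexes   (commented out, must be ignored)
  <Directory /var/www/downloads/>
    Options +Indexes
  </Directory>
  <Directory /var/www/files/>
    Options All
  </Directory>
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

# Run against a real file:  ./audit.sh /etc/apache2/sites-available/default
case $# in
    1) list_indexes_enabled "$1" ;;
esac
```

Run it over /etc/apache2/apache2.conf, httpd.conf and every file in sites-available; any line it reports is a place where a listing can still be served, and a directory without an index file under that block will be browsable.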

Prevent access to your include directory

Add this to your site’s file in /etc/apache2/sites-available.


# Deny Web clients access to the include directory (change the path to match your site)
<Directory /www/MySite/include.php>
    Deny from all
</Directory>

Show an error document instead of the default 404 error

Create a normal PHP document with your site’s navigation and a message that says the file can’t be found and maybe you can find it with the nav menus. Add this to your site’s file in /etc/apache2/sites-available. And while you are at it, there is no reason you need to tell anyone that they don’t have permission to see a particular file; just tell them it’s not found, so add the same line for a 403 error. I take them back to the main page and display the missing file in the main page.


ErrorDocument 404 /index.php?p=missing
ErrorDocument 403 /index.php?p=missing

hdiutil

I recently started selling my software on Gumroad. For the Windows side, we just zipped up the .exe installer and uploaded it. For the Mac side, we first made a disk image where we laid out the files and then compressed them. You can do this with Disk Utility, but it’s a lot easier to do it on the command line.

The first thing you should do is put all the files you want to distribute into a folder. Then get info on the folder to see how much room you will need for your disk image. Round up a little. In the example below, I’m creating an image with 20MB. “ProductName” is the name of the software, e.g. Match Ups!, or Train Time.


hdiutil create -megabytes 20 -fs HFS+ -volname ProductName ProductName.dmg

Once you have everything laid out how you want it, compress the image.


hdiutil convert -format UDZO ProductName.dmg -o ImageForDistribution.dmg

UDZO is the UDIF zlib-compressed image format. You can rename ImageForDistribution.dmg to anything you want.
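The four steps above (size the folder, create the image, lay out the files, compress) can be put in one script. This is an added example, not the post’s own script: it sizes the image from du with some headroom, attaches the read/write image at a temp mount point, copies the folder in, detaches, converts to UDZO and verifies the result. It assumes macOS with hdiutil; the size helper is plain arithmetic so it can be checked anywhere, and the SOURCE_FOLDER, VolumeName and output name are arguments you supply.

```shell
#!/bin/sh
# Build a compressed .dmg from a folder. Added example, not from the post.
# Assumes macOS (hdiutil). Usage: make_dmg.sh SOURCE_FOLDER VolumeName out.dmg
set -e

# dmg_size_mb KILOBYTES -> image size in MB: round up to whole MB, then add
# about 20% headroom so the HFS+ metadata and catalog fit ("round up a little").
dmg_size_mb() {
    kb=$1
    mb=$(( (kb + 1023) / 1024 ))
    echo $(( mb + (mb + 4) / 5 ))
}

# make_dmg SOURCE_FOLDER VolumeName out.dmg
make_dmg() {
    src=$1; vol=$2; out=$3
    kb=$(du -sk "$src" | cut -f1)
    size=$(dmg_size_mb "$kb")
    work="${out%.dmg}-rw.dmg"          # temporary read/write image
    mnt=$(mktemp -d)

    # 1. create the empty read/write image, as in the post
    hdiutil create -megabytes "$size" -fs HFS+ -volname "$vol" "$work"

    # 2. mount it and lay out the files (rearrange by hand here if you like)
    hdiutil attach -mountpoint "$mnt" "$work" >/dev/null
    cp -R "$src"/. "$mnt"/
    hdiutil detach "$mnt"

    # 3. compress to the distributable image (UDZO = UDIF zlib-compressed)
    hdiutil convert -format UDZO "$work" -o "$out"
    rm -f "$work"
    rmdir "$mnt"

    # 4. check the image before uploading it
    hdiutil verify "$out"
}

case $# in
    3) make_dmg "$@" ;;
esac
```

The verify step is cheap and catches a truncated or corrupted image before customers do; the read/write image is deleted after conversion so only the compressed one is left to upload.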

Password Security

A couple of recent posts on identity theft, card readers on gas pumps, and break-ins to the computer systems of large companies have prompted me to finish writing up my thoughts on how you can increase the security of your credit cards and on-line transactions.

Summary for those who don’t have time to read the whole thing. Crackers are not targeting you. They are looking for the low-hanging fruit and it’s not that hard to make it not worth their time to mess with your accounts.

1. Change your password on your email and all bank accounts, brokerage, phone plans, etc. to have at least 13 characters—upper and lowercase, at least a few numbers, and a few special characters.

2. Use a different email address for your financial accounts than you use for general email.

3. Do not ever re-use the same password. It’s not as hard as you might think to have a different password for each site. For example, I have a generic password for sites that don’t have any financial information and I just prefix it with the first two letters of the site. Since lots of sites have two word site names, I use the first letter of each word. So BeachTalk is BTbazmarle! The ‘word’ in the middle isn’t a dictionary word (or words) or something that pops up on Google. Make the password 9 letters or more.

Here’s a simplified version of what crackers are doing. Crackers sometimes break into sites and steal the entire password file. If the site has even rudimentary security the passwords are hashed rather than stored in the clear (people often loosely say “encrypted”)—but surprisingly enough not all sites do this. But even if they are hashed, computers are fast enough now that they can compare the stored hashes to a ‘rainbow table’ of precomputed hashes and recover the passwords. Basically, they can compare the password to all possible combinations of letters, numbers, and symbols. At the moment rainbow tables are easy to construct for 8 character passwords. It’s basically impossible to construct rainbow tables for 13 characters. Longer passwords are still subject to dictionary attacks, so you don’t want to make a password by combining two dictionary words.

The first thing they’ll do when they get the passwords is try to use them to log in to banks, Amazon, Best Buy, etc. Many people use the same email and password for all their logins, so they get a lot of logins for places they care about from small sites that aren’t secure. My server gets thousands of break-in attempts every day and I don’t have anything worth stealing. I can’t even imagine how many attempts sites with millions of users get.

Unless you are someone famous, you don’t have to worry about using things that you know as your password. So you can use the initials of your family for the first four letters, JMJD, then append one or two made-up words that you can remember—maybe you fly a TSIO Bonanza, tsiobonan, your street address is 874 and the special characters corresponding to your birth year are %&. So your easy-to-remember password is JMJDtsiobonan874%&

If you use a laptop, don’t let the computer remember your passwords for financial sites. You should write them down, but don’t keep them in your wallet.

Now, here’s why you want a separate email address for your financial accounts. I have a different one for each of my accounts. If I get an email sent to john@LF about my bank account being overdrawn, or a shipment has been made, I know it’s a phishing attack. If I get an email to BofAJohn@LF then I am fairly confident that it’s legit. But that’s not the main reason I use a different email. Most sites will let you change your password if you forgot yours by requesting a new one with an email. Once someone has your email address and can log in to your account, they’ll start requesting a password reset everywhere they can think of. Banks are getting better at requiring another authentication factor, like your favorite candy, but not every site does this. If your bank has an email address that you only use for them, crackers won’t be able to reset the password.

Spammers will pay for cracked accounts. I’ve gotten spam from people who have had their Yahoo, Hotmail, or Facebook accounts hacked. Outright thieves will pay for other accounts. Cracked iTunes accounts are worth $8, AT&T and Verizon accounts are worth $4 and Twitter and Facebook are worth $2.50.

These techniques won’t stop the NSA, Rupert Murdoch, or someone who is targeting you specifically, but will make it less likely that some random cracker will get your info.

Things I can’t remember – Permissions

We recently migrated our sites to Linode. Since we switched distros from Gentoo to Ubuntu we had to add the users in by hand. That meant that the permissions on the old system didn’t match the permissions on the new system. In most cases, I want the person who owns the site to be the owner of the files and the site’s group to be able to read and write the files. I usually put myself, artists, and system maintainers into the group. Everyone else, including Apache, gets read access. To do this manually is a real pain. Fortunately, there is an easy way.

To change the permissions on the directories go to the site you want to change and use:


sudo find . -type d -exec chmod 775 {} \;

To change the permissions on the files go to the site you want to change and use:


sudo find . -type f -exec chmod 664 {} \;

You need sudo since you probably aren’t the owner of the files. That’s it. The commands work recursively from wherever they are started, so run them from the top of the site and nowhere higher.
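The two find commands above, wrapped up with the ownership step and an audit that reports anything still out of line, as an added example that is not from the post. It goes a little beyond the post: the separate inherit_site_group helper sets the setgid bit on directories so files created later by anyone in the group keep the site group instead of the creator’s primary group, which is the usual way permissions drift again after a migration. DIR, OWNER and GROUP are arguments you supply; the audit only reads.

```shell
#!/bin/sh
# Site permission helpers. Added example, not from the original post.
# Scheme: directories 775, files 664, owner = site owner, group = site group.

# apply_site_perms DIR  (exactly what the two find commands in the post do;
# "{} +" batches paths into few chmod calls instead of one per file)
apply_site_perms() {
    dir=$1
    find "$dir" -type d -exec chmod 775 {} +
    find "$dir" -type f -exec chmod 664 {} +
}

# set_site_owner DIR OWNER GROUP  (run with sudo unless you own everything)
set_site_owner() {
    chown -R "$2:$3" "$1"
}

# inherit_site_group DIR  -> setgid on directories so new files get the
# site group automatically; optional, not applied by apply_site_perms.
inherit_site_group() {
    find "$1" -type d -exec chmod g+s {} +
}

# count_wrong_perms DIR -> number of entries that do not match the scheme.
# 0 means the tree is clean; use it as a quick check after a migration.
# (-perm with a bare mode is an exact match; run this before inherit_site_group,
#  or the setgid bit on directories will be counted as a difference.)
count_wrong_perms() {
    dir=$1
    {
        find "$dir" -type d ! -perm 775
        find "$dir" -type f ! -perm 664
    } | wc -l | tr -d ' '
}

# Usage: fix_site.sh DIR OWNER GROUP
case $# in
    3)
        set_site_owner "$1" "$2" "$3"
        apply_site_perms "$1"
        echo "entries still out of line: $(count_wrong_perms "$1")"
        ;;
esac
```

The audit is worth keeping around on its own: a non-zero count after a deploy usually means someone copied files in with a tool that preserved the wrong mode, and the offending paths are exactly what the two find lines inside count_wrong_perms print if you run them without the wc.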

Will Apple ever sell me another laptop?

My first laptop was an AT&T Safari running Windows 3.1 that I bought using my employee discount in 1993. It was fine for spreadsheets and word processing but was woefully underpowered for running Photoshop or Director. Even the games that I wrote at the time were barely able to run on it. So my main computer for many years was a desktop. Usually it was the second most powerful Apple computer that Apple sold. And I replaced it every 18 months or so. In July of 2000 I got an Apple G3 laptop that was capable of doing real work. It lasted a bit longer than my typical desktop and was used for testing games for at least 10 years. It still ran, albeit too slow to browse the current internet, when I recycled it a few months ago. After that I used a couple of G4 laptops and handed them down when newer models came out that were significantly faster. I bought my last laptop in June of 2006 and have been happily developing web pages, Director programs, and apps with it. It runs Photoshop and Flash fine and I’d still be using it if I didn’t need a computer that runs Mountain Lion. I briefly borrowed a newer Apple laptop and I am now using a Mac mini. I can’t really tell much difference in the speed compared to my almost 7 year old laptop. The biggest difference is the hard drive. I upgraded my laptop to a 500 GB drive a few years ago and I’m using most of it. The mini has a terabyte drive and it’s nice to have the extra space.

So why did I buy a Mac mini when I’ve been happily using laptops for years? Three reasons. I work at home and at the office, so I need to have the same data in both places. I don’t go into the office as often now but when I do, I can unplug the mini and take it with me. The second reason I liked my laptop was because I used it to look stuff up when reading, watching TV, gardening, etc. But now I have an iPad Mini and an iPod Touch so I don’t use the laptop the same way I used to. All of the information I need can be found with the iDevices. Plus they are much more portable than the laptop. The iPad Mini also lets me watch iTunes University courses and from time to time Netflix.

But probably the deciding factor was performance and price. The Mac mini was $864 including tax. I already have a couple of monitors. The big Samsung is great for coding and the smaller ViewSonic holds mail, files, and miscellaneous code just fine. It has great color fidelity for the times when I need to edit photos. The Mac mini comes with two video ports and an HDMI to DVI adapter cable, so I connected the Samsung to the HDMI port with the adapter and the ViewSonic to the Mini DisplayPort with my current adapter. It has four USB ports, which aren’t nearly enough on their own, but with a couple of 4 port dongles I could connect my iDevices, Logitech mouse, and Dell QuietKey keyboard. Two backup hard drives remain behind my big monitor.

I added a Jawbone JAMBOX to get better sound. Since that’s the main selling point of my apps, I need to be able to hear things well. But it was only $164. And that’s all the extra stuff I had to buy.

So for $1,028 I got a 2.3GHz quad-core Intel Core i7, 4GB RAM (expandable to 16 GB for $168 from Crucial if I need to) and a 1TB hard drive. The same specs in a laptop are $2,160. For me, that’s a significant difference. I suppose if I worked at client locations or coffee shops, I’d need a laptop. But, since I don’t, it seems like a waste of money to me. Even the lower spec laptop at $1,620 is almost twice what I spent on the Mac mini.

I’ve been using this setup for a month now and it works really well. About the only thing I need to change is to organize the rat’s nest of cables behind the monitor.

Desk

Update: As of April 2015 I still don’t need the extra RAM. And I did fix the rat’s nest of cables as I describe in this post.

Update: Summer 2016. My laptop is still going strong, but my wife’s 2009 MacBook is starting to have problems with the trackpad and is a bit slow for editing photos. I considered getting her a Mac Mini, but she works in a variety of places so she needs a laptop. I like the retina display on the MacBook Pros, but they haven’t been refreshed for four years. The MacBook on the other hand just came out. It is light and much smaller than the MacBook it replaces. Speed hasn’t been a problem and she is getting used to using Pixelmator and Acorn, so she doesn’t miss Photoshop. If I need a laptop, we got the low-end model and it works just fine—especially compared to the old one. As a bonus, it plays Netflix and other video sites fine.