
Assorted Miscellany

Posted by T. Greg Doucette on Dec 14, 2010 in Weekend Roundup

Good evening folks! :)

I’m trying to make my way through the 2nd book for my internship (Six Thinking Hats) so I don’t have time to write much, but I did have a few bullet points to toss your way:1

  • Had to go pick up registration materials for the MPRE today. For some reason, knowing I’ve got this exam looming in the near-term future kinda makes the whole “omg I’m gonna be an attorney. Who let that happen?!” thing ever-so-slightly more tangible… and prompting me to freak out accordingly :beatup:
  • Speaking of exams, I discovered that I’m a compulsive snacker when I study for finals. I’ve somehow managed to pack on +15lbs in between Thanksgiving and now despite -0- change in my activity level :crack:
  • Lots of stuff going on in the blawgosphere here recently. A quartet of tidbits for you to check out:
    • The weekly Law School Roundup — a years-old gathering of posts from law students around the interwebz that used to alternate between Evan Schaeffer’s Beyond the Underground and ImNobody’s Thanks, But No Thanks — has found a new home over at KatieLuper.com. Katie’s a graduate of SMU Law out in Dallas and getting ready to knock out the TX bar exam herself, which is presumably so monotonous that she reads blawgs for the occasional sanity check ;) If you’re new to the blawgosphere, the Law School Roundup and ClearAdmit’s Fridays from the Frontline are both an excellent source for discovering new law students!
    • One of those newcomers is Jose, a 1L at Ave Maria Law who has been actively engaging us blawgers on Twitter for awhile now. His new blog is online over at Law of Jose — definitely swing by when you get a spare minute or two :)
    • Madame Prosecutor also posted her first update in months, giving folks a breakdown on how her semester turned out. We’ll see if she ends up disappearing again :P
    • And another brand new blawg, but from a lawyer this time, is Peter Romary’s foray into the blawgosphere over at The True Verdict. Peter’s done a lot of work on behalf of students here in North Carolina and I consider him a friend, but (just in case that’s not enough reason to go read his blawg) he’s good at strongly wording his strongly-held opinions. Plus he’s from the UK, that’s gotta be worth something right? :beatup:
  • Peter’s most recent entry is on Julian Assange, the founder of WikiLeaks who’s been all over the news for awhile now. The issue of Assange being a sexual predator notwithstanding…2 am I the only one disappointed with WikiLeaks in general? The libertarian in me loves the concept, because I’m fairly certain all governments are doing things they have no business doing — and if someone happens to leak that fact, it’s more-than-slightly dishonorable on the part of the government to complain when its own hands aren’t clean. But for all the value of the concept, and the “cool factor” of the various technologies used in its implementation, the near-exclusive/obsessive focus on the United States really robs the website of its moral virtue (at least in my feeble mind). Despite histrionics to the contrary, the U.S. is still a mostly-open society with a mostly-open government. If our government’s documents get leaked, sure feel free to post them. But where are the documents on Iran, which has a tendency to execute dissenters? Or China, which prefers jailing them instead? Or any of dozens of other countries that people flee by the thousands every year… to come to the United States? :roll:  The whole enterprise is a disappointment, and it saddens me as a tech guy to see hacktivists across the globe rally to Assange’s defense. </rant>
  • Now that I’ve gotten that particular rant out of my system, I’ve made some more blog tweaks here at law:/dev/null too:
    • On the anti-spam front I’ve started closing old entries to comments if they kept getting spammed. This isn’t a site-wide policy yet (and hopefully it won’t become one) but I figure the odds of an uncommented entry from [#] months ago suddenly getting legitimate interest is pretty slim ;)  In any event, if for some reason you happen to venture to an old entry that you want to comment on but don’t see the comment box, shoot me an email and I’ll re-open the entry to comments. Trackbacks and pingbacks should still work, so you’re also free to blast me from your own blawg too :*
    • You should also see the <title> of each page now reversed, listing the post title and then the blog title. They used to be the other way around, but it got really @#$%ing annoying having to constantly expand the textbox in Google Analytics to see which posts were getting traffic since all I kept seeing was “law:/dev/null – Blog Archive – …”. So I flipped them :beatup:
  • I just found out yesterday that I’m using a different book in CrimPro next semester than what I used in CrimLaw… which means, since I’m taking one class and tutoring the other, I’ll have to bring both to school every day :mad:
  • And I’m still waiting on grades :mad: :mad: :mad:
  • But other than that life is going pretty well :)  I’ve got a lot of friends with birthdays coming up, 雅雅 is coming to visit, I’m heading out west this weekend for firearms training, and the internship is pretty cool. I’m definitely blessed — and actually looking forward to the upcoming semester! :spin:

That’s it for tonight y’all! Hope all of you have a great rest-of-the-week! :D

  1. And yes, I realize it’s not the weekend and putting this entry in the Weekend Roundup category is technically inappropriate. But since I usually post things late — and I can pretty much rename the categories willy-nilly whenever I want anyhow — I’m just gonna put it here and let y’all pretend it was posted 2 days ago ;)
  2. Reminds me of an L&O:SVU episode…


Straddling the fence

Posted by T. Greg Doucette on Dec 13, 2010 in The 2L Life

Hey everybody! :D

Way back during my (first-of-two) sophomore year at N.C. State, I had a classmate who was a transplant from England.1

He took great joy in coming up with as many bad puns, double entendres, and various other efforts at groan-inducing wordplay as he could, as a way of highlighting the differences between the way we talk here in the States and what he considered “proper” (read: British) English :roll:

Then one day I was carping about not knowing what to do with my slowly-imploding academic life, and without missing a beat he shot back:

“You can’t ride two asses with just one, T. Greg.”

His other weak attempts at witticism notwithstanding, that particular comment has stuck with me in the decade since he uttered it :beatup:

You’ve probably heard other formulations of it — “there’s no decision worse than indecision”, “if you can’t do everything at least do something”, “moving backwards is still moving”, etc etc etc — but the underlying point is still the same. We live in an increasingly risk-averse society (highlighted by our ever-expanding government “safety net”), people avoid making tough choices, and in the process our problems perpetuate themselves… and usually get worse over time.

Food for thought (I promise that's the last pun in this entry! :beatup: )

I got reminded of his remark this past week reading Spencer Johnson’s Who Moved My Cheese?, a book I was given at my new internship doing legal work with the tech folks I mentioned last month. The book’s a quick read at a svelte 74 pages and the story is a bit (pardon the pun) cheesy.  But it packs a lot in those few short pages. Definitely read it if you get a chance.

Anyhow, the point of that belabored windup to this blog entry is that the book got me thinking about my classmate’s comment, which in turn got me thinking about my own future career plans…

…which in turn led me to discover I have no effing clue wtf I’m going to do with my life after getting this J.D. in 2012 :crack:

This time last year I just knew I was going into the USMC JAG Corps.  Then I ended up on crutches and went on to fail my Physical Fitness Test.  My heart still wants to do it, but I don’t think I’m willing to give up enough time in my other activities (SBA, trial team, potentially making Dean’s List) to really focus on getting in shape.

Even so, I figured it wasn’t a big deal because I just knew I was developing an affinity for CrimLaw and could make a decent living as an Assistant District Attorney.

And of course if that didn’t pan out I just knew there was academia and my “one of these days” goal of teaching2 something like Constitutional Law and/or Criminal Law and/or Evidence at some indeterminate point in the future, a prospect that got reinforced when I locked up a CrimLaw tutoring gig for next semester.

But then out of the blue this internship with I-Cubed opened up, giving me a chance to delve into technology-related law too. The people I’ve met and the company in general both seem pretty doggone cool so far… even though I feel like I’m already behind schedule on my deliverables despite steadily grinding since I started last Thursday3 :surprised:

Completely different areas of law, completely different sets of pros and cons, completely different pay scales — and that’s not even including any other options I haven’t been exposed to yet since I’ve still got 1.5 years of law school left to go.

Don’t get me wrong, I’m not complaining. It’s a good predicament to have. I’m just flummoxed trying to figure out what I want to do, so I can (as Johnson puts it in the book) head out into the proverbial maze in search of my own cheese.

Anyhow, I think that’s quite enough angst for one entry :)  If anyone’s got any compelling insights feel free to share them — and if not, I hope all of you have an amazing week! :D

  1. The same guy who always called me a “queer bird” whenever we talked politics.
  2. Scroll down to Item #23 on that link.
  3. Though I’m sure a chunk of that is from time spent in the law library trying to not f*ck up on real-world work involving my worst 1L subject :beatup:


Should I be getting linked in?

Posted by T. Greg Doucette on Nov 8, 2010 in Technology

Last Thursday I posted an entry about why I started law:/dev/null, which led to a back-and-forth convo on Twitter with Matt Hollowell of LexisNexis. Matt’s comment on that post raised solid points that I hadn’t considered back in the halcyon days of August 20091

…and also prompted me to seek some guidance from y’all. Again. :angel:

Matt mentions the value of LinkedIn, which also echoes a sentiment posted by Ruth Carter back in July on the importance of targeted networking. From my limited perusal of the site, LinkedIn basically seems like “Facebook for Job-Seekers”. And therein lies my conundrum.

On the one hand, I’m definitely a job-seeker.

On the other, I can barely keep my Facebook page updated regularly :beatup:

That’s the main reason why I’m generally far behind the adoption curve when it comes to social networks. I was obstinate in my opposition to Twitter, and didn’t cave in and create my own account until this April — 4 years after it was created, and 3 after it hit mainstream. Since then I’ve been on this rollercoaster of using it frequently and then not using it at all. The same rollercoaster goes on with my Facebook account: it usually gets used for status updates, talking trash with friends about ACC athletics, and setting up event invites for SBA stuff.

I don’t doubt for a minute that there’s value to LinkedIn; otherwise it wouldn’t have any users. But should I be adding yet another social network to my digital repertoire if odds are good I’ll only be a sporadic contributor at best? What are the odds of outdated info doing more harm than good? How many of my law student readers have LinkedIn accounts already?

Thoughts are appreciated, thanks y’all! :D

  1. It seems so long ago now! :crack:


What could VZW be up to?

Posted by T. Greg Doucette on Nov 5, 2010 in Technology

For the past 2-ish weeks now I’ve been getting called at various hours of the day by Verizon Wireless. I’ve been with the company for almost a decade, I’m happy with my (lavish) phone service, pay my bill on time every month, enjoy my BlackBerry Tour,1 etc etc etc — basically there’s -0- reason for them to call me, so I just haven’t answered. My figuring is that if it was important enough, they’d leave a voicemail :beatup:

Well they called again around 7pm tonight, and one of my friends goes “You really should pick up, maybe they’re calling to give you money.” Implausible though it sounded, that thought hadn’t crossed my mind…

…so I called back.

And she was right :surprised:

Supposedly VZW was/is running a promotion “for certain customers, for a limited time only” to upgrade at my “New Every Two” discount 4 months ahead of schedule. I respectfully declined the offer because I don’t want to get locked in to another phone for 2 years when I’m hoping/praying for a CDMA iPhone to debut in January. She said that was fine… and in the alternative they were going to automatically credit me for one month’s free service, and I’ll still be able to do my usual upgrade in March :crack:

Then for the icing on the cake, she migrated me to a new phone plan that has unlimited minutes/text/data (versus my current 1350 minutes with unlimited text/data) that’s actually $10 cheaper a month, as part of a new 1-year agreement that will actually end ever-so-slightly earlier than my current 2-year agreement :spin:

Now I’ve mentioned my political leanings in past entries, that I’m generally a fan of business, I’m comfortable with companies making money as long as I’m getting a worthwhile product in return, and so on and so forth. But the soon-to-be-lawyer cynicism in me has to wonder what this was all about. Surely I don’t spend enough money to merit VZW just trying to keep me happy. I’ve never indicated a plan to switch to AT&T so that can’t be it. And even if they were trying to get everyone to upgrade to their new line of Android-based phones — a sentiment I’ve heard from several of my colleagues at school — they had no need to give me a month of free service when I declined.

Any of my less-cynical and/or tech-savvy readers familiar with the mobile phone market have any thoughts/insights?

  1. Even though I’m eagerly awaiting the iPhone :D


MacOS X, a decade later

Posted by T. Greg Doucette on Sep 13, 2010 in Technology

WARNING: Non-law content ahead :beatup:

I’ve been an Apple fan since middle school, a love affair I partly detailed in this Things TDot Likes entry from awhile back.

And 10 years ago today I was near the tail-end of my stint as a bona fide Apple employee, evangelizing on the company’s behalf at my alma mater N.C. State,1 when MacOS X Public Beta was released into the wild.

A screenshot of MacOS X Public Beta (Source: Wikipedia)

That’s version 10.0.0b (code name “Kodiak”2) for any of you who are current Mac users ;)

It’s hard for people to appreciate how much the state of operating systems has advanced over the past decade if you’re not a computer geek.

But I am, so let me tell you — things have advanced. A lot.

The great folks over at Ars Technica have dusted off their review of MacOS X Public Beta from a decade ago. Even if you’re not a gearhead like me, consider giving it a read and getting a feel for how primitive things used to be in computing not so long ago :)

  1. I had to give up the gig a month later, since it’s a bit difficult to be a “Student Representative” for a company when you’re no longer a student :beatup:
  2. MacOS X releases have since been named after big cats: 10.0 was Cheetah, 10.1 was Puma, 10.2 was Jaguar, 10.3 was Panther, 10.4 was Tiger, 10.5 was Leopard, and the current 10.6 is Snow Leopard. I’m waiting for them to use Ocelot myself :D


Spruce-ifying our error messages

Posted by T. Greg Doucette on Sep 5, 2010 in Technology

Good evening y’all! :D

The never-ending war on WordPress comment spam has been less-intense the past couple weeks, owing in large part to my hair-trigger tendency to add people to the .htaccess banlist :beatup:  I started keeping track of the raw number of referrers1 and IPs banned just for my own amusement, and in typical TDot fashion created a chart showing where things were as of September 1st.

See the footnote before complaining about my spelling :P

Banning spammers has the upshot of “purifying” the site stats — meaning the people who show up in the logs are now either (a) search engine crawlers or (b) honest-to-God humans — but it also raises the possibility a legit visitor might get banned because they happen to be accessing the site from a spam-tastic host.

I’ve been meaning to clean up the ErrorDocument files that our web server spits out when that sort of thing happens, but considering I’ve barely kept up with posting do you really think I got around to something that requires actual coding? :P

Fortunately it’s a long holiday weekend following an abbreviated school week, so today got to be the lucky day I sat down and hammered out some more tweaks. In lieu of studying of course :beatup:

Now if you happen to be one of those unfortunate souls banned from accessing the law-licious goodness of law:/dev/null because you or your fellow server denizens have engaged in scurrilous spamming or other electronic acts of villainy, you’ll be greeted with a page explaining that you’re forbidden from accessing anything and, more importantly, my email address if you think I’ve banned you in error. w00t for slightly-more-useful error messages.

Of course with the 403 Forbidden page getting a makeover, the 404 Not Found page was feeling left out so I tweaked that too. Now if you try to reach a post that no longer exists or you go somewhere that’s just plain silly (http://www.lawdevnull.com/pinkelephants/ for instance) the page will not only let you know the thing you’re looking for isn’t there but also — thanks to AskApache’s Google 404 plugin — provide you with Google-generated suggestions for what you might have been trying to find :)

Feel free to poke around and experiment, and if you notice any bugs or kinks or typos let me know! Actual law-related content coming soon, but until then have a great night!! :D

  1. Computer Science story: even though it’s misspelled, “referer” is frequently used when referring to HTTP referrers since the misspelled variant was in the proposal creating the HTTP specification way back in 1995… because the automated spellcheck back then didn’t recognize either referer or referrer :surprised:  You can’t make this stuff up folks!


When internet memes attack…

Posted by T. Greg Doucette on Aug 15, 2010 in Site Stats

What do “nom nom nom”, “::headdesk::”, and “#fml” all have in common?

Lots of people looking for nom-ing bunnies...

They’re all internet memes I’ve been using here on law:/dev/null for months now… and they’ve turned into a real headache when it comes to site maintenance :beatup:

I first noticed something was amiss when the blog got hit by a massive wave of spam comments back on July 11th. The pageview spike was so massive I had to leave out that entire day when updating these bar charts, otherwise the “Pageviews per Day” bar would be about 50% higher than it is now.

To highlight the spike, I created a new chart below graphing the number of spam comments against the number of unique IP addresses we had in a given month (higher bars == more spam comments per capita).

As I spent the next couple weeks re-acquainting myself with .htaccess directives for this spam prevention entry, I noticed something else odd in the log files: we had a trio of referrer URLs showing megabytes upon megabytes of data being transferred but with -0- corresponding pageviews. After poking around I realized the bunny picture from this old Contracts entry was being hotlinked all over the place for reasons I couldn’t figure out.

So I logged in to Google’s Webmaster Tools for the first time in months, and figured out what was going on — over 15,000 searches on 30 different variations of “om nom nom” :crack:

July brought lots of spam...

Apparently when I switched how WordPress sets post URLs last month (from the old numeric “?p=1234” to the current setup), the search index for that Contracts entry went up high enough that the bunny picture became the #1 result for anyone doing a Google search with “nom nom” in it.

Not the entire entry of course. Just the bunny pic. :beatup:

Things have calmed down a bit now that I’ve started banning spambots and limiting the hotlinks. My guess is traffic will go back to a more-linear growth pattern for August. We’ll see what happens :)

***

On the search query front, we had a bunch of duplicate searches but also some fresh ones. Here are 20 of the 100+ unique search terms that brought folks here in July:

  • chazz clevinger: worked with me as the Vice President of Legislative & Public Affairs for UNCASG two years ago. I haven’t kept in touch with him much since law school started, but he did good work for the students of North Carolina.
  • nc dmv 30 day tag for insurance lapse: cost me $63, and I didn’t even need one :mad:
  • nccu lsat score evening program: for 2009-10, was 151 for the evening program, with the 25th percentile folks at 148 and the 75th percentile folks at 155 according to the class profile.
  • blackberry messenger group nccu school of law ’11: exists, but I’m not a part of it since I’m in the Class of 2012 ;) Hit up one of the 3Ls for more info.
  • tdot surplus vehicles: HA! I wish I had surplus vehicles…
  • does duquesne law school give midterms?: I don’t know about Duquesne Law, but NCCU Law does :spin:
  • letter demanding payment from ex girlfriend: is probably not going to accomplish much of anything…
  • negative things about nccu law: vary depending on who you ask. I’m a huge NCCU Law fan, and my only real complaint is that the wi-fi can be spotty in certain areas of the building (like the Great Hall and the Fishbowl). Hopefully they improved that over the summer.
  • 2010 11 tuition north carolina: is unfortunately still going up by almost $1K at several universities, since state legislators decided to balance the budget on the backs of students :mad:
  • nccu law fall 2010 class calendar: can be found on the Law School Registrar’s TWEN page, or downloaded from the NCCU Law “Academics” page.
  • nccu school of law’s grading curve: follows a strict-C median, which I happen to enthusiastically support ;)
  • mary wright 1l advocacy competition: takes place every Spring semester for 1L students. You can watch the video of my 3rd place performance here.
  • daryl wade unc: is probably not the same guy as Daryl Wade, the former Student Body President at UNC School of the Arts who served as Vice Chairman of the UNCASG Council of Student Body Presidents last year. I’m sure the other Daryl Wade is still cool though… even if he goes to UNCCH :sick:
  • are 1l’s included in the 30 day delay for financial aid?: For the vast majority of 1Ls, no.1 This was actually one of the questions we had at my 1L Orientation last year, so you’re not alone in wondering :)
  • what percentage of nccu law school are white law students?: roughly 35-40% each class year. Another 45-50% are black, and the remaining 10-20% are spread across other races. We’re routinely ranked among the most diverse student bodies in the country.
  • nccu minority scholarships for white law students: “No, officer…”
  • nccu law fall 2010 book list: can be found above the academic calendar on the NCCU Law “Academics” page.
  • acpi:system state: could signal a dead motherboard :(  Take it to get looked at ASAP.
  • which computer apple or pc for law students: Apple. Hands down. Trust me. ;)

Definitely a different mix of search results getting here this month… :)

***

And finally, here are the Top 5 most-viewed posts for the month of July 2010, quite a bit different from past Top 5s due to the new indexing changes:

  1. On avoiding contract enforcement: Mmm Ks nom nom nom (02/16/10)
  2. On inexpensive résumé websites: Things TDot Likes: Persona Non Obscura (12/08/09)
  3. On post-1L class ranks: Learning what I already knew (07/12/10)
  4. On having a shadow: Spreading the (Law School) Gospel (02/17/10)
  5. On saving money: TDot’s Tips: Tips for the pre-L’s on $$$ (05/29/10)

*THANK YOU* as always to each of you for your continued support of us here at law:/dev/null! :D

  1. My understanding is that some international students who have never attended a U.S. school previously get included, but I don’t know enough people (translation: none) who fall into that category to know if that’s accurate :beatup:


Fight WordPress comment spam with .htaccess

Posted by T. Greg Doucette on Aug 4, 2010 in Technology

Spambots really frost my Wheaties… :mad:

Given the prevalence of Google indexing and the role links to a given site play in search rankings, “spamdexing” is something every blog author is going to face at some point or another. Basically spammers write scripts to leave fake comments on a sh*tload of blogs containing a bunch of links in an effort to boost the search engine rank for their own site.

I had taken a fairly laissez-faire attitude toward spammers since law:/dev/null started back in August, but after getting slammed with spam last month I decided that needed to change. So part of my delay in getting things posted last week (aside from just having a lot to edit) was the product of me dusting off some of my old Computer Science notes and getting intimate with some old spam-fighting techniques.

I’m not sure I’ve got it completely re-mastered, but I figure I’ve got things down enough that I can share some of that insight with y’all. Besides, it took me 6 years to finish a 4-year degree — I might as well put what I learned to some use :beatup:

The majority of websites across the globe run on the Apache HTTP server, an excellent, scalable and secure open-source web server. Odds are good your own blog is running on Apache right now1 and that means you already have an effective anti-spam tool built in: the .htaccess file (provided your host permits per-directory overrides, i.e. AllowOverride is not set to None for your document root).

Disclaimer: .htaccess and regular expressions are both powerful tools for web development — especially when they’re combined together. Be über-careful as you work on this file (and make back up copies) because mistakes or typos can basically make your blog totally inaccessible to everyone. I’m also assuming you have at least some familiarity with your own webserver; since I don’t know the specifics of your own setup, proceed at your own risk, caveat emptor, etc etc etc. Basically #dontsuemeplzkthxu ;)

.htaccess is a plaintext file of per-directory Apache configuration directives. Apache re-reads it on every request for anything in the directory that contains it (and its subdirectories), so changes take effect immediately with no server restart. To create one, all you have to do is create a new plain text file (e.g. in TextEdit on my Mac, after opening a new file I go to Format > Make Plain Text), save it, upload it to your server via FTP or however you directly upload files, then rename it “.htaccess” (without the quotes).

There are all sorts of cool things you can do with .htaccess… but I’m only going to show you a small subset, so feel free to Google for the rest ;)

====================
1) FIRST LOCK DOWN YOUR SERVER…
====================

Certain files on your blog get accessed on the backend by the web server itself or by you via a command-line interface. They’re not the type of thing that should ever be viewable or accessible to the public through a web browser.

For example, you don’t want everyone being able to read your .htaccess file because they’ll know what you’re defending against… and, by implication, what you’re not defending against ;)

Here’s a quick code snippet to block access to these files:

############ PROTECT FILES ############
# This snippet prevents unauthorized access to certain
# core files like .htaccess as well as logs, scripts,
# and other things that can be exploited by spammers
#######################################
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
order allow,deny
deny from all
</FilesMatch>

Apache treats any line that begins with “#” as a comment and ignores it. Unlike in most programming languages, a comment may not share a line with a directive: something like “deny from all # everyone” is a syntax error, and a syntax error in .htaccess takes the whole directory down with a 500 error.

The <FilesMatch> line opens a container: the directives inside it apply to any requested file whose name matches the regular expression in quotes. Reading the regex left to right, “\.” is a literal dot, the “|” inside the parentheses is a logical OR over the listed extensions, and “$” anchors the match to the end of the file name. So the container fires for .htaccess, .htpasswd and any file ending in .ini, .phps, .fla, .psd, .log or .sh. Note that the pattern tests only the final component of the path and only its ending, so a stray backup copy such as .htaccess.bak or debug.log.old is not covered and would be served as plain text.

The inner two lines deny all access to the matched file; someone requesting it gets a “403 – Forbidden” error instead. (This is the Apache 2.2 access-control syntax used throughout this post. On Apache 2.4 and later the native equivalent is a single Require all denied line, and the old Order/Deny directives only keep working if the mod_access_compat module is loaded.)

Then </FilesMatch> closes the container.
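To make the coverage of that regular expression concrete, here is an added Python harness (my code, not part of the original post) that runs the same pattern over some constructed request paths the way Apache does, on the file name only. Apache evaluates the expression with PCRE and Python’s re module treats this particular pattern identically. The sample paths are constructed, and the “tightened” pattern that also catches backup suffixes is my own suggestion, not the post’s. Stock httpd.conf files have long shipped their own <FilesMatch "^\.ht"> block, so a stray .htaccess.bak is usually caught by that anyway; a copy such as debug.log.old or deploy.sh~ has no such safety net.

```python
import re

# The pattern from the <FilesMatch> line above. Apache matches it with PCRE;
# Python's re module behaves identically for this expression.
ORIGINAL_PATTERN = re.compile(r"\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$")

# Hypothetical tightened pattern (my assumption, not from the post): the same
# list, optionally followed by a backup/editor suffix, so stray copies of a
# protected file are blocked as well.
TIGHTENED_PATTERN = re.compile(
    r"\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)(\.(bak|old|orig|save|swp)|~)?$"
)


def is_blocked(request_path, pattern=ORIGINAL_PATTERN):
    """True if the <FilesMatch> container would apply to this request.

    <Files>/<FilesMatch> test only the final path component (the file name),
    never the directories above it, so strip those off first.
    """
    filename = request_path.rsplit("/", 1)[-1]
    return pattern.search(filename) is not None


def audit(request_paths, pattern=ORIGINAL_PATTERN):
    """Split a list of request paths into (blocked, served) under the pattern."""
    blocked = [p for p in request_paths if is_blocked(p, pattern)]
    served = [p for p in request_paths if not is_blocked(p, pattern)]
    return blocked, served


# Constructed sample requests: the files the snippet means to protect, some
# backup copies of them, and ordinary public files that must stay reachable.
SAMPLE_PATHS = [
    "/.htaccess",
    "/.htpasswd",
    "/wp-content/debug.log",
    "/php.ini",
    "/scripts/deploy.sh",
    "/.htaccess.bak",
    "/wp-content/debug.log.old",
    "/scripts/deploy.sh~",
    "/index.php",
    "/wp-content/uploads/bunny.jpg",
]

if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("tightened", TIGHTENED_PATTERN)):
        blocked, served = audit(SAMPLE_PATHS, pattern)
        print(f"{label:>9}: blocked {blocked}")
        print(f"{label:>9}: served  {served}")
```

Run it and the original pattern blocks the five intended files but serves all three backup copies; the tightened one serves only index.php and the image. Whatever pattern you settle on, request one of your own backup files in a browser afterwards and confirm you get the 403 rather than the file contents.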

====================
2) …THEN REDUCE SERVER OVERSHARE
====================

Turns out overshare isn’t just a people problem: computer servers sometimes needlessly share too much information themselves.

On many installations, for example, whenever the Apache web server generates a document itself (e.g. a “403 – Forbidden” or “404 – Not Found” error page) it appends a footer naming the web server software and its version and, depending on the ServerTokens setting, the operating system and loaded modules too. This Server Signature is designed to help folks accessing websites through proxy servers who might not be able to tell which server generated a given error. But it also lets spammers know what you’re running, and if for some reason you have out-of-date software — more common than you’d think — they then know which exploits to try against your server.

This information is still relatively easy to figure out (the same details go out in the Server: response header, which is governed by ServerTokens and can only be changed in the main server configuration, not in .htaccess), but there’s no point in letting your server just offer it up willy-nilly ;)

Apache’s compiled-in default for ServerSignature is Off, but some distributions ship configuration files that turn it back on, so it does no harm to set it explicitly:

############ DISABLE SERVER SIGNATURE ############
# This snippet disables the server signature so the server
# is not volunteering data about itself that could be useful
# to spammers in determining what attacks would work best
##################################################

ServerSignature Off

This just tells the Apache web server to shut off its ServerSignature. Very simple. :)

====================
3) BAN REMOTE COMMENTS
====================

In WordPress, leaving a comment accesses the wp-comments-post.php file. Some spammers will try to access this file without ever actually visiting your site.

You can stop this kind of non-local comment with the following code snippet:

############ NON-LOCAL COMMENT BAN ############
# This snippet prevents spammers from directly accessing
# the wp-comments-post.php file. In order to leave a comment
# a spammer must be "in" your domain by visiting your site.
###############################################
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
# REQUEST_URI carries no query string, so anchoring on .php$ is safe; the leading
# slash (instead of ^/?) also covers a WordPress install living in a subdirectory
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomaingoeshere\.com [NC,OR]
# RewriteCond %{HTTP_REFERER} ^-?$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F,L]
</IfModule>

The 1st and last lines, <IfModule mod_rewrite.c> and </IfModule>, wrap everything so that Apache only processes the block if the mod_rewrite module is loaded. Odds are it is, but without the wrapper an unrecognised RewriteCond directive would be a configuration error and every page on the site would return a 500. The 2nd line, RewriteEngine On, turns on the URL rewrite engine.

The next 4 RewriteCond lines are the conditions that must be met for the RewriteRule to fire: (1) the request must be a POST,2 (2) it must be aimed at the wp-comments-post.php file, and either (3) the Referer is not your own domain (the “NC” flag makes that comparison case-insensitive and the “OR” flag joins it to the next condition) or (4) the client sent an empty or missing User-Agent header.3

Assuming that batch of conditions is met — 1 and 2 and (3 or 4) — the RewriteRule line is executed. The “.*” matches any URL and the “-” means leave it unchanged; the poster gets a 403 Forbidden when the comment is submitted (the “F” flag) and the rewrite engine stops processing further rules (the “L” flag).

You can also uncomment the line I included that blocks people from posting if the HTTP_REFERER field is empty. I left this one out because some security programs intentionally send blank referrer info so you don’t know what website someone is coming from, but if you don’t mind the risk of blocking those folks you can enable that rule as well.
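To make the “1 and 2 and (3 or 4)” logic concrete, here is a small Python re-implementation of the decision the snippet makes, added here as an illustration (it is not code from the post, and the only thing it assumes is the snippet’s placeholder domain). It runs a few constructed requests through the same conditions so you can see which ones get the 403. One detail it makes visible: an empty Referer already fails the negated `!^http://www\.yourdomaingoeshere\.com` test, so the commented-out empty-Referer line does not change the outcome unless that third condition is also relaxed.

```python
import re

# Placeholder domain exactly as in the snippet; replace with your own site.
OWN_SITE = r"^http://www\.yourdomaingoeshere\.com"


def comment_post_blocked(method, uri, referer, user_agent, block_empty_referer=False):
    """Return True when the snippet's RewriteRule would fire (403 Forbidden).

    Apache expands an absent request header to an empty string in a
    RewriteCond, so None is treated as "" here.  block_empty_referer=True
    models uncommenting the '^-?$' Referer line.
    """
    referer = referer or ""
    user_agent = user_agent or ""

    # Condition 1: only POST requests are examined.
    if method.upper() != "POST":
        return False
    # Condition 2: the target is wp-comments-post.php (same pattern as the snippet).
    if not re.match(r"^/?wp-comments-post\.php*", uri):
        return False
    # Condition 3 [NC,OR]: the Referer does not start with your own domain.
    foreign_referer = re.match(OWN_SITE, referer, re.IGNORECASE) is None
    # Optional condition (commented out in the snippet): Referer is empty or "-".
    empty_referer = block_empty_referer and re.match(r"^-?$", referer) is not None
    # Condition 4: the User-Agent is empty or "-".
    empty_agent = re.match(r"^-?$", user_agent) is not None
    # Conditions 1 and 2 passed above; the remaining ones are OR-chained.
    return foreign_referer or empty_referer or empty_agent


def evaluate_samples():
    """Run constructed requests through the rule; returns {label: blocked?}."""
    samples = {
        "local_browser": ("POST", "/wp-comments-post.php",
                          "http://www.yourdomaingoeshere.com/2010/12/", "Mozilla/5.0"),
        "local_mixed_case": ("POST", "/wp-comments-post.php",
                             "http://WWW.YourDomainGoesHere.COM/2010/12/", "Mozilla/5.0"),
        "foreign_referer": ("POST", "/wp-comments-post.php",
                            "http://spam.example.invalid/", "Mozilla/5.0"),
        "no_user_agent": ("POST", "/wp-comments-post.php",
                          "http://www.yourdomaingoeshere.com/2010/12/", ""),
        "blank_referer": ("POST", "/wp-comments-post.php", "", "Mozilla/5.0"),
        "get_request": ("GET", "/wp-comments-post.php", "", ""),
        "other_script": ("POST", "/wp-login.php", "", ""),
    }
    return {label: comment_post_blocked(*req) for label, req in samples.items()}
```

Running `evaluate_samples()` shows that only the foreign-referer, missing-User-Agent and blank-referer POSTs are refused; ordinary visitors posting from your own pages (in any letter case, thanks to NC) get through, and GETs or POSTs to other scripts are never touched by this rule.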

====================
4) BAN SPAMMERS
====================

This is the real “meat and potatoes” of the .htaccess file as far as WordPress spam goes, and in my tests over the past couple weeks it’s been highly effective.

Although you can find tutorials online using the ReWriteEngine for this, similar to the non-local comment ban in #3 above, I’m personally a fan of using Apache’s environment variables. Since the objective of spamdexing is to increase rankings in search engines, spammers usually leave referrer code in your logs that you can use to ferret them out and stop them from ever coming back.

Here’s the code snippet:

############ SPAMMER BAN ############
# This snippet uses environment variables to ban spambots
# that come to your site with certain characteristics, such
# as Referer code from a spam-y site
#####################################

SetEnvIfNoCase Via badproxy spambot
SetEnvIfNoCase Referer badspammer1.com spambot
SetEnvIfNoCase Referer badspammer2.ru spambot
# […add as many of these lines as you have bad referrers…]
SetEnvIfNoCase User-Agent ^Bad.Spammer.Browser1 spambot
# […add as many of these lines as you have bad User-Agents…]

order allow,deny
deny from env=spambot
deny from 0.0.0.0
deny from 255.255.255.255
# […add as many of these lines as you have bad IP addresses not blocked by referrer bans…]
allow from all

So here’s the way this works. If you see a comment from a spam website or you notice a spamming User-Agent in your logs, you create an entry for it like in the first block of directives.

SetEnvIfNoCase tells Apache to create an environment variable if the given characteristic exists. So, in this example, if a spammer is coming from badspammer1.com Apache will create an environment variable called “spambot”.4

Down in the second block, it will deny access to your site from that referrer since the “spambot” variable is set.

Also in this section, you can deny access from specific IP addresses as well if you notice the same IP producing the same spam over and over. For example, earlier this week I had a handful of compromised PCs leaving me spam comments with fake URLs (meaning the Referrer info was useless) and no common User-Agent I could ferret out of my logs. So I just blocked their IP addresses.

Blocking IPs is a bit extreme since they can be dynamically assigned and may end up belonging to a legitimate commenter days later, so if you do block an IP address I’d suggest commenting it out with a “#” after a couple weeks just in case. You can always un-comment it if the spamming picks up again. :)

====================
5) BAN HOTLINKERS
====================

Hotlinking is the process of taking a URL of where an image is hosted and pasting it into your own page. This is particularly common on message boards where folks post images they see around the web. When you hear people talk about “bandwidth theft”, hotlinking is the action that leads to it. Basically people are loading the image from your own server without ever visiting your site.

I’ve always taken a fairly permissive view toward hotlinking, mostly because I generate a lot of tables and graphs that I’m perfectly fine with other people using — and if they use them, I’d like to see in my logs where they’re using them ;)

But sometimes you get someone hotlinking an image that is loaded so many times (like on a super-busy forum) that your server chokes or you use all your bandwidth for a given month or you get a nastygram from a server administrator for hogging system resources. That’s what happened to me earlier this month :( So using the same environment variables approach for banning spammers I wrote up a blacklist for banning certain excessive hotlinkers.

Here’s the code snippet:

############ HOTLINK BAN ############
# This snippet prevents hotlinks to files in your local domain
# to prevent others from stealing your bandwidth (almost always
# used for picture files).
#####################################
SetEnvIfNoCase Referer badhotlinker1.com hotlinkers
SetEnvIfNoCase Referer badhotlinker2.ru hotlinkers
#[…add as many of these lines as you have hotlinkers…]
<FilesMatch "\.(png|jpg|jpeg|gif|bmp|swf|flv|pdf)$">
order allow,deny
deny from env=hotlinkers
# ErrorDocument 403 /somedirectory/nohotlinking.gif
allow from all
</FilesMatch>

My current anti-hotlinking pic. It needs work.

We create the environment variable “hotlinkers” if someone is coming from a recognized domain where the image is getting hotlinked. We then use the FilesMatch directive (the same type we used in #1 up at the top) to see if they’re trying to load certain image files like .png, .jpg, .gif, and so on.

If they’re accessing those filetypes from the hotlinked domain, they’ll get a 403 Forbidden error instead.

And if you’re in an artistic mood, the commented line sends them to a custom 403 Forbidden error page — just uncomment it and in place of the hotlinked image they’ll instead see whatever you choose to put in its place. In my case I went with advertising for the blog :beatup:
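Since the spammer ban in #4 and the hotlink ban here both rest on the same SetEnvIfNoCase-then-deny mechanism, here is one Python model covering both, added as an illustration (not code from the post or from Apache). It uses the placeholder domains and IP addresses from the snippets, applies the `order allow,deny` rule that any matching deny wins, and restricts the hotlink deny to the FilesMatch extensions. It also checks one catch worth knowing before you uncomment the ErrorDocument line: the replacement image is itself a .gif under the same FilesMatch, and Apache evaluates the access rules again on the internal redirect with the same bad Referer, so the “no hotlinking” picture is refused too unless you exclude it from the rule (or host it elsewhere).

```python
import re

# Rule table mirroring the SetEnvIfNoCase lines of the two snippets:
# (request field, unanchored case-insensitive regex, variable to set).
# The domain names are the post's placeholders, not real spam sources.
SETENVIF_RULES = [
    ("via", r"badproxy", "spambot"),
    ("referer", r"badspammer1\.com", "spambot"),
    ("referer", r"badspammer2\.ru", "spambot"),
    ("user_agent", r"^Bad.Spammer.Browser1", "spambot"),
    ("referer", r"badhotlinker1\.com", "hotlinkers"),
    ("referer", r"badhotlinker2\.ru", "hotlinkers"),
]

# Site-wide 'order allow,deny' block from the spammer-ban snippet.
SITE_DENY_ENV = {"spambot"}
SITE_DENY_IPS = {"0.0.0.0", "255.255.255.255"}  # placeholder addresses from the post

# <FilesMatch> block from the hotlink-ban snippet: only these file types are guarded.
HOTLINK_FILES = re.compile(r"\.(png|jpg|jpeg|gif|bmp|swf|flv|pdf)$", re.IGNORECASE)
HOTLINK_DENY_ENV = {"hotlinkers"}


def set_env(request):
    """SetEnvIfNoCase: collect every variable whose pattern matches the request."""
    env = set()
    for field, pattern, var in SETENVIF_RULES:
        if re.search(pattern, request.get(field) or "", re.IGNORECASE):
            env.add(var)
    return env


def decide(request):
    """Return the HTTP status Apache would give under 'order allow,deny'.

    With that order, 'allow from all' is evaluated first and any matching
    deny directive overrides it, so one hit on an env variable or IP suffices.
    """
    env = set_env(request)
    if request.get("ip") in SITE_DENY_IPS or env & SITE_DENY_ENV:
        return 403
    if HOTLINK_FILES.search(request.get("path", "")) and env & HOTLINK_DENY_ENV:
        return 403
    return 200


def error_document_self_blocked(request, error_doc):
    """True if the custom 403 image would itself be denied for this request.

    The internal redirect to the ErrorDocument carries the same Referer, so a
    replacement image matching the same <FilesMatch> pattern is refused as well
    unless it is explicitly excluded from the rule.
    """
    return decide({**request, "path": error_doc}) == 403


def evaluate_samples():
    """Constructed requests run through the rules; returns {label: status}."""
    base = {"ip": "203.0.113.10", "via": "", "user_agent": "Mozilla/5.0"}
    samples = {
        "spam_referer_any_page": {**base, "path": "/index.php",
                                   "referer": "http://BadSpammer1.com/links"},
        "spam_user_agent": {**base, "path": "/index.php", "referer": "",
                            "user_agent": "bad spammer browser1/2.0"},
        "hotlink_image": {**base, "path": "/wp-content/uploads/chart.PNG",
                          "referer": "http://forum.badhotlinker1.com/thread/42"},
        "hotlinker_views_page": {**base, "path": "/2010/12/post/",
                                 "referer": "http://forum.badhotlinker1.com/thread/42"},
        "normal_image": {**base, "path": "/wp-content/uploads/chart.png",
                         "referer": "http://www.yourdomaingoeshere.com/2010/12/post/"},
        "banned_ip": {**base, "ip": "0.0.0.0", "path": "/index.php", "referer": ""},
    }
    return {label: decide(req) for label, req in samples.items()}
```

Two things the sample run makes clear: the spammer rules apply to every URL on the site, whereas a hotlinking forum is refused only for the image files and can still read your pages; and because the SetEnvIfNoCase patterns are unanchored substring matches, any subdomain or path containing the banned domain name trips the rule.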

—===—

Hope this helps any of you fellow blawgers who are tired of dealing with spam comments!  If you have any questions let me know in the comments — and if you’ve somehow been banned from commenting, send me an email5 ;)

And if you happen to be one of my CSC colleagues from NC State, please feel free to double-check my syntax and make sure I’ve got everything right :D

Have a great night y’all! :)

  1. If you’re not sure what webserver you’re on, check with your web administrator.
  2. This is usually what happens when you submit a form online, contrasted with a GET submission where the data being submitted is embedded within the result URL itself.
  3. This might, in very rare occasions, block a legitimate commenter. I’m not sure if it will ever happen but consider yourself forewarned :)
  4. The default value for these is TRUE, but you can also type in “spambot=TRUE” if you’re a stickler for proper coding techniques.
  5. My email address is located at the bottom of our About page ;)


A “real world” byproduct of overshare

Posted by T. Greg Doucette on Jul 29, 2010 in Technology

Good evening y’all! :)

Unlike last week and the week before, I don’t have a string of almost-ready entries just awaiting editing before they’re posted. There’s been a lot of upheaval going on this past week (some of it good, some not so much) so I haven’t been as diligent in keeping law:/dev/null as up-to-date as usual :beatup:

I’m making an exception today, though, because this dovetails with my comments to you about Facebook and overshare in last week’s TDot’s Tips entry on tightening up your digital life.

From today’s article at msnbc.com:

Details of 100 million Facebook users published online
Users’ personal information cannot now be made private, security consultant says
updated 7/29/2010 8:59:38 AM ET

The personal details of 100 million Facebook users have been collected and published online in a downloadable file, meaning they will now be unable to make their publicly available information private.

photo courtesy of msnbc.com

However, Facebook downplayed the issue, saying that no private data had been compromised.

The information was posted by Ron Bowes, an online security consultant, on the Internet site Pirate Bay.

Bowes used code to scan the 500 million Facebook profiles for information not hidden by privacy settings. The resulting file, which allows people to perform searches of various different types, has been downloaded by several thousand people.

This means that if any of those on the list decide to change their privacy settings on Facebook, Bowes and those who have the file will still be able to access information that was public when it was compiled.

Bowes’ actions also mean people who had set their privacy settings so their names did not appear in Facebook’s search system can now be found if they were friends with anyone whose name was searchable.

‘Scary privacy issue’
On his website, www.skullsecurity.org, Bowes said the results of his code were “spectacular,” giving him 171 million names of which were 100 million unique.

“As I thought more about it and talked to other people, I realized that this is a scary privacy issue. I can find the name of pretty much every person on Facebook,” he wrote.

“Facebook helpfully informs you that “[a]nyone can opt out of appearing here by changing their Search privacy settings” — but that doesn’t help much anymore considering I already have them all (and you will too, when you download the torrent). Suckers!”

“Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details,” Bowes added. “If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)”

He said he discovered the top first name in the list was Michael, followed by John, David, Chris and Mike. The top surnames were Smith, Johnson, Jones, Williams and Brown.

A privacy expert expressed concern at the implications of Bowes’ actions. Simon Davies, of campaign group Privacy International, told the BBC that some Facebook users “did not understand the privacy settings and this is the result.”

“Facebook should have anticipated this attack and put measures in place to prevent it,” he told the BBC. “It is inconceivable that a firm with hundreds of engineers couldn’t have imagined a trawl of this magnitude and there’s an argument to be heard that Facebook have acted with negligence.”

‘A little terrifying’
Some users of Pirate Bay shared his concerns.

“This is awesome and a little terrifying,” lusifer69 wrote on the site. And another, Porkster, said: “I don’t think this is a hack, but a collection from public domain info that people have shared. The importance of the info is structuring it and allowing someone to search or compute the data.”

However, jak322 said: “I’ve got to say, who cares. All the info here is already in the public domain, is not sensitive and as a developer I already have access to what could be deemed personal and private data through the Facebook API.”

In a statement emailed to msnbc.com, Facebook agreed, saying the information on the list was already available online.

“People who use Facebook own their information and have the right to share only what they want, with whom they want, and when they want,” it said.

“Our responsibility is to respect their wishes. In this case, information that people have agreed to make public was collected by a single researcher. This information already exists in Google, Bing, other search engines, as well as on Facebook,” the statement added.

“No private data is available or has been compromised. Similar to a phone book, this is the information available to enable people to find each other, which is the reason people join Facebook. If someone does not want to be found, we also offer a number of controls to enable people not to appear in search on Facebook, in search engines, or share any information with applications.”

© 2010 msnbc.com

The comments in this article notwithstanding, go through your privacy settings and lock down anything in your profile that you may not want permanently open to the public.

It’s true the information that was public when this user-created database was compiled will still be in it — but (i) relatively few people will know about this database so the threat should (hopefully) be limited, and (ii) locking your profile down now will prevent any future access to anyone trying to create a similar or updated database of this information down the road.

That’s it for today. Hope all of you are having a great week! :D


TDot’s Tips: Tighten up your digital life

Posted by T. Greg Doucette on Jul 16, 2010 in TDot's Tips

Hey everybody :)

Today was another mediation day in court as part of my volunteer work with the ADR Clinic at NCCU Law. My co-mediator and I only had two cases, but they both involved actions seeking protective orders to prevent one party from contacting the other. The first case involved a lady being harassed by one (or more) of her fiancé’s ex-girlfriends, including being the target of a fake Facebook profile, a fake profile on some dating site, and so on.

The lady being harassed was justifiably upset, and had initiated a criminal investigation along with bringing every piece of documentation she had to the court hearing. But the ex-girlfriend accused of doing the harassment was adamant that she wasn’t involved at all — claiming that in fact another ex-girlfriend was impersonating her.1 :crack:

The whole hearing was filled with talk of IP addresses, passwords, email accounts and other Computer Science-y stuff.2 I’m convinced they were both being less-than-honest, but at least they got this particular issue resolved for now.

But given how much of our lives are now online, and how trivially simple it is to compromise our digital security, I thought I’d share a handful of easy tips to help you tighten up your digital life :)

Quick disclaimer: In computing, there’s no such thing as “total” security. Everything can be hacked with enough time, ingenuity, and computational effort — and anyone who tells you otherwise is lying to you ;) Your objective as a user is just to make sure that the time / ingenuity / effort that would have to be spent to compromise your security is worth more to the attacker than the value of what you’re securing.

====================
1) STRENGTHEN YOUR PASSWORDS
====================

Passwords are so ubiquitous online that even non-tech-savvy computer users often have several of them. The problem is that we have so many passwords on so many sites that they’re almost impossible to remember without making them simple, which also makes them easy to compromise.

There are a variety of ways hackers try to break passwords. “Dictionary” attacks use regular words as password guesses. “Brute force” attacks try every possible password combination. “Rainbow tables” are used to try and crack encrypted passwords. The list goes on.

You can limit the success of these attacks by making some really simple changes:

  • The longer a password, the better the security. This makes intuitive sense to most people but you’d be surprised by how many folks have passwords of only 6-8 characters. Your password should ideally be twice that long or more, which in turn requires far more effort on the part of hackers to figure it out.
  • NEVER use regular words in your password. Remember those “dictionary” attacks I mentioned? They use dictionaries of common words/names/places (often coupled with numbers) to guess a password. If you’ve only got regular words as your password, odds are good it will be compromised.
  • Use all available character sets. If you’re a user of the Latin alphabet (ISO 8859-1) you typically have 4 groups of characters you can use in fashioning a password: lower-case letters a-z, upper-case letters A-Z, numbers 0-9, and symbols like $ and @. The vast majority of passwords only use one or two of these groups, and that makes them much easier to hack. For example, someone with the 8-character password “thomas08” is only using two groups, so a cracking program only needs to try at most 2.1 billion possible combinations before guessing it correctly (since there are 26+10 possibilities for each character and therefore 36^8 possible passwords). That seems like a lot, but a typical brute force attack using just one computer can guess 30 million passwords every minute. So in the very best case scenario, where the password only gets figured out on the very last guess, this password will be cracked in a little over two months. But slightly tweaking that password to something like “tHom@s08” makes it far more difficult: now all four character groups are used and there are 94 possible options for each character in the password (26 lower-case, 26 upper-case, 10 numbers, 32 symbols) so a hacker needs to try over six quadrillion combinations (94^8 possibilities) — or guessing 30M passwords a minute for roughly 386 years.
  • Don’t re-use passwords across multiple sites. This common-sense principle is also frequently ignored. Password security not only depends on the strength of your password but also the strength of protection used on the website storing it. If something happens where Facebook or Google get hacked and your password is compromised, far more damage can result if you use that same password at other sites. Whenever possible, use a different password at every site you access to limit the problems caused by a security breach.
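Here is a small Python password checker, added as an illustration of the first three bullets (it is not code from the post), that classifies a password by the four ISO 8859-1 character groups, computes the brute-force keyspace, converts it to a worst-case cracking time at the 30-million-guesses-per-minute rate quoted above, and runs a naive dictionary check against a constructed stand-in wordlist. Carrying the arithmetic through with the post’s own examples: 36^8 comes to about 2.8 trillion candidates, which at that rate is the “little over two months” figure, and 94^8 is about six quadrillion, or roughly 386 years.

```python
import string

# Guess rate quoted in the post: 30 million passwords per minute on one machine.
GUESSES_PER_MINUTE = 30_000_000

# Constructed stand-in for a cracking dictionary; real wordlists hold millions of entries.
SAMPLE_WORDLIST = {"thomas", "password", "raleigh", "wolfpack", "mustang"}

# The four character groups the post counts: 26 + 26 + 10 + 32 = 94.
GROUPS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),  # the 32 printable ASCII symbols
}


def groups_used(password):
    """Names of the character groups that appear at least once in the password."""
    return {name for name, chars in GROUPS.items() if any(c in chars for c in password)}


def keyspace(password):
    """Candidates a brute-force attacker must consider: (sum of group sizes) ** length."""
    alphabet = sum(len(GROUPS[g]) for g in groups_used(password))
    return alphabet ** len(password)


def worst_case_years(password, rate=GUESSES_PER_MINUTE):
    """Time to exhaust the keyspace if the password is the very last guess."""
    return keyspace(password) / rate / (60 * 24 * 365)


def contains_dictionary_word(password, wordlist=SAMPLE_WORDLIST, min_len=4):
    """Naive dictionary check: does any listed word appear verbatim (ignoring case)?

    Real cracking tools also apply substitution rules (a -> @, o -> 0, ...),
    so passing this check is a minimum, not a guarantee.
    """
    lowered = password.lower()
    return any(w in lowered for w in wordlist if len(w) >= min_len)


def assess(password):
    """Summary of the properties the post's first three bullets care about."""
    return {
        "length": len(password),
        "groups": sorted(groups_used(password)),
        "keyspace": keyspace(password),
        "worst_case_years": worst_case_years(password),
        "dictionary_word": contains_dictionary_word(password),
    }
```

Calling `assess("thomas08")` reports two groups, a keyspace of 36^8, a worst case of about 0.18 years and a dictionary hit on “thomas”; `assess("tHom@s08")` reports all four groups, 94^8 and about 386 years. Note that the estimator only models an attacker with no knowledge of the password’s structure, which is exactly why the “don’t use regular words” bullet matters more than the raw keyspace.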

====================
2) TURN OFF UNUSED SERVICES
====================

Computers are useful even when they’re disconnected from the rest of the world, but the really fun stuff only happens when computers talk to each other. Accessing websites, sharing files, using Bluetooth accessories — each of these options uses a different “service” on your computer, basically opening a tunnel to the outside world through which other computers can communicate with your own.

If you’re not using a specific service, but the service is still turned on, it’s basically the equivalent of leaving a door to your house wide open. Someone may not come in and steal anything… but why take the chance? :P

Turn off all network services you’re not going to use. The exact details of how to turn things off vary greatly depending on your operating system so I’ll skip detailing it here, but a quick Google search on “turn off unused services” will get you results on how to turn things off in Windows XP, Windows Vista, MacOS X and more.

====================
3) BOOST YOUR WI-FI ENCRYPTION
====================

Wireless communication is rapidly replacing wired networks as the preferred choice for home and corporate users. Wi-fi networks provide far more flexibility in terms of how and where we can use a network, but it comes with a significant security tradeoff: electronic eavesdropping by hackers using readily-available software.

To limit the impact of eavesdropping, encryption algorithms have been developed to secure the data being broadcast over a wi-fi network. Unfortunately some of the most widely used algorithms — specifically Wired Equivalent Privacy (or WEP) — are also the weakest. The WEP algorithm is often the first choice presented to a user setting up his/her home router, even though it has been deprecated by the IEEE because it is inherently insecure. Any WEP-protected network can be compromised in 5 minutes or less with publicly-available software :surprised:

And once someone has access to the unencrypted contents of your wi-fi network, they get to see everything being transmitted by your computer (including websites, passwords, account numbers, and so on).

If at all possible, you should be using at least WPA2 security with a key that follows the same strong-password techniques I mentioned in #1 above. Even the most-secure WPA2 network can be compromised, but it will take so much time/effort that all but the most-determined hackers won’t bother to try.

====================
4) FACEBOOK: LOCK DOWN YOUR PROFILE WITH LISTS
====================

Despite all the outrage regularly heaped on Facebook (not without justification) the social network site deserves some credit for at least trying to have a robust privacy architecture. In addition to being able to restrict access to “Friends” or “Friends of Friends” or “Everyone”, you can also create lists to include whoever you designate — and these lists can, in turn, be used to limit access to parts of your profile.

For example, if you’ve got “friends” on Facebook who you don’t know that well, you can create a list like “People I Don’t Know”, put those folks on it, and then change your privacy settings so no one on that list can see things like your wall or your date of birth or your photo albums.

The reverse also works well: you can block access to sensitive info for everybody (like employers ;) ) and then allow access to selected lists with bona fide friends on them.

The whole process can be tedious and time-consuming, but can be a great help in protecting your identity.

====================
5) FACEBOOK: BE CAREFUL WITH REGIONAL NETWORKS
====================

While we’re on the topic of Facebook privacy settings, many folks join regional location-based networks (“Raleigh/Durham” for instance) without realizing the security implications.

Many of your profile’s security settings are configured by default to allow access to your friends and your networks. But since no email address is required to join a regional network, basically those settings enable literally anybody to join a regional network that you happen to be in, and then have access to your entire profile unless/until you lock it down.

I’ve never joined a regional network myself for that reason, but if you decide to join one make sure to adjust your privacy settings to limit what people in your networks can see.

====================
6) BE AWARE OF WHAT YOU SHARE…
====================

People like social networks because of the sense of intimacy they provide, and that in turn tends to create “overshare” — disclosing information that you’d never reveal if you noticed thousands of people were watching (which they typically are on Facebook and elsewhere).

For example, how many of you have your full date of birth (including the year) on your Facebook profile?

If you raised your hand, did you know that in many states someone’s name and full date of birth are the only things needed to access things like their full voter registration profile… which almost always includes a residential address? Most of us would never randomly announce our birthday in a room full of people, but we do it online without thinking. Complete DOBs on Facebook profiles are a stalker’s dream come true.

This and other information gets shared with everybody every day on social networks. Be aware of what information you’re revealing publicly and how it can be used by others.

====================
7) …AND CONFIGURE PASSWORD-CHALLENGE QUESTIONS ACCORDINGLY
====================

Another example of the security implications of overshare: learning the answers to password-challenge questions.

Those of you who paid attention to the 2008 presidential elections may recall that Sarah Palin learned this the hard way. On most websites, if you’ve forgotten your password typically you can answer one or more “challenge questions” that are supposed to have answers only you know. Figure out the answer, and you get access to the password or the ability to create a new password.

One of the most common challenge questions: “what is your mother’s maiden name?”

Seems innocuous enough, until you notice that the vast majority of women on Facebook include their maiden names in their profile, and many of the mothers have their sons/daughters linked to their profile. I actually once fell into this category: I have my mom listed as one of my parents, but she has her maiden name as part of her profile. So because of that I had to go through several websites and change my challenge-response questions.

The same applies to other information as well. A close friend of mine once blew me off when I told him he needed to do a better job securing himself online, insisting to me that his information was secure and that he’d buy me a fifth of vodka if I could hack one of his accounts. The challenge question to access the website for his student loans was “What was the color of your first car?”… and his profile picture on both AIM and Facebook was him standing in front of his ’98 Wolfpack red Mustang.

Needless to say I enjoyed the vodka :D

Go through all of your challenge-response questions on each site you use, and make sure the answers are information that can’t be easily figured out from your publicly-accessible information on Facebook, Twitter, a blog, or any other sites you use. Otherwise you might be unknowingly giving access to your information to anyone who wants it badly enough.

====================
8) SEARCH FOR YOURSELF PERIODICALLY
====================

Don’t hesitate to occasionally do a search on your name to see if anyone is impersonating you or has compromised your information. We can get free copies of our credit reports each year to verify our financial health, but few folks realize they can easily check the internet to detect if their information has been compromised as well.

Besides, odds are good potential employers are going to do a Google search on you as part of their background check anyway. Shouldn’t you already know what they’re going to find? ;)

====================
9) LIMIT WHAT E-COMMERCE INFO YOU STORE ON VENDOR SITES…
====================

Along with your passwords being at the mercy of a website’s security, the same is true for any credit/debit card information you store with a vendor. Stories of vendor databases being hacked and credit cards being revealed are all over Google yet people still choose to store that information on vendor sites for the sake of convenience.

Don’t do it.

I know it’s annoying to go grab your credit/debit card when you want to make an online purchase, especially if it’s a website you use frequently. But the inconvenience that can be caused by your credit card being compromised by hackers is far bigger than the minor inconvenience of entering in a number each time you use it.

If you do choose to store credit card information online, see if your banking institution provides an automatic card number generator. These are slowly becoming more common with banks and essentially let you create a bunch of “temporary” card numbers linked to your real account, with different restrictions on how long they last or how much money can be charged to them. Using these temporary numbers limits the fallout if a vendor’s database gets hacked.

====================
10) …AND MOVE QUICK IF SOMETHING IS WRONG
====================

If, God forbid, you have the misfortune of having your identity stolen — or being harassed by your fiancé’s ex-girlfriends — make sure to move quickly.

Certain information about you is logged every time you do something online. For example, just by reading law:/dev/null or any other blog your computer has shared your IP address (the numeric address designating what computer you’re using to access the site), the browser you’re using, your operating system, and so on. Almost every single site you ever access, especially things like social networks or financial institutions, keep all this information in case it’s ever needed by law enforcement.

The catch is that a lot of this info is only stored for 30 days. If someone has hacked into your email or your Facebook account or something similar, you’ve got a narrow window of time to notify law enforcement to help catch the people responsible. And if someone has obtained your financial information, usually you have to notify your bank immediately to use any identity theft protection they might offer.

Theft of your personal information is one of those instances where procrastination is a certifiably Really Bad Idea™ ;)

***

Hope y’all find this info useful :) And if you have any computing security tips of your own, feel free to share them in the comments! :D

Postscript: I’d also like to thank professors Sammie Carter and Dr. Annie Antón for their respective Introduction to Computer Security and Privacy Policy, Technology & Law classes at N.C. State. Even though I was among their worst students, I promise I really did learn some things :)

—===—


  1. It was at least a plausible claim, as the criminal investigation had apparently implicated two other ex-girlfriends in addition to the defendant in this case :crack:
  2. It was entertaining watching their reactions when they found out it was my major at NC State.


Copyright © 2021 law:/dev/null All rights reserved. Theme by Laptop Geek.