Most of my work is available publicly, but some development is hosted on a private SVN that’s hidden behind a firewall. Unfortunately, my primary development server is on the wrong side of that particular firewall, so I use the following command to bridge the gap:

ssh -R 1980:svn_host:80 username@dev_server.com

That creates a reverse tunnel through my laptop to the SVN server and allows me to checkout code using the following:

http://localhost:1980/path/to/trunk

I’m posting that because I lost my terminal command history and had to think for a moment about how to do this again.

Years ago I used to tunnel my outgoing email to an un-authenticated SMTP server that only accepted outgoing messages from hosts on the local network. That was fairly common back in 2000 or so, but obviously made life (or communication) difficult for people at home or on the road. The easy solution was to SSH to a machine on mail server’s local network and forward emails through it.

ssh -L 1925:email_host:25 username@ssh_host

Doing that, I was able to configure my mail client to send outgoing emails using a server configuration like the following:

SMTP host: localhost
SMTP port: 1925

A quick Google search of klaomta.com reveals more than a few people wondering why it’s iframed on their websites. The answer is that the site has been compromised.

Unfortunately for the fellow who asked me the question at WordCamp, solving the problem can be a bit of a chore. Keeping your WordPress installation up to date is important, as there are some known security flaws in older versions, but most of the attacks that crackers use are targeted elsewhere. Your passwords, all your server apps, the PHP config, your hosting control panel, and other users all must go under the microscope when trying to find security holes.

Stefan Savage, speaking in a segment on March 13’s On The Media, asked:

The question I like to ask people is, what are you going to do to the highway system to reduce crime. And when you put it that way, it sounds absolutely ridiculous, because while criminals do use the highway, no rational person is suggesting that if only we could change the transportation architecture that crime would go away.

Savage was speaking on the matter of internet security, and his comment was a counterpoint to a number of commentators who suggested the only way to secure the internet would be to replace the internet. This notion that we need a smarter internet has been around for a while, but its proponents have forgotten that the basic dumbness of the internet is the foundation of its success.

Mike Neuenschwander, for one, was ecstatic that the On The Media segment didn’t “slide into a futile discussion on the merits of world peace,” and followed Savage’s point with considerable discussion about the difference between the network and the social structure of trust. (In contemplating a recent NY Times story on this subject, Computing Community Consortium also quoted Savage on this point. The Coolest part: Savage commented to explain more.)

Near the end of the piece, Jonathan Zittrain explains why attempts to impose more limitations on the internet are so dangerous to the future viability of the internet:

so much of the code we now think of as central and crucial and cool and revolutionary is code for which, when most rational people first see it, their reaction is, what’s the point?

Zittrain offers Twitter as an example, but Ray Tomlinson offers an even better one. According to the legend, the man who invented email told his friend “Don’t tell anyone! This isn’t what we’re supposed to be working on,” as he first demonstrated the application that would eventually become the internet’s first killer app.

This is an old one, but because I’m in the air again today it’s worth digging up this up. Defense Tech long ago pointed out The Identity Project’s position on showing ID for air travel:

If a 19 year-old college student can get a fake ID to drink, why couldn’t a bad person get one, too? And no matter how sophisticated the security embedded into the ID, wouldn’t a well-financed terrorist be able to falsify that, too? The answer to both questions is obviously ‘yes’.

Honest people, on the other hand, go to Pro-Life rallies. Honest people go to Pro-Choice rallies, too. Honest people attend gun shows. Honest people protest the actions of the President of the United States. Honest people fly to political conventions. What if those with the power to put people on a ‘no fly’ list decided that they didn’t like the reason for which you wanted to travel? The honest people wouldn’t be going anywhere.

WordPress 2.7 requires that plugins explicitly white list their options using a couple new functions. WordPress MU has required this security measure for a while, and it’s nice to see an evolved form of it brought to the core code. Migrating Plugins and Themes to 2.7 article in the codex offers some guidance, but here’s how it works:

First, register each option for your plugin during the admin_init action:

function myplugin_admin_init(){
	register_setting( 'my-options-group', 'my-option-name-1', 'absint' );
	register_setting( 'my-options-group', 'my-option-name-2', 'wp_filter_nohtml_kses' );
}
add_action( 'admin_init', 'myplugin_admin_init' );

In the example above, the value for my-option-name-1 will be filtered by absint before being saved to the options table. my-option-name-2 will be stripped of any HTML by wp_filter_nohtml_kses.

Then build a form like this prototype:

<form method="post" action="options.php">
 
<?php settings_fields('my-options-group'); ?>
 
<input name="my-option-name-1" id="my-option-name-1" type="checkbox" value="1" <?php checked('1', get_option('bsuite_insert_related')); ?> />
 
<input name="my-option-name-2" id="my-option-name-2" type="text" value="<?php format_to_edit( get_option( 'bsuite_insert_related' )) ?>" />
 
<input type="submit" name="Submit" value="<?php _e('Save Changes') ?>" class="button" />
 
</form>

Easy.

Presidential Limos are armored, yes, but Gregg Merksamer reveals that George W. Bush’s limos sport five-inch thick glass, more than twice as thick as in Clinton’s limo. Merksamer should know, he wrote the book on so-called “professional cars”. He says half an inch is enough to stop a .44 magnum at point blank range, and BMW’s X5 “Security” model features only a little more than that. So what’s it mean when a person needs ten times that amount?

GreenSQL promises to protect SQL databases against SQL injections.

GreenSQL works as a reverse proxy and has built in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc).

Amanda Mooney posted a note about being told she needed corporate permission to take a picture in a store. Mooney’s interest was in telling others how much she likes the products and the brand — exactly the sort of word of mouth advertising most brands are anxious for, but imagine some more pedestrian uses: what about the customer who wants a friend’s opinion about a new skirt? Can that customer snap a cell phone pic to send?

Meanwhile, Bruce Schneier reports on increasing limits to photography in public spaces and the supposed link between terrorist threats and photography. It’s nonsense, he says, but the trend is increasing.

Taking and sharing pictures builds community. Flickr knows this. Facebook, with more than 14 million photo uploads daily, knows this. What exactly are public officials and sales executives worried about?

(photo credit: Xava du)

I’ve been pretty aware of the risks of SQL injection and am militant about keeping my database interactions clean. Mark Jaquith today reminded me about the need to make sure my browser output is filtered through clean_url(), sanitize_url(), and attribute_escape(). Furthermore, we all need to remember current_user_can(), check_admin_referer(), and nonces.

Corporate networks are defenseless against the growing threat from instant messaging, and the government warns WiFi is insecure and easily sniffed.

Experts suggest we take precautions against the growing risk of p2p software that’s exposing sensitive documents and threatening national security.

Businesses blame security problems on their employees, their mobile devices, and other consumer technologies.

And now we have MySpace.

I Am Not A Terrorist.

I AM NOT A TERRORIST.

I am not a terrorist.

Democracy Now!

Burning Patriotism!

air travel, Arabic, civil liberties, freedom, I am not a terrorist, security, t shirt, terrorism, transportation security administration, tsa, We will not be silent

The Mercury News’ QA on carry-on restrictions answered a big question I had:

Q Can I still carry my laptop, cell phone and iPod on board?
A Those items are still OK as long as you’re not traveling to or through the United Kingdom.

But a Reuters story posted at C|Net suggests the restriction on liquids won’t be going away any time soon.

Draconian restrictions on carry-on baggage may stay in place for months, even years…

None of this, of course, has anything to do with the mid-term elections and everything to do with our new understanding of evidence first uncovered in 1995.

Extra: Java Cafe’s photo of the flight home.

air travel, baggage, carry-on, carry-on restrictions, cream, creams, electronics, fluid, fluids, flying, liquid, liquids, liquids on a plane, restrictions, security, who the fuck brought this motherfucking beverage on this motherfucking plane

If I didn’t like flying, or at least if I couldn’t tolerate it, I wouldn’t making my third distant trip in as many months. And though I know many others spend a whole lot more time in planes than I do, I still think Vasken has a bit of a point in the following:

I couldnt help thinking about the horrid dichotomy that is airline travel… on one hand, my flight from Philly to Manchester takes 50 minutes, or 6+ hours less than the trip takes in a car–on the other hand, it took me 5 hours to get from my house to the place I was staying in PA, a savings of a mere 2 hours. Looking back, the stinking train ride took a full hour to transport me a whole 10 miles, the drive home was another hour (45 miles), and the security line comes in dead last (a full 15 minutes for 20 feet). The 50 minutes in the air? 350 miles, and they bring you drinks. What a marvelous technology, rendered almost useless by the inadequacies of American public transit and the paranoia of its citizens.

Anyway, see you in Corvallis.

travel, airlines, air travel, flight, flying, time, security, wasted time, vasken hauri, flying time, trasnportation

The Mozilla docs on JavaScript security give a hint of hope that signed scripts will work around the cross-domain script exclusions that all good browsers enforce. But an item at DevArticles.com throws water on the idea:

Signed scripts are primarily useful in an intranet environment; they’re not so useful on the Web in general. To see why this is, consider that even though you can authenticate the origin of a signed script on the Web, there’s still no reason to trust the creator. If you encounter a script signed by your company’s IT department, you can probably trust it without much risk. However, you’d have no reason to think that a party you don’t know—for example, a random company on the Web—is at all trustworthy. So they signed their JavaScript—that doesn’t mean it doesn’t try to do something malicious! And if it did, most users would have no way of knowing.

In short, most browsers will pop up a scary looking security window asking the user what he or she want to do, and the chances of the user hitting the button marked “no, I don’t dare allow cross-domain XMLHTTPRequest calls” are at least 50-50. And, even if they weren’t, who would tolerate that message appearing regularly?

tags: cross domain, cross domain script exclusion, cross domain scripting, internet security, intranet environment, javascript, javascript security, mozilla, security, security components, signed script, signed scripts, web scripting, web security, xdomain, xmlhttprequest

Gary Wolf wrote in the June issue of Wired about how smart mobs in New York’s World Trade Center outbrained the “authorities” and enjoyed higher survival rates because of it. Wolf is talking about the NIST report on Occupant Behavior, Egress, and Emergency Communications (warning: PDFs). There’s also this executive summary and this looks like a mind numbing PowerPoint presentation (also PDF). So, what about it?

For nearly four years – steadily, seriously, and with the unsentimental rigor for which we love them – civil engineers have been studying the destruction of the World Trade Center towers, sifting the tragedy for its lessons. And it turns out that one of the lessons is: Disobey authority. In a connected world, ordinary people often have access to better information than officials do.

Wolf talks about news coming in via cell phone and Blackberry, people making informed decisions that contradicted the authorities, and doing so calmly and efficiently.

We know that US borders are porous, that major targets are largely undefended, and that the multicolor threat alert scheme known affectionately as “the rainbow of doom” is a national joke. Anybody who has been paying attention probably suspects that if we rely on orders from above to protect us, we’ll be in terrible shape. But in a networked era, we have increasing opportunities to help ourselves. This is the real source of homeland security: not authoritarian schemes of surveillance and punishment, but multichannel networks of advice, information, and mutual aid.

As wolf says, “question authorities.”

Thanks to DefenseTech for the link.

Technorati Tags: authorities, authority, blackberries, civil engineers, communications, defense, disaster, disobey, egress, elevators, emergency, evacuees, question, question authority, report, review, security, smartmob