Category Archives: Web

Too Little, Too Late – or, Why You Shouldn’t Care About Companies Having Your Private Data

Every time facebook or Google or Apple updates their terms and conditions, the collective internet blows up with articles about how our privacy is slowly being lost and warning us to turn on privacy settings or cancel our memberships altogether. Without getting into the technical details, I will attempt to show you why you have no need to worry: this has been going on since the inception of the internet (and even before with your credit/debit card, employment forms, surveys, catalog subscriptions, invoices, ticket purchases and so on).

Internet-Privacy

Basically, every time you do anything via internet (read email on your desktop, get a push-notification from Twitter on your smart phone or stream a video on your tablet), nearly all your personal information is being sent around to different companies. That is because you or your household signed a contract with an internet service provider (ISP) who assigns you an internet protocol address (IP address) so they can monitor your traffic and connect you to the internet backbone. Whenever you send a request for a web page or an image or an email, this IP address, which is directly linked to your name/address/credit card/phone number, is sent all the way through your ISP to various companies who facilitate the core functionality of the internet, to the final destination, and back. Not only that, but the exact device you are using has a worldwide unique address that is also known by at least your ISP.

This means at the very least your ISP (or mobile service provider, if you are surfing on your mobile device; and the ISP of whoever’s WiFi you are using) knows who you are and where you are at all times. And they send parts of this information as part of every request for information on the internet. Usually only the IP address is sent, but that’s enough to locate you to within a town or even city block, due to the way IP address are assigned throughout the world (think: postal codes). And you simply cannot stop anyone whose website you open or mobile application you use from looking up your general location. They need your IP address in order to give you the content you want!

Now of course today we have many devices with GPS buit-in and even accelerators to measure our current speed (useful for navigation systems and games where you have to physically move the device around). Each company that develops websites or applications that want to use this very specific data, as well as other personal data like name, address, e-mail, credit card, password, has to explicitly ask you for your permissions. For example: for instagram to be able to post your activity to twitter, it needs your permission to do so. It’s pretty simple. If you don’t want it to do that, you can either turn off that feature or not use instagram.

So… if you’re worried that some company out there has too much information on you, try to turn off those features in the privacy settings. If they do not offer to turn off those features (meaning they need your GPS or e-mail in order to perform their most basic functions), then you can simply delete your account.

However: this does not mean that if you’re ever in trouble somewhere that your government cannot look through ALL your recent internet history and location data to see where the last time you accessed your device was. This also means that if you are on trial for a murder, your government can look through that same information to prove (or disprove) that you were at the scene of the crime. The only TRUE way to not let anybody see what you’re doing online, ever, is to not go online.

Does that make sense or did I go to fast?

The ADHD Generation

Introduction

So, there was this huge deal with ADD/ADHD as I was growing up (let’s say early 90s until 2000), and I knew a few kids who were super hyperactive, and they took medication that calmed them down somewhat.  Later in life, they seemed to be fine, but nonetheless, there was much controversy about too many kids misdiagnosed as ADD/ADHD when they just genuinely required discipline.  Fast-forward fifteen years to 2013…

In an attempt to get in touch with the generation of kids ten to fifteen years younger than me, I became an active member of an online humour community.  I had already seen these “internet memes” become trend and receive publicity in the media, and even a South Park episode based on it.  But why is it so popular and what exactly is popular and why do they do this?  Without going into boring details, here’s what I found out about people born roughly between 1995 and 2005:

College Students Have the Right Idea

It would seem those born near 1995 (those entering college or already enrolled) seem to have a good grasp on social issues.  They know they are the next generation, and thirst for knowledge and wisdom.  They take notice of global socioeconomic and political issues and even start forming opinions other than those imposed on them by their parents and professors.  They also have held onto their childhood.  These guys grew up playing pokémon and Call of Duty and Halo and are used to phenomenal graphics, and missed the big internet boom of the late 90s, or, rather, were five or six years old when it happened, so they got the very best of the internet and learned how to properly make use of all the technology that the older generations were creating for them.

This makes them an effective work-force and their minds are sharp and they are keen on learning and on gathering information.  Perhaps the only downside is the slight generation gap they might be feeling.  They spent a lot of time on video games and internet in their youth, and that continues today.  I spent my fair share of course, but I didn’t have life-like graphics and online play to keep me glued to the TV/Computer for days at a time.  I had the feeling that at first meeting, they seemed very set in their ways and egoistic.  They had all the answers because they figured out how to use all that technology by themselves and didn’t need any new ideas from any older generations.  But after some intelligent chat, many of them opened up and some friendships even started to form.  The younger we get, the more these two opposites start to change places…

High School Students are Preoccupied and Unknowledgeable

My browser tells me that is not a word, but whatever.  High school kids are bombarded by the constant media, and have all the latest gadgets that their hard-working parents bought for them.  The high school teachers are much older and wiser, but often lack the necessary tools to get that wisdom and knowledge across to them.  It would seem that people in this age group are hyper-focused on their immediate surroundings/situation and unless something can appeal to them and keep them entertained for the next fifteen seconds, they’re going to ignore it.  I imagine most of them can sit in a 40-minute class period and tweet/check e-mail/facebook / play games on their smart-phones while still seeming to pay attention.  They might get engaged in some classroom participation for a few moments, but then trail off to whatever it is they are doing.

However, these bunch of “ADHD” kids are also hyper-productive.  They scour the internet for the latest buzz, and most often re-use all the “internet memes” (most often meaning pre-made images where they can enter their own text to give the reader a short chuckle) and post in various places.  These memes are often way over-used, and are making fun of something that has recently happened in the media.  Miley Cyrus did that “twerking” thing at the VMAs, and all of a sudden the internet was flooded with a bunch of posts making fun of her – in every way imaginable.  These ranged from incoherent “hey look, I also made something culturally relevant” to a short chuckle, at best.  But they seem to live for the instant gratification of getting a “like” or a comment on something they made.  Back in my day (now I sound old) we told jokes to each other in school, and waited until the next day in order to have the opportunity to talk again.  Of course good friends did sometimes call each other, but it wasn’t the norm.  Today’s high school students have had smart-phones and facebook and twitter since they were 10, so they’ve been utilising/over-using these technologies since then.

However, due to their mass use of all these social technologies, and the fact that these technologies haven’t really changed the last five years, these guys have basically migrated their social lives to completely online.  You wouldn’t believe the stories of people going out on dates, super socially awkward, and then the flood of posts in every conceivable online community about every single detail, utilising every available meme and method to make their online presence look as best/funny as possible.  A short example:

OMG MY DAD JUST PICKED ME UP FROM MY DATE WITH STEVE AND HE LOL’D SO HARD I THINK HE THINKS HES A GIRL BECAUSE HE HAS TITE JEENS AND GURLY FEATURES. #FML #YOLO #DADS

Yeah, that was pretty terrible.  And they really do just write run-on sentences in all-caps and hack up the English language.  But it’s SOOOO cool these days to convey how you are feeling by talking fast with no breaks and hash-tagging as “fuck my life” (FML) or make fun of your parents or whatever.  Like I said earlier, these guys are mega-ADHD and can’t even stop for one second.  And every generation of high-schoolers had their fair share of drama – they are still in their suburban plastic bubble and want to imitate what they see on TV, the movies, and in their parents’ lives.

But all this has made them generally unknowledgeable.  They don’t pay attention in class, and don’t have the patience to learn how to properly use the technology.  The just type away, hit “send”, and refresh the page until somebody comments or likes their post/content.  Before attempting to figure out how to use a new feature of a website they frequent, they either complain about it for a few weeks or write their more knowledgeable friends on how to do it.  It’s sad, but that’s what seems to be going on – and it gets worse as they get younger…

Twelve-Year-Olds Have Probably Seen More Porn than I Have…

That’s right.  You wouldn’t believe the amount of explicit pornographic material I’ve seen on some of these sites.  And the people who post them?  They’re twelve to fourteen years old.  There’s a huge masturbation culture – “fapping” it’s called (I assume due to the sound it makes).  In my day we all masturbated as well, but we sure as hell didn’t talk about it or share links to our favourite porn sites – what if our parents found out?  And at some point that was over and we started looking for relationships with real girls, and didn’t have to worry about what would be posted about us after we went on a date.  But ten to fourteen-year-olds should be holding hands and kissing, right?  Well that’s the funny thing – they would appear to have seen every kind of porn imaginable (I’ll get to that in a moment), and supposedly  jerk off all the time, leaving them little time for homework or outdoor activities, let alone any kind of pseudo-sexual advances toward real-life people.  This affects both boys and girls.

This might scare you, but there seems to be a huge trend toward really freaky sexual stuff – like boys fantasizing about sex with cartoon ponies rather than busty women.  The Japanese hentai and its sub-genres of weird octopus-sex, graphic nubile orgies and much, much more, seem to be commonplace.  People laugh about it online, and trade pics, and talk about which one they like to masturbate most often to.  I find this somewhat disturbing, but I have hopes that this early sexual peak might produce a less sexually-charged/fixated generation that might even turn out to be super-geniuses by the time they hit twenty.  Only time will tell…

Conclusion

What should we conclude?  Well, if you’ve ever talked to me or read a post I’ve written, you can gather that it will be some sort of Utopian hippie-bullshit answer.  Well, that’s exactly what it is!  I’ve already seen examples of teachers embracing this cringe-worthy culture in an attempt to gain their attention.  It seems to work somewhat – a lot of kids talk about how cool their teachers are and post pictures of their failed tests where the teacher has used memes like “Y U NO STUDY?” or “I don’t always fail my students, but when I do, I try to give them a second change (see me after class)”.  Will this work?  Maybe.  There has always been a rather large proportion of students who don’t succeed in school and go on to be the major work-force while their more diligent colleagues go on to earn big paychecks in science, engineering and business industries.

What can we do?  Talk to them – try to peak their interest.  Once in a while, one of the ADHD kids will post something about “wow!  have you ever put two mirrors face to face and looked inside?  #blewmymind #crazyshit #fuckingscience” and I reply with a long-winded and whimsical basic explanation of how light particles work, and how the human eye works, and at the end pose some deep philosophical questions about “is seeing really beliving?” and so on.  You wouldn’t belive the response!  A lot of them respond positively, saying things like, “wow, ur smart” or “yeah, my dad said something like that but I didn’t listen.  Very interesting….”  And I even get into some lengthier conversations about what they think about life thus far, and they ask questions about my life, and I try to encourage them to take time from their online lives and contemplate the universe (in a crafty way, of course).

Each person can find his/her way to accomplish this, but I think it very necessary.  These are the ones who will be going to Mars – not us.  Of course we’re not all gone, yet, and still need to pursue our individual goals and make the world a better place, but if we can get the younger ones to think about life at that age, then probably a lot of the current problems will start melting: the entertainment industry will be forced to make better, more socially and intellectually engaging films/albums, and every business can stop sinking billions of dollars and hours into social media shit and concentrate on producing great products for a better society.

New Internet Memes

I know you are all just itching to find out what the newest thing on the internet will be. Look no further! I have it all sorted out and taken the liberty of posting a few examples:

Being

Have pictures taken of you, your friends, or just random objects doing what they inherently do: exist.

being near rocks
here’s a bunch of hipsters just being…

Peeing

We can all have a lot of fun with this one.  Let your imagination “pee” the limit as you take to the streets, the forest, the grocery story with your cameras and get this piss-party started!

be sure and drop off your package at reception
a great date idea, kids!
don’t be afraid to sit down on the job. everyone deserves a break every now and again…

Sleeping

Take this age-old religious practice and spice it up for the year 2013!  I see it’s already somewhat caught on, but here’s a few examples anyway:

this kid’s got the right idea!
even cats can get in on the action!

Vintage Meta-Fooding

This newest craze has started sweeping the nation.  The idea here is to take pictures of people taking pictures of their food, most likely to be put through a “vintage” sepia filter, so we have to add our “vintage” filters too…

angles make all the difference
vintage meta-fooding can be fun!

Nothing

And the last newest, latest and greatest internet meme will be the “nothing”.  Not sure how it works?  Here are a few examples:

it’s nothing! and it’s fun! and edgy….
here’s another nothing. this one makes me laugh every time

Well, folks – I hope you continue to use the internet safely and responsibly!

Preventing Server Attacks

First of all, I don’t claim to be an expert in linux, server management, or security.  But I’ve been doing this a long time and have dealt with many MANY problems and always seem to find a solution.  However, I’ve mostly been working on other people’s servers or working on VPS (Virtual Private Server) or a managed server, and so often didn’t have to deal with “hacking” (for lack of a better term).  However, I’ve purchased a few of my very own servers over the past few years, and just this last month I started running into some of these problems.  My goal here is just to outline the problems I face(d) and how I solve(d) them.

Symptoms

Well, basically my server was unreachable (could not ping or log in via SSH or even remote console).  I restarted the server, and everything was OK.  It went down again within minutes, so I restarted from the remote console, disabled the networks and had a look at the log files.

Shell Login Attempts

I was getting about 30 shell login requests per minute.  Ok, so I looked on the net for a solution, and it was clear: IP tables.  But how to automate login attempts and ban the IP addresses?  fail2ban.  After installing and configuring, my server was back on track for the next 2 days or so.

SMTP Login Attempts

Ok, so now we got the same thing going on: multiple failed attempts at SMTP login.  My servers uses dovecot to handle mail, so I did some research as how to do something similar as fail2ban for these types of requests.  My answer was found at the dovecot wiki.  So, I got that all set up and working, and again, my server was ok for a day or two.

Reverse DNS-Lookup

So lat night my server was again unreachable, so I again logged in via remote console, closed the networks and had a look at the log files.  It seemed that I was getting quite a few reverse DNS lookup requests.  Here it gets a bit tricky, and I’m not 100% sure of my solution, or even if it is the biggest of problems.

In this case, I’m referring to asking an IP address which domain name/server name is the default.  This is actually an important feature for mass-email programs (newsletters and such).  When a relatively large e-mail provider (say, gmail), sees that 100,000 of its users are receiving similar mails, then it’s probably going to check out which IPs are sending them out, and maybe even make sure that the IPs are linked with the domain in the From: MIME header.  That’s why I always try to use trusted mailing-list providers when I or a customer wants to send out mass e-mails.  But that’s another story for another time.

In any event, based on my research, I concluded that indeed this was a form or hack on my system.  I concluded that because my error messages were exactly like the ones described at Boston Conman.  He describes it there in quite good detail, and concludes in part 2 that a good firewall should take care of this.

Firewall

So I went into aptitude and searched for “firewall”.  The first one that came up was apf-firewall.  It seemed pretty decent, modern, easy, and powerful, so I gave it a shot.  I went through the config file and set it up to meet my needs.  This is an IMPORTANT step, as it explains every feature in good detail, and the default settings are such that it won’t work.  So you really have to read the fine print, and most often a value will be suggested to you.

Firewall + fail2ban

I now knew that I had 2 programs communicating with IP tables, and this could be problematic.  So after a quick search, I discovered how to use apf-firewall and fail2ban together.

Apache mod_security

I mention this first here perhaps only for hierarchical reasons, but actually the first thing I did in this whole process was install mod_security for my Apache server.  However, after installing apf-firewall and fail2ban, I decided to see if mod_security would also play nice.  It turns out the fail2ban wiki has all the answers.

Conclusion

I just had to write this article now, because I noticed I’ve already put a bunch of work into this, and of course it could be that in 2 days my server will again come crashing down.  But I see this at the moment as a “good thing”.  I’m finally getting my feet wet, so to speak, in real-life server security.  It’s only very strange that none of my other servers has this problem, although I went with a pre-install with plesk (ugh! don’t get me started), and they have their own firewalls built in.

If you’re inclined to bullet-points:

  • mod_security for Apache web server
  • firewall (I chose apf-firewall)
  • fail2ban (configured to work with mod_security, dovecot and firewall)

So, I hope this to be the end of my “hacker woes”, but if not, I’ll keep you updated!

Update

So, everything worked fine again for a few days, and again the server became unreachable, even through the remote serial console.  I ordered a new server and moved everything over.  That was 3 days ago, and since then, I’ve had no problems.  Therefore, I would conclude that I had a bad modem, despite all the successful hardware tests.  Oh well, at least I got to whet my whistle in the wonderful world of server protection.  I hope you had as much fun as I did!