Monday, 15 January 2007

I know, I know... All us security pros are often looked upon with disdain. We "make your job harder" and "come up with policies and rules that make it impossible to do any work." On those exaggerated points we can agree to disagree. We have to strike a balance, which can be hard to do at times, and below is just one of many, many reasons why. I wish I could discuss all the Bad Things(tm) that cause us to do the things we have to do, but unfortunately that's not always possible.

A recent YouTube video shows how a simple browser address typo can result in a complete mess, from a security standpoint. And in the grand scheme of things, this particular security issue is relatively small.

But for the average computer user it's a big deal. Take a look for yourself.

The dramatic accompaniment music is fun (and superfluous), but the threat is real, and not fun. Imagine how you would respond to this problem. Or would you even respond? Many people just pretend it didn't happen and keep on using their computer. I can't tell you how many times someone has told me, "I have a virus on my computer, it's been there for a couple months and it keeps getting worse."

And the whole time they use their computer to do online banking, pay bills, and all those things that should be protected.

Add/Read: Comments [1]
Monday, 15 January 2007 12:56:24 (Pacific Standard Time, UTC-08:00)
#  Trackback

I recently moved the greghughes.net domain (web site, mail and everything else) to a godaddy.com virtual dedicated server. In doing so, I lost the anti-spam services that were previously provided by my old web host. Needless to say, the resulting load of spam was fairly overwhelming. My prior host had an appliance out front that caught the better part of the junk email headed for my email server, but a fair amount still got through. At any rate, the move and resulting lack of junk mail protection necessitated a thoughtful look at the options out there.

My criteria were as follows:

  1. Needs to be software I can run myself. I've had my fun (yeah, that's sarcasm) with expensive services that are not overly effective. Complicated billing, archaic payment systems (invoices without a dollar amount? what?) and a couple hundred bucks or more a year was not for me.
  2. Preferably open-source. Nothing solves problems that plague the community like the members of the community, so I figured there must be something out there that the afflicted masses build and maintain.
  3. It had to stop spam, not just identify and tag it. My email server (MailEnable) is already capable of detecting and "flagging" emails as spam, but that doesn't stop it from getting to my mail server in the first place. The goal was to prevent, not react. So I was looking for a gateway-like solution - something that receives all the inbound email, checks it, and forwards on only the good stuff.
  4. It needs to learn how to act. Static rules don't work. We see it in the fraud world, and it certainly applies to spam battles, as well. The system has to be able to learn and adapt and operate in the context of my email accounts.
  5. It needs to be kept current. An open source project that no one has worked on for six months or more is likely a dead project, and that won't get you anywhere in a world where the landscape changes constantly. Spammers change tactics a lot, and the tools to prevent spam have to evolve to keep pace.

I did a bit of research, and frankly I came up with very little that met all my criteria. Sure, there are a whole slew of commercial products out there, but as I said before, I was looking for open source and free (or very close to it). I'm not looking to buy.

The one thing I found that truly seemed to fit the bill was ASSP, which stands for Anti-Spam SMTP Proxy. It's an open source, Perl-based gateway application that you can run on any operating system that supports the Perl interpreted language (which is pretty much all of them). It requires Perl v5.8 and a specific set of Perl modules, and it can be run as a daemon/service. ASSP has been updated about every two months in the recent past, with the most recent update having been in December (as of the time of this writing).

"The ASSP server project is an Open Source platform-independent transparent SMTP proxy server that leverages numerous methodologies and technologies to both rigidly and adaptively identify spam."

I quickly downloaded the ASSP files, installed the necessary Perl modules and was on my way. I had the ASSP service up and running within just about 15 or 20 minutes. Note that to get the app to run as a service, you will need to manually edit the config file and set the flag in there to specify that you want to run it as a service, or else the only way you'll be able to get it to start is on the command line. Alternatively, you can start ASSP from the command line, access the web admin interface, and change the setting there. Once you do so, you'll be able to start the Windows service or run the daemon in Linux or whatever OS you're working with.

The first thing I did after getting the service set up was to access the web administrative interface and change the default admin password. Do that first. Please. Then I put all of the anti-spam options into "training" mode and I specified a few of the basic server settings (like my domain and email account). I set it up to accept all inbound connections for email (SMTP) from the Internet on port 25, and to forward all emails that are determined not to be spam to the MailEnable server on another (unused) port. Since the MailEnable SMTP server is on the same host, the configuration and security setup was pretty simple. Of course, I then spent some considerable time looking through the many, many settings available. It's cool stuff, but you don't have to tackle it all right up front.

It's worth mentioning here that the ASSP wiki has a lot of good information about setting your system up. Be sure to refer to that resource. If you do, you can be up and running in no time. If you don't, you might just wish you had. Remember, always read the freakin' manual before you ask questions. Heh.

The training mode actually results in all email being delivered (not blocked), but it adds some header information to the email which you can read if you like in order to determine whether or not the ASSP system is flagging it as spam. I actually set up my Thunderbird client with a rule to look for the ASSP header and if the spam flag was true, to move the email off to another folder.

What you are supposed to do during this training period is to categorize the good and bad email, and in doing so tell the ASSP service how to treat the email it sees coming in. I used the email interface for submitting spam and good mail to ASSP for about a week before I turned training mode off. Reporting is very easy. I specified two email aliases in the ASSP system, such as spam-no@greghughes.net and spam-yes@greghughes.net (those are not the actual addresses of course) and on a regular basis forwarded groups of email back to the ASSP service that fit into each category. In fact, I even went back into my archive of valid email from before installing ASSP and forwarded a bunch of it to the system, so it could quickly learn what valid email looks like in my world. Your learning period will probably be about a week or so, or however long it takes you to gather 400 or more spam emails along with some good, valid email.

Once you've provided the system with a corpus of good and bad email, you run a little Perl script on the server to update the Bayesian spam detection database, which is the adaptive learning part of the system. I did this a few times - about daily - throughout the first week. With each update the system got smarter and smarter.

Once spam email was being very effectively categorized by ASSP, I switched the system from learning mode into normal operating mode and also configured ASSP to forward a copy of all spam emails it receives to a separate email account (say something like allspam@yourdomain.com). In doing so I have created a place for the system to provide me with all the spam email so that I can continue to peruse it when I feel like it in order to make sure nothing gets trapped in there as a false positive. But my main email account is spam-free. Initially I found a few valid emails were ending up being categorized as spam, but all I had to do was to forward those to the email error reporting interface mentioned above and then rebuild the database, and now for the past few days I have seen zero false positives. I intend to continue to check that account now and then, just to ensure I don't miss any critical email. It's a quick and easy process, especially since all the spam that is blocked by the system as a result of coming from known spammer sources (RBL lists) never even makes it into the system. So, I'm just weeding through the small remainder of the stuff that the system analyzes and weeds out in the second phase of its analysis.
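To make the tag-then-block workflow above concrete, here is an added Python example of my own (not ASSP's Perl code): a tiny Bayesian gateway that tags everything while in training mode, quarantines flagged mail once training is off, learns from a categorized corpus, and shows the false-positive fix of reporting a message as good and rebuilding. The header names, threshold and the eight-message corpus are all constructed for the example.

```python
"""Bayesian mail gateway in the style the post describes (added example, not
ASSP's code). Training mode delivers everything but tags it; normal mode diverts
flagged mail to a quarantine mailbox (the post's allspam@ account)."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]{3,}")


def tokenize(text):
    return set(TOKEN_RE.findall(text.lower()))


class BayesGateway:
    def __init__(self, threshold=0.9):
        self.threshold = threshold
        self.training_mode = True            # start like the post: tag, never block
        self.words = {True: Counter(), False: Counter()}   # spam / good token counts
        self.count = {True: 0, False: 0}     # messages submitted per class
        self.probs = {}                      # token -> P(spam | token)

    def submit(self, text, is_spam):
        """Categorize one message (the spam-yes / spam-no alias step)."""
        self.words[is_spam].update(tokenize(text))
        self.count[is_spam] += 1

    def rebuild(self):
        """Recompute token probabilities (Graham-style, good mail weighted 2x)."""
        self.probs = {}
        for tok in set(self.words[True]) | set(self.words[False]):
            g, b = 2 * self.words[False][tok], self.words[True][tok]
            if g + b < 2:                    # too rare to count as evidence
                continue
            p_good = min(1.0, g / max(1, self.count[False]))
            p_bad = min(1.0, b / max(1, self.count[True]))
            self.probs[tok] = min(0.99, max(0.01, p_bad / (p_good + p_bad)))

    def spam_probability(self, text):
        # Combine the 15 most decisive tokens in log space; unseen tokens get 0.4.
        ps = sorted((self.probs.get(t, 0.4) for t in tokenize(text)),
                    key=lambda p: abs(p - 0.5), reverse=True)[:15]
        if not ps:
            return 0.4
        log_s = sum(math.log(p) for p in ps)
        log_h = sum(math.log(1 - p) for p in ps)
        return 1 / (1 + math.exp(log_h - log_s))

    def route(self, text):
        """Return (mailbox, headers) for one inbound message."""
        p = self.spam_probability(text)
        flagged = p >= self.threshold
        headers = {"X-Spam-Prob": f"{p:.3f}", "X-Spam-Flag": "YES" if flagged else "NO"}
        mailbox = "quarantine" if flagged and not self.training_mode else "inbox"
        return mailbox, headers


# Constructed corpus standing in for a week of mail forwarded to the aliases.
SPAM = ["buy cheap pills online now", "cheap pills viagra discount online",
        "win money now cheap online casino", "free money casino win now"]
HAM = ["meeting notes for the project budget review",
       "project budget attached see the meeting notes",
       "can we review the server migration plan tomorrow",
       "server migration notes from the meeting"]


def trained_gateway():
    gw = BayesGateway()
    for text, is_spam in [(m, True) for m in SPAM] + [(m, False) for m in HAM]:
        gw.submit(text, is_spam)
    gw.rebuild()
    return gw


def correct_false_positive(gw, text):
    """The post's fix for a wrongly flagged message: report it as good, rebuild."""
    gw.submit(text, False)
    gw.rebuild()
    return gw.route(text)[0]
```

A mail client rule on `X-Spam-Flag: YES` gives the same training-mode sorting the post sets up in Thunderbird; flipping `training_mode` to `False` is the switch to normal operation.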

Here is what the service has done for my email account since I turned it on about 12 days ago:

General Runtime Information

  • ASSP Proxy Uptime: 12.232 days
  • Messages Processed: 2297 (187.8 per day)
  • Non-Local Mail Blocked (percentage of email that is spam): 87.5%
  • CPU Usage: 0.27% avg

That's 288 valid emails and 2009 blocked as spam. As I said at the beginning, a bit overwhelming for only one email account in the mix, and obviously quite necessary to do something about it.

I still need to do some small amount of work to make sure the service stays up and running from a high-availability standpoint, and in fact I have that minor issue with not only the ASSP service but also a couple other email services and even the IIS service. Resource constraints seem to play havoc now and then on my virtual server, but I think I have managed to get a handle on that.

For anyone that's looking to put an anti-spam proxy in place for your own mail server, I most definitely recommend checking out ASSP and giving it a try. Download it here (use the most recent stable version). Or check out the ASSP Wiki, which contains documentation, the FAQ, and everything else you can think of. A high-level list of features can also be found on the ASSP home page at SourceForge.

IT Security | Safe Computing | Tech
Monday, 15 January 2007 02:18:28 (Pacific Standard Time, UTC-08:00)

Friday, 12 January 2007

If you sense a pattern to my post titles, you're really paying attention. Recently I spent a few weeks using the Samsung Blackjack, a new Windows-mobile smartphone. Within the first 24 hours, as I wrote last month, it became clear to me that the phone wasn't going to work for me, being a power user of mobile technology for critical, fast-paced business. In other words, Crackberry-style. You can read my experiences here, and also know that while I was able to adjust somewhat to the Blackjack, the three weeks that followed that first "24 Hours" post were not significantly better than my initial impressions.

For the past few days I reverted to using my tried-and-true Blackberry 8700 again. I went back because using the Blackjack was holding me back in a substantial way, and I am so busy at work right now I needed to get back to something that would perform and work the way I work. It's worthy of mention that after about 10 minutes using the Blackberry my old wrist pain started to come back. Not a good sign. The 8700 is wider than the Blackjack and the Treo, and I found that holding it was stretching my thumb out in a way that was causing me pain. So, that's a good thing to discover. Also, while I enjoyed the quick usability of the Blackberry the moment I went back to it, I found the screen and general look and feel to be plain and stark after living in Windows Mobile for a few weeks.

Anyhow, on Wednesday this week, a new box arrived via FedEx from Cingular (despite the much-hyped winter storm) and I swapped the Blackjack and the Blackberry back out again in order to give the new Palm Treo 750 a try. This is the latest of the Windows Mobile 2005 enabled Palm devices. It runs Windows Mobile Phone Edition v5, plus Palm has made some nice little enhancements to the home screen (or "Today" screen, as they say) and other software interfaces. To be honest, I was quite skeptical about whether this new device would be sufficient after my experiences over the past few weeks with the Smartphone version of Windows Mobile running on the Blackjack hardware. But I can report today that I am pleasantly surprised, and that I may have actually found a Windows Mobile phone that can replace my Blackberry for real-world use.

To be certain, the Treo 750 is a significantly beefier (both physically and figuratively) device than the Blackjack. But it is fast and smooth, very well designed and crafted, and is thought-out in a way that most other devices are not. Palm's attention to the enhancements they made to the home screen and some of the underlying software is indicative of their usability focus, and that's important. In fact, it may just make the technology sufficiently usable for what I need. Pretty much anything I need is accessible right there on the home screen. Because it's a PocketPC version of Windows Mobile, it has the touch screen and a stylus, so I can use my finger or the metal pen thing. Of course there is also the ubiquitous five-way button pointer just above the keyboard pad that works quite well for navigation, too.

So, what is it that is so much better about the Treo 750 that has me singing its praises? Let me count a few of the ways:

  • It's fast and more powerful. The Treo doesn't miss keystrokes or pause for several to many seconds when you launch an application or try to do normal everyday tasks.
  • The way Palm approached text and MMS messaging is very cool - It looks a lot like an instant messaging interface and makes for a fast and positive text messaging experience.
  • Better speakerphone.
  • More advanced Windows Mobile software, with the ability to run PocketPC applications.
  • The keyboard is pretty darned terrific, leaps and bounds better than the Blackjack's.
  • The Treo loads web pages reliably and faster than the Blackjack, which is interesting since the 3G network the Treo uses is not (yet) HSDPA. The Treo currently runs on the UMTS network, with an HSDPA software upgrade slated for the first half of this year.
  • Check out some of the ease-of-use enhancements in a one-minute PC WORLD video here.
  • Check out Cingular's Treo 750 interactive tutorial (about 20 minutes) here.

What are some remaining Treo 750 and Windows Mobile shortcomings? There are a few, if I want to get nit-picky:

  • Battery life in my subjective first-day use on the high speed network was better than the Blackjack, but it is still not up to par with what one gets out of the Blackberry (which is an EDGE network device, for the record - slower yet again).
  • More proprietary connectors?? I know, it's a Palm creation. But seriously, why the heck can't we just charge and sync via a standard Mini-USB2.0 port? Time to locate and buy some more accessories. If I had $29.00 for every cheap plastic vehicle charger I ever bought, I'd be just about break-even.
  • The Inbox application on Windows Mobile doesn't let you aggregate all your mail into the main inbox if you use subfolders in Outlook/Exchange to organize your email. More on that and what I did to alleviate the problem this evening can be found below.

Quick sidebar: My friend Trevin reacted in an IM conversation tonight to my petty complaints about the devices by saying, "Oh, cry me a river Hughes." Heh. Hey, man... You know, it's picky, difficult people like me that gently drive usability experts back into their corners and holes (in a friendly way, of course) where they make technology miracles happen in the next rev, and we also provide them with wish lists of things that would make us buy their stuff. Everything I say is intended to be taken from the perspective of "room and opportunity for improvement." Now, Trevin tells me he likes the smaller form factor of the Blackjack. The Treo is just too large and unwieldy for him, he says. Well in my book the Treo is smaller than my Blackberry 8700, at least width-wise, and that's a good thing. The Blackjack was almost too small. And yes, too small is possible - especially when you have to fit a QWERTY keyboard on the thing. Also - Trevin's a truly terrific guy, and I respect his opinions greatly. We have different perspectives, different jobs and use our devices differently. And he was being sarcastic in our IM chat - a little poking fun at friends kind of thing.

For some additional perspective, I'd suggest reading Walter Mossberg's Personal Technology article from Thursday, in which he says he thinks the Blackjack is a better device than the Treo 750 overall, although he recognizes some of the benefits of the Treo. It's clearly a purchase decision to be made based on individual and specific needs. Walt also points out that the newly-announced Apple iPhone (or whatever they end up calling it), which won't be released for several months, will likely be a killer for any of the Windows Mobile phones. Time will tell. The iPhone looks terrific for sure, but until I see one and use it, I am not convinced it would work for my particular business power-user needs. But that's also not likely to be the target market.

As I noted in my Blackjack review and above, I have always been a hyper-organizer of email, using folders and subfolders in Outlook and Exchange to organize email by type and recipient. As a result, due to the way the Windows Mobile Inbox works, in order to see if any email has arrived that gets distributed to any folder other than the inbox, I have to navigate the folder tree on the mobile phone, which requires a whole bunch of clicks and scrolls. Now, the full Windows Mobile edition on the Treo 750 includes a much simpler and easier mechanism in the form of a Folders menu, which allows me to much more easily access the folder list. But what I really wanted was what I was used to: A mobile inbox where all email sits, regardless of how I organize it in my desktop Outlook client.

So, I found myself in a bit of a stuck situation, until I got to thinking about it and spent a few minutes this evening IMing with Trevin. I had briefly thought of dumping all of my Exchange folder hierarchy completely and changing over to using Search Folders in Outlook. Trevin told me he only uses search folders and that he uses them extensively. I am running Outlook 2007, and the search performance in that application is pretty slick, so I made up my mind and went straight to my Outlook rules and exported them (just in case), then deleted them all. Now all my email would go to my inbox. I started setting up search folders and found I could actually do a lot more with those than I realized - That's something I will be getting deeper into at a later date. Anyhow, I replicated and created the necessary functionality and effectively solved my mobile inbox issue. Now the phone puts everything where I want it and Outlook shows me what I need to see the way I need to see it, only even better than it did before.

I will always like Blackberries, and I am sure I will be running new ones now and then (since I tend to be the guy who tests the new stuff). But for now, the 8700 is gone and the Treo 750 is in its place. It will be interesting to see how it performs over time, but this time around I have a level of confidence that was not present on the last WinMobile trial. That's a good thing.

What do you think? Have experience with these devices? Any PocketPC/Windows Mobile software you think I can't live without (or would not want to live without)?

Mobile | Tech
Friday, 12 January 2007 01:04:06 (Pacific Standard Time, UTC-08:00)

Thursday, 11 January 2007

Every now and then you find a real gem worthy of pointing to. It's one of those days. A few of the guys who work on my team apparently had an interesting conversation today - one of those ones that, well... As Brent says:

"Today I had one of those conversations. You know, the mildly creative, useless, on the verge of non-pc, feeling giddy, make you laugh conversations."

Read all about it at his blog. They did the math and arrived at the definition for some pretty important technology figures. 'Nuf said. Heh.

Humor | Random Stuff
Thursday, 11 January 2007 23:18:28 (Pacific Standard Time, UTC-08:00)

Tuesday, 09 January 2007

Recently I wrote about my frustrations with the several WRT-54G Linksys routers I have bricked and suffered through over the past few years. I've been on a search for a good replacement. A number of people have recommended sticking with the Linksys hardware, but since I have been through a few of them, I really just wanted to make a change. My friend Omar and a few others suggested the D-Link routers, specifically the ones that do QoS traffic shaping for a variety of network services. Those people using the D-Link Platinum series routers spoke so highly of them, I decided to look at them seriously and decide which one would be best for me. Omar uses a model that is billed as a gaming router and he loves it.

While at Costco earlier today, I discovered they were stocking a Pre-N "RangeBooster" wireless router, the D-Link DIR-625 model. I saw that it had the QoS engine that people were heralding, and being a -N model it has some future to it, which is nice. Omar had noted to me that these routers have the ability to be configured and tweaked in fine detail right out of the box (in other words the firmware you get on the thing is incredibly capable and sufficiently detailed for advanced users), and he was certainly right. You can granularly configure almost anything you can think of. The device will even email you when system events occur or when a new firmware upgrade is available, if you want it to. Quite cool.

I have been up and running with it all evening and am very, very happy. My wireless network connection is now rock-solid and the user interface for the router is top-notch. Not once has the network paused, glitched, dropped or otherwise puked on itself, which is quite a change. I could get used to this, heh.

You can check out an online emulator of the DIR-625 router's web interface here (use a blank password). Product information can be found here. The support and firmware page for this model is here.

Setup was quick and easy, simple enough for anyone due to good packaging and a CD-wizard driven installation routine. This router is highly recommended for both home users and geeks.

UPDATE: 1/15/2007 - I have been running the router for about a week now with exactly zero problems. This thing is as solid as a rock and shapes traffic quite well. I should have made this move long ago.

Tech
Tuesday, 09 January 2007 23:48:22 (Pacific Standard Time, UTC-08:00)

Sunday, 07 January 2007

In May, the National Security Agency (yes, that one) published a guide in PDF form (818KB PDF file) called "The 60 Minute Network Security Guide - First Steps Towards a Secure Network Environment."

It's good stuff. Sure, it's not a 100% guide to everything you need to know and do, but it covers the bases quite well. Some have balked at the complex password and rotation requirements and made the requisite "that won't work in the real world" noise, but those of us who actually do operate in the real world know it can be done and that 90 days is a bad number (it's too long IMO, and lacks usability - it should be either 84 or 42 days). Sure, a few people will complain (it's human nature and it takes all kinds), but the vast majority are more than happy to do their part. Don't let the vocal few chase you away from what is proven over and over to be right.

There are always good and effective ways to accomplish the goal while meeting requirements: For example, the use of passphrases instead of regular passwords makes complex, long passwords a cinch, and all it takes is about 5 minutes of user education to show people how well it can work (use your all-hands meetings and you'll be amazed what you'll get accomplished in a short period).

Read the guide, use it, and you'll be better off. A variety of other security configuration guides from the NSA can be found here. There are more than 80 guides covering server and client operating systems, network infrastructure, database platforms, and more.

(via lifehacker.com)

IT Security | Safe Computing | Tech
Sunday, 07 January 2007 16:48:57 (Pacific Standard Time, UTC-08:00)