Caffeinated-Geek.com

Just finally had time to sit down and read the latest (August 2007) edition of Sys Admin Magazine, and according to a blurb in the front (and some chatter on the internets, it looks like it will be the last issue of the publication.

This saddens me quite a bit, as it was truly a great resource for this specialized target group.

I remember reading it back in high school before I actually started my IT career – when I was just a nerd with too much free time and couple of boxes with Linux and FreeBSD installed simply for keeping myself entertained.  The shell script snippets, ideas, and real-life stories were what really made the magazine.

RIP, Sys Admin Magazine.

Systems Admin

We received a letter today regarding Alta Resources, Inc – a credit card processor who handles services for the Disney Movie Club regarding a security breach of our credit card information:

Dear Disney Movie Club Member,

We have been informed of an incident at Alta Resources, Inc., a company that processes and fulfills orders for the Disney Movie Club. This incident involved credit card information received by Alta Resources from a number of Disney Movie Club members.

*snip*

One of Alta Resources’ employees sold certain credit card information to federal law enforcement agents, as part of an undercover sting operation, in May 2007. This information included your name, address, credit card number and expiration date, and credit card type (e.g., Visa, Mastercard, American Express, or Discover), and may have included your telephone number and email address if you had provided that contact information to us. We have been assured that the card security code (e.g., the CVV or CVC code) for your credit card was not included in this information.

*snip*

The individual involved in this incident is now longer employed by Alta Resources and no longer has access rights to Alta Resources’ premises or computer systems. You also should know that Alta Resources now has taken additional corrective and precautionary measures, and has been independently certified under the Payment Card Industry Data Security Standard, and industry standard for safeguarding of consumer credit card information.

At least they’re letting their customers know. Glad they weren’t being total dimwits and storing CVV codes in a database. Also glad that the genius trying to do this had his first “successful” sale to a government agent.

So, I’m curious – does the last paragraph I posted from the letter mean they weren’t following PCI standards (were not PCI compliant) before?

Full scan of the letter:

Security crack, credit card

I posted this a while back on an internal blog at my workplace, and a friend recently asked if I knew of a way for this to be done, so I’ll re-post it here. I work for a wholesale ISP, and we often take an existing ISP’s customer base, including email and personal web space hosting, and migrate it to our servers. We’ve used this hack once or twice for some migrated accounts from an ISP, who in the past, allowed users to have personal web space at their domain, but under a “normal” subdirectory of the domain, such as http://example.com/username/. Migrating their subscribers to our servers would have required a change to the Apache-style http://example.com/~username/ format, which would break existing hard links and search engine results.

Our workaround uses Apache’s rewrite module (not surprisingly, named ‘mod_rewrite’).

In the VirtualHost section for the domain I wish to affect, I add the following directives:


UserDir /home/example.com/*/WWW
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond /home/example.com/$1/WWW$2 -f [OR]
RewriteCond /home/example.com/$1/WWW$2 -d
RewriteRule ^/([^/]+)(.*) /home/example.com/$1/WWW$2
</IfModule>


Of course, change the directories to match your local setup.

Now for how it works… Say a web user surfs to http://www.example.com/username/ – The rewrite rule will first check for a file or directory at /home/example.com/username/WWW/’s existence, and if it indeed exists, Apache serves the requested file out of the referenced directory.

A couple of things to be cautious of:

• This MAY interfere with folder’s in your domain’s website structure! User directories (based on the username) take precedence over your website directories. If a user with the username “images” happens to be added to your system, I can only imagine very bad things may happen to your visitors.
• I don’t know how much of a strain this is on Apache. From my experience, mod_rewrite is NOT horribly efficient. If at all possible, DON’T DO THIS – just make your users deal with a standard UserDir setup. If they are horribly concerned about the “ugly” tilde in their URL, I’d suggest one of the many options out there for URL forwarding or regular domain hosting.

Random Hacks, Systems Admin apache

The DST change is fast approaching. A few quick notes on testing/fixing for some OSes…

FreeBSD:
I’m told that releases after 6.2-REL have the correct zoneinfo data.

You can check your system with the following command:

narf-gw-1% date -r 1173607200
Sun Mar 11 03:00:00 PDT 2007
narf-gw-1% date -r 1194166800
Sun Nov 4 01:00:00 PST 2007


If the correct daylight zones are returned, your system is set to update properly.

If not, ensure you have the latest ports tree installed and install the misc/zoneinfo port.

Windows NT/2000:
No known Microsoft fix, but IntelliAdmin has a free fix available. Read their blog post, including instructions and download links.

Windows 98/Me:
No known Microsoft fix, IntelliAdmin once again has a free fix for you. Read their blog post and download (and upgrade your OS if you can).

Systems Admin daylight savings, freebsd, windows 2000, windows 98, windows me, windows nt

Ran into a fun little issue recently configuring a new router while taking into account the changes we’re going to see in Daylight Saving Time here in the U.S.

As of the year 2007, Daylight Saving Time in most of the U.S. and Canada starts earlier than past years due to the U.S. Energy Policy Act of 2005. DST now begins on the 2nd Sunday of March and ends on the 1st Sunday of November, both at 02:00 AM local time.

If your network equipment keeps time, and you set it to your local time (not GMT), then you may need to change this by hand — often the software powering these systems do not yet follow the new DST rules.

In order to do this automatically on most versions of Cisco IOS, you can try the following…

First, check your current time configuration – there’s no need in doing this if the version of IOS on your router obeys the new DST rules:

grps-edge-rtr-1>show clock detail
01:18:39.439 PST Fri Feb 9 2007
Time source is NTP
Summer time starts 02:00:00 PST Sun Apr 1 2007
Summer time ends 02:00:00 PDT Sun Oct 28 2007

In this case, the router is following the old DST rules, indicated by the incorrect dates. We will need to update this for this version of IOS.

Let’s update the DST settings. This should be pretty painless:

grps-edge-rtr-1>en
Password:
grps-edge-rtr-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
grps-edge-rtr-1(config)#clock timezone PST -8
grps-edge-rtr-1(config)#clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
grps-edge-rtr-1(config)#end

This set of commands first applies the standard timezone with the label “PST” as -8 hours offset from UTC. Then we state that the summer-time zone we label as “PDT” starts on the 2nd Sunday in March at 2:00am, and ends on the 1st Sunday in November. Obviously, change the timezone labels and UTC offsets to suit your needs.

You then should confirm the new settings with the following command:

grps-edge-rtr-1#show clock detail
01:19:53.644 PST Fri Feb 9 2007
Time source is NTP
Summer time starts 02:00:00 PST Sun Mar 11 2007
Summer time ends 02:00:00 PDT Sun Nov 4 2007


I’ve tested this on a handful of IOS versions, including from 12.1 through 12.4. As a note, all versions of 12.4 that I have access to already have the new DST rules set by default, however setting the summer-time rules this way won’t hurt anything.

Don’t forget to commit your changes to NVRAM!

Network Admin cisco, daylight savings