Nov 30, 2012

Repair A Hole in Your Sole On The Cheap!

This post is not going to deal with software or technology today, but something for anybody. Well, anybody who is super cheap anyway. This is for those of you who have the perfectly broken in pair of shoes that are super comfortable, yet they are so broken in that holes are starting to develop on the soles.

Sure you can take your shoes to a shoe repair store, but oftentimes it's not cost effective to do that. The cost of getting a shoe re-soled is about the price of getting a new pair. I found a better solution that will only cost you about $2.88 from Amazon. I'm talking about fixing your shoe with a bicycle tire patch!

Check out these photos from Instructables:

  • Shoe with a hole in the sole
  • Mark the area to be patched with a crayon
  • Apply the patch glue
  • Apply the patch to the area and let dry
  • When dry, remove the film from the patch

Not a bad idea right? This is a super cheap way of getting a few more miles out of your favorite pairs of shoes!

Are you going to try it? Let us know how it goes in the comments!

[Via Instructables]

Nov 29, 2012

My Help Desk System Has Better SSL Implementation Than the CIA

Is it just me or is it bad that my company's help desk ticketing system has a better SSL implementation than one of the most secretive and allegedly secure agencies in the world? Here is how my help desk system scored on the Qualys SSL Test:

Here is how the CIA scored:

Kind of makes me wonder if our secrets are really safe with these guys. Now I'm not surprised how Wikileaks is able to get so much on them. They can't even secure a public web server correctly.

Am I being too harsh on these guys? Tell me what you think in the comments.

Nov 28, 2012

A Walk In The Cloud [Infographic]

At my company we essentially run our own "cloud". Meaning we rent out space at a data center, and use our own server hardware. I mean if you think about it, that is exactly what a cloud service provider is doing. I mean, the word cloud to some people conjures up an idea that these services are provided with magic or something. Um, yeah, no...

A few times a year the idea of moving our infrastructure to the cloud comes up but it always gets shot down because of the monthly cost. I mean when you rent space at a data center you still have to pay a monthly fee, but the equipment and software is yours. With the amount of storage and bandwidth we use it is actually cheaper for us to rent a data center than to rent storage in the mystical cloud.

Anyway, speaking of moving to the cloud, I found this interesting infographic from the folks at Trend Micro. Check it out:

INFOGRAPHIC: A Walk in the Clouds.

Nov 27, 2012

Best Bet For an Adsense Alternative:

I can't believe I didn't see this email before from, but I just noticed it because of another email I got from them saying they were migrating my account to their new platform which uses the Yahoo and Bing advertising networks! Here is a snippet from their email:

Yahoo! (NASDAQ:YHOO) and today announced a long-term agreement to launch Yahoo! Bing Network Contextual Ads program. This new program aims to provide web publishers with a powerful and effective new solution for earning advertising revenue. Publishers can now use the platform to create and customize ad units that display relevant text ads from across the Yahoo! Bing Network. We believe that Yahoo! holds a key leadership position in online advertising and teaming up with them allows to offer web publishers with a solution that generates additional revenue for them and provides customization, control and flexibility that they would like.

This is great for those of us who have been burned by Adsense and were never given a good explanation. Being able to display ads from Yahoo and Bing has got to be the next best thing right?

Well I just replaced the ads around Bauer-Power with ads, so we'll see how it goes. Ever since getting kicked off of Adsense a few months ago I've been running Technorati Media ads which have only performed at about 25% of what Adsense did.

Much like Adsense, I am still able to use Technorati's ad code as a backup if doesn't have an ad to run. That is some good news. Plus the portal is easy to use and you can stay up to date on your earnings and performance.

So what do you think? Will running Yahoo and Bing ads be a great alternative to Google's Adsense? Let me know what you think in the comments!

Copying Is Not Theft

I saw this video while Stumbling around yesterday. It was originally made in 2009, but it's the first time I've ever seen it. It deals with the argument that the MPAA and RIAA often use when fighting against piracy: that copying music and movies is stealing.

This video kind of makes you think about that argument a little more. I mean, how can you be stealing if you make more of something? Check it out:

Now I also get that when someone pirates a video or music, the artist and the people who worked on the pirated item lose money. However, if I already purchased your DVD and made a copy of it as a backup in case something happened to the DVD, how is that stealing?

What's your take on the video? Let us know in the comments!

Nov 26, 2012

Error Creating Scheduled Scans in Immunet 3.0 Free

On Friday I wrote about a free antivirus program that is powered by ClamAV called Immunet. It's great because it is free for corporate use and provides on-access real time protection from malware. There is a problem that I had with it though, and that was in creating a scheduled scan.

When trying to create a scheduled scan using a domain user's credentials I kept getting an error saying:

Error creating scheduled scan. An unknown error has occurred.

Not sure why it doesn't like domain credentials, but I was able to work around this issue by creating a local administrator account called av and using those credentials to schedule the scan. After that you can just keep using that local account, or you can go into Windows Task Scheduler and change the credentials used to SYSTEM or perhaps a domain account.

Nov 23, 2012

Forget ClamWin. Check Out Immunet 3.0 Free!

The other day I wrote about how you can use ClamWin with Clam Sentinel to have free open source virus protection with on-access protection. Plus you can use this in a business environment! Well there is actually a better solution, and it ties in with Windows Action Center, unlike ClamWin and Clam Sentinel. Not only that, but it also uses ClamAV for its engine when offline.

I'm talking about Immunet Free. From ClamAV's Site:

Immunet 3.0, powered by ClamAV utilizes advanced Cloud-based, community-based, and integrated ClamAV detection technology to help secure your PC. The 3.0 release fully integrates the core ClamAV detection engine to provide exceptional offline protections against the latest malware threats. The fast cloud based SPERO and ETHOS engines allow for a fast and light footprint with no need for continual signature updates, keeping your system up-to-date with the latest protections in real-time. This hybrid approach provides a highly effective and customizable AV solution for Windows desktops in both your home, and your office. The fast and light footprint is ideal for laptops, gamers, and power users who just want their AV to do its job and stay out of their way.

While connected to the internet your computer is protected using their ETHOS and SPERO detection engines, but you also have the ability to enable ClamAV updates and the ClamAV detection engine as well for when your computer is offline. For some reason the Immunet site says offline protection is only available with their Pro version, but that's not true if you enable ClamAV.

I tested it out on my computer at home. I updated the ClamAV engine and disconnected from the internet then ran a scan. It still found two instances of malware on my machine. You can also schedule scans to make sure your system is safe offline or not!

The best part about this is that nowhere in their EULA do they say that you cannot use Immunet in your business. So yes, it is free for corporate use! In fact I found this on their forum from one of the administrators:

...we have no problems with people using the free version of Immunet in corporate environments.

The only real limitations I see with Immunet are that with the free version you can't scan incoming or outgoing email, and you can't scan local email databases like OST or PST files. Still, that isn't a big deal since most email solutions these days have integrated antivirus. Gmail certainly does, and so do many spam filter companies.

Have any of you checked out Immunet? Like it? Hate it? Let me know in the comments. Right now this is the front runner in my opinion for a free business antivirus solution.

Nov 21, 2012

Add On-Access Scanning To ClamWin Antivirus

One of my favorite antivirus programs has to be ClamAV. It's free and open source, plus it can be used in a corporate environment. It's one of the very few free antivirus programs that can be used in a large corporate office. The only other one I can think of is Comodo, but that one has a problem updating sometimes. Just check their forums.

Anyway, the problem with ClamAV, and its Windows counterpart ClamWin, is that it doesn't provide on-access scanning. That means you don't get real-time protection when a virus or another piece of malware tries to infect your computer. You generally have to wait until the next scheduled scan for ClamWin to find the infection. By then, it may be too late.

Not anymore. There is a cool free companion to ClamWin that provides on-access protection. It's called Clam Sentinel. From their page:

Clam Sentinel lets you scan files for malware with ClamWin Antivirus in real-time as they are added, modified, or copied to the computer. It scans permanent hard drives and USB/removable drives with ClamWin, but Clam Sentinel also uses its own system monitor to detect unknown malware that does not have a ClamWin signature. Sentinel is designed especially for older computers, such as Windows 98, ME, 2000, and XP, but it has been tested on Windows Vista/Windows 7 machines and works fine on them too.

If you have a small business with ten or fewer employees, I would recommend using Microsoft Security Essentials because it's free for business use for 10 or fewer workstations. If you have more than 10 people though, but still can't afford the high cost of commercial antivirus, then perhaps you should give ClamWin with Clam Sentinel a try.

What antivirus do you use at your office? Is it a free solution or an expensive solution? Let us know in the comments!

Nov 16, 2012

How To Configure Active Directory Users in Fortigate

I mentioned yesterday that I recently received a Fortigate 60C firewall. One of the main reasons for getting it, besides the awesome price, was its ability to do DLP, web filtering and a bunch of other cool tools as a part of their unified threat management. Well yesterday I was playing with web filtering and I found a really interesting feature.

You can limit access to certain websites by user, and those users can be authenticated against Active Directory over LDAP. The issue I found with the default settings was that it's looking for a CN identifier, but I want my users to be able to use their regular username. For instance, if your company uses first.last for the username, that's what I want to do.

To do that we first need to configure our LDAP server settings to point to our domain controller, then modify the settings to look for the AD username. To do that:
  • Go to User > Remote > LDAP
  • Click Create New
  • Give it a name
  • Enter the IP address of your domain controller
  • Leave the Server Port at 389
  • Change the Common Name Identifier to sAMAccountName <- AD Username!
  • Change the Bind Type to Regular
  • Enter the User DN for a domain administrator account (See below)
  • Enter the password for your domain administrator account
  • Now click the Browse button next to Distinguished Name and browse to the OU where your users are.
  • Click OK
Should look something like this:

If you don't know how to find the DN for a user account, the easiest way is to open ADSI Edit on your domain controller, browse to the user, then right click and click Properties. The DN for the user can be found under distinguishedName. Just double click on it and you can copy the contents out and paste it into your Fortigate.

That's it really. If you enter the DN and the password correctly for your domain administrator, then the browsing part will work. If the browsing part doesn't work, something is wrong. Either way, now you can create users that match their current AD user name for authentication on your Fortigate!
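To show why the Common Name Identifier setting matters, here is an added example (not code from the original post or from Fortinet) that simulates the lookup the firewall performs: it searches the configured Distinguished Name for the one entry whose chosen attribute equals the typed username, using a constructed sample directory rather than a real domain.

```python
"""Why the Fortigate "Common Name Identifier" matters for AD logins.

Added example, not code from the original post or from Fortinet. It
simulates the lookup a firewall performs against Active Directory over
LDAP: search the configured Distinguished Name (the users OU) for the
single entry whose <cnid> attribute equals the name the user typed.
With the default cnid of "cn" a user typing "john.doe" matches nothing
(cn holds the display name); with "sAMAccountName" the entry matches.
SAMPLE_DIRECTORY is constructed sample data, not a real domain.
"""
from typing import Dict, List, Optional

SAMPLE_DIRECTORY: List[Dict[str, str]] = [
    {"dn": "CN=John Doe,OU=Users,DC=example,DC=local",
     "cn": "John Doe", "sAMAccountName": "john.doe"},
    {"dn": "CN=Jane Roe,OU=Users,DC=example,DC=local",
     "cn": "Jane Roe", "sAMAccountName": "jane.roe"},
    # Lives outside the users OU, so a search rooted there must not find it.
    {"dn": "CN=svc backup,OU=Service,DC=example,DC=local",
     "cn": "svc backup", "sAMAccountName": "svc.backup"},
]


def ldap_escape(value: str) -> str:
    """Escape a filter value per RFC 4515 so the typed username is always a
    literal and cannot change the shape of the filter."""
    escaped = []
    for ch in value:
        if ch in "\\*()\0":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_filter(cnid: str, username: str) -> str:
    """The equality filter the firewall sends, e.g. (sAMAccountName=john.doe)."""
    return "(%s=%s)" % (cnid, ldap_escape(username))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or sits below it (DNs compare case-insensitively)."""
    e, b = entry_dn.lower(), base_dn.lower()
    return e == b or e.endswith("," + b)


def lookup_user(directory: List[Dict[str, str]], base_dn: str,
                cnid: str, username: str) -> Optional[str]:
    """Return the DN of the one entry under base_dn whose cnid attribute equals
    username (AD compares these values case-insensitively), or None when no
    entry matches, which is what an authentication failure looks like."""
    matches = [e["dn"] for e in directory
               if in_subtree(e["dn"], base_dn)
               and e.get(cnid, "").lower() == username.lower()]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    base = "OU=Users,DC=example,DC=local"
    for cnid in ("cn", "sAMAccountName"):
        print(build_filter(cnid, "john.doe"), "->",
              lookup_user(SAMPLE_DIRECTORY, base, cnid, "john.doe"))
```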

Nov 15, 2012

How To VLAN Tag Your NIC in Ubuntu Linux

I am playing with a new Fortigate firewall at my company. I talked about it in the most recent episode of Tech Chop. Well it came in the mail today and I started to configure it. Unlike my current firewall, I can't assign particular VLANs to the individual physical ports. If I want to have multiple subnets on my network, which I do, I have to create virtual VLAN interfaces under the five physical "internal" ports.

This isn't a problem once I get it into place because my core switches handle VLAN tagging, and trunk ports. The problem is configuring it without a switch because by default your computer's NIC doesn't handle VLAN tagging.

In Windows, sometimes you can download a driver for your NIC to handle VLAN tagging, but not all NICs support it. For setting up this firewall though I was using an Ubuntu laptop. Setting up VLAN tagging in Ubuntu is actually pretty easy. Here's what you do:

  • Install VLAN package on your computer:
sudo apt-get install vlan
  • Edit your /etc/network/interfaces file so it would contain the following:
# The loopback network interface
auto lo
iface lo inet loopback
# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.

# VLAN 1
auto vlan1
iface vlan1 inet dhcp
vlan_raw_device eth0
Once that is edited, save the file and reboot. When your Ubuntu computer comes back up, as long as it is plugged into a switch or a firewall interface configured for VLAN tagging it should work fine. Also, if you need to configure a static IP address on a particular VLAN here is an example of that:

# VLAN 2
auto vlan2
iface vlan2 inet static
mtu 1500
vlan_raw_device eth0

Notice that you can tag your VLAN any way you want. If your VLAN is tagged VLAN 104 on your switch, your interface will be vlan104 in Ubuntu. Makes sense right?

The only problem I had with this is that if I wanted to change the VLAN tagging to test connectivity on the other VLANs I was setting up, I had to reboot for the changes to take effect. Simply restarting the network service didn't do the trick. If you know of a better way than rebooting, let me know in the comments.
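As an added example (not from the original post), the following generates the interfaces stanza in the post's vlanN/vlan_raw_device layout with the VLAN ID range checked, and also emits the iproute2 `ip link ... type vlan` commands that create the same tagged interface on a running system, which is how a tag can be changed and tested without a reboot.

```python
"""Build the ifupdown stanza for an 802.1Q tagged sub-interface, plus the
iproute2 commands that create the same interface on a running system.

Added example, not from the original post. The vlan<ID> naming and the
vlan_raw_device key follow the post's /etc/network/interfaces layout; the
`ip link add ... type vlan` form is the iproute2 equivalent and takes
effect immediately, so a tag can be changed and tested without a reboot.
"""
from typing import List, Optional

VLAN_MIN, VLAN_MAX = 1, 4094  # 802.1Q VLAN ID range; 0 and 4095 are reserved


def _check_vlan_id(vlan_id: int) -> None:
    if not VLAN_MIN <= vlan_id <= VLAN_MAX:
        raise ValueError("VLAN ID %r is outside %d-%d" % (vlan_id, VLAN_MIN, VLAN_MAX))


def vlan_stanza(raw_device: str, vlan_id: int, address: Optional[str] = None,
                netmask: Optional[str] = None, mtu: int = 1500) -> str:
    """Return an interfaces(5) stanza for vlan<ID> on top of raw_device.

    Without an address the interface uses DHCP (as in the post's VLAN 1);
    with address and netmask it is static (as in the post's VLAN 2).
    """
    _check_vlan_id(vlan_id)
    name = "vlan%d" % vlan_id
    lines = ["# VLAN %d" % vlan_id, "auto %s" % name]
    if address is None:
        lines.append("iface %s inet dhcp" % name)
    else:
        if netmask is None:
            raise ValueError("a static interface needs a netmask")
        lines += ["iface %s inet static" % name,
                  "address %s" % address,
                  "netmask %s" % netmask,
                  "mtu %d" % mtu]
    lines.append("vlan_raw_device %s" % raw_device)
    return "\n".join(lines) + "\n"


def vlan_up_commands(raw_device: str, vlan_id: int, address: Optional[str] = None,
                     prefix_len: int = 24) -> List[str]:
    """Return the commands (run as root) that bring the same tagged interface
    up immediately; a static address is given in CIDR style via prefix_len."""
    _check_vlan_id(vlan_id)
    name = "vlan%d" % vlan_id
    cmds = ["ip link set dev %s up" % raw_device,
            "ip link add link %s name %s type vlan id %d" % (raw_device, name, vlan_id),
            "ip link set dev %s up" % name]
    if address is None:
        cmds.append("dhclient %s" % name)
    else:
        cmds.append("ip addr add %s/%d dev %s" % (address, prefix_len, name))
    return cmds


def vlan_down_commands(vlan_id: int) -> List[str]:
    """Tear the tagged interface down again, e.g. before re-tagging to test
    the next VLAN on the firewall."""
    _check_vlan_id(vlan_id)
    name = "vlan%d" % vlan_id
    return ["ip link set dev %s down" % name, "ip link delete %s" % name]


if __name__ == "__main__":
    print(vlan_stanza("eth0", 104))
    print(vlan_stanza("eth0", 2, "192.0.2.10", "255.255.255.0"))
    print("\n".join(vlan_up_commands("eth0", 104)))
    print("\n".join(vlan_down_commands(104)))
```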

Anyway, since I was able to tag my NIC with various VLANs, I was able to test connectivity on all the virtual interfaces on my new Fortinet without having to set up another switch!

Nov 14, 2012

Digital Engagements: Connecting With Consumers on Mobile Devices

Mobile engagement grants businesses the power of omniscience—as long as cell phones remain beside consumers, so too can businesses. The emerging necessity of meeting customers at their phones has companies scurrying to match competition and meet consumer demands. Correct implementation of mobile engagement yields immediate results and promises fortuitous growth for small businesses everywhere.

Live Chat

Live chat software is an incredibly effective method of mobile engagement to cut costs and improve sales. In real time, customers can ask contextual questions to a live agent for immediate answers. Its revolutionary chat software efficiently assists your website visitors. LivePerson chat solutions have proven to thwart shopping cart abandonment, increase sales by 20 percent and boost chances of sales by three times. Adding to its e-commerce value, their offerings also greatly benefit customer service. Your company can increase its satisfaction rate and save issue handling costs by 25 percent.

Photos Foil Words

According to, Instagram has surpassed Twitter in daily mobile engagement from data compiled by comScore in a mobile measurement report. Small businesses should consider jumping on the Instagram bandwagon to visually promote their brand, joining the others who have already found success with the photo sharing app. Red Bull posts photos from their worldwide events, NPR shows photojournalistic snapshots featuring current events and news, and Starbucks posts promotions and its variety of coffees. Brainstorm ideas to engage Instagram users with photos of your products or services to proliferate your brand.

Format & Mobile Mindfulness

Keep in mind, to engage customers on a mobile phone, your content must be formatted correctly and optimized for a small screen. Prevent user eyestrain by constructing the web page to be easily read without unnecessary magnification. Limit rich media to ensure speedy and smooth navigation for users. Since modern phones are navigated via touch screen interaction, place links far apart to benefit finger accuracy. Being cognizant of platform differentials, such as those between the iPhone and Android, is a vital factor in the successful delivery of content to users regardless of device. Flash animation and videos work on the Android, for example, but are ineffective on the iPhone. Also consider implementing up and down scrolling only, limited key entry and navigation functions.

Customer Analytics

By setting your company app loose in the digital world, it will retrieve a wealth of valuable demographic and analytic information from your customers. Customer mobile use is a window into consumer tendencies—which can then be analyzed and put into effect. For example, an intelligently constructed app can supply you with geographic advertising effectiveness and what stores are frequented by individual customers. By raking in this data, marketing strategists can conduct a highly targeted campaign to pinpoint certain demographics. Another strategy of discovering consumer information is tactful placement of QR codes. Incite interaction by sending the consumer promotional material once scanned.

Nov 13, 2012

The White House's Petition Site Has Sucky SSL. Sign My Petition!

There has been a lot of talk about secession lately since Barack Obama has been re-elected. If you haven't heard, many states have used the White House's petition site to request to secede from the union. While on one of the petition pages, I noticed that the site was protected with SSL. Since I am kind of a stickler for how SSL is implemented on a web server thanks to my own quest for PCI compliance, I decided to check their site out using the SSL Labs Tool. Check it out:

'C' rating for a government website? That is horrible! Now I wouldn't say that the petition site is a matter of national security, but this is still downright embarrassing. I have therefore started my own petition for the petition site to fix their SSL implementation! Please sign it here! LOL!

How To Disable All Ciphers Except RC4 128 In Windows 2008 R2

If you have been reading the blog lately you know I've been making configuration changes on my web servers to make my SSL implementation PCI compliant. I even made a video about it on my weekly video podcast Tech Chop. The thing is I didn't have any Windows 2008 R2 web servers in my environment, but I will pretty soon. That means I had to figure out how to set the same things in Windows 2008 R2.

In Windows 2003, to disable all weak ciphers (and pretty much any cipher except RC4) in order to mitigate the BEAST attack, you had to make registry changes. In Windows 2008 R2 you do this by creating a group policy. For this post, I'll just make a local group policy.

  • Click WIN + R > type gpedit.msc and click OK
  • Navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings
  • Open SSL Cipher Suite Order and click the Enabled radio button
  • In the Cipher Suites Box paste in TLS_RSA_WITH_RC4_128_SHA then click OK

After that is set, just reboot. Now if you run a scan using something like SSLTest, you will see that your server is only using RC4 128 Bit Encryption which is not susceptible to the BEAST attack.

True, you can just disable all versions of SSL and TLS except TLS 1.1 and TLS 1.2, but if you have users that use browsers that don't support the newer TLS versions, like Firefox for example, then you will still want to be able to use SSL 3 and TLS 1. By limiting the cipher used to only RC4, you can still be PCI compliant, and protected from the BEAST!

Nov 12, 2012

Nothing Techy Today. Just My Son Eating Sour Candy.

I have nothing techy to write about today, so I thought I would cheer you all up on a Monday with this video of my 3 year old son eating a piece of really sour candy.


Nov 9, 2012

Move A Spare Disk From One NetApp Controller To Another

Today I logged into my NetApp OnCommand System Manager and got an alert message saying Critical: There are no spare disks. That didn't look too good, so I checked the disks on both controllers in my NetApp FAS2020 and sure enough one controller had three spares, while the other controller didn't have any. Well it turns out moving the spares is pretty easy, but you have to do it from the ssh terminal.

On the node you want to remove a spare from run:

aggr status -r

That will display all of your spare disks as well as any other disks you have, and will list their device IDs. Here is a screenshot of what I have. Notice there is only one spare now; that's because I moved one to the other filer before writing this. Anyway, the device ID we will need is circled.

Let's say for the sake of argument that there were multiple spares in the above picture, and the one we want to move is device 0c.00.11. First we need to remove ownership of that device by running the following on the owner:

disk assign 0c.00.11 -s unowned -f

Once that is done, run the following on the other controller you want to move the spare to:

disk assign all

That's it! Now you have moved a spare from one filer to another!

Nov 8, 2012

/etc/rc Settings for NetApp FAS2020 Takeover on Network Failure

I took over as the man in charge of the network for my day job a little over a year ago. Before me there were some guys that didn't have the level of IT knowledge I have. I'm not trying to toot my own horn here. They just specialized in different areas. For instance, the guy who hired me was at his core a database administrator. He didn't know anything about networking, or Active Directory. He also didn't know how to setup an iSCSI SAN from NetApp.

Because of that, when they purchased our NetApp FAS2020 SAN, they had our vendor configure it for them. Well our vendor apparently didn't know their ass from their elbow about how to configure the thing for takeover in the event of a network failure. To be honest, I didn't either, but at least I know how to test to see if it works!

Fast forward to October 28th of this year. Our data center was doing some power maintenance on one of their generators, and power was cut to our 'A' power for several hours. In theory nothing should have gone down for us because our two iSCSI switches are on separate power, and so are the two power supplies in the NetApp. Well, when one of the switches went down so did all of the LUNs on one of the NetApp controllers. For some reason takeover failed when one of the NICs went down.

After troubleshooting with NetApp it appears that the reason a takeover didn't occur was that the /etc/rc files were configured incorrectly by the vendor who set up the NetApp for my company. All NICs needed the nfo option, and they didn't have it. What I had to do was ssh into both filers and edit the /etc/rc file by running:
wrfile /etc/rc
Then I pasted the following into the terminal where the cursor was:

hostname filer01
ifconfig e0b `hostname`-e0b netmask mtusize 9000 trusted -wins mediatype auto flowcontrol full nfo partner e0b
ifconfig e0a `hostname`-e0a netmask mtusize 1500 trusted -wins mediatype auto flowcontrol full nfo partner e0a
route add default 1
routed on
options dns.domainname
options dns.enable on
options nis.enable off

After that I pressed Enter, then Ctrl+C to save the file. Once that is set you also need to make sure that cf.takeover.on_network_interface_failure is set to on by running:

options cf.takeover.on_network_interface_failure on

And you need to make sure cf.takeover.on_network_interface_failure.policy is set to any_nic by running:

options cf.takeover.on_network_interface_failure.policy any_nic

You need to make these settings changes on both filers. Make sure you change the hostname for the other filer in your /etc/rc file. Also make sure you change anything else you need to fit your network.
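Since the root cause here was an ifconfig line without nfo, here is an added example (not from the original post or from NetApp) that lints an /etc/rc and an `options cf.takeover` dump for exactly the things this post changes; the sample rc and options text are constructed, and the netmask and gateway values in them are placeholders rather than the post's.

```python
"""Lint a NetApp 7-Mode /etc/rc for the takeover settings the post found
missing. Added example, not from the original post or from NetApp: it
checks that every ifconfig line carries `nfo` and a `partner` interface,
and that an `options` dump shows the two cf.takeover settings the post
sets. RC_TEXT and OPTIONS_TEXT are constructed samples; the netmask and
gateway values are placeholders, not the post's.
"""
import re
from typing import Dict, List

# Constructed /etc/rc: e0b is configured as in the post, e0a is the way
# the vendor left it (no nfo, no partner).
RC_TEXT = """\
hostname filer01
ifconfig e0b `hostname`-e0b netmask 255.255.255.0 mtusize 9000 trusted -wins mediatype auto flowcontrol full nfo partner e0b
ifconfig e0a `hostname`-e0a netmask 255.255.255.0 mtusize 1500 trusted -wins mediatype auto flowcontrol full
route add default 192.0.2.1 1
routed on
options dns.enable on
"""

# Constructed output of `options cf.takeover`, assumed to be one
# "name value" pair per line, with the policy not yet set to any_nic.
OPTIONS_TEXT = """\
cf.takeover.on_network_interface_failure on
cf.takeover.on_network_interface_failure.policy all_nics
"""

REQUIRED_OPTIONS = {
    "cf.takeover.on_network_interface_failure": "on",
    "cf.takeover.on_network_interface_failure.policy": "any_nic",
}


def parse_ifconfig_lines(rc_text: str) -> Dict[str, List[str]]:
    """Map each configured interface name to the tokens after its address."""
    interfaces = {}
    for line in rc_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ifconfig":
            interfaces[parts[1]] = parts[2:]
    return interfaces


def interface_problems(rc_text: str) -> Dict[str, List[str]]:
    """Return {interface: [problems]} for interfaces that would not trigger
    a takeover: no nfo, or no partner interface named after `partner`."""
    problems = {}
    for iface, tokens in parse_ifconfig_lines(rc_text).items():
        issues = []
        if "nfo" not in tokens:
            issues.append("missing nfo")
        if "partner" not in tokens or tokens.index("partner") == len(tokens) - 1:
            issues.append("missing partner interface")
        if issues:
            problems[iface] = issues
    return problems


def missing_options(options_text: str) -> Dict[str, str]:
    """Return the required cf.takeover options whose current value is wrong
    or absent, mapped to the value the post sets."""
    current = {}
    for line in options_text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)", line)
        if m:
            current[m.group(1)] = m.group(2)
    return {name: wanted for name, wanted in REQUIRED_OPTIONS.items()
            if current.get(name) != wanted}


def hostname_of(rc_text: str) -> str:
    """The filer hostname set in /etc/rc (must differ between the two
    filers), or '' if the line is absent."""
    m = re.search(r"^hostname\s+(\S+)", rc_text, re.MULTILINE)
    return m.group(1) if m else ""


if __name__ == "__main__":
    print("hostname:", hostname_of(RC_TEXT))
    print("interface problems:", interface_problems(RC_TEXT))
    print("options to fix:", missing_options(OPTIONS_TEXT))
```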

Once those changes are complete, you need to manually perform a takeover of one node, then manually perform a take back. Then do the same thing with the other node. After we did this I was able to simulate a network failure by unplugging a network cable on one node. It took about 51 seconds, but the takeover automatically happened, and we didn't really lose connections with our LUNs.

Special thanks to Cecilia Thompson at NetApp Tech Support for helping me track down the root cause of this!

Nov 5, 2012

Social Media At Work: Destroying Productivity [Infographic]

Someone sent this to me, and I thought I would share it here. It's an Infographic on how social media is killing productivity in the work place. If you follow my weekly video podcast, Tech Chop, you may have seen a free and easy way to block this stuff using OpenDNS. Anyway, this Infographic is pretty cool:


Social Media At Work

[Via Learnstuff]

Nov 3, 2012

Bank SSL/TLS implementation Ratings. How Secure Are They Really?

I am in charge of the security program at my company, and that includes maintaining PCI compliance. I was running a scan of one of my web servers the other day and got dinged because we were using TLS 1.0 on one of our secure web sites with a Cipher Block Chaining (CBC) cipher. It had something to do with being vulnerable to the BEAST attack, which can be thwarted by upgrading to TLS 1.1 or TLS 1.2, or by reducing the ciphers you use to only RC4. Now, my company doesn't even handle sensitive data, but we have to maintain these requirements because of our relationship with banks.

So I got to thinking, how many banks are using at least TLS 1.1? If not, how many of them are protected from The BEAST? How good are their SSL/TLS implementations anyway? Check out these screen shots I took of several big banks in the United States, and their score from the SSL Labs Test.

[Screenshots: SSL Labs results for Bank of America, Chase, Citibank, Union Bank, Wells Fargo and PNC Financial]

Pretty interesting huh? Once you realize that just by putting an SSL certificate on your website doesn't necessarily make it secure, you start wondering about every SSL/TLS certificate you see. Is your money safe with these guys? Probably, but on the sites with a rating below an 'A' rating, or with red warnings at the bottom it kind of makes you wonder.

What rating does your bank get? Let us know in the comments!

Nov 1, 2012

How To Upgrade From SSL to GnuTLS for Apache in Ubuntu

This post is about moving away from the old school implementation of SSL and upgrading to TLS, or specifically GnuTLS, in Apache on Ubuntu Linux. The reason you would want to do this is so that your web server will support the more secure TLS versions 1.1 and 1.2.

The main reason one would want to replace SSL with TLS though is probably because they found out during a PCI scan that their web server was susceptible to the BEAST attack, and it was recommended that they upgrade to TLS 1.1 or TLS 1.2. No matter the reason, it's not that difficult.

First you will want to disable SSL in Apache by running:
sudo a2dismod ssl
Next you will want to install GnuTLS by running:
sudo apt-get install libapache2-mod-gnutls
Next you will want to enable the GnuTLS module:
sudo a2enmod gnutls
Now you will need to edit the apache2 config you have for SSL using your favorite text editor. I am using default-ssl located in /etc/apache2/sites-available. Comment out the following items with the # symbol:

#SSLEngine on
#SSLCertificateFile /path/to/public.cer
#SSLCertificateKeyFile /path/to/private.key
#SSLCACertificateFile /path/to/ca-bundle.pem
#SSLOptions +StdEnvVars
#SSLOptions +StdEnvVars
Now change <IfModule mod_ssl.c> at the beginning to <IfModule mod_gnutls.c> and paste the following under #SSLEngine on:
GnuTLSEnable on
GnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0
GnuTLSCertificateFile /path/to/public.cer
GnuTLSKeyFile /path/to/private.key
GnuTLSClientCAFile /path/to/ca-bundle.pem
Now save the file and restart Apache by running:
sudo service apache2 restart
If you have any errors after restarting you may need to comment out some other SSL related items in the config. Otherwise your site should now be using the most secure version of TLS that your browser supports:

The problem with this setup is that not all browsers support TLS 1.1 yet. I'm looking at you Firefox. Anyway, if you still need to be PCI compliant, but still offer support to shitty browsers, you can do it at the expense of encryption strength by only using RC4. To do that replace the string after GnuTLSPriorities to say:


The above string will only give you 128-bit encryption, but will protect you from The BEAST while allowing your users to use shitty browsers.

Pretty cool right? Are you upgrading your web server to TLS 1.1 and 1.2? Is it for PCI compliance issues or something else? Let us know in the comments.
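The reasoning behind this post, the Windows 2008 R2 cipher post and the bank ratings post is the same: BEAST needs SSL 3.0 or TLS 1.0 together with a CBC cipher, so either TLS 1.1+ or a non-CBC cipher such as RC4 takes a result out of scope. Here is an added example (not from the original posts, SSL Labs or Microsoft) that applies that rule to scan results given either as IANA suite names, as in the Windows policy, or as OpenSSL-style names; the scan results in it are constructed, not any real site's.

```python
"""Classify scan results for BEAST exposure the way the posts reason about
it: the attack needs SSL 3.0 or TLS 1.0 together with a CBC-mode cipher,
so either TLS 1.1+ or a non-CBC cipher such as RC4 takes a suite out of
scope. Added example, not from the original posts, SSL Labs or Microsoft;
it accepts IANA suite names as used in the Windows cipher-suite policy
(TLS_RSA_WITH_RC4_128_SHA) and OpenSSL-style names (AES128-SHA), and
SCAN_RESULTS is constructed sample data, not any real site's results.
"""
from typing import List, Tuple

BLOCK_CIPHERS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA")
NON_CBC_MODES = ("GCM", "CCM", "CHACHA")

# Constructed: (protocol, cipher suite) pairs as a scan might negotiate them.
SCAN_RESULTS: List[Tuple[str, str]] = [
    ("TLS 1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),      # the kind of finding the PCI scan flags
    ("TLS 1.0", "TLS_RSA_WITH_RC4_128_SHA"),          # the Windows policy from the post
    ("TLS 1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLS 1.1", "AES256-SHA"),
    ("SSL 3.0", "DES-CBC3-SHA"),
]


def normalize_protocol(proto: str) -> str:
    """Map the spellings used by SSL Labs, OpenSSL and GnuTLS
    (TLS 1.0, TLSv1, TLSv1.0, SSLv3, SSL 3.0 ...) to a canonical label."""
    p = proto.upper().replace(" ", "").replace("V", "")
    table = {"SSL3": "SSL3", "SSL3.0": "SSL3", "TLS1": "TLS1.0", "TLS1.0": "TLS1.0",
             "TLS1.1": "TLS1.1", "TLS1.2": "TLS1.2"}
    if p not in table:
        raise ValueError("unrecognised protocol %r" % proto)
    return table[p]


def is_cbc_suite(suite: str) -> bool:
    """True for block ciphers in CBC mode. RC4 is a stream cipher; GCM/CCM
    are not CBC. OpenSSL short names omit 'CBC' (AES128-SHA is AES-CBC)."""
    s = suite.upper()
    if "RC4" in s or any(mode in s for mode in NON_CBC_MODES):
        return False
    if "CBC" in s:
        return True
    return any(cipher in s for cipher in BLOCK_CIPHERS)


def beast_exposed(proto: str, suite: str) -> bool:
    """The combination the PCI scan flags: SSL3/TLS1.0 with a CBC cipher."""
    return normalize_protocol(proto) in ("SSL3", "TLS1.0") and is_cbc_suite(suite)


def verdict(proto: str, suite: str) -> str:
    """One-line explanation of why a result is or is not in scope."""
    label = normalize_protocol(proto)
    if beast_exposed(proto, suite):
        return "BEAST: CBC cipher over " + label
    if label in ("TLS1.1", "TLS1.2"):
        return "ok: " + label
    return "ok: non-CBC cipher"


def non_rc4_suites(suites: List[str]) -> List[str]:
    """After applying the RC4-only policy, anything returned here means the
    policy did not take effect (a reboot is still pending, for example)."""
    return [s for s in suites if "RC4" not in s.upper()]


if __name__ == "__main__":
    for proto, suite in SCAN_RESULTS:
        print("%-8s %-36s %s" % (proto, suite, verdict(proto, suite)))
```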
