Sach Ka Samna — Some InfoSec Myths, Busted

OK, I am not Rajeev Khandelwal, but like our world, information security has its own share of myths that, over a period of time, have gathered quite a collection of believers behind them, masking the truth. This article is an attempt to bust a few of them.

Long passwords mean a secure system

Long passwords mean one thing — I will write it down somewhere!

No, seriously. How else would I remember it?

Does that mean we should shorten our passwords? Not really. God is (as has always been) in the detail.

What it means is that we have to be careful while choosing a password. Keep it easy to remember, yet tough for others to guess (yeah, all the best!). It also means that every time we choose to write it down somewhere, we are on our way to making our system insecure.

Oh, I almost forgot the mother of all password mistakes — sharing it with others!

Security is a trade-off. Be careful what you trade it for!

Keeping anti-virus updated will save me from viruses

The anti-virus industry is like the cops. We all know the probabilities and outcome of cop vs. thief: the cop has to win every time, the thief only once. What it means is, if you have a paid version AND the anti-virus you currently use is the market leader (tough to determine), you can sleep on weekends (at night, sometimes).

Does that mean we should shut our systems down and dust our papers and pens off?

Update your anti-virus daily (and keep a licensed copy of it, please. Kaspersky has gone cheap. And no, I have not yet received any commission from them!), and while you are at it, keep a backup of your important data. On separate media (not on a separate partition of the same machine).

Also, think about a firewall and getting it installed on your machine.

SSL is secure

Nothing is 100% secure. That small padlock icon means that the data between the client (your browser) and the server (where the website is stored) is encrypted. But it doesn’t mean that people cannot sniff the data (if the server is compromised, or if somebody intercepted the initial cryptographic key exchange — the classic Man In the Middle).

If I don’t access Internet from my machine, my data is secure

True. But then you have to stop using USB sticks and stop using CDs/DVDs. In other words, stop using your computer.

Bottom line, there are more ways to get into your machine than there are hairs on my head (I am not bald!). What it takes to secure your machine is a collection of good security practices (including some boring work like patching your machines, changing your password regularly, not sharing your password, etc.).

Linux is more secure than Windows

While I personally like Linux (because of its power), it is also true that a mis-configured (or entirely unconfigured) Linux box is no better than Windows.

So, should we dump all our Windows systems and migrate to Linux? For most of us the answer is NO. One, we will have a hard time finding proper versions of everything that we require for our business. Two, the work associated with migration (including testing and training) doesn’t make it a viable solution.

A possible solution could be to use Linux for some servers (like file and mail servers) while keeping Windows for clients.

Information Security Standards & regulations are just a pain-in-u-know-where

I couldn’t agree more! However, regulations are there because they are a response to some real pain that businesses have been facing for quite some time. Regulations like HIPAA, HITECH and SOX evolved out of a business need to secure customer data. Ideally, they shouldn’t need to exist: corporations/enterprises should have included security as part of their SDLC. More on that later, however.

We have to worry about hackers

Reports have shown that internal threats are more dangerous than outside ones. After all, we know the loopholes, right? The thing is, not everyone is unprofessional. People don’t do these kinds of things very often (even in a cut-throat world like ours). However, the cost of one incident is so great (IP loss, loss of image, etc.) that organizations have to consider this threat as real. Where there is money, there will be criminals (real or virtual).

Further, the increasing reliance on contractors, consultants and outsourced vendors increases the exposure.

Main Khelega

India vs. Pakistan, 1989, Sialkot

A bleeding nose.
Concerned people, seeking medical attention for the lad

Main Khelega, One Answer
Four in next ball, answer sealed, stamped and delivered.

Sachin Tendulkar
Answer to our fervent prayers for a hero, so unblemished, so integral, giving hope to parasites like me, reminding us of one’s strength and ability to become whatever one wants!

Main Khelega
Because Karma is what we should do, karma is what makes us, karma is our link & our salvation.

To India Integral & to a Hero
Main Khelega!

Remove the blogger navbar

You must have noticed the Blogger navbar (also called the navigation bar) on top of almost every blog (on Blogger, of course!). It looks like this (part of it):-

[image: a portion of the Blogger navbar]

I will tell you why it is not visible on my blog (oops, site!), and also why it is not visible on many other Blogger blogs. The reason is that they disable it using a CSS trick, which is neat. Take a look at this blog on Blogger for a step-by-step procedure on how to make the navbar go poof (Dresden Files, anyone?). I used the steps mentioned in the blog, and it worked like a charm. Also, it completes the deception (as far as my website is concerned 😉 ).

Use Google to host your website : For Free! — Part TWO

In my last post, I wrote about why I chose to use Google Blogger to host my website. Here are the basic steps to do so:-

  1. Create a blog on Blogger;
  2. Modify the blog design;
  3. Change configurations in your DNS settings (of the domain that you own) and that of the blog.

Now let’s tackle the steps in detail.

  1. Creating a blog on Blogger is not very difficult, so I won’t describe it here. A step-by-step video tutorial on how to create a blog on Blogger (aka Blogspot) is available on the Internet. However, why two names for one blogging platform? Beats me!
  2. Now, we are going to make our blog look like a website. Please follow the steps below to do so:-
     1. Logon to using your ID and password;
     2. Under the heading “Manage Blogs”, click on “Design” for the blog whose design you want to change (you will see many blogs under the heading if you maintain more than one blog using one user ID. It makes me gape at the stamina of people who maintain more than one blog! However, I digress).
     3. Click on “Template Designer”.
     4. Choose a template by clicking on it. After making your changes, click “Apply to Blog”.
     5. Click “Back to Blogger”;
     6. Click “Posting”.
     7. Click on “Edit Pages”. Click “Leave this Page” (if a window comes up asking whether you want to save any changes on this page).
     8. Click on “Create a Page”.
     9. Provide a page title and page text for the page (e.g., the page title could be “About Me” and the page text a brief description of yourself).
     10. Click “Publish Page”.
     11. Now Blogger will ask you where to place the page(s). Choose the “Blog Tabs” option.
     12. Click “Save and Publish”.
     13. That’s it! You now have a blog with a website-ish look!

To create and add further pages, log on to your blog, go to “New Post”, click “Edit Pages”, then click “New Page” to add another page to your site.

Now, to the most important aspect of them all — how to configure your DNS settings so that every time someone types, it takes them to without changing the address in the address bar! Yes, that is very important (we are not doing any redirection here). But before that, let me put my gyaan hat on and deliver a very boring lecture to you (you can skip it, but then I would come to know about it and would deliver a curse that all your close relatives will be turned into gyaan-vriksh and would treat you as wanting some free gyaan. You know the results of that, don’t you!).

Basically, every time you type a website address into your browser’s address bar, a few things happen:-

  1. The browser tries to locate the IP address of the server where the site is stored (using some hocus-pocus known as name resolution, in coordination with a group of servers called DNS servers);
  2. Once the IP address is known, the browser requests the website (that you asked for) from the server at that IP address;
  3. The server sends a copy of the website to the browser, and the browser displays it to you.

Phew, some steps! So don’t blame your browser the next time it fails to show the latest pics of some celeb who wanted her 15 seconds of fame because India won the WC, because the server might have been the culprit.

Anyways, back to the topic (men are pigs, I tell you!). Now, here, Google not only allows us to use its servers for our blogs, it also allows us to tell everyone their address (well, not strictly the IP address, just the host name; the rest is managed by Google).

To do all this, you MUST have a valid domain name that is registered to you. If you don’t have one, you can use one of the many registrar sites that sell domain names. Use one of them to buy a domain name of your choice.

After you have bought a domain name, visit the Google help center page that details how to publish your blog under your domain name. Follow the steps below once you reach the Google help center page:-

  1. Select “Host my blog on a URL that i already own”.
  2. Select “on a top level domain (
  3. Now you have to add something known as a CNAME. Another Google support page has step-wise instructions on how to do that for your domain registrar.
  4. After you are done adding the CNAME, you have to add some IP addresses to your “A Records”. If you don’t fill in the “A Records”, visitors who leave the “www” off your site address while looking for it will see an error page. You will find the “A Records” on the same page of the DNS Manager provided by your hosting service. You will need to create four “A Records” pointing to the following four different Google IPs:-
  9. After you add them, you have to save your zone file (there would be a button on the hosting provider’s interface somewhere to save it). Wait for an hour or so before moving on to the next step.
  10. Now, log on to Blogger, and go to “Settings” > “Publishing”.
  11. Click “Custom Domain”.
  12. Write in your new URL (, and save your settings. If you do not enter the “www,” you will receive an error message.
  13. You are done!
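A quick self-check for the records set up in the steps above, added here as an example (it is not part of the original post or of Google's instructions): it parses a few zone-file style lines, constructed inline with placeholder IPs and a placeholder CNAME target (not Google's real values), and flags the mistakes the steps warn about, such as missing "A Records" for the bare domain.

```python
import ipaddress

# Constructed sample zone fragment: the IPs and the CNAME target are
# placeholders, NOT Google's real values (take those from the help page).
SAMPLE_ZONE = """$ORIGIN example.com.
@      IN  A      192.0.2.10
@      IN  A      192.0.2.11
@      IN  A      192.0.2.12
@      IN  A      192.0.2.13
www    IN  CNAME  blog-host.example.net.
"""


def parse_zone(text):
    """Return (name, type, value) tuples; skips $directives, comments, blanks."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ; comments
        if not line or line.startswith("$"):
            continue
        # Accept "name [ttl] [IN] type value": drop the optional TTL and class.
        fields = [f for f in line.split() if f != "IN" and not f.isdigit()]
        if len(fields) < 3:
            continue
        records.append((fields[0], fields[1].upper(), fields[2]))
    return records


def check_records(records):
    """Return a list of problems; an empty list means the setup looks right."""
    problems = []
    apex = [r for r in records if r[0] == "@"]
    www = [r for r in records if r[0] == "www"]
    apex_a = [r for r in apex if r[1] == "A"]
    if not any(r[1] == "CNAME" for r in www):
        problems.append("www has no CNAME record")
    if not apex_a:
        problems.append("bare domain has no A records (visitors who omit www get an error)")
    if any(r[1] == "CNAME" for r in apex):
        # RFC 1034: a CNAME may not share its name with any other record.
        problems.append("CNAME on the bare domain is not allowed alongside A records")
    for _, _, value in apex_a:
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"A record value {value!r} is not an IPv4 address")
    return problems


if __name__ == "__main__":
    print(check_records(parse_zone(SAMPLE_ZONE)) or "zone fragment looks good")
```

Paste your own records into `SAMPLE_ZONE` (with the real values from Google's help page) before saving the zone file, and fix anything the check reports.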

Some helpful notes:

  1. If your new domain isn’t taking you to your blog, wait another day or two to make sure all the DNS servers have been updated. If it still isn’t working, contact your registrar to make sure you entered the DNS settings correctly.
  2. Your original BlogSpot address will automatically forward to your new domain. That way, any existing links or bookmarks to your site will still work.