Not only are they doing a great job, by providing us with the tools we need to licence our creative work (or not so creative), but they also do everything they can to help everyone. My own site uses a CC licence, so I can only be proud of talking about them.

In their own words:

Creative Commons provides free tools that let authors, scientists, artists, and educators easily mark their creative work with the freedoms they want it to carry. You can use CC to change your copyright terms from “All Rights Reserved” to “Some Rights Reserved.”

I’m doing a presentation at my University, in a discipline regarding communications techniques, and I decided to speak about Creative Commons. I wanted to give something to my audience, so I’ve contacted CC, requesting some flyers or any merchandise they could send me, so I could do a better interactive work with everyone.

They were so great, and answered really fast! In six days I received a mail order with a lot’s of stickers and some postcards, all Creative Commons related.

I think everyone, should follow their example, and be professional like this!

Once again, THANK YOU Creative Commons, I will do anything at my power to spread the word! Keep up the good work!

Since I’m not a big windows user, except for a desktop that his only purpose is to download Linux distros using bit torrent protocol, I was not fully aware of this limitation.

So I did some quick research and realized that this limitation was not a Windows problem, but a hardware problem! You see, 32-bit systems have a limit of memory that they can use. Normally this is 4GB minus the total ammount of memory in the Video Card, the BIOS and everything inside you machine that has memory. So most of the users that now buy 4Gib ram to use with their brand new Vista machine, get stucked at 3 ou 3,5 Gib.

Even thouhg Linux also suffers from the same limitations, it is able to handle higher memory installed, since it uses correctly the PAE… What is PAE you might ask? PAE, or Physical Address Extension is a feature that allows the use of more than 4Gib of physical memory, given apropriate operating system support for this feature.

There are some things you might do to enable PAE in 32-bit Vista, but I haven’t tryed yet this.. maybe in the future…

Here are some places you can go, to read a little bit more and try for yourself:

• Enabling PAE in Vista
• Wiki on PAE
• Microsoft on PAE in Vista

In the future, this limitation will be overcome, since the use of 64-bit systems sets the memory limit much higher. If you want 4Gib, with no hassle just switch to a superior operating system like GNU/Linux or Mac OS X =)

Today I received a e-mail from a good friend of mine, to make a test to know how likely would I eat my friends in case of emergency. The website is called “Would You Eat Your Buddies in a Blizzard?”. Here I post my results, and invite you to take the test and post back your results in the comments… I want to know with who I would arrange my vacations!!!

54%

1. Download Putty to you desktop
2. Change the name of the file, from putty.exe to ssh.exe
3. Move this file to your Windows directory (should be on you drive C:\)
4. Press Windows Key + R (shortcut for run command)
5. Type ssh user@remote.example.com (use your own user and server)

If you got everything right, you now will be asked for your user password.. You can do it even smarter, and use public key authentication, which I love so much, and no more typing would be necessary.

Very cool right? No more fiddling for Putty.exe, no more clicks, no more hassle.. Just “RUN+ssh+options” and this will get you there! Like I said, SSH on Windows… The smart way!

Enjoy!

• Changed default listen port (default is 22)
• Only allow SSH protocol 2 (there are 2 versions of SSH, version 2 is far more secure)
• Disabled root login
• Allowed only some users to login
• Disabled password login
• Set up a private/public key method for authentication
• Set a a firewall rule for those script kiddies who like to knock on my server doors

These were the steps, and believe me, it’s not that big a deal to go through them. Let’s now describe each one!

Default Listen Port
By default, the Open SSH server comes with listen TCP port set to 22. Not trying to make security by obscurity, if you change this default behavior, at least those script kiddies, who scan your port 22, and hammer you with the defaults logins, will be dropped, and your bandwidth will be spared. So head to /etc/ssh (the default directory, most distros) and edit your sshd_confing. On the line: “Port 22“, change this to something else, higher than 1024, because usually port scanners don’t go higher than this by default; for example, use port 2222. When connecting to you server, don’t forget to specify the port number (in the command line this goes by ssh -p 2222 hostname).

SSH protocol 2
In the present, there are 2 versions of SSH protocol. It’s better to go with the latest, since it’s far more secure. So, in the same file you made your port changes, the line which contains the word “Protocol“, put a lonely “2” (probably there is already one there, or 2,1) in front. Save your changes.

Disable root login
Normally for administration purposes, we use the super user (root), but it’s not safe to remote login with this user. If something gets compromised, the attacker will have full power to change anything in your system. So, force logins with other user than the root, and then when you are logged in, su to become root. Believe me, it’s safer this way. So in the same file, when it says “PermitRootLogin“, put a “no” in front. Thats it!

Allow only some users to login
Ok, you now have disabled root login, but any user account on your system will be authorized to remote login. This brings a lot of issues, because more users, means more distributed logins, more chances to security issues (imagine one of your users being kidnapped by a alien, you never know). So authorize one user (you), and if needed, other users, but only if needed. I hope you never left sshd_config, because now we have to search for the line “AllowUsers”. If this line doesn’t exist, add it, in the “#Authentication” part of the file, and specify the users you want to allow login. Example: “AllowUsers user1 user2“. Easy right? Let’s continue.

Password logins
By default, you authenticate in your remote host, by using a combination of user/password. Passwords, by it’s nature are unsafe, so why use them? Next we will set up a digital key authentication, so disable passwords for now. In the same configuration file, change “PasswordAuthentication yes” to “PasswordAuthentication no”. And we are done regarding passwords.

Private/Public key authentication (using DSA)
In the past I explained this (link to previous post). You can use a combination of private/public key to authenticate yourself in a remote host, so use this. Go through that post, and set everything up. Its just a matter of following the steps: (1)ssh-keygen -t dsa; (2)cat ~/.ssh/id_dsa.pub (3)put the output of step (2) in remote ~/.ssh/authorized_keys (chmodded to 600). After making this, edit the lines inside sshd_config, “RSAAuthentication yes”, “PubkeyAuthentication yes” and “AuthorizedKeysFile %h/.ssh/authorized_keys”. And your done here.

Firewall Rule
Would it be great if your firewall detected if someone was knocking on your firewall door? Well, you can use a fully blown intrusion detection system, like Snort (link to snort), but by using simple rules in iptables, we can accomplish some security on the number of times someone tries to login. If you don’t know what iptables are, ignore this step, else, add this rules to your firewall (run this in the CLI or add it to your firewall scripts):

iptables -A INPUT -i ${WAN} -p tcp –dport 2222 -m state –state NEW -m recent –set –name SSH

iptables -A INPUT -i ${WAN} -p tcp –dport 2222 -m state –state NEW -m recent –update –seconds 60 –hitcount 8 –rttl –name SSH -j DROP

The ${WAN} part of the rule, is the network interface you use to connect to your ssh server. I normally export LAN and WAN in a bash script, so I always know what is going where. In the future we will discuss firewall/iptables in detail, for those who do not know about the subject.This simple 2 rules will limit to 8, the number of ssh logins your host will permit in a minute. Thats a huge improvement (only 8 against unlimited attempts).And thats it! This were the steps I made to improve security on my remote host. Combined with a good firewall script, you will get a very tight system, believe me! There are other stuff you can make, like using TCP wrappers, but in my case, I login from a changing IP addres, and this method is not very useful if your IP address changes a lot.Oh, one last thing you can do! If all this methods fail, and someone is able to login using ssh to your server, edit again the /etc/ssh/sshd_config, and in the line “Banner” add in front put “/etc/sshbanner.txt“. Now edit (create) the file /etc/sshbanner.txt and put this inside (copy/paste):

————————————————————————————————————–
WARNING! THIS IS A PRIVATE SSH SERVICE, NOT TO BE USED BY A STRANGER. IF YOU HAVE GAINED ILLICIT ACCESS ON THIS SYSTEM, A CURSE WILL BE SET UPON YOU, AND YOU WILL HAVE A SERIOUS RASH ON YOUR PRIVATE PARTS, AND SUFFER IN AGONIE! YOU HAVE BEEN WARNED!
—————————————————————————————————————

Now, each time a user logs in, he will see this message. If it’s a unwanted user, he will be so scared, that he will log off immediately! =)

Please post back comments, on more things we can use to improve security on our servers!

PS: Don’t forget, when all changes are made, to restart your ssh server (ex: /etc/init.d/ssh restart).

Once inside Disk Utility, just press the “New Image” button.

After this, put the settings that you see in the picture. Here I choose the image’s name secure, the syze 100mb (choose more if you want) and the important thing, in “Encryption“, choose AES-128. If you want to know more about this encryption, read some stuff.

Now, it’s important to choose a strong password, this can be tested by pressing the little key in the next window. This will show you a green bar, that grows, when password gets stronger. If you prefer, let the utility pick a strong password for you. One final thing to take in account: do not remember password in the Keychain, for improved security! So just uncheck that… Click OK, and you are all done!


Now eject the image, and move the secure.dmg inside your pen drive, or anywhere you want! Anytime you want to put new files, just mount the image (double click secure.dmg).

Very easy right? Enjoy simple encryption!

I came up with a name for this project, and the cool thing, is that I can use my domain as an acronym. So DBUGS stands for Digital Backup Using Gmail Storage.

So, what do I have in mind? Well, I came across some weeks ago, with Richard Jone s’s project, the GmailFS. This project, and using his words, provides a mountable Linux filesystem which uses your Gmail account as its storage medium. I read the entire site, and several other sites on the web, only to find out, that although this already can be achieved, some problems still need to be fixed, but since my project for now, exists only on paper, I hope that in the future, a more robust GmailFS, can be used.

What I propose here, is, to combine some cool open source technologies, to obtain a big, expandable online backup, but things like cost and reliability also come to my mind. Now it’s possible to create your own Gmail account for free, and all the tools I suggest using are open-source, so the cost factor, it’s only regarding your Internet connection, which by all means, must be broadband!

So, since it’s possible to mount GMail accounts locally, I started imagining the possibility, to use 2 accounts in a RAID1 setup (mirror), where Gmail_account1 would be the mirror of Gmail_account2. This way, data would be backed up twice, in two different locations. If one dies, the other remains alive, while we add a new one to the array. When I say 2 accounts (arrays), I mean n arrays, since, for RAID1 you can use 2+n arrays, this way, data is mirrored against several locations.

The next step in my theory would be size. Google already offers almost 3GB of storage, and rumors are that they will increase this for 9GB+, but what about if you want more? My thoughts went straight to a LVM setup, for the extra layer of complexity! Now we would have 2+n arrays, each made by LVM volumes, which
would be created using several (1 + N) accounts. Confused? I am! This way, each of the RAID1 array would be stripped across different accounts, and in the future, if we wanted to expand the size of our online backup disk, it was just a matter of creating new accounts, and adding those to each of the LVMs, so our RAID1 array would get bigger.

I also thought of security, and the best to do this, is using disk encryption. Another layer is added to the already tricky setup, but this is not important in the beginning, since for testing, I would not use sensitive data.

To perform the backups, I really think it’s a good idea to use some sort of rsync+cp+mv solution that performs incremental backups, without taking too much space. You can find many options for this online, but one my favorites is RSnapshot. A good source of information for this type of backup is Mike Rubel’s site on the subject.

And that’s it! Several problems must be addressed, and that’s why I started this post. I don’t know if it is either a very stupid idea, or if it can be accomplished and become a cool project. I’m working on some solutions, and I really hope I can post something on the subject anytime soon. Why should I even try this? Because I really think this is a cool idea, and perhaps I will not achieve what I intend, but in the process of failing, lies a path of learning… get it? =)

Please feel free to drop comments on this subject, with suggestions, critics or your help for the project. I’m more than happy to welcome you aboard. Let’s get this one off the paper, and make it work!

First I drew with a pencil, the outline for the disk adapter, which I had at home, then I started cutting, one by one, the sheets of thick paper (they were 60 of them). When I reached the end, I had to make a few adjustments so the blue LED and the USB plug could fit OK, and started to glue each page to each other… unfortunately, my glue was really bad, so I decided to do this later, I just wanted to see the end!

Things went well, and now I have a really cool external hard drive. I even have the Moleskine icon when the disk is connected to my Mac, so I couldn’t be more happy! To finish the “spy” disk, I created a encrypted 40GB image in Apple’s Disk Utility, and put this inside my hard drive. Now I have a really safe place to store sensible information (which I know its not safe, since this can burn at any moment, but I make backups, don’t worry).

There you have it… (time+moleskine+hard drive+nothing better to do = moleskine external drive)
Hope you like it, give me your opinion!

We have to post these rules before we give you the facts.

Players start with eight random facts/habits about themselves.

People who are tagged need to write their own blog about their eight things and post these rules.

At the end of your blog, you need to choose eight people to get tagged and list their names.

Don’t forget to leave them a comment telling them they’re tagged, and to read your blog

It’s going to be hard to tag 8 more people, since I don’t know that many bloggers online…

Here are my 8 random facts:

1. My favorite drink is Coca-Cola, which is also the name given to a person which was born at Maputo, capital of Mozambique (where I was born)
2. I used to hate cats, and now, me and my girlfriend share the house with 2
3. I absolutely love to cook anything from fresh pasta, sushi, to the more regular food… I truly believe if I wasn’t a computer geek I was studying for chef
4. I already set my feet on 12 different countries (this by the time I was 20)
5. I never sleep with my socks on, but I have to get in bed with them
6. I panic if someone squeezes my nose
7. Once I was run over by a luggage truck, on my way to surprise my mother in the airplane
8. Once I was truly disappointed to know that my dream of being an astronaut would be impossible, because I have more than the permitted height, both in NASA and in ESA… I measure 1,94 meters!

And thats it! For now I only have one blog buddy besides Rick, but I will update my list in the future.
I choose to tag Artur Martins on his blog.

I hope I get this list bigger… =)