wtogami's Journal

Below are the 20 most recent journal entries recorded in wtogami's LiveJournal:

Monday, August 1st, 2011
7:56 am
Moved to Blogspot
All further blog entries are now on Blogspot.
Wednesday, June 15th, 2011
11:30 am
Flawed Facebook Policy on Hacked Pages Exposes Users to Security Risk
UPDATE: 6/20/2011
After one week, Facebook finally fixed this problem and returned this particular page to its rightful owner.  Unfortunately, judging from this discussion where hundreds of page owners have been crying for help for 6+ months, Facebook page theft remains rampant and will continue to be a terrible problem as their policies make it nearly impossible to recover a page.  The only reason this particular page was recovered was due to the pressure of thousands of outraged followers.

Facebook page theft is a soft target with high reward.  It is simply too easy to steal a Facebook page through the use of computer viruses and spyware.   The reward to the attacker is very high, as they can use the hijacked page as a platform to infect confused page followers with viruses.  Meanwhile, Facebook allows it to happen as it is their policy to never help legitimate owners recover their stolen pages.

How would you feel if you spent the last year building your Facebook fan page with thousands of followers, only for it to be hijacked, allowing the attacker to ruin your reputation by insulting your followers and attempting phishing attacks on your fans/customers?   By current Facebook policies you cannot recover your stolen page.

On Monday, June 13th, a popular Facebook Fan Page for a canceled TV show was hijacked by a script kiddie on a power trip.  The attacker apparently targets admins of popular pages using phishing techniques to trick them into visiting dangerous websites, where their cookies are stolen or browsers exploited to install trojans and key loggers necessary to fully compromise their account.  Once the attacker gains control of a Page admin's Facebook account, they are able to fully seize control by removing all previous admins.

Now two days later, the attacker continues to post taunting messages bragging about his conquest.  Even worse, the page's 55k+ fans are exposed to confusing and dangerous links to sites that attempt to steal their cookies or exploit their browsers, an effective method of using the social network itself to compromise other accounts and hijack other popular fan pages.  Despite the pleas of thousands of followers reporting the dangerously abusive phishing links on the self-proclaimed hacked page, it is apparently Facebook policy to do nothing.

Please note that it is not technically possible to compromise a Facebook group or Page. As long as the current administrators of a group keep their login details secure, keep their account enabled, and do not allow any suspicious people to become admins, then the group or Page will remain secure. If an unauthorized person gains admin status, we encourage you to contact them directly to resolve this matter. Unfortunately, Facebook is not able to reinstate you as an admin for any group or Page.
Facebook is unreasonable in these expectations, as it is far too easy for ordinary users to be infected by viruses and spyware and their personal accounts to become compromised.  As an administrator of other Facebook pages for both companies and non-profit causes, it is absolutely frightening to learn that if the account of any page co-admin is compromised, then weeks or months of hard work may be stolen with NO RECOURSE.  Most egregious of all, Facebook is unwilling to do anything about attackers using compromised pages as phishing attack platforms.  Facebook's unwillingness to get involved puts the security of users at risk.

Some have suggested that Facebook could mitigate this problem of page hijacking by allowing greater protections to Creators like page-level mandatory cell phone verification or allowing the delegation of "assistant admins" incapable of removing other admins.  While these measures would have likely helped to prevent this particular compromise, it wouldn't stop a determined attacker when the reward can be so large.  Ultimately the policy of never returning a clearly stolen page to its rightful owner must be changed.

Facebook's social networking can be an invaluable tool to improve customer loyalty around a business or organize people around a cause.  Unfortunately, given current policies, companies should be wary of investing real money in Facebook ads or putting significant effort into Facebook page recruitment when all of their hard work can be too easily destroyed.
Monday, March 14th, 2011
5:07 pm
Serious DST Bug in Android and Google Calendar Sync
There is a serious issue affecting users who live in states that do not observe DST, like Arizona or Hawaii: appointments in your calendar erroneously shift by one hour when DST changes in most other states.  Searching around both Google Calendar Help and Android bugs, it seems this has been going on since at least 2009.

To make matters worse, in this bug Google seems to be blaming the users for misconfiguring their phones or Google Calendar timezones.

This issue seems more insidious than simply a correctable "view" when you change the timezone settings.  Today I found that all of my one-time appointments had shifted one hour earlier, while weekly repeating appointments kept the correct time.  It seems the stored time itself was changed within Google Calendar's server-side for only a portion of appointments, so changing your view will not correct this error.  I may need to go through all of my appointments of the next year and manually decide if times need correction. =(
Monday, January 3rd, 2011
10:59 am
Blogger and Planet, Edit Post Bump Annoyance
I just now discovered an annoying behavior with Blogger and my new blog syndicated to Planet.  Apparently every time I edit an old post, it bumps a field in the atom feed that causes Planet to bump old posts to the top.  This old post indicates this has been a common problem with Planet in the past.  Is this a bug in Planet, misconfiguration in Planet, or a bug in Blogger?

UPDATE: Add ?alt=rss to the Blogger feed URL and it solves this problem!
Thursday, October 14th, 2010
5:42 pm
Cable Modem and Direct Sunlight
Oceanic Time Warner's Scientific Atlanta cable modem would mysteriously screw up and randomly drop lots of packets every afternoon.  The cable modem and wireless routers were high-up off the ground (for better wireless signal strength) right in front of a window.  I simply put the black plastic cable modem on the floor below the window, and the cable modem began working perfectly.  Direct sunlight was causing the cable modem to overheat mysteriously only in the afternoon. =)
Friday, September 17th, 2010
11:06 pm
Warren's Sprint Epic 4G Review
Just a few thoughts about the Sprint Epic 4G.

  • MUCH BETTER THAN EVO: I previously had the Evo 4G for 30 days.  It was a great phone, but I disliked the lack of hardware keyboard and the screen was just too wide.  The Samsung Galaxy S seems to be about the upper limit of acceptable phone size.
  • BEST SPRINT PHONE EVER, especially if you live in a 4G area.  I love the real hardware keyboard.  Battery life is pretty good.  Android UI and apps are very responsive.  The apps included by Sprint (Telenav, Swype) are more useful than the stock apps included on my friend's Verizon Droid Incredible.  I think it might even be currently the best Android phone out of all the carriers.
  • CUSTOMER SERVICE: Not about the phone, but I think it is important to mention.   I've been with Sprint for the past decade.  I've witnessed lousy customer service a few years ago, but I stuck with Sprint largely because I was grandfathered into an extremely cheap legacy plan.  But in the last year or two I've noticed they've seriously turned things around.  Their 30 day return policy surprised me.  I disliked my previous Android phone.  They let me return it and reverted to my previous contract, no questions asked.
  • POOR USB PLACEMENT: Micro-USB on the top of the phone?  WTF were they thinking?  Makes it very annoying to talk on the phone while the USB cable is plugged in.
  • DOCK DISASTER: Samsung's official desk dock for the Epic 4G is a complete failure of design.  Even worse than Masochist's Teapot fail.  The phone does not behave differently while in the dock.  The screen remains in vertical orientation while the phone is horizontal in the dock.  The volume buttons are under the phone, out of reach so you cannot change the volume of music while it is docked.  To make matters worse placement into the dock often pushes on the volume buttons making it max out or mute the volume.  Finally, you cannot have the phone in either of the two cases that they sell in the Sprint store, because the phone will no longer fit into the dock.  Don't waste your money on the dock.  UPDATE: A commenter pointed out that you need to install an app for the dock to automatically become a horizontal desk clock.  So it isn't that bad.  Only why didn't they install this app by default?
  • ANNOYING BATTERY FULL NOTICE: When the battery is full, it chimes and asks you to unplug the USB charger.  Who thought this would be a good idea?  Nobody is going to follow those directions and it is annoying to hear the chime for no good reason a few hours after you went to sleep.
This is one seriously awesome phone.  Sadly they completely failed on the design of specific aspects like the USB port placement and dock.  At least the Battery Full notice could be fixed in a future firmware update.
10:29 pm
How to get MSL Code from Sprint Epic 4G
Tested on Sprint Epic 4G running Android 2.1 Eclair.  Reportedly works on Sprint Evo 4G as well.
  1. Root the phone and install busybox.
  2. Install ConnectBot
  3. Connect to Local
  4. getprop ril.MSL
Sunday, July 18th, 2010
12:00 pm
Palm Pre: Still a Good Phone
I've had the Sprint Palm Pre for ~13 months now.  It had some initial problems with build quality of the first batch, but after the warranty replacement I have had no problems for the past year.  Early during June I upgraded to the HTC Evo 4G.  The Evo is a very sweet phone in many respects.  It is very clearly one of the best phones on the market now along with Droid Incredible, Droid X or Samsung Galaxy S.  But I had three key problems:
  • The Evo is too huge.  With the 4.3in screen it crosses the line of acceptable upper bound size for a phone.
  • On-Screen keyboard.  It is simply clumsy and slow to use compared to a real physical keyboard.
  • The Android UI is less streamlined in design compared to WebOS.  Various tasks on my Palm Pre that would take mere seconds would take 5X as long on the Evo.  I found myself missing the sweeping gestures of the WebOS interface.  I do not need to press upon precise locations on the screen to go "Back".  Multitasking between apps on WebOS is very smooth with the card sweeping gestures.
Having used the HTC Evo 4G for a month, it became clear to me that Palm put a serious amount of good design into the usability of WebOS.  There is a lot to like about the WebOS platform.  Hackers have seen how friendly Palm has been toward developers.  FOSS developers have commented about how Palm used various Open Source components like upstart and pulseaudio in a well-integrated fashion.  If WebOS had launched a year earlier and with fewer initial hardware glitches, it might now be a serious contender to Android.  But various indicators now show that Palm simply lacks the momentum of customers against the likes of RIM, Apple or Android.  Palm is heavily investing in their app ecosystem, without which they have no chance.  It remains to be seen if HP's continued investment will keep the platform alive.

I returned the HTC Evo 4G under Sprint's excellent no questions asked 30 day trial policy.  The Evo is a very good phone, but I'm simply more productive with the streamlined interface of WebOS.  I think the ideal phone would be a larger Pre, with horizontal instead of vertical slide-out keyboard and modern 1GHz processor.  Unfortunately it seems no such device is in the plans.  HP seems to be working on a WebOS tablet.  I might consider the Samsung Epic 4G.  The slide-out horizontal keyboard might make it usable enough for me to tolerate the UI negatives of Android.
Saturday, March 27th, 2010
3:16 am
Paula Cole in Phoenix Saturday Night 9:00pm
Thursday I flew out from Boston to visit my friend in Phoenix, Arizona.  While waiting for the plane I met this woman Jill who happened to be the tour manager for Paula Cole.  Admittedly I did not know of Paula Cole prior to that day.  But I looked her up and realized that I was familiar with some of her songs including the theme song of Dawson's Creek.  She studied music and Jazz from Berklee College of Music in Boston and is a Grammy Award winner.  As a wannabe musician, I have such a deep appreciation for genuine artists, especially singer-songwriters with formal roots.

Friday night we went to see her perform.  It was a bit of an unusual performance in the tiny lounge of Harrah's Ak-Chin Casino in Maricopa.  Not an ideal venue for this type of performance when you're surrounded by people who have more interest in the slot machine than the world-class performer only a few yards away.  But not bad for a FREE concert!  We got there a bit early to be sure we had the best seats in the lounge, ate some food from the takeout place around the left side of the lounge, and sipped some mixed drinks.  She played mainly a mainstream style of music tailored for this particular crowd.  I've seen videos of other performances where she does Jazz standards, so I know she is capable of a broader spectrum of musical styles.  At the end of the performance she did some freestyle beat-boxing that was interesting to see.
Sunday, March 21st, 2010
9:58 pm
spamassassin-3.3.1 RPM Packages
spamassassin-3.3.1 was released last week.  It fixes a few minor bugs from the 3.3.0 release, but most importantly adds support for the new URIBL Spamhaus DBL.  See the 3.3.0 RPM announcement for other notes that remain relevant to this release.
Picture for no particular reason except that any picture makes a blog post more interesting.
Packages for Fedora 11, Fedora 12, and Fedora 13.
Packages for RHEL5.  Requires deps from EPEL5.
Tuesday, January 26th, 2010
11:53 am
spamassassin-3.3.0 RPM Packages for Fedora or RHEL-5
spamassassin-3.3.0 was released on January 26th, 2010 by the Apache Software Foundation.  This is a very important upgrade for mail administrators, as it is the first major version upgrade in nearly 3 years.  While many improvements were made to the rules, for the most part it is nearly a drop-in replacement for spamassassin-3.2.x.  3.3.0 trunk has generally been of better quality in both stability and spam detection capability than 3.2.5 for many months now. I personally have been running snapshots leading to this beta release on my production RHEL5 server since early 2009.
Picture for no particular reason except that any picture makes a blog post more interesting.

While 3.3.0 is much improved, the most exciting part of the 3.3.x series is improving upstream processes to enable more frequent rule updates, in order to better combat changing spamming patterns.
  • Rule development and auto-promotion to stable rule updates happen in the same source control, encouraging new and updated rules to land in the sa-update channel far more regularly.
  • Expanded recruitment of additional volunteers for the Nightly MassCheck.  While any volunteers willing to sort mail are helpful, non-English speakers are in high demand.  More variety of types of ham and spam used in nightly automated checks of SpamAssassin helps to improve the quality and safety of rules.  A larger sample size allows for Rescore MassChecks to happen more often, allowing for more frequent balancing of new rules and greater overall safety.  If you can sort mail into separate ham/spam folders, you can help to improve spamassassin.

Major Changes Specific to Fedora/RHEL SpamAssassin 3.3.0 RPM Packages
  • See upstream's release notes for complete details of this new upstream release.  Many of the rules were made safer especially for a few non-English languages (Japanese and Italian tested), while many other rules were improved or added since the 3.2.x series.
  • Rule updates are now ENABLED BY DEFAULT on a nightly basis.  As of 3.3.0 upstream considers rule updates mandatory.  You may edit /etc/cron.d/sa-update if you wish to modify or disable the scheduled time where update occurs.  /usr/share/spamassassin/sa-update.cron is the script that runs.  Channel definitions are defined in .conf files contained in /etc/mail/spamassassin/channel.d/ where you can see the simple config format and make your own .conf file if you wish to add additional channels.  You will note that the script updates by default only if it sees a spamd, amavisd or mimedefang daemon running.
  • Justin Mason's SOUGHT anti-fraud channel is enabled by default for nightly updates.  From personal testing SOUGHT is the only non-default channel that I personally trust as safe and effective.  Read about its interesting auto-generation methodology.
  • Subscribe for Spamassassin RPM News at Warren's announce-only mailing list.  You will occasionally receive news and helpful tips to improve your spamassassin configuration.
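As an added example (not the sa-update.cron script shipped in the RPM), here is a nightly wrapper with the behaviour described above: it runs only while a spamd, amavisd or mimedefang process exists, builds the channel list from channel.d, and acts on sa-update's exit status. Assumptions: each .conf holds one channel name per line with `#` comments, and spamd is restarted with `service spamassassin restart`.

```shell
#!/bin/sh
# Added example, not the sa-update.cron shipped in the RPM. Assumptions:
# channel files hold one channel name per line ('#' comments allowed) and
# spamd is restarted via 'service spamassassin restart'.
CHANNEL_DIR="${CHANNEL_DIR:-/etc/mail/spamassassin/channel.d}"

# Return 0 when one of the named daemons is running (defaults to the three the
# post mentions). Reads /proc directly so it works without ps or pgrep.
filter_running() {
    [ $# -gt 0 ] || set -- spamd amavisd mimedefang
    for pid_dir in /proc/[0-9]*; do
        [ -r "$pid_dir/comm" ] || continue
        name=$(cat "$pid_dir/comm" 2>/dev/null) || continue
        for daemon in "$@"; do
            [ "$name" = "$daemon" ] && return 0
        done
    done
    return 1
}

# Print every channel name configured in DIR/*.conf, one per line,
# with blank lines and '#' comments removed.
list_channels() {
    dir="${1:-$CHANNEL_DIR}"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$conf"
    done
}

# sa-update's exit status: 0 = new rules installed, 1 = nothing newer
# available, anything else = failure (the rules on disk are left untouched).
describe_exit() {
    case "$1" in
        0) echo updated ;;
        1) echo unchanged ;;
        *) echo error ;;
    esac
}

run_update() {
    if ! filter_running; then
        echo "no spamd/amavisd/mimedefang running, skipping rule update"
        return 0
    fi
    channels=$(list_channels)
    [ -n "$channels" ] || { echo "no channels configured in $CHANNEL_DIR" >&2; return 2; }
    args=""
    for ch in $channels; do args="$args --channel $ch"; done
    # sa-update verifies the GPG signature of each channel before installing it;
    # keys for non-default channels must have been imported with 'sa-update --import'.
    if sa-update $args; then status=0; else status=$?; fi
    case "$(describe_exit "$status")" in
        updated) service spamassassin restart ;;
        error)   echo "sa-update failed with status $status" >&2; return "$status" ;;
    esac
    return 0
}

case "${1:-}" in --run) run_update ;; esac
```

Point a cron entry at `this-script --run`; a status of 1 from sa-update is normal on nights with no new rules and is deliberately not treated as an error.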

Upgrade Notes (some stuff that I'm aware of that may affect Fedora or RHEL users)
  • amavisd-new-2.6.2 is the minimum compatible version with spamassassin-3.3.0.  This ticket contains a possible quick workaround to make your old version of amavis compatible.  This is only an issue for EPEL5 users which currently has an older version of amavisd-new.  Steve is aware of the issue and will be upgrading the EPEL5 version soon.
  • maia-1.0.2a is INCOMPATIBLE with spamassassin-3.3.0.  Upstream is aware of the issue and said they are working on this.
  • mimedefang versions in EPEL5 and Fedora are reportedly good.
  • STOP USING SARE or OpenProtect.  They died a long time ago.  Some of their rules are dangerous or redundant.  Many of the better rules were integrated into spamassassin upstream.

Download RPM Packages

  • Packages for Fedora 12 or Fedora 11.
  • RHEL5: I personally use these scratch builds.  You will need some new perl module dependencies from EPEL5. The plan is to push spamassassin-3.3.0 final + new perl modules to RHEL-5 sometime early 2010 after extensive testing.  But for now these are unofficial test packages.  Please file bugs if you see any problems.
  • Optional packages: These packages are not required, but they probably will improve your spam filtering results.
    • yum install perl-Mail-DKIM perl-Mail-SPF pyzor perl-Razor-Agent

File Bugs
  • SpamAssassin Bugzilla for most issues.  If you report upstream please indicate the exact package version you are running as reported by rpm -q spamassassin and where you obtained that package.
  • Red Hat Bugzilla if you are having an issue specific to my Fedora or RHEL5 package.

Subscribe for Fedora/RHEL SpamAssassin RPM News
  • Warren runs this announce-only mailing list.  You will occasionally receive news and helpful tips to improve your spamassassin configuration, or warnings of new problems and workarounds, or news about how you can help to improve spamassassin.

Help Wanted: Non-English Volunteers

  • Do you receive lots of non-English legitimate mail?  Want to help to improve SpamAssassin upstream for your language?  While we need help from speakers of any language, we especially need volunteer participants from China, Hong Kong, Taiwan, Korea or other Asian countries. 
  • Volunteering is easy, you only sort mail into folders then run a script on your folders every night in a cron job, which then uploads your logs to the central server.  Your mail remains private.
  • Contact Warren Togami or Fedora's auto-mass-check recruitment coordinator Nick Bebout if you are interested in joining.
Friday, December 25th, 2009
9:45 pm
spamassassin-3.3.0-rc1 for Fedora and RHEL5
spamassassin-3.3.0-rc1 was released today.  Upstream's extensive release notes cover the many improvements and bug fixes since 3.2.5.  3.3.0 trunk has generally been of better quality in both stability and spam detection capability than 3.2.5 for many months now. I personally have been running snapshots leading to this beta release on my production RHEL5 server since early 2009.  We expect almost no changes to be necessary before 3.3.0 final is released during early January 2010.  This is the LAST CHANCE to test and report any problems.
  • Packages for Fedora 12 or Fedora 11.
  • RHEL5: I personally use these scratch builds.  You will need some new perl module dependencies from EPEL5. The plan is to push spamassassin-3.3.0 final + new perl modules to RHEL-5 sometime during 2010 after extensive testing. I especially need test feedback of systems currently using spamassassin-3.2.5 with Mailscanner, Amavis or Mimedefang.
  • Optional packages: These packages are not required, but they probably will improve your spam filtering results.
    • yum install perl-Mail-DKIM perl-Mail-SPF pyzor perl-Razor-Agent
Tuesday, December 15th, 2009
1:59 am
Music recording with jokosher - Disaster
I decided today that I would try to fix an arrangement of a song, and attempt to mix a recording using fully FOSS tools. For now all I have is my laptop running Fedora 12 and a headset (microphone + headphones) plugged into my laptop.
  • Sunday: Downloaded sheet music of an arrangement that looks plausible for a flute trio.
  • Monday 7:48pm: cjb tells me about the existence of jokosher.
    • 1.5 hours: Fighting bugs and design problems in the Linux desktop.
      • 30 minutes: figuring out why Fedora 12 won't print the sheet music to my printer. Eventually chose some non-obvious non-default menu options and PackageKit decided it needed to download some PPD package, and it began working.
      • jokosher got stuck and needed to be restarted a few times.
      • jokosher crashed a few times.
      • pulseaudio crashed twice.
      • During recording, playback of the other tracks would skip a lot.
      • jokosher exports the flattened audio with metronome enabled by default.
      • jokosher export would export an infinite size WAV file beyond the end of the recording.
      • nautilus when attempting to view Properties on that WAV file got stuck in a 100% loop.
      • lame can't recognize the file format of the WAV file exported by jokosher. oggenc worked fine.
    • 15 minutes: I discover that the arrangement was wrong. Listened to original song and guessed a middle voice that seems to make more sense.
    • 15 minutes: Three takes per part.
  • 9:50pm: OGG or MP3. Quality is very poor, 80% because this human didn't play for 6 years. 10% poor microphone, 10% microphone was too close to the air column (air noises). My next attempt will have a better microphone properly positioned. I will also try audacity instead of jokosher.
Brownie points to the first person who identifies the song title.
Monday, December 7th, 2009
2:03 pm
spamassassin-3.3.0-beta1 for Fedora and RHEL5
spamassassin-3.3.0-beta1 is out. This is very close to what 3.3.0 final will be. 3.3.0 trunk has generally been of better quality in both stability and spam detection capability than 3.2.5 for many months now. I personally have been running snapshots leading to this beta release on my production RHEL5 server since early 2009.
  • Fedora 12: spamassassin-3.3.0-beta1 in updates or download here.
  • RHEL5: I personally am using these scratch builds. USE AT YOUR OWN RISK, but feel free to file bugs in RH Bugzilla and assign it to me. You will need some new perl module dependencies from EPEL5. The plan is to push spamassassin-3.3.0 final + new perl modules to RHEL-5 sometime during 2010 after extensive testing. I especially need test feedback of systems currently using spamassassin-3.2.5 with Mailscanner, Amavis or Mimedefang.
  • Optional packages: These packages are not required, but they probably will improve your spam filtering results.
    • yum install perl-Mail-DKIM perl-Mail-SPF pyzor perl-Razor-Agent
Thursday, October 29th, 2009
5:35 pm
USB boot the Fedora 12 Installer DVD

This is a modified version of livecd-iso-to-disk.sh that will install the Fedora 12 Beta i386 or x86_64 installer DVD onto an ext3-formatted USB drive.  You should be able to boot the USB drive, and it should automatically detect the .iso copied there.  ext3 format is required!  The 3GB+ DVD .iso won't fit on a vfat filesystem due to the 2GB file size limit.

Does this script work running on Fedora 11 to write the Fedora 12 DVD .iso?  I don't know.  Please try it and report back.

This will be pushed in livecd-tools-031+.  It would be nice if liveusb-creator gained similar functionality...

Thursday, October 15th, 2009
10:47 pm
Palm Pre SMTP SSL auth to Postfix MTA
I run my own Postfix server.  Recently I tried to enable SSL and TLS authentication so my Palm Pre phone can log in with a name and password and send outgoing mail from any network.  There was no trouble setting up Thunderbird to use SSL authentication for SMTP, but the Palm Pre was very frustrating to figure out.  It turns out that my GoDaddy SSL Certificate was not automatically trusted by the Palm Pre mail client.  You have to import the certificate (self-signed or "real" certs) for it to successfully use encrypted SMTP.  The following steps worked for me.
  • Make your postfix server allow relaying with SSL SASL authentication with names and passwords.  (Look at master.cf to enable optional port 465 and 587 too.)
  • Test it with Thunderbird to be sure it is working, in my case port 465 with SSL.
  • Send an e-mail to yourself, attach the SSL certificate (public key) used by your postfix server.
  • Read that mail on your Palm Pre, download and open the attached cert file.  Import into the Certificate Manager.
  • Email > Preferences & Accounts > [Your Account] > Change Login Settings (at bottom) > Outgoing Mail Server
    • Use Authentication On
    • Enter username and password
    • Port 465
    • SSL
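The steps above leave two things worth checking before fighting with the phone: that Postfix only relays for authenticated clients and only offers AUTH over TLS, and which certificate the server actually presents (the one to mail to yourself). The following is an added example, not from the original post; the host name is an assumption, while the Postfix parameter names and openssl/postconf flags are the real ones.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Postfix side of the
# setup on the mail host, then fetch the certificate the Pre needs.

# Print the value of one parameter from `postconf -n` output on stdin
# (empty when the parameter is not set, i.e. still at Postfix's default).
pc_value() {
    sed -n "s/^$1 *= *//p" | tail -n 1
}

# Audit `postconf -n` output on stdin: authenticated relaying over TLS only.
# Prints one line per problem and returns 1 if any were found.
audit_main_cf() {
    conf=$(cat)
    rc=0
    for p in smtpd_sasl_auth_enable smtpd_tls_auth_only; do
        v=$(printf '%s\n' "$conf" | pc_value "$p")
        [ "$v" = "yes" ] || { echo "$p should be yes (is '${v:-default}')"; rc=1; }
    done
    for p in smtpd_tls_cert_file smtpd_tls_key_file; do
        v=$(printf '%s\n' "$conf" | pc_value "$p")
        [ -n "$v" ] || { echo "$p is not set"; rc=1; }
    done
    # Relay for authenticated users only; everyone else must hit reject_unauth_destination.
    v=$(printf '%s\n' "$conf" | pc_value smtpd_recipient_restrictions)
    case "$v" in
        *permit_sasl_authenticated*reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions needs permit_sasl_authenticated before reject_unauth_destination"; rc=1 ;;
    esac
    return $rc
}

# True if an EHLO response on stdin advertises AUTH PLAIN or LOGIN, which is
# what the Pre's "Use Authentication" login relies on.
auth_offered() {
    grep -E '^250[ -]AUTH[ =].*(PLAIN|LOGIN)' >/dev/null
}

# Keep only the first (the server's own) certificate from -showcerts output.
leaf_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | sed '/-----END CERTIFICATE-----/q'
}

# EHLO over implicit SSL (the post's working port 465 setting).
probe_ssl() {   # host port
    printf 'EHLO probe.example\r\nQUIT\r\n' | openssl s_client -connect "$1:$2" -quiet 2>/dev/null
}

# The PEM certificate to mail to yourself and import on the Pre.
server_cert() { # host port
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -showcerts 2>/dev/null | leaf_cert
}

if [ $# -ge 1 ]; then
    host=$1; port=${2:-465}      # e.g. mail.example.com (assumed name)
    postconf -n | audit_main_cf && echo "main.cf: ok"
    probe_ssl "$host" "$port" | auth_offered && echo "AUTH offered on $host:$port"
    server_cert "$host" "$port" > "$host.pem" && echo "certificate written to $host.pem"
fi
```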
Wednesday, August 12th, 2009
8:51 pm
Attachment Reminder: Huh?

Click Send.

10:02 am
RCN DNS Hijacking - Opt Out
RCN has apparently been rolling out DNS hijacking over the past week. When you query a domain name that does not exist, their DNS servers respond with bogus answers that attempt to redirect your browser to their own search page.  This is a horrible idea for many reasons, like breaking various software, but they don't care because it brings them more advertising click-through revenue.

If you are experiencing DNS hijacking with RCN, call 1-800-RING-RCN and complain about this.  If they don't know what you are talking about, say you want to opt out of "Paxfire".  Then file a complaint, because this is a horribly bad idea to inflict this upon customers by default.
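A quick way to tell whether a resolver is doing this is to ask it for a name that cannot exist and see whether it admits NXDOMAIN or hands back an A record anyway. The following check is an added example, not from the original post; it assumes dig is installed and uses example.com as the zone to query under.

```shell
#!/bin/sh
# Added example, not from the original post: a check for NXDOMAIN hijacking.
# Asks a resolver for a host name that cannot exist and classifies the reply.
# Assumes dig is installed; the zone is an assumption.
ZONE="${ZONE:-example.com}"

# A throwaway label nobody has registered: 16 random hex characters.
random_label() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Classify `dig +noall +comments +answer` output read from stdin:
#   nxdomain  - honest answer for a nonexistent name
#   hijacked  - NOERROR plus an A record for a name that cannot exist
#   empty     - NOERROR but no A record (NODATA)
#   unknown   - no usable status line (timeout, SERVFAIL, etc.)
classify_dig() {
    out=$(cat)
    case "$out" in
        *"status: NXDOMAIN"*) echo nxdomain ;;
        *"status: NOERROR"*)
            if printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+A[[:space:]]+[0-9]+\.'; then
                echo hijacked
            else
                echo empty
            fi ;;
        *) echo unknown ;;
    esac
}

# Query one resolver (default: the system's) for a random nonexistent name.
# Prints the verdict and the name asked for; returns 0 only for an honest NXDOMAIN.
check_resolver() {  # [resolver-ip]
    name="$(random_label).$ZONE"
    if [ -n "${1:-}" ]; then
        verdict=$(dig "@$1" "$name" A +noall +comments +answer | classify_dig)
    else
        verdict=$(dig "$name" A +noall +comments +answer | classify_dig)
    fi
    echo "$verdict $name"
    [ "$verdict" = nxdomain ]
}

case "${1:-}" in --check) check_resolver "${2:-}" ;; esac
```

Run it as `this-script --check` against the resolver in /etc/resolv.conf, or `--check <ip>` against a specific server; a "hijacked" verdict with the ISP's own redirect address is the symptom described above.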
Wednesday, July 15th, 2009
3:20 pm
Help Needed: spamassassin-3.3.0 coming soon
Test RPMS for Fedora 10+, RHEL-4 and RHEL-5.  Rawhide has this version too.

Upstream says there are no remaining serious issues left for release.  They are fixing a few minor bugs and hopefully releasing 3.3.0 in about 2 months.

The main concern for release is to improve the quality of the scores.  At the moment there are only five people participating in the NightlyMassCheck used for weekly score generation.  More volunteers are needed to follow the HandClassifiedCorpora procedure, where manually sorted Spam and Ham (non-Spam) are fed into the masscheck script on a nightly basis, and logs are uploaded for statistical analysis.  They especially need real persons with a mix of opt-in commercial e-mail (Ham) and unwanted Spam.  Please read NightlyMassCheck if you want to help improve spamassassin's accuracy for everybody.

Reminder: If you use spamassassin, you should edit /etc/cron.d/sa-update and enable nightly score updates.

Sunday, June 28th, 2009
9:42 pm
pidgin-2.5.8 several important bug fixes
pidgin-2.5.8 builds for Fedora 9, 10, 11 and 12.  Please let me know if anything became worse.