Protecting Yourself and Others from Yourself and Others

Nowadays, there's simply no excuse for any computer connected to the Internet, regardless of operating system, not to have both a hardware firewall (usually implemented in your router/broadband "modem") and a software firewall, monitoring both incoming and outgoing traffic.

The software firewall I've been recommending to those "unable"/unwilling to leave the hypersonic train wreck that is Windows has been ZoneAlarm's free firewall. Users of modern operating systems should start off by enabling and configuring the firewall built into their OS (either ipfw on Mac OS X/BSD Unix, or netfilter for Linux). That can be tricky to manage; fortunately there are several good "front end" helper packages out there, such as WaterRoof. Another excellent, popular Mac tool is Little Snitch; the latter two work quite well together.

However, no matter which tools you use to secure your system's Net connection, one of the main threats to continued secure, reliable operation remains you, the user. This has a habit of popping up in unexpected but obvious-in-hindsight ways.

For instance, I recently changed my Web/email hosting service. Long prior to doing so, I had defined a pair of ipfw rules that basically said "Allow outgoing SMTP (mail-sending) connections to my hosting provider; prevent outgoing mail-sending connections to any other address." Thus, were any of the Windows apps I ran inside a VMware Fusion VM to become compromised (as essentially all Windows PCs in Singapore are), they couldn't flood spam out onto the Net – at least not using normal protocols. This didn't do anything to protect the Net from other people's Windows PCs that might sometimes legitimately connect to my network, but it did ensure that the Windows VM (or anything else) running on the Mac was far less likely to contribute to the problem.

A few days after I made the change, I noticed that my outgoing mail server configured in my email client wasn't changed over to the new provider, so I fixed that. And then, I couldn't send mail anymore. It took an embarrassingly long time (and a search of my personal Wiki) to remember "hey, I blocked all outgoing mail except to (the old provider) in my software firewall." Two minutes later, WaterRoof had told ipfw to change the "allowed" SMTP connection, and I soon heard the "mail sent" tone from my client.

Mea culpa, indeed. But why bother blogging about this? To reinforce these ideas to my reader(s):

1. First, that if you aren't already using a software firewall in addition to the hardware one you probably have (especially if you're not aware of it), you should be. It will make you a better Net citizen; and

2. Use a Wiki, either a hosted one like PBworks or one running on your own system. (I use Dokuwiki; this page on Wikipedia has a list of other packages for the host-it-yourselfer.)

3. Use your Wiki to record things that you'd previously think of writing in a dead-tree notebook or a bajillion Post-it® notes stuck to all available surfaces. This specifically and emphatically includes details of your system configuration(s).

Of course, if using a public, hosted wiki, you'll want to make sure that you can secure pages with sensitive data, like system configurations; why make Andrei Cracker's job easier than it already is?

This whole rant is basically a single case of the age-old warning, "if you don't write it down (in a way that it can be found again at need), it never happened." As the gargantuan information fire-hose that is the Internet continually increases the flow of information as well as increasing the rate of increase, this becomes all the more critical for any of us.

Changing Infrastructure - and "Mea maxima culpa *thwack*"

(which I remember from a Monty Python sketch but can't find attribution. Oh well; please feel free to comment and enlighten me.)

About a week ago, I switched my domain hosting for my Web/mail domain, seven-sigma.com, from Simplehost Limited of New Zealand to WebFaction, based in the UK. Now, Simplehost are a good bunch of guys; their customer service is very responsive and you get knowledgeable, thoughtful answers to questions. On most things, they're very willing to work with people to help them resolve issues. If you're looking for a host in this general slice of the planet, put them on your list of providers to have a good look at.

The deal-breaker for me, though, after two years or so with them, was that I need to be able to develop and demonstrate Web sites using the latest and greatest variety of tools, in particular PHP 5.3.x, which introduces important new features (in addition to fixing numerous bugs).

WebFaction, on the other hand, offer PHP 5.3 support (as well as numerous other tools, such as Ruby on Rails, have good pricing on their shared-hosting packages (as does Simplehost, honestly), and fantastic self-help and support options - video tutorials, Twitter feeds, and so on. Also, doing the obligatory Googling for dissatisfied-customer reactions mostly brings up hits like this one, talking about how (except for a couple of brief periods), the only hits were from reviews pointing out how few hits there were. Chatting on IM and IRC with a few customers also helped.

So, a process that I'd been poking at for a couple of months, with three weeks of serious effort, is done with, hopefully for several years to come.

However, there was a silly-me postscript to all of this: For several days after I made the switch, I just wasn't able to get email working. I went onto the WebFaction email-support forums, flipped through a few messages that described solutions to problems other users had had, tried them, and no luck. Then, tonight, I came across the answer that had been staring me plain in the face from the very first message telling me that my account had been set up.

You folks who have your own domains can probably imagine what went wrong; suffice it to say that the difference between what I was reading and what I was thinking was sufficient that over 1,300 email messages have downloaded in less time than it took me to write this post. So if you've been emailing me and wondering why I haven't answered, I apologize. It's unlikely to happen again — hopefully for several years.

And to the Simplehost support guys, thanks very much for your help. This was not in any way at all Simplehost's fault.

So why would I write something like this, showing a fairly major screwup? Because... I'd rather deal with people who admit their faults and publicly commit to do better, than with people who are infallible legends in their own mind. This industry has far too many of the latter sort. I'm hoping that enough other people feel the way I do that I can continue to do great work for my clients.

Thanks for reading.

EDIT:Years on, never mind how many, I discovered that I'd mistyped "WebFaction" when I meant "Simplehost" three paragraphs earlier. Heartfelt apologies to both. Mea maxima culpa *thwack!*

Once more into the breach, dear friends; once more....

To the half-dozen or so of you reading this blog, thank you; and for those of you who wondered what's happened to me and this blog over the last several months, the answer is both "a great deal" and "not much at all".

I had been ill for a couple of months, with what the doctors insisted was just an ordinary flu, and then a cold, and then an ordinary (NOT H5N1, thank you very much) flu that has kept my close friends busy trying to spy the license tag number of the lorry that keeps running me down. I am better now, thank you.

I have also changed hosting providers for my professional Web site and email hosting; the new crew look to be a good outfit so far:

• they understand the value of responding quickly to customer enquiries, no matter how harebrained;
they understand Linux and Apache and (at least do a convincing appearance of) not just a "me-too" offering;
• their people know their way around their system (see the first comment);
• they have sensibly large limits on disk space and bandwidth; which means that
• they allow you to host a lot of tools and libraries and addons that you can manage yourself (think PEAR for you PHP types) without having to rely on the (necessarily limited) knowledge of a central administrator who may not be quite as up to scratch on version X of the FooBar publishing framework as you are.

In short, as I said, off to a good start. After getting some minor details worked out, and being on my feet again, the all-new seven-sigma.com Web site should be up within the next couple of days.