Josh Wieder

{ Update : there is a new bit of Linux malware making the rounds that likes to play games with iframes. Comprehensive descriptions of the exploit are listed below - of particular interest is the write up on Crowdstrike. I don't have enough data to know for sure if the two events are related as nothing I administrate has been compromised, but the iframe mechanism is fairly unique in both cases. https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012 http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html http://linux.slashdot.org/story/12/11/20/1733237/new-linux-rootkit-emerges Here is my comment on the Slashdot Article: http://linux.slashdot.org/comments.pl?sid=3263519&cid=42074663 } I usually take a quick look at this site's traffic and referral sources following a post. One of the great things about having a circulation close to

HIPAA, SOX, SAS-70 - those whose business relies on hosting a website are no stranger to the regulatory schemes of trade organizations and their acronyms. The PCI Data Security Standard is perhaps the most well known and widely adopted. PCI DSS is a set of very general outlines of security best practices for those who process and/or store credit cards using computers. Compliance is certified by a third party corporation (a Qualified Security Assessor or QSA), and demand is created by offering lower credit card transaction fees to websites who are certified as compliant. On the whole, the initiative has had some big successes. Credit card companies win by reducing incidents of fraud as more sites adopt standard security features, merchants win through reduced transaction costs and by being able to advertise a third party certification of secure site design and companies responsible for certification get to exist and create new jobs in the process. The standards have gone a long way to

Tropical Storm Debby recently made my acquaintance at my humble home here in South Florida. The storm itself was a non-starter, but apparently the outer strands of it spawned a series of tornadoes across Florida last Sunday.  While I am pretty handy with a computer, when it comes to un-nerd-related topics I am oblivious, and on Sunday I was unaware of Debby or the tornado warning that had been issued. It was sunny outside that day - if I had heard something I would have written it off as a false alarm anyway.  My home is on a lake and surrounded by trees. My favorite part of the house is the expansive back porch. The porch is screened and runs the entire length of the house - we've installed a hammock whose awesomeness cannot be translated into English as well as a large hand crafted wooden table. I tend to do my drinking in the hammock while whittling away the hours with a great view of the lake. The table is for when I actually need to get some work done or eat something. Bet

Helicon Ape is a great tool that allows people to stop complaining that Windows does not provide support for .htaccess, or for those who need URL rewriting in pre-Windows 2008 servers. For maximum confusion, Helicon names its configuration file httpd.conf like Apache. I made some modifications to the logging verbosity in that file, helping out an admin who hadn't realized that debug-level verbosity on redirect logging results not just in poor performance from the additional overhead needed to write to a file each time a URL is mod'd, but in a huge file that will quickly overwhelm available storage. Attempting to save http.conf resulted in errors because it was in use by a process so I copied my modified file to the desktop, renamed the existing conf file and copied my copy back into the Helicon configuration directory.  My changes weren't applied. The syntax was correct in my changes and Helicon kept processing redirects. Sure enough I compared permissions on the tw

When thinking about launching an .NET application with IIS, memory tuning the webserver is often ignored. I often complained about how php.ini offered more straightforward means to address performance tuning - but I was wrong. Windows Server reserves half of its available RAM for the operating system. Of the remaining RAM, by default IIS will only allow 60% to be allocated to applications (in v1.0 I think it was actually 40%, in later versions its more generous). This setting is configurable, and can be set in your machine.config of the relevant framework path (%system% Microsoft.NET\Framework\) by adjusting the memoryLimit parameter . I recommend not reserving more than 80%. There is a ton to do here, and more than I can address in one post. Benchmarking these settings in development is a necessity, so do the needful and check out this overview here:  http://msdn.microsoft.com/en-us/library/ff647813.aspx

I recently stumbled across this article on how to create custom hosting space field's for websitepanel, a cool control panel software for Windows Servers: http://websitepanel.net/developer-guide/custom-links-in-account-and-space-menu I have mixed feelings about control panel software generally (they make it necessary to troubleshoot two things - software and underlying services), but this one is as good as it gets in Windows and I have had to fix quite a few of them over the years. For these to be practical in production, customization is needed and I thought it was cool of WebsitePanel to have a fairly comprehensive developer guide on the topic.