Basic Filtering for Normal People…

Earlier I posted about my “tanstaafl” related issues in getting filtering and proxy services set up.

Good news: I finally got it all to start reliably. It’s still a bit quirky about restarts for log turnovers though.

Nevertheless, I stumbled into something else incredibly useful, and after a few weeks of trying it out I will be shutting down my own filtering.

The service is called OpenDNS. Their purpose is to replace the sometimes flaky DNS service that comes with your ISP (Hi, Comcast!) and provide an alternate means to look up addresses on the internet. This means that every time you try to look up www.apple.com, their computer takes the web address and sends back the numerical address, much like looking up phone numbers in a phonebook by name.

The side benefit of this is that you can also specify corrections of typos, define what kind of websites you don’t want visited from your household or office, and specify what exceptions you want to allow, because they control what computer you connect to when you ask for a website.

Specifying what you want to block follows the same categories used in DansGuardian, and the logs give you a nice list of sites that have been denied. What it doesn’t do is let you know who in your network made the request, give you a weight for how strict to be within a category, or let you see what sites have been visited that were not blocked.

I can deal with those weaknesses, as it simplifies my computer setup and makes it a little more difficult for the kids to work around the restraints (I still make sure I eyeball their activity and computers on a regular basis). It has one other “plus” – the instructions. They have excellent documentation that should go a long way in helping you set up your router or computer to use their DNS servers as well as tracking changes in the IP address your ISP hands you.

Best of all, it’s “free.”

Well, not completely. They make money by sending mistyped or flat-out wrong domain names to their own search and ad results. 

Improvements

We’re going through several here.

First of all, I’ve moved to a new host. 

Second – I’ve upgraded the blogging software at the same time. Actually this was less scary than doing the upgrade in place because I not only had a local copy of the website, but a fully functional one online I could always flip back to. The only headache was getting the old database uploaded to the new server as phpMyAdmin didn’t want to handle that much data…

Next step after another post on DNS stuff and filtering: Get my theme updated. 🙂

TANSTAAFL

One of the best known SF acronyms outside of Science Fiction is TANSTAAFL, from Heinlein’s The Moon is a Harsh Mistress. It means “There ain’t no such thing as a free lunch.” More to the point, it means that there is a price for everything in time, money, sweat, or effort.

This to me holds true in the Linux world, and with many of the often brilliant “free” programs that are available.

You can probably see where this is going.

I’ve been trying to set up proxy services on my G5 running Leopard, so I can get rid of the Suse box that currently has no purpose in life outside of acting as a network proxy server for controlling web access. Running one less computer is good, even if the toaster-box doesn’t add much to my electric bill, and the G5 is becoming less and less my primary workstation anyway – my MacBook Pro is.

Getting Squid installed – the proxy software – was pretty simple. The problem? I wanted to run it in conjunction with some filtering software called DansGuardian. This is the part where you shake your head, tsk, and say “ahh… foolish mortal.”

OSX launches background programs in a whole new way from traditional Unix/Linux methods. The package I installed was fairly up to date and had a proper startup entry in it. Or so it seemed.

The long and the short of it is I have the proxy working, but not the filter, and I’m spending much time on this simply because I want to figure the puzzle out, not because it’s cost-effective.

It’s fun, in a way, but usually I spend too much time fixing other people’s computers to want to have “fun” tinkering.

A Neat Feature in Stacks

Yes, I loathe the ever-changing stacks icons, and the workarounds needed to make a stack a consistently identifiable target.

That said, there are a few features that you look at and wonder how you lived without them.

For example: a new file gets downloaded to your inbox. You click on the stack and the stack pops open. Click on the disk image file and the disk mounts. Then you install your software. Now it’s time to clean up.

Now, my past practice has been to open up my inbox and drag the image file from the inbox into the trash. Unthinking, I clicked on the stack again since my selection arrow was nearby, clicked on the image file, and stopped.

I didn’t want to reopen it. So still holding down the mouse button while kicking myself mentally and expecting to see a new “disk” pop up on my desktop, I instead see the file move with the arrow. Before I realize what I’m doing I drag it into the trash.

Not quite believing what I just saw, I open up the trash, and sure enough, the file is there.

Wow.

UPDATE: As of OSX 10.5.2 Apple fixed the stack issue. You can now have the icon in your dock show up as the containing folder, and keep a nice, easy to identify target. They’ve added some more improvements too.

Virus Scams

 

A client of mine recently received an email purporting to be from the Department of Justice (and another one from “the IRS” ) relating to claims made against their business. It had some official-looking language about case numbers and claims filed by so-and-so, and noted that a copy of the complaint was included “in the pdf below.” They were suspicious for several reasons, and asked me to check it out.

Even if you expect the IRS or DOJ to email you out of the blue with this kind of thing, addressing the recipient by the wrong gender is a big red flag. The other thing that made me immediately suspicious was the “pdf” file was zipped.

The ZIP format is an incredibly useful compression and archiving standard that was even more important back when internet access was typically via modem. The downside is that if the package is really a virus installer it will not only unpack the virus files but execute them, infecting your system. For this reason any decent virus scanner will search through .zip files as they come in, but some viruses still slip through, especially in email. Also, PDF files are already compressed so there is little benefit from further compressing them (technically speaking – the graphics are already compressed. You may save some space by compressing the text more). Someone legitimately sending a PDF – or any document small enough to reasonably email (a Word DOC file, etc.) – will almost never go out of their way to zip it up. Laziness, if nothing else, practically guarantees this.

As a matter of netiquette, never email someone a .zip file without warning them ahead of time, and if you receive one without a prior heads up from a known, trusted source, be very suspicious. One of the nastiest infections I cleaned out looked like it came from a trusted source so the client opened it up without checking with the sender.

To wrap the story up, I took a snapshot of my virtual Vista installation under VMware Fusion so I could restore to that earlier point, and looked at the zip file. As expected, the antivirus software immediately caught it and archived it.
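The check described above, as an added example that is not part of the original post: Python that lists a zipped attachment's members in memory, without extracting or running anything, and flags the patterns the post warns about. The extension lists, file names and sample archive are constructed for illustration.

```python
import io
import zipfile

# Constructed, non-exhaustive lists used only for this illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt"}

def _exts(name):
    """Return the dotted suffixes of the final path component, lowercased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]

def triage_zip(data):
    """Return (member name, [reasons]) for each suspicious member of a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            exts = _exts(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTS:
                reasons.append("executable extension " + last)
                if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
                    reasons.append("document name hiding real type")
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted member.
                reasons.append("password protected, scanner cannot inspect")
            elif last == ".pdf":
                with zf.open(info) as fh:  # decompressed in memory, never written out
                    if fh.read(4) != b"%PDF":
                        reasons.append("named .pdf but lacks %PDF header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample():
    """Constructed sample: harmless bytes under names a lure might use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("complaint_0001.pdf.exe", b"MZ placeholder, not a real program")
        zf.writestr("notice.pdf", b"MZ placeholder pretending to be a pdf")
        zf.writestr("real.pdf", b"%PDF-1.4\n% constructed stub\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample()):
        print(name, "->", "; ".join(reasons))
```

A clean result here only means none of these naming and header checks fired; it does not replace the antivirus scan in a disposable virtual machine that the post relies on.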

DAVE and Leopard

Just discovered another upgrade “gotcha” with Leopard related to Thursby Software’s “DAVE.”

DAVE has been around a long time. Before OSX it allowed Macs to access Windows shares and networks with the same credentials/etc. as Windows machines. Even when OSX allowed access to Windows file servers and limited Active Directory compatibility, DAVE and ADmitMac were a much more complete solution, especially when it came to home folders, authenticating to a domain, etc.

Of course, such an extensive system hack intercepting all of the Windows-related CIFS/SMB traffic is likely to break on a major system upgrade, and sure enough it did. If you remembered to remove this before upgrading to Leopard, or first installed the update to version 7, then all was well, and you could still access Windows servers. If you didn’t, your computer would fail to connect.

Fixing this isn’t that tricky, but is non-obvious unless you are paying for an upgrade. In all cases the best way to remove DAVE is to use the removal package (DAVE is one of the few programs on a Mac that really needs an uninstaller). The issue is that the same incompatibility that prevents DAVE from working prevents the version 6 or earlier uninstaller from shutting down the services. In this case, download the trial for version 7 (don’t even bother filling out the form, just download it), and run the uninstaller for version 7. After a restart, your Mac will get back onto SMB servers as reliably as ever.

Minor Recovery Issues.

I’ve been more a fan of the VMware Fusion virtual Windows solution than Parallels, usually because Fusion has had fewer stability issues (especially relating to one client’s Quickbooks needs) and was just a little more polished. Well, sometimes you find rough spots.

Apparently Fusion assumes the hard drive size never changes. After installing the new HD in my MacBook Pro and recovering from backups, everything else worked great, but Fusion couldn’t run the Boot Camp partition. While the error told me it realized the partition map had changed, Fusion would not give me the option of pointing to the new drive.

It was not a difficult fix – I found where Fusion stored the virtual machine file that pointed to the Boot Camp partition and deleted it, allowing Fusion to create a new one. Nevertheless, VMware should not assume that people will never change disks or partition maps, and should have provided an option to reset where it should find the Boot Camp partition.

Best Feature of Leopard Yet…

… has got to be Time Machine.

Last week I was at a client’s office and had my laptop drop off a counter just after I’d put it to sleep.

The good news was that the MacBooks and MacBook Pros all have sensors that, upon sensing an impact, can park the heads on the hard drive before they have a chance to crash into the platters and kill the drive.

The bad news is that right when you put it to sleep, the laptop writes out the contents of RAM to the HD in case the battery dies/is removed, but the sensors are not functional.

So I had one thoroughly dead hard drive.

After finagling around with Disk Utility and discovering I could create a partition big enough for all of my files that avoided the damaged areas and was thus usable, I restored the computer from my Time Machine backups and a few hours later was back to work. Most of this time was spent figuring out what parts of the drive were usable.

Then I ordered a new drive which I installed this weekend. Not ridiculously difficult (say… like a Mac Mini) but I’ll never complain about pulling apart a Toshiba or Compaq again.

Anyway. The point is that I had my computer back in full running order within hours in what was effectively a bare metal restoration. All my programs worked, and all of my settings were in place. All of this as part of the backup system that came with the OS.

Side note: I hate Torx screws. Why do manufacturers insist on using Torx screws on top of the mini-Phillips (and even regular Phillips) sized screws? The good news: Lowe’s has a nifty Kobalt-brand multi-head Torx screwdriver that includes T5 and T6 heads for about five bucks.